ISO 27001
ISO/IEC 27001 is the international standard for information security management systems, awarded by accredited certification bodies after a third-party audit.
What is ISO 27001?
ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS). Unlike SOC 2 (a U.S.-centric attestation report from an AICPA-licensed auditor), ISO 27001 is a certification awarded by an accredited certification body after an audit against the standard's 93 Annex A controls and the management-system clauses 4-10. The current version is ISO/IEC 27001:2022.
EU and APAC enterprise buyers often weight ISO 27001 more heavily than SOC 2; many U.S. enterprise procurement teams accept either. Vendors selling globally often pursue both because they cover overlapping but distinct evidence: a SOC 2 report is an auditor's opinion on the operating effectiveness of controls over a period, whereas ISO 27001 certifies that an ongoing management system is in place and maintained.
How to verify the certification
Ask the vendor for the certificate number, the issuing certification body, and the scope statement. Verify the certificate number on the certification body's public registry — most accredited bodies publish a search tool. Confirm the certification has not lapsed (certifications run on three-year cycles with annual surveillance audits) and that the scope covers the specific service you intend to use, not just a parent product.
ISO 27001 vs the cousins
ISO 27017 extends ISO 27001 with cloud-specific guidance for cloud service providers and customers. ISO 27018 adds privacy controls for processors of personally identifiable information in cloud services. ISO 42001 is the newest cousin — an AI management system standard. A mature AI vendor often holds 27001 + 27017 + 27018, and increasingly 42001. Ask which apply.