What is ISO/IEC 27001?
ISO/IEC 27001 is the international standard for information security management. It does not certify a product, a server, or a single feature — it certifies that your organization runs a working information security management system (ISMS): a defined way of identifying risks to your information, deciding what to do about them, and proving you actually do it, over and over.
That distinction matters more than it sounds. A certificate on the wall is not the point of ISO 27001; the management system behind it is. An auditor is not asking "is your software secure?" — they are asking "can you show me the system you use to keep it secure, and the evidence that the system runs?" Everything else in the standard follows from that.
The current version is the 2022 revision (ISO/IEC 27001:2022). If you read older guides referring to 114 controls, those describe the 2013 edition — the 2022 revision reorganized the control set into 93 controls across four themes, which we cover below.
ISO 27001 vs ISO 27002
These two get confused constantly, so it is worth being precise. ISO 27001 is the standard you certify against — it sets the requirements for the management system and lists the controls in Annex A. ISO 27002 is the companion guidance that explains, in detail, how to implement each of those controls. You are audited against 27001; you reach for 27002 when you need to know how to actually do a control. There is no separate ISO 27002 certificate.