ISO/IEC 27001 - Information security

ISO/IEC 27001 is the leading international standard for information security management.
First published in 2005 and then revised in 2013 and most recently in 2022, ISO/IEC 27001 helps organizations establish, implement, maintain, and continually improve an information security management system (ISMS).
The standard addresses key aspects of information security, including access control, network security, information transfer, human resources security, and physical security.
ISO/IEC 27001 is applicable to all types of organizations—regardless of size, industry, or geographical location. It is widely used by technology companies, service providers, public institutions, and NGOs seeking to protect sensitive data, manage cyber risks, and build trust with customers and stakeholders.
RIGCERT provides accredited certification services for information security management systems in accordance with ISO/IEC 27001. Our certification process is impartial, transparent, and carried out by experienced professionals who understand the unique challenges of information security in your sector.
Whether the goal is to strengthen internal controls, ensure compliance, or enhance customer confidence, our ISO/IEC 27001 certification can support your organization in managing information security risks effectively.
ISO/IEC 27001 is the international standard that defines how organizations should manage information security. It provides a comprehensive framework that combines both management system requirements and a set of specific information security controls. These controls are grouped into four main categories, referred to as themes.
This standard is applicable to any organization, regardless of size or sector. Its main objective is to help organizations build a structured system that protects the confidentiality, integrity, and availability of information. The most recent version of ISO/IEC 27001 was published in 2022.
Management system requirements
The management system requirements in ISO/IEC 27001 address several essential aspects. These include leadership and commitment from top management, the establishment of information security policies and objectives, the identification and treatment of risks, the performance of internal audits and management reviews, and the handling of nonconformities. These elements ensure that information security is integrated into the overall governance and operations of the organization.
Information security controls
The standard also introduces a set of 93 information security controls, grouped into four themes. The first theme focuses on organizational controls and addresses areas such as information classification and labelling, acceptable use of assets, information transfer, access rights, relationships with suppliers including those offering cloud services, incident response, business continuity, data privacy, and regulatory compliance.
The second theme is about people controls, covering topics such as employee screening, handling of disciplinary matters, remote work practices, confidentiality and non-disclosure, and awareness and training in information security.
The third theme addresses physical controls. It covers the protection of physical assets both on and off premises, storage media, the security of utility services and cabling, as well as the maintenance and secure disposal of equipment.
The final theme focuses on technological controls. This includes controls on the security of endpoint devices, protection against malware, capacity planning, network security, logging and monitoring activities, information backup, cryptographic protections, secure system development, and effective change management.
To be compliant with ISO/IEC 27001, an organization must implement an information security management system that fulfills the management system requirements and also demonstrates conformity with the security controls it has determined to be applicable. This ensures a systematic and risk-based approach to managing information security across all levels of the organization.
ISO/IEC 27001 certification for Information Security Management Systems (ISMS) is achieved following a successful two-stage audit, conducted by independent and qualified auditors. This audit assesses whether your organization’s ISMS is properly implemented and aligned with the requirements of ISO/IEC 27001.
The certification is valid for three years, during which the organization undergoes annual surveillance audits. Surveillance audits ensure that the ISMS is functioning as intended, that it continues to protect information assets, and that it remains compliant with the applicable requirements.
Failure to conduct surveillance audits on schedule or failure to address major nonconformities identified during a surveillance audit may result in suspension or withdrawal of the certification.
At the end of the three-year certification cycle, organizations that wish to maintain their certification undergo a recertification audit. This audit is similar in scope to the initial certification audit and confirms that the organization’s ISMS remains effective and that its commitment to information security is ongoing.
We provide accredited certification services for Information Security Management Systems in accordance with ISO/IEC 27001:2022. Our process is designed to align with your organization's unique structure, business environment, and security requirements, delivering a certification experience that is both practical and efficient.
RIGCERT holds accreditation from ESYD, the Hellenic Accreditation Body, ensuring that your ISO/IEC 27001 certificate is officially recognized by regulatory authorities, clients, and partners worldwide. As a founding member of EA (European co-operation for Accreditation) and IAF (International Accreditation Forum), ESYD provides international recognition, giving your certification added credibility across global markets.
Choosing RIGCERT means working with professionals who are well-versed in information security risks, compliance obligations, and industry-specific challenges. We are committed to conducting certification activities with objectivity, clarity, and a focus on delivering value beyond compliance.