
ISO/IEC 27001:2022

The international standard for information security management. It specifies requirements for an Information Security Management System (ISMS) and is the most widely recognised certifiable security framework in enterprise procurement.

What it is

ISO/IEC 27001:2022 is the current revision of the ISO standard for an Information Security Management System (ISMS). It defines the requirements for establishing, implementing, maintaining, and continually improving an organisation's information security posture. The 2022 revision restructured the controls in Annex A, reducing them from 114 controls in the 2013 edition to 93 in 2022, organised into four themes: Organisational, People, Physical, and Technological. The standard is certifiable: an external auditor tests an organisation's ISMS against the requirements and issues a certificate valid for three years, with annual surveillance audits in between.

Why it matters

For B2B SaaS, ISO 27001 certification is table stakes in enterprise procurement. Security review processes at large companies (banks, insurers, public sector) routinely require an ISO 27001 certificate or its equivalent (SOC 2 Type II) before onboarding a vendor. Without it, the procurement timeline extends by months while the vendor produces equivalent evidence ad hoc. With it, the security review collapses to verifying the certificate, reading the auditor's letter, and reviewing the sub-processor list.

How Norrsent handles it

Norrsent's platform is aligned with ISO 27001:2022. The full audit is targeted for late 2026; alignment documentation, evidence, and the gap analysis are available on request via the security pack. SOC 2 Type II is in progress in parallel, on the same control set.

Common questions

What's the difference between ISO 27001:2013 and ISO 27001:2022?
The standard's structure is similar; the changes are concentrated in Annex A. Controls were restructured into four themes, eleven new controls were added (e.g., threat intelligence, secure coding, data leakage prevention), and several were merged or reworded. Organisations certified against the 2013 edition must transition to 2022 by 31 October 2025.

Is 'aligned' the same as 'certified'?
No. 'Aligned' means the organisation has built its ISMS to the standard's requirements but hasn't yet completed an external audit. 'Certified' means an accredited auditor has tested the ISMS and issued a certificate. Procurement-grade trust requires the certificate.

How does ISO 27001 relate to SOC 2?
Different geographies, similar substance. ISO 27001 originated in Europe and is the global ISO standard; SOC 2 originated with the AICPA and is dominant in North America. Both test similar controls (access management, change management, encryption, incident response). Most enterprise vendors hold both because procurement teams in different regions ask for different ones.