top of page

ISO 27001 Compliance Program

ISO/IEC 27001 is an information security standard, part of the ISO/IEC 27000 family of standards, of which the last version was published in 2013, with a few minor updates since then. It is published by the International Organization for Standardization (ISO).


The main focus of the ISO 27001 standard is related to the information security management system (ISMS). At the beginning of the 2000 decade, ISO introduces the PDCA cycle (Plan, Do, Check, and Act).


ISO 27001 (2013) introduces 114 controls in 14 clauses and 35 control categories.

A.5: Information security policies (2 controls)

A.6: Organization of information security (7 controls)

A.7: Human resource security - 6 controls that are applied before, during, or after


A.8: Asset management (10 controls)

A.9: Access control (14 controls)

A.10: Cryptography (2 controls)

A.11: Physical and environmental security (15 controls)

A.12: Operations security (14 controls)

A.13: Communications security (7 controls)

A.14: System acquisition, development, and maintenance (13 controls)

A.15: Supplier relationships (5 controls)SOC 2

A.16: Information security incident management (7 controls)

A.17: Information security aspects of business continuity management (4 controls)

A.18: Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls)


Who can audit an ISO 27001 compliance program?

An ISMS may be certified compliant with ISO 27001 by some Accredited Registrars worldwide.


What is the ISO 27001 certification?

If an organization meets the ISO 27001 requirements and complete the certification process, the certification is awarded for a period of three years.  During that time, the organization must undergo annual monitoring audits.  Monitoring audits are much smaller than the initial examination and are designed to check whether the organization is maintaining and improving its management system.


What is the purpose of the ISMS scope?

ISMS scope is a crucial step at the beginning of the compliance program. What will be included and excluded in the ISMS scope? Do you have several subsidiaries? What part of your infrastructure will be out of scope, and why? The initial scope should be documented quickly in the compliance process. However, this scope can be changed all along with the compliance program.


Yucca IT Consulting can help you

We can assist you throughout your preparation process for the ISO 27001 compliance program, from the gap analysis to the independent audit. With the help of your in-house pilot, a realistic timetable will be documented and accepted by your management.

ISO 27001-Cadre ISO 27001
ISO 27001 compliance
bottom of page