What Is ISO 27001?
Note: This guide reflects ISO/IEC 27001:2022 (the current version, superseding ISO 27001:2013). ISO 27001 certification is awarded by accredited certification bodies (UKAS-accredited for UK relevance) — consult an accredited body for your specific certification journey.
ISO 27001 is an international standard for an Information Security Management System (ISMS) — a systematic approach to managing information security risks. Unlike Cyber Essentials (which prescribes specific technical controls), ISO 27001 is risk-based: you identify your information security risks and implement controls proportionate to those risks. Annex A (ISO 27001:2022) lists 93 controls across 4 themes — you document which you apply and justify which you do not.
ISO 27001 vs Cyber Essentials — Key Differences
| Aspect | ISO 27001:2022 | Cyber Essentials |
|---|---|---|
| Approach | Risk-based — controls proportionate to risk | Prescriptive — 5 specific technical controls |
| Scope | Entire ISMS (people, processes, technology) | Technical controls only (firewalls, patching, etc.) |
| UK Government requirement | Not mandated — but increasingly requested | Mandatory for UK Government ICT contracts |
| NHS DTAC | Domain 3 supporting evidence | Domain 3 minimum requirement (CE), CE+ preferred |
| FCA operational resilience | Strong supporting evidence | Relevant but not sufficient alone |
| Cost | £8,000–£30,000 (cert + implementation) | £300–£5,000 |
| Timeline to certification | 6–18 months | 1–8 weeks |
| Annual requirement | Surveillance audit annually, full recert 3yr | Annual recertification |
ISO 27001:2022 Annex A — Key Controls for Software Companies
| Control Area | Key Controls | ClickMasters Standard Implementation |
|---|---|---|
| A.5 Organisational | Information security policies, supplier security, incident management | Documented security policies, supplier risk assessments, incident response plan |
| A.6 People | Background checks, security awareness, acceptable use | DBS checks for engineers, annual security training, AUP |
| A.7 Physical | Locked premises, clear desk, equipment disposal | Secure office, screen lock policy, secure device disposal |
| A.8 Technological | Access control, cryptography, secure development, vulnerability management | RBAC, AES-256 encryption, OWASP SSDLC, Dependabot |
ISO 27001 Scope for Software Development
ClickMasters ISO 27001 alignment: ClickMasters maintains ISO 27001-aligned security practices across all development and delivery. We provide clients with a technical security evidence pack (architecture diagrams, security controls documentation, penetration test reports) that supports their own ISO 27001 Annex A evidence requirements.