ISO 27001: definition and history of this standard


ISO 27001: definition

ISO 27001 (or ISO/IEC 27001) is the information security management standard of the ISO/IEC 27000 family, of which it is the best known member. Specifically, it sets out the requirements for an ISMS (Information Security Management System) that any type of organization can implement, whatever the information it has to protect: data entrusted to it by third parties, personal data, intellectual property or financial data. It is also the only standard of the family against which an organization can be certified.


ISO 27001: history and objective

Derived from the British standard BS 7799-2, ISO 27001 was first published in October 2005, revised in 2013 and revised again in 2022. It lays the foundations of information security management in an organization and reuses the management principles of ISO 9001 together with the PDCA (Plan, Do, Check, Act) cycle of continuous improvement. Because its requirements are generic, ISO 27001 can be applied to any type of organization, regardless of its size or nature (commercial or not).

The objective of ISO 27001 is to manage information security risk by protecting the confidentiality, integrity and availability of an organization's information. It does so by establishing good practices in data protection through both organizational and technical measures. ISO 27001 does not impose a specific risk assessment method; it only requires that the method chosen produce consistent, valid and comparable (that is, reproducible) results. Organizations are therefore free to follow the guidance of ISO/IEC 27005, which is the risk management standard of the same family, or to adopt an established method such as EBIOS (Expression of Needs and Identification of Security Objectives), published by ANSSI, the French national agency for information systems security.

Update to ISO 27001: transition from the 2013 version to ISO 27001:2022

The standard underwent a major update with the publication of ISO/IEC 27001:2022 in October 2022, in order to keep pace with the rapidly evolving risks that accompany the digital transformation of organizations. The new version takes into account the widespread use of cloud computing, the rise of remote working and the intensification of cyber threats, all of which have profoundly changed work environments and information systems.

Since October 2023 it has no longer been possible to obtain a new certification against the 2013 version. Organizations that were already certified were given a three-year transition period from the publication date, ending on 31 October 2025, to bring their ISMS into line with the 2022 version; certificates issued against the 2013 version cease to be valid after that date.

The 2022 version also reinforces the integration of cybersecurity and privacy protection, as the expanded title of the standard shows: "Information security, cybersecurity and privacy protection - Information security management systems - Requirements" (the companion code of practice, ISO/IEC 27002:2022, carries the matching title ending in "Information security controls"). The body of the standard received a number of targeted changes: security objectives must now be monitored (clause 6.2), changes to the ISMS must be planned (new clause 6.3), the communication requirements were tightened (clause 7.4), and the management review must take into account changes in the needs and expectations of interested parties (clause 9.3).

Annex A

Annex A, which lists the reference controls and is aligned with ISO/IEC 27002:2022, has been extensively reorganized. The 114 controls of the 2013 version, spread over 14 domains, were merged and consolidated into 93 controls grouped under four themes: organizational, people, physical and technological. Eleven controls are entirely new, among them threat intelligence, data leakage prevention, physical security monitoring, configuration management, information deletion, data masking, monitoring activities, web filtering and secure coding. As before, an organization must justify in its Statement of Applicability which Annex A controls it applies and which it excludes.

Link between ISO 27001 and DORA regulations

ISO/IEC 27001 lays the foundation for security governance and is ISMS-oriented. Adopting it, and seeking certification against it, is a voluntary choice open to any organization.

The European DORA regulation (Digital Operational Resilience Act, Regulation (EU) 2022/2554, applicable since 17 January 2025) is not derived from ISO 27001, but it rests on the same risk-management principles and expects financial entities to build their ICT risk management framework in line with recognized international standards. Unlike ISO 27001, it imposes legally binding requirements for digital operational resilience on the entities in its scope: banks, insurers, investment firms, payment institutions and other financial-sector players, as well as the critical ICT third-party providers that serve them.

Both frameworks take a risk-based approach, call for the implementation of proportionate security controls, structure incident management and supplier (ICT third-party) management, and embed a continuous improvement process. An organization that already runs an ISMS compliant with ISO 27001 therefore has a solid foundation on which to build DORA compliance.

DORA compliance nevertheless requires going further on regulatory points that ISO 27001 does not cover: reporting major ICT-related incidents to the competent authorities within the prescribed deadlines, maintaining a register of information on all contractual arrangements with ICT third-party providers and including mandatory clauses in contracts with critical providers, and carrying out a programme of digital operational resilience testing, which for the largest entities includes threat-led penetration testing.
