International ISO Certification Body

ISO/IEC 27001:2022

Information Security Management

ISO certification for organizations protecting information assets and demonstrating trustworthy handling of customer, operational, and regulated data.

Information Security · Current 2022 Revision · 93 Annex A Controls

About the standard

What is ISO/IEC 27001:2022?

ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS). It provides a risk-based framework for establishing, implementing, maintaining, and continually improving the protection of information assets.

The 2022 revision restructured Annex A into 93 controls organized into four themes (Organizational, People, Physical, and Technological), replacing the 114 controls in 14 domains of the 2013 version. Eleven controls are new, including threat intelligence, information security for use of cloud services, configuration management, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. The transition period for ISO/IEC 27001:2013 certificates ended on 31 October 2025, so organizations new to ISO 27001 should certify against the 2022 revision.

Who it’s for

Organizations entrusted with sensitive information.

ISO 27001 is industry-agnostic but particularly relevant to:

  • SaaS, technology, and managed service providers
  • Healthcare, financial services, and legal firms
  • Government contractors and prime-tier suppliers
  • Data processors and analytics platforms
  • Organizations responding to enterprise security questionnaires and vendor risk assessments

What the standard requires

ISMS core + Annex A controls.

The standard has two parts: the ISMS management system requirements (clauses 4–10), which are mandatory, and Annex A, a reference catalog of 93 information security controls. Each Annex A control is included or excluded based on the results of the risk assessment and risk treatment, and the justification for every inclusion and exclusion is recorded in the Statement of Applicability.

  • Context & interested parties (clause 4) — understanding the organization and its stakeholders, and defining the scope of the ISMS.
  • Leadership (clause 5) — management commitment, the information security policy, and assignment of roles, responsibilities, and authorities.
  • Planning (clause 6) — risk assessment, risk treatment, the Statement of Applicability (SoA), measurable security objectives, and planning of changes to the ISMS.
  • Support (clause 7) — resources, competence, awareness, communication, and control of documented information.
  • Operation (clause 8) — operational planning and control, risk assessments at planned intervals and on significant change, and execution of the risk treatment plan.
  • Performance evaluation (clause 9) — monitoring, measurement, analysis, internal audit, and management review.
  • Improvement (clause 10) — continual improvement, and handling of nonconformities and corrective actions.
  • Annex A controls — 93 controls across the Organizational (37), People (8), Physical (14), and Technological (34) themes.

Why AmericanQMS

ISMS certification without the SOC 2-style consulting bill.

Many organizations face a choice between an expensive accredited audit firm (often $30K+ for a SaaS company) and a checkbox-style cert mill. We offer the third path: real risk-based ISMS implementation guidance, documented Stage 1 + Stage 2 audits against the 2022 standard, and an AmericanQMS certificate that supports vendor risk responses and enterprise procurement.

Most ISO 27001 engagements complete in 8–12 weeks. Combined certification with ISO 20000-1 (IT Service Management) is common for MSPs.

Get ISO/IEC 27001:2022 certified.

Tell us about your environment, data, and customer requirements. We’ll respond within one business day.