ISO/IEC 27001 Information Security Management
The international standard for information-security management systems (ISMS), certifiable by accredited certification bodies.
What ISO/IEC 27001 actually is.
ISO/IEC 27001 specifies the requirements for an Information Security Management System (ISMS) - a risk-based, top-down approach to protecting information assets through policies, processes and controls. Clauses 4 to 10 carry the mandatory requirements; Annex A is the reference control set from which an organisation selects controls and records the inclusion or exclusion of each, with justification, in its Statement of Applicability. The 2022 revision streamlines Annex A to 93 controls organised across four themes (organisational, people, physical and technological). Certification is widely used as procurement evidence in Australia, and ISO/IEC 27001 is one of the frameworks named in the CIRMP Rules under the SOCI Act as a recognised basis for meeting the cyber and information security hazard requirement.
Who it applies to.
Any organisation pursuing a certifiable information-security management system. Widely adopted in financial services, SaaS, managed services and supply-chain-critical vendors.
The control areas the framework covers.
Summary of the standard's mandatory clauses and its Annex A control set, with the outcomes each drives. The numbering below is this page's own; the corresponding clause of the standard is given in brackets. Always validate against the official publication for the authoritative wording.
01 Context of the organisation (clause 4) - Understand the organisation and the needs of interested parties; determine the ISMS scope.
02 Leadership (clause 5) - Top-management commitment, the information-security policy, and assignment of roles and responsibilities.
03 Planning (clause 6) - Risk assessment and risk-treatment planning against information-security objectives.
04 Support and operation (clauses 7 and 8) - Resources, competence, awareness, communication, documented information and operational control, including performing the risk assessment and treatment in practice.
05 Performance evaluation (clause 9) - Monitoring and measurement, internal audit and management review of the ISMS.
06 Improvement (clause 10) - Nonconformity and corrective action; continual improvement.
07 Annex A controls (93) - Reference control set grouped into organisational (37), people (8), physical (14) and technological (34) themes; the applicability of each control is recorded in the Statement of Applicability.
Read it from the issuing body.
For anything with a regulator or certification body behind it, the authoritative text is what counts - not our summary.
ISO/IEC 27001 Information Security Management
iso.org/standard/27001
Content on this page is a plain-language summary for programme planning. It is not legal or regulatory advice, and it does not replace a current copy of the issuer's publication.
How Vectra delivers against ISO/IEC 27001.
Assessment, engineering and operational services that line up with the framework's control areas.
ISO 27001 Compliance & Audits
Implement, certify and maintain the international standard for information security management - end-to-end across the three-year certification cycle (initial audit, annual surveillance audits and recertification).
Virtual CISO
Fractional security leadership embedded with your executive team.
Penetration Testing
Find it before the attackers do - CREST-certified engagements that deliver actionable findings, not compliance checkboxes.
Managed Detection & Response
Sovereign Australian XDR powered by nine global SOCs, AWS Australia hosting and 24x7 human-verified response.
Where ISO/IEC 27001 shows up.
Sectors where Vectra most commonly applies this framework.
Banking & Finance
Cybersecurity aligned with APRA CPS 234 and CPS 230 for banks, insurers, superannuation funds and RSE licensees.
Healthcare & Pharma
Cybersecurity for hospitals, health services, life-sciences and aged care - where patient safety and sensitive health data never pause.
eCommerce & Retail
PCI DSS 4.0, bot defence and checkout-fraud protection for retailers, marketplaces and D2C brands.
Aviation & Logistics
Cybersecurity for airports, airlines, freight forwarders, ports and supply-chain operators under SOCI, MTOFSA and ICAO.
Critical Infrastructure
SOCI Act-aligned OT/ICS cybersecurity for energy, water, telecommunications, transport and data-storage operators.
Security, engineered around you.
Talk to an engineer - not a call centre. Most Vectra conversations start with a 30-minute technical briefing and end with a written plan.