- Standard: ISO/IEC 27001:2022
- What it certifies: An Information Security Management System (ISMS)
- Structure: Management clauses 4–10 plus an Annex A control catalog
- Annex A (2022): 93 controls in four themes (Organizational 37, People 8, Physical 14, Technological 34)
- Audit: Stage 1 and Stage 2 assessments by an accredited certification body
- Validity: A three-year cycle with annual surveillance audits
01 What it is
ISO/IEC 27001 is the international standard for an information security management system (ISMS): a governing system for how an organization identifies risk and then selects, operates, and continually improves controls. Unlike SOC 2, which produces an attestation report, ISO 27001 results in a formal certificate issued by an accredited certification body and recognized by buyers worldwide.
02 How it’s structured
The standard’s management clauses (4 through 10) cover context, leadership, planning, support, operation, performance evaluation, and improvement: the machinery of the ISMS. Annex A provides the control catalog. The 2022 revision consolidated the 2013 edition’s 114 controls into 93, organized across four themes: Organizational (37), People (8), Physical (14), and Technological (34). It also introduced 11 new controls reflecting modern practice, including threat intelligence, information security for use of cloud services, and secure coding. Annex A is a reference set rather than a checklist: the Statement of Applicability records which controls apply to your ISMS and justifies any exclusion.
03 How certification works
An accredited certification body first runs a Stage 1 review of your documentation and readiness, then a Stage 2 audit of the ISMS in operation. The certificate is valid for three years, with annual surveillance audits to confirm the system is being maintained and a full recertification audit at the end of the cycle. A certificate covers only the scope stated on it, so when you rely on a supplier’s certificate, check the scope statement and ask for the Statement of Applicability rather than treating the certificate alone as assurance.
04 ISO 27001 vs SOC 2
The two overlap heavily at the control level. The real differences are the deliverable (a certificate versus an attestation report) and the audience that prefers each. Many firms eventually need both; with a shared control set, the second framework is far less work than a second project.
05 What RedOps delivers
RedOps builds the ISMS and gets you to a successful Stage 2 — reusing your SOC 2 work wherever the controls align.
- ISMS scoping and the supporting documentation set
- A risk assessment and a risk treatment plan
- A Statement of Applicability mapped to the 2022 Annex A controls
- Annex A control implementation and evidence
- Internal audit and the required management review
- Liaison with your accredited certification body
- A control set shared with SOC 2 to avoid duplicate work
For how ISO 27001 and SOC 2 differ and when you genuinely need both, read the field note →