International Standard · Voluntary (commercially required) · ISO/IEC 27001:2022 (updated October 2022)

ISO 27001: Information Security Management System

ISO/IEC 27001:2022 — Information Security, Cybersecurity and Privacy Protection — issued by International Organization for Standardization & International Electrotechnical Commission.

Standard: ISO/IEC 27001:2022
Annex A controls: 93 (down from 114 in 2013)
Control themes: 4 — Organisational, People, Physical, Technological
New controls: 11 added in 2022 revision
Certification: 3-year cycle: Stage 1 + Stage 2 + annual surveillance
Recognised in: 150+ countries
OVERVIEW

What is ISO 27001?

ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). It specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS, and is the most widely recognised information security certification in the world. The 2022 revision restructured Annex A from 114 controls into 93 controls organised under four themes — Organisational, People, Physical, and Technological — and added 11 new controls covering threat intelligence, cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, web filtering, secure coding, and monitoring activities.

In Qatar, ISO 27001 is increasingly a commercial requirement — government tenders, enterprise procurement teams, and regulated sector suppliers commonly require certification or equivalent evidence of security maturity. ISO 27001 also shares extensive control overlap with Qatar's NIA framework, making integrated implementation the most efficient path for organisations subject to both.

Certification follows a three-year cycle: Stage 1 (documentation review), Stage 2 (certification audit), and annual surveillance audits in years 2 and 3, with full recertification in year 4. Certification bodies must themselves be accredited by an IAF-recognised national accreditation body.

APPLICABILITY

Who must comply with ISO 27001?

  • Organisations seeking commercial differentiation through internationally recognised security certification
  • Suppliers to enterprise, government, and regulated sector clients that require ISO 27001 in procurement
  • Qatar organisations seeking efficient dual-compliance with NIA
  • Cloud service providers and SaaS vendors selling to security-conscious customers
  • Financial services, healthcare, and critical infrastructure operators globally

CONTROL DOMAINS

ISO 27001 structure at a glance

The ISO 27001 framework is organised into the following control areas. Vantage GRC pre-maps each one so evidence collected once contributes to your compliance picture across overlapping frameworks.

Organisational Controls (37)

Policies for information security
Information security roles and responsibilities
Threat intelligence (NEW in 2022)
Information security in supplier relationships
Cloud services security (NEW in 2022)
Information security incident management

People Controls (8)

Screening
Terms and conditions of employment
Information security awareness, education and training
Disciplinary process
Confidentiality or non-disclosure agreements

Physical Controls (14)

Physical security perimeters
Physical entry controls
Securing offices, rooms and facilities
Physical security monitoring (NEW in 2022)
Equipment maintenance and secure disposal

Technological Controls (34)

Access control and identity management
Cryptography
Secure system architecture and engineering
Network security
Configuration management (NEW in 2022)
Information deletion (NEW in 2022)
Data masking (NEW in 2022)
Data leakage prevention (NEW in 2022)
Web filtering (NEW in 2022)
Secure coding (NEW in 2022)
KEY REQUIREMENTS

What ISO 27001 requires you to do

  1. Define ISMS scope, information security policy, and risk assessment methodology aligned to ISO 27005.
  2. Conduct a formal risk assessment and produce a Statement of Applicability (SoA) covering all 93 Annex A controls.
  3. Implement applicable controls and maintain documented evidence of operating effectiveness.
  4. Conduct internal audits, management reviews, and continual improvement cycles.
  5. Pass Stage 1 (documentation) and Stage 2 (operational) audits by an accredited certification body.
  6. Maintain certification through annual surveillance audits and full recertification every three years.

HOW VANTAGE HELPS

Vantage's approach to ISO 27001

Vantage GRC ships with the complete ISO 27001:2022 Annex A control library, dual-mapped against Qatar NIA so evidence collected for one satisfies the other. Built-in SoA generator, risk register aligned to ISO 27005, and audit workflow designed by ISO 27001 Lead Auditors with two decades of Qatar practitioner experience. End-to-end consulting support is available alongside the platform — gap assessment, ISMS build, internal audit, and certification audit support.

RELATED FRAMEWORKS

ISO 27001 works alongside

FAQ

ISO 27001 questions

What changed between ISO 27001:2013 and ISO 27001:2022?

Annex A was restructured from 114 controls into 93 controls organised under four themes (Organisational, People, Physical, Technological), with 11 new controls added covering threat intelligence, cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, web filtering, secure coding, and monitoring activities. The clause-level requirements (clauses 4-10) saw smaller refinements emphasising leadership, risk-based thinking, and continual improvement.

How long does ISO 27001 certification take?

Most Qatar organisations achieve certification in 4-9 months from gap assessment to passing the Stage 2 audit, depending on size, current maturity, and pace of ISMS implementation. The certification cycle then runs three years with annual surveillance audits.

Does ISO 27001 satisfy Qatar NIA requirements?

ISO 27001 and NIA share extensive control overlap. An organisation operating an active ISO 27001 ISMS can leverage existing controls to satisfy a substantial portion of NIA requirements. Vantage's dual-mapping ensures evidence collected once contributes to both compliance pictures simultaneously.

Who can certify an organisation against ISO 27001?

Only certification bodies accredited by an IAF-recognised national accreditation body can issue valid ISO 27001 certificates. Common bodies operating in Qatar and the GCC include BSI, BSI MEA, Bureau Veritas, DNV, SGS, and TÜV.

Ready to operationalise ISO 27001 compliance?

Talk to a Vantage GRC consultant about your ISO 27001 programme — pre-mapped controls, evidence management, and audit-ready dashboards. Doha-based.
