Quiz Entry - updated: 2026.07.05
What does ISO 27001 define, and what artefacts mark its scope?
27001 defines the introduction, operation, monitoring, maintenance, and improvement of a documented ISMS — and its scope is set by the Scope statement and the Statement of Applicability (SoA).
Key facts:
- History: developed from the British Standard BS 7799-2:2002, published as ISO 27001:2005, revised 2013 and 2022.
- Defines the security process via PDCA.
- Scope — written boundary of what's covered (e.g., "the SaaS product 'Foo' and its supporting infrastructure in Zurich and Dublin").
- Statement of Applicability (SoA) — explicit list of which Annex A controls are applied, which are excluded, and why.
A company can be certified against ISO 27001 by an accredited certification body. Certificates last 3 years with annual surveillance audits.
Tip: The SoA is the most-read document in any 27001 audit. Vague SoAs ("control included") get auditors nervous; specific SoAs ("control A.8.5: applied via Okta MFA for all admin accounts") sail through.
Go deeper:
ISO/IEC 27001 — ISMS requirements, certification, SoA — the history from BS 7799, the three-stage audit, and the role of the Statement of Applicability.