LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What does ISO 27001 define, and what artefacts mark its scope?

27001 defines the introduction, operation, monitoring, maintenance, and improvement of a documented ISMS — and its scope is set by the Scope statement and the Statement of Applicability (SoA).

Key facts:

  • History: developed from the British Standard BS 7799-2:2002, published as ISO 27001:2005, revised 2013 and 2022.
  • Defines the security process via PDCA.
  • Scope — written boundary of what's covered (e.g., "the SaaS product 'Foo' and its supporting infrastructure in Zurich and Dublin").
  • Statement of Applicability (SoA) — explicit list of which Annex A controls are applied, which are excluded, and why.

A company can be certified against ISO 27001 by an accredited certification body. Certificates last 3 years with annual surveillance audits.

Tip: The SoA is the most-read document in any 27001 audit. Vague SoAs ("control included") get auditors nervous; specific SoAs ("control A.8.5: applied via Okta MFA for all admin accounts") sail through.

Go deeper:

From Quiz: ISF / ISMS & Security Standards (ISO 27k, NIST, BSI) | Updated: Jul 05, 2026