Anacruses Associates Ltd
ISO 27001:2022

Information Security Management Systems

Protect your data, prove it to clients, and meet the security requirements that IT, finance, and healthcare supply chains increasingly demand.

What is ISO 27001?

ISO 27001:2022 is the international standard for Information Security Management Systems. It provides a structured framework for identifying, assessing and managing information security risks — protecting the confidentiality, integrity and availability of your data and the data your clients entrust to you.

ISO 27001 certification is recognised globally as the gold standard for information security governance. It is increasingly a contractual requirement in technology, financial services, healthcare, and public sector supply chains, and is now routinely required by cyber insurers as a condition of cover.

Who needs ISO 27001?

ISO 27001 is particularly relevant for businesses that:

  • Handle sensitive client data, personal data, or confidential business information
  • Supply IT, software, cloud, or managed services to other businesses
  • Operate in financial services, healthcare, legal, or public sector
  • Are required by clients or contracts to demonstrate information security controls
  • Want to strengthen their cyber insurance position or reduce premiums
  • Have experienced or want to prevent data breaches, ransomware, or security incidents
  • Need to demonstrate compliance with UK GDPR alongside their data protection obligations

ISO 27001:2022 — the updated standard

The 2022 revision of ISO 27001 introduced a significantly updated set of Annex A controls — 93 controls across four themes (Organisational, People, Physical, and Technological), replacing the 114 controls from the 2013 version. Organisations certified to the 2013 standard were required to transition to the 2022 version by October 2025. All new certifications are now to the 2022 standard.

Anacruses has been implementing the 2022 standard since its publication and has guided multiple organisations through the transition process.

How Anacruses helps

ISO 27001 implementation is more involved than quality or environmental management — it requires a formal risk assessment, a Statement of Applicability, and evidence that all 93 Annex A controls have been considered and, where applicable, implemented. We manage all of this.

  1. Gap Analysis
  2. Risk Assessment
  3. Controls & Docs
  4. Internal Audit
  5. Certification

Typical implementation timeline: 12–20 weeks, depending on your organisation's size, existing security controls, and the complexity of your information assets.

ISO 27001 and UK GDPR

ISO 27001 and UK GDPR are complementary. Many of the technical and organisational measures required by GDPR Article 32 are addressed directly by ISO 27001 Annex A controls. Achieving ISO 27001 certification strengthens your GDPR compliance position and provides documented evidence of your information security measures — valuable in the event of an ICO investigation.

Ready to get ISO 27001 certified?

Book a free consultation and we will explain exactly what the 2022 standard requires and how long implementation will take for your business.
