
An IT Leader’s Guide to Getting the ISO/IEC 27001 Certification in 2025

A practical guide for IT leaders and SaaS companies to understand ISO/IEC 27001 and implement its 14 domains in your organization.

Modified on Sep 14, 2025 | 15 minutes

Between evolving cyber threats, regulatory requirements, and the constant pressure to protect sensitive data, IT leaders have a lot on their plates. That’s where ISO/IEC 27001 comes in. Think of it as a trusted roadmap that helps you navigate the complexities of securing your organization’s information.

This blog explains the 14 domains of ISO/IEC 27001 and provides a practical roadmap for IT leaders to achieve certification—helping teams strengthen security practices, meet compliance requirements, and build customer trust.

TL;DR

  • ISO/IEC 27001 is the globally recognized standard for building and maintaining an Information Security Management System (ISMS) that protects sensitive data and proves compliance.
  • The 14 domains of ISO/IEC 27001 (the Annex A control areas of the 2013 edition; the 2022 revision regroups the same controls into four themes) cover everything from policies and governance to access control, operations security, and supplier management, ensuring a comprehensive approach.
  • The certification process typically takes 6–12 months, including implementation, evidence collection, and external audits, with smaller organizations sometimes completing it faster.
  • Stitchflow helps IT leaders extend ISO/IEC 27001 controls to SaaS by continuously auditing every app, eliminating orphaned accounts, and producing audit-ready access reports across 100% of the stack.

What is ISO/IEC 27001?

ISO/IEC 27001, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is the internationally recognized standard for managing information security. It specifies the requirements for establishing, operating, monitoring and improving a risk-based Information Security Management System, covering the policies you write, the risks you assess and treat, and the controls you operate; an accredited certification body then audits your system against those requirements.

This certification demonstrates to clients and partners that your organization meets global security standards.

💡ISO/IEC 27001 vs SOC 2: ISO/IEC 27001 is an international standard for building a full Information Security Management System (ISMS) and can be certified anywhere in the world. SOC 2 is an attestation framework defined by the AICPA and used mainly in North America, in which a CPA firm reports on how well a service organization's controls protect customer data against the Trust Services Criteria. ISO/IEC 27001 results in a certificate issued by an accredited certification body; SOC 2 results in an attestation report (Type 1 at a point in time, Type 2 over a period of operation).

📚Also read: Guide to SOC 2 Compliance

An Information Security Management System (ISMS) is the set of policies, processes, roles, controls and records that your organization actually operates to manage information security risk. ISO/IEC 27001 is the international standard that defines the requirements such an ISMS must meet.

💡Think of it this way: if ISO/IEC 27001 is the blueprint, your ISMS is the house you build from it. The standard provides the specifications and rules, while your ISMS is the customized implementation that fits your organization’s specific needs and risks.

This relationship allows organizations to systematically manage information security risks, ensure policies are followed, and achieve internationally recognized certification when the ISMS meets the standard’s requirements.

⏱️The ISO/IEC 27001 certification process typically takes 6–12 months, covering implementation, internal review, and external audit feedback. Smaller organizations with an established ISMS may complete it in around 3 months.

What are the 14 domains of ISO/IEC 27001?

The 14 domains described below are the Annex A control areas of ISO/IEC 27001:2013 (A.5 through A.18), which is how most existing ISMS documentation, Statements of Applicability and audit checklists are still organized. The 2022 revision of the standard regroups the same subject matter into four themes (organizational, people, physical and technological controls) with 93 controls, and certifications issued against the 2013 edition must transition to the 2022 edition by 31 October 2025. The domains remain a practical way to divide the work; if you are certifying to the 2022 edition, map each domain to the corresponding 2022 controls in your Statement of Applicability. Together they cover everything from risk management to physical security, ensuring a comprehensive approach to protecting your organization's data.

1. Information security policies

Think of information security policies as the guiding rules for keeping your organization’s data safe. They should reflect your company’s goals, build on existing security practices, and follow any legal or contractual requirements. 

Good policies also take into account past risk assessments and input from your team, so they stay relevant as threats and business needs change.

2. Organization of information security

This domain is about how your organization sets itself up to manage information security. It defines who’s responsible for what, how governance is structured, and how security ties into overall corporate oversight. A solid setup includes an org chart, clearly documented roles and responsibilities, a security governance framework, and the right contacts for internal teams or external partners.

💡In SaaS-heavy environments, it also means thinking beyond core systems—governance must extend across every app, domain, and team. That’s the only way to keep identities consistent and ensure accountability doesn’t get lost in the sprawl. 

3. Human resource security

People are often the weakest link in security, which makes it essential to set clear expectations before, during, and after employment. This includes well-defined job roles, security responsibilities, and contracts with the right clauses built in—plus keeping records like background checks or clearances where needed.

Just as important is ongoing training and awareness, so employees stay aligned with security practices. And when someone leaves, secure offboarding is critical—every SaaS account, credential, and access point needs to be closed out so no orphaned accounts are left behind.

👉Use the free OffboardIT tool by Stitchflow to build custom offboarding checklists for different roles and ensure no accounts slip through the cracks. 

4. Asset management

This domain is about knowing what information assets you have and making sure they’re properly protected. That includes maintaining a clear inventory, classifying assets by value or sensitivity, and assigning ownership so someone is accountable for each one.

SaaS apps and user accounts are key information assets too. Shadow IT and unused licenses often slip under the radar, so strong asset management means tracking every application and account—including the hidden or disconnected apps—to keep data secure and avoid waste.

👉Get a free access review report to discover and remediate deviations from your app access policies so you stay ISO/IEC 27001 compliant.

5. Access control

Access control is about making sure the right people can access the right information while keeping unauthorized users out. This involves clear policies on who can access what, granting permissions based on job roles with no more privilege than the role needs, handling privileged and administrative accounts separately, periodically reviewing access rights with the owner of each system, and keeping records of logins and activity.

With SaaS sprawl so prevalent, this goes beyond the core systems—every app, license, and account must be included. Shadow IT, over-provisioned roles, and orphaned accounts can all undermine access control if they aren’t continuously audited and cleaned up.

👉 Use the free RBAC App Access Matrix by Stitchflow to visualize, track, and review app permissions across roles, teams, and locations.
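One way to run the review that the access control section (and the offboarding and asset management sections before it) calls for, as an added example for this article rather than Stitchflow's code or any vendor's API: reconcile each app's user export against the HR or identity-provider roster and a role policy, and raise a finding for every account that has no roster entry, belongs to someone who has left, holds a role the policy does not allow for that person's team, or has gone unused. The roster, the app exports, the role policy and the review date are all constructed inline, and the field names (email, status, team, role, last_login) are assumptions, not a real export schema.

```python
"""Access review reconciliation across SaaS app user exports.

Added example for this article (not Stitchflow code, not any vendor's API).
All inputs below are constructed; the field names email/status/team/role/
last_login are assumptions, not a real export schema.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR / identity-provider roster: the source of truth for who
# should hold access at all.
ROSTER = {
    "alice@example.com": {"status": "active", "team": "engineering"},
    "bob@example.com": {"status": "active", "team": "finance"},
    "carol@example.com": {"status": "terminated", "team": "engineering"},
}

# Constructed per-app user exports, as an admin console or API would list them.
APP_USERS = {
    "github": [
        {"email": "alice@example.com", "role": "admin", "last_login": "2025-09-10"},
        {"email": "carol@example.com", "role": "member", "last_login": "2025-08-30"},
        {"email": "ext-contractor@gmail.com", "role": "member", "last_login": "2025-03-01"},
    ],
    "salesforce": [
        {"email": "bob@example.com", "role": "admin", "last_login": "2025-09-12"},
        {"email": "alice@example.com", "role": "admin", "last_login": "2025-04-01"},
    ],
}

# Assumed role policy (which teams may hold which roles in which app); in
# practice this comes from the organization's RBAC matrix.
ALLOWED_ROLES = {
    "github": {"engineering": {"admin", "member"}},
    "salesforce": {"finance": {"admin", "user"}, "engineering": {"user"}},
}

TODAY = date(2025, 9, 14)  # fixed review date so the example is reproducible


@dataclass(frozen=True)
class Finding:
    app: str
    email: str
    issue: str
    detail: str


def review_access(roster, app_users, allowed_roles, today, dormant_days=90):
    """Compare each app's users against the roster and role policy.

    Raises one finding per problem: accounts unknown to the roster, accounts
    belonging to people who have left, roles outside the policy for the
    person's team, and accounts unused for longer than dormant_days.
    """
    findings = []
    for app, users in app_users.items():
        for user in users:
            email = user["email"]
            person = roster.get(email)
            if person is None:
                findings.append(Finding(app, email, "unmanaged account",
                                        "not in HR/IdP roster"))
                continue
            if person["status"] != "active":
                findings.append(Finding(app, email, "orphaned account",
                                        f"roster status is {person['status']}"))
                continue
            allowed = allowed_roles.get(app, {}).get(person["team"], set())
            if user["role"] not in allowed:
                findings.append(Finding(app, email, "over-provisioned",
                                        f"role {user['role']} not allowed for team {person['team']}"))
            idle = (today - date.fromisoformat(user["last_login"])).days
            if idle > dormant_days:
                findings.append(Finding(app, email, "dormant",
                                        f"no login for {idle} days"))
    return findings


def run_review():
    """Run the review over the constructed data; returns the findings list."""
    return review_access(ROSTER, APP_USERS, ALLOWED_ROLES, TODAY)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.app:<11} {f.email:<28} {f.issue:<18} {f.detail}")
```

Each finding maps to an action the access review register needs: remove or justify the unmanaged contractor account, deprovision the orphaned account and check for any activity since the termination date, downgrade the over-provisioned role, and have the owner confirm whether the dormant account is still needed. Running this on a schedule, per app, is the continuous audit the section describes, and the list of findings with an owner and a resolution date is the evidence an auditor will ask for.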

6. Cryptography

Cryptography protects the confidentiality, integrity and authenticity of sensitive data, both in transit and at rest. A policy should state which algorithms, protocol versions and key lengths are approved (and which are forbidden), and key management procedures should cover the whole key lifecycle: generation, storage, access, rotation, revocation and destruction. Documenting this is what lets you show an auditor, and yourself, that encryption is applied consistently rather than app by app, and that it satisfies the regulations that apply to your data.

7. Physical and environmental security

Physical and environmental security safeguards your organization’s hardware, infrastructure, and data from unauthorized access, damage, or environmental hazards. It involves access controls, monitoring, and maintenance records, along with policies that address potential threats, keeping both people and equipment protected.

8. Operations security

Operations security is about safeguarding day-to-day IT processes and keeping risks under control. This covers documented operating procedures, change and capacity management, malware protection, backups with tested recovery, logging and monitoring (including protecting the logs themselves and keeping clocks synchronized), vulnerability management, and separating development, test and production environments.

In a SaaS-driven environment, these practices must also account for risks such as orphaned accounts, hidden users, and unused licenses that accumulate across cloud applications. Continuous logging and audit records—spanning both core systems and SaaS apps—are essential for detecting issues early and maintaining secure, reliable operations.

👉 Use the free Shadow IT Discovery Tool by Stitchflow to uncover hidden SaaS usage, identify unmanaged accounts, and track new apps before they become risks.
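The operations security section above says continuous logging is what lets you detect orphaned accounts early; the concrete check is to look in each app's audit log for activity by people after their offboarding date. The following Python is an added example for this article, not Stitchflow code; its log lines are constructed to resemble a key=value audit export, and the field names (ts, app, user, event, result) and the HR cutoff timestamps are assumptions rather than any vendor's real schema.

```python
"""Detecting post-offboarding activity in SaaS audit logs.

Added example for this article (not Stitchflow code). The log lines are
constructed to resemble a key=value audit export; the field names ts/app/
user/event/result are assumptions, not any vendor's real log schema.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed: when each person's offboarding was completed in HR. Any
# successful activity after this point means an account was missed.
TERMINATED = {
    "carol@example.com": datetime(2025, 8, 29, 17, 0, tzinfo=timezone.utc),
}

# Constructed audit-log export, one event per line.
LOG_LINES = """\
ts=2025-08-28T09:12:44Z app=github user=carol@example.com event=login result=success
ts=2025-08-30T07:01:10Z app=github user=carol@example.com event=login result=success
ts=2025-08-30T07:03:52Z app=github user=carol@example.com event=repo.clone result=success
ts=2025-09-01T12:30:00Z app=salesforce user=carol@example.com event=login result=failure
ts=2025-09-02T10:15:31Z app=github user=alice@example.com event=login result=success
""".splitlines()

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one key=value log line into a dict; ts becomes an aware datetime."""
    fields = dict(FIELD_RE.findall(line))
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return fields


def post_termination_events(lines, terminated):
    """Return parsed events belonging to terminated users, after their cutoff."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        cutoff = terminated.get(event["user"])
        if cutoff is not None and event["ts"] > cutoff:
            hits.append(event)
    return hits


def summarize(hits):
    """Count hits per app and result. A success after the cutoff means the
    account is still live there; a failure is consistent with it having been
    disabled but still existing."""
    summary = defaultdict(Counter)
    for event in hits:
        summary[event["app"]][event["result"]] += 1
    return {app: dict(counts) for app, counts in summary.items()}


def run_detection():
    """Run the check over the constructed log; returns the per-app summary."""
    return summarize(post_termination_events(LOG_LINES, TERMINATED))


if __name__ == "__main__":
    for event in post_termination_events(LOG_LINES, TERMINATED):
        print(event["ts"].isoformat(), event["app"], event["user"],
              event["event"], event["result"])
    print(run_detection())
```

In the constructed data, carol's GitHub account still logs in and clones a repository the day after her termination, while her Salesforce login fails: a failure after the cutoff is consistent with that account having been disabled, a success means offboarding missed the app. A per-app summary like this, kept with the offboarding ticket, is evidence for both the access control and the incident management domains; any post-termination success should be handled as a security event, not just a cleanup task.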

9. Communications security

Communications security protects information as it moves across networks and safeguards the supporting infrastructure. Key aspects include network security policies, segregation of networks, encryption for data in transit, activity monitoring, and documented rules for information transfer (including agreements with third parties and the handling of messaging), along with records of network configurations and incidents, helping prevent interception, alteration, or misuse of data.

10. System acquisition, development, and maintenance

This domain focuses on building security into information systems throughout their entire lifecycle—from design and development to maintenance and eventual disposal. It involves: 

  • Incorporating security requirements into system specifications
  • Protecting data during application processing
  • Documenting security features, technical reviews, and change controls 

Clear acceptance criteria and records help maintain security as systems evolve over time.

11. Supplier relationships

Here, you focus on making sure suppliers handle your information securely. This includes having contracts with security requirements, understanding their security policies, and keeping records of assessments and audits. 

You also track which suppliers have access to your data and set up clear procedures for reporting and responding to incidents involving them.

12. Information security incident management

Effective incident management defines how your organization detects, reports and responds to security events. It includes a policy that says what must be reported and to whom, assigned roles for handling an incident, contact lists, reporting templates, procedures for collecting and preserving evidence, and records of past incidents. Preparing for recovery and business continuity ensures that incidents are addressed quickly, and a review after each incident ensures lessons are applied to prevent future issues.

13. Information security aspects of business continuity management

Integrating information security into business continuity planning ensures your organization can prevent, respond to, and recover from disruptions without compromising sensitive data. 

This includes maintaining continuity and disaster recovery plans, conducting risk assessments and business impact analyses, and testing and updating these plans regularly to keep them effective.

14. Compliance

Compliance ensures your organization meets all legal, regulatory, and contractual requirements for information security. It involves keeping track of applicable laws, conducting regular audits and assessments, and maintaining records of data protection reviews. 

Training staff and documenting procedures helps demonstrate that your organization consistently follows these requirements.

Key action items across the 14 ISO/IEC 27001 domains

To turn ISO/IEC 27001 principles into practice, IT leaders need a clear set of actionable steps. The table below summarizes the essential actions for each domain, helping you organize responsibilities, track progress, and build a robust information security framework.

Domain: key action items

  • Information security policies: Develop and communicate information security policies, and review and update them regularly.
  • Organization of information security: Define roles and responsibilities, establish an information security committee, and integrate security into overall governance.
  • Human resource security: Conduct background checks, provide regular security training for employees, and establish disciplinary procedures for security breaches.
  • Asset management: Inventory all information assets, maintain an up-to-date asset register, classify assets according to value and sensitivity, and assign ownership for each asset.
  • Access control: Define and implement access control policies, align user access rights with job roles, and manage the provisioning and removal of access as needed.
  • Cryptography: Implement cryptographic controls, manage and protect cryptographic keys, and update cryptographic policies regularly.
  • Physical and environmental security: Secure physical perimeters, control access to sensitive areas, and manage equipment to prevent loss, damage, or theft.
  • Operations security: Implement operational procedures, manage change and capacity, protect against malware, and monitor system use to detect anomalies.
  • Communications security: Implement network security controls, segregate networks when necessary, secure network services, protect information in transit, and monitor all network communications.
  • System acquisition, development, and maintenance: Integrate security into system requirements, protect against data loss, and ensure secure installation, maintenance, and disposal of systems.
  • Supplier relationships: Include security clauses in supplier agreements, manage and monitor supplier services, and regularly review supplier security policies and practices.
  • Information security incident management: Maintain incident response and management procedures, report security events promptly, and learn from incidents to improve processes.
  • Information security aspects of business continuity management: Develop continuity plans that include information security, conduct regular testing, and integrate security into overall business continuity processes.
  • Compliance: Identify applicable legal, regulatory, and contractual requirements, and conduct regular compliance reviews and audits.

ISO/IEC 27001 certification implementation roadmap for IT teams

Achieving ISO/IEC 27001 certification can feel complex, but breaking it down into key phases makes the process more manageable. Here’s a simplified roadmap to guide your organization:

1. Gap analysis

The first step is to benchmark your current information security practices against ISO/IEC 27001 requirements. You need to check where policies, procedures, and controls are missing or weak. 

Key activities include:

  • Reviewing existing policies, procedures, and controls
  • Comparing current practices with ISO/IEC 27001 Annex A controls
  • Engaging stakeholders from IT, HR, legal, facilities, and business units
  • Documenting findings in a gap analysis register with owners, target dates, and status

‼️Don’t underestimate documentation requirements. The standard mandates specific documented information, among it the ISMS scope, the information security policy, the risk assessment and risk treatment methodology, the risk treatment plan, and the Statement of Applicability (which lists every Annex A control with a justification for including or excluding it); these must exist and be approved before the Stage 1 audit. Avoid a “checkbox” approach: focus on controls that measurably reduce organizational risk and record the reasoning, because auditors test whether a control addresses the risk you identified, not just whether it exists.

2. Implementation planning

After identifying gaps, the next phase is building your Information Security Management System (ISMS). Structure the work around the 14 ISO/IEC 27001 domains, covering everything from policies and risk management to access control and supplier relationships.

Start with high-risk areas and mandatory documentation, and implement in phases:

  • Assign ownership for each control and define responsibilities
  • Plan training and awareness programs
  • Set up evidence collection processes to include logs, training records, incident reports, and vendor assessments

For risk treatment, not all risks require technical controls—some can be accepted, transferred, or avoided—but every decision should be clearly documented.

‼️Plan for operating evidence. The standard sets no fixed minimum, but many certification bodies expect at least three months of operational records (logs, completed access reviews, training records, an internal audit and a management review) before conducting the Stage 2 audit, so start collecting as soon as each control goes live.

3. Certification audit

Once your ISMS is in place and evidence has been collected, it’s time for the certification audit. This typically has two stages: Stage 1 is a review of the ISMS documentation and your readiness (often remote), and Stage 2 assesses whether the controls are actually implemented and operating effectively, through interviews, sampled records and observation, usually on site.

During the audit, senior leadership may be interviewed about their commitment, resource allocation, and understanding of the ISMS. Internal audits conducted 2–3 months beforehand help resolve gaps proactively.

‼️Certification costs extend beyond the audit fees. Factor in travel expenses, staff time, and potential corrective action implementation.

📚Also read: How to audit-proof your SaaS stack

4. Post-certification maintenance

Certification isn’t something you do once and forget. Keep your ISMS alive with regular monitoring, internal audits, management reviews, and timely updates. Rotate internal auditors across different areas to stay objective and avoid knowledge gaps. 

💡Certificates are valid for three years. Surveillance audits in years one and two check that the ISMS is still operating (for a small organization these often take a day or two), and a full recertification audit is required before the certificate expires.

Finally, make sure your ISMS evolves with business changes—whether that’s new systems, partnerships, or regulatory updates. Use metrics and reports to show leadership how well your ISMS is working and where improvements are needed.

How Stitchflow helps with ISO/IEC 27001 certification

ISO/IEC 27001 gives organizations a clear framework for building an Information Security Management System (ISMS). But when it comes to SaaS, things often fall apart. Disconnected apps, unmanaged identities, and shadow IT create gaps that identity providers and workflow tools can’t cover. 

That “last mile” gap is where ISO audits stumble—missing access records, unmanaged contractor accounts, and orphaned logins that don’t match the organization’s policies or controls.

Stitchflow closes this compliance risk by extending visibility and control across 100% of apps and users:

  • Continuously audits every SaaS app to surface orphaned accounts, hidden users, and unused licenses—risks that directly undermine secure daily operations.
  • Provides a unified governance layer across multiple apps, domains, and teams, ensuring clear accountability for identities and access beyond the core IDP.
  • Supports secure onboarding and offboarding by ensuring every SaaS account is accounted for, reducing the risk of orphaned access after employee or contractor departures.
  • Treats SaaS apps and accounts as first-class information assets, maintaining inventories and ownership records that ISO/IEC 27001 requires but most organizations struggle to track manually.
  • Produces audit-ready reports that include both federated and non-federated apps, giving IT leaders complete access to evidence without the burden of stitching together spreadsheets.

In practice, Stitchflow gives IT leaders what ISO/IEC 27001 demands: evidence that every user, across every app, is continuously monitored, appropriately provisioned, and securely deprovisioned. It transforms SaaS sprawl from a compliance liability into a managed part of the ISMS.

Book a free pilot with Stitchflow to see how continuous ISO/IEC 27001 compliance can work in your own environment. Or start smaller with a one-time done-for-you SaaS usage audit–the first report is on us.

Frequently asked questions

How long does ISO/IEC 27001 certification take?

Most organizations complete ISO/IEC 27001 certification in 6–12 months, depending on size and readiness. Smaller companies with an existing security framework may finish in as little as 3 months, while larger enterprises often take longer due to the need for cross-team alignment, documentation, and evidence gathering.

Is ISO/IEC 27001 certification mandatory?

ISO/IEC 27001 certification isn’t legally mandatory, but many industries and clients require it as a condition of doing business. For IT leaders, it’s often the most effective way to demonstrate strong security practices and win customer trust.

Where should an IT leader start?

The first step is a gap analysis, comparing your current practices to ISO/IEC 27001 requirements. From there, you can prioritize high-risk areas, build an Information Security Management System (ISMS), and gather evidence to prepare for certification audits.

What does the certification process involve?

Certification involves three phases: implementing an ISMS aligned with the standard, operating it long enough to collect evidence (most certification bodies expect around three months of records), and undergoing a two-stage external audit. Success requires leadership commitment, cross-department collaboration, and clear documentation of controls.

How much does ISO/IEC 27001 certification cost?

Costs vary based on company size, scope, and audit body, but most organizations spend between $10,000 and $50,000. Beyond audit fees, you need to factor in staff time, documentation, potential corrective actions, annual surveillance audits, and recertification every three years.

Sanjeev NC started his career in IT service desk and moved to ITSM process consulting, where he has led award-winning ITSM tool implementations. Sanjeev was also a highly commended finalist for Young ITSM Professional of the Year in itSMF UK’s annual awards.