What Is ISO 27001?

ISO/IEC 27001 is an internationally recognized information security standard, developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO 27001 has been through several iterations, including ISO 27001:2013; the latest version is ISO/IEC 27001:2022.

ISO 27001 provides guidelines and a framework, with requirements for “establishing, implementing, maintaining and continually improving” an information security management system (ISMS). ISO 27001 comprises 93 risk management controls, but not all of them are required to meet compliance with the ISO 27001 standard; instead, ISO 27001 compliance is about understanding your organization’s risk level and deciding which of the 93 controls are most appropriate to mitigate the risk to its information assets.

ISO 27001 and data security

ISO 27001 requires the establishment of an ISMS framework to encapsulate the policies and procedures that protect an organization’s sensitive data, including intellectual property. This framework is based on the processes, people, technology, and procedures needed for information security controls: to secure systems and devices, and to protect sensitive information from unauthorized access that can lead to data misuse, exposure, disruption, modification, or destruction. In addition, the ISMS policies and procedures, through risk assessment, help reduce the data risk from cyberattacks and insider threats. An ISMS also helps in meeting compliance with data protection and privacy regulations, such as the General Data Protection Regulation (GDPR), by helping enforce the confidentiality, integrity, and availability of data. To complete the certification process, an organization’s ISMS requires documents such as a Statement of Applicability (SOA) and a Risk Treatment Plan (RTP).

To meet the ISO 27001 requirements, an organization needs to engage in activities such as management reviews, performance evaluations, and a risk-based review of the context of the organization. Once this is complete, it must take corrective actions to implement controls and a risk management process, including defining an ISMS scope and an asset management process.


Achieve ISO 27001 compliance with Akamai

Akamai security solutions protect against vulnerabilities, malware threats (including ransomware), data breaches, and DDoS attacks. Akamai protects your customer experience, workforce, systems, and personal and sensitive data by embedding security into everything, everywhere. The Akamai global platform ensures that an organization can detect and prevent existing and emerging threats and adapt to the changing security landscape. This is essential in maintaining ISO 27001 compliance and demonstrating continual improvement in security. The Zero Trust element of Akamai’s platform helps to create an ISO 27001-compliant environment, providing deep visibility into assets, access controls, and network flows, with granular enforcement of security policy.

How does ISO 27001 affect your organization?

ISO 27001 comprises controls covering organizational, people, physical, and technological areas. All sectors are at risk of human-centered cyberthreats that exploit access to critical systems and services.

A fundamental approach within the ISO 27001 control objectives is that of Zero Trust security. Relevant controls include:

  • Access control, to establish physical and logical access controls to information and other associated assets
  • Privileged access rights, to ensure “least privilege” access
  • Segregation of networks, as part of a Zero Trust security approach

These controls help an organization establish a Zero Trust environment.

Here are three examples of sectors that benefit from implementing Zero Trust under ISO 27001:

ISO 27001 for critical infrastructures

Attacks on critical infrastructures have devastating effects. A relevant example is the security incident at the U.S. oil supplier Colonial Pipeline. The entire Southwest of the United States was affected; all it took to circumvent operational security and infect the company with ransomware was a single compromised password. Critical infrastructures cover many vital services, including utilities, chemical manufacturers, and transport. The critical nature of these services makes them an attractive target for hackers. Unauthorized access and credential exposure, including across the wider supply chain, is a central area of focus. The increased connectivity to the broader internet and the expanded attack surface of modern connected industrial units have allowed malicious actors to open once firmly closed doors into critical systems. Implementing ISO 27001 and the associated information security policies and procedures mitigates the risk of cyberattacks on critical infrastructures.

ISO 27001 for healthcare

The wider healthcare sector is an ideal target for cybercriminals. The sector is data rich, a critical infrastructure, and highly dependent on technology and supplier relationships. As a result, healthcare institutions are at risk from many forms of cyberattack, including data breaches and ransomware. In 2024, the FBI issued an advisory for critical infrastructure entities, specifically within the healthcare industry, regarding ongoing ransomware threats. The FBI’s Internet Crime Complaint Center received more reports of ransomware attacks targeting healthcare in 2022 than for any other critical infrastructure sector. As a complex service, healthcare can benefit from the rigor required to implement an ISMS as part of ISO 27001 certification. A Zero Trust approach to information security risks will ensure that healthcare organizations can control access to sensitive data and maintain control over critical systems and services.

ISO 27001 for financial services

A 2023 International Monetary Fund (IMF) survey across 51 countries found that cyberthreats against financial institutions are “proliferating,” indicating that a proper response by the sector is urgently needed. The financial industry suffers a variety of cyberattacks, including ransomware, data breaches, and DDoS attacks. The 2022 Verizon Data Breach Investigations Report broke the types of attack against the financial sector down into “Ransomware, Use of Stolen Creds, and Phishing,” which together covered 80% of breaches. With stolen credentials playing an integral role in most attacks in the sector, ISO/IEC 27001 provides critical mechanisms for the financial sector to enforce a Zero Trust approach to unauthorized access.

Business benefits of ISO 27001

Data security is a recognized competitive advantage. Achieving ISO 27001 certification helps prove to customers, clients, and other stakeholders that your company takes information security seriously and has business continuity management in place. Being ISO 27001 compliant means that you have created a secure environment, based on an ISMS, that mitigates your data security risks and helps minimize risks for the companies you do business with.

Going through the process of implementing a set of controls to manage information security threats and improve incident management means your organization has performed a data security gap analysis and is at lower risk of cyberattacks and accidental data exposure. This translates into fewer data breaches and a reduced likelihood of fines and other penalties for noncompliance with regulations.

The ISO 27001 controls and framework map to other data protection regulations and frameworks, such as GDPR and the NIST Cybersecurity Framework (CSF). Therefore, holding ISO 27001 certification helps with compliance with these other data protection regulations.

Frequently Asked Questions (FAQ)

ISO 27001 centers on the organization-wide design and implementation of an ISMS; SOC 2 provides a comprehensive security framework to achieve this. SOC 2 compliance requires an organization to prove it has implemented a series of essential security controls to protect information. In other words, ISO 27001 takes an organization through a comprehensive development and implementation of an ISMS, including an internal audit, but SOC 2 focuses on a narrower audit of security controls.

Further differences include that ISO 27001 is an internationally recognized certification standard, whereas SOC 2 is a set of external audits carried out by an independent certified public accountant (CPA). Although it is not a certification audit, SOC 2 may reveal additional nonconformities during the audit process.

ISO/IEC 27001 is a widely recognized international standard that sets out the requirements for an ISMS. It is used by organizations of any size or type that require assurance that their information security risks are being managed. This includes organizations in the public and private sectors, small and medium-sized businesses, large companies, nonprofit organizations, and government agencies, all of which can benefit from the comprehensive Annex A controls for the security of their information systems.


Although it is sometimes referred to as ISO 27001, the official abbreviation for the international standard on requirements for information security management is ISO/IEC 27001. That is because it has been jointly published by ISO and the International Electrotechnical Commission (IEC). The number indicates that it was published under the responsibility of Subcommittee 27 (on Information Security, Cybersecurity and Privacy Protection) of ISO’s and IEC’s Joint Technical Committee on Information Technology (ISO/IEC JTC 1).

Certification to ISO/IEC 27001 is one way to demonstrate to interested parties that your organization is committed and able to manage information securely and safely. Holding a certificate issued by an accredited certification body may bring an additional layer of confidence, as an accreditation body has provided independent confirmation of the certification body’s competence. If you wish to use a logo to demonstrate certification, contact the certification body that issued the certificate. As in other contexts, standards should always be referred to with their full reference, for example “certified to ISO/IEC 27001:2022” (not just “ISO 27001 certified”).

Why customers choose Akamai

Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.
