ISO 27001:2022 is the international standard for Information Security Management Systems (ISMS), with 93 Annex A controls.
ISO 27001 is the international reference standard for information security. In an environment where cyberattacks on companies multiply every year, where the GDPR demands technical and organisational measures to protect personal data, and where the ENS (Spanish National Security Framework) binds public sector suppliers, ISO 27001 certification has become a first-order strategic asset for Spanish companies. In this pillar guide I cover the current version (ISO 27001:2022) with requirements, costs, FAQ, a real case and a checklist, so that you can decide on an informed basis.
What is an ISMS and why do you need one?
An Information Security Management System (ISMS) is the set of policies, procedures, technical controls and management processes an organisation establishes to protect the confidentiality, integrity and availability of its information. It is not just technology: an ISMS covers people, processes and technology in an integrated way.
ISO 27001 provides the framework for establishing, implementing, maintaining and continuously improving an ISMS. Its approach is risk-management based: you identify the risks threatening your information, assess their probability and impact, select the appropriate controls to reduce risk to an acceptable level and monitor that everything works.
What is new in ISO 27001:2022
The 2022 version updated Annex A controls, moving from 114 controls organised in 14 domains to 93 controls organised in 4 themes:
- Organisational controls (37 controls): policies, roles, risk management, third parties, compliance.
- People controls (8 controls): selection, training, disciplinary, departure.
- Physical controls (14 controls): security of facilities, equipment, supplies, waste.
- Technological controls (34 controls): access control, encryption, networks, backups, vulnerability management.
The 11 controls that are new in the 2022 version (the remaining changes are merges and renames of 2013 controls) are:
- 5.7 Threat intelligence.
- 5.23 Information security for use of cloud services.
- 5.30 ICT readiness for business continuity.
- 7.4 Physical security monitoring.
- 8.9 Configuration management.
- 8.10 Information deletion.
- 8.11 Data masking.
- 8.12 Data leakage prevention (DLP).
- 8.16 Monitoring activities.
- 8.23 Web filtering.
- 8.28 Secure coding.
Risk analysis: the heart of the ISMS
Risk analysis is the central exercise of ISO 27001: clause 6.1.2 requires you to define risk acceptance criteria and a repeatable assessment method before you assess anything. Unlike the ENS (Spanish National Security Framework), whose CCN-STIC guidance points to MAGERIT, ISO 27001 allows any recognised methodology. The most used are:
- ISO 27005: specific guide for information security risks.
- ISO 31000: general risk management framework.
- MAGERIT: especially useful if you also need to comply with ENS.
- OCTAVE.
The process includes identifying information assets, identifying threats and vulnerabilities, evaluating impact and probability, calculating the risk level (typically impact × probability on a qualitative scale), selecting the risk treatment (mitigate, transfer, accept or avoid) and determining the residual risk, which must fall within the acceptance criteria approved by management.
The Statement of Applicability (SOA)
The Statement of Applicability is a mandatory document linking the 93 Annex A controls with their implementation status in the organisation. For each control, you must indicate:
- Whether it applies or does not apply with documented justification.
- Implementation status (not implemented, partial, complete).
- Available evidence.
It is the bridge document between the risk analysis and the implementation of controls, and one of the first documents auditors review: every control a risk treatment relies on must appear as applicable in the SOA, and every exclusion must be justified. An inconsistent SOA is one of the most common sources of findings in the external audit.
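As a worked example, added here and not part of the author's method or deliverables, the following Python model shows the bridge role of the SOA in code. It links a constructed risk register (impact and likelihood on 1..5 scales, risk level = impact × likelihood, with red-zone and acceptance thresholds chosen for the example) to an SOA keyed by Annex A control numbers, and runs the cross-checks an auditor applies: red-zone risks that are merely accepted, mitigations that reference no control, treatments that rely on controls excluded or not yet implemented, exclusions without justification, and "complete" controls without evidence. The asset names, threats, thresholds and SOA entries are constructed; only the control identifiers are the real ISO/IEC 27001:2022 Annex A numbers.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed qualitative scales for the example: impact and likelihood 1..5,
# risk level = impact x likelihood. The thresholds are this example's assumption,
# not values from ISO 27001 (the standard only requires that acceptance criteria exist).
RED_ZONE = 15    # inherent risk >= 15: must be mitigated, transferred or avoided
ACCEPTABLE = 6   # residual risk <= 6: may be accepted by management


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    threat: str
    impact: int
    likelihood: int
    treatment: str                        # "mitigate" | "transfer" | "accept" | "avoid"
    controls: Tuple[str, ...] = ()        # Annex A control ids the treatment relies on
    residual_impact: Optional[int] = None
    residual_likelihood: Optional[int] = None

    def inherent(self) -> int:
        return self.impact * self.likelihood

    def residual(self) -> int:
        # No residual estimate recorded -> nothing has reduced the risk yet.
        if self.residual_impact is None or self.residual_likelihood is None:
            return self.inherent()
        return self.residual_impact * self.residual_likelihood


@dataclass(frozen=True)
class SoaEntry:
    applicable: bool
    status: str          # "not implemented" | "partial" | "complete"
    justification: str   # mandatory for exclusions
    evidence: str = ""   # where the auditor can verify the control


def red_zone(risks) -> List[str]:
    """Risk ids whose inherent level is at or above the red-zone threshold."""
    return [r.risk_id for r in risks if r.inherent() >= RED_ZONE]


def check_consistency(risks, soa: Dict[str, SoaEntry]) -> List[str]:
    """Cross-check the risk treatment plan against the SOA, as an auditor would."""
    findings = []
    for r in risks:
        if r.treatment == "accept" and r.inherent() >= RED_ZONE:
            findings.append(f"{r.risk_id}: red-zone risk ({r.inherent()}) is simply accepted")
        elif r.treatment == "accept" and r.residual() > ACCEPTABLE:
            findings.append(f"{r.risk_id}: accepted residual risk {r.residual()} exceeds {ACCEPTABLE}")
        if r.treatment == "mitigate" and not r.controls:
            findings.append(f"{r.risk_id}: treatment 'mitigate' references no Annex A control")
        for cid in r.controls:
            entry = soa.get(cid)
            if entry is None:
                findings.append(f"{r.risk_id}: control {cid} is missing from the SOA")
            elif not entry.applicable:
                findings.append(f"{r.risk_id}: control {cid} treats this risk but is excluded in the SOA")
            elif entry.status == "not implemented" and r.residual() < r.inherent():
                findings.append(f"{r.risk_id}: residual risk credits {cid}, which is not implemented")
    for cid, entry in soa.items():
        if not entry.applicable and not entry.justification.strip():
            findings.append(f"SOA {cid}: excluded without a documented justification")
        if entry.applicable and entry.status == "complete" and not entry.evidence.strip():
            findings.append(f"SOA {cid}: marked complete but no evidence is recorded")
    return findings


# Constructed register for a small software company; the control ids are real
# ISO/IEC 27001:2022 Annex A numbers, everything else is invented for the example.
RISKS = (
    Risk("R-01", "Source code repository", "Credential theft via phishing", 5, 4,
         "mitigate", ("5.7", "8.5", "8.7"), residual_impact=5, residual_likelihood=1),
    Risk("R-02", "Off-site backup media", "Theft of media in transit", 4, 2,
         "transfer", ("8.13",), residual_impact=4, residual_likelihood=1),
    Risk("R-03", "Public website", "Defacement", 2, 2, "accept"),
    Risk("R-04", "Payroll database", "Unauthorised access by contractor", 5, 3, "accept"),
    Risk("R-05", "Developer laptops", "Malware on endpoint", 4, 4,
         "mitigate", ("8.7", "8.16"), residual_impact=4, residual_likelihood=2),
)

SOA = {
    "5.7":  SoaEntry(True, "complete", "Threat feeds consumed by IT", "Procedure PR-07, feed subscriptions"),
    "8.5":  SoaEntry(True, "complete", "MFA enforced on all corporate accounts", "IdP policy export"),
    "8.7":  SoaEntry(True, "complete", "EDR deployed on every endpoint", "EDR coverage report"),
    "8.13": SoaEntry(True, "partial", "Encrypted nightly backups, restore test pending", "Backup job logs"),
    "8.16": SoaEntry(True, "not implemented", "Centralised log management planned", ""),
    "7.4":  SoaEntry(False, "not implemented", "", ""),
    "8.28": SoaEntry(True, "complete", "Secure coding guideline adopted", ""),
}

if __name__ == "__main__":
    print("Red zone:", red_zone(RISKS))
    for finding in check_consistency(RISKS, SOA):
        print("FINDING:", finding)
```

Run as-is it lists three red-zone risks and four findings (R-04 accepted in the red zone, R-05 crediting an unimplemented control, 7.4 excluded without justification, 8.28 complete without evidence), each of which a certification auditor would also raise. The same checks belong in whatever holds your register (for an SME a spreadsheet with validation rules is enough), so that the SOA cannot drift from the risk treatment plan between the risk analysis and the phase 2 audit.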
Comparative table: ISO 27001 vs ENS vs GDPR
| Criterion | ISO 27001 | ENS (Spanish National Security Framework) | GDPR |
|---|---|---|---|
| Scope | International, voluntary | Spain, mandatory for public sector and its suppliers | EU, mandatory if you process personal data |
| Focus | Security of all information | Public sector information | Personal data specifically |
| Certifiable | Yes, by ENAC-accredited body | Yes, by ENAC-accredited body | No general certificate; Art. 42 certification schemes exist (e.g. Europrivacy) |
| Risk analysis | Free methodology (ISO 27005/31000/MAGERIT) | Mandatory; MAGERIT is the methodology promoted by the CCN | Implicit (DPIA under Art. 35 in specific cases) |
| Controls | 93 (Annex A 2022) | Measures by Basic/Medium/High category | Technical and organisational measures (Art. 32) |
| SME implementation cost | €12,000-30,000 | €8,000-25,000 | Variable |
| Market recognition | Very high, global | Indispensable Spanish public sector | Mandatory, not differentiator |
| Sanction for non-compliance | Loss of certificate and contracts | Impossibility of contracting with public sector | Up to 4% of global annual turnover or €20M, whichever is higher |
Relationship with ENS, GDPR and NIS2
ISO 27001 complements three regulatory frameworks especially relevant in Spain:
ENS (Spanish National Security Framework)
Shares many controls with ISO 27001 but differs in scope (international vs national) and in the risk analysis methodology. Simultaneous implementation can generate savings of 30-40% versus implementing them separately.
GDPR
ISO 27001 provides the framework of technical and organisational measures that Article 32 of the Regulation requires to protect personal data. Certification is strong evidence for the GDPR's accountability principle on the security side; it does not by itself cover the rest of the Regulation (lawful bases, data-subject rights, DPIAs), so treat it as one pillar of GDPR compliance rather than proof of it.
NIS2
NIS2 is the European directive on measures for a high common level of cybersecurity across the Union, which each Member State transposes into national law. ISO 27001 covers most of the risk-management measures of Article 21 required of essential and important entities (policies, incident handling, business continuity, supply-chain security, access control, MFA, cryptography). The incident-reporting obligations of Article 23, with an early warning within 24 hours, a notification within 72 hours and a final report within one month of a significant incident, are regulatory deadlines the standard does not set; add them explicitly to your incident management procedure.
Consult my ENS vs ISO 27001 comparative article to understand the differences and when you need both certifications.
ISO 27001 certification costs
Costs are higher than ISO 9001 due to the technical complexity of the ISMS:
- SME of 10 to 50 employees: total cost of consultancy plus certification between €12,000 and €30,000.
- Companies of 50 to 250 employees: between €25,000 and €60,000.
- Larger companies: may exceed €40,000 in consultancy alone.
Financing with Kit Consulting
Kit Consulting (Spain consultancy grant for SMEs) can finance up to €18,000 of cybersecurity advice for companies of 10 to 249 employees, covering the three categories (basic, advanced and preparation for certification) which align directly with an ISO 27001 project.
Consult my Kit Consulting cybersecurity and ISO 27001 guide to finance your certification.
Implementation process: 6 phases in 9-14 months
- Initial diagnosis and gap analysis (4-6 weeks): asset inventory, evaluation against the 93 controls.
- Risk analysis (6-10 weeks): chosen methodology, identification of threats and vulnerabilities, valuation, treatment.
- ISMS design and SOA (4-6 weeks): policies, procedures, SOA with justification of each control.
- Implementation of technical and organisational controls (12-20 weeks): the longest and costliest phase, especially for technological controls.
- Internal audit and management review (3-4 weeks).
- Certification audit (4-6 weeks): documentary phase 1 + on-site phase 2 with ENAC-accredited body.
Real case: a 22-employee software company
A custom software development company (22 employees, Las Palmas) decided to certify in ISO 27001 under pressure from three corporate clients that began requiring it in contract renewals.
Process:
- Initial diagnosis: 38% compliance with the 93 controls before the project.
- Risk analysis: 64 risks identified, 12 in red zone.
- Additional technical investments: corporate MFA, DLP in email, network segmentation, EDR, centralised log management (€12,500 additional to consultancy).
- Total duration: 11 months.
- Total year 1 cost: €26,800 (consultancy €15,000 + technology €8,500 + certifier €3,300).
- Kit Consulting recovered: 14.
Result:
- They kept the three clients (combined annual volume €280,000).
- They won two new corporate clients in regulated sectors.
- A phishing incident in month 8 was successfully contained thanks to implemented controls (no data loss).
Mini-glossary
- ISMS: Information Security Management System.
- CIA: Confidentiality, Integrity, Availability. Pillars of information security.
- SOA: Statement of Applicability of controls.
- Annex A: list of ISO 27001 security controls (93 in the 2022 version).
- MAGERIT: risk analysis methodology published by the Spanish public administration and implemented in the CCN's PILAR tool.
- NIS2: Directive (EU) 2022/2555 on measures for a high common level of cybersecurity.
- DLP: Data Loss Prevention.
- MFA: Multi-Factor Authentication.
- EDR: Endpoint Detection and Response.
- Residual risk: risk remaining after applying controls.
Frequently asked questions
Do I need ISO 27001 if I already comply with GDPR?
Yes, they are complementary. GDPR is a legal obligation that affects only personal data. ISO 27001 protects all your company's information (personal data, intellectual property, commercial information, source code). An ISO 27001 certificate is also strong evidence towards the GDPR's accountability principle, in particular the Article 32 security measures, although it does not on its own demonstrate lawful bases, data-subject rights or DPIAs.
How long does certification take?
Between 9 and 14 months for a first certification, depending on the starting point. Companies with good technical maturity (controls already implemented, structured IT management) can drop to 6-8 months; companies starting from scratch may extend to 14-18 months.
What happens if I fail the external audit?
A major nonconformity (NC) blocks the certificate until it is closed: the certification body requires a corrective action plan and a complementary audit, typically within 90 days. Minor NCs require a corrective action plan that is verified at the next audit. Failing does NOT usually mean losing the whole project: the body gives you a period to remedy. Typical additional cost: €1,500-3,500 for the complementary audit.
Can I apply for ISO 27001 without being a technology company?
Yes, and increasingly more sectors implement it: professional services (law firms, accountancies), private healthcare, training, manufacturing with sensitive intellectual property, research bodies. Any company handling valuable information can benefit.
How does it relate to NIS2?
NIS2 (transposed in Spain in 2025) requires "essential entities" and "important entities" to implement cybersecurity risk management measures. ISO 27001 covers most of those measures. If your company is in the NIS2 scope (energy, transport, healthcare, digital infrastructures, banking, water and wastewater, waste management, food, chemicals, space, certain postal and courier services, manufacture of critical medical devices, etc.), ISO 27001 is mandatory in all but name.
Is the certification valid in other countries?
Yes. ISO 27001 is an international standard and a certificate issued by an ENAC-accredited body is recognised in all countries whose accreditation body is a signatory of the IAF MLA (Multilateral Recognition Arrangement). This includes practically all OECD countries. Related: ISO Certification Spain: bodies and costs compared.
How much does it cost to maintain the certificate annually?
Typical recurring cost (the certificate is valid for three years, with a surveillance audit in each of the first two years and a recertification audit in the third):
- Annual surveillance audit: €1,500-4,000.
- Maintenance consultancy (optional): €200-600/month.
- Technical renewals, updates, continuous training: variable depending on size.
Typical SME total: €4,000-10,000/year.
Checklist: 10 steps to implement ISO 27001
- Define ISMS scope (what information, what processes, what locations).
- Complete inventory of information assets.
- Choose risk analysis methodology (ISO 27005 or MAGERIT if shared with ENS).
- Conduct full risk analysis with objective valuations.
- Select applicable controls and draw up SOA.
- Implement organisational, people, physical and technological controls.
- Train all employees in their security responsibilities.
- Measure security indicators for at least 3 months before the external audit.
- Conduct a complete internal audit and resolve findings.
- Pass phase 1 and phase 2 with ENAC-accredited body.
Need to implement ISO 27001 in your company? Let's talk and I will offer you a no-commitment information security diagnosis with the most efficient strategy for your organisation.
Authorship: Ángel Ortega Castro · independent consultant in strategy, quality and digitalisation for SMEs. Related: Internal ISO Audit: Complete Guide with Real Value.