1.4 KiB
International standard for information security management systems (ISMS). The most widely adopted security certification globally — ~60,000 certified organizations. Requires: risk assessment, security controls (Annex A, 93 controls across 4 domains), continuous improvement (Plan-Do-Check-Act), management review, internal audit.
Who must comply: Self-selected — enterprises pursue ISO 27001 certification because supply chain partners and regulators require it. Increasingly mandatory for: cloud providers, government contractors, critical infrastructure, and regulated financial institutions in multiple jurisdictions.
Penalties: No direct fines. Losing certification means losing business.
Why it matters: ISO 27001 is the universal baseline. It is the entry-level certification that opens every other regulated market. The gate stack maps to Annex A controls directly (A.9 access control, A.12 operations security, A.16 incident management, A.18 compliance). First-mover advantage: the ISO 27001 audit market is mature ($68B) and entirely manual (auditors flip through binders). A gate stack that produces audit evidence automatically is not competing with other software — it is competing with binders.