ISO 27001 (Information Security Management System)

ISO/IEC 27001 is the internationally recognised standard for Information Security Management Systems (ISMS). It provides a framework of requirements, controls, and best practices enabling organisations to systematically protect the confidentiality, integrity, and availability of information assets, and to achieve independent certification demonstrating that protection to clients, regulators, and partners.

What Is ISO 27001?

ISO/IEC 27001 (current version: ISO 27001:2022, published October 2022) is the global standard for Information Security Management Systems (ISMS). Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS within the context of the organisation.

Unlike a technical checklist, ISO 27001 is a management system standard — meaning it integrates information security into organisational governance, risk management, and business processes rather than treating it as purely an IT matter.

Structure: The High-Level Structure (HLS)

ISO 27001:2022 follows the Annex SL High-Level Structure shared by all modern ISO management system standards (including ISO 9001, ISO 14001 and ISO 22301). This common structure makes integration with other management systems straightforward. The main clauses are:

  • Clause 4: Context of the organisation
  • Clause 5: Leadership and commitment
  • Clause 6: Planning (risk assessment and treatment)
  • Clause 7: Support (resources, competence, awareness, communication, documented information)
  • Clause 8: Operation (implementing risk treatment plans, controls)
  • Clause 9: Performance evaluation (monitoring, internal audit, management review)
  • Clause 10: Improvement (nonconformities, corrective action, continual improvement)

Annex A Controls

ISO 27001:2022 references Annex A, which lists 93 information security controls organised into four themes (updated from the previous 14-domain structure):

  1. Organisational controls (37 controls) — policies, roles, responsibilities, asset management, supplier relationships
  2. People controls (8 controls) — screening, terms of employment, training, disciplinary process
  3. Physical controls (14 controls) — physical security perimeters, clear desk, secure disposal
  4. Technological controls (34 controls) — access control, cryptography, network security, vulnerability management, monitoring

New controls in the 2022 revision include threat intelligence, cloud security, data masking, and ICT readiness for business continuity.

The Certification Process

ISO 27001 certification is awarded by accredited certification bodies (in Spain, ENAC-accredited bodies such as AENOR, Bureau Veritas, TÜV, BSI). The process typically follows these stages:

  1. Gap analysis — benchmark current state against ISO 27001 requirements
  2. ISMS design and implementation — define scope, conduct risk assessment, select controls, write policies and procedures
  3. Statement of Applicability (SoA) — document which Annex A controls are applicable and why
  4. Internal audit — verify implementation before external audit
  5. Stage 1 audit (documentation review) — certification body reviews ISMS documentation
  6. Stage 2 audit (implementation review) — on-site verification of implementation
  7. Certification issued — valid for three years, with annual surveillance audits

For a medium-sized Spanish company, the process typically takes 6–12 months from initial gap analysis to certification.

ISO 27001 and Regulatory Compliance

ISO 27001 certification provides significant leverage in meeting regulatory obligations:

  • GDPR/LOPD-GDD: ISO 27001’s technical and organisational measures (TOMs) directly satisfy Article 32 GDPR requirements. The AEPD recognises ISO 27001 as evidence of appropriate security measures.
  • NIS2: ISO 27001 addresses many of NIS2’s mandatory risk management measures. NIS2 explicitly recognises use of European and international standards, and ISO 27001 is the most cited reference.
  • DORA: For financial entities, ISO 27001 supports the ICT risk management framework requirements, though DORA has additional sector-specific requirements beyond what ISO 27001 alone covers.
  • ENS (Esquema Nacional de Seguridad): Spain’s National Security Framework for public sector entities is closely aligned with ISO 27001 and many controls overlap.

Business Benefits Beyond Compliance

Beyond regulatory compliance, ISO 27001 certification delivers tangible commercial value:

  • Required or strongly preferred by enterprise clients and public procurement frameworks
  • Reduces cyber insurance premiums in many cases
  • Provides a structured approach to supply chain security assessments
  • Demonstrates security maturity to investors during M&A due diligence

How BMC Can Help

We guide organisations through the full ISO 27001 implementation journey — from initial gap analysis and scope definition through risk assessment methodology, control selection, policy drafting, internal audit preparation, and certification body coordination. We also help companies understand how ISO 27001 intersects with their GDPR and NIS2 obligations.

Frequently asked questions

How long does ISO 27001 certification take for a Spanish company?

For a medium-sized Spanish company, the full process from initial gap analysis to certification award typically takes 6 to 12 months. The timeline depends on the organisation's current security maturity, the complexity of the ISMS scope, and the speed of implementing required controls and policies. The certification process itself includes a Stage 1 documentation review audit and a Stage 2 implementation audit, conducted by an ENAC-accredited certification body such as AENOR, Bureau Veritas, TÜV, or BSI.

How does ISO 27001 help with GDPR compliance in Spain?

ISO 27001's technical and organisational measures (TOMs) directly satisfy Article 32 GDPR requirements for appropriate security measures to protect personal data. The AEPD (Spain's data protection authority) recognises ISO 27001 certification as evidence of appropriate security controls. Implementing ISO 27001 provides documented risk assessment, access control, encryption, incident management, and business continuity procedures — all requirements that the AEPD evaluates when investigating data breaches.

Is ISO 27001 mandatory for NIS2-regulated companies in Spain?

ISO 27001 is not explicitly mandated by the NIS2 Directive, but it is the most widely recognised standard for implementing the risk management measures that NIS2 requires. NIS2 explicitly recognises the use of European and international standards, and competent authorities assess compliance against standards including ISO 27001. In practice, ISO 27001 certification provides a structured path to demonstrating NIS2 compliance and provides defensible evidence during audits and inspections.

How many ISO 27001 controls are there in the current version?

ISO 27001:2022 (the current version, published in October 2022) references 93 information security controls in Annex A, organised into four themes: Organisational controls (37), People controls (8), Physical controls (14), and Technological controls (34). New controls introduced in the 2022 revision include threat intelligence, cloud security, data masking, and ICT readiness for business continuity. Companies transitioning from the 2013 version had until October 2025 to migrate to the new standard.

What are the business benefits of ISO 27001 certification beyond compliance?

ISO 27001 certification delivers tangible commercial value beyond regulatory compliance. It is required or strongly preferred in enterprise procurement processes and public sector contracts in Spain. It can reduce cyber insurance premiums by demonstrating a structured risk management approach. During M&A due diligence, ISO 27001 certification signals security maturity to buyers. It also provides a structured supply chain security assessment framework, helping certified companies evaluate and manage supplier security risks systematically.