The ISO 27000 series is a collection of internationally recognized compliance standards designed to help organizations of all sizes demonstrate their commitment to cybersecurity best practices. From foundational guidance to specialized certifications for privacy and cloud security, these standards offer a comprehensive blueprint for businesses to establish and maintain strong security postures.
Whether you’re just beginning to explore ISO certification or looking to expand your compliance program with additional frameworks, understanding the relationship between ISO 27001 and its supporting standards, including ISO 27002, ISO 27701, ISO 27017, and ISO 27018, is paramount.
In this article, we’ll break down what each standard covers, how the certification process works, and how these standards can help you build trust with customers, partners, and stakeholders.
Considered the gold standard in information security, ISO/IEC 27001:2022—often shortened to ISO 27001—is a globally recognized compliance framework that sets baseline requirements for establishing, operating, monitoring, maintaining, and continuously improving an organization’s information security management system (ISMS). Compliance with this standard demonstrates that your organization has implemented sound policies for managing and reducing risk.
To achieve ISO 27001 certification, organizations must undergo a multi-stage process that begins with an internal audit to assess whether their ISMS has been developed, implemented, and maintained in accordance with their own internal standards as well as the requirements of ISO 27001.
Following the internal audit, organizations are ready to begin the two-stage remediation and certification process, or the “certification audit.” During Stage 1, your auditor will test the design of the organization’s ISMS, including:
Organizations then move on to Stage 2, where the auditor tests the effectiveness of the ISMS and checks to ensure that areas of concern have been remediated. After both stages, the auditor reviews the results of their assessments and makes a final decision on certification.
Once issued, ISO 27001 certifications are valid for three years, with annual surveillance audits required in the interim.
While ISO 27001 outlines what an organization must do to establish and maintain an effective ISMS, ISO 27002 provides detailed guidance on how to do it.
ISO 27002 is not a certifiable standard on its own, but acts as a critical companion to ISO 27001 by helping organizations understand and implement the controls required to achieve compliance. It offers practical guidance for selecting, implementing, and managing information security controls based on industry best practices.
ISO 27002 is especially useful during risk assessments and when selecting controls that align with your organization’s unique risks and compliance needs. The standard includes detailed explanations, best practices, and implementation advice for each control, helping to ensure your ISMS is both compliant with ISO 27001 standards and effective in mitigating risk.
First introduced in 2019, ISO/IEC 27701 builds on ISO 27001 with a special focus on data privacy. Specifically designed for organizations that process personally identifiable information (PII), ISO 27701 outlines requirements for establishing, implementing, maintaining, and continually improving a privacy information management system (PIMS).
ISO 27701 certification demonstrates that your organization has built and implemented a program for protecting PII in line with global privacy best practices. Because data privacy relies on strong cybersecurity practices, ISO 27701 certification cannot be achieved without a valid ISO/IEC 27001 certification.
ISO/IEC 27017 is an extension of ISO 27001 that focuses specifically on cloud security. It requires seven additional controls that are unique to cloud services, as well as 37 controls that are implemented through ISO 27002.
ISO 27017 covers a wide range of areas, including data protection, access control, incident response, and risk management. Like ISO 27701, ISO 27017 is not a standalone certification. ISO 27001 certifications that incorporate ISO 27017 controls are valid for three years, during which time organizations are required to complete annual surveillance audits to ensure continued compliance.
ISO/IEC 27018 builds on the foundation of ISO 27001 to provide a privacy-specific framework for cloud service providers (CSPs) that process PII. It includes 24 additional controls that are unique to CSPs. Those controls are focused on safeguarding PII in cloud environments, such as secure data deletion, restrictions on processing, and user transparency.
ISO 27018 certification is valid for three years, with annual surveillance audits required to maintain compliance.
Achieving certification against one or more standards in the ISO 27000 series offers more than just a badge to include on your website footer—it equips your organization with a comprehensive framework for protecting sensitive information and managing cybersecurity risks in a way that is repeatable, scalable, and globally recognized. By achieving certification, you’re building trust with customers, partners, and other stakeholders and demonstrating that your team takes a proactive approach to managing cyber risk.
Though not legally required in the U.S., ISO certification is recognized internationally and is often requested by enterprise clients and global partners as a prerequisite for doing business. The good news is that for organizations already compliant with other cybersecurity frameworks, ISO 27001 and its supporting standards fit seamlessly into an existing compliance program.
For instance, most requirements listed in ISO 27001 map over to SOC 2 controls. As part of an elite group of U.S. firms qualified to audit against all of the highest-regarded security standards, including ISO 27001, SOC 2, HITRUST, and PCI DSS, BARR can leverage its unique coordinated audit approach to map SOC 2 control requirements during your ISO 27001 meetings, allowing your organization to bypass additional walkthroughs and obtain a SOC 2 Type 2 report at the same time.
This was the strategy used by Kinsta, a leading WordPress hosting provider that worked with BARR to achieve ISO 27001, ISO 27017, and ISO 27018 certification, along with a SOC 2 attestation. Kinsta’s global, fully remote team had never undergone an ISO audit before, and they needed a partner who could be flexible with scheduling and audit management while guiding them through the complex certification process.
Kinsta found that partner in BARR, who managed their simultaneous SOC 2 and ISO 27001, 27017, and 27018 compliance efforts to ensure the process remained streamlined and efficient.
“Our SOC 2 report and ISO certifications have become key differentiators in the market, giving our customers confidence in our security and data management practices,” said Nathan Bliss, Kinsta’s chief sales officer. “We’ve seen an increase in customer retention rates and have received positive feedback from clients who appreciate our commitment to maintaining the highest standards of security and compliance.”
Ready to take the next step in your compliance journey? Contact us today for a free consultation.
*ISO certifications are issued by BARR Certifications, the certification body of BARR Advisory.