
ISO 27001 Standard 2026: What CISO/CIO Need to Know

Arthur Teboul · 13 min read

Citation Capsule

ISO 27001 has become nearly mandatory for any B2B company serving enterprise customers, operating cloud services, or proving security posture in procurement. As of May 12, 2026, over 70,000 active certifications exist worldwide, with approximately 4,800 in France (ISO Survey 2024).

This guide is written for IT departments, not CISOs alone. It defines the standard precisely, details the 2022 structure, explains the mandatory clauses (4-10) versus the Annex A controls (93 items), digs into the pivot control A.5.9 on asset inventory, breaks down certification costs, and shows how modern ITAM natively covers the technical requirements.

For broader fleet management and compliance context, see our IT asset management software guide.

What exactly is ISO 27001?

ISO/IEC 27001 (joint ISO + IEC international standard) defines requirements to establish, implement, maintain, and improve an Information Security Management System (ISMS). It's a management standard — it doesn't prescribe how to do things technically; it specifies what must be in place to demonstrate auditable security posture.

The standard has two parts:

Main body (clauses 4-10) — mandatory in full. Defines ISMS requirements: organizational context, leadership, planning, support, operations, performance evaluation, improvement. This is the skeleton of your management system.

Annex A (93 controls): applies where relevant. A list of controls to consider when treating risks. The organization selects which ones apply to its scope and justifies exclusions in a Statement of Applicability (SoA).

Difference between ISO 27001 and ISO 27002

Frequent confusion. ISO 27001 is the certifiable standard — auditors assess against it. ISO 27002 is the implementation guide for Annex A controls — not certifiable, but essential as a practical reference. Both 2022 versions are synchronized.

Difference between ISO 27001:2013 and ISO 27001:2022

The October 2022 revision restructured Annex A:

| | ISO 27001:2013 | ISO 27001:2022 |
|---|---|---|
| Annex A control count | 114 | 93 |
| Annex A structure | 14 categories | 4 themes (organizational, human, physical, technological) |
| New controls | | 11 (threat intelligence, cloud, secure code) |
| Merged controls | | 24 (eliminated duplicates) |

Migration deadline: Organizations certified on 2013 had until October 31, 2025 to upgrade. As of May 12, 2026, all new certifications are on ISO 27001:2022.

Annex A 2022 structure (93 controls, 4 themes)

| Theme | Prefix | Count | Examples |
|---|---|---|---|
| Organizational (A.5) | A.5.x | 37 | Security policies, asset management, supplier management, incident response |
| Human (A.6) | A.6.x | 8 | HR screening, training, disciplinary action |
| Physical (A.7) | A.7.x | 14 | Perimeters, secure zones, equipment |
| Technological (A.8) | A.8.x | 34 | Cryptography, access control, network security, secure development |

For IT departments, high-impact controls are:

  • A.5.9 — Inventory of information and other associated assets
  • A.5.10 — Acceptable use of assets
  • A.5.11 — Return of assets
  • A.8.1 — User devices
  • A.8.32 — Change management

Why A.5.9 is the pivot control for IT

Control A.5.9 requires up-to-date inventory of information and supporting assets, with a designated owner per asset. Without this inventory, you can't demonstrate what you're protecting — auditors detect this in minutes.

What A.5.9 actually demands

Inventory must include:

  1. All information assets (databases, files, source code, documentation)
  2. All supporting assets (workstations, servers, network equipment, applications, cloud services)
  3. Per asset: designated owner, classification (confidential/restricted/internal/public), location, lifecycle status

Auditors typically verify:

  • Is inventory current (no more than 5% missing vs. actual fleet)?
  • Are owners named (not generic "IT")?
  • Is the link asset → information → processing → risk traceable?
  • Is there proof of quarterly or semi-annual review?
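The four auditor questions above translate directly into checks that can be run against an inventory export. The script below is an added example, not code from the article or from any ITAM product: it takes constructed inventory records and a constructed list of device IDs "seen" by telemetry, then reports each A.5.9 finding (fleet coverage within the 5% tolerance, named owners, a valid classification, a link to an information asset, and a review no older than six months). Field names, the generic-owner list and the record format are assumptions.

```python
"""Added example: self-check of an asset inventory against the A.5.9 points
auditors typically verify. Sample data is constructed; field names, the
generic-owner list and the record format are assumptions, not the article's."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Classification levels named in the article; anything else is a finding.
CLASSIFICATIONS = {"confidential", "restricted", "internal", "public"}
# Owner values an auditor would reject as "generic" (assumed list).
GENERIC_OWNERS = {"", "it", "it department", "tbd", "n/a"}
MAX_MISSING_RATIO = 0.05              # "no more than 5% missing vs. actual fleet"
MAX_REVIEW_AGE = timedelta(days=183)  # semi-annual review at the latest


@dataclass
class Asset:
    asset_id: str                  # serial or hostname as reported by the agent
    owner: str                     # a named person, not a team
    classification: str
    location: str
    lifecycle: str                 # e.g. in-use / stock / returned
    information_assets: list[str]  # information this asset stores or processes
    last_reviewed: date


def audit_inventory(inventory: list[Asset], discovered_ids: set[str], today: date) -> dict:
    """Return findings keyed by the auditor question they answer."""
    known = {a.asset_id for a in inventory}
    missing = sorted(discovered_ids - known)   # seen by telemetry, never recorded
    ghosts = sorted(known - discovered_ids)    # recorded, never seen (stale record)
    missing_ratio = len(missing) / len(discovered_ids) if discovered_ids else 0.0

    generic_owner = [a.asset_id for a in inventory if a.owner.strip().lower() in GENERIC_OWNERS]
    bad_class = [a.asset_id for a in inventory if a.classification.lower() not in CLASSIFICATIONS]
    untraceable = [a.asset_id for a in inventory if not a.information_assets]
    stale_review = [a.asset_id for a in inventory if today - a.last_reviewed > MAX_REVIEW_AGE]

    return {
        "current": missing_ratio <= MAX_MISSING_RATIO,
        "missing_ratio": round(missing_ratio, 3),
        "missing_from_inventory": missing,
        "not_seen_in_fleet": ghosts,
        "generic_owner": generic_owner,
        "invalid_classification": bad_class,
        "no_information_link": untraceable,
        "review_overdue": stale_review,
    }


def passes(findings: dict) -> bool:
    """True only when every A.5.9 check is clean (stale records are reported, not failed)."""
    return findings["current"] and not any(
        findings[k] for k in ("generic_owner", "invalid_classification",
                              "no_information_link", "review_overdue"))


def sample_inventory() -> list[Asset]:
    """Constructed sample records with one deliberate defect each (not real data)."""
    base = dict(classification="internal", location="Paris HQ", lifecycle="in-use",
                information_assets=["CRM data"], last_reviewed=date(2026, 3, 1))
    assets = [Asset(f"LAP-{i:03d}", owner=f"user{i}@example.com", **base) for i in range(1, 20)]
    assets[0].owner = "IT"                       # generic owner
    assets[1].classification = "secret"          # level outside the scheme
    assets[2].information_assets = []            # no asset -> information link
    assets[3].last_reviewed = date(2025, 9, 1)   # review older than six months
    assets.append(Asset("SRV-OLD", owner="ops@example.com", **base))  # never seen by the agent
    return assets


SAMPLE_FLEET = {f"LAP-{i:03d}" for i in range(1, 21)}  # constructed: agent sees 20 laptops
TODAY = date(2026, 5, 12)

if __name__ == "__main__":
    result = audit_inventory(sample_inventory(), SAMPLE_FLEET, TODAY)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("A.5.9 ready:", passes(result))
```

The sample fleet is one device short in the inventory (LAP-020), which is exactly the 5% tolerance, so the "current" check still passes; the other four defects each surface as a named asset ID, which is the form an auditor expects to see in a review log.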

The frequent gap: Excel spreadsheets vs real ITAM

73% of certified organizations cite A.5.9 as the most difficult control to maintain (ISMS.online 2025). Root cause: most start with Excel, which drifts in 6 months — missing devices, obsolete owners, forgotten classifications.

Modern ITAM (telemetry agent per device, auto-generated record, owner mapped via SSO or Active Directory) solves this structurally. That's the article's core argument: good ITAM = A.5.9 covered without manual effort.

How modern ITAM covers technical requirements

| ISO 27001:2022 Control | Modern ITAM Coverage |
|---|---|
| A.5.9 Asset inventory | Auto inventory via agent, owner mapped from AD/SSO, configurable classification |
| A.5.10 Acceptable use | Policy linked to device via provisioning signature, acceptance traceability |
| A.5.11 Asset return | Offboarding workflow: remote lock, file recovery, lifecycle marker "returned" |
| A.5.12 Classification | Classification field in asset record, exportable by level |
| A.5.16 Identity management | SSO/AD integration, user ↔ asset mapping per device |
| A.5.23 Cloud service security | SaaS inventory via browser detection, ghost license tracking |
| A.8.1 User devices | Complete inventory (hardware, OS, versions), patch level, BitLocker/FileVault status |
| A.8.7 Malware protection | EDR presence and version verification per device |
| A.8.8 Vulnerability management | OS and application inventory with CVE matching |
| A.8.32 Change management | Hardware/software change history, deviation alerting |

The ISO 27001 auditor doesn't mandate a specific tool — they verify you know what you own and who's responsible. Modern ITAM provides proof by design.

ISO 27001 certification: cost and timeline

Phase 1 — Conformance (3-9 months)

  • External consulting (optional): €8,000 to €30,000 depending on size
  • Internal time: 0.5 to 1.5 FTE CISO/quality during phase
  • Tooling: GRC platform (Vanta, Drata, ISMS.online) from €8,000/year for SMBs
  • Team training: €2,000 to €5,000

Phase 2 — Certification audit (4-8 weeks)

  • Stage 1 audit (documentation review): €3,000 to €6,000
  • Stage 2 audit (on-site): €5,000 to €15,000
  • Maintenance (annual surveillance audits): €4,000 to €10,000/year

Total year-one cost for French SMB: typically €15,000-50,000 (AFNOR, 2024). Tech SMB with existing maturity: €15-25k. Mid-market with extended scope: €40-100k+.

Accreditation bodies in France

Main COFRAC-accredited bodies in France: AFNOR Certification, Bureau Veritas, LRQA, SGS, Apave. Selection often based on sector (Bureau Veritas strong in manufacturing, AFNOR in public sector, LRQA in finance).

ISO 27001 vs other frameworks (NIS2, GDPR, SOC 2)

| Framework | Type | Geography | Overlap with ISO 27001 |
|---|---|---|---|
| ISO/IEC 27001:2022 | Certifiable standard | International | |
| GDPR | Regulation | EU | Partial (privacy, ~30%) |
| NIS2 | EU Directive | EU (essential/important entities) | High (~70%) |
| SOC 2 Type 2 | Attestation | Primarily USA | High (~75%) |
| HDS | Certification | France (healthcare) | High (~80%, hosting) |

ISO 27001 is often the foundation: once certified, adding SOC 2, NIS2, or HDS requires only 20-30% additional effort, not a rebuild.

Common ISO 27001 certification pitfalls

1. Underestimating the inventory phase (A.5.9)

The classic trap. Organizations think they "know" their fleet, start the project, and realize at month 4 that 30% of devices are missing from the spreadsheet. Starting with solid ITAM avoids 60% of documented delays.

2. Confusing certification with security

Certification doesn't mean secure. An organization can pass with formally documented but imperfectly applied measures. Audits verify the ISMS exists, not its absolute effectiveness.

3. Forgetting supplier chain (A.5.19-A.5.22)

The 2022 Annex A strengthened supplier controls. Your entire subcontracting chain must be documented and audited — often a major gap in immature ISMSs.

4. Underfunding maintenance

Certification renews every 3 years with annual surveillance audits. Without dedicated budget (€4-10k/year), you'll lose it at the first audit renewal.

1 Rust agent, <1% CPU, reduced attack surface

1 Rust agent, <1% CPU. Average ITAM stacks an inventory agent (GLPI), MDM (Intune), EDR (CrowdStrike), RMM (Atera), and DEX tool — sobrii provides functional equivalence on a single signed Rust binary, sandboxed, with measured footprint <1% CPU on Windows and macOS. Fewer agents = smaller attack surface, less battery drain, less support load.

For ISO 27001, this matters for A.8.7 (malware protection) and A.5.16 (identity management): fewer agents means fewer processes to harden, fewer service accounts to audit, and a single Microsoft Authenticode-signed binary that passes EDR policies without exception. For IT departments, it also means 4 fewer vendors to manage under A.5.19 (supplier management).

sobrii is 100% bilingual FR/EN at product core

sobrii is 100% bilingual FR/EN at product core. Every label, every CSRD/ISO 27001 report, every export is generated in the employee's language — not a 70%-translated glossary. Customer reference: Montpellier Metropolis (3M residents, multi-site fleet, 7,000+ monitored PCs). sobrii is one of the rare ITAM SaaS platforms designed in France with FR/EN parity from v1, hosted in the EU.

For ISO 27001 compliance, two direct impacts:

  • ISO 27001 audit-ready exports are generated in French (French auditor) or English (international auditor) — no manual re-translation
  • EU hosting eliminates questions about international data transfers (A.5.34 — personal data and privacy)

Verdict — Getting started with ISO 27001 certification in 2026

Four phases in order:

  1. Months 1-2: Establish inventory (A.5.9). Deploy modern ITAM, map all assets, designate owners. Without this foundation, everything drifts.
  2. Months 2-4: ISMS documentation. Policies, risk analysis, Statement of Applicability, treatment plan. Use GRC tool (Vanta, Drata, ISMS.online).
  3. Months 4-6: Implementation and training. Deploy controls, train teams, start reviews.
  4. Months 6-9: Stage 1 then Stage 2 audit. Choose body, plan, audit.

Typical total cost for French tech SMB: €15,000-30,000 year one. Maintenance: €4,000-10,000/year.

FAQ

What is ISO 27001 exactly?

ISO/IEC 27001:2022 is the international standard defining requirements for an Information Security Management System (ISMS). It comprises mandatory clauses (4-10) and an Annex A of 93 controls applied per relevance. Certification is issued by an accredited body (in France: AFNOR, Bureau Veritas, LRQA, SGS, Apave). Over 70,000 organizations worldwide are certified as of May 12, 2026.

What's the difference between ISO 27001 and ISO 27002?

ISO 27001 is certifiable — auditors assess against it. ISO 27002 is the implementation guide for Annex A controls — not certifiable but essential as practical reference. Both were revised in 2022 and synchronized.

How much does ISO 27001 certification cost in 2026?

For a French SMB, year-one total is typically €15,000-50,000: consulting (€8-30k), Stage 1 audit (€3-6k), Stage 2 audit (€5-15k), GRC tool (from €8k/year), internal time (0.5-1.5 FTE). Maintenance: €4,000-10,000/year for annual surveillance and triennial renewal.

Which ISO 27001 control is hardest to maintain?

A.5.9 — Inventory of information and other associated assets. 73% of certified organizations rank it most difficult (ISMS.online, 2025). Without modern ITAM, the inventory drifts in 6 months (missing devices, obsolete owners, forgotten classifications). ITAM with agent collection solves this structurally.

Is ISO 27001 mandatory in France?

No legal mandate in France. But it becomes a contractual prerequisite for: (1) serving enterprise customers in banking, insurance, healthcare, defense sectors, (2) responding to public procurement with cybersecurity criteria, (3) operating serious B2B cloud services. NIS2 obligations for critical/important entities cover ~70% of ISO 27001.

Can you be ISO 27001 certified managing fleet via Excel?

Theoretically yes, practically no beyond 100 devices. Auditors test inventory (A.5.9) and change traceability (A.8.32). Manual Excel drifts too fast; auditors detect gaps in hours. Best practice 2026: ITAM with auto agent collection, SSO user mapping, and per-asset audit history.


Written by Arthur Teboul, CPO & Co-founder, sobrii

Arthur is CPO and co-founder of sobrii, a SaaS platform that helps IT leaders manage the lifespan, costs, and carbon footprint of their device fleets. sobrii collects real-time data from every endpoint to replace calendar-based refresh cycles with decisions based on actual machine health.
