ISO/IEC 27001

International standard for an Information Security Management System (ISMS) — the closest thing to a global certification mark for security.

ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS), jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Unlike SOC 2, it is a true certification: an accredited body audits the ISMS and issues a certificate valid for three years, with surveillance audits in between.

The current revision — ISO/IEC 27001:2022 — restructured the control catalogue from 114 controls into 93, grouped into four themes: Organizational, People, Physical, and Technological. The supporting standard ISO/IEC 27002:2022 provides implementation guidance for each control.

What matters for the human-risk discussion:

  • Annex A control A.6.3 (formerly A.7.2.2 in the 2013 edition) explicitly requires information security awareness, education and training appropriate to the person’s role — and evidence that it happens.
  • A.6.8 (information security event reporting) implies people know how to report — a behavior, not a knowledge item.
  • The Statement of Applicability (SoA) lists which Annex A controls are in scope; the auditor will ask for the operating evidence behind each one.
  • Continual improvement (Clause 10) means the ISMS must demonstrate that controls get better over time — completion-rate snapshots flatline at “100% trained” and tell the auditor nothing about improvement.

Where the standard meets behavior-centered security: an auditor who has been seeing the same LMS export every year for a decade is increasingly receptive to behavioral evidence — a trend line of risky behaviors observed and corrected — as the operating-effectiveness artifact for A.6.3. The standard does not prescribe a format; the choice of artifact is the organization’s.

Most SaaS vendors selling into European mid-market and enterprise pursue ISO 27001 in parallel with SOC 2, since the control overlap is high and one audit body can often cover both engagements.