ISO 27001

TL;DR

ISO/IEC 27001 is the international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) inside an organization.

What is ISO 27001?

ISO 27001 is an international standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It defines the requirements for an Information Security Management System, commonly called an ISMS.

The standard takes a risk-based approach. Rather than prescribing specific technologies, it requires organizations to identify information assets, assess risks to them, select and justify controls (Annex A serves as the reference list), and operate a continual improvement cycle modeled on Plan-Do-Check-Act.

The current version is ISO/IEC 27001:2022. Its Annex A was restructured and gained 11 new controls, among them threat intelligence, information security for use of cloud services, secure coding, data masking, data leakage prevention, and information deletion. It replaced the 2013 edition; certified organizations had a three-year transition window, ending 31 October 2025, to move their ISMS and certificate to the 2022 edition.

Why ISO 27001 Matters

For enterprise buyers, ISO 27001 is shorthand for "this vendor has thought about security in a structured way and proven it to an external auditor." Procurement teams in regulated industries often filter vendors by certification status before any product evaluation begins.

The standard also carries regulatory weight. An ISO 27001 ISMS is a common way to evidence the "appropriate technical and organisational measures" required by GDPR Article 32, its controls overlap heavily with the SOC 2 Trust Services Criteria, and it is a recognized route to meeting the risk-management obligations that the EU's NIS2 directive imposes through national law. The ISO Survey counted roughly 70,000 valid certificates worldwide in 2022, up sharply since 2020.

For AI support vendors specifically, an in-scope ISMS governs how customer data is encrypted, who can access it, how incidents are handled, and how subprocessors are managed. Buyers comparing ISO 27001 certified support platforms should check the certificate itself, the scope statement, and recent audit reports rather than marketing claims.

How ISO 27001 Works

Certification is a two-stage external audit by an accredited certification body. Stage 1 reviews documentation, scope, and ISMS design. Stage 2 verifies, by sampling evidence and interviewing staff, that the controls actually operate. Once certified, the organization receives annual surveillance audits and a full recertification audit every three years.

Annex A of the 2022 revision contains 93 controls grouped into four themes: organizational, people, physical, and technological. Examples include access control, use of cryptography, management of technical vulnerabilities, and supplier security. Not every control has to be implemented: the organization records which ones apply, which are excluded, and why, in a document called the Statement of Applicability, which auditors read against the risk assessment.

For AI vendors handling support tickets, the controls map to concrete engineering work: encryption of prompts and stored customer data, security testing that includes adversarial testing of model behavior, tamper-evident audit trails for actions taken through ticketing workflows such as ServiceNow, and documented incident response. Teams deploying AI chatbots wired into CRM systems need each integration covered by the certificate's scope statement, not just the core product.
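
What "tamper-evident audit trail" means in practice, as an added example (this is not Fini's code and not a ServiceNow feature): each log record commits to the SHA-256 of the previous record and is sealed with an HMAC under a key held outside the application, so any edit, insertion, reordering or deletion inside the chain is caught on verification. The sealing key and the ticket events are constructed for the example.

```python
"""Hash-chained, HMAC-sealed audit trail (added example; key and events are constructed)."""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # stand-in for "the hash before the first record"


def _canonical(obj: dict) -> bytes:
    # Deterministic JSON so the same record always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _seal(key: bytes, entry_hash: str) -> str:
    # HMAC over the entry hash: without the key, a rewritten chain cannot be resealed.
    return hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()


def append(chain: list, event: dict, key: bytes) -> dict:
    """Append one event to the chain, linking it to the previous record."""
    prev_hash = chain[-1]["entry_hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev_hash": prev_hash, "event": event}
    entry_hash = hashlib.sha256(_canonical(body)).hexdigest()
    record = {**body, "entry_hash": entry_hash, "seal": _seal(key, entry_hash)}
    chain.append(record)
    return record


def verify(chain: list, key: bytes):
    """Return (True, None) if the chain is intact, else (False, index of first bad record)."""
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        body = {"seq": rec["seq"], "prev_hash": rec["prev_hash"], "event": rec["event"]}
        if rec["seq"] != i or rec["prev_hash"] != expected_prev:
            return False, i  # record reordered, removed, or inserted
        if hashlib.sha256(_canonical(body)).hexdigest() != rec["entry_hash"]:
            return False, i  # record content edited after the fact
        if not hmac.compare_digest(_seal(key, rec["entry_hash"]), rec["seal"]):
            return False, i  # chain rewritten without the sealing key
        expected_prev = rec["entry_hash"]
    return True, None


def build_sample_chain(key: bytes) -> list:
    """Constructed support-ticket events; not real data."""
    chain = []
    append(chain, {"actor": "agent-42", "action": "ticket.view", "ticket": "T-1001"}, key)
    append(chain, {"actor": "bot", "action": "ticket.reply", "ticket": "T-1001"}, key)
    append(chain, {"actor": "agent-42", "action": "ticket.export", "ticket": "T-1001"}, key)
    return chain


if __name__ == "__main__":
    key = b"example-sealing-key"  # constructed; keep the real key in a KMS or HSM
    chain = build_sample_chain(key)
    print("intact:", verify(chain, key))
    chain[1]["event"]["actor"] = "agent-42"  # rewrite the bot reply as a human action
    print("after edit:", verify(chain, key))
```

The chain detects edits, reorderings and deletions inside the log, and a wrong or missing key fails at the first record. It does not detect truncation of the most recent records, because a shortened chain is still internally consistent; anchor the latest entry_hash somewhere the application cannot rewrite (a write-once bucket, a signed timestamp, or the auditor's own copy) so that case is covered too.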

How Fini Approaches ISO 27001

Fini holds ISO/IEC 27001:2022 certification alongside SOC 2 Type II and ISO 42001, PCI-DSS Level 1 compliance, and GDPR and HIPAA compliance programs. The control set is implemented inside the reasoning-first architecture rather than bolted on after deployment. PII Shield enforces real-time redaction before customer data reaches any model, which addresses several Annex A technological controls, such as data masking and data leakage prevention, in one stroke.

Enterprise buyers can request the current certificate and scope statement during evaluation, and most teams reach production with audit-ready logs in 48 hours. To see the controls in action, book a demo.

Frequently Asked Questions

What is ISO 27001 in simple terms?

ISO 27001 is the global standard that tells organizations how to set up and run an information security management system. It covers people, processes, and technology rather than any single tool. Certification means an independent auditor has confirmed that the controls actually exist and operate. Fini holds the current ISO/IEC 27001:2022 certification covering its full AI support platform.

What is the difference between ISO 27001 and SOC 2?

ISO 27001 is an international certification awarded by an accredited certification body after an external audit against a fixed standard. SOC 2 is a US-originated attestation report (Type I or Type II) written by a CPA firm against the AICPA Trust Services Criteria. ISO 27001 produces a certificate; SOC 2 produces a report. Many vendors hold both because European buyers expect ISO and US buyers expect SOC 2.

Is ISO 27001 mandatory?

ISO 27001 is voluntary in most jurisdictions, but it is often a practical requirement in regulated procurement. EU public sector tenders, financial services RFPs, and large healthcare buyers frequently demand it or an equivalent. Organizations in sectors covered by NIS2 (energy, transport, health, digital infrastructure, and others) or by sector-specific rules face legal security obligations that lean heavily on the ISO 27001 control set, even where the certificate itself is not mandated.

How long does ISO 27001 certification take?

A typical first-time certification project runs nine to fifteen months. The work includes risk assessment, control implementation, internal audit, management review, and the two-stage external audit. Mature organizations with existing security programs sometimes finish in six months. Surveillance audits afterward are shorter, typically a few days each year, with duration scaled to the size and complexity of the organization.

Does ISO 27001 cover AI specifically?

ISO 27001:2022 has no AI-specific controls, but its risk-based approach captures AI-related threats through general controls on secure development, security testing, supplier management, and threat intelligence. For dedicated AI governance, ISO/IEC 42001 (AI management systems) was published in December 2023 and is designed to sit alongside ISO 27001. Vendors handling sensitive support workflows should hold both.

How do I verify a vendor's ISO 27001 certification?

Ask for the certificate itself, the Statement of Applicability, and the scope statement. The certificate lists the certification body (BSI, TÜV, Schellman, and others), the accreditation mark (for example UKAS or ANAB), and an expiry date. Verify it on the certification body's public register rather than trusting a PDF. Scope matters most: a certificate covering only "corporate IT" tells you nothing about whether the AI product you are buying is included.