ISO 27001: History and Evolution

5 min read · 27kay

ISO 27001 traces its roots back to a British standard published in 1995. Over three decades, it evolved from a national code of practice into the most widely adopted international standard for information security management. Understanding this history helps explain why the standard is structured the way it is - and why some requirements that seem arbitrary actually reflect decades of implementation experience.

BS 7799: The British origins (1995-2004)

The story begins with the British Standards Institution (BSI), which published BS 7799 in two parts:

BS 7799-1 (1995) was a code of practice - a collection of information security controls and guidance. Think of it as an early version of what later became ISO 27002. It told organizations what good security practice looked like but did not define a management system framework.

BS 7799-2 (1998) added the management system component. This is where the concept of an ISMS first appeared - a systematic approach to managing information security through policies, processes, risk assessment, and continual improvement. BS 7799-2 made certification possible. Organizations could be audited against it and receive formal recognition of their information security management.

BSI revised both parts in 1999 and again in 2002, refining the controls and the management system requirements based on early adoption experience. By the early 2000s, BS 7799 had gained traction beyond the UK, with organizations in Europe and Asia seeking certification. That international interest made it clear the standard needed a global home.

Becoming international: ISO/IEC 27001:2005

In 2005, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) adopted BS 7799-2 as ISO/IEC 27001:2005 - the first international version of the standard.

Simultaneously, BS 7799-1 was republished as ISO/IEC 17799:2005 (later renumbered to ISO/IEC 27002:2005 in 2007), becoming the companion code of practice for security controls.

The 2005 edition established several concepts that remain central to the standard today:

  • The Plan-Do-Check-Act (PDCA) cycle as the management framework
  • Risk assessment as the basis for selecting controls
  • The Statement of Applicability as the link between risk treatment and Annex A controls
  • Management commitment and resource allocation
  • Internal audit and management review as continual improvement mechanisms

The 2005 edition contained 133 controls organized into 11 domains. By today’s standards, the control set was heavily focused on traditional IT security - network security, access control, physical security - reflecting the technology landscape of the mid-2000s.

The 2013 revision: Annex SL and modern structure

ISO/IEC 27001:2013 was a significant rewrite. The most important change was adopting the Annex SL high-level structure - a common framework that ISO uses across all management system standards (quality, environment, occupational health, etc.).

This restructuring matters for organizations running multiple management systems. If you already have ISO 9001 (quality) or ISO 14001 (environment), the clause structure of ISO 27001:2013 aligns directly. Context of the organization, leadership, planning, support, operation, performance evaluation, and improvement follow the same pattern across all Annex SL standards.

Other key changes in 2013:

  • The PDCA cycle was no longer explicitly mandated (though it remains a natural fit)
  • Risk assessment became more flexible - organizations could choose their methodology rather than following the prescriptive asset-threat-vulnerability approach of 2005
  • Controls were reorganized from 133 controls in 11 domains to 114 controls in 14 domains
  • Greater emphasis on interested parties and organizational context

The 2013 edition held for nearly a decade - the longest gap between revisions - and became the version most organizations worldwide certified against.

ISO 27001:2022: The current edition

The 2022 revision kept the management system clauses (4-10) largely unchanged. The significant changes were in Annex A, which was completely restructured to align with the updated ISO 27002:2022.

The control set was reorganized from 114 controls in 14 domains to 93 controls in 4 themes:

  • Organizational controls (37 controls)
  • People controls (8 controls)
  • Physical controls (14 controls)
  • Technological controls (34 controls)

Eleven new controls were added to address areas that the 2013 edition did not explicitly cover:

  • Threat intelligence
  • Information security for cloud services
  • ICT readiness for business continuity
  • Physical security monitoring
  • Configuration management
  • Information deletion
  • Data masking
  • Data leakage prevention
  • Monitoring activities
  • Web filtering
  • Secure coding

These additions reflect how the threat landscape shifted between 2013 and 2022 - cloud adoption, supply chain attacks, data privacy regulations like GDPR and NIS2, and the general expectation that organizations manage information throughout its lifecycle, not just protect it at rest.

Organizations certified to the 2013 edition had until October 31, 2025 to transition. The migration process involved updating the SoA to the new control structure, performing a gap assessment against the new controls, and undergoing a transition audit.

Why the history matters for practitioners

Understanding how ISO 27001 evolved helps with implementation decisions:

Risk assessment flexibility. If you encounter guidance suggesting you must follow an asset-threat-vulnerability methodology, that is 2005-era thinking. Since 2013, the standard allows any risk assessment approach that produces comparable results. Choose a methodology that fits your organization.

Control selection context. The 93 controls in Annex A are not arbitrary - they represent three decades of accumulated security practice. When you build your Statement of Applicability, understanding why a control exists helps you assess whether it is relevant to your context.

Annex SL integration. If your organization already runs ISO 9001 or another management system standard, you can integrate the ISMS with existing processes. The shared structure was designed for this.

Transition experience. The 2013-to-2022 transition taught many organizations that their SoA and risk assessment were tightly coupled to the old control structure. Building a more flexible, risk-driven approach from the start makes future transitions smoother.

How 27kay can help

We have guided organizations through both the 2013 and 2022 editions of ISO 27001 - from first implementations to transitions between versions. Whether you are starting fresh or need to update an existing ISMS, our ISO 27001 implementation service covers the full lifecycle. For the complete picture, see our ISO 27001 knowledge hub.

Considering ISO 27001 for the first time or planning a transition? Get in touch - we will help you understand what the standard requires and what it takes to get there.