ISpectra Technologies
Foundation Guide · Updated Jun 2026 · 7 min read

The History of ISO 27001

ISO 27001 did not appear fully formed. It evolved over three decades from a British government initiative into the world's leading information security standard, refined through major revisions in 2005, 2013, and 2022.


Understanding where ISO 27001 came from helps explain why it looks the way it does today — a risk-based management system rather than a rigid checklist of technical controls. Its lineage runs back to the mid-1990s and a piece of UK guidance that gradually became a global benchmark, absorbing lessons from every era of computing along the way.

This short history traces that journey from BS 7799 to the cloud-era 2022 edition, and shows how each revision shaped the standard organisations pursue for ISO 27001 certification today — and why understanding the lineage still helps in a modern project.

The origin: BS 7799 (1995)

The story begins in the United Kingdom. In 1995, the British Standards Institution (BSI) published BS 7799, a code of practice for information security management developed with input from major UK companies and government departments. It was, in effect, a catalogue of good security practices distilled into a single, citable reference at a time when most organisations had no common language for the topic.

A second part, BS 7799-2, followed in 1998. This is the historically important piece: it defined the requirements for an information security management system (ISMS) that an organisation could be certified against, rather than merely consult. The split — guidance in one part, certifiable requirements in another — still echoes in today’s pairing of ISO 27001 and ISO 27002.

Even at this early stage, the defining idea was present: security should be managed as an ongoing system tailored to an organisation’s risks, not bolted on as a fixed set of products.

Going international: ISO/IEC 17799 and ISO 27001 (2005)

As the internet turned information security into a worldwide concern, the standard outgrew its British origins. In 2000, the code of practice was adopted internationally as ISO/IEC 17799, giving organisations outside the UK a recognised reference for the first time.

Then, in 2005, the requirements part was published as ISO/IEC 27001:2005 — the first edition to carry the name organisations know today. This was the moment ISO 27001 became a global certification that an accredited body could assess and award anywhere in the world.

The 2005 edition was built around the ‘Plan-Do-Check-Act’ cycle borrowed from quality management, embedding the idea that security is a continuous loop of planning, implementing, checking, and improving — a process, not a project with an end date. That cyclical mindset remains the philosophical core of the standard.


Maturing: the 2013 revision

The 2013 revision was a significant modernisation. It aligned ISO 27001 with the common high-level structure (‘Annex SL’) shared by other ISO management-system standards such as ISO 9001, making it far easier for organisations to integrate multiple certifications under one management framework.

It also sharpened the emphasis on risk assessment and gave leadership a more explicit, accountable role — top management could no longer delegate security entirely to a technical team. The 2013 edition paired ten management clauses with an Annex A of 114 controls grouped into 14 domains.

For nearly a decade this was the version the world certified against, and it proved durable. Many of its ideas — the clause structure, the Statement of Applicability, the central role of risk — carry through unchanged into the current edition.

Modernising for the cloud: the 2022 revision

By the early 2020s, the threat landscape had shifted dramatically: cloud computing, remote and hybrid work, and a wave of high-profile supply-chain attacks demanded fresh controls that the 2013 edition did not address well. ISO/IEC 27001:2022 responded by restructuring Annex A.

The 114 controls were consolidated, merged, and updated into 93 controls across four clear themes — Organizational, People, Physical, and Technological — replacing the older 14-domain structure. The reorganisation made the control set easier to navigate and removed overlaps.

The 2022 edition also introduced eleven genuinely new controls, including threat intelligence, information security for cloud services, ICT readiness for business continuity, secure coding, data masking, configuration management, and data leakage prevention. The mandatory clauses (4–10) changed only modestly; the headline news was the modernised, cloud-aware control set.

What stayed the same across every edition

Across every revision, the core philosophy held firm: ISO 27001 certifies a management system driven by risk assessment, not a fixed list of technologies. You decide which risks matter to your organisation, choose controls to treat them, and document those choices in a Statement of Applicability.

That continuity is enormously practical. Skills, documentation, and habits built under earlier editions transfer cleanly to the current one, and an organisation that understood the 2013 standard is rarely starting from scratch when it moves to 2022.

The principle of continual improvement — monitor, audit, review, correct — has also survived every rewrite. It is why a certificate carries weight: it reflects an ongoing, audited commitment rather than a single moment of compliance.

Why the history matters for you today

If you are certifying now, you will be assessed against ISO 27001:2022. Organisations that held the 2013 certificate were given a transition window to migrate to the new edition, and most have now done so. Knowing the lineage helps in two very practical ways.

First, older templates, blog posts, and advice you find online may still reference the 2013 control numbering and the 14 domains; recognising that prevents confusion when a checklist does not match the current Annex A. Second, auditors respond well to teams that understand why a control exists rather than simply that it appears on a list — context the history provides.

The broader takeaway is reassuring: ISO 27001 is stable, mature, and well-proven. It has been refined for nearly thirty years, and the current edition reflects the best current thinking on protecting information in a cloud-first, supply-chain-connected world.

From history to your certificate

The lesson of ISO 27001’s history is that the standard rewards organisations who treat security as a living system. Each revision tightened that idea rather than replacing it, which is why a well-built ISMS ages gracefully through edition changes.

When you implement today, you inherit three decades of refinement — a structure that is comprehensive without being rigid, and flexible enough to fit a two-person startup or a multinational. ISpectra builds that structure with you against the current 2022 edition, so your certificate reflects the latest expectations from day one, with free VAPT and a multi-framework discount included.

The ISO 27000 family it anchors

ISO 27001 never stood alone, and its history is also the history of a growing family of companion standards. ISO 27000 provides the shared vocabulary; ISO 27002 expands each Annex A control with detailed implementation guidance; and ISO 27005 offers a structured approach to the risk management that sits at the centre of the standard.

Over time, sector and topic-specific members were added — ISO 27017 and ISO 27018 for cloud and personal data in the cloud, and ISO 27701 extending the ISMS into a privacy management system. None of these are certifiable in the way 27001 is, but together they form an ecosystem that lets organisations extend a single management system in whatever direction their risks demand.

Understanding that ISO 27001 is the certifiable hub of a wider family explains why so much supporting guidance exists, and why the standard has remained relevant as new technologies arrived. ISpectra helps organisations achieve ISO 27001 certification efficiently, from gap analysis through to the certificate.


The History of ISO 27001 — Frequently Asked Questions

Where did ISO 27001 come from?
It originated as the British standard BS 7799 (parts 1 and 2, from 1995 and 1998). The code of practice became ISO/IEC 17799 in 2000, and the certifiable requirements were published as ISO/IEC 27001 in 2005.

What is the current edition?
The current edition is ISO/IEC 27001:2022, which replaced the 2013 version. It modernised Annex A into 93 controls across four themes.

What changed in the 2022 revision?
The main change was Annex A: 114 controls in 14 domains were consolidated into 93 controls across four themes, with eleven new controls covering cloud, threat intelligence, secure coding, and data protection. The clauses changed only slightly.

Who publishes ISO 27001?
It is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which is why it is written ISO/IEC 27001.

Do I need to know the history to get certified?
No, but it helps you interpret older templates and advice that still use 2013 control numbers, and it gives useful context for why the standard is structured the way it is.
