In a world where cybersecurity has become a board-level priority — not just an IT concern — two questions keep surfacing in leadership meetings:
"What exactly do we need to do?" and "How do we know it's enough?"
ISO/IEC 27001:2022 and Slovenia's Information Security Act (ZInfV-1) answer both. This article explains what the standard and the law actually require, why they matter for every organisation — not just regulated sectors — and how they complement each other as the foundation of a robust security posture.
1. What is ISO 27001?
ISO/IEC 27001 is the international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It was developed jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC); the current version was published in 2022.
It is often mischaracterised as purely a "certification standard." In reality, it is a risk management framework: a flexible, risk-based methodology that helps organisations:
- identify information assets and the threats they face,
- implement proportionate security controls,
- demonstrate that those controls are working — to regulators, clients, and owners.
KEY POINT
ISO 27001 does not prescribe a single solution. It requires organisations to understand their specific risks and respond to them deliberately. This makes it applicable to organisations of any size, in any sector.
2. The structure: ten clauses and 93 controls
The standard follows the High Level Structure (HLS) common to all modern ISO management system standards. Of its ten clauses, the first three cover scope, normative references and terms; clauses 4 to 10 carry the ISMS requirements:
| Clause | Content |
|---|---|
| 4 — Context | Understanding the organisation, interested parties, and ISMS scope |
| 5 — Leadership | Management commitment, security policy, roles and responsibilities |
| 6 — Planning | Risk assessment, risk treatment plan, security objectives |
| 7 — Support | Resources, competence, awareness, communication, documentation |
| 8 — Operation | Control implementation, change management, supplier oversight |
| 9 — Performance | Internal audits, management review, effectiveness measurement |
| 10 — Improvement | Corrective actions, nonconformities, continual improvement |
Beyond the clauses, the standard includes Annex A — a catalogue of 93 security controls organised into four thematic groups: organisational, people, physical, and technological controls. Organisations do not implement all controls; they select those that address identified risks and justify any exclusions in the Statement of Applicability (SoA).
3. Why ISO 27001 — and why now?
The standard delivers practical value regardless of whether an organisation pursues certification. Benefits operate on three levels:
3.1 Risk management, not just compliance
The standard's central mechanism — risk assessment and treatment — forces organisations to approach security strategically. Rather than reactively patching holes, it builds a proactive, risk-informed security culture.
3.2 Trust with clients and partners
ISO 27001 certification or a documented ISMS is increasingly required by public sector clients, financial services organisations, and critical infrastructure operators as a condition of doing business. It is becoming a market access requirement, not just an internal tool.
3.3 A regulatory foundation
ISO 27001 is not itself a legal requirement, but it serves as the reference framework for most modern security regulations — including the NIS2 Directive and Slovenia's ZInfV-1. Organisations with an established ISO 27001 ISMS have a far easier path to demonstrating compliance.
DID YOU KNOW?
According to the ISO Survey 2023, ISO 27001 is one of the fastest-growing certification standards in the world. The number of certifications in Europe grew by more than 40% between 2019 and 2023 — a trend directly linked to the rise of NIS2.
4. ZInfV-1: Slovenian law meets international standard
The Information Security Act (ZInfV-1), which transposed the EU NIS2 Directive (2022/2555) into Slovenian law, requires essential and important entities to establish an information security management system and adopt proportionate technical and organisational measures to manage security risks.
The law explicitly references requirements that map directly to ISO 27001:
- information security and risk management policies,
- incident handling — including mandatory notification to SI-CERT within 72 hours,
- business continuity and crisis management,
- supply chain security,
- staff training and awareness,
- encryption and access control.
Crucially, ZInfV-1 does not mandate a specific standard. It requires demonstrable, proportionate measures. ISO 27001 is the most widely recognised and accepted framework for meeting those requirements — with regulators and courts alike.
IMPORTANT
Fines for essential entities under ZInfV-1 reach up to EUR 10 million or 2% of annual turnover. For important entities: up to EUR 7 million or 1.4% of annual turnover. Determining which category applies to your organisation is the mandatory first step.
5. ISO 27001 and ZInfV-1: Parallels and differences
| ISO 27001 | ZInfV-1 / NIS2 |
|---|---|
| Voluntary standard (certification optional) | Legal obligation for essential/important entities |
| Organisation defines ISMS scope | Scope determined by law (critical infrastructure sectors) |
| Risk-based assessment and controls | Proportionate measures based on risk, size, and sector |
| 93 controls in Annex A | Law sets minimum substantive requirements |
| Incident notification per internal policy | Mandatory SI-CERT notification within 72 hours |
| Internal and external audits | Oversight by national regulator |
| Continual improvement | Periodic reporting to the regulator |
The key insight: ISO 27001 and ZInfV-1 are not in conflict — they are complementary. The standard provides the methodology; the law sets the minimum obligations. An organisation that builds an ISMS to ISO 27001 gains a structure that maps directly onto ZInfV-1 requirements.
6. Where to start: practical first steps
Building an ISMS to ISO 27001 does not require implementing everything at once. We recommend a staged, risk-based approach:
- Determine your regulatory status. Is your organisation an essential or important entity under ZInfV-1? The answer defines the scope of your legal obligations.
- Assess your current state. Where do you stand today against the standard's requirements? Which areas are covered, and where do gaps exist?
- Secure leadership commitment. An ISMS cannot succeed without top-level support. Security must be a strategic decision, not just an IT project.
- Define your ISMS scope. Which processes, systems, and locations will be included? A well-defined scope is the foundation of everything that follows.
- Conduct a risk assessment. Identify assets, threats, and vulnerabilities. Use the results to select appropriate controls from Annex A.
Over the coming weeks, this series will examine each ISO 27001 clause in depth — from organisational context to continual improvement — mapping each one to the specific requirements of ZInfV-1.
NEXT STEPS
Before your next cybersecurity meeting — find out where your organisation stands today. Our free Information Security Maturity Assessment shows you in 10 minutes, across five key ISO 27001 domains aligned with ZInfV-1 requirements. Fill in the short form and your personalised assessment is waiting on the other side.
