Short answer: nobody is required to be ISO 27001 certified, but this standard can be extremely useful if your organisation is looking to protect against cyberattacks and reassure customers that their private information is in safe hands.
ISO/IEC 27001 – commonly shortened to ISO 27001 – is the global standard for information security management systems. Organisations of all sizes and across all sectors can obtain ISO 27001 certification by implementing a compliant information security management system (ISMS) and verifying it through an accredited certification body.