ISO/IEC 27001:2022
Risk governance · operationalized

Security becomes a system, not a certificate.

ISO 27001 installs a leadership-governed management system around risk — not just a certificate. The ISMS names risk, owns it, treats it, and proves it operates. The certificate is the registrar’s confirmation that the system is real and running.

Our stance: Run it concurrent with SOC 2. ~85% control overlap. One evidence library, two reports, 1.3x effort: not 2x.

§ 0 · Why pursue it

ISO 27001 opens markets SOC 2 alone cannot.

  • Certification: accredited registrar
  • 3-year cycle: annual surveillance
  • ISMS: management system, not a report
  • 93 controls: Annex A · 4 themes
  • ~85% SOC 2 overlap: 1.3x effort, not 2x
  • EU & APAC default: international enterprise ask
The market reality

ISO 27001 is the certificate that opens international enterprise procurement. Where SOC 2 speaks to U.S. buyers, ISO 27001 speaks to European procurement, government contractors, and global enterprise. Most international RFPs name it specifically. The certificate is valid for three years, with annual surveillance audits confirming the management system is still running. Running ISO 27001 concurrent with SOC 2 is the highest-leverage compliance investment for a growth-stage SaaS company: ~85% of evidence overlaps, and one evidence library covers both reports at approximately 1.3× the effort of a single engagement.

Framework architecture

The ISO 27001 operating system

One management system. Every security obligation connected.

  • Governance
  • Risk treatment
  • Asset ownership
  • Supplier assurance
  • Access control
  • Internal audit
  • Management review
  • Continual improvement
ISO 27001 works when the ISMS becomes the operating layer for security — not a binder built for the audit.

Global trust, governed.

§ I · The standard

What ISO 27001 actually is, in plain English.

The one-line version

A registrar-issued certificate on whether your ISMS conforms to the standard — a true certification, not an attestation. The management system behind the certificate is what creates lasting value; the certificate demonstrates it externally.

  • Certificate: issued by accredited registrar
  • Clauses 4–10: mandatory ISMS core
  • Annex A: 93 controls, self-selected via SoA
  • 3-year validity: annual surveillance audits
  • Public register: buyers verify directly
The standard, in full

ISO/IEC 27001 is a certification of an Information Security Management System. The certificate, issued by an accredited registrar, says your ISMS conforms to the standard. Buyers see a certificate. What an internal auditor sees is your management review minutes, your risk treatment plan, your nonconformity log, and whether the system actually runs.

The standard is structured in two layers. Clauses 4–10 describe the management system itself (context, leadership, planning, support, operation, evaluation, improvement) and are mandatory. Annex A lists 93 controls in four themes (organizational, people, physical, technological), reorganized in the 2022 revision. Annex A controls are candidates, not requirements: you select what applies in your Statement of Applicability (SoA), justify exclusions, and live with the consequences if the auditor disagrees. The certificate is valid for three years, with surveillance audits in years 2 and 3 and then a recertification audit. Drop a surveillance audit and the certificate suspends.

Senior practitioner’s note

The certificate is the easy part. The ISMS has to actually run.

Plenty of firms get certified. Fewer maintain an ISMS that does what the standard claims it does. Surveillance audits in year two are where most ISMSs are exposed: management review hasn’t happened, the risk register is stale, internal audits were never run. We design the ISMS for year-three operating cost, not year-one certification.

The trust journey

A claim earns nothing.

“We take security seriously.” Any company can say it. With nothing behind it, a buyer has no reason to believe it.

Buyers don’t trust the logo. They trust the independently evaluated system behind it.
Trust journey figure: 01 Claim → 02 Evidence → 03 Independent evaluation → 04 Certification → 05 Trusted supplier
The trust journey

Trust is built, not claimed.

01 · Claim
  • “We take security seriously.” Any company can say it. Nothing independently evaluated.
  • The claim exists. The management system behind it does not yet.
02 · Evidence
  • Policies, controls, risk register: self-asserted. Buyer has only your word.
  • Policies, controls, risk treatment, and management review give the claim substance.
03 · Evaluation
  • No third party has reviewed the ISMS. The judgment is still yours alone.
  • An accredited registrar independently examines the ISMS. The judgment is no longer yours.
04 · Certificate
  • No certificate. Buyer cannot verify. Deal stalls at procurement.
  • The buyer holds independent proof: a registrar accountable to its accreditation body attests conformance.
05 · Trust
  • No pathway for the buyer to rely on your security posture.
  • The buyer is not trusting a logo. They trust the independently evaluated management system behind it.

ISO 27001 transfers trust because an independent body evaluated the system, not the claim.

§ I.5 · The Nexurion advantage

Build the ISMS for year three, not year one.

Two reports. One evidence library. ~85% control overlap between ISO 27001 and SOC 2. We sequence so the SOC 2 audit window and ISO 27001 Stage 2 share the same evidence period. The marginal cost of adding ISO 27001 to an active SOC 2 engagement is 1.3x, not 2x.
Nexurion
  • Senior practitioner leads from day one — not a coordinator with stage-gate reviews
  • ISMS designed for year-three operating cost, not certification day
  • Registrar-independent by policy — no conflict under ISO/IEC 17021
Generic approach
  • Coordinator-led with senior review only during the audit window
  • ISMS designed to pass Stage 2; surveillance is someone else’s problem
  • Some firms bundle consulting and certification (ISO/IEC 17021 conflict)
Engagement structure · our professional position

Independent of the registrar: by design.

We are not an accredited certification body and we do not issue ISO 27001 certificates. That separation is required by ISO/IEC 17021: a registrar that consults and certifies has a conflict that voids the certificate. We run the readiness, you choose the registrar — or we introduce three with active partner relationships. Registrar relationships »

Built to last three years

Designed for the registrar who comes back in year two.

We instrument the ISMS for continuous evidence collection before the engagement is 30 days old. By Stage 2, the audit room is pre-populated. Surveillance year two passes because the system was designed to run — not to certify.

§ II · ISMS scope decoder

Does this apply to you?

ISO 27001 is rarely the first ask in U.S. domestic deals. It becomes mandatory when European procurement, federal frameworks, or insurance underwriters get involved.


ISO 27001 scope check

1. Are EU, UK, APAC, or international enterprise customers in your pipeline?
2. Do you already hold or are you running a SOC 2 Type 2?
3. Has any RFP / vendor questionnaire required ISO 27001 specifically?
§ V · The clock

A first-time certification, realistically: 9 to 14 months.

From kickoff to a certificate in your buyer’s hands. The chokepoint is rarely Stage 2; it’s the three months of operational evidence registrars expect to see before Stage 1.

Timeline · First certification
9 to 14 months, realistically
Wk 0–6 · Gap & ISMS design
Gap analysis against clauses 4–10 + Annex A. Scope statement drafted, risk methodology agreed, SoA v0, internal-audit program designed.

Wk 6–22 · Remediation & ISMS launch
Policies issued, controls implemented, risk treatment plan running, owners assigned, training delivered, ConMon configured. ISMS goes live.

Wk 22–36 · Operate the ISMS
3+ months of operating evidence: management review, internal audit cycle, risk register updates, incident drills. This is the gate to Stage 1, and where most engagements stall.

Wk 36–40 · Stage 1 audit
Documentation review by the registrar. Findings list issued; minor NCs closed before Stage 2. Stage 2 scheduled 4–12 weeks later.

Wk 40–56 · Stage 2 + certificate issued
On-site / hybrid audit, NCs (if any) remediated, recommendation for certification, technical review, certificate issued. Surveillance year 2 starts the clock.
§ VI · How Nexurion runs it

Build the ISMS to operate, not to certify.

An ISMS designed only to pass Stage 2 will fail surveillance in year two. Every Nexurion ISO 27001 engagement is led by a senior practitioner who reads risk treatment plans and management-review minutes the way an auditor does: for evidence the system is alive, not laminated. Read our methodology.

From day one we instrument continuous monitoring against the SoA, not a quarterly evidence sweep. Risk register reviews trigger automatically; supplier reassessments queue against contract dates; internal-audit findings post directly into the management-review pack. When Stage 2 starts, we hand the registrar a read-only audit room with every artifact pre-mapped to the Annex A control it covers.

Running SOC 2 Type 2 at the same time — which we recommend whenever U.S. and international buyers are both in your pipeline — we sequence the audit period and Stage 2 so one evidence library serves both. ~85% of work is shared; the marginal cost of adding ISO 27001 to a SOC 2 engagement is small. See engagement outcomes.

§ VII · Where engagements stall

Six places an ISO 27001 goes sideways.

Surveillance year two is the great revealer. The mistakes that cause majors there were almost always made in the design phase: visible to a senior, invisible to a template.

01 / Scope creep

"The whole company, obviously."

Why it happens
Scoping every legal entity, every product, every office at once means evidence everywhere and exclusions nowhere. Scope to the ISMS that buyers need to see. Expand at recertification, not before.
02 / Templated SoA

93 controls, 93 "applicable."

Why it happens
A SoA where everything is in scope and nothing is justified is the auditor’s favorite document. Exclusions defended in plain English are professional; exclusions skipped are how you collect minor NCs.
03 / Management review never happens

Clause 9.3, silently skipped.

Why it happens
Management review is the ISMS’s heartbeat. If it didn’t happen, the ISMS isn’t running, and Stage 2 will say so. Calendar it the day after the engagement begins. Document it. Year two depends on it.
04 / Internal audit theater

An audit run by the team being audited.

Why it happens
Clause 9.2 demands competence and impartiality. Engineers reviewing engineering is a finding. Outsource internal audit, rotate ownership, or both: we run it for clients who don’t have an internal function.
05 / 2022 transition gaps

Eleven new controls, quietly unimplemented.

Why it happens
Threat intel (A.5.7), ICT readiness (A.5.30), config mgmt (A.8.9), monitoring activities (A.8.16): the new controls catch firms that transitioned on paper but didn’t implement. Test them in your internal audit before the registrar does.
06 / Registrar mismatch

An unaccredited certificate.

Why it happens
Some certificates come from certification bodies (CBs) not accredited by ANAB, UKAS, or other IAF members. Buyers are starting to filter these out. Pay the extra few thousand for an accredited registrar. We’ll introduce three.
The ISMS matures

The system is designed.

Scope, risk methodology, Statement of Applicability, and an ownership model. On paper, the management system exists.

What matures is the management system — not a certificate, not a report.
ISMS risk loop: 1 Design → 2 Operate → 3 Review → 4 Audit → 5 Improve
Surveillance year two is where most ISMSs are exposed. We design for year three.
§ VIII · Registrars

Registrars we work with.

Registrar fit matters more than registrar name. All accredited registrars issue equivalent certificates: what differs is auditor judgment, calendar flexibility, and sector strength. We’ll introduce you to three, calibrated to your timeline.

If you already have a registrar: we run a pre-Stage 1 alignment call to confirm scope and the SoA. We’ve never had a Stage 2 deferred over readiness.

§ IX · Cross-mapping

ISO 27001 against the rest of the stack.

ISO 27001 is the most universally portable security framework. Most other audits credit ISO 27001 evidence; the SoA does the heavy lifting. The gaps are usually where you think they are.

The stack

  • ISO 27001: your baseline
  • SOC 2: ~85% overlap
  • HITRUST CSF: ~70% overlap
  • NIST 800-171: ~65% overlap
  • HIPAA: ~60% overlap
  • PCI DSS v4: ~50% overlap
  • GDPR: ~30% overlap
Line weight in the original figure indicates approximate control overlap with ISO 27001. Higher overlap means more of the Annex A work carries directly into that framework. Detailed crosswalk below.
ISO 27001 is the broadest foundation.

Overlap from ISO 27001’s perspective

ISO 27017 · 90%
  • What ISO 27001 covers: All Annex A controls. ISO 27017 extends them for cloud deployments.
  • What’s still needed: Cloud customer/provider role split, ICT supply chain, virtualization controls.
SOC 2 Type 2 · 85%
  • What ISO 27001 covers: Annex A maps cleanly to all Common Criteria. One evidence library covers both.
  • What’s still needed: System description, AICPA-style report, U.S. CPA firm, complementary user-entity controls.
ISO 27018 · 85%
  • What ISO 27001 covers: Security foundation. ISO 27018 adds PII-in-cloud specifics on top.
  • What’s still needed: PII processor obligations, public cloud notice, cross-border transfers, retention.
ISO 27701 · 80%
  • What ISO 27001 covers: ISO 27701 (PIMS) is built directly on top of ISO 27001 as an extension.
  • What’s still needed: Privacy roles, lawful basis, DPIAs, DSAR workflow, sub-processor inventory.
NIST 800-171
  • What ISO 27001 covers: Most controls have a direct Annex A equivalent. Strong access & operational overlap.
  • What’s still needed: CUI marking, SSP, POA&M, supply-chain controls, federal-specific requirements.
HIPAA · 70%
  • What ISO 27001 covers: Administrative and technical safeguards align significantly with Annex A.
  • What’s still needed: BAAs, breach notification, minimum necessary rule, OCR-specific risk analysis.
ISO 42001 · 30%
  • What ISO 27001 covers: Management system structure mirrors; security controls provide a partial base.
  • What’s still needed: AIMS, AI impact assessments, model lifecycle governance, third-party AI inventory — mostly net-new work.
Framework · Overlap with ISO 27001 · What you still need to do
  • SOC 2 Type 2 · ~85%: Annex A maps cleanly to the Common Criteria · System description, AICPA-style report writing, U.S. CPA firm engagement, complementary user-entity controls.
  • ISO 27017 (cloud) · ~90%: extends Annex A with cloud-specific controls · Cloud customer / provider role split, ICT supply chain, virtualization controls.
  • ISO 27018 (PII in cloud) · ~85%: PII-specific extension · PII processor obligations, public cloud customer notice, transfers, retention.
  • ISO 27701 (privacy) · Built on top of ISO 27001: PIMS extension · Privacy roles, lawful basis, DPIAs, DSAR workflow, sub-processor inventory.
  • HIPAA Security Rule · ~70%: administrative / technical safeguards align · BAAs, breach notification, minimum necessary, OCR-specific risk analysis.
  • NIST 800-171 · ~75%: most controls have an Annex A equivalent · CUI marking, SSP, POA&M, supply-chain controls, federal-specific.
  • ISO 42001 (AI) · ~30%: mgmt-system structure mirrored, controls orthogonal · AIMS, AI impact assessments, model lifecycle, third-party AI inventory.
§ IV · The two assessments

Stage 1 vs Stage 2: both are needed.

Unlike SOC 2, ISO 27001 certification involves two sequential audit visits before a certificate issues. Stage 1 is documentation; Stage 2 is operation. Both are mandatory; failing Stage 1 means Stage 2 is rescheduled.

Required first visit

Stage 1

A documentation review. The registrar reads your ISMS: SoA, risk treatment plan, internal audit program, management review records: and confirms the system could work as designed. Half the time clients fail Stage 1 because management review hasn’t happened yet.

  • Format: Documentation review · mostly remote
  • Duration: 1–2 days
  • Tests: ISMS design, SoA, mandatory records
  • Outcome: Findings list · readiness for Stage 2
  • Typical fee: $8–15k registrar (varies by accreditation)
  • Failure mode: Stage 2 deferred · ISMS hasn’t run long enough
  • Time to Stage 2: 4–12 weeks after Stage 1
Where the certificate is earned

Stage 2

An on-site (or hybrid) operational audit. The registrar tests whether your ISMS is actually running: sampled controls, walk-throughs of incidents, evidence of management review having occurred, evidence of internal audits, evidence of risk treatment progress.

  • Format: On-site / hybrid · walkthroughs & sampling
  • Duration: 2–5 days · scaled to org size
  • Tests: Operating effectiveness across all in-scope SoA controls
  • Outcome: Certificate · valid 3 years
  • Typical fee: $20–60k registrar · plus surveillance years 2 & 3
  • Failure mode: Major NC · must close before certificate
  • Renews as: Surveillance audit yr 2 & 3 · recert yr 4
§ III · Annex A

The four Annex A control themes.

The 2022 revision collapsed Annex A from 14 domains / 114 controls into 4 themes / 93 controls. Eleven new controls were added (threat intel, cloud security, ICT readiness for BC, secure coding, etc.).

Organizational (37 controls): policies, roles, governance

The largest theme. Policies, roles, threat intel, supplier relationships, ICT readiness for business continuity, classification, identity management, incident response. This is the bulk of the SoA work and where most clients have something already: just not labeled the right way.

  • A.5.1 · Information security policies: Master policy + topic policies, approved, communicated, reviewed annually.
  • A.5.7 · Threat intelligence (new in 2022): Sources, analysis, distribution to control owners. Often the gap that surprises year-2 surveillance.
  • A.5.19–.23 · Supplier relationships: Vendor risk register, contractual security clauses, sub-processor inventory, monitoring.
  • A.5.30 · ICT readiness for BC (new in 2022): Plans, capacity, recovery objectives, tested annually.
  • A.5.24–.28 · Incident management: Plan, response, learning, evidence collection, escalation paths.
  • A.5.9–.14 · Asset & information classification: Inventory, ownership, acceptable use, return on termination, classification.
  • A.5.15–.18 · Identity & access management: Provisioning, privilege, secrets, periodic reviews, off-boarding.
  • A.5.31–.37 · Compliance & legal: Statutory requirements, IPR, records, privacy, independent review.

People (8 controls): screening, training, terms

The smallest theme but the one most often under-evidenced. Pre-employment screening, terms & conditions, awareness, disciplinary, off-boarding, NDAs, remote working, reporting events.

  • A.6.1 · Screening: Background checks at hire, documented, retained.
  • A.6.3 · Awareness, education, training: Annual training, role-specific modules, completion tracked.
  • A.6.5 · Termination & change: SCIM-driven offboarding, asset return, access revocation evidence.
  • A.6.7 · Remote working (new in 2022): Policy, endpoint controls, network requirements, home-office practice.

Physical (14 controls): perimeter, equipment, media

For cloud-native firms, most of this is inherited from your IaaS provider’s SOC 2 / ISO 27001 and excluded with justification on the SoA. For firms with offices, data centers, or on-prem hardware, this is real work.

  • A.7.1–.4 · Perimeter, entry, secure areas: Office / DC physical access controls, visitor logs, monitoring.
  • A.7.5–.9 · Equipment & media: Endpoint inventory, secure disposal, off-premise equipment, supporting utilities.
  • A.7.10–.14 · Media & cabling: Storage media management, secure disposal, cabling, equipment maintenance.

Technological (34 controls): where the audit lives

The longest theme and the heaviest evidence area. Includes new 2022 controls for cloud services, secure coding, data masking, configuration management, deletion, and monitoring activities.

  • A.8.1–.8 · Endpoint & access: User endpoints, privileged access, secure auth, info access restriction.
  • A.8.9 · Configuration mgmt (new in 2022): Hardening baselines, deviation tracking, IaC enforcement.
  • A.8.10–.12 · Information deletion / masking / DLP: Three new 2022 controls. Deletion at end of retention. Test data masking. DLP.
  • A.8.16 · Monitoring activities (new in 2022): Log collection, anomaly detection, alert handling: the SIEM ask.
  • A.8.23 · Web filtering (new in 2022): Filtering of malicious URLs / categories on managed endpoints.
  • A.8.25–.34 · Secure development: SDLC, secure coding, test data, change control, separation of envs.

Statement of Applicability (required): the auditor’s map

The single most-read document in the audit. For each of 93 Annex A controls you state: applicable / excluded; justification; implementation status. Excluded controls require defensible reasoning. The SoA is what the registrar reads first: we draft it surgically, not exhaustively.

  • SoA · 1 · Applicability: Yes / no per control, mapped to risk treatment.
  • SoA · 2 · Justification: Why included or excluded: risk-based, not preference-based.
  • SoA · 3 · Implementation status: Implemented / partially / planned, with evidence references.
  • SoA · 4 · Owner: Named accountable individual per control.
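As an added example, not Nexurion’s tooling or anything from the standard itself, the checker below applies the four SoA fields above to a row-per-control register and flags the “templated SoA” pattern from § VII: exclusions with no justification, applicable controls with no named owner, rows marked implemented with no evidence reference, a register that does not list all 93 Annex A controls, and a register that excludes nothing at all. The control rows and evidence identifiers in it are constructed sample data.

```python
"""Statement of Applicability (SoA) consistency checker.

Added example (not Nexurion's or any registrar's tooling). It applies the
four SoA fields from this section (applicability, justification, status and
owner) plus an evidence reference per row, and flags the "templated SoA"
failure mode: unjustified exclusions, applicable controls with no owner,
'implemented' rows with nothing in the evidence library behind them, rows
missing from the 93-control Annex A set, and an SoA with no exclusions at all.
All control rows below are constructed sample data, not a real SoA.
"""
from dataclasses import dataclass, field

ANNEX_A_CONTROL_COUNT = 93                        # ISO/IEC 27001:2022 Annex A
VALID_STATUSES = {"implemented", "partial", "planned"}


@dataclass
class SoARow:
    """One SoA line for a single Annex A control."""
    control: str                                  # e.g. "A.5.7"
    applicable: bool                              # applicable / excluded
    justification: str = ""                       # required either way; exclusions especially
    status: str = "planned"                       # implemented / partial / planned
    owner: str = ""                               # named accountable individual
    evidence: list[str] = field(default_factory=list)   # evidence-library references


def check_soa(rows: list[SoARow]) -> list[tuple[str, str]]:
    """Return (control, problem) pairs an internal auditor would raise before Stage 1."""
    findings: list[tuple[str, str]] = []
    seen: set[str] = set()
    excluded = 0
    for row in rows:
        if row.control in seen:
            findings.append((row.control, "duplicate row"))
            continue
        seen.add(row.control)
        if not row.justification.strip():
            kind = "inclusion" if row.applicable else "exclusion"
            findings.append((row.control, f"{kind} has no justification"))
        if not row.applicable:
            excluded += 1
            continue                              # excluded rows carry no owner/status checks
        if row.status not in VALID_STATUSES:
            findings.append((row.control, f"unknown status '{row.status}'"))
        if not row.owner.strip():
            findings.append((row.control, "no named owner"))
        if row.status == "implemented" and not row.evidence:
            findings.append((row.control, "marked implemented with no evidence reference"))
    if len(seen) != ANNEX_A_CONTROL_COUNT:
        findings.append(("SoA", f"{len(seen)} of {ANNEX_A_CONTROL_COUNT} Annex A controls listed"))
    if rows and excluded == 0:
        # "93 controls, 93 applicable" is itself a signal the SoA was templated.
        findings.append(("SoA", "no exclusions at all: check inherited physical and other controls"))
    return findings


# Constructed sample rows: three clean, two with the defects the checker targets.
SAMPLE_ROWS = [
    SoARow("A.5.1", True, "Policy set required by clause 5.2", "implemented", "CISO", ["POL-001"]),
    SoARow("A.5.7", True, "Threat feeds brief control owners monthly", "partial", "SecOps lead"),
    SoARow("A.7.1", False),                                          # excluded, no justification
    SoARow("A.8.9", True, "", "implemented", ""),                    # no justification, owner or evidence
    SoARow("A.8.16", True, "SIEM collects and alerts on prod logs", "implemented", "SecOps lead", ["SIEM-RB-3"]),
]

if __name__ == "__main__":
    for control, problem in check_soa(SAMPLE_ROWS):
        print(f"{control}: {problem}")
```

Run it as a pre-Stage 1 gate over the exported SoA: every finding is something the registrar will otherwise write up as a minor NC, and the coverage line is the quickest way to catch a transition SoA that still carries 2013 numbering.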
§ X · 2022 revision & transition

What changed in 27001:2022.

The third edition (October 2022) restructured Annex A and added eleven new controls reflecting how security has actually evolved since 2013. The transition deadline was 31 October 2025: certificates against the 2013 standard no longer issue. If yours was certified pre-transition, your next surveillance or recertification audit is against 2022.

  • 14 domains → 4 themes. Easier to read; same controls, regrouped. SoA mapping is mechanical with the published transition tables.
  • 114 controls → 93. Some merged, some renumbered, none deleted. The reduction is an organizing change, not a relaxation.
  • Eleven new controls. Threat intelligence (A.5.7), cloud services (A.5.23), ICT readiness (A.5.30), config mgmt (A.8.9), info deletion (A.8.10), data masking (A.8.11), DLP (A.8.12), monitoring activities (A.8.16), web filtering (A.8.23), secure coding (A.8.28), test data masking (A.8.33).
  • AI risk under clause 6.1. Registrars increasingly probe how AI was handled in risk assessment: even where Annex A doesn’t name it. Our AI Governance practice handles the bridge to ISO 42001.

Read our deeper take in Field Notes Vol. III: "Surveillance year two: where the eleven new controls catch transitioned firms."

§ XI · Pairs with

ISO 27001 is rarely the last framework.

The standard is a chassis. Most clients add at least one extension to satisfy a specific buyer or regulator.

§ XII · FAQ

Frequently asked.

Are we certified when the audit is complete?
Yes. ISO 27001 is a true certification: the registrar issues a signed certificate listing scope, the standard version, validity dates, and the accreditation body. Marketing may say "ISO 27001 certified." Buyers will request a copy and verify it on the registrar’s public register.

How long does the first certification take?
Realistically, 9–14 months from kickoff. Gap + ISMS design (6 weeks), remediation + ISMS launch (12–16 weeks), 3+ months of operating evidence, Stage 1 (1–2 days), 4–12 weeks gap, Stage 2 (2–5 days), certificate. Smaller orgs running concurrent SOC 2 compress somewhat. See full timeline.

What does it cost?
For first-time certification: $28–75k for the registrar (Stage 1 + Stage 2), $40–90k for readiness + ConMon (Nexurion fee depends on scope & whether SOC 2 is concurrent). Surveillance years 2 & 3 each cost ~30–40% of Stage 2.

Should we run ISO 27001 and SOC 2 at the same time?
Almost always, if both are on the roadmap. ~85% of evidence is shared. We sequence so the SOC 2 audit period overlaps the run-up to Stage 2; one evidence library, one risk register, two reports. Total cost is ~1.3x a single framework, not 2x.

Can we be certified by an unaccredited registrar?
You can. Don’t. Sophisticated buyers are filtering for IAF-MLA accreditation (ANAB, UKAS, etc.). The premium for an accredited registrar is small relative to the buyer-acceptance discount on an unaccredited one.

What happens if we miss a surveillance audit?
The certificate suspends. If suspended for an extended period it withdraws and you start again at Stage 1. We hard-calendar surveillance dates from week 1 of the engagement.

Is ISO 27001 enough for EU GDPR compliance?
No, but it’s a strong base. GDPR Article 32 references appropriate security measures: a 27001 ISMS substantially satisfies that. For full alignment add ISO 27701 (PIMS) or direct GDPR mapping; your DPO is still required separately.
§ XIII · From the Brief

Field notes on ISO 27001.

Pieces from Nexurion Field Notes directly relevant to the standard.


ISO 27001 on the calendar? Get the 5-minute scoping memo.

Five questions. One reply. Within 48 hours, a senior practitioner sends a written scoping memo: ISMS scope recommendation, SoA strategy, a realistic 9–14 month calendar, and a fee range (including whether to run concurrent SOC 2). AI signals translated into audit-ready decisions, on paper, before you commit. The booking link is at the bottom of the memo.
