Information Security Management

ISO 27001:2022 certification, built to pass and built to last.

ISO/IEC 27001 is the international benchmark for information security. We design lean ISMS programs that pass certification on the first attempt and continue to operate without becoming a documentation burden, covering the full Annex A control set in the 2022 version.

Annex A controls: 93 (2022 revision)
Typical timeline: 6–12 months
Audit cycle: 3-year recertification

What ISO 27001 actually demands

ISO/IEC 27001:2022 requires a working Information Security Management System: defined scope, security policy, risk assessment methodology, Statement of Applicability against the 93 Annex A controls, security objectives, internal audit programme, management review cadence, and continual improvement. Certification is awarded by an accredited certification body after a Stage 1 documentation review and Stage 2 implementation audit.

It is a management-system standard. That means auditors aren't just checking that controls exist; they're checking that the ISMS is actually being run.

How we run an ISO 27001 program

  1. Scope and context. Define what's in the ISMS: locations, services, data types. Resist scope creep at this stage; it pays off later.
  2. Risk assessment. A repeatable methodology, asset and threat inventory, risk register, treatment plan.
  3. Statement of Applicability. Each Annex A control included, excluded, or partially adopted, with documented justification.
  4. Control implementation. Policies, procedures, technical controls. We write the documentation set to a real-world standard, not a template dump.
  5. Internal audit and management review. Independent internal audit, KPI dashboard, formal management review with minuted decisions.
  6. Stage 1 + Stage 2 audits. We coordinate with the certification body and run mock audits before each stage.

What the 2022 revision changed

Annex A was restructured from 114 controls into 93, grouped into Organizational, People, Physical, and Technological themes. Eleven new controls were added: threat intelligence (A.5.7), information security for cloud services (A.5.23), ICT readiness for business continuity (A.5.30), physical security monitoring (A.7.4), configuration management (A.8.9), information deletion (A.8.10), data masking (A.8.11), data leakage prevention (A.8.12), monitoring activities (A.8.16), web filtering (A.8.23), and secure coding (A.8.28). The transition window from the 2013 version closed October 31, 2025; new certifications must use the 2022 version.

ISO 27001 and SOC 2 together

The two standards overlap by roughly 70%. We design one underlying control framework that produces both a SOC 2 Type 2 report and ISO 27001 certification with shared evidence, shared training, and shared internal audit work, typically cutting combined effort by 30–40% versus running two parallel programs.

FAQ

Common questions

What is ISO/IEC 27001?
ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS). The current version (2022) requires a documented ISMS with leadership commitment, risk assessment, a Statement of Applicability against the 93 Annex A controls, internal audit, management review, and continual improvement, verified by an accredited certification body.

How long does ISO 27001 certification take?
From kickoff to a Stage 2 certification audit, plan on 6–12 months for a small or mid-size organization. Surveillance audits follow at year 1 and year 2, with full recertification in year 3.

ISO 27001 or SOC 2, which should we pursue?
If you sell primarily into North American enterprise buyers, SOC 2 Type 2 is the most-asked-for artefact. If you sell into Europe, regulated industries, or governments, ISO 27001 carries more weight. The controls overlap by roughly 70%, so we design programs that can produce both efficiently when the time comes.

What changed in ISO 27001:2022?
Annex A was restructured from 114 controls into 93, grouped into four themes (organizational, people, physical, technological). Eleven new controls were added, including threat intelligence, cloud security, data masking, and secure coding. Organizations certified against the 2013 version had a transition window that closed October 31, 2025.

Do we have to implement all 93 Annex A controls?
No. The Statement of Applicability is where you justify inclusion or exclusion of each control based on your risk assessment. Auditors care about defensible reasoning, not maximal coverage.

Your next enterprise contract is waiting on this.

  • Flat fee, total cost known up front
  • Canadian data residency available on paid engagements