ISO 27001 is the international standard for information security management. Whether required by customers or pursued voluntarily, we help you scope, implement and evidence the Annex A controls that apply to you and achieve certification.
ISO/IEC 27001:2022 is the international standard for establishing, implementing, maintaining and continually improving an information security management system (ISMS). It provides a systematic approach to managing sensitive company information based on risk assessment.
Latest version: ISO 27001:2022 replaced the 2013 version in October 2022. Organizations certified to the 2013 version must transition by October 31, 2025. The 2022 version restructured Annex A from 114 controls in 14 categories to 93 controls in 4 themes.
Plan-Do-Check-Act continuous improvement
Third-party audited and recognized globally
Complements SOC 2 for US markets and ISO 42001 for AI systems.
Organizations handling sensitive data: customer data, financial records, health information
Cloud service providers: SaaS, PaaS and IaaS providers whose customers require security certification
Financial services: banks, fintech, payment processors
Healthcare organizations: hospitals, clinics, health tech companies
Government contractors: organizations working with public sector data
Global enterprises: demonstrating security commitment to customers and partners
Purpose-built capabilities for ISMS implementation and certification
Register all information assets with structured metadata covering ownership, classification and handling requirements. The platform maintains the asset inventory required by A.5.9 and the classification and labelling scheme required by A.5.12 and A.5.13.
Addresses: A.5.9 Inventory of information and other associated assets, A.5.12 Classification of information, A.5.13 Labelling of information
Identify security risks using structured assessment methods aligned with ISO 27001 requirements. The platform records risk sources, treatment decisions and residual-risk acceptance, and generates the documented information required by Clauses 6.1.2 and 6.1.3 (the risk process) and 8.2 and 8.3 (its operation).
Addresses: Clause 6.1.2 Information security risk assessment, Clause 6.1.3 Information security risk treatment, Clauses 8.2 and 8.3 Operational risk assessment and treatment
Establish information security policies, define roles and generate procedures aligned with ISO 27001. The platform maintains policy versioning and approval workflows that satisfy Clause 5.2 and A.5.1.
Addresses: Clause 5.2 Information security policy, A.5.1 Policies for information security
Track implementation of the Annex A controls with evidence collection. The platform records control status and responsible parties, and maintains the Statement of Applicability required by Clause 6.1.3(d) together with the documented information and audit trail required by Clause 7.5.
Addresses: Clause 6.1.3 Statement of Applicability, Clause 7.5 Documented information, Clause 8.1 Operational planning and control
Track ISMS performance with KPIs aligned to security objectives. The platform consolidates monitoring data, incident patterns and control effectiveness for the ongoing visibility required by Clause 9.1.
Addresses: Clause 9.1 Monitoring, measurement, analysis and evaluation, A.5.7 Threat intelligence
Manage audit programs with structured workflows and feed findings into improvement cycles. The platform supports the Plan-Do-Check-Act cycle central to ISO 27001 certification and maintenance.
Addresses: Clause 9.2 Internal audit, Clause 9.3 Management review, Clause 10 Continual improvement
All ISMS activities maintain comprehensive audit trails with timestamps, assigned responsibilities and approval workflows. This demonstrates systematic information security management for certification audits.
VerifyWise addresses all mandatory clauses and Annex A controls:
93 Annex A controls in ISO 27001:2022
Controls with dedicated tooling
Coverage across all 4 themes
ISMS mandatory clauses (Clauses 4 to 10) and the PDCA cycle
Organizational (A.5): policies, roles, supplier relationships
People (A.6): screening, awareness, disciplinary process
Physical (A.7): secure areas, equipment, disposal
Technological (A.8): access control, cryptography, logging
Auto-generate SoA with control justifications and exclusions
Track risk treatment decisions and residual risk acceptance
Manage audit schedules, findings and corrective actions
Crosswalk to ISO 42001, SOC 2 and NIST requirements
ISO 27001 follows the Plan-Do-Check-Act cycle across seven mandatory clauses (Clauses 4 to 10):
Clause 4 Context of the organization: understand organizational context and interested parties, and define the ISMS scope.
Clause 5 Leadership: demonstrate leadership commitment, establish the information security policy and assign roles.
Clause 6 Planning: address risks and opportunities, set information security objectives and plan to achieve them.
Clause 7 Support: ensure resources, competence, awareness, communication and documented information.
Clause 8 Operation: implement and operate the ISMS processes, including operational risk assessment and treatment.
Clause 9 Performance evaluation: monitor, measure, analyze and evaluate ISMS performance through internal audit and management review.
Clause 10 Improvement: address nonconformities and continually improve the ISMS.
PDCA cycle (continuous improvement model): Plan covers Clauses 4 to 7, Do covers Clause 8, Check covers Clause 9 and Act covers Clause 10.
ISO 27001:2022 organizes controls into 4 themes covering organizational, people, physical and technological security
Organizational controls (A.5, 37 controls): policies, procedures, roles and organizational security measures. Examples: information security policy, asset classification, supplier security, incident response planning
People controls (A.6, 8 controls): human resource security throughout the employment lifecycle. Examples: background checks, security awareness training, employment contracts, offboarding procedures
Physical controls (A.7, 14 controls): protection of physical areas, equipment and assets. Examples: access control to offices, visitor management, CCTV, equipment disposal, clean desk policy
Technological controls (A.8, 34 controls): technical security measures for systems and networks. Examples: access control, encryption, logging, vulnerability management, secure development, backup
Note: Not all 93 controls apply to every organization. Your Statement of Applicability documents which controls you implement and provides justification for any exclusions based on your risk assessment.
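As an added illustration of what a consistent Statement of Applicability looks like (example code written for this page, not VerifyWise's own implementation), the script below checks the three things an auditor reads an SoA for: every row carries a valid Annex A 2022 control identifier, every row has a justification whether it is included or excluded, and every applicable control traces back to at least one risk or requirement. The control subset, risk identifiers (R-xx, REQ-xx) and justifications are constructed for the example.

```python
"""Statement of Applicability (SoA) consistency check.

Added example, not VerifyWise code. The rows below are a constructed subset of
ISO/IEC 27001:2022 Annex A; the risk identifiers (R-xx, REQ-xx) are invented.
"""
from dataclasses import dataclass, field

# Annex A 2022 themes: numbering prefix -> (theme name, number of controls)
THEMES = {
    "5": ("Organizational", 37),
    "6": ("People", 8),
    "7": ("Physical", 14),
    "8": ("Technological", 34),
}


@dataclass
class SoaRow:
    control_id: str                 # "A.<theme>.<n>", e.g. "A.5.23"
    title: str
    applicable: bool
    justification: str              # why included, or why excluded
    linked_risks: list[str] = field(default_factory=list)  # risk/requirement IDs


def parse_control_id(control_id: str):
    """Return (theme_key, number) for a valid Annex A 2022 ID, else None."""
    parts = control_id.split(".")
    if len(parts) != 3 or parts[0] != "A" or parts[1] not in THEMES:
        return None
    if not parts[2].isdigit():
        return None
    number = int(parts[2])
    if not 1 <= number <= THEMES[parts[1]][1]:
        return None
    return parts[1], number


def validate_soa(rows: list[SoaRow]) -> list[str]:
    """Return findings an auditor would raise; an empty list means consistent."""
    findings = []
    seen = set()
    for row in rows:
        if parse_control_id(row.control_id) is None:
            findings.append(f"{row.control_id}: not a valid Annex A 2022 control ID")
        if row.control_id in seen:
            findings.append(f"{row.control_id}: listed more than once")
        seen.add(row.control_id)
        if not row.justification.strip():
            findings.append(f"{row.control_id}: missing justification")
        if row.applicable and not row.linked_risks:
            findings.append(f"{row.control_id}: applicable but traces to no risk or requirement")
    return findings


def theme_coverage(rows: list[SoaRow]) -> dict[str, tuple[int, int]]:
    """Applicable controls per theme as (applicable, total in Annex A)."""
    coverage = {name: [0, total] for name, total in THEMES.values()}
    for row in rows:
        parsed = parse_control_id(row.control_id)
        if parsed and row.applicable:
            coverage[THEMES[parsed[0]][0]][0] += 1
    return {name: (done, total) for name, (done, total) in coverage.items()}


def render_soa(rows: list[SoaRow]) -> str:
    """Render the SoA as a markdown table, sorted by control number."""
    lines = ["| Control | Title | Applicable | Justification | Linked risks |",
             "|---|---|---|---|---|"]
    for row in sorted(rows, key=lambda r: parse_control_id(r.control_id) or ("9", 0)):
        lines.append(f"| {row.control_id} | {row.title} | {'Yes' if row.applicable else 'No'} "
                     f"| {row.justification} | {', '.join(row.linked_risks) or '-'} |")
    return "\n".join(lines)


# Constructed sample SoA (not a real organisation's); two rows are deliberately wrong
SAMPLE_ROWS = [
    SoaRow("A.5.23", "Information security for use of cloud services", True,
           "Production runs on a public cloud provider", ["R-12"]),
    SoaRow("A.5.7", "Threat intelligence", True,
           "Contractual requirement from enterprise customers", ["R-04", "REQ-C3"]),
    SoaRow("A.7.1", "Physical security perimeters", False,
           "Fully remote organisation with no owned or leased premises"),
    SoaRow("A.8.9", "Configuration management", True, "", ["R-07"]),      # no justification
    SoaRow("A.5.40", "Mistyped control", True, "typo in control id", ["R-01"]),  # A.5 ends at 37
]

if __name__ == "__main__":
    for finding in validate_soa(SAMPLE_ROWS):
        print("FINDING:", finding)
    print(theme_coverage(SAMPLE_ROWS))
    print(render_soa(SAMPLE_ROWS))
```

The check deliberately treats an exclusion without a justification exactly like an inclusion without one: Clause 6.1.3(d) requires a reason either way, and a row that says "not applicable" with no rationale is the most common SoA finding at Stage 1.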
Key changes in the latest version and transition requirements
| Aspect | ISO 27001:2022 | ISO 27001:2013 |
|---|---|---|
| Structure | 4 themes: Organizational (A.5), People (A.6), Physical (A.7), Technological (A.8) | 14 control categories (A.5 to A.18) organized by topic |
| Control count | 93 controls (merged and consolidated) | 114 controls (more granular) |
| Control attributes | Five attribute sets, including control type (Preventive, Detective, Corrective) | None; categories only |
| Cloud focus | A.5.23 explicit control for use of cloud services | Covered implicitly under supplier relationships |
| Threat intelligence | A.5.7 dedicated threat intelligence control | No dedicated control |
| Transition deadline | All certificates must transition by October 31, 2025 | Certificates no longer valid after October 31, 2025 |
Organizations certified to ISO 27001:2013 must transition to ISO 27001:2022 by this date. After October 31, 2025, ISO 27001:2013 certificates will no longer be valid.
What changed: 11 controls are new, 24 were formed by merging 57 existing controls, and 58 were updated. The new controls address emerging risks: threat intelligence (A.5.7), information security for use of cloud services (A.5.23), ICT readiness for business continuity (A.5.30), physical security monitoring (A.7.4), configuration management (A.8.9), information deletion (A.8.10), data masking (A.8.11), data leakage prevention (A.8.12), monitoring activities (A.8.16), web filtering (A.8.23) and secure coding (A.8.28).
Two-stage audit conducted by accredited certification bodies
Stage 1: auditor reviews ISMS documentation (scope, policy, risk assessment, Statement of Applicability) to verify completeness and readiness for Stage 2
Stage 2: on-site assessment of ISMS implementation and operation, including evidence that the controls declared applicable in the SoA are operating
Certification cycle: Stage 1 + Stage 2 audit; certificate valid 3 years; surveillance audits in years 1 and 2 after certification; recertification audit (full reassessment) before the certificate expires
Structured path from gap analysis to certification audit
Access ready-to-use ISMS documentation aligned with ISO 27001:2022 requirements and compatible with ISO 42001 and SOC 2
Start your ISMS implementation with our guided assessment and certification preparation tools.