// ISO 27001

How close is your ISMS to ISO/IEC 27001 certification?

ISO/IEC 27001:2022 certifies that you run a working information security management system, not just a list of controls. This six-question check gives you an honest readiness tier and shows where the gap sits before a certification body's auditor finds it for you.

ISO 27001 readiness assessment

What's pushing you toward ISO 27001 right now?

What is ISO/IEC 27001?

ISO/IEC 27001:2022 is the international standard for an information security management system (ISMS). It sets out how an organisation plans, runs, reviews, and improves its security, covering clauses 4 to 10 plus reference controls in Annex A. Certification proves an independent auditor checked the system works.

What changed in the 2022 version?

The 2022 update reorganised Annex A from 114 controls into 93, grouped under four themes: Organisational, People, Physical, and Technological. It added 11 new controls, including threat intelligence, information security for cloud services, and secure coding. The transition grace period for 2013 certificates ended on 2025-10-31.

How long does ISO 27001 certification take?

For most organisations, 6 to 9 months is realistic. Small teams with a narrow scope and an existing baseline can reach certification in about 3 months; large businesses can take a year. Control work and documentation are usually the longest phase, with the two-stage audit running 2 to 3 months.

Common questions

Stage 1 is a readiness review of your documentation: scope, risk method, SoA, and evidence of internal audit and management review. Stage 2 is the main audit, where they review records, interview staff, and test whether your Annex A controls actually work in practice.

No. You apply the controls your risk assessment justifies, and document every include-or-exclude decision in the SoA. The SoA has to address all 93, but it's normal to exclude controls that don't fit, as long as the reasoning holds up.

The SoA maps your decisions against every Annex A control, tied to your risks. It's one of the first documents an auditor asks for and a common reason organisations fail Stage 1. It connects your risk treatment to the controls you've chosen, so it has to match what you actually do.

The transition deadline was 2025-10-31, after which 2013 certificates lapse. If you've missed it you'll likely need to re-certify against the 2022 standard. The practical work is closing the gap on the 11 new controls and reworking your SoA against the 93-control structure.

LET'S CONNECT

A senior engineer replies within an hour, 24/7.