ISO 27001:2022. Global Standard. Continuously Assessed.

ISO 27001 Compliance Platform

93 Annex A controls across 4 themes. Statement of Applicability derived from your infrastructure and risk assessment. Continuous internal audit cycle replaces annual point-in-time reviews. Risk assessment and treatment linked to controls. International certification readiness from running systems, not spreadsheets.

Security posture generates compliance proofs. Not the other way around.

ISO 27001:2022 is the internationally recognized framework for establishing and maintaining an Information Security Management System. Certification demonstrates to customers, partners, and regulators across jurisdictions that your organization manages information security systematically. Redoubt Forge maps all 93 Annex A controls, derives your Statement of Applicability from connected infrastructure, and replaces the annual internal audit cycle with continuous assessment from observed posture.

01
What Is ISO 27001
The International Standard for Information Security Management Systems.

ISO/IEC 27001:2022 is the internationally recognized standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it provides a systematic approach to managing sensitive information so that it remains secure. The standard applies to organizations of any size and any sector. Unlike framework-specific compliance requirements (CMMC for defense, HIPAA for healthcare, PCI-DSS for payments), ISO 27001 is industry-agnostic. Companies pursue certification to demonstrate security maturity to international customers, satisfy supply chain requirements, meet regulatory expectations in the EU and APAC, and differentiate in competitive markets. Certification is performed by accredited certification bodies operating under national accreditation schemes (UKAS in the UK, ANAB in the US, DAkkS in Germany, JAS-ANZ in Australia). The accreditation chain ensures that auditors follow consistent assessment methodologies regardless of geography.

The 2022 revision restructured the standard significantly. The previous version (ISO/IEC 27001:2013) organized Annex A into 114 controls across 14 domains. The 2022 revision consolidated those into 93 controls across 4 themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). The restructuring was not cosmetic. The 2022 revision introduced 11 entirely new controls that reflect the current threat landscape: A.5.7 Threat intelligence, A.5.23 Information security for use of cloud services, A.5.30 ICT readiness for business continuity, A.7.4 Physical security monitoring, A.8.9 Configuration management, A.8.10 Information deletion, A.8.11 Data masking, A.8.12 Data leakage prevention, A.8.16 Monitoring activities, A.8.23 Web filtering, and A.8.28 Secure coding. Organizations certified under the 2013 version must transition to the 2022 version by October 31, 2025. New certifications are issued exclusively under the 2022 standard.

Global recognition is what separates ISO 27001 from regional frameworks. The standard is recognized across 160+ countries where ISO standards carry legal or contractual weight. Enterprise procurement teams in the EU, APAC, and the Middle East increasingly require ISO 27001 as a condition of vendor onboarding. The standard aligns with GDPR data protection requirements and positions organizations for NIS2 compliance in the European Union. In competitive markets, certification differentiates. In regulated markets, it satisfies. For organizations expanding internationally, ISO 27001 eliminates the need to pursue jurisdiction-specific certifications in every market. The certification process typically requires 6 to 12 months of preparation and costs between $20,000 and $100,000+ depending on organizational complexity, scope, and the certification body selected. That investment pays returns across every customer relationship, regulatory obligation, and supply chain requirement that references the standard.

02
The Problem
Why Traditional ISMS Maintenance Fails. What It Costs When It Does.

The ISMS documentation burden is where most organizations begin to struggle. ISO 27001 requires a comprehensive set of documented information: the information security policy, the risk assessment methodology, the risk treatment plan, the Statement of Applicability, the internal audit program, management review records, corrective action logs, and evidence of control effectiveness for all 93 Annex A controls. Each document must be maintained, version-controlled, reviewed at defined intervals, and traceable to the organizational context it describes. Most organizations create these documents during initial certification, assign ownership, and then watch them decay. Policies are written to satisfy the auditor, not to reflect operational reality. The risk register captures the threats that existed at certification time, not the threats that emerged since. The Statement of Applicability describes the infrastructure as it existed on the day it was compiled. Between certification cycles, the organization changes. The documents do not.

Internal audit fatigue compounds the documentation problem. Clause 9.2 requires internal audits at planned intervals to determine whether the ISMS conforms to the organization's own requirements and the requirements of the standard. Clause 9.3 requires management review of the ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. In practice, internal audits become annual events compressed into a two-week scramble. The internal audit team (often the same people responsible for maintaining the ISMS) reviews controls against stale documentation, produces findings, logs corrective actions, and presents results to management. Management review becomes a slide deck summarizing the internal audit findings rather than a genuine evaluation of ISMS performance. The corrective actions from the previous cycle sit in a tracking spreadsheet, partially addressed. The cycle repeats. Each iteration adds administrative overhead without improving security posture because the audit evaluates documentation completeness, not operational effectiveness.

Surveillance audit failures are the consequence of evidence decay between certification cycles. After initial certification, the certification body conducts surveillance audits in years one and two, followed by a full recertification audit in year three. Surveillance audits are not full reassessments; they sample controls and evaluate whether the ISMS is being maintained as described. Organizations that treat certification as a project rather than an ongoing operation discover during surveillance that their evidence has gone stale, their risk register has not been updated, their internal audit findings have not been closed, and their management review records show perfunctory compliance rather than genuine oversight. A surveillance audit failure does not revoke certification immediately, but it triggers major nonconformities that must be resolved within a defined timeframe. Repeated failures lead to certification suspension or withdrawal. The organization then faces the cost and disruption of recertification from scratch, losing the competitive advantage that certification provided while spending more to regain it than it would have cost to maintain it.

03
The 93 Annex A Controls
Four Themes. Organizational. People. Physical. Technological.

Organizational controls (A.5, 37 controls) establish how the organization governs information security at a strategic level. These cover information security policies, roles and responsibilities, segregation of duties, contact with authorities, threat intelligence, asset management, information classification, acceptable use policies, access control policies, identity management, supplier relationships, information security in project management, incident management, and business continuity. People controls (A.6, 8 controls) address the human element: screening, terms and conditions of employment, information security awareness and training, disciplinary processes, responsibilities after termination, confidentiality agreements, and remote working security. Together, these 45 controls form the governance and human capital foundation of the ISMS. They determine whether security operates as an organizational discipline or remains an afterthought delegated to the IT department.

Physical controls (A.7, 14 controls) protect the physical environment: security perimeters, physical entry controls, securing offices and facilities, physical security monitoring, protection against physical and environmental threats, working in secure areas, clear desk and clear screen policies, equipment siting, security of assets off-premises, storage media, supporting utilities, and cabling security. Technological controls (A.8, 34 controls) cover the technical implementation: user endpoint devices, privileged access management, information access restriction, source code security, secure authentication, capacity management, protection against malware, technical vulnerability management, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, secure coding, network security, and network segregation. The 2022 revision introduced several new controls in this theme, including A.8.11 Data masking, A.8.12 Data leakage prevention, A.8.16 Monitoring activities, A.8.23 Web filtering, and A.8.28 Secure coding. These additions reflect threats that did not exist or were not well understood when the 2013 version was published.

The four-theme structure enables systematic assessment. Rather than evaluating 114 controls scattered across 14 overlapping domains (as in the 2013 version), the 2022 structure groups controls by the type of capability they represent. Organizational controls can be assessed by evaluating policies, procedures, and governance structures. People controls can be assessed by evaluating HR processes, training records, and contractual arrangements. Physical controls can be assessed by inspecting facilities, reviewing access logs, and testing environmental protections. Technological controls can be assessed by examining system configurations, scanning infrastructure, and verifying technical implementations. This thematic grouping aligns assessment activities with the teams responsible for each area. It also clarifies which controls can be evidenced through automated technical collection (most of A.8) and which require human-generated documentation (most of A.5 and A.6). Understanding this distinction is critical for building an evidence collection strategy that is sustainable beyond the initial certification effort.

04
Step 1: Gap Analysis and ISMS Design
Assess Current State Against Clauses 4-10 and Annex A.

The initial gap analysis evaluates your organization against ISO 27001 on two levels. First, the management system requirements in Clauses 4 through 10: understanding the organization and its context (Clause 4), leadership commitment and policy (Clause 5), planning including risk assessment and treatment (Clause 6), support including resources, competence, awareness, communication, and documented information (Clause 7), operational planning and control (Clause 8), performance evaluation including monitoring, measurement, internal audit, and management review (Clause 9), and improvement including nonconformity handling and continual improvement (Clause 10). Second, the 93 Annex A controls: which ones apply to your organization, which are already implemented, which have gaps, and which can be excluded with justification. The gap analysis produces a clear picture of the distance between your current state and certification readiness.

ISMS scope definition is the foundational decision that shapes everything that follows. Clause 4.3 requires the organization to determine the boundaries and applicability of the ISMS. This means identifying which business processes, organizational units, locations, assets, and technologies fall within scope. Scope that is too broad increases the number of applicable controls and the evidence collection burden. Scope that is too narrow risks excluding information assets that should be protected, which the certification body will identify as a nonconformity. The scope must also account for the context of the organization (Clause 4.1): external and internal issues that affect the ISMS, and the needs and expectations of interested parties (Clause 4.2), including customers, regulators, suppliers, and employees. These contextual factors determine which controls are relevant and how they must be implemented.

Redoubt Forge structures the gap analysis as a guided process. Sentinel runs continuous discovery across your connected infrastructure, enumerating every resource, configuration, network path, and data flow within the declared scope. Garrison displays the discovered estate as a live inventory. Rampart maps the discovered infrastructure to the 93 Annex A controls, identifying which controls have technical evidence from connected systems and which require organizational documentation. Artificer guides the process by asking targeted questions about your organizational context, interested parties, risk appetite, and business processes. Artificer adapts its questions based on what Sentinel has already discovered: if Sentinel finds cloud infrastructure, Artificer asks about cloud service agreements and shared responsibility models relevant to A.5.23. If Sentinel finds remote access configurations, Artificer asks about remote working policies relevant to A.6.7. The gap analysis produces a prioritized list of actions: controls that are already satisfied with evidence, controls that are partially implemented, and controls that require new implementations or documentation.

05
Step 2: Risk Assessment and Treatment
Identify. Analyze. Evaluate. Treat. Link to Annex A Controls.

Clause 6.1.2 requires a formal information security risk assessment process that identifies risks associated with the loss of confidentiality, integrity, and availability of information within the scope of the ISMS. Each risk must be analyzed for likelihood and impact, evaluated against risk acceptance criteria defined by the organization, and assigned a risk level. The risk assessment methodology must be repeatable and produce consistent, valid, and comparable results. This is not a one-time exercise. Clause 8.2 requires the organization to perform information security risk assessments at planned intervals or when significant changes are proposed or occur. The certification body will evaluate both the methodology and the evidence that the methodology has been applied consistently. A risk register that was created during initial certification and never updated is a nonconformity waiting to surface during surveillance.

The risk treatment plan documents how each identified risk will be addressed. Clause 6.1.3 defines four treatment options: mitigate (implement controls to reduce the risk to an acceptable level), accept (acknowledge the risk and operate within the defined risk appetite), transfer (share the risk through insurance or contractual arrangements), and avoid (eliminate the activity that creates the risk). For risks that are mitigated, the treatment plan must identify which controls from Annex A (or other sources) address the risk, how those controls are implemented, and what residual risk remains after implementation. This creates a direct, auditable link between the risk register and the Statement of Applicability. Every control in the SoA should trace back to at least one risk that justifies its inclusion. Every risk in the register should trace forward to the controls that mitigate it.

Rampart integrates risk assessment into the compliance workflow. Risks are identified from your infrastructure context, your organizational threat profile, and the results of Sentinel's continuous discovery. Each risk is linked to the Annex A controls that mitigate it. Rampart scores risk using the organization's defined methodology: likelihood, impact, and the resulting risk level. Artificer recommends treatment options based on the risk profile, the controls already implemented, and the organization's stated risk appetite. When a control that mitigates a risk degrades or loses evidence, the associated risk is flagged for re-evaluation. When a new risk is identified, Artificer evaluates which existing controls already provide partial mitigation and which gaps require additional treatment. The risk register and the control assessment operate as a connected system. Changes in one propagate to the other automatically, ensuring the relationship between risks and controls remains current throughout the certification cycle.
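The bidirectional traceability the two paragraphs above describe (every SoA control traces back to a risk, every mitigated risk traces forward to controls, accepted risks stay within appetite) can be checked mechanically. The following is an added example, not Redoubt Forge code; the risk register, SoA entries, scoring scale and risk appetite threshold are constructed for illustration.

```python
"""Traceability check between a risk register and a Statement of Applicability.
Constructed example; risk IDs, control choices and the appetite threshold are
assumptions, not values from any real ISMS."""
from dataclasses import dataclass, field
from typing import List, Dict


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int          # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int              # 1 (negligible) .. 5 (severe), constructed scale
    treatment: str           # mitigate | accept | transfer | avoid (Clause 6.1.3)
    controls: List[str] = field(default_factory=list)   # Annex A controls cited

    @property
    def level(self) -> int:
        return self.likelihood * self.impact


@dataclass
class SoAEntry:
    control_id: str
    applicable: bool
    status: str              # implemented | partial | not_implemented
    justification: str


# Constructed risk register.
RISKS = [
    Risk("R-01", "Privileged accounts keep access after role change", 4, 4, "mitigate",
         ["A.5.18", "A.8.2"]),
    Risk("R-02", "Secrets committed to source repositories", 3, 5, "mitigate",
         ["A.8.4", "A.8.28", "A.8.12"]),        # A.8.12 is not in the SoA below
    Risk("R-03", "Loss of a shared office printer", 2, 1, "accept"),
    Risk("R-04", "Cloud provider outage affects availability", 3, 4, "mitigate"),  # no controls
    Risk("R-05", "Ransomware on file shares", 3, 4, "accept"),   # accepted above appetite
    Risk("R-06", "Third-party breach liability", 2, 4, "transfer"),
]

# Constructed Statement of Applicability (subset of the 93 controls).
SOA = [
    SoAEntry("A.5.18", True, "implemented", "Mitigates R-01"),
    SoAEntry("A.8.2", True, "partial", "Mitigates R-01; PAM rollout in progress"),
    SoAEntry("A.8.4", True, "implemented", "Mitigates R-02"),
    SoAEntry("A.8.28", True, "implemented", "Mitigates R-02"),
    SoAEntry("A.8.23", True, "implemented", "Web filtering on all endpoints"),  # cites no risk
    SoAEntry("A.7.4", False, "not_implemented", "Excluded: no physical premises in scope"),
]


def check_traceability(risks: List[Risk], soa: List[SoAEntry],
                       risk_appetite: int = 6) -> Dict[str, list]:
    """Return the nonconformity candidates an auditor would look for."""
    soa_by_id = {e.control_id: e for e in soa}
    referenced = set()
    findings = {
        "risks_without_controls": [],            # mitigate chosen, nothing cited
        "risks_citing_unknown_or_excluded": [],  # cited control absent or excluded
        "accepted_above_appetite": [],           # accept used outside appetite
        "controls_without_risk": [],             # SoA inclusion with no justification
        "applicable_not_implemented": [],        # declared applicable, no evidence yet
    }
    for r in risks:
        if r.treatment == "mitigate":
            if not r.controls:
                findings["risks_without_controls"].append(r.risk_id)
            for c in r.controls:
                referenced.add(c)
                entry = soa_by_id.get(c)
                if entry is None or not entry.applicable:
                    findings["risks_citing_unknown_or_excluded"].append((r.risk_id, c))
        elif r.treatment == "accept" and r.level > risk_appetite:
            findings["accepted_above_appetite"].append(r.risk_id)
    for e in soa:
        if e.applicable and e.control_id not in referenced:
            findings["controls_without_risk"].append(e.control_id)
        if e.applicable and e.status != "implemented":
            findings["applicable_not_implemented"].append(e.control_id)
    return findings


if __name__ == "__main__":
    for name, items in check_traceability(RISKS, SOA).items():
        print(f"{name}: {items}")
```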

06
Step 3: Statement of Applicability
The Most Important Document for ISO 27001 Certification.

The Statement of Applicability (SoA) is the backbone document of an ISO 27001 ISMS. Clause 6.1.3 d) requires the organization to produce a statement that contains the necessary controls (from Annex A and any additional sources), the justification for their inclusion, whether they are implemented or not, and the justification for excluding any Annex A controls. The SoA is the primary reference document for the certification body. It declares the scope of your control environment and provides the auditor with a roadmap for their assessment. Every control marked as applicable must be demonstrably implemented with verifiable evidence. Every control marked as not applicable must have a justification grounded in the organizational context, scope boundaries, and risk assessment results. An SoA that includes a control without evidence of implementation is a nonconformity. An SoA that excludes a control without adequate justification is also a nonconformity.

Traditionally, the SoA is a spreadsheet that someone fills in manually during the certification preparation phase. It lists all 93 Annex A controls, marks each as applicable or not applicable, provides an implementation status (implemented, partially implemented, not implemented), and includes a brief justification for each decision. This spreadsheet is often outdated before it is completed. Maintaining it requires re-reviewing applicability whenever systems change, new services are deployed, organizational scope expands, or risk assessments are updated. In organizations with dynamic infrastructure, the SoA becomes a snapshot of a moment that no longer exists. The certification body reviews it as though it describes the current environment, and the gap between document and reality becomes a source of nonconformities during the audit.

Rampart derives your SoA from connected infrastructure and organizational context. Controls are mapped to your systems. Applicability is computed based on your declared scope, your risk assessment results, the technologies you operate, and the data types you handle. When a control applies, the SoA documents how it is implemented with references to specific infrastructure components and evidence artifacts. When a control does not apply, the exclusion is flagged for human review. Artificer generates justification narratives for each inclusion and exclusion, grounded in the risk assessment and organizational context rather than generic boilerplate. The SoA is a living document. When you add a new system, the SoA updates to reflect new control applicability. When you decommission a system, controls that were applicable only to that system are flagged for review. When your risk assessment identifies a new threat, the SoA evaluates whether additional controls become applicable. The document stays current because it is derived from your environment, not maintained separately from it.

07
Step 4: Implementation and Internal Audit
Deploy Controls. Conduct Internal Audits. Prepare for Management Review.

Implementation translates the gap analysis and risk treatment plan into operational reality. Organizational controls (A.5) require policies, procedures, and governance structures: information security policy approved by management, acceptable use policies communicated to all personnel, access control procedures documented and enforced, incident management processes established and tested, supplier security requirements defined in contracts. People controls (A.6) require HR integration: screening processes for new hires, security responsibilities in employment contracts, awareness training programs with completion tracking, disciplinary procedures for security violations. Physical controls (A.7) require facility assessments and physical security measures. Technological controls (A.8) require system configurations, security tool deployments, and technical enforcement mechanisms. Each control must produce evidence of its implementation and ongoing effectiveness. The evidence must be traceable, current, and sufficient for an auditor to verify the control is operating as described.

Clause 9.2 requires the organization to conduct internal audits at planned intervals to determine whether the ISMS conforms to the organization's own requirements and the requirements of the standard. Clause 9.3 requires management review at planned intervals, considering the status of actions from previous reviews, changes in external and internal issues, feedback on information security performance, results of risk assessments, and opportunities for continual improvement. These are not optional activities. They are mandatory management system requirements. The certification body will request evidence of internal audit planning, execution, findings, corrective actions, and management review inputs and outputs. Organizations that compress internal audits into a single annual event miss the standard's intent: the ISMS should be continuously evaluated and improved, not periodically inspected and forgotten.

Armory provides hardened Terraform modules that satisfy technological controls from the first deployment. An encryption module that satisfies A.8.24 (Use of Cryptography) by configuring storage-level and transit-level encryption with key management policies. A logging module that satisfies A.8.15 (Logging) by deploying centralized log collection with tamper-evident storage and retention policies. A network segmentation module that satisfies A.8.22 (Segregation of Networks) by establishing boundaries with enforced traffic inspection and deny-by-default rules. Vanguard runs continuous security scanning across your codebase and infrastructure: SAST, secret detection, dependency analysis, container scanning, and configuration audits. Scan results map directly to technological controls in Annex A. A vulnerability discovered in application code maps to A.8.8 (Management of Technical Vulnerabilities). A secret detected in source code maps to A.8.4 (Access to Source Code). The scanning IS the evidence of control operation, collected continuously rather than assembled for the audit.

08
Step 5: Stage 1 Certification
Documentation Review by the Certification Body.

Stage 1 is the documentation review. The certification body examines your ISMS documentation to determine whether the organization is ready for the implementation audit. The auditor evaluates the information security policy, the Statement of Applicability, the risk assessment methodology and results, the risk treatment plan, the ISMS scope definition, evidence that the ISMS has been operational for a sufficient period (typically at least three months), and the internal audit and management review records. Stage 1 is not a pass/fail event. It is a readiness assessment. The auditor identifies areas of concern that must be addressed before Stage 2 proceeds. If the documentation has significant gaps, the certification body may postpone Stage 2 until the gaps are resolved. The time between Stage 1 and Stage 2 is typically 30 to 90 days, depending on the certification body and any issues identified.

What auditors evaluate during Stage 1 follows a predictable pattern. They verify that the ISMS scope is clearly defined and aligned with the organizational context and interested party requirements. They confirm that the risk assessment methodology is documented, repeatable, and has been applied. They review the SoA for completeness: are all 93 controls addressed, are applicability decisions justified, are exclusions defensible? They examine the internal audit program: has at least one full cycle been completed, were findings documented, were corrective actions assigned and tracked? They review management review records: did management evaluate ISMS performance, were decisions documented, were resources allocated? The auditor is assessing whether the ISMS exists as a functioning management system, not just as a collection of documents created for the audit. Evidence of operational history distinguishes a genuine ISMS from a documentation exercise assembled the month before the assessment.

Rampart produces Stage 1 evidence packages organized by clause. The SoA, risk assessment documentation, risk treatment plans, ISMS policy documents, internal audit records, management review outputs, and evidence of operational history are all accessible from the compliance workspace. Artificer generates clause-by-clause narratives that describe how the organization satisfies each management system requirement, referencing specific evidence artifacts with timestamps and provenance. Alliance grants the certification body time-bound, read-only access to the compliance workspace. The auditor navigates your documented information independently without relying on your team to pull artifacts on demand. They can view every control, drill into the evidence chain for each, examine the SoA, and download artifacts for their own records. Every action the auditor takes within Alliance is logged, creating a chain of custody for the assessment itself.

09
Step 6: Stage 2 Certification
Implementation Audit. Evidence That Controls Are Operating Effectively.

Stage 2 is the implementation audit. The certification body verifies that the ISMS is implemented as documented, that controls are operating effectively, that the Plan-Do-Check-Act cycle is functioning, and that management review and internal audit processes are active. Stage 2 typically involves on-site activities (or remote assessment, depending on the certification body and organizational structure): interviews with personnel responsible for implementing and operating controls, observation of processes in action, examination of evidence artifacts, and verification that the SoA accurately reflects the deployed environment. The assessment scope covers both the management system requirements (Clauses 4-10) and the applicable Annex A controls. The auditor samples controls across all four themes, focusing on areas identified as concerns during Stage 1 and on controls that carry higher risk significance based on the organization's context.

Evidence quality determines the pace and outcome of Stage 2. The auditor examines artifacts for each sampled control: configuration evidence for technological controls, policy documents and approval records for organizational controls, training records and HR documentation for people controls, facility access logs and environmental monitoring data for physical controls. For each control, the auditor verifies that the evidence corresponds to the implementation described in the SoA, that the evidence is current (not collected months ago and never refreshed), and that the control is operating in the context described. A control that was implemented correctly at deployment but has since drifted due to configuration changes is not operating effectively, regardless of what the documentation states. Interviews verify that personnel understand their security responsibilities and can describe how controls operate in practice. The auditor is looking for consistency between documentation, evidence, and operational reality.

Every compliance event in the platform is stored as an immutable record with a SHA-256 integrity hash, timestamp, user ID, and full provenance metadata. Sentinel provides continuous evidence streams from every connected infrastructure source. When the auditor examines a technological control, the evidence is not a static screenshot from last month. It is a continuous record of configuration state collected by Sentinel, with integrity verification proving the evidence has not been modified after collection. The auditor can verify that a control has been operating effectively not just at the moment of assessment, but continuously throughout the evidence collection period. For organizations accustomed to preparing evidence packages the week before the audit, this represents a fundamentally different model. Instead of assembling artifacts under time pressure, the platform has been collecting evidence continuously since the day the ISMS became operational. The auditor receives an immutable evidence chain with complete provenance, not a folder of exported configurations assembled for the occasion.
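The immutable-record model above (SHA-256 hash, timestamp, user ID, provenance, and proof that evidence was not modified after collection) is a hash-chained ledger. The following is an added example, not Redoubt Forge code; the record fields, chaining scheme and sample collections are assumptions, and the chain verifier shows the one case a chain alone cannot catch.

```python
"""Hash-chained evidence ledger with integrity verification.
Constructed example; the record layout and sample payloads are assumptions."""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash committed to by the first record


def _canonical(record: dict) -> bytes:
    # Deterministic serialization so the hash does not depend on key order.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _digest(record: dict) -> str:
    # Hash every field except the record's own hash.
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(_canonical(body)).hexdigest()


class EvidenceLedger:
    """Append-only evidence records; each record commits to the previous one's hash."""

    def __init__(self):
        self.records = []

    def append(self, control_id, source, user_id, collected_at, payload):
        record = {
            "seq": len(self.records),
            "control_id": control_id,
            "source": source,            # connector that observed the state
            "user_id": user_id,
            "collected_at": collected_at,
            "payload": payload,          # observed configuration state
            "prev_hash": self.records[-1]["hash"] if self.records else GENESIS,
        }
        record["hash"] = _digest(record)
        self.records.append(record)
        return record["hash"]

    def head(self):
        return self.records[-1]["hash"] if self.records else GENESIS

    def verify(self, expected_head=None):
        """Return (True, None) if intact, else (False, seq of the first bad record).
        expected_head is the head hash anchored outside the ledger, if available."""
        prev = GENESIS
        for rec in self.records:
            if rec["prev_hash"] != prev or _digest(rec) != rec["hash"]:
                return False, rec["seq"]
            prev = rec["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.records) - 1
        return True, None

    def history(self, control_id):
        """All collections for one control, oldest first: the continuous record an auditor reviews."""
        return [r for r in self.records if r["control_id"] == control_id]


def build_demo_ledger():
    # Constructed sample: three collections for two controls, fixed timestamps for repeatability.
    ledger = EvidenceLedger()
    ledger.append("A.8.24", "cloud-connector", "svc-collector", "2025-01-01T00:00:00Z",
                  {"bucket": "example-data", "sse": "aws:kms", "tls_min": "1.2"})
    ledger.append("A.8.15", "cloud-connector", "svc-collector", "2025-01-01T00:05:00Z",
                  {"trail": "org-trail", "log_validation": True, "retention_days": 365})
    ledger.append("A.8.24", "cloud-connector", "svc-collector", "2025-01-02T00:00:00Z",
                  {"bucket": "example-data", "sse": "aws:kms", "tls_min": "1.2"})
    return ledger


def tamper_payload(ledger, seq, new_payload):
    """Simulate editing a stored record after collection without re-hashing it."""
    ledger.records[seq]["payload"] = new_payload


def tamper_and_rehash(ledger, seq, new_payload):
    """Simulate an editor who also recomputes the edited record's own hash."""
    ledger.records[seq]["payload"] = new_payload
    ledger.records[seq]["hash"] = _digest(ledger.records[seq])
```

A re-hashed edit of the newest record is invisible to the chain by itself, which is why the head hash has to be anchored outside the ledger (a separate store or a signed timestamp) and passed to `verify` as `expected_head`.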

10
Step 7: Surveillance and Recertification
Annual Surveillance. Three-Year Recertification. Continuous Readiness.

ISO 27001 certification follows a three-year cycle. After initial certification, the certification body conducts surveillance audits in year one and year two. These are not full reassessments. They sample a subset of controls and management system clauses to verify that the ISMS is being maintained. The certification body selects its sample based on areas of previous concern, changes reported by the organization, and the results of the organization's own internal audits. Surveillance audits can result in minor nonconformities (observations that require corrective action but do not threaten certification) or major nonconformities (fundamental failures that must be resolved within a defined timeframe or risk certification suspension). In year three, a full recertification audit evaluates the entire ISMS against all management system requirements and applicable Annex A controls. Recertification is a complete reassessment, equivalent in scope to the original Stage 1 and Stage 2 process.

The organizations that struggle with surveillance are the ones that treat certification as a project with a finish line. After initial certification, the compliance team disbands or redirects to other priorities. Documentation updates stop. Internal audits become perfunctory. Risk assessments are not refreshed when the threat landscape changes. New systems are deployed without updating the SoA. Personnel changes occur without updating roles and responsibilities. The ISMS exists on paper but has stopped functioning as a management system. When the surveillance auditor arrives, the gap between the documented ISMS and the actual operating environment is immediately visible. Major nonconformities accumulate. The organization enters a remediation cycle that costs more in urgency and disruption than continuous maintenance would have cost in steady effort.

Sentinel maintains continuous evidence streams throughout the entire certification cycle. Drift detection fires in real time: when a configuration changes on a monitored resource, Sentinel evaluates the compliance impact immediately and maps the change to affected Annex A controls. Evidence freshness is tracked per control. When evidence approaches its expiration threshold, Sentinel re-collects from continuous sources automatically. For evidence that requires human action (annual policy reviews, periodic access certifications, management authorization renewals), the platform escalates through notifications with increasing urgency as the expiration date approaches. Rampart recalculates control scores as drift events arrive, maintaining an accurate real-time view of ISMS posture. When your surveillance audit begins, it starts from a position of demonstrated continuous compliance with a complete evidence history. When your recertification audit arrives in year three, the ISMS has been operating continuously with evidence of that operation at every point. Not a cold start. Not a scramble. A continuation of the posture you built from the beginning.

11
Cross-Framework Mapping
ISO 27001 Maps to NIST 800-53, CMMC, SOC 2, and Beyond.

ISO 27001 Annex A controls share substantial structural overlap with every major compliance framework. A.8.2 (Privileged Access Rights) maps to NIST 800-53 AC-2 (Account Management), which maps to CMMC practice AC.L2-3.1.1 (Limit System Access). A.8.3 (Information Access Restriction) maps to NIST 800-53 AC-3 (Access Enforcement), SOC 2 CC6.1 (Logical and Physical Access Controls), HIPAA 164.312(a)(1) (Access Control), and PCI-DSS Requirement 7 (Restrict Access). A.8.24 (Use of Cryptography) maps to NIST 800-53 SC-13 (Cryptographic Protection), SOC 2 CC6.7 (Restriction of Transmission), and HIPAA 164.312(e)(1) (Transmission Security). These mappings are not approximate. They trace through published cross-walks maintained by NIST, AICPA, and ISO. The derivation chain is deterministic and auditable at every link.

For organizations managing multiple compliance obligations, ISO 27001 certification accelerates every subsequent framework assessment. An organization with ISO 27001 certification that activates a SOC 2 assessment will find 60-70% of Trust Service Criteria already satisfied by existing Annex A controls. Adding CMMC Level 2 uses the overlap between Annex A and NIST 800-53, which is the same control catalog from which NIST 800-171 (and therefore CMMC) derives. Adding FedRAMP Moderate traces through the same NIST 800-53 lineage. The investment in ISO 27001 certification is not a single-use expenditure. It compounds across your entire compliance portfolio. Organizations that pursue ISO 27001 first and then expand to additional frameworks operate more efficiently than those that treat each framework as an independent project with its own evidence collection, documentation, and assessment preparation.

Rampart maintains the cross-reference engine that resolves these derivation chains through five strategies: native control mapping (direct control-to-control relationships published by the framework authority), NIST 800-53 derivation chain tracing (following the path from any framework back through 800-53 to any other framework that derives from it), NIST CSF 2.0 bridging (using the Cybersecurity Framework's function/category/subcategory structure as an intermediary between frameworks that lack direct mappings), published cross-walks from authoritative sources (AICPA for SOC 2, ISO for 27001, NIST for all NIST publications), and AI-suggested mappings that require human confirmation before activation. As you satisfy ISO 27001 controls, Rampart computes your readiness percentage for every other framework in the catalog. The computation resolves each individual control relationship through the derivation chain and accounts for framework-specific parameter differences. When you activate a new framework assessment, it arrives pre-populated from your existing ISO 27001 work. One security posture. Every framework computed.
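The derivation-chain resolution described in this section (direct mappings, tracing through NIST 800-53, published cross-walks, and AI-suggested mappings that stay inactive until a human confirms them) reduces to a reachability search over a mapping graph. The following is an added example, not Redoubt Forge code; the edge list uses the control pairs named on this page, the per-framework catalogs are a constructed subset rather than the frameworks' full control sets, and the strategy tags are assumptions.

```python
"""Cross-framework readiness via derivation-chain resolution.
Constructed example: catalogs below are small subsets, not full frameworks."""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# (source, target, strategy, confirmed). Unconfirmed edges are never traversed.
Edge = Tuple[str, str, str, bool]
EDGES: List[Edge] = [
    ("ISO:A.8.2",  "NIST:AC-2",            "native",       True),
    ("NIST:AC-2",  "CMMC:AC.L2-3.1.1",     "derivation",   True),
    ("ISO:A.8.3",  "NIST:AC-3",            "native",       True),
    ("NIST:AC-3",  "SOC2:CC6.1",           "crosswalk",    True),
    ("NIST:AC-3",  "HIPAA:164.312(a)(1)",  "crosswalk",    True),
    ("NIST:AC-3",  "PCI:Req7",             "crosswalk",    True),
    ("ISO:A.8.24", "NIST:SC-13",           "native",       True),
    ("NIST:SC-13", "SOC2:CC6.7",           "crosswalk",    True),
    ("NIST:SC-13", "HIPAA:164.312(e)(1)",  "crosswalk",    True),
    ("NIST:SC-13", "CMMC:SC.L2-3.13.11",   "ai_suggested", False),  # awaiting review
]

# Constructed subset catalogs: which target controls count toward readiness.
CATALOG: Dict[str, List[str]] = {
    "SOC2":  ["CC6.1", "CC6.2", "CC6.3", "CC6.7"],
    "CMMC":  ["AC.L2-3.1.1", "AC.L2-3.1.2", "SC.L2-3.13.11"],
    "HIPAA": ["164.312(a)(1)", "164.312(e)(1)"],
    "PCI":   ["Req7", "Req8"],
}

SATISFIED_ISO = ["ISO:A.8.2", "ISO:A.8.3", "ISO:A.8.24"]  # controls with current evidence


def confirm(edges: List[Edge], src: str, dst: str) -> List[Edge]:
    """Human confirmation of an AI-suggested mapping; returns a new edge list."""
    return [(s, d, strat, True) if (s, d) == (src, dst) else (s, d, strat, c)
            for s, d, strat, c in edges]


def resolve(satisfied: List[str], edges: List[Edge]) -> Dict[str, List[str]]:
    """Map every reachable control to the derivation chain that reaches it (BFS)."""
    graph = defaultdict(list)
    for src, dst, strategy, confirmed in edges:
        if confirmed:
            graph[src].append((dst, strategy))
    chains = {c: [c] for c in satisfied}
    queue = deque(satisfied)
    while queue:
        cur = queue.popleft()
        for nxt, strategy in graph[cur]:
            if nxt not in chains:                 # first (shortest) chain wins
                chains[nxt] = chains[cur] + [f"-[{strategy}]->", nxt]
                queue.append(nxt)
    return chains


def readiness(satisfied: List[str], edges: List[Edge],
              catalog: Dict[str, List[str]]) -> Dict[str, float]:
    """Percent of each framework's catalog reachable from satisfied controls."""
    chains = resolve(satisfied, edges)
    return {fw: round(100.0 * sum(f"{fw}:{c}" in chains for c in controls) / len(controls), 1)
            for fw, controls in catalog.items()}


def explain(control: str, satisfied: List[str], edges: List[Edge]) -> str:
    """Human-readable derivation chain for one target control, or a note if unreached."""
    chain = resolve(satisfied, edges).get(control)
    return " ".join(chain) if chain else f"{control}: no confirmed chain from satisfied controls"


if __name__ == "__main__":
    print(readiness(SATISFIED_ISO, EDGES, CATALOG))
    print(explain("CMMC:AC.L2-3.1.1", SATISFIED_ISO, EDGES))
    approved = confirm(EDGES, "NIST:SC-13", "CMMC:SC.L2-3.13.11")
    print(readiness(SATISFIED_ISO, approved, CATALOG))
```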

Something is being forged.

The full platform is under active development. Reach out to learn more or get early access.