ISO/IEC 27001:2022

An ISMS that survives the surveillance audit.

Annex A traceability, management review inputs, and continual improvement tied to the same operational data your engineers and risk team already work in.

ANNEX A · 2022

Four themes, ninety-three controls, one ledger

Scope each theme, attach evidence, and let the SoA generate itself from real applicability decisions.

Annex A 2022 theme coverage (applicable controls per theme):

A.5  Organizational   32 of 37 applicable    86%
A.6  People            8 of 8 applicable    100%
A.7  Physical         11 of 14 applicable    79%
A.8  Technological    30 of 34 applicable    88%

Where ISMS programs drift

Certification is achievable. Staying aligned is harder.

SoA fossilizes

The Statement of Applicability is written once and never reflects what actually got deployed.

Owners scatter

Annex A controls span 6 teams. Without one ledger, ownership erodes between certifications.

Mgmt review is theater

Quarterly packs are rebuilt manually from stale exports. Surveillance audits surface the same finding twice.

Risk and ISMS diverge

Risk register and control library evolve in different tools. Treatment plans never link to the controls they protect.
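The four drift modes above are all detectable from a single control ledger, and the SoA can be derived from the same record rather than maintained by hand. The following is an added example, not the vendor's code: it assumes a hypothetical ledger schema (control id, applicability decision, owner, justification, evidence refs, observed deployment state) plus a map from risk treatment plans to the controls they rely on, and runs the checks over a small constructed sample.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Annex A (ISO/IEC 27001:2022) themes and their control counts: 37 + 8 + 14 + 34 = 93.
THEME_TOTALS = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}


@dataclass
class Control:
    """One ledger row. Field names are assumptions for this example."""
    cid: str                       # Annex A reference, e.g. "A.8.16"
    title: str
    applicable: bool               # applicability decision recorded in the SoA
    owner: str | None = None       # accountable team; None = unassigned
    justification: str = ""        # required when applicable is False (6.1.3 d)
    evidence: list[str] = field(default_factory=list)  # attached evidence refs
    deployed: bool = False         # observed state: is the control actually operating?


# Constructed sample ledger (not real data); evidence refs are placeholders.
LEDGER = [
    Control("A.5.15", "Access control", True, "IAM", evidence=["idp-policy-2024Q3"], deployed=True),
    Control("A.5.7", "Threat intelligence", True, None, deployed=True),
    Control("A.7.2", "Physical entry", False, "Facilities", "Fully remote; no premises in scope"),
    Control("A.7.4", "Physical security monitoring", False, "Facilities"),
    Control("A.8.16", "Monitoring activities", True, "SecOps", evidence=["siem-rules-v12"], deployed=True),
    Control("A.8.32", "Change management", True, "Platform", evidence=["pr-gating-workflow"]),
    Control("A.8.20", "Networks security", False, "Network", "Handled by cloud provider", deployed=True),
]

# Risk treatment plan id -> controls the plan relies on (constructed).
TREATMENTS = {"RT-7": ["A.8.16"], "RT-12": [], "RT-3": ["A.8.20"]}


def theme_of(cid: str) -> str:
    """'A.8.16' -> 'A.8'."""
    return ".".join(cid.split(".")[:2])


def soa(ledger: list[Control]) -> list[dict]:
    """Statement of Applicability rows derived from the ledger, in Annex A order."""
    rows = []
    for c in sorted(ledger, key=lambda c: [int(p) for p in c.cid[2:].split(".")]):
        rows.append({
            "control": c.cid,
            "title": c.title,
            "applicable": "Yes" if c.applicable else "No",
            "justification": "" if c.applicable else c.justification,
            "owner": c.owner or "UNASSIGNED",
            "evidence": ", ".join(c.evidence) or "NONE",
        })
    return rows


def theme_coverage(ledger: list[Control]) -> dict[str, dict]:
    """Per theme: applicable count, controls recorded, rounded percentage, and how
    many of the theme's Annex A controls the ledger has not addressed at all."""
    out = {}
    for t, total in THEME_TOTALS.items():
        recorded = [c for c in ledger if theme_of(c.cid) == t]
        applicable = sum(1 for c in recorded if c.applicable)
        out[t] = {
            "applicable": applicable,
            "recorded": len(recorded),
            "pct": round(100 * applicable / len(recorded)) if recorded else 0,
            "unaddressed": total - len(recorded),
        }
    return out


def drift_findings(ledger: list[Control], treatments: dict[str, list[str]]) -> list[tuple[str, str, str]]:
    """(id, drift mode, detail) for every way the ISMS has drifted from its ledger."""
    findings = []
    by_id = {c.cid: c for c in ledger}
    for c in ledger:
        if c.applicable and not c.deployed:
            findings.append((c.cid, "SoA fossilizes", "marked applicable but not deployed"))
        if not c.applicable and c.deployed:
            findings.append((c.cid, "SoA fossilizes", "deployed but SoA says not applicable"))
        if not c.applicable and not c.justification.strip():
            findings.append((c.cid, "SoA fossilizes", "excluded without a justification (6.1.3 d)"))
        if c.applicable and c.owner is None:
            findings.append((c.cid, "Owners scatter", "applicable control has no owner"))
        if c.applicable and not c.evidence:
            findings.append((c.cid, "Mgmt review is theater", "no evidence attached for the review pack"))
    for rt, cids in treatments.items():
        if not cids:
            findings.append((rt, "Risk and ISMS diverge", "treatment plan links to no control"))
        for cid in cids:
            if cid not in by_id:
                findings.append((rt, "Risk and ISMS diverge", f"links to {cid}, which is not in the ledger"))
            elif not by_id[cid].applicable:
                findings.append((rt, "Risk and ISMS diverge", f"relies on {cid}, which the SoA excludes"))
    return findings


if __name__ == "__main__":
    for row in soa(LEDGER):
        print(row)
    for t, cov in theme_coverage(LEDGER).items():
        print(t, cov)
    for fid, mode, detail in drift_findings(LEDGER, TREATMENTS):
        print(f"{fid:7} {mode:24} {detail}")
```

Running it on the sample surfaces seven findings across all four drift modes, and the coverage report shows that a ledger with only seven rows leaves 86 Annex A controls unaddressed, which is exactly the gap a Stage 1 auditor checks the SoA for.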

ISMS lifecycle

Plan · Do · Check · Act, instrumented

The clauses ISO 27001 requires you to operate (4 through 10) become workflows, not slide decks.

01

Plan

Scope, context, leadership commitment, risk assessment, statement of applicability (clauses 4 to 6).

02

Do

Implement controls, train people, document procedures, run treatment plans (clauses 7 and 8).

03

Check

Internal audit, control testing, management review, KPI tracking, nonconformity log (clause 9).

04

Act

Corrective action, continual improvement, scope adjustment, surveillance prep (clause 10).

3-year audit cycle

The full surveillance arc on one screen

Month  Stage             Focus                   Evidence reviewed
M0     Stage 1           Documentation review    ISMS scope, risk method, SoA approved
M2     Stage 2           Implementation audit    Annex A evidence, internal audit, mgmt review
M14    Surveillance 1    Selected Annex A        Sampled controls + corrective actions
M26    Surveillance 2    Selected Annex A        Trend analysis, mature improvement plan
M36    Recertification   Full ISMS review        Renewed certificate, updated scope

SOC 2 vs ISO 27001

One platform, both certifications

Reuse the controls you already maintain — most teams cover 65%+ of ISO with their SOC 2 evidence.

Dimension          SOC 2                      ISO 27001
Control source     Trust Services Criteria    Annex A 2022 (93 controls)
Audit cadence      Annual Type II             3-year cycle + surveillance
Risk integration   Recommended                Required (clause 6)
Statement          System description         Statement of Applicability
Mgmt review        Implicit                   Required, with defined inputs and outputs (clause 9.3)

Control mapping (SOC 2 criterion to ISO 27001 reference):
SOC 2 CC6 logical access       ISO Annex A.5.15, A.8.3
SOC 2 CC7 system operations    ISO Annex A.8.16, A.8.20
SOC 2 CC8 change management    ISO Annex A.8.32, A.8.31
SOC 2 CC9 risk mitigation      ISO clause 6.1, Annex A.5.7

“Surveillance audits used to mean two weeks of internal scramble. Now the auditor reviews exports, asks two questions, and signs off.”

Head of GRC · International fintech · 12 entities

Run your ISMS the way it was supposed to work

See SoA management, Annex A coverage, and surveillance audit packaging in your tenant.