ISO 27001, as an operating system.
ISO 27001 is more rigorous than SOC 2 — and required outside the U.S. or for enterprise procurement. We build the ISMS, scope it correctly, run the internal audit, and prepare you for external certification.
- Standard: ISO/IEC 27001:2022
- Engagement: ISMS build + audit prep
- Timeline: 6–12 months
- Reuses: SOC 2 controls
What's included
ISMS scoping
Information Security Management System scope — what's in, what's out, and why. Critical for certification.
Risk assessment & treatment
Risk-based methodology that drives control selection. Not a generic Annex A drop.
Statement of Applicability
SoA authored with treatment decisions documented for every Annex A control.
Internal audit
Internal audit run before certification. Findings closed with formal corrective actions.
Management review
Top-management review process built and operated.
External certification support
We work with most of the major certifying bodies and support every interaction.
Engagement lifecycle
- 01 (Months 1–2): Scoping + risk
  ISMS scope, risk methodology, risk assessment, treatment plan.
- 02 (Months 2–6): Control implementation
  Annex A controls implemented per SoA. Documentation authored.
- 03 (Month 6): Internal audit
  Internal audit run; corrective actions closed.
- 04 (Months 7–8): Stage 1 audit
  External auditor documentation review.
- 05 (Months 9–12): Stage 2 audit + certification
  Stage 2 implementation audit. Certification issued.
What you walk away with
- ISO/IEC 27001:2022 certification
- Working ISMS with formal review cadence
- Risk register tied to business impact
- Audit-ready evidence library
- Significant overlap with SOC 2 controls (reusable evidence)
- Enterprise-procurement eligibility (Fortune 500, EU)