ISO/IEC 27001:2022
Build a certified ISMS that satisfies enterprise clients, regulators, and procurement teams worldwide.
ISO/IEC 27001:2022 Certification
The International Standard for Information Security Management
ISO/IEC 27001 is the world’s most widely adopted standard for information security management. It provides a systematic approach to managing sensitive company and customer information through a formal Information Security Management System (ISMS). The 2022 revision restructured the Annex A controls from 114 controls across 14 domains down to 93 controls across 4 themes: Organisational, People, Physical, and Technological — reflecting how modern businesses actually operate.
Why ISO 27001 matters commercially
For many organisations, ISO 27001 certification is not optional — it is a prerequisite for doing business. European enterprise procurement teams, Gulf-region government entities, regulated-sector clients in financial services and healthcare, and increasingly Indian public-sector tenders all require or strongly prefer ISO 27001 certification from their vendors. Unlike SOC 2, which produces an attestation report, ISO 27001 results in an independently audited certificate that is valid for three years, subject to annual surveillance audits.
If you are losing deals, delaying procurement cycles, or receiving security questionnaires you cannot adequately answer, ISO 27001 certification typically resolves all three.
Who needs ISO 27001
Technology companies selling to European, Gulf, or Indian enterprise clients where ISO 27001 is a procurement requirement. Managed service providers, cloud hosting companies, and SaaS platforms whose clients operate in regulated industries. Organisations pursuing government contracts in India, the UK, the EU, or the Gulf where ISO 27001 is often mandated. Businesses that already hold SOC 2 and want to extend their compliance posture for non-US markets. Any organisation that handles sensitive client data and wants a structured, auditable approach to information security.
The 2022 revision — what changed
The 2022 update is the first major revision since 2013. The core management system clauses (4–10) remain structurally similar, but Annex A underwent significant reorganisation. Controls were consolidated from 114 to 93, eliminating redundancy and grouping them into four intuitive themes. Eleven new controls were introduced, including Threat Intelligence (A.5.7), Information Security for Cloud Services (A.5.23), ICT Readiness for Business Continuity (A.5.30), Data Masking (A.8.11), Data Leakage Prevention (A.8.12), and Monitoring Activities (A.8.16). Organisations certified to ISO 27001:2013 must transition to the 2022 version by October 2025.
What implementation actually involves
A credible ISO 27001 implementation is not a documentation exercise. It requires genuine engagement with how your organisation manages information security risk. The process begins with defining the ISMS scope and context — understanding your organisation’s boundaries, interested parties, and the information assets that matter. A formal risk assessment follows, identifying threats and vulnerabilities, evaluating likelihood and impact, and determining appropriate risk treatment. The Statement of Applicability (SoA) documents which of the 93 Annex A controls are applicable and why.
Policy and procedure documentation must reflect how your organisation actually operates, not how a template says it should. Control implementation covers access management, encryption, network security, supplier management, incident response, business continuity, and more. Internal audit and management review are mandatory before the certification body arrives.
The certification audit itself happens in two stages. Stage 1 is a documentation review to confirm the ISMS is designed appropriately. Stage 2 is an on-site (or remote) assessment of whether controls are operating effectively. Once certified, annual surveillance audits maintain the certificate, and a full recertification audit occurs every three years.
How we help
We have implemented ISO 27001 across technology companies, financial services firms, healthcare organisations, and professional services businesses. Our approach is practical: we build an ISMS that works for your business, not one that exists only to pass an audit. We handle scoping, risk assessment, SoA development, policy drafting, control implementation guidance, internal audit, and full support through Stage 1 and Stage 2 certification audits. We also provide ongoing surveillance audit support and help you integrate ISO 27001 with other frameworks like SOC 2, GDPR, or DPDPA to avoid duplicating effort.
What ISO/IEC 27001:2022 gives your business
Unlocks enterprise deals
ISO 27001 certification removes the most common procurement blocker for European, Gulf, and Indian enterprise clients
Three-year certificate
Unlike SOC 2 reports that require annual re-audit, an ISO 27001 certificate is valid for three years with lighter annual surveillance audits
Structured risk management
The ISMS framework forces disciplined identification, assessment, and treatment of information security risks across the organisation
Regulatory alignment
ISO 27001 maps directly to GDPR Article 32, DPDPA security obligations, and most sector-specific regulations, reducing the cost of multi-framework compliance
Operational resilience
Business continuity, incident management, and supplier security controls built into the ISMS improve actual security posture, not just audit readiness