ISO 27001 Certification Path
Navigate ISO 27001:2022 from gap analysis through certification — Annex A controls, ISMS documentation, and stage 1/stage 2 audit preparation.
What is ISO 27001?
ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). It provides a systematic approach to managing sensitive company information so that it remains secure. Certification is granted by accredited bodies after a two-stage audit process. The 2022 revision reorganized controls into 4 themes (Organizational, People, Physical, Technological) with 93 controls in Annex A.
- International standard published by ISO and IEC
- Applicable to any organization regardless of size or industry
- Certification valid for 3 years with annual surveillance audits
- 2022 revision: 93 Annex A controls organized into 4 themes
ISO 27001 in ComplyWise
ComplyWise includes 93 controls mapped to ISO 27001:2022 Annex A. Each control is cross-mapped via the UCF to related controls in SOC 2, HIPAA, NIST CSF, and other frameworks. Automated scans evaluate technical controls (encryption, access control, network security) while manual assessments cover organizational, people, and physical controls.
- 93 Annex A controls fully mapped in the platform
- Cross-mapped to UCF for multi-framework efficiency
- Automated scanning for technology-related controls (the Technological theme within Annex A.5–A.8)
- Manual assessment support for organizational and people controls
ISMS Documentation
ISO 27001 requires documented policies, procedures, and records for the ISMS. Key documents include the Information Security Policy, Risk Assessment Methodology, Statement of Applicability (SoA), Risk Treatment Plan, and various operational procedures. ComplyWise helps track which documents exist, their review dates, and their approval status against control requirements.
- Information Security Policy — top-level policy mandated by clause 5.2
- Risk Assessment Methodology — defines your approach to identifying and evaluating risks
- Statement of Applicability (SoA) — declares which Annex A controls are applicable and justifies exclusions
- Risk Treatment Plan — documents how identified risks will be addressed
- Internal Audit Program — schedule and results of periodic ISMS audits
Certification Process
ISO 27001 certification involves two stages. Stage 1 is a documentation review where the certification body evaluates your ISMS documentation, SoA, and risk assessment. Stage 2 is an on-site (or remote) audit where the auditor verifies that controls are implemented and operating effectively. ComplyWise prepares you for both stages by tracking document completeness and control implementation status.
- Stage 1: Documentation review — SoA, risk assessment, policies, procedures (typically 1–2 days)
- Stage 2: Implementation audit — evidence of control operation, staff interviews, process observation (typically 3–5 days)
- Non-conformities: Major (certification blocker) or Minor (corrective action required)
- Certification valid for 3 years, with annual surveillance audits in years 2 and 3
Gap Analysis & Readiness
Use ComplyWise's gap analysis report to identify which Annex A controls are fully implemented, partially implemented, or not yet addressed. The report prioritizes controls by risk impact and effort required, helping you create an efficient remediation plan. Run the report monthly during your certification journey to track progress.
- Automated gap analysis covering all 93 Annex A controls
- Priority ranking by risk impact and implementation effort
- Progress tracking over time for management review
- Exportable report for sharing with certification body or consultants
Maintaining Certification
After achieving certification, continuous compliance is essential. Annual surveillance audits sample a subset of controls. ComplyWise's continuous scanning ensures technical controls remain in place, while the assessment tracker reminds you of pending policy reviews, risk reassessments, and internal audits.
- Continuous automated scanning for technical controls
- Policy review reminders and document management
- Management review meeting preparation and evidence
- Annual internal audit scheduling and result tracking