By Framework · ISO 27001

The certificate the rest of the world asks to see

ISO 27001 is the international standard for an information security management system, and for a lot of enterprise and cross-border deals it is the first thing a customer asks for. The 2022 revision modernized it, and the window to transition off the old version has already closed.

The landscape

A management system, not a one-time audit

ISO 27001 certifies that you run a real information security management system: risks identified, controls chosen and justified, and the whole thing reviewed and improved on a cycle. The 2022 revision reworked the control set into four themes and added eleven controls covering cloud, threat intelligence, and secure development. Certification is granted by an accredited body and re-checked through surveillance audits, so it is a commitment, not a certificate you frame and forget.

ISO 27001:2022 Annex A ISMS Statement of Applicability ISO 27002 Risk Treatment Surveillance Audits
93
controls in the 2022 revision, streamlined into four themes from the 114 across fourteen domains in the old version. The deadline to move off the 2013 standard passed in October 2025, so those certificates are no longer valid.

The heart of ISO 27001 is risk. Every control you apply, and every one you leave out, has to be justified in a Statement of Applicability that traces back to a documented risk assessment. Certification bodies do not want a pile of policies; they want to see that the management system runs.

Why it is hard

The management system is the hard part

Passing an ISO 27001 audit is not about writing controls once. It is about keeping a risk assessment, a Statement of Applicability, treatment plans, and evidence all consistent with each other, all the time, so a surveillance audit a year later still holds up. And most organizations pursuing ISO 27001 are pursuing SOC 2 and a dozen regulations alongside it, on the same underlying controls.

Managed in disconnected documents, that becomes drift: a risk register that no longer matches the controls, and an SoA that no longer matches reality.

How SimpleRisk fits

One control library, every obligation

SimpleRisk was built around risk-driven security, which is exactly what ISO 27001 asks for: assess the risk, choose the control, prove it, and keep it current.

  • Run the ISMS, not just the audit. Keep the risk assessment, treatment plans, and Statement of Applicability connected, so what you certify is what you actually operate.
  • Map once, satisfy many. Through the Secure Controls Framework, one control maps across ISO 27001, SOC 2, NIST, PCI DSS, and 250-plus frameworks, so certification work is not thrown away on the next audit.
  • Justify every control. Trace each Annex A decision back to the risk that drove it, the evidence a certification body expects to see.
  • Stay ready between audits. Define tests, run them on a schedule, and walk into a surveillance audit with current evidence instead of a scramble.

Earn the certificate and keep it, on one platform

Start a free trial or book a demo, and see how SimpleRisk runs the risk assessment, controls, and evidence an ISO 27001 certification depends on.

Start a free trial