HomeResourcesGuidesISO 27001 Implementation Guide
Pillar 3 · Information Security

ISO 27001 Implementation Guide — From Gap to Certified

A practical, end-to-end guide to ISO 27001:2022 certification — what the standard requires, how to build an ISMS that passes first time, and what to expect at every stage.

4,000+ words
25 min read
Updated Feb 2026
ISO 27001 Lead Auditor
Start Reading ↓

In This Guide

What You'll Learn

01

What ISO 27001 certifies and who actually needs it

02

What changed in ISO 27001:2022 — the 4 themes, 93 controls, and 11 new additions

03

How to define ISMS scope correctly — the most consequential early decision

04

A month-by-month implementation roadmap calibrated to 45+ real engagements

05

The CFO case for ISO 27001 — ROI calculation and Complio overhead reduction

C H A P T E R 0 1

What is ISO 27001 and Why Get Certified?

ISO/IEC 27001 is the international standard for information security management systems (ISMS). Published jointly by the International Organization for Standardization and the International Electrotechnical Commission, it provides a systematic, risk-based framework for protecting the confidentiality, integrity, and availability of information assets. Unlike point solutions or technology-centric checklists, ISO 27001 certifies a management system — the policies, processes, risk treatments, and governance structures an organisation uses to manage information security on an ongoing basis.

Certification is granted by an accredited certification body (CB) after a two-stage external audit. The certificate is valid for three years, subject to annual surveillance audits that verify the ISMS continues to operate effectively and adapt to new risks. This ongoing assurance model is what distinguishes ISO 27001 from one-time assessments — it requires organisations to demonstrate continuous improvement, not just compliance at a point in time.

Key distinction:ISO 27001 certifies a management system, not a set of technical controls. Two certified organisations may implement very different controls — what matters is that each has a documented, risk-based rationale for its choices and can demonstrate that the system works.

The question of who needs ISO 27001 has shifted considerably over the past five years. Historically, certification was a nice-to-have that signalled security maturity. Today, it is increasingly a prerequisite. Enterprise procurement teams now routinely include ISO 27001 certification as a mandatory supplier requirement in RFPs and vendor risk assessments. In financial services, regulators across Asia-Pacific reference ISO 27001 as an accepted framework — the Monetary Authority of Singapore's Technology Risk Management Guidelines (MAS TRM), Bank Negara Malaysia's Risk Management in Technology (BNM RMiT), and Bangladesh Bank's ICT Security Guidelines all recognise ISO 27001 as a baseline. Government contracts in several APAC jurisdictions now require or strongly preference ISO 27001-certified suppliers.

For organisations already pursuing PCI DSS compliance, ISO 27001 is complementary rather than alternative. PCI DSS is prescriptive and payment-specific; ISO 27001 is risk-based and covers the entire organisation. Many of our clients pursue both — the overlap in controls (access management, encryption, logging, incident response) means the marginal effort for the second certification is significantly lower than starting from scratch. We explore this relationship in detail in our PCI DSS vs ISO 27001 comparison.

EIC has delivered 45+ ISO 27001 certifications across Asia-Pacific, spanning financial services, technology, healthcare, telecommunications, and government. Every engagement includes Complio, our compliance management platform, which centralises evidence collection, automates control monitoring, and significantly reduces the documentation overhead that derails many ISMS implementations. You can learn more about our ISO 27001 certification service and how we structure engagements.

C H A P T E R 0 2

ISO 27001:2022 — What Changed from 2013

The 2022 revision of ISO 27001 represents the most significant restructure of Annex A since the standard's inception. While the main body clauses (4–10) received only minor editorial updates, the Annex A control set was comprehensively reorganised. The previous 2013 structure grouped 114 controls across 14 categories (A.5 through A.18) — a taxonomy that had grown unwieldy and created artificial boundaries between related controls. The 2022 revision consolidates these into 93 controls organised under four intuitive themes: Organisational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls).

This restructure is not merely cosmetic. The four-theme model better reflects how organisations actually implement security — grouping controls by who implements them rather than by abstract domain. It also introduced 11 entirely new controls that address threat categories absent from the 2013 version, reflecting the evolution of cloud computing, data protection regulation, and threat intelligence practices over the intervening decade.

The 11 New Controls

  • A.5.7Threat intelligence: Requires organisations to collect and analyse threat intelligence relevant to their context
  • A.5.23Information security for use of cloud services: Addresses cloud service acquisition, use, management, and exit
  • A.5.30ICT readiness for business continuity: Ensures ICT can support business operations during disruptions
  • A.7.4Physical security monitoring: Continuous surveillance of physical premises for unauthorised access
  • A.8.9Configuration management: Documented, monitored configurations for hardware, software, and networks
  • A.8.10Information deletion: Secure deletion when data is no longer required
  • A.8.11Data masking: Pseudonymisation and masking to limit unnecessary data exposure
  • A.8.12Data leakage prevention: DLP controls for data in use, in transit, and at rest
  • A.8.16Monitoring activities: Proactive monitoring of networks, systems, and applications for anomalous behaviour
  • A.8.23Web filtering: Controls to manage access to external websites and reduce malware exposure
  • A.8.28Secure coding: Secure development principles applied throughout the software lifecycle

Of these, A.5.23 (cloud services) and A.8.12 (data leakage prevention) have the broadest impact. Nearly every organisation we assess uses cloud services, yet few have documented policies governing cloud security responsibilities, service-level expectations, or exit strategies. A.8.12 requires DLP capabilities that many mid-sized organisations have not yet deployed — making it one of the most common gap findings in our initial assessments.

AspectISO 27001:2013ISO 27001:2022
Annex A Categories14 categories (A.5–A.18)4 themes
Total Controls11493
New Controls11 new controls added
Merged Controls24 controls merged
StructureDomain-based groupingTheme-based: Organisational, People, Physical, Technological
Cloud CoverageMinimalDedicated control A.5.23
Threat IntelligenceNot addressedRequired (A.5.7)
DLPNot addressedRequired (A.8.12)

Transition deadline: The transition period from ISO 27001:2013 to ISO 27001:2022 ended in October 2025. All certified organisations must now hold the 2022 version. New certifications have been issued against ISO 27001:2022 exclusively since April 2024.

For a detailed breakdown of the transition process and what it means for currently certified organisations, see our ISO 27001:2022 transition guide. The official standard document is available from ISO.

C H A P T E R 0 3

ISMS Scope Definition — Getting It Right the First Time

Scope definition is the single most consequential decision in any ISO 27001 implementation. Get it right and the remainder of the project proceeds with clear boundaries, manageable effort, and predictable cost. Get it wrong — too broad and the project becomes unwieldy; too narrow and the certificate lacks credibility or fails to satisfy the business requirement that motivated certification in the first place.

ISO 27001 Clause 4.3 requires the organisation to determine the boundaries and applicability of the ISMS. This is informed by Clause 4.1 (understanding the organisation and its context) and Clause 4.2 (understanding the needs and expectations of interested parties). In practice, scope definition involves four interconnected inputs: geographic boundaries (which offices, data centres, and remote working arrangements are included), organisational boundaries (which business units and functions fall within scope), information asset boundaries (which data sets, systems, applications, and networks are covered), and interface boundaries (which third-party processors, cloud services, and external connections touch in-scope assets).

Common Scoping Mistakes

In our 45+ ISO 27001 engagements, three scoping mistakes appear repeatedly:

  • Scoping out cloud infrastructure: Organisations hosting critical workloads in AWS, Azure, or GCP sometimes attempt to exclude cloud environments from the ISMS scope. This is rarely defensible — if cloud services store, process, or transmit in-scope information, they belong in scope. The 2022 standard makes this explicit with control A.5.23.
  • Scoping in the entire organisation prematurely: First-time certifiers often set an organisation-wide scope before their security maturity can sustain it. A more pragmatic approach is to begin with a defined business unit or service line, achieve certification, and then expand scope in subsequent surveillance cycles.
  • Omitting third-party processors: Outsourced IT support, managed SOC providers, payroll processors, and SaaS platforms that handle in-scope data must be addressed in the ISMS. Clause 8.1 requires the organisation to manage outsourced processes, and control A.5.19 (supplier relationships) requires documented agreements and monitoring.

The scope statement itself is a concise document — typically one to two pages — but it must be precise enough for an external auditor to understand exactly what is included, what is excluded, and why. It references the information assets, locations, organisational units, and technologies within scope, and it documents any exclusions with justification. A vague scope statement is one of the most common findings in Stage 1 audits.

EIC approach:We use Complio's scope modelling module to map information assets to organisational and geographic boundaries. This produces a visual scope map and a draft scope statement that clients can review with their leadership team before finalising. The modelling process typically takes 2–3 days and prevents the costly rework that follows from an ill-defined scope.

Learn more about how Complio supports scope definition, or explore our ISO 27001 certification service for a full breakdown of our engagement model.

C H A P T E R 0 4

Risk Assessment Methodology

Clause 6.1.2 of ISO 27001 requires the organisation to define and apply a documented, repeatable information security risk assessment process. This is the engine of the ISMS — every control selection, every resource allocation, and every management review agenda item should trace back to a risk that has been identified, evaluated, and treated through this process. An ISMS without a functioning risk assessment methodology is, in the auditor's view, an ISMS that does not meet the standard's intent.

The standard does not prescribe a specific methodology. Some organisations adopt ISO 27005 (the companion standard for information security risk management), others use NIST SP 800-30, and many develop their own approach calibrated to their context. What the standard does require is that the methodology produces consistent, valid, and comparable results — meaning two people assessing the same risk should arrive at substantially similar conclusions.

The 5 x 5 Risk Matrix

The most commonly adopted approach — and the one we recommend for most organisations — is a semi-quantitative 5 x 5 matrix that plots likelihood (1–5) against impact (1–5) to produce a risk score between 1 and 25. Each axis is anchored to defined criteria: likelihood ranges from "rare" (less than once every 5 years) to "almost certain" (expected to occur multiple times per year); impact ranges from "negligible" (no material effect) to "catastrophic" (existential threat to the organisation). These criteria must be documented and approved by management before the first risk assessment begins.

Six-Step Risk Assessment Process

  • 1. Define risk criteria: Establish the likelihood and impact scales, risk appetite thresholds, and acceptable risk levels. These must be approved by top management and documented in the risk management policy.
  • 2. Asset inventory: Build a comprehensive inventory of information assets within the ISMS scope — data, hardware, software, facilities, people, and services. Each asset should have an assigned owner.
  • 3. Threat and vulnerability identification: For each asset (or asset group), identify plausible threats (e.g., ransomware, insider theft, natural disaster) and the vulnerabilities that could be exploited (e.g., unpatched systems, lack of MFA, no off-site backups).
  • 4. Risk evaluation: Apply the likelihood and impact criteria to each threat-vulnerability pair to calculate a risk score. Plot results on the risk matrix and prioritise by score.
  • 5. Risk treatment: For each risk above the acceptable threshold, select a treatment option: mitigate (apply controls), transfer (insurance or outsourcing), avoid (cease the activity), or accept (with documented justification and management sign-off).
  • 6. Statement of Applicability (SoA): Document which Annex A controls are applicable, which are implemented, which are planned, and which are excluded (with justification). The SoA is one of the most scrutinised documents during the Stage 1 audit.

Common mistakes: The three most frequent risk assessment failures we encounter are: (1) asset inventories that are too high-level to support meaningful threat identification, (2) risk criteria that were never formally approved by management, and (3) SoAs that use the old 2013 Annex A numbering instead of the 2022 structure — an immediate finding in any audit against the current standard.

Complio generates a pre-populated SoA template aligned to ISO 27001:2022 Annex A, with each of the 93 controls mapped to evidence requirements and linked to the risk register. This eliminates the manual cross-referencing that consumes significant effort in traditional implementations.

C H A P T E R 0 5

Annex A Controls — Selection and Implementation

A persistent misconception about ISO 27001 is that all 93 Annex A controls are mandatory. They are not. The standard requires organisations to determine which controls are necessary based on their risk assessment results and to document their applicability decisions in the Statement of Applicability. A control can be excluded provided the exclusion is justified — typically because the risk it addresses does not exist within the ISMS scope, or because an alternative control adequately mitigates the risk.

That said, most organisations find that the majority of controls are applicable. In our experience, a typical SoA for a mid-sized technology company will declare 80–90 of the 93 controls as applicable. The controls most commonly excluded are those related to physical security (for fully remote organisations) or secure coding (for organisations that do not develop software).

Organisational Controls (37 Controls)

This is the largest theme and covers the governance and management aspects of information security. Key controls include A.5.1 (policies for information security — the foundational policy set that every ISMS requires), A.5.2 (information security roles and responsibilities — ensuring every control has a defined owner), A.5.7 (threat intelligence — the new requirement for organisations to collect, analyse, and act on relevant threat data), A.5.12 (classification of information — a prerequisite for effective access control and data handling), A.5.19 (information security in supplier relationships — governing third-party risk), A.5.23 (cloud services — one of the most impactful new controls), and A.5.26 (response to information security incidents — requiring a documented incident response process with defined roles).

People Controls (8 Controls)

The people theme addresses the human element of information security. A.6.3 (information security awareness, education, and training) requires more than an annual online quiz — auditors expect role-specific training programmes with participation records and competency assessments. A.6.4 (disciplinary process) ensures there are documented consequences for policy violations. A.6.7 (remote working) has taken on new significance in the post-pandemic environment, requiring organisations to define security expectations for home offices, personal devices, and remote network connections.

Physical Controls (14 Controls)

Physical controls cover the protection of facilities, equipment, and physical media. A.7.1 through A.7.3 address physical security perimeters, entry controls, and office security. A.7.4 (physical security monitoring) is a new control requiring surveillance systems for premises that house sensitive information assets. A.7.7 (clear desk and clear screen) remains a standard requirement — simple in concept but frequently non-compliant in practice, particularly in open-plan offices.

Technological Controls (34 Controls)

This theme covers the technical security controls that most IT teams are familiar with. Access control (A.8.2 through A.8.5) covers user access management, privileged access, and multi-factor authentication — A.8.5 now explicitly requires MFA for all access to systems processing sensitive information, not just remote access. Secure development (A.8.25 through A.8.28) covers the secure software development lifecycle, including the new A.8.28 (secure coding) requirement. Configuration management (A.8.9 — new) requires documented, monitored baselines for all system components. DLP (A.8.12 — new) requires controls to prevent unauthorised data exfiltration across all channels. Vulnerability management (A.8.8) and logging/monitoring (A.8.15 and A.8.16) round out the technical control baseline.

Largest gap areas:Across our ISO 27001:2022 gap assessments, the four controls that most frequently present significant gaps are A.5.23 (cloud services — no documented cloud security policy), A.8.12 (DLP — no technical DLP capability deployed), A.5.7 (threat intelligence — no structured process for threat data collection), and A.8.9 (configuration management — no baseline configurations documented or monitored).

Complio maps each applicable control to specific evidence requirements and assigns ownership, creating a living compliance register that tracks implementation status and flags overdue items. Combined with our ISO 27001 certification service, this approach ensures that control implementation stays on track throughout the project lifecycle.

C H A P T E R 0 6

The 6–12 Month Implementation Roadmap

How long does ISO 27001 implementation take? The honest answer depends on your starting point. Organisations with an existing, documented security programme — formal policies, an asset register, regular risk assessments, and established governance — can typically achieve certification in 6 months. Those with documented policies but inconsistent implementation usually require 9 months. Organisations starting from scratch — no formal security programme, limited documentation, and ad-hoc processes — should plan for 12 months. These timelines are drawn from 45+ real engagements across Asia-Pacific and assume a dedicated project lead with adequate management support.

The following roadmap describes the 12-month path — the most common scenario for first-time certifiers. Organisations with greater maturity can compress the early phases and focus their effort on gap remediation and evidence collection.

MonthPhaseKey Deliverables
1Project InitiationExecutive sponsorship secured, project charter approved, ISMS project team formed, Complio deployed
2Context & ScopeClause 4.1/4.2 analysis complete, scope statement drafted, interested parties register created
3Risk AssessmentRisk methodology approved, asset inventory complete, threat/vulnerability identification started
4Risk TreatmentRisk evaluation complete, risk treatment plan approved, SoA drafted
5–6Policy DevelopmentCore ISMS policies written (information security, access control, acceptable use, incident response, supplier management, etc.), approved by management
6–7Control ImplementationTechnical controls deployed (MFA, logging, DLP, vulnerability scanning), physical controls verified, supplier agreements updated
7–8Awareness & TrainingSecurity awareness programme launched, role-specific training delivered, training records captured in Complio
8–9Operational RunISMS operating in production — incidents logged, changes managed, access reviews conducted, evidence collected
9–10Internal AuditFull internal audit conducted against ISO 27001:2022, findings documented, corrective actions initiated
10–11Management ReviewManagement review meeting held (Clause 9.3), ISMS performance reviewed, improvement actions approved
11Pre-AssessmentOptional pre-assessment by EIC to identify residual gaps before certification audit
12Certification AuditStage 1 (documentation review) and Stage 2 (on-site assessment) conducted by accredited CB

Key Dependencies

Three dependencies consistently determine whether an implementation stays on schedule. First, executive sponsorship — the ISMS requires policy approvals, resource allocation, and management review participation that only senior leadership can provide. Implementations without an engaged executive sponsor routinely exceed their timeline by 3–6 months. Second, IT cooperation — technical control implementation (MFA rollout, logging configuration, DLP deployment) depends on IT teams that have their own project backlogs. Early alignment with the IT department is critical. Third, supplier contracts — updating supplier agreements to include information security requirements (A.5.19, A.5.20) often involves legal review and re-negotiation, which can introduce delays of 4–8 weeks per supplier.

EIC manages this end-to-end through our ISO 27001 certification service, providing a dedicated Lead Auditor who acts as project director, Complio for evidence management, and fortnightly steering calls to maintain momentum and flag blockers early.

C H A P T E R 0 7

The Certification Audit — What to Expect

The ISO 27001 certification audit is a two-stage process conducted by an accredited certification body (CB) in accordance with IAF MD 1 (the International Accreditation Forum's mandatory document for management system audits). It is important to understand that EIC acts as the implementation partner — we help you build the ISMS, prepare the documentation, and achieve audit readiness. The certification body is a separate, independent entity. This separation is mandated by ISO 17021 (requirements for audit and certification bodies) and ensures the integrity of the certification process.

Stage 1: Documentation Review

Stage 1 is typically 1–2 days and focuses on the ISMS documentation. The auditor reviews the scope statement, information security policy, risk assessment methodology and results, Statement of Applicability, internal audit reports, and management review minutes. The purpose is to confirm that the ISMS documentation is complete, aligned to ISO 27001 requirements, and ready for a Stage 2 on-site assessment. The auditor will also plan the Stage 2 audit — identifying areas of emphasis, confirming logistics, and scheduling interviews. Stage 1 findings are typically observations or minor non-conformities related to documentation gaps. A major non-conformity at Stage 1 (e.g., no risk assessment conducted, no internal audit completed) will delay Stage 2 until the issue is resolved.

Stage 2: On-Site ISMS Audit

Stage 2 is the main certification audit, typically 2–5 days depending on the scope size and complexity. The auditor assesses whether the ISMS is effectively implemented and operating as documented. This involves interviews with personnel across the organisation (not just the security team), evidence review (logs, screenshots, configuration files, training records, incident reports), control testing (verifying that controls described in the SoA are actually in place), and observation (watching processes in action — access provisioning, change management, incident handling). The auditor samples across all clauses and applicable Annex A controls but does not test every control exhaustively. The sampling approach is risk-based, with higher scrutiny on controls related to the organisation's most significant risks.

Audit Findings

  • Major non-conformity: A significant failure to meet a requirement of the standard, or a situation that raises substantial doubt about the ISMS's ability to achieve its intended outcomes. Major NCs must be resolved before the certificate can be issued. Examples: no risk assessment conducted, critical controls not implemented despite being declared applicable in the SoA.
  • Minor non-conformity: A partial failure to meet a requirement that does not undermine the overall effectiveness of the ISMS. Minor NCs must be addressed within a defined timeframe (typically 90 days) with evidence of corrective action submitted to the CB. Examples: a policy approved but not communicated to staff, an access review overdue by one cycle.
  • Observation (opportunity for improvement): A finding that does not constitute a non-conformity but represents a potential weakness or improvement opportunity. Observations do not need formal corrective action but should be considered during management review. Examples: training records stored in multiple locations, risk register formatting inconsistencies.

After Certification

The certificate is valid for three years. Annual surveillance audits (typically 1 day each) verify that the ISMS continues to operate effectively. The CB audits a subset of clauses and controls each year, rotating coverage so that all areas are reviewed at least once during the three-year cycle. In year 3, a full recertification audit is conducted — essentially a repeat of the Stage 1 + Stage 2 process — to determine whether the certificate should be renewed for another three years.

EIC's role: We prepare you for certification — we do not issue the certificate ourselves. This separation between implementation partner and certification body is mandated by ISO 17021 and is fundamental to the credibility of the certification. We work with all major accredited CBs operating in Asia-Pacific and can recommend options based on your industry and geographic footprint.

C H A P T E R 0 8

ROI and Business Case — The CFO Section

This chapter is written for the person who signs the purchase order. ISO 27001 certification is a business investment, and like any investment, it should be evaluated on return. The security team can articulate the risk reduction benefits; this section provides the financial framework to justify the expenditure to a CFO, finance director, or board audit committee.

The ROI of ISO 27001 certification is driven by three quantifiable factors: new contract wins, cyber insurance premium reduction, and compliance overhead reduction through Complio. Each is examined below with representative ranges drawn from EIC client data across Asia-Pacific.

1. Contract Wins — Revenue Protection and Growth

ISO 27001 certification is increasingly a pass/fail criterion in enterprise procurement. Multinational corporations, financial institutions, and government agencies routinely require ISO 27001 certification from suppliers that handle sensitive data. Without the certificate, your proposal is screened out before evaluation begins — regardless of price or capability. The revenue impact is direct: contracts you cannot bid on represent lost revenue with a clear causal link to the absence of certification. Our clients consistently report that ISO 27001 certification opened access to enterprise RFPs that were previously inaccessible, with individual contract values ranging from USD 100,000 to USD 2 million annually.

2. Cyber Insurance Premium Reduction

Cyber insurance underwriters increasingly recognise ISO 27001 certification as a material risk reduction factor. Certified organisations demonstrate a systematic approach to risk management that correlates with lower claim frequency and severity. Premium reductions of 10–20% are common, translating to annual savings of USD 5,000 to USD 40,000 depending on organisation size, industry, and coverage limits. Some underwriters offer additional premium benefits for organisations that can demonstrate continuous compliance monitoring through platforms like Complio, as this provides assurance that the ISMS operates effectively between annual surveillance audits.

3. Complio Overhead Reduction

The ongoing maintenance of an ISMS — evidence collection, control monitoring, internal audit preparation, management review reporting, and surveillance audit readiness — consumes significant staff time. In organisations managing these activities through spreadsheets, shared drives, and email, we typically observe 1.5–2.5 FTE dedicated to ISMS maintenance. Complio reduces this by 40–50%, saving 0.5–1.5 FTE — equivalent to USD 20,000 to USD 75,000 annually in fully loaded staff costs. The platform automates evidence collection, sends control-owner reminders, generates audit-ready reports, and maintains a continuously updated risk register that eliminates the annual scramble before surveillance audits.

Simple ROI calculation:Year 1 investment: Implementation partner fees + CB audit fees + Complio licence + internal staff time. Ongoing annual cost: Complio licence + surveillance audit fee + reduced staff time. Annual benefit: New contract revenue + insurance savings + overhead reduction. Most organisations achieve positive ROI within 12–18 months of certification, with the breakeven point determined primarily by contract win value.

Regulatory Recognition

Beyond direct financial return, ISO 27001 certification satisfies or substantially addresses regulatory requirements across Asia-Pacific. MAS TRM (Singapore), BNM RMiT (Malaysia), and Bangladesh Bank's ICT Security Guidelines all reference ISO 27001 as an accepted framework. Organisations subject to these regulations can leverage their ISO 27001 certification to demonstrate compliance, reducing duplication of effort and the need for separate regulatory assessments. For organisations also considering ISO 22301 (business continuity), dual certification offers additional savings — the management system structure, internal audit programme, and management review process are shared, reducing the marginal cost of the second certification by 30–40%.

Free Guide · 4,000+ Words

Continue Reading: ISO 27001 Implementation Guide

Enter your work email for instant access — including the full guide and PDF download.

  • Annex A controls — selection & implementation
  • ISMS scope definition best practices
  • 6–12 month certification timeline
  • ROI and business case for the CFO

No spam, ever. Unsubscribe any time. Privacy Policy.

Continue Exploring

Related Resources

Service Page

ISO 27001 Certification Service

End-to-end ISO 27001:2022 implementation and certification support. 45+ certifications delivered across APAC with Complio included.

Learn More
Blog Article

ISO 27001:2022 Transition Guide

What changed from 2013 to 2022, the 11 new controls, and how to update your ISMS for the current standard.

Read Article
Technology

Complio — Compliance Management Platform

Centralised evidence collection, automated control monitoring, and audit-ready reporting. Included in every EIC engagement.

Learn More

Ready for ISO 27001 Certification?

Schedule a scoping call with an ISO 27001 Lead Auditor. We'll review your current security posture and outline the path to certification.