Compliance · ISO/IEC 27001

Information security management system.

ISO/IEC 27001:2022. The international standard for information security management systems. It requires an organization to implement an ISMS and to select, justify and implement the controls that its risk treatment calls for, using Annex A as the reference set and recording the result in the Statement of Applicability.

Abstract schema of the compliance assessment process

Context

Who it is useful for

Organizations intending to be formally certified by an accredited body, or organizations that want to adopt the framework as an internal baseline without formal certification. Certification requires the involvement of an accredited certification body — this assessment prepares the organization for that step or consolidates the internal adoption of the framework.

What the assessment covers

Context and ISMS scope

Understanding of internal and external context, interested parties, documented system scope.

Leadership and roles

Management commitment, security policy, roles and responsibilities, communication.

Planning

Risk assessment, risk treatment, Statement of Applicability (SoA), measurable objectives.

Operational support

Resources, competencies, awareness, communication, documented information management.

Operations and Annex A controls

The 93 controls of Annex A in the 2022 edition, organized in 4 themes (organizational, people, physical, technological), with the selection or exclusion of each control justified in the Statement of Applicability.

Performance evaluation and improvement

Monitoring, internal audits, management review, nonconformity management and corrective actions.

Same method

Same methodology, applied to this specific standard.

The methodology common to all certifications — the open-source platform, the documents delivered, the 0–5 maturity model, the work phases — is described once on the main Compliance page.

Facing a deadline on this standard?

We start with a scoping exercise: classification of the organization, perimeter of the ISMS, responsible people, availability of existing evidence. From there the rest of the engagement is sized.

Request a scoping