ScalePad
ControlMap

ISO/IEC 27001 Field Guide

ISO/IEC 27001 compliance, made operational: the MSP's tactical playbook

A tactical playbook for managed service providers guiding clients to the world's information-security certificate: the ISMS and its clauses, the 93 Annex A controls, and the certification journey, with a step-by-step ControlMap workflow.

The Standard, Decoded

ISO/IEC 27001 at a glance: why it lands on the MSP's desk

ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS), a managed, risk-driven, continually improving system for protecting information, certified by accredited third parties. Where SOC 2 produces a report read under NDA, ISO 27001 produces a certificate anyone can verify, which is why it's the default ask in international deals, government tenders, and enterprise supply chains from Europe to APAC.

What It Is

What it certifies

Not a snapshot of controls but a management system: leadership commitment, a documented risk process, selected controls, internal audits, management reviews, and continual improvement, running as a loop (Plan-Do-Check-Act). The certificate says the loop exists, operates, and corrects itself.

The current edition

ISO/IEC 27001:2022, clauses 4–10 unchanged in substance, Annex A restructured to 93 controls in 4 themes with 11 new controls (cloud security, threat intelligence, DLP, secure coding…). All certificates have transitioned from the 2013 edition; a 2024 amendment also added climate-change considerations to context analysis. Build to 2022, nothing else exists now.

The 27000 Family: What the Neighbors Do

27001: certifiable requirements27002: Annex A implementation27005: information-security risk27701: privacy (PIMS) extension27017/27018: cloud security/privacy

The Question Every Client Asks

ISO 27001 vs SOC 2: which one, or both?

Choose ISO 27001 when…

Buyers are international, government, or enterprise-procurement-driven; a verifiable certificate beats a report; or the client wants one system that can extend to privacy, continuity, or AI management later.

Choose SOC 2 when…

The buyers are North American SaaS customers whose security reviews name it specifically: the detailed report is what their vendor-risk teams are built to read. (See this series' SOC 2 guide.)

Often: both

The control sets overlap heavily, an ISMS built once supplies both the certificate and the attestation. Cross-mapping makes the second framework an increment, not a second program.

Why it matters: like SOC 2, nobody legislates ISO 27001: the market does. Tenders list it as a pass/fail requirement, enterprise procurement filters on it, and partners verify certificates in public registries. The risk of doing it badly is distinct, though: certificates carry scope statements, and a certificate scoped to a broom closet fools nobody, sophisticated buyers read the scope and the Statement of Applicability before they believe the logo.

The Operating Model

Shared responsibility: MSP × certified organization

ISO 27001 is unusually explicit that the ISMS belongs to top management, clause 5 puts leadership commitment, policy, and role assignment on the client's executives by name, and auditors interview them to prove it. The MSP's lane is everything operational beneath that: running the controls, feeding the risk process, and keeping the evidence the audits live on. Externally provided processes, you, are themselves controlled under clause 8.1: expect to be examined.

MSP × certified organization: who runs what

MSP operates

  • Technological controls (A.8)
  • Identity, MFA & access admin
  • Monitoring, logging & EDR
  • Backup, BCDR & patching
  • Vulnerability management
  • Incident detection & response
  • Evidence pipelines

Shared

  • Risk assessment
  • Statement of Applicability
  • Policies & procedures
  • Training & awareness
  • Internal audits
  • Supplier management
  • Audit hosting

Client owns

  • Leadership commitment
  • ISMS scope & policy
  • Risk acceptance criteria
  • People & HR controls (A.6)
  • Hiring the certification body
  • Management review chair
  • Signing the SoA

Put leadership in the room

No executive sponsor, no certificate: the standard and the auditor both demand visible top-management ownership. Get the owner chairing management reviews from month one; it's also what makes the rest of the program fundable.

Scope like a strategist

The ISMS scope (clause 4.3) defines what the certificate covers, broad enough to be credible to buyers, tight enough to be operable. Scope follows the products and locations customers actually rely on; document what's excluded and why.

Prove the loop, continuously

Surveillance audits come every year: the ISMS must visibly cycle: risks reviewed, audits run, nonconformities corrected, improvements logged. Centralize it in a GRC platform so the loop leaves a trail.

Golden rule: ISO 27001 certifies the system that manages security, not a moment of security. Auditors forgive an incident handled well by a working ISMS; they fail a pristine network with no risk register, no internal audit, and no management review. Build the loop first: the controls hang off it, not the other way around.

01

Clauses 4–10

The ISMS: clauses 4 through 10

The certifiable requirements live in seven short clauses, every one of them mandatory, no exclusions. Together they form the Plan-Do-Check-Act loop: understand context, lead, plan against risk, resource it, operate it, measure it, improve it. Annex A's controls are the toolbox; clauses 4–10 are the machine that decides which tools to use and proves they're used.

Anatomy of the Requirements

What each clause demands

ClauseWhat it demandsPDCA phase
4 · Context of the organizationInternal/external issues (including climate, per the 2024 amendment), interested parties and their requirements, and the ISMS scope (4.3), the sentence on the certificate.Plan
5 · LeadershipTop-management commitment, the information security policy (5.2), and assigned roles, responsibilities, and authorities: the clause auditors test by interview.Plan
6 · PlanningThe engine room: risk assessment (6.1.2), risk treatment (6.1.3) producing the Statement of Applicability, and measurable security objectives (6.2).Plan
7 · SupportResources, competence with evidence, awareness, communication, and documented-information control (versioning, approval, availability).Do
8 · OperationRun what you planned: operational control, control of externally provided processes (your MSP), and the risk assessment/treatment performed at planned intervals and on change.Do
9 · Performance evaluationMonitoring & measurement (9.1), the internal audit program (9.2), and management review (9.3) with its required inputs and outputs.Check
10 · ImprovementNonconformity and corrective action (10.2), find it, fix it, fix the cause, prove both, plus continual improvement of the ISMS itself.Act

MSP tip: the loop is the product. Clauses 9 and 10 are where SMB programs die: the risk register goes stale, no internal audit runs, no management review happens, and surveillance finds a dead system. Calendar all three as recurring deliverables in the monthly service and the certificate keeps itself.

The 10-Step Implementation Path

Steps 1–5 build the Plan

A widely used implementation sequence, adapted for the 2022 edition and the MSP delivery model. First-time journeys typically run 6–12 months before the certification audit.

  1. 1

    Get management support

    Secure executive sponsorship, budget, and time before anything else, clause 5 will test it, and nothing below survives without it. Frame it commercially: the tenders and deals the certificate unlocks.

  2. 2

    Define the scope

    Decide what the ISMS covers, products, sites, teams, systems, per business objectives and what customers rely on. Write the 4.3 scope statement; it becomes the words on the certificate.

  3. 3

    Run the risk assessment

    Define the methodology (criteria, likelihood × impact, acceptance thresholds, ISO 27005 is the companion guide), then identify, analyze, and prioritize risks to information assets in scope.

  4. 4

    Build the risk treatment plan: and the SoA

    Decide per risk: mitigate, transfer, avoid, or accept. Select Annex A controls for the mitigations, then justify every one of the 93 in or out in the Statement of Applicability: the document auditors open first.

  5. 5

    Implement policies & procedures

    Publish the ISMS policy (top-management signed) and the supporting policy set for the selected controls, access, cryptography, supplier, incident, BC, tailored from templates, approved, and version-controlled.

The 10-Step Implementation Path, Continued

Steps 6–7 run the Do, 8–9 close the Check: and step 10 is the prize

  1. 6

    Train & build awareness

    Everyone in scope understands the policy, their role, and the consequences of nonconformity (clause 7.3), campaigns with completion records, plus competence evidence for security roles (7.2).

  2. 7

    Monitor & measure

    Operate the controls and watch them: define what's measured, how, and by whom (9.1), control performance, objective progress, incident trends, feeding dashboards the loop can act on.

  3. 8

    Conduct internal audits

    An impartial review of the ISMS against the standard and its own rules (9.2), planned program, documented findings, corrective actions tracked to closure. Your CaaS practice can deliver this; the auditor just can't audit their own work.

  4. 9

    Hold the management review

    Top management reviews the required inputs, audit results, risk status, objective progress, incidents, improvement opportunities, and decides (9.3). Minutes are mandatory evidence; the QBR is its natural vehicle.

  5. 10

    The certification audit

    An accredited certification body audits in two stages, documentation review, then on-site implementation audit, and issues the certificate. The Certification section walks the whole journey, surveillance included.

Sequencing wisdom: steps 3 and 4 are the heart, everything downstream must trace back to the risk assessment. Auditors follow the thread: this risk → this treatment decision → this SoA entry → this control → this evidence. Run the steps in order and the thread weaves itself; jump straight to controls and you'll reverse-engineer the justification under audit pressure.

02

The Control Catalogue

Annex A: 93 controls, 4 themes, one SoA

Annex A is the reference catalogue of controls the risk treatment draws from, a menu, not a mandate. The 2022 edition reorganized 114 scattered controls into 93 across four clean themes, merged duplicates, and added 11 new controls for the cloud-and-threat era. ISO 27002 provides the how-to guidance for every one.

Four Themes

Where the 93 controls live

A.5 · Organizational controls
37
37
A.6 · People controls
8
8
A.7 · Physical controls
14
14
A.8 · Technological controlsMSP home turf
34
34
93 controls total, theme counts as printed in the source guide.

The 11 controls new in 2022, where auditors look hardest for maturity: 5.7 threat intelligence, 5.23 cloud services security, 5.30 ICT readiness for business continuity, 7.4 physical security monitoring, 8.9 configuration management, 8.10 information deletion, 8.11 data masking, 8.12 data leakage prevention, 8.16 monitoring activities, 8.23 web filtering, and 8.28 secure coding. Notice the pattern, cloud, monitoring, data lifecycle, and resilience: exactly the services a modern MSP stack already delivers. For most SMB clients, the "new" controls are an evidence problem, not an engineering one.

The Keystone Document

The Statement of Applicability

One row per Annex A control, for all 93: included or excluded, the justification, and implementation status. Inclusions trace to risks or obligations; exclusions need defensible reasoning, "no software development" can exclude 8.25–8.31, until the client hires a developer. The SoA is the bridge between your risk register and your control set, and the first document both Stage 1 and surveillance auditors open.

Don't shrink the SoA: shrink the scope

Most SMB SoAs include the large majority of the 93, exclusions are the exception, not the strategy. Trying to shrink effort by excluding controls invites audit findings; shrink effort instead by scoping the ISMS well and inheriting from your standardized stack.

Theme by Theme

The four themes in practice: demands, translations, effort

Every included control needs an owner and evidence. These tables compress the four themes into working clusters, what the controls demand in practice, the MSP translation, and the effort level, with A.5 the documentation long pole and A.8 the MSP's home turf.

Part One

A.5 Organizational & A.6 People

ClusterWhat the controls demand in practiceMSP translationEffort
Governance & policy5.1–5.6Policy set published and reviewed; roles defined; segregation of duties; management responsibilities; contact with authorities and special-interest groups; threat intelligence (5.7) collected and acted on.Policy library + review cycle; advisory feeds (CISA, vendor intel) with triage notes.Moderate
Asset & information mgmt5.9–5.14Asset inventory with owners; acceptable use; return of assets; information classification and labelling; secure transfer rules.RMM-driven inventory; classification policy; secure file-transfer/portal standard.Moderate
Access (policy level)5.15–5.18Access-control policy, identity lifecycle, authentication info management, and rights provisioning/review/removal: the governance half of access (A.8 holds the technical half).JML workflow with approvals; documented access-review cadence.Heavy
Supplier & cloud5.19–5.23Supplier security policy, contract clauses, monitoring of supplier services, ICT supply-chain risk, and cloud services security (5.23), acquisition, use, and exit.Vendor register with diligence + the MSP's own entry; cloud-service onboarding checklist.Moderate
Incidents & continuity5.24–5.30Incident management planned and operated: response, evidence collection, learning; plus ICT readiness for business continuity (5.30) with tested recovery.IR plan + post-mortems; BCDR plan with annual test results.Moderate
Legal & records5.31–5.37Legal/regulatory/contractual requirements identified; IP and records protected; privacy/PII obligations; independent reviews; documented operating procedures.Obligation register (feeds clause 4.2); records retention; the annual independent review = your internal audit.Light
A.6 · The employment lifecycle6.1–6.8Screening before hire; security terms in employment contracts; awareness and training; disciplinary process; post-employment duties; confidentiality agreements; remote-working rules; and a channel for reporting security events.HR checklist integration; awareness platform campaigns; remote-work policy; "report it" button/process. Mostly client-operated with MSP tooling.Light

Why A.5 is the long pole: it's 40% of Annex A and almost entirely documentation and process, policies, registers, classifications, supplier files. The technology mostly exists; the writing doesn't. Budget analyst time accordingly, and lean on templates so tailoring, not drafting, is the work.

Part Two

A.7 Physical & A.8 Technological

ClusterWhat the controls demand in practiceMSP translationEffort
A.7 · Perimeters, entry & monitoring7.1–7.6Security perimeters, entry controls, securing offices and facilities, physical security monitoring (7.4, new), environmental threats, and working in secure areas.Badge/lock procedures, visitor log, camera/alarm coverage records, mostly client premises.Light
A.7 · Equipment & media7.7–7.14Clear desk/screen; equipment siting and protection; assets off-premises (laptops, home offices); storage media lifecycle; supporting utilities; cabling; maintenance; secure disposal/reuse with verified wiping.MDM + disk encryption cover off-premises; media destruction certificates; disposal logs.Moderate
A.8 · Endpoint & access tech8.1–8.5User device protection, privileged access management, information access restriction, source-code access, and secure authentication (MFA).MDM baselines, PAM/admin tiering, SSO + MFA everywhere.Heavy
A.8 · Operations & resilience8.6–8.14Capacity, anti-malware, vulnerability management, configuration management (8.9, new), information deletion (8.10, new), data masking (8.11, new), DLP (8.12, new), backup, and redundancy.EDR + vuln scanning cadence, hardening baselines, retention/purge jobs, DLP policies, tested backups.Heavy
A.8 · Logging, monitoring & network8.15–8.23Logging with protected logs, monitoring activities (8.16, new), clock sync, privileged utilities, software installation control, network security and segregation, web filtering (8.23, new).SIEM/log management with alert triage, network segmentation, DNS/web filtering via the security stack.Heavy
A.8 · Crypto & development8.24–8.34Cryptography policy and key management; secure development lifecycle incl. secure coding (8.28, new), testing, outsourced development, environment separation, test data, and audit-test safeguards.Encryption standards + key custody; for dev-shop clients: PR review, CI gates, environment separation, their engineers execute, you evidence.Moderate

Who Does What

Theme responsibility split

Typical allocation across the four themes and the ISMS loop for an MSP-supported certification, capture the real split per client in the supplier agreement.

A.8 Technological controls
MSP
Shared
Client
A.5 Organizationalpolicies, suppliers, incidents
MSP
Shared
Client
A.6 PeopleHR lifecycle & awareness
MSP
Shared
Client
A.7 Physicalpremises & equipment
MSP
Shared
Client
Clauses 4–10the ISMS loop itself
MSP
Shared
Client
MSP leadsSharedClient leadsProportions measured from the source guide's chart: the supplier agreement records the real allocation per client.

03

The 3-Year Cycle

The certification journey: and the three-year cycle

Certification comes from an accredited certification body (CB), accredited by a national body like ANAB or UKAS under IAF rules, never from a consultant. Choose the CB early (the implementer and the CB must be independent), because the cycle that starts at Stage 1 never really ends: certify, surveil annually, recertify every three years.

End to End

The certification path

  1. Ready

    Readiness

    The 10 steps run: ISMS built, operating ~3+ months, internal audit and management review done.

  2. Stage 1

    Documentation review

    Documentation & readiness review, scope, SoA, risk process, mandatory records; gaps flagged before Stage 2.

  3. Stage 2

    Implementation audit

    Interviews, sampling, and control observation against the SoA and clauses 4–10.

  4. Cert

    Certificate issued

    Nonconformities closed → certificate issued, valid 3 years, listed in the CB's public registry.

  5. Yr 1-2

    Surveillance

    Annual audits (years 1 & 2), lighter scope, but the loop must show it ran: audits, reviews, corrections.

  6. Yr 3

    Recertify

    Year 3, full reassessment before expiry; the cycle restarts.

MSP tip, choosing the CB: verify accreditation (ANAB/UKAS marks, an unaccredited "certificate" is worthless to buyers), ask for SMB references and sector experience, get the 3-year cost as one quote (Stage 1+2 plus both surveillances), and book early, audit calendars fill months out.

When something fails: major vs minor nonconformities

Major: systemic

A required element absent or systemically broken, no internal audit, a dead risk process. A major blocks certification until corrected and verified: the certificate waits on the fix, which is exactly why readiness runs the loop at least once before Stage 1.

Minor: isolated

An isolated lapse rather than a broken system: the certificate proceeds with a corrective-action plan, and the closure is checked at the next surveillance, so the corrective-action log needs to show the fix, the root cause, and the verification.

Auditors may also log opportunities for improvement, free consulting; take notes. The clause 10.2 muscle (root cause, correction, verification) is what turns findings into routine.

The Paper Trail

The document pack: and what the journey costs

The standard names its mandatory documented information: the ten records Stage 1 opens with and surveillance re-reads every year, plus the operational records the selected Annex A controls generate: access reviews, supplier files, training exports, incident records, backup and BC test results, organized per the SoA. Then comes the budget conversation, in planning ranges honest enough to survive year one.

Mandatory Documented Information

The document pack

DocumentWhat good looks likeClause
ISMS scopeA precise statement of what's covered, products, locations, teams, with exclusions reasoned. The words that appear on the certificate.4.3
Information security policy & objectivesTop-management-signed policy plus measurable objectives with owners and progress tracking.5.2 · 6.2
Risk process & resultsThe assessment methodology, the risk register with analysis and owners, and treatment results, refreshed at planned intervals and on significant change.6.1.2 · 8.2 · 8.3
Statement of ApplicabilityAll 93 Annex A controls: in/out, justification, implementation status, version-controlled, traceable to the register.6.1.3
Risk treatment planThe funded, dated plan turning treatment decisions into work: the program's project backbone.6.1.3 · 8.3
Competence evidenceRecords that people in security roles are qualified, certs, training, experience.7.2
Monitoring & measurement resultsDefined metrics with results over time, control performance, objectives, incidents.9.1
Internal audit program & resultsPlanned audit program, reports, findings, and corrective actions tracked to closure.9.2
Management review recordsMinutes covering the required inputs and the decisions made, at planned intervals.9.3
Nonconformities & corrective actionsThe log: what failed, the correction, the root-cause fix, and verification, internal and audit-raised alike.10.2

Budget Anchors

What the journey costs (SMB, USD)

Cost elementPlanning rangeWhat drives it
Readiness & implementation support$15K – $60KGap size, documentation debt, scope breadth: the MSP/CaaS engagement (and where templates compress most).
CB certification audit (Stage 1+2)$10K – $40KScope, headcount, and sites set the audit-day count; accredited CBs price from IAF-mandated day tables.
Annual surveillance audits$5K – $15K / yrRoughly a third of the initial audit effort, every year of the cycle.
Ongoing managed ISMS$2K – $6K / moThe CaaS service: risk and SoA upkeep, evidence, internal audit support, management-review prep: the Better/Best tier in action.

Budget honesty: quote the journey, never the audit, readiness → certify → run the loop for three years → recertify. A client who hears only the Stage 1+2 fee feels ambushed by surveillance year one; a client who sees the cycle funds it as the cost of the tenders it unlocks, one won contract typically pays for the entire triennium.

ControlMap by ScalePad

From tender panic to a living ISMS: in one platform

ControlMap is ScalePad's multi-tenant GRC platform built for MSPs. Everything the standard demands as documented information: the risk register, the SoA, policies with attestations, internal-audit records, management-review minutes, and the evidence behind all 93 controls, lives in one workspace per client, cycling on the cadence surveillance audits expect.

The Five-Step ControlMap Workflow for ISO/IEC 27001

  1. 1

    Onboard & adopt the framework

    Create a dedicated client workspace and load the 27001:2022 framework, clauses and all 93 Annex A controls pre-mapped. Anchor it with the 4.3 scope statement, context and interested-party analysis, and the contract that triggered the journey. Cross-mapping banks the same work toward SOC 2, CIS, or NIST.

  2. 2

    Run the gap & risk assessments

    Declare the client's stack and let Stacks auto-answer the assessment questions their existing EDR, identity, backup, and email security already satisfy; your analyst verifies and works the real gaps. Seed the clause-6 risk register from the risk library in the same pass, likelihood × impact, owners, treatments.

  3. 3

    Build the SoA: and split the controls

    Work through all 93 controls with in-tool guidance: include or exclude with justification, link each inclusion to the risks it treats, and assign owners: your engineers (A.8), client leadership and HR (A.5/A.6), premises staff (A.7), building the SoA and the responsibility split as one living document.

  4. 4

    Publish the policy set & get it signed

    Draft the ISMS policy and the supporting library (access, cryptography, supplier, incident, BC, acceptable use…) from templates, tailor, version-control approvals, and push for staff e-attestation, producing the clause-5/7 governance trail and the awareness records auditors sample, automatically.

  5. 5

    Run the loop on rails

    Recurring tasks enforce the ISMS calendar, risk reviews, access reviews, supplier reassessments, internal audits, management reviews, with evidence attached as it happens, automated where integrations allow. Stage 1, Stage 2, and every surveillance work from a current system, not a year-end reconstruction.

Package it as a service

Productize the cycle: Build (the 10 steps, readiness engagement) → Certify (Stage 1/2 hosting) → Run the loop (monthly managed ISMS through surveillances and recertification). The standard's own 3-year rhythm makes this the most contractually durable offering in the CaaS catalog.

Make the QBR land

The compliance QBR is clause 9.3 in disguise: run it with the management-review inputs (risks, audit results, objectives, incidents) and capture minutes, delivery and mandatory evidence in one meeting. "Your certificate renews itself, and here's the registry entry your prospects can verify" closes renewals cold.

Keep it alive

Scope drifts: new products, sites, suppliers, a first developer hire (hello, 8.25–8.31). Make "what changed in the business?" a standing QBR question, clause 8.2 requires re-assessment on significant change, and the SoA must follow.

Take Action

Map the platform, run the first 90 days, work the checklist

Where each part of the ISO journey lives in ControlMap and the records auditors expect; a realistic first-90-days arc per client, months 1–3 of a 6–12 month journey; and the ten-point quick-start checklist to put the whole guide in motion.

ControlMap in Action

Mapping ControlMap to the ISO journey

AreaDo this in ControlMapRecords you'll bank
The ISMS loopRun clauses 4–10 as tracked controls with owners; calendar the risk-review, internal-audit, and management-review cadences as recurring tasks; log nonconformities with root cause, correction, and verification per 10.2.Risk register history · internal-audit reports · management-review minutes · corrective-action log
Annex A & the SoAMaintain the SoA as a living artifact, 93 rows with justification and status; track the 11 new-in-2022 controls explicitly; schedule the operational cadences each included control implies.Version-controlled SoA · control status history · access-review sign-offs · supplier files · training attestations
Certification cycleStage the Stage-1 document pack for export; host the CB's evidence requests from the period-stamped library; track findings to closure; flip the workspace into the next surveillance window the day the audit ends; calendar the year-3 recertification.Stage-1 export pack · audit-finding register with closures · surveillance-ready evidence year over year
Your own MSPStand up a workspace for your own ISMS, clause 8.1 puts you inside every certified client's supplier controls, and your own 27001 (or 27001-aligned program) is the cleanest answer. Same platform, client zero, reusable across every client SoA.Your own ISMS & certificate · supplier-questionnaire answers · tender-ready security package

Per Client

A realistic first-90-days arc

Months 1–3 of a 6–12 month journey.

  1. W1-2

    Sponsor & scope

    Sponsor named · scope drafted · context & interested parties documented · workspace created.

  2. W3-6

    Assess & plan

    Gap assessment (Stacks-accelerated) & risk assessment complete · treatment plan priced and approved.

  3. W7-10

    Document & remediate

    SoA v1 signed · policy set live with attestations · remediation in flight · CBs shortlisted.

  4. W11-13

    Engage & operate

    CB engaged & Stage 1 dated · ISMS calendar running · evidence flowing · first loop report at QBR.

Take Action

Your 10-point ISO/IEC 27001 quick-start checklist

1

Put top management in the room

Sponsor named, budget and time secured before anything else, clause 5 will test it by interview, and nothing below survives without it. Frame it against the tenders and deals the certificate unlocks.

2

Write the 4.3 scope statement like a strategist

Broad enough to convince buyers, tight enough to operate, scope follows the products and locations customers actually rely on, with exclusions documented and reasoned.

3

Run the risk assessment with a documented methodology

Criteria, likelihood × impact, acceptance thresholds, ISO 27005 is the companion guide; then identify, analyze, and prioritize risks in scope; everything downstream must trace back to it.

4

Build the Statement of Applicability

All 93 controls justified in or out, linked to the risks they treat, version-controlled in ControlMap: the first document both Stage 1 and surveillance auditors open.

5

Close the A.8 technical gaps first

MFA, monitoring, configuration management, DLP, backup: your stack already covers most of the technological theme; the work is evidencing it control by control.

6

Publish the policy set and stand up the supplier register

Staff attestations on the policy library, diligence files and contract clauses in the vendor register, A.5's documentation is the long pole, so start it early.

7

Run a real internal audit and management review before Stage 1

The loop must have turned at least once, a planned audit with documented findings, and a management review with minutes covering the required inputs.

8

Choose an accredited certification body early

Verify the accreditation mark (ANAB/UKAS), ask for SMB references and sector experience, quote the full 3-year cycle as one number, and book the calendar slot months out.

9

Treat findings with clause 10.2 discipline

Correction, root cause, verification, and bank the records; surveillance checks the closures, and the corrective-action log is mandatory documented information.

10

Calendar the whole 3-year cycle in ControlMap

Risk reviews, internal audits, management reviews, surveillances, and the year-3 recertification as recurring tasks, so the certificate maintains itself.

This guide is provided for general educational purposes and reflects ISO/IEC 27001:2022 (including the 2024 amendment) as commonly understood at time of publication. It is not legal or audit advice; ISO and IEC own the standard's text, purchase the official publications for implementation, and confirm certification specifics with an accredited certification body or a qualified lead implementer/auditor. Cost figures are indicative planning anchors that vary by scope, region, and provider.

ControlMap

ControlMap by ScalePad

Turn ISO/IEC 27001 into your next managed service

See how MSPs run multi-client ISMS programs, risk registers, SoAs, policies, internal audits, and surveillance-ready evidence, in ControlMap.