ISO 27001 as an automated outcome.
ISO/IEC 27001:2022 specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System. Argitron implements every Annex A control out of the box, generates the Statement of Applicability from live state, and produces the auditor's evidence pack on demand.
Annex A
Four themes. 93 controls. One control library.
The 2022 revision merged 56 of the 2013 controls into 24 consolidated controls, revised 58, and introduced 11 new ones. Argitron's library carries every control with its 2013 mapping for organisations mid-transition.
- A.5 Organisational (37): policies, roles, supplier relationships, threat intelligence, incident planning.
- A.6 People (8): screening, terms of employment, awareness, remote working, NDAs.
- A.7 Physical (14): premises, secure areas, equipment, clear desk, cabling.
- A.8 Technological (34): endpoint, identity, cryptography, secure development, network, logging.
What's new in 2022
11 new controls — and where they catch most teams off guard.
Most legacy 27001 evidence libraries lack coverage for these. Argitron ships templated controls, automated checks, and a cleanly mapped SoA on day one.
What the auditor will ask for
The Statement of Applicability is the most-scrutinised document in any 27001 audit.
The SoA must list every Annex A control (you cannot omit any), state whether it applies, justify exclusions with risk-based reasoning, reference the policy or procedure that implements each applicable control, and carry evidence of senior-management approval. Missing controls in the SoA produce an automatic non-conformity.
From there, auditors sample. Expect them to ask for:
- Information-asset inventory with classification and owner
- Risk assessment methodology + risk register + risk treatment plan
- Per-control implementation evidence (configurations, logs, tickets)
- Internal audit programme + audit reports + nonconformity register
- Management-review minutes, inputs, and resulting actions
- Training and awareness records (A.6.3)
- Corrective-action records (CAPAs) and effectiveness evidence
What Argitron provides against that list:
- SoA generated from live control state — never out of date.
- Risk register as a first-class data model, not a spreadsheet attached to a page.
- Asset inventory auto-discovered, classified, and pinned to controls.
- Internal-audit + management-review workflows ship pre-built.
- Cosign-signed evidence bundle auditors can verify cryptographically.
Certification timeline
Stage 1 → Stage 2 → annual surveillance → recertification.
- Stage 1: Documentation review. Confirms the ISMS is designed correctly and ready for Stage 2.
- Stage 2: Tests the ISMS in operation. Auditor samples controls, walks the evidence, interviews owners.
- Annual surveillance: Light-touch audit. Samples a subset of controls. Checks corrective actions.
- Recertification: Full audit again. Certificate is valid for three years; recertification is a fresh cycle.
Argitron coverage
What's automated, what's templated, what's left to your process.
Honest scope. We tell you exactly which areas Argitron runs, which it accelerates, and which still belong to your auditors and physical premises.
| Area | Status | Note |
|---|---|---|
| Statement of Applicability generation | Automated | Generated from live control state. Every Annex A control listed; exclusions justified with referenced risk decisions. |
| Risk register + treatment plan | Automated | First-class data model. Inherent / residual scoring, treatment options, owner, due date. |
| Asset inventory | Automated | Auto-discovered from cloud accounts and identity providers; manual additions for off-cloud assets. |
| A.8 Technological controls (34) | Automated | Continuous evidence via Audit pillar — vuln scans, IaC checks, secret detection, configuration drift. |
| Internal audit + management review | Automated | Built-in workflows. Findings, CAPAs, and effectiveness evidence on the same record. |
| Auditor evidence pack export | Automated | Single command. Cosign-signed bundle. Hash-chained for tamper evidence. |
| A.5 Organisational controls (37) | Templated | Templated policies + workflow attestation. Owner sign-off recorded as evidence. |
| A.6 People controls (8) | Templated | HR-system integration + attestation. Awareness training records linked to A.6.3. |
| A.7 Physical controls (14) | Templated | Templated procedures + manual evidence upload (visitor logs, access cards, photos). |
| External certification audit | Out of scope | Conducted by your accredited certification body (BSI, BV, DNV, etc.). Argitron prepares the bundle. |
The evidence pack
One command. The bundle your auditor accepts.
The 27001 audit pack is not just a folder of PDFs. It is the SoA, the risk treatment plan, the internal-audit programme, the management-review minutes, and per-control evidence — bundled, hash-chained, and cryptographically signed so the auditor can verify it has not been altered.
Argitron emits the bundle from live data. Run it the night before Stage 2; run it again before each surveillance. The bundle is reproducible: same inputs, same hash.
```
$ argitron audit run --framework iso-27001 --evidence-pack
collecting Annex A controls              93/93      ok
collecting risk register entries         214/214    ok
collecting internal audit findings       12/12      ok
bundling soa.pdf                                    ok
bundling risk-treatment-plan.pdf                    ok
bundling management-review-2026q1.pdf               ok
bundling evidence/* (1,847 files)                   ok
signing cosign · sha256:f8c3…b2a9
ready ./out/iso-27001-2026-04-25.bundle.tar.gz
verifiable with: cosign verify-blob …
```
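As an added illustration (not Argitron's code), the following models the reproducible, hash-chained manifest the passage describes: every file is hashed in sorted order and folded into one chain head, so the same inputs always give the same head, and any altered, missing or extra file is reported on verification. The file names and contents are constructed stand-ins, and signing the head (the page uses cosign) is assumed to happen out of band.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def chain_step(prev_head: str, path: str, digest: str) -> str:
    # Canonical JSON gives an unambiguous encoding of (previous head, path, digest).
    return sha256_hex(json.dumps([prev_head, path, digest]).encode("utf-8"))

def build_manifest(files: dict[str, bytes]) -> dict:
    """Hash every file and fold the results into a single chain head."""
    entries, head = [], sha256_hex(b"")
    for path in sorted(files):  # sorted order: same inputs -> same head
        digest = sha256_hex(files[path])
        head = chain_step(head, path, digest)
        entries.append({"path": path, "sha256": digest, "chain": head})
    return {"entries": entries, "head": head}  # manifest["head"] is what gets signed

def verify_manifest(manifest: dict, files: dict[str, bytes]) -> list[str]:
    """Return every discrepancy found; an empty list means the bundle is intact."""
    problems = []
    listed = [e["path"] for e in manifest["entries"]]
    problems += [f"unlisted file: {p}" for p in sorted(set(files) - set(listed))]
    head = sha256_hex(b"")
    for e in manifest["entries"]:
        content = files.get(e["path"])
        if content is None:
            problems.append(f"missing file: {e['path']}")
        elif sha256_hex(content) != e["sha256"]:
            problems.append(f"modified file: {e['path']}")
        # Recompute the chain from the recorded digests: an edited manifest entry
        # breaks the chain, and a re-chained manifest no longer matches the signed head.
        head = chain_step(head, e["path"], e["sha256"])
        if head != e["chain"]:
            problems.append(f"chain break at: {e['path']}")
    if head != manifest["head"]:
        problems.append("chain head mismatch")
    return problems

# Constructed sample evidence (stand-ins for the real PDFs and logs in a bundle).
EVIDENCE = {
    "soa.pdf": b"%PDF-1.7 statement of applicability (sample)",
    "risk-treatment-plan.pdf": b"%PDF-1.7 risk treatment plan (sample)",
    "evidence/A.8.15/syslog-2026-04.txt": b"Apr 25 02:14:07 host sshd[4121]: Accepted publickey",
}

if __name__ == "__main__":
    manifest = build_manifest(EVIDENCE)
    print("head:", manifest["head"])
    print("intact:", verify_manifest(manifest, EVIDENCE))
    tampered = {**EVIDENCE, "soa.pdf": b"%PDF-1.7 edited after signing"}
    print("tampered:", verify_manifest(manifest, tampered))
```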
Get started
Start the ISO 27001 evidence pack on the free tier.
Free under 25 assets, forever. Full ISO 27001 pack on Starter ($18,000 / year). No demo gate.