Framework
ISO/IEC 27001:2022
Specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System. The 2022 revision replaced the 2013 edition; the transition deadline for previously certified organisations was October 2025.
Annex A — 4 themes, 93 controls
| Theme | Range | Count | Focus |
|---|---|---|---|
| A.5 Organisational | 5.1–5.37 | 37 | Policies, roles, supplier relationships, threat intel, incident planning |
| A.6 People | 6.1–6.8 | 8 | Screening, terms of employment, awareness, remote working, NDAs |
| A.7 Physical | 7.1–7.14 | 14 | Premises, secure areas, equipment, clear desk, cabling |
| A.8 Technological | 8.1–8.34 | 34 | Endpoint, identity, cryptography, secure development, network, logging |
The 2022 revision merges 56 of the 2013 controls into 24 consolidated controls, revises 58, and introduces 11 new ones (threat intelligence, ICT readiness, configuration management, information deletion, data masking, DLP, monitoring activities, web filtering, secure coding, cloud-services use, physical security monitoring).
What the auditor will ask for
The Statement of Applicability is the single most-scrutinised document in any 27001 audit. It must list every Annex A control (you cannot omit any), state whether it applies, justify exclusions with risk-based reasoning, reference the policy or procedure that implements each applicable control, and carry evidence of senior-management approval. Missing controls in the SoA produce an automatic non-conformity.
From there, auditors sample. Expect them to ask for:
- Information-asset inventory
- Risk assessment methodology + risk register + risk treatment plan
- Per-control implementation evidence (configurations, logs, tickets, screenshots)
- Internal audit programme + audit reports + nonconformity register
- Management-review minutes, inputs, and resulting actions
- Training and awareness records
- Corrective-action records (CAPAs) and effectiveness evidence
Certification timeline
- Stage 1 audit: Documentation review. Confirms the ISMS is designed correctly and ready for Stage 2.
- Stage 2 audit: Tests the ISMS in operation. The auditor samples controls, walks the evidence, and interviews control owners.
- Surveillance and recertification: The certificate is valid for 3 years. First surveillance audit within 6–12 months. Recertification audit before year 3 ends.
What Argitron delivers
Honest scope. We tell you what's automated, what's templated, and what's left to your process.
| Area | Coverage |
|---|---|
| Statement of Applicability generation | Fully automated from live control state |
| Risk register + treatment plan | First-class data model |
| Asset inventory | Auto-discovered + manual additions |
| A.8 Technological controls (34) | Continuous evidence via Audit pillar |
| A.5 Organisational controls (37) | Templated policies + workflow attestation |
| A.6 People controls (8) | HR-system integration + attestation |
| A.7 Physical controls (14) | Templated procedures + manual evidence upload |
| Internal audit + management review | Built-in workflows |
| Auditor evidence pack export | Cosign-signed bundle |
Start the ISO 27001 evidence pack on the free tier.
Up to 25 assets, forever. SOC 2 starter pack included on Community. Full ISO 27001 pack on Starter ($18,000 / year).