ISO/IEC 27001:2022 Readiness.

International Information Security Management System standard recognized by enterprise buyers globally

Readiness guide

ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). It is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and certification is issued by accredited third-party certification bodies (e.g., BSI, Bureau Veritas, DNV, TÜV) — not by ISO itself.

Unlike SOC 2 (which is an attestation report) or HIPAA (which is a regulation), ISO 27001 is a management-system standard. Certification means an accredited body has audited that you have an ISMS in place, that the ISMS conforms to the standard's requirements, and that you have selected and operated a relevant set of controls from Annex A.

The 2022 revision tightened controls (down to 93 from the 2013 version's 114) and reorganized them into 4 themes (Organizational, People, Physical, Technological). Companies certified under 2013 must transition to 2022 by October 2025.

Source: ISO/IEC 27001:2022 standard page · ISO/IEC 27002:2022 (controls guidance)

ISO 27001 is the dominant security framework outside the US. European, Middle Eastern, and Asian enterprise buyers often require it as a procurement gate. Government contracts in many jurisdictions require it. SaaS companies with substantial non-US enterprise customers usually need it within 18 months of those customers materializing.

You probably need ISO 27001 if: your enterprise prospects are based in Europe, the UK, the Middle East, or Asia; your sales team is hearing “do you have ISO 27001?” in security questionnaires; or you are competing against vendors who already have it.

You probably do NOT need ISO 27001 yet if: your customer base is primarily US-based and SOC 2 satisfies their procurement teams. SOC 2 + ISO 27001 is the gold-standard combination for global enterprise SaaS — but SOC 2 alone is sufficient for most US-only customer bases.

Cloud Upload is not a certification body. The certification audit must come from an accredited body. We prepare your ISMS, scope, controls, evidence, and risk treatment plan that the certification body will audit against.

Three concrete outputs from a readiness engagement:

  • Output A

    Defined ISMS scope

    Documented scope of the Information Security Management System — which products, locations, employees, and data flows are in scope. Scope drives every other deliverable; getting it wrong inflates the audit cost and delays certification.

  • Output B

    Statement of Applicability (SoA) + risk treatment plan

    For each of the 93 Annex A controls, the SoA documents whether it applies, why, and how it is implemented. The SoA is the fingerprint of your control environment — see our writeup Why your ISO 27001 Statement of Applicability keeps drifting.

  • Output C

    ISMS operational artifacts

    Risk register current and reviewed, internal audit program in place, management review meetings documented, corrective action register active. The ISMS is a living management system — auditors look for evidence of operation, not just policy existence.

Certification audits run in two stages. Stage 1 is a documentation review (4-8 weeks before Stage 2). Stage 2 is an on-site or remote audit of the operating ISMS. Surveillance audits run annually for 3 years, with a recertification audit at year 3.

The 93 Annex A controls span 4 themes. Technological controls map heavily to CC360° categories; Organizational, People, and Physical controls run alongside.

Section     | Title                                                                                                                                              | CC360° category
------------|----------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------
A.5         | Organizational controls (37 controls)                                                                                                              | Cross-cutting (policies, vendor management, BCP — outside CC360°)
A.6         | People controls (8 controls)                                                                                                                       | Cross-cutting (HR, training, awareness — outside CC360°)
A.7         | Physical controls (14 controls)                                                                                                                    | Inherited from cloud provider
A.8         | Technological controls (34 controls)                                                                                                               | Maps to CC360° §1–§8 — see breakdown below
A.8.1–A.8.3 | User endpoint, privileged access, restriction                                                                                                      | §1 IAM
A.8.4–A.8.7 | Source code, change management, dev/test, malware                                                                                                  | §7 Workload Security
A.8.8–A.8.10 | Vulnerability management, configuration, deletion                                                                                                 | §7 Workload Security · §3 Data
A.8.11–A.8.13 | Data masking, leakage, backup                                                                                                                    | §3 Data · §6 Architecture & Resilience
A.8.14–A.8.18 | Redundancy, logging, monitoring, sync, privileged tools                                                                                          | §4 Logging & Detection · §6 Architecture & Resilience
A.8.19–A.8.27 | Software install, network security, services, segregation, web filter, crypto, dev lifecycle, secure coding, app security req                    | §2 Network · §7 Workload Security · §3 Data (crypto)
A.8.28–A.8.34 | Outsourced dev, test environments, business app prep, change/test, change management, test data, audit considerations                            | §7 Workload Security · §4 Logging & Detection

The Statement of Applicability documents Cloud Upload's position on each of the 93 controls. Cloud-native SaaS companies typically have ~80 applicable controls; the rest (e.g., physical media disposal, paper records) are excluded with documented rationale.

A first-time ISO 27001 readiness engagement is typically 12 to 20 weeks, depending on starting state and scope size.

  1. Weeks 1-3

    Scope definition & ISMS framing

    Define ISMS scope (which products, locations, data flows, employees). Identify interested parties and their requirements. Establish ISMS objectives. A CloudCheck 360° pass establishes the technical baseline.

  2. Weeks 3-8

    Risk assessment & treatment

    ISO 27005-aligned risk assessment. Risk treatment plan documented per identified risk (treat / accept / avoid / transfer). Statement of Applicability drafted with rationale per Annex A control.

  3. Weeks 6-14

    Control implementation & policy

    Technical controls implemented or remediated. Policies drafted (Information Security Policy, Access Control Policy, Cryptography Policy, BCP, Supplier Relationship Management Policy, etc.). Internal audit program established.

  4. Weeks 14-18

    Internal audit + management review

    First internal audit cycle completed against ISMS. Management review meeting held with documented minutes. Corrective actions tracked. ISMS demonstrably operating.

  5. Weeks 18-20

    Certification body selection & Stage 1 prep

    Cloud Upload introduces 2-3 vetted UKAS/ANAB-accredited certification bodies. Stage 1 audit scheduled. Cloud Upload remains available for engineering questions during Stage 1 and Stage 2.

Stage 1 → Stage 2 typically runs 4-8 weeks. Surveillance audits annually, recertification at year 3.

  • Statement of Applicability written once, never updated.

    The SoA is supposed to be the fingerprint of your control environment — current and accurate. In most companies it's a snapshot from the year of certification. Changes to controls, scope, or environment should trigger SoA updates. The fix is making SoA review a quarterly activity tied to change management.

  • Risk register exists, risk treatment plan does not.

    Most companies maintain a risk register. The standard requires a risk treatment plan — for each risk, the documented treatment decision (accept / mitigate / transfer / avoid) with owner and target date. The fix is a single column added to the risk register, populated and reviewed quarterly.

  • Internal audit program theoretical.

    The ISMS requires an internal audit program. Many companies have a policy that says “we will internally audit annually” but no evidence of any audit ever performed. Auditors specifically ask for internal audit reports. The fix is scheduling a quarterly internal audit (one ISMS section per quarter) with documented findings.

  • Management review meetings never held.

    The ISMS requires periodic management review. Many companies skip this entirely. The standard expects documented minutes covering ISMS performance, audit results, risk treatment progress, and changes to context. The fix is a quarterly 60-minute leadership meeting with a template agenda and signed minutes.

  • Supplier risk reviewed at onboarding only.

    A.5.19-A.5.22 require supplier risk management as an ongoing activity. Most companies do an initial supplier review during onboarding and never revisit it. Auditors look for annual reassessments, particularly for suppliers handling customer data.

  • Stage 1 vs Stage 2 audit?

    Stage 1 is a documentation review — the certification body confirms your ISMS is documented and ready to be audited. Stage 2 is the actual conformance audit — sampling controls, interviewing personnel, reviewing evidence. Stage 1 typically takes 1-2 days; Stage 2 typically takes 3-5 days for a small SaaS company.

  • Which certification body should we use?

    Choose an accredited body (UKAS in the UK, ANAB in the US, COFRAC in France, etc.). Cloud Upload is vendor-neutral; we typically introduce 2-3 candidates and let you select based on geography, audit style, and budget. Premium global bodies (BSI, DNV, Bureau Veritas) cost more; regional bodies (Nimble, A-LIGN) are competitive.

  • How much does ISO 27001 certification cost?

    Stage 1 + Stage 2 typically cost $20,000-$60,000 depending on scope and certification body. Surveillance audits cost $8,000-$20,000 annually. Recertification at year 3 is similar to the Stage 2 cost. Readiness work (Cloud Upload + your team time) is separate — usually 12-20 weeks of engagement.

  • Can we use ISO 27001 instead of SOC 2 for US customers?

    Sometimes. US enterprise buyers increasingly accept ISO 27001 — particularly if you have a SOC 2 + ISO 27001 mapping document. Most growing SaaS companies eventually need both. Significant overlap in controls means the second framework is faster than the first — typically 60-70% control reuse.

  • What about ISO 27017 and ISO 27018?

    ISO 27017 (cloud security) and ISO 27018 (cloud privacy) are extension standards specifically for cloud service providers. They are NOT standalone certifications — they extend the base ISO 27001 certification scope. Cloud-native SaaS companies often add both extensions during the Stage 2 audit.

  • When does the 2013 → 2022 transition deadline hit?

    October 2025. Companies certified under ISO 27001:2013 must transition to ISO 27001:2022 by then or lose certification. The transition is non-trivial — the reorganization of controls into A.5 → A.8 changes the SoA structure substantially.

Primary sources: ISO/IEC 27001:2022 · ISO/IEC 27002:2022 controls guidance · CloudCheck 360° methodology · Why your ISO 27001 SoA keeps drifting · SOC 2 readiness guide · NIST / CIS guide

Get started

Run a free audit to see your ISO 27001 posture.

The patterns in this guide come from real engagements. To see how your environment compares — and which gaps would land in your readiness report — start with a free scan or talk to us about a manual engagement.