ISO 27001 Readiness
Clauses 4–10 scoped, Annex A controls mapped to a CloudCheck 360° pass, Statement of Applicability ready for stage 1. The 93 controls handled; the ISMS handled.
Readiness guide
01 Background
What ISO 27001 actually is
ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). The current version is ISO/IEC 27001:2022, which replaced the 2013 edition. Certification is issued by an accredited certification body and is valid for three years with annual surveillance audits.
The standard has two parts: Clauses 4–10 define the ISMS itself (context, leadership, planning, support, operation, evaluation, improvement); Annex A lists 93 information security controls.
- Organizational (37): policies, roles, suppliers, incident management
- People (8): screening, terms, training, discipline
- Physical (14): secure areas, equipment, disposal
- Technological (34): access, cryptography, logging, networks
Controls live in the companion standard ISO/IEC 27002:2022. Not all 93 controls apply to every organization — the organization selects which are applicable and documents the selection in a Statement of Applicability (SoA), a required ISMS artifact.
Sources: ISO/IEC 27001:2022, ISO/IEC 27002:2022.
02 Audience
Who needs it
Unlike SOC 2 (US-centric procurement) and HIPAA (US regulatory), ISO 27001 is internationally recognized and is the standard most often requested by European buyers, enterprise procurement teams, and any public-sector tender outside the US.
- Selling to European enterprises. Procurement often requires ISO 27001 as a prerequisite for vendor onboarding.
- Selling to large global organizations where a single international standard is easier to manage than country-specific frameworks.
- Tender-driven sales to UK government, EU institutions, or similar public buyers.
- Enterprise buyers who accept ISO 27001 in lieu of SOC 2 when the vendor is based outside the US.
Sequencing: a company selling primarily to US mid-market SaaS buyers usually does SOC 2 first and adds ISO 27001 later. A company selling primarily into Europe or into large global enterprises usually does ISO 27001 first.
03 Scope
What readiness means
ISO 27001 certification is a two-stage audit conducted by an accredited certification body:
Stage 1 — documentation audit
The certification body reviews the ISMS documentation to confirm the scope, SoA, risk assessment, and mandatory documents exist and are coherent.
Stage 2 — operational audit
Sampling-based audit of actual operation across the scope. Typically happens 2–8 weeks after stage 1.
Readiness means having everything stage 1 will ask for ready on day one, and having stage 2 evidence generated and accumulating for at least three months before the stage 2 audit. An ISMS created last Friday cannot be certified this Monday — the certification body samples evidence of operation.
Once certified, the ISMS undergoes annual surveillance audits (year 1, year 2) and a full recertification audit in year 3.
04 Mapping
How CloudCheck 360° maps to ISO 27001
Annex A's technological controls (A.8) map to CloudCheck 360° categories directly. Organizational (A.5), people (A.6), and physical (A.7) controls require policy, process, and documentation work.
| Annex A | Control family | CC360° |
|---|---|---|
| A.5 | Organizational controls | §7 Compliance posture |
| A.6 | People controls | Policy & process (not technical) |
| A.7 | Physical controls | Inherited from cloud provider |
| A.8.2–8.5 | Privileged access, identity | §1 Identity |
| A.8.9–8.13 | Config, deletion, DLP, backup | §3 Data protection |
| A.8.15–8.17 | Logging, monitoring, time sync | §5 Logging |
| A.8.20–8.23 | Network security & segregation | §2 Network |
| A.8.28 / 8.32 | Secure coding, change mgmt | §4 Workload |
The Statement of Applicability is where every Annex A control is documented as applicable or not, with justification. This is the most scrutinized document in stage 1 — we produce it as a byproduct of the CC360-to-Annex-A cross-mapping.
05 Engagement
How an engagement runs
Typically 12 to 20 weeks, driven by the policy volume and the time required to accumulate operating evidence.
Weeks 1–3: ISMS scoping
Define the scope (which parts of the business, which systems, which people) and the context (interested parties, issues, Clause 4). Establish leadership commitments and the security policy (Clause 5).
Weeks 3–8: Risk assessment & treatment
Clause 6 requires an information security risk assessment and a documented risk treatment plan. CC360 findings feed in as input; outputs include the risk register and Statement of Applicability.
Weeks 6–14: Control implementation
Technical remediation runs in parallel with policy work. Policies, procedures, and records mandated by the ISMS are created, reviewed, and approved.
Weeks 10–16: Operating period
The ISMS has to operate long enough that stage 2 evidence exists. Internal audits (Clause 9.2) and management reviews (Clause 9.3) happen at least once.
Weeks 16–20: Stage 1 & stage 2
Hand-off to the certification body. We support the client through both stages, responding to findings and evidence requests.
06 Patterns
Common gaps we see
Risk assessment is event-based, not continuous.
Many organizations have done a one-off risk assessment but cannot show how risks are re-evaluated over time. ISO 27001 expects the risk assessment to be a living artifact.
Statement of Applicability is incomplete or unjustified.
The SoA either omits controls or lists them without a justification for inclusion or exclusion. Certification bodies treat this as a red flag because it suggests the ISMS is a paperwork exercise, not an operating system.
Internal audits never actually run.
Clause 9.2 requires planned internal audits before the certification audit. The audit plan exists; no one has executed an audit. We help set up a lightweight internal audit cadence that satisfies the clause without becoming its own overhead.
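As an added example (not part of this page or of the CloudCheck 360° method), the check below reviews a Statement of Applicability the way stage 1 will: every one of the 93 Annex A controls listed exactly once, with a justification for both inclusions and exclusions. The family counts come from the page; the sample SoA and its justification strings are constructed.

```python
# Added example, not from the CloudCheck 360° page: checks a Statement of
# Applicability (SoA) against the 93 Annex A controls of ISO/IEC 27001:2022.
ANNEX_A_FAMILIES = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}  # counts as stated on the page


def annex_a_control_ids():
    """All 93 Annex A control identifiers, 'A.5.1' through 'A.8.34'."""
    return [f"{fam}.{n}" for fam, count in ANNEX_A_FAMILIES.items()
            for n in range(1, count + 1)]


def check_soa(soa):
    """Stage 1 style review of an SoA: every Annex A control must be listed exactly
    once, and every inclusion or exclusion must carry a non-empty justification.
    soa: list of {"id": str, "applicable": bool, "justification": str}."""
    expected = set(annex_a_control_ids())
    rows_by_id = {}
    for row in soa:
        rows_by_id.setdefault(row["id"], []).append(row)
    listed = set(rows_by_id)
    numeric = lambda cid: tuple(int(p) for p in cid.split(".")[1:])  # A.5.9 < A.5.10
    findings = {
        "missing": sorted(expected - listed, key=numeric),
        "unknown": sorted(listed - expected),
        "duplicate": sorted(c for c, rows in rows_by_id.items() if len(rows) > 1),
        "unjustified": sorted(c for c, rows in rows_by_id.items()
                              if any(not r.get("justification", "").strip() for r in rows)),
    }
    findings["complete"] = not any(findings.values())  # True only if every list is empty
    return findings


def sample_soa():
    """Constructed SoA showing the gaps the page describes: physical controls excluded
    (justified as inherited from the cloud provider), one control omitted, one listed
    without justification, and one id that does not exist in Annex A."""
    rows = []
    for cid in annex_a_control_ids():
        if cid == "A.7.4":  # omitted by mistake
            continue
        excluded = cid.startswith("A.7.")
        rows.append({
            "id": cid,
            "applicable": not excluded,
            "justification": "" if cid == "A.8.23"  # nobody wrote down why
            else "Physical security inherited from cloud provider" if excluded
            else "Required by the risk treatment plan",
        })
    rows.append({"id": "A.8.35", "applicable": True, "justification": "Typo"})
    return rows
```

Run `check_soa(sample_soa())` to see the four finding lists; a real SoA export only needs to be loaded into the same three-field rows.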
07 FAQ
Questions we get asked
ISO 27001:2022 vs 2013?
2022 is current. The 2013 version was withdrawn; new certifications issued today are to the 2022 edition. Organizations with legacy 2013 certifications are expected to transition by October 31, 2025 (per the IAF transition timeline).
How much do certification bodies cost?
Separately billed. Expect $15K–$50K over the three-year cycle for a mid-sized organization, higher for larger scopes. Pick a certification body accredited by a recognized member of the International Accreditation Forum (IAF).
Can ISO 27001 replace SOC 2 for US buyers?
Sometimes. Large US buyers who operate globally often accept ISO 27001 in lieu of SOC 2. US-only mid-market buyers usually still prefer SOC 2. Expect to need both within three years if you serve both markets.
What is "in scope" for the ISMS?
The scope is the part of the business the ISMS governs. A SaaS company might scope to "the production environment, the engineering team, and the customer data platform." The certification applies to the scope; anything outside the scope is not certified.
Do we need a full-time ISMS manager?
Usually no, for companies under 100 people. A part-time ISMS owner — often the Head of Security, CISO, or IT lead — is sufficient. The certification body wants a named responsible person, not a dedicated FTE.
What about ISO 27017 and 27018?
27017 is cloud-specific guidance; 27018 is PII-in-the-cloud guidance. Some enterprise buyers ask for a certification that includes both. We include references to both in the control mapping for cloud-native clients.
Primary sources
ISO/IEC 27001:2022, ISO/IEC 27002:2022. See also the CloudCheck 360° methodology, SOC 2, and NIST CSF / CIS.
Start with a free Cloud Health Check.
A scoped-down CloudCheck 360° of your current environment. Delivered in five business days, no commitment.