[{"data":1,"prerenderedAt":8797},["ShallowReactive",2],{"framework-topics-iso27001":3,"framework-iso27001":5037,"related-glossary-iso27001-isms-incident-response-evidence-collection":5519,"explore-glossary-iso27001-\u002Fframeworks\u002Fiso27001\u002Fnonconformity-and-corrective-action":6721,"explore-topics-iso27001-\u002Fframeworks\u002Fiso27001\u002Fnonconformity-and-corrective-action":7411,"explore-hub-iso27001":7953,"explore-compare-vs-\u002Fframeworks\u002Fiso27001\u002Fnonconformity-and-corrective-action":8230,"explore-compare-\u002Fframeworks\u002Fiso27001\u002Fnonconformity-and-corrective-action":8396,"explore-blog-iso27001-\u002Fframeworks\u002Fiso27001\u002Fnonconformity-and-corrective-action":8514,"explore-industry-iso27001":8713},[4,494,875,1437,1909,2218,2675,3063,3358,3749,4163,4565],{"id":5,"title":6,"body":7,"description":473,"extension":474,"faq":475,"frameworkSlug":476,"lastUpdated":477,"meta":478,"navigation":479,"path":480,"relatedTerms":481,"relatedTopics":483,"seo":489,"stem":492,"__hash__":493},"frameworkTopics\u002F5.frameworks\u002Fiso27001\u002Fannex-a-controls.md","ISO 27001 Annex A Controls",{"type":8,"value":9,"toc":451},"minimark",[10,25,28,33,36,39,43,48,51,54,101,109,113,116,119,163,167,170,173,217,221,224,227,325,329,332,364,372,376,384,387,391,395,401,405,408,412,415,419,422,426,429,433,441,444],[11,12,13,14,19,20,24],"p",{},"Annex A of ",[15,16,18],"a",{"href":17},"\u002Fframeworks\u002Fiso27001","ISO 27001"," is the reference set of information security controls that organizations evaluate and, where applicable, implement within their ",[15,21,23],{"href":22},"\u002Fglossary\u002Fisms","ISMS",". 
The 2022 revision of the standard restructured these controls significantly, consolidating the previous 114 controls across 14 domains into 93 controls organized under four themes.",[11,26,27],{},"Understanding the structure, purpose, and implementation expectations of Annex A is fundamental to building a compliant and effective security program.",[29,30,32],"h2",{"id":31},"what-changed-in-iso-270012022","What Changed in ISO 27001:2022",[11,34,35],{},"The 2022 update replaced the 14-domain structure from the 2013 edition with four broader themes. Eleven new controls were introduced to address modern threats and practices. Several existing controls were merged where overlap existed, and all controls received updated guidance in the companion standard ISO 27002:2022.",[11,37,38],{},"Organizations certified under the 2013 version were given a transition period to align with the 2022 structure. New certifications are now assessed against the 2022 edition exclusively.",[29,40,42],{"id":41},"the-four-themes","The Four Themes",[44,45,47],"h3",{"id":46},"_1-organizational-controls-37-controls","1. Organizational Controls (37 Controls)",[11,49,50],{},"Organizational controls address the governance, policy, and procedural foundations of information security. They cover the \"who decides what\" and \"how things work\" aspects of your ISMS.",[11,52,53],{},"Key controls in this theme include:",[55,56,57,65,71,77,83,89,95],"ul",{},[58,59,60,64],"li",{},[61,62,63],"strong",{},"Policies for information security."," Establishing and maintaining a set of information security policies approved by management.",[58,66,67,70],{},[61,68,69],{},"Roles and responsibilities."," Defining and allocating information security responsibilities across the organization.",[58,72,73,76],{},[61,74,75],{},"Threat intelligence."," Collecting and analyzing information about threats relevant to the organization. 
This is a new control in 2022.",[58,78,79,82],{},[61,80,81],{},"Information security in project management."," Integrating security considerations into project management practices regardless of project type.",[58,84,85,88],{},[61,86,87],{},"Supplier relationships."," Managing security risks introduced by suppliers and third-party service providers.",[58,90,91,94],{},[61,92,93],{},"Incident management."," Planning, detecting, reporting, and responding to information security incidents.",[58,96,97,100],{},[61,98,99],{},"Business continuity."," Ensuring information security requirements are addressed during disruption.",[11,102,103,104,108],{},"Organizational controls form the backbone of your ISMS and are heavily examined during both Stage 1 and Stage 2 of the ",[15,105,107],{"href":106},"\u002Fframeworks\u002Fiso27001\u002Fcertification-process","certification process",".",[44,110,112],{"id":111},"_2-people-controls-8-controls","2. People Controls (8 Controls)",[11,114,115],{},"People controls focus on the human element of information security. 
Despite being the smallest theme by count, these controls address one of the most significant risk areas.",[11,117,118],{},"Controls in this theme cover:",[55,120,121,127,133,139,145,151,157],{},[58,122,123,126],{},[61,124,125],{},"Screening."," Background verification of personnel before and during employment.",[58,128,129,132],{},[61,130,131],{},"Terms and conditions of employment."," Contractual obligations related to information security.",[58,134,135,138],{},[61,136,137],{},"Information security awareness, education, and training."," Ensuring all personnel understand their security responsibilities.",[58,140,141,144],{},[61,142,143],{},"Disciplinary process."," Formal processes for addressing security policy violations.",[58,146,147,150],{},[61,148,149],{},"Responsibilities after termination or change of employment."," Protecting information when people leave or change roles.",[58,152,153,156],{},[61,154,155],{},"Remote working."," Security measures for personnel working outside traditional office environments. This control was updated significantly in 2022.",[58,158,159,162],{},[61,160,161],{},"Information security event reporting."," Mechanisms for personnel to report suspected security events.",[44,164,166],{"id":165},"_3-physical-controls-14-controls","3. 
Physical Controls (14 Controls)",[11,168,169],{},"Physical controls protect the tangible assets and environments where information is processed and stored.",[11,171,172],{},"This theme includes controls for:",[55,174,175,181,187,193,199,205,211],{},[58,176,177,180],{},[61,178,179],{},"Physical security perimeters and entry."," Controlling access to buildings, data centers, and secure areas.",[58,182,183,186],{},[61,184,185],{},"Securing offices, rooms, and facilities."," Appropriate physical protection based on risk.",[58,188,189,192],{},[61,190,191],{},"Physical security monitoring."," Surveillance and detection systems.",[58,194,195,198],{},[61,196,197],{},"Protecting against physical and environmental threats."," Fire, flood, power loss, and other environmental risks.",[58,200,201,204],{},[61,202,203],{},"Equipment security."," Protecting hardware from theft, damage, and unauthorized access, including off-site equipment and secure disposal.",[58,206,207,210],{},[61,208,209],{},"Clear desk and clear screen."," Reducing exposure of sensitive information in work areas.",[58,212,213,216],{},[61,214,215],{},"Storage media."," Managing the lifecycle of removable and fixed storage media.",[44,218,220],{"id":219},"_4-technological-controls-34-controls","4. 
Technological Controls (34 Controls)",[11,222,223],{},"Technological controls address the technical safeguards that protect information systems and data.",[11,225,226],{},"Notable controls include:",[55,228,229,235,241,247,253,259,265,271,277,283,289,295,301,307,313,319],{},[58,230,231,234],{},[61,232,233],{},"User endpoint devices."," Securing laptops, phones, and other devices that access organizational information.",[58,236,237,240],{},[61,238,239],{},"Privileged access rights."," Restricting and monitoring the use of elevated system privileges.",[58,242,243,246],{},[61,244,245],{},"Access control."," Managing who can access what information and systems based on business and security requirements.",[58,248,249,252],{},[61,250,251],{},"Secure authentication."," Implementing strong authentication mechanisms.",[58,254,255,258],{},[61,256,257],{},"Configuration management."," Ensuring systems are configured securely and consistently. This is new in 2022.",[58,260,261,264],{},[61,262,263],{},"Information deletion."," Securely removing information when it is no longer needed. Also new in 2022.",[58,266,267,270],{},[61,268,269],{},"Data masking."," Protecting sensitive data through masking techniques. New in 2022.",[58,272,273,276],{},[61,274,275],{},"Data leakage prevention."," Detecting and preventing unauthorized disclosure of information. New in 2022.",[58,278,279,282],{},[61,280,281],{},"Monitoring activities."," Monitoring systems, networks, and applications for anomalous behavior. New in 2022.",[58,284,285,288],{},[61,286,287],{},"Web filtering."," Controlling access to external websites to reduce exposure to malicious content. New in 2022.",[58,290,291,294],{},[61,292,293],{},"Secure coding."," Applying security principles in software development. 
New in 2022.",[58,296,297,300],{},[61,298,299],{},"Logging and monitoring."," Recording events and reviewing logs for security purposes.",[58,302,303,306],{},[61,304,305],{},"Network security."," Protecting networks and network services.",[58,308,309,312],{},[61,310,311],{},"Cryptography."," Using encryption and related techniques to protect information confidentiality, integrity, and authenticity.",[58,314,315,318],{},[61,316,317],{},"Vulnerability management."," Identifying and addressing technical vulnerabilities.",[58,320,321,324],{},[61,322,323],{},"Backup."," Maintaining and testing backup copies of information and software.",[29,326,328],{"id":327},"control-attributes","Control Attributes",[11,330,331],{},"ISO 27001:2022 introduced a set of attributes that can be applied to each control, making it easier to filter and organize controls based on different perspectives:",[55,333,334,340,346,352,358],{},[58,335,336,339],{},[61,337,338],{},"Control type:"," Preventive, detective, or corrective.",[58,341,342,345],{},[61,343,344],{},"Information security properties:"," Confidentiality, integrity, or availability.",[58,347,348,351],{},[61,349,350],{},"Cybersecurity concepts:"," Identify, protect, detect, respond, or recover (aligned with NIST CSF).",[58,353,354,357],{},[61,355,356],{},"Operational capabilities:"," Governance, asset management, access control, and other operational groupings.",[58,359,360,363],{},[61,361,362],{},"Security domains:"," Governance and ecosystem, protection, defense, or resilience.",[11,365,366,367,371],{},"These attributes are not mandatory to implement but provide useful ways to map controls to your ",[15,368,370],{"href":369},"\u002Fframeworks\u002Fiso27001\u002Frisk-assessment","risk assessment"," outcomes and to communicate control coverage to different stakeholders.",[29,373,375],{"id":374},"relationship-to-the-statement-of-applicability","Relationship to the Statement of Applicability",[11,377,378,379,383],{},"Every Annex A 
control must be evaluated and either declared applicable or excluded in your ",[15,380,382],{"href":381},"\u002Fframeworks\u002Fiso27001\u002Fstatement-of-applicability","Statement of Applicability",". The SoA documents which controls you have selected, why, and how they are implemented. You cannot simply ignore a control without justification. Even controls that are not applicable must be listed with a rationale for their exclusion.",[11,385,386],{},"This evaluation is driven by your risk assessment. Controls are selected based on the risks they mitigate, regulatory requirements, contractual obligations, and business needs.",[29,388,390],{"id":389},"implementation-approach","Implementation Approach",[44,392,394],{"id":393},"start-with-risk-not-controls","Start with Risk, Not Controls",[11,396,397,398,400],{},"A common mistake is to start by trying to implement all 93 controls and then retrofit risk justifications. The standard requires the opposite flow: identify risks first through your ",[15,399,370],{"href":369}," process, then select controls that treat those risks appropriately.",[44,402,404],{"id":403},"prioritize-based-on-risk-treatment","Prioritize Based on Risk Treatment",[11,406,407],{},"Not all controls carry equal weight for every organization. A cloud-native SaaS company will invest heavily in technological controls around access management, secure coding, and monitoring while spending less effort on physical perimeter security. A manufacturing firm with on-premises data centers will have the opposite emphasis.",[44,409,411],{"id":410},"use-iso-27002-for-guidance","Use ISO 27002 for Guidance",[11,413,414],{},"ISO 27002:2022 is the companion standard that provides detailed implementation guidance for each control. While ISO 27001 tells you what controls exist, ISO 27002 tells you how to implement them. 
It is not mandatory to follow ISO 27002 prescriptively, but it is an invaluable reference.",[44,416,418],{"id":417},"document-proportionally","Document Proportionally",[11,420,421],{},"Each control needs evidence of implementation, but the level of documentation should be proportionate to the risk and complexity involved. A small organization does not need the same volume of documentation as a multinational enterprise. Auditors look for effectiveness, not paperwork volume.",[44,423,425],{"id":424},"map-controls-to-existing-practices","Map Controls to Existing Practices",[11,427,428],{},"Many organizations already have security practices in place that satisfy Annex A controls without realizing it. During your gap analysis, map existing practices to controls before building new processes. This reduces duplication and avoids creating parallel systems.",[29,430,432],{"id":431},"keeping-controls-current","Keeping Controls Current",[11,434,435,436,440],{},"Annex A controls are not a set-and-forget exercise. Your control implementation should evolve as your risk landscape changes, new threats emerge, and your business grows. 
Regular internal audits, management reviews, and ",[15,437,439],{"href":438},"\u002Fframeworks\u002Fiso27001\u002Fsurveillance-audits","surveillance audits"," provide structured checkpoints to assess whether controls remain effective.",[11,442,443],{},"Platforms like episki help organizations maintain a living map between risks, controls, and evidence so that control coverage stays visible and gaps are identified early rather than during an external audit.",[11,445,446,447,450],{},"For a broader view of how ",[15,448,18],{"href":449},"\u002Fglossary\u002Fiso27001"," fits into your compliance strategy, explore the full framework overview.",{"title":452,"searchDepth":453,"depth":453,"links":454},"",2,[455,456,463,464,465,472],{"id":31,"depth":453,"text":32},{"id":41,"depth":453,"text":42,"children":457},[458,460,461,462],{"id":46,"depth":459,"text":47},3,{"id":111,"depth":459,"text":112},{"id":165,"depth":459,"text":166},{"id":219,"depth":459,"text":220},{"id":327,"depth":453,"text":328},{"id":374,"depth":453,"text":375},{"id":389,"depth":453,"text":390,"children":466},[467,468,469,470,471],{"id":393,"depth":459,"text":394},{"id":403,"depth":459,"text":404},{"id":410,"depth":459,"text":411},{"id":417,"depth":459,"text":418},{"id":424,"depth":459,"text":425},{"id":431,"depth":453,"text":432},"An overview of all 93 Annex A controls in the ISO 27001:2022 standard, organized by their four themes, with guidance on implementation and prioritization.","md",null,"iso27001","2026-04-16",{},true,"\u002Fframeworks\u002Fiso27001\u002Fannex-a-controls",[476,482],"isms",[484,485,486,487,488],"statement-of-applicability","risk-assessment","isms-implementation","certification-process","surveillance-audits",{"title":490,"description":491},"ISO 27001 Annex A Controls — All 93 Controls Explained (2022)","Explore the 93 Annex A controls in ISO 27001:2022 organized by four themes. 
Learn implementation approaches and how controls map to your ISMS.","5.frameworks\u002Fiso27001\u002Fannex-a-controls","0iPvCsRN3ufyW68RrURLICsdaAOeZDSPxFbI4OyTGlQ",{"id":495,"title":496,"body":497,"description":846,"extension":474,"faq":847,"frameworkSlug":476,"lastUpdated":477,"meta":864,"navigation":479,"path":865,"relatedTerms":866,"relatedTopics":868,"seo":870,"stem":873,"__hash__":874},"frameworkTopics\u002F5.frameworks\u002Fiso27001\u002Fcertification-body-selection.md","Choosing an ISO 27001 Certification Body",{"type":8,"value":498,"toc":827},[499,509,512,516,519,539,542,546,549,552,584,591,594,598,601,612,615,619,622,626,629,633,636,640,643,647,650,654,657,680,683,687,690,694,697,701,704,730,733,737,740,743,747,757,763,771,775,813,817,820],[11,500,501,502,504,505,508],{},"You cannot self-certify ",[15,503,18],{"href":17},". A certificate is only meaningful if it is issued by an accredited certification body that audited your ",[15,506,23],{"href":507},"\u002Fframeworks\u002Fiso27001\u002Fisms-implementation"," against the standard and found it conforming. The certification body you choose will be your audit partner for at least three years through the initial audit, two surveillance audits, and eventual recertification. The decision deserves more care than most teams give it.",[11,510,511],{},"This guide walks through what a certification body actually is, how accreditation works, how to evaluate options, and what to ask before signing.",[29,513,515],{"id":514},"what-a-certification-body-does","What a certification body does",[11,517,518],{},"A certification body, sometimes called a registrar, is an organization accredited to audit management systems against ISO standards and issue certificates. 
For ISO 27001, the certification body:",[55,520,521,524,527,530,533,536],{},[58,522,523],{},"Plans the audit engagement based on your scope.",[58,525,526],{},"Conducts Stage 1 and Stage 2 audits during initial certification.",[58,528,529],{},"Issues your certificate if Stage 2 passes.",[58,531,532],{},"Conducts annual surveillance audits.",[58,534,535],{},"Conducts full recertification every three years.",[58,537,538],{},"Maintains your certificate in their public register.",[11,540,541],{},"The certification body's authority comes from its accreditation, not from the certification body itself. Without accreditation, the certificate is essentially a vendor's opinion.",[29,543,545],{"id":544},"accreditation-explained","Accreditation explained",[11,547,548],{},"Accreditation is the layer above certification. Accreditation bodies assess certification bodies for competence and impartiality. They do not audit your ISMS directly. They audit the firms that audit your ISMS.",[11,550,551],{},"Major accreditation bodies relevant to ISO 27001 include:",[55,553,554,560,566,572,578],{},[58,555,556,559],{},[61,557,558],{},"UKAS (United Kingdom Accreditation Service)."," The UK national accreditation body. UKAS accreditation is well-respected globally and often specified in enterprise procurement.",[58,561,562,565],{},[61,563,564],{},"ANAB (ANSI National Accreditation Board)."," The US equivalent, part of ANSI. 
ANAB accreditation is the default for US-headquartered buyers.",[58,567,568,571],{},[61,569,570],{},"JAS-ANZ (Joint Accreditation System of Australia and New Zealand)."," Covers Australia and New Zealand.",[58,573,574,577],{},[61,575,576],{},"DAkkS (Deutsche Akkreditierungsstelle)."," Germany.",[58,579,580,583],{},[61,581,582],{},"A2LA (American Association for Laboratory Accreditation)."," Another US accreditation body covering some certification bodies.",[11,585,586,587,590],{},"All legitimate accreditation bodies are members of the ",[61,588,589],{},"International Accreditation Forum (IAF)",", which operates a multilateral recognition arrangement. An IAF MLA certificate from one member body is recognized by the others. When evaluating a certification body, the core question is: are they accredited for ISO\u002FIEC 27001 by an IAF member?",[11,592,593],{},"Non-accredited \"certificates\" exist. Some are issued by firms that never sought accreditation. Some are issued by firms whose accreditation was withdrawn. Enterprise procurement teams increasingly verify accreditation through the IAF CertSearch database before accepting a certificate. 
A non-accredited certificate may be worse than no certificate: it signals that the supplier knew an accredited certificate was expected and cut a corner instead.",[29,595,597],{"id":596},"major-certification-bodies-in-the-iso-27001-market","Major certification bodies in the ISO 27001 market",[11,599,600],{},"Without recommending any specific provider, the ISO 27001 market includes:",[55,602,603,606,609],{},[58,604,605],{},"Multinational certification bodies such as BSI, DNV, TÜV, SGS, and Bureau Veritas, which originated in broader quality and standards certification.",[58,607,608],{},"Security-focused firms such as Schellman, Coalfire ISO, A-LIGN, and Prescient Assurance, which also offer SOC 2 and other security attestations.",[58,610,611],{},"Regional firms with strong accreditation from specific bodies.",[11,613,614],{},"Each has tradeoffs. Larger firms offer geographic coverage and brand recognition. Security-focused firms tend to have deeper technical auditors but may have longer lead times due to demand. Regional firms often offer faster scheduling and lower cost but may lack the brand recognition enterprise customers look for.",[29,616,618],{"id":617},"evaluation-criteria","Evaluation criteria",[11,620,621],{},"Use the following criteria to evaluate certification bodies.",[44,623,625],{"id":624},"accreditation-scope","Accreditation scope",[11,627,628],{},"Confirm the certification body is accredited specifically for ISO\u002FIEC 27001, and that its accredited scope covers the locations and sector in your ISMS scope. Some bodies are accredited for ISO 9001 or other standards but not 27001. Check the accreditation body's register directly, such as the UKAS or ANAB directories, rather than relying on marketing material.",[44,630,632],{"id":631},"industry-and-technology-experience","Industry and technology experience",[11,634,635],{},"Auditors vary dramatically in their familiarity with modern technology estates. 
A cloud-native SaaS company benefits from an auditor who understands AWS shared responsibility, CI\u002FCD security, and SaaS identity patterns. A financial services firm benefits from auditors familiar with PCI overlap. Ask for example clients in your sector and for auditor bios.",[44,637,639],{"id":638},"auditor-availability-and-scheduling","Auditor availability and scheduling",[11,641,642],{},"Lead times vary by certification body and by season. Some firms are booking new ISO 27001 clients three to six months out during peak periods. If you have a customer deadline driving certification timing, confirm availability before shortlisting.",[44,644,646],{"id":645},"geographic-coverage","Geographic coverage",[11,648,649],{},"If you have multi-site operations, a certification body that can audit all locations is more efficient than coordinating multiple firms. For remote-first companies, ask how the certification body handles remote audits and travel expectations.",[44,651,653],{"id":652},"cost-structure-and-transparency","Cost structure and transparency",[11,655,656],{},"Request a detailed proposal that breaks out:",[55,658,659,662,665,668,671,674,677],{},[58,660,661],{},"Stage 1 audit days and fees.",[58,663,664],{},"Stage 2 audit days and fees.",[58,666,667],{},"Surveillance audit days and fees for years one and two.",[58,669,670],{},"Recertification audit days and fees.",[58,672,673],{},"Travel and expenses policy.",[58,675,676],{},"Scope change fees.",[58,678,679],{},"Certificate maintenance fees.",[11,681,682],{},"Be wary of quotes that only cover the initial audit. The full three-year cycle is what matters.",[44,684,686],{"id":685},"customer-reputation","Customer reputation",[11,688,689],{},"Ask for references from existing clients, ideally in your industry and size bracket. Talk to those references about audit quality, auditor professionalism, scheduling responsiveness, and how disputes were handled. 
Social proof from peers matters more than vendor testimonials.",[44,691,693],{"id":692},"audit-approach","Audit approach",[11,695,696],{},"Different certification bodies emphasize different audit styles. Some are heavily documentation-focused. Others are more interview-driven. Some are collaborative. Others are adversarial. Ask how they handle findings, how disputes are resolved, and what the escalation path looks like.",[29,698,700],{"id":699},"typical-cost-ranges","Typical cost ranges",[11,702,703],{},"For a small to mid-sized technology company with a single-site ISMS scope:",[55,705,706,712,718,724],{},[58,707,708,711],{},[61,709,710],{},"Stage 1 audit."," One to two auditor days. $3,000 to $8,000.",[58,713,714,717],{},[61,715,716],{},"Stage 2 audit."," Three to ten auditor days depending on scope complexity. $10,000 to $35,000.",[58,719,720,723],{},[61,721,722],{},"Surveillance audits."," One to three auditor days per year. $5,000 to $15,000 annually.",[58,725,726,729],{},[61,727,728],{},"Recertification."," Similar to Stage 2. $10,000 to $30,000 every three years.",[11,731,732],{},"Across a three-year cycle, total certification body fees usually land between $40,000 and $90,000 for a mid-sized company. Multi-site scopes and global audits can push this significantly higher.",[29,734,736],{"id":735},"independence-from-consulting","Independence from consulting",[11,738,739],{},"The impartiality rules that accredited certification bodies operate under (ISO\u002FIEC 17021-1, supplemented by ISO\u002FIEC 27006 for ISMS audits) prohibit the same firm from providing consulting, internal audits, or implementation services and then certifying the same client. Many certification bodies have consulting affiliates or offer related services, but the accreditation rules force separation between those and the audit engagement.",[11,741,742],{},"If you engaged a consultancy for gap analysis or ISMS implementation, that firm cannot also be your certification body for the same engagement. 
Plan accordingly and select the certification body independently of your consulting partner.",[29,744,746],{"id":745},"how-this-fits-into-your-isms","How this fits into your ISMS",[11,748,749,750,753,754,756],{},"Certification body selection sits between ",[15,751,752],{"href":507},"ISMS implementation"," and the ",[15,755,107],{"href":106},". Ideally, the certification body is selected three to six months before you plan to begin Stage 1, giving time for scheduling and any pre-audit conversations.",[11,758,759,760,762],{},"After initial certification, the relationship continues through ",[15,761,439],{"href":438},". Changing certification bodies is possible but carries some friction: the new firm will usually require a transfer audit to confirm your certificate is valid and in good standing. Most organizations stay with their initial certification body for at least one three-year cycle.",[11,764,765,766,770],{},"The certification body's audit approach also interacts with your ",[15,767,769],{"href":768},"\u002Fframeworks\u002Fiso27001\u002Fisms-scope","ISMS scope",". A clear scope statement reduces audit days and audit cost. Ambiguous scope drives longer audits.",[29,772,774],{"id":773},"common-pitfalls","Common pitfalls",[55,776,777,783,789,795,801,807],{},[58,778,779,782],{},[61,780,781],{},"Choosing based on price alone."," A cheap audit from an unfamiliar body can fail to carry weight in enterprise procurement and end up costing more in lost deals.",[58,784,785,788],{},[61,786,787],{},"Not verifying accreditation."," Marketing sites sometimes overstate accreditation. Check the accreditation body's register directly.",[58,790,791,794],{},[61,792,793],{},"Ignoring auditor tenure."," Newly minted ISO 27001 auditors may not spot the issues experienced auditors do. 
Ask about specific auditors likely to be assigned.",[58,796,797,800],{},[61,798,799],{},"Selecting too late."," Scheduling pressure pushes organizations to accept the first available body rather than the best-fit body.",[58,802,803,806],{},[61,804,805],{},"Assuming the same firm can audit across all frameworks."," Some certification bodies also issue SOC 2 reports, but the two rest on different qualifications: an ISO 27001 certificate is issued by an accredited certification body, while a SOC 2 report is an attestation that only a licensed CPA firm can issue under AICPA standards. Evaluate each separately.",[58,808,809,812],{},[61,810,811],{},"Ignoring surveillance audit cost."," A low initial audit with high surveillance fees can be more expensive over three years than a higher initial quote.",[29,814,816],{"id":815},"how-episki-helps","How episki helps",[11,818,819],{},"episki helps by keeping your ISMS in an audit-ready state regardless of which certification body you choose. The platform generates the scope statement, Statement of Applicability, evidence pack, and audit trail that every accredited certification body expects. Customers entering certification body conversations can share a clean summary of their programme to get faster, more accurate proposals.",[11,821,822,823,826],{},"Return to the ",[15,824,825],{"href":17},"ISO 27001 framework overview"," for the full certification journey and how certification body selection fits in.",{"title":452,"searchDepth":453,"depth":453,"links":828},[829,830,831,832,841,842,843,844,845],{"id":514,"depth":453,"text":515},{"id":544,"depth":453,"text":545},{"id":596,"depth":453,"text":597},{"id":617,"depth":453,"text":618,"children":833},[834,835,836,837,838,839,840],{"id":624,"depth":459,"text":625},{"id":631,"depth":459,"text":632},{"id":638,"depth":459,"text":639},{"id":645,"depth":459,"text":646},{"id":652,"depth":459,"text":653},{"id":685,"depth":459,"text":686},{"id":692,"depth":459,"text":693},{"id":699,"depth":453,"text":700},{"id":735,"depth":453,"text":736},{"id":745,"depth":453,"text":746},{"id":773,"depth":453,"text":774},{"id":815,"depth":453,"text":816},"How to 
evaluate and select an ISO 27001 certification body, including accreditation (UKAS, ANAB, JAS-ANZ), cost, scope, and what to ask during selection.",{"items":848},[849,852,855,858,861],{"label":850,"content":851},"What is an ISO 27001 certification body?","A certification body, sometimes called a registrar, is an accredited organization that audits your ISMS and issues your ISO 27001 certificate if you pass. Examples include BSI, DNV, TÜV, Schellman, Coalfire ISO, and A-LIGN.",{"label":853,"content":854},"What does accreditation mean and why does it matter?","Accreditation is independent oversight of the certification body itself. Accreditation bodies like UKAS in the UK and ANAB in the US audit certification bodies to ensure they are competent and impartial. A certificate from a non-accredited body has limited value in enterprise procurement.",{"label":856,"content":857},"How much does an ISO 27001 certification body cost?","Certification audit costs typically range from $15,000 to $40,000 for Stage 1 and Stage 2 combined, depending on scope, complexity, and auditor location. Annual surveillance audits typically run $8,000 to $20,000. Recertification in year three is similar in scale to the original audit.",{"label":859,"content":860},"Should I pick the cheapest certification body?","No. The cheapest option is rarely the best. Accreditation status, industry familiarity, auditor availability, and customer reputation usually outweigh small price differences. A cheap audit that your customers do not respect is worse than no audit.",{"label":862,"content":863},"Can the same firm that helped us prepare also certify us?","No. The accreditation rules that certification bodies operate under (ISO\u002FIEC 17021-1) require them to be impartial and independent of the ISMS they certify. A firm that provided consulting, gap analysis, or implementation support cannot also perform your certification audit. 
Many firms have separate consulting and certification arms, and the accreditation rules still prohibit overlap on the same client.",{},"\u002Fframeworks\u002Fiso27001\u002Fcertification-body-selection",[476,867,482],"certification-body",[487,488,869,486],"isms-scope",{"title":871,"description":872},"ISO 27001 Certification Body Selection — UKAS, ANAB & More","Pick the right ISO 27001 certification body. Compare accreditation, cost, industry fit, and auditor availability with a practical evaluation checklist.","5.frameworks\u002Fiso27001\u002Fcertification-body-selection","_OesFcheTLTJMpFIixfiRWtY7P0oEz2AiyQV3Q_iltA",{"id":876,"title":877,"body":878,"description":1427,"extension":474,"faq":475,"frameworkSlug":476,"lastUpdated":477,"meta":1428,"navigation":479,"path":106,"relatedTerms":1429,"relatedTopics":1430,"seo":1432,"stem":1435,"__hash__":1436},"frameworkTopics\u002F5.frameworks\u002Fiso27001\u002Fcertification-process.md","ISO 27001 Certification Process",{"type":8,"value":879,"toc":1411},[880,886,889,893,899,903,906,909,941,944,948,951,990,993,997,1000,1003,1023,1026,1030,1033,1036,1068,1071,1091,1094,1098,1101,1176,1179,1182,1211,1215,1225,1228,1232,1235,1239,1300,1304,1337,1341,1380,1384],[11,881,882,883,885],{},"Achieving ",[15,884,18],{"href":17}," certification demonstrates to customers, partners, and regulators that your organization manages information security through a systematic, risk-based approach. The certification process can feel opaque if you have never been through it, but it follows a well-defined sequence of stages that are consistent worldwide.",[11,887,888],{},"This guide breaks down each phase so you know exactly what to expect, how long it takes, and where organizations commonly stumble.",[29,890,892],{"id":891},"why-pursue-certification","Why Pursue Certification?",[11,894,895,896,898],{},"Many organizations operate an Information Security Management System (",[15,897,23],{"href":22},") without seeking formal certification. 
Certification adds external validation: an accredited certification body independently verifies that your ISMS meets the requirements of ISO\u002FIEC 27001. This is increasingly important when enterprise customers require proof of security maturity during procurement, when regulators accept ISO 27001 as evidence of due diligence, or when your organization wants a structured improvement cycle rather than ad-hoc security efforts.",[29,900,902],{"id":901},"choosing-a-certification-body","Choosing a Certification Body",[11,904,905],{},"A certification body (CB), sometimes called a registrar, is the organization that conducts your audit and issues your certificate. Only accredited CBs can issue recognized ISO 27001 certificates. Accreditation is granted by national bodies such as UKAS in the United Kingdom, ANAB in the United States, or JAS-ANZ in Australia and New Zealand.",[11,907,908],{},"When selecting a CB, consider:",[55,910,911,917,923,929,935],{},[58,912,913,916],{},[61,914,915],{},"Accreditation status."," Confirm the CB is accredited for ISO\u002FIEC 27001 by a member of the International Accreditation Forum (IAF).",[58,918,919,922],{},[61,920,921],{},"Industry experience."," Some CBs have deeper expertise in specific sectors like financial services, healthcare, or cloud technology.",[58,924,925,928],{},[61,926,927],{},"Auditor availability."," Lead times can vary from weeks to months depending on the CB's schedule.",[58,930,931,934],{},[61,932,933],{},"Geographic coverage."," If you have offices in multiple countries, choose a CB that can coordinate auditors across regions.",[58,936,937,940],{},[61,938,939],{},"Cost and transparency."," Fees vary. Request a detailed proposal that includes audit days, travel costs, and the surveillance audit schedule.",[11,942,943],{},"It is perfectly acceptable to get quotes from several CBs before committing. 
The CB should be independent and have no consulting relationship with your organization to avoid conflicts of interest.",[29,945,947],{"id":946},"pre-certification-preparation","Pre-Certification Preparation",[11,949,950],{},"Before engaging a certification body, most organizations go through a preparation phase that takes anywhere from three to twelve months depending on the maturity of existing security practices. Key activities during this phase include:",[952,953,954,960,966,978,984],"ol",{},[58,955,956,959],{},[61,957,958],{},"Scoping the ISMS."," Define the boundaries of your ISMS including locations, business processes, technologies, and organizational units. The scope statement is foundational and will be scrutinized during the audit.",[58,961,962,965],{},[61,963,964],{},"Conducting a gap analysis."," Compare your current practices against the requirements in clauses 4 through 10 of ISO 27001 and the controls listed in Annex A. This reveals what needs to be built, documented, or improved.",[58,967,968,971,972,974,975,977],{},[61,969,970],{},"Implementing the ISMS."," Build or refine your ",[15,973,370],{"href":369}," process, create your ",[15,976,382],{"href":381},", deploy controls, and establish the documentation required by the standard.",[58,979,980,983],{},[61,981,982],{},"Running an internal audit."," ISO 27001 requires that you perform at least one internal audit before the certification audit. This is your chance to catch nonconformities while there is still time to fix them.",[58,985,986,989],{},[61,987,988],{},"Conducting a management review."," Top management must review the ISMS to confirm it remains suitable, adequate, and effective. Document the inputs, decisions, and actions from this review.",[11,991,992],{},"Many organizations also run a pre-assessment or readiness review with their chosen CB. 
This optional step gives auditors a preliminary look at your documentation and controls without the formality of the certification audit.",[29,994,996],{"id":995},"stage-1-audit-documentation-review","Stage 1 Audit — Documentation Review",[11,998,999],{},"The Stage 1 audit is the first formal interaction with your certification body. Its primary purpose is to evaluate whether your ISMS documentation is in place and whether your organization is ready for the more detailed Stage 2 audit.",[11,1001,1002],{},"During Stage 1 the auditor will typically:",[55,1004,1005,1011,1014,1017,1020],{},[58,1006,1007,1008,1010],{},"Review your ISMS scope, information security policy, risk assessment methodology, ",[15,1009,382],{"href":381},", and risk treatment plan.",[58,1012,1013],{},"Assess whether internal audits and management reviews have been completed.",[58,1015,1016],{},"Confirm that mandatory documented information exists for all required clauses.",[58,1018,1019],{},"Identify any areas of concern that could become nonconformities in Stage 2.",[58,1021,1022],{},"Visit your primary site (though some CBs conduct Stage 1 remotely for smaller scopes).",[11,1024,1025],{},"The Stage 1 audit usually lasts one to two days for small to mid-sized organizations. At the end the auditor issues a report highlighting any gaps that need to be resolved before Stage 2. There is typically a window of two to six months between Stage 1 and Stage 2 to address findings.",[29,1027,1029],{"id":1028},"stage-2-audit-implementation-verification","Stage 2 Audit — Implementation Verification",[11,1031,1032],{},"Stage 2 is the main certification audit. 
Auditors verify that your ISMS is not just documented but actually implemented, effective, and operating as described.",[11,1034,1035],{},"Stage 2 activities include:",[55,1037,1038,1044,1050,1056,1062],{},[58,1039,1040,1043],{},[61,1041,1042],{},"Interviews with staff"," across departments to confirm that policies are understood and followed.",[58,1045,1046,1049],{},[61,1047,1048],{},"Evidence sampling."," Auditors select samples of records, logs, change tickets, access reviews, incident reports, and other artifacts to confirm controls are working.",[58,1051,1052,1055],{},[61,1053,1054],{},"Process observation."," Auditors may observe processes like onboarding, change management, or incident handling in real time.",[58,1057,1058,1061],{},[61,1059,1060],{},"Technical verification."," Depending on scope, auditors may review firewall configurations, access control lists, backup procedures, or vulnerability scan results.",[58,1063,1064,1067],{},[61,1065,1066],{},"Evaluation of all Annex A controls"," declared applicable in your SoA.",[11,1069,1070],{},"Stage 2 typically takes three to ten audit days on-site depending on the size and complexity of the scope. At the conclusion the audit team classifies findings into three categories:",[55,1072,1073,1079,1085],{},[58,1074,1075,1078],{},[61,1076,1077],{},"Major nonconformities."," Significant failures that prevent certification until resolved.",[58,1080,1081,1084],{},[61,1082,1083],{},"Minor nonconformities."," Isolated issues that must be corrected, usually within 90 days, but do not block certification.",[58,1086,1087,1090],{},[61,1088,1089],{},"Opportunities for improvement."," Suggestions that are not mandatory but are noted for consideration.",[11,1092,1093],{},"If there are no major nonconformities, the auditor recommends certification. 
The CB's internal review panel then confirms the recommendation and issues the certificate.",[29,1095,1097],{"id":1096},"realistic-timelines","Realistic Timelines",[11,1099,1100],{},"A realistic timeline from project kickoff to certificate in hand looks roughly like this:",[1102,1103,1104,1117],"table",{},[1105,1106,1107],"thead",{},[1108,1109,1110,1114],"tr",{},[1111,1112,1113],"th",{},"Phase",[1111,1115,1116],{},"Duration",[1118,1119,1120,1129,1136,1144,1152,1160,1168],"tbody",{},[1108,1121,1122,1126],{},[1123,1124,1125],"td",{},"Gap analysis and planning",[1123,1127,1128],{},"1–2 months",[1108,1130,1131,1133],{},[1123,1132,752],{},[1123,1134,1135],{},"3–9 months",[1108,1137,1138,1141],{},[1123,1139,1140],{},"Internal audit and management review",[1123,1142,1143],{},"1 month",[1108,1145,1146,1149],{},[1123,1147,1148],{},"Stage 1 audit",[1123,1150,1151],{},"1–2 days",[1108,1153,1154,1157],{},[1123,1155,1156],{},"Gap remediation between Stage 1 and Stage 2",[1123,1158,1159],{},"1–3 months",[1108,1161,1162,1165],{},[1123,1163,1164],{},"Stage 2 audit",[1123,1166,1167],{},"3–10 days",[1108,1169,1170,1173],{},[1123,1171,1172],{},"Certificate issuance",[1123,1174,1175],{},"2–6 weeks after Stage 2",[11,1177,1178],{},"For a mid-sized technology company starting from moderate maturity, a nine to twelve month timeline is typical. Organizations with very little existing security structure should plan for twelve to eighteen months.",[29,1180,1181],{"id":773},"Common Pitfalls",[55,1183,1184,1190,1199,1205],{},[58,1185,1186,1189],{},[61,1187,1188],{},"Underestimating documentation requirements."," ISO 27001 is specific about what must be documented. Missing a mandatory record can result in a nonconformity.",[58,1191,1192,1195,1196,1198],{},[61,1193,1194],{},"Treating it as a one-time project."," Certification is the starting point, not the finish line. 
You will face ",[15,1197,439],{"href":438}," annually and full recertification every three years.",[58,1200,1201,1204],{},[61,1202,1203],{},"Scope creep or scope too narrow."," A scope that is too broad inflates cost and effort; a scope that is too narrow may not satisfy customer expectations.",[58,1206,1207,1210],{},[61,1208,1209],{},"Lack of management commitment."," The standard explicitly requires top management involvement. Auditors look for evidence of leadership engagement, not just a signed policy.",[29,1212,1214],{"id":1213},"after-certification","After Certification",[11,1216,1217,1218,1220,1221,1224],{},"Receiving your certificate is a milestone, but the certification cycle continues with annual ",[15,1219,439],{"href":438}," and a full recertification audit in year three. Maintaining a living ISMS with current ",[15,1222,1223],{"href":369},"risk assessments",", up-to-date controls, and regular internal audits is essential to keeping your certification active.",[11,1226,1227],{},"Tools like episki help organizations stay audit-ready year-round by linking controls to evidence, automating review schedules, and surfacing gaps before external auditors arrive.",[29,1229,1231],{"id":1230},"certification-readiness-checklist","Certification Readiness Checklist",[11,1233,1234],{},"Use this checklist to track your progress toward ISO 27001 certification:",[44,1236,1238],{"id":1237},"preparation-phase","Preparation phase",[55,1240,1243,1252,1258,1264,1270,1276,1282,1288,1294],{"className":1241},[1242],"contains-task-list",[58,1244,1247,1251],{"className":1245},[1246],"task-list-item",[1248,1249],"input",{"disabled":479,"type":1250},"checkbox"," Define ISMS scope (locations, processes, technologies, and organizational units)",[58,1253,1255,1257],{"className":1254},[1246],[1248,1256],{"disabled":479,"type":1250}," Assign an ISMS owner and project team",[58,1259,1261,1263],{"className":1260},[1246],[1248,1262],{"disabled":479,"type":1250}," Conduct a gap analysis 
against ISO 27001 clauses 4–10 and Annex A",[58,1265,1267,1269],{"className":1266},[1246],[1248,1268],{"disabled":479,"type":1250}," Complete a risk assessment and produce a risk treatment plan",[58,1271,1273,1275],{"className":1272},[1246],[1248,1274],{"disabled":479,"type":1250}," Draft the Statement of Applicability (SoA)",[58,1277,1279,1281],{"className":1278},[1246],[1248,1280],{"disabled":479,"type":1250}," Write or update required policies (information security policy, access control, acceptable use, etc.)",[58,1283,1285,1287],{"className":1284},[1246],[1248,1286],{"disabled":479,"type":1250}," Implement controls identified in the risk treatment plan",[58,1289,1291,1293],{"className":1290},[1246],[1248,1292],{"disabled":479,"type":1250}," Establish an incident response process",[58,1295,1297,1299],{"className":1296},[1246],[1248,1298],{"disabled":479,"type":1250}," Set up a document control process for ISMS records",[44,1301,1303],{"id":1302},"internal-readiness","Internal readiness",[55,1305,1307,1313,1319,1325,1331],{"className":1306},[1242],[58,1308,1310,1312],{"className":1309},[1246],[1248,1311],{"disabled":479,"type":1250}," Conduct at least one internal audit covering all ISMS clauses",[58,1314,1316,1318],{"className":1315},[1246],[1248,1317],{"disabled":479,"type":1250}," Address nonconformities identified in the internal audit",[58,1320,1322,1324],{"className":1321},[1246],[1248,1323],{"disabled":479,"type":1250}," Hold a formal management review with documented minutes and decisions",[58,1326,1328,1330],{"className":1327},[1246],[1248,1329],{"disabled":479,"type":1250}," Verify all mandatory documented information is complete and current",[58,1332,1334,1336],{"className":1333},[1246],[1248,1335],{"disabled":479,"type":1250}," Confirm staff awareness — key personnel can explain relevant policies and their roles",[44,1338,1340],{"id":1339},"certification-body-engagement","Certification body 
engagement",[55,1342,1344,1350,1356,1362,1368,1374],{"className":1343},[1242],[58,1345,1347,1349],{"className":1346},[1246],[1248,1348],{"disabled":479,"type":1250}," Research and shortlist accredited certification bodies",[58,1351,1353,1355],{"className":1352},[1246],[1248,1354],{"disabled":479,"type":1250}," Request proposals and confirm accreditation status (IAF member)",[58,1357,1359,1361],{"className":1358},[1246],[1248,1360],{"disabled":479,"type":1250}," Schedule Stage 1 audit",[58,1363,1365,1367],{"className":1364},[1246],[1248,1366],{"disabled":479,"type":1250}," Complete Stage 1 and resolve any findings",[58,1369,1371,1373],{"className":1370},[1246],[1248,1372],{"disabled":479,"type":1250}," Schedule Stage 2 audit",[58,1375,1377,1379],{"className":1376},[1246],[1248,1378],{"disabled":479,"type":1250}," Prepare evidence packs for all applicable Annex A controls",[44,1381,1383],{"id":1382},"post-certification","Post-certification",[55,1385,1387,1393,1399,1405],{"className":1386},[1242],[58,1388,1390,1392],{"className":1389},[1246],[1248,1391],{"disabled":479,"type":1250}," Plan surveillance audit schedule (annually)",[58,1394,1396,1398],{"className":1395},[1246],[1248,1397],{"disabled":479,"type":1250}," Assign ongoing ISMS maintenance responsibilities",[58,1400,1402,1404],{"className":1401},[1246],[1248,1403],{"disabled":479,"type":1250}," Schedule periodic risk reassessments",[58,1406,1408,1410],{"className":1407},[1246],[1248,1409],{"disabled":479,"type":1250}," Set review cadence for policies and the Statement of 
Applicability",{"title":452,"searchDepth":453,"depth":453,"links":1412},[1413,1414,1415,1416,1417,1418,1419,1420,1421],{"id":891,"depth":453,"text":892},{"id":901,"depth":453,"text":902},{"id":946,"depth":453,"text":947},{"id":995,"depth":453,"text":996},{"id":1028,"depth":453,"text":1029},{"id":1096,"depth":453,"text":1097},{"id":773,"depth":453,"text":1181},{"id":1213,"depth":453,"text":1214},{"id":1230,"depth":453,"text":1231,"children":1422},[1423,1424,1425,1426],{"id":1237,"depth":459,"text":1238},{"id":1302,"depth":459,"text":1303},{"id":1339,"depth":459,"text":1340},{"id":1382,"depth":459,"text":1383},"A complete walkthrough of the ISO 27001 certification journey, from selecting a certification body through Stage 1 and Stage 2 audits to achieving certified status.",{},[476,482],[1431,485,484,486,488],"annex-a-controls",{"title":1433,"description":1434},"ISO 27001 Certification Process — Stages, Audits & Timeline","Learn every stage of the ISO 27001 certification process including Stage 1 and Stage 2 audits, certification body selection, and realistic timelines.","5.frameworks\u002Fiso27001\u002Fcertification-process","MSlNYNlme0S3E3sHdYpwuiBv3zf4zFP-UzqfRV7RXz0",{"id":1438,"title":1439,"body":1440,"description":1877,"extension":474,"faq":1878,"frameworkSlug":476,"lastUpdated":477,"meta":1895,"navigation":479,"path":1896,"relatedTerms":1897,"relatedTopics":1900,"seo":1904,"stem":1907,"__hash__":1908},"frameworkTopics\u002F5.frameworks\u002Fiso27001\u002Fcontinual-improvement.md","ISO 27001 Continual Improvement (Clause 10.3)",{"type":8,"value":1441,"toc":1852},[1442,1451,1454,1458,1461,1464,1484,1487,1491,1494,1497,1515,1518,1522,1525,1529,1537,1541,1549,1553,1556,1560,1563,1567,1573,1577,1580,1584,1587,1591,1594,1597,1623,1626,1630,1647,1651,1662,1666,1680,1684,1698,1702,1716,1719,1723,1726,1729,1743,1749,1753,1756,1776,1779,1781,1787,1790,1796,1798,1842,1844,1847],[11,1443,1444,1445,1447,1448,1450],{},"Clause 10.3 of ",[15,1446,18],{"href":17}," is only two 
sentences long, but it shapes whether your ",[15,1449,23],{"href":22}," stays alive or calcifies into documentation that everyone ignores. The clause requires the organization to continually improve the suitability, adequacy, and effectiveness of the ISMS. Certification auditors consistently test this by comparing the ISMS today against the ISMS a year ago and asking what actually changed and why.",[11,1452,1453],{},"Continual improvement done well is a strategic muscle. Done poorly, it becomes a checkbox activity where the same three PowerPoint slides get presented annually with no real movement. This guide is about the difference.",[29,1455,1457],{"id":1456},"what-clause-103-requires","What Clause 10.3 requires",[11,1459,1460],{},"The full text of Clause 10.3 is: \"The organization shall continually improve the suitability, adequacy, and effectiveness of the information security management system.\"",[11,1462,1463],{},"Three concepts carry weight in that sentence:",[55,1465,1466,1472,1478],{},[58,1467,1468,1471],{},[61,1469,1470],{},"Suitability."," Is the ISMS appropriate for the organization's context, scope, and risks? As the business changes, suitability can erode even when nothing in the ISMS looks broken.",[58,1473,1474,1477],{},[61,1475,1476],{},"Adequacy."," Does the ISMS actually cover what it needs to cover? Gaps between the documented ISMS and operational reality undermine adequacy.",[58,1479,1480,1483],{},[61,1481,1482],{},"Effectiveness."," Is the ISMS producing the outcomes it is supposed to produce? Reducing risk, preventing incidents, meeting objectives, satisfying interested parties.",[11,1485,1486],{},"Continual improvement targets all three. An audit finding that says \"the ISMS is documented but suitability has drifted\" is just as serious as a finding that a specific control does not work.",[29,1488,1490],{"id":1489},"continual-versus-continuous","Continual versus continuous",[11,1492,1493],{},"ISO 27001 uses \"continual\" deliberately. 
Continual means improvement in defined cycles with measurable progress. Continuous implies unbroken ongoing change. An ISMS that changes constantly without structure is harder to audit than one that improves in cycles.",[11,1495,1496],{},"Most organizations implement continual improvement through a combination of:",[55,1498,1499,1502,1505,1508],{},[58,1500,1501],{},"Regular measurement against defined metrics.",[58,1503,1504],{},"Periodic improvement planning, often tied to annual objectives.",[58,1506,1507],{},"Documented improvement actions with owners and due dates.",[58,1509,1510,1511,108],{},"Periodic reviews of improvement progress through ",[15,1512,1514],{"href":1513},"\u002Fframeworks\u002Fiso27001\u002Fmanagement-review","management review",[11,1516,1517],{},"This maps cleanly to the Plan-Do-Check-Act model that underpins all ISO management system standards.",[29,1519,1521],{"id":1520},"inputs-to-continual-improvement","Inputs to continual improvement",[11,1523,1524],{},"Continual improvement feeds on structured signals from across the ISMS. The most valuable inputs include:",[44,1526,1528],{"id":1527},"audit-findings","Audit findings",[11,1530,1531,1532,1536],{},"Trends in ",[15,1533,1535],{"href":1534},"\u002Fframeworks\u002Fiso27001\u002Finternal-audit","internal audit"," findings reveal systemic weaknesses. Three consecutive audits with access control findings point to a structural issue rather than an isolated problem.",[44,1538,1540],{"id":1539},"nonconformities-and-corrective-actions","Nonconformities and corrective actions",[11,1542,1543,1544,1548],{},"Patterns across the ",[15,1545,1547],{"href":1546},"\u002Fframeworks\u002Fiso27001\u002Fnonconformity-and-corrective-action","nonconformity and corrective action"," log often reveal that localized fixes are not addressing root causes. 
Clause 10.3 benefits when systemic learnings are extracted from CAPA.",[44,1550,1552],{"id":1551},"incident-and-near-miss-data","Incident and near-miss data",[11,1554,1555],{},"Actual security incidents and near-misses show where controls are failing or where controls are working but are too slow, too noisy, or too fragile to be relied on.",[44,1557,1559],{"id":1558},"metrics-and-kpi-trends","Metrics and KPI trends",[11,1561,1562],{},"Measurement over time beats snapshot measurement. A phishing simulation click rate of 7 percent is not inherently good or bad. A decline from 18 percent to 7 percent over four quarters is powerful evidence of continual improvement.",[44,1564,1566],{"id":1565},"risk-assessment-updates","Risk assessment updates",[11,1568,1569,1570,1572],{},"Changes to the ",[15,1571,370],{"href":369}," over time show whether the organization is actually reducing risk or merely tracking it. Residual risk should trend down or hold steady with a valid reason.",[44,1574,1576],{"id":1575},"customer-and-regulator-feedback","Customer and regulator feedback",[11,1578,1579],{},"Security questionnaire trends, customer-reported issues, regulatory comments, and auditor observations from other engagements all surface improvement opportunities.",[44,1581,1583],{"id":1582},"staff-feedback","Staff feedback",[11,1585,1586],{},"People operating controls daily are often the first to notice friction or failure. Channels for staff to suggest improvements feed the improvement backlog.",[29,1588,1590],{"id":1589},"building-useful-isms-metrics","Building useful ISMS metrics",[11,1592,1593],{},"The quality of your continual improvement is directly proportional to the quality of your metrics. Poor metrics produce vanity dashboards that leadership tolerates for one meeting and ignores thereafter. 
Good metrics drive decisions.",[11,1595,1596],{},"A useful ISMS metric meets four tests:",[55,1598,1599,1605,1611,1617],{},[58,1600,1601,1604],{},[61,1602,1603],{},"Relevant."," It measures something the organization actually cares about.",[58,1606,1607,1610],{},[61,1608,1609],{},"Measurable."," It can be collected consistently without heroic effort.",[58,1612,1613,1616],{},[61,1614,1615],{},"Actionable."," Changes in the metric lead to specific decisions or actions.",[58,1618,1619,1622],{},[61,1620,1621],{},"Trendable."," It makes sense over time, not just at a single point.",[11,1624,1625],{},"Examples of useful metrics by category:",[44,1627,1629],{"id":1628},"control-effectiveness","Control effectiveness",[55,1631,1632,1635,1638,1641,1644],{},[58,1633,1634],{},"Patch compliance rate against SLA.",[58,1636,1637],{},"Access review completion rate.",[58,1639,1640],{},"Mean time to remediate critical vulnerabilities.",[58,1642,1643],{},"Backup test success rate.",[58,1645,1646],{},"Control coverage against the scope (percentage of in-scope systems with required controls verified).",[44,1648,1650],{"id":1649},"risk","Risk",[55,1652,1653,1656,1659],{},[58,1654,1655],{},"Number of open risks by severity.",[58,1657,1658],{},"Residual risk trend across quarters.",[58,1660,1661],{},"Time to close risk treatments after identification.",[44,1663,1665],{"id":1664},"incident-and-detection","Incident and detection",[55,1667,1668,1671,1674,1677],{},[58,1669,1670],{},"Mean time to detect.",[58,1672,1673],{},"Mean time to respond.",[58,1675,1676],{},"Incident volume by category and trend.",[58,1678,1679],{},"Near-miss reports per quarter.",[44,1681,1683],{"id":1682},"people","People",[55,1685,1686,1689,1692,1695],{},[58,1687,1688],{},"Training completion rate by role.",[58,1690,1691],{},"Phishing simulation click and report rates.",[58,1693,1694],{},"Time from hire to security onboarding completion.",[58,1696,1697],{},"Time from termination to access 
revocation.",[44,1699,1701],{"id":1700},"isms-operation","ISMS operation",[55,1703,1704,1707,1710,1713],{},[58,1705,1706],{},"Internal audit coverage against plan.",[58,1708,1709],{},"Nonconformity aging.",[58,1711,1712],{},"Management review decision completion rate.",[58,1714,1715],{},"Policy review cadence adherence.",[11,1717,1718],{},"A leadership-facing ISMS dashboard with ten to twenty curated metrics across these categories is far more useful than a hundred-metric report that nobody reads.",[29,1720,1722],{"id":1721},"setting-information-security-objectives","Setting information security objectives",[11,1724,1725],{},"Clause 6.2 requires documented information security objectives that are measurable, monitored, communicated, and updated as appropriate. These objectives are a primary vehicle for continual improvement.",[11,1727,1728],{},"Good ISO 27001 objectives look like:",[55,1730,1731,1734,1737,1740],{},[58,1732,1733],{},"\"Reduce mean time to detect critical security incidents from 18 hours to under 6 hours by end of Q4 2026.\"",[58,1735,1736],{},"\"Achieve 98 percent patch compliance on critical CVEs within 14 days, sustained across four consecutive quarters.\"",[58,1738,1739],{},"\"Reduce phishing simulation click rate below 5 percent organization-wide by year end.\"",[58,1741,1742],{},"\"Close 100 percent of major internal audit findings within 60 days.\"",[11,1744,1745,1746,1748],{},"Each has a defined metric, a baseline, a target, and a timeframe. Each is evaluated during ",[15,1747,1514],{"href":1513}," and produces evidence of continual improvement or of gaps requiring correction.",[29,1750,1752],{"id":1751},"demonstrating-continual-improvement-to-auditors","Demonstrating continual improvement to auditors",[11,1754,1755],{},"Certification auditors will not ask \"are you continually improving?\" directly. 
They will probe for evidence such as:",[55,1757,1758,1761,1764,1767,1770,1773],{},[58,1759,1760],{},"Year-over-year comparison of audit findings, nonconformities, and incidents.",[58,1762,1763],{},"Progress against information security objectives.",[58,1765,1766],{},"Documented decisions from management review that resulted in change.",[58,1768,1769],{},"Metrics trends presented over multiple periods.",[58,1771,1772],{},"Specific improvement actions completed since the last audit.",[58,1774,1775],{},"Evidence that identified improvement opportunities were either pursued, deferred with rationale, or declined with rationale.",[11,1777,1778],{},"A blank section in management review minutes under \"opportunities for improvement\" is a red flag. So is an identical action log across several reviews with no closures.",[29,1780,746],{"id":745},[11,1782,1783,1784,1786],{},"Continual improvement sits inside Clause 10 alongside ",[15,1785,1547],{"href":1546},". Together they form the improvement engine of the ISMS. Clause 10.2 handles specific problems. Clause 10.3 handles systemic progress.",[11,1788,1789],{},"Continual improvement is fed by Clause 9 activities: monitoring, measurement, analysis, evaluation, internal audit, and management review. Without Clause 9 discipline, Clause 10.3 has nothing to act on.",[11,1791,1792,1793,1795],{},"During the ",[15,1794,107],{"href":106},", evidence of continual improvement is particularly important for surveillance audits and recertification. First-time certifiers have less history to show, so auditors focus on whether the improvement machinery exists. 
Recertification audits focus on whether the machinery actually produced improvement.",[29,1797,774],{"id":773},[55,1799,1800,1806,1812,1818,1824,1830,1836],{},[58,1801,1802,1805],{},[61,1803,1804],{},"Metrics that do not drive decisions."," A dashboard that is updated but never discussed in leadership meetings is not functioning.",[58,1807,1808,1811],{},[61,1809,1810],{},"Objectives that are not measurable."," \"Improve security culture\" is not an objective. \"Reduce phishing click rate below 5 percent by year end\" is.",[58,1813,1814,1817],{},[61,1815,1816],{},"Documenting improvement activities that never happen."," Listing initiatives on a roadmap that never start undermines the credibility of the entire ISMS.",[58,1819,1820,1823],{},[61,1821,1822],{},"Treating improvement as a project rather than a practice."," A one-time improvement sprint before an audit does not meet Clause 10.3.",[58,1825,1826,1829],{},[61,1827,1828],{},"Only measuring what is easy."," The easy metrics are often not the meaningful ones.",[58,1831,1832,1835],{},[61,1833,1834],{},"Ignoring regression."," Metrics that get worse over time deserve as much attention as metrics that get better. Regression without explanation is a finding.",[58,1837,1838,1841],{},[61,1839,1840],{},"No link between improvement and strategy."," Continual improvement should connect to business and security strategy, not exist in a compliance silo.",[29,1843,816],{"id":815},[11,1845,1846],{},"episki turns continual improvement from a narrative into a running system. The platform tracks ISMS metrics against targets, surfaces trends automatically, links improvement actions back to the controls, risks, and objectives they address, and produces the evidence pack auditors use to confirm Clause 10.3 is operating. 
Year-over-year comparisons are built in, so teams can present real progress at management reviews and certification audits without assembling it by hand.",[11,1848,822,1849,1851],{},[15,1850,825],{"href":17}," for how continual improvement closes the Plan-Do-Check-Act cycle at the heart of the ISMS.",{"title":452,"searchDepth":453,"depth":453,"links":1853},[1854,1855,1856,1865,1872,1873,1874,1875,1876],{"id":1456,"depth":453,"text":1457},{"id":1489,"depth":453,"text":1490},{"id":1520,"depth":453,"text":1521,"children":1857},[1858,1859,1860,1861,1862,1863,1864],{"id":1527,"depth":459,"text":1528},{"id":1539,"depth":459,"text":1540},{"id":1551,"depth":459,"text":1552},{"id":1558,"depth":459,"text":1559},{"id":1565,"depth":459,"text":1566},{"id":1575,"depth":459,"text":1576},{"id":1582,"depth":459,"text":1583},{"id":1589,"depth":453,"text":1590,"children":1866},[1867,1868,1869,1870,1871],{"id":1628,"depth":459,"text":1629},{"id":1649,"depth":459,"text":1650},{"id":1664,"depth":459,"text":1665},{"id":1682,"depth":459,"text":1683},{"id":1700,"depth":459,"text":1701},{"id":1721,"depth":453,"text":1722},{"id":1751,"depth":453,"text":1752},{"id":745,"depth":453,"text":746},{"id":773,"depth":453,"text":774},{"id":815,"depth":453,"text":816},"Drive ISO 27001 continual improvement under Clause 10.3 with ISMS metrics, KPIs, effectiveness measurement, and trend analysis auditors and leadership respect.",{"items":1879},[1880,1883,1886,1889,1892],{"label":1881,"content":1882},"What does Clause 10.3 of ISO 27001 actually require?","Clause 10.3 requires that the organization continually improve the suitability, adequacy, and effectiveness of the ISMS. 
It does not prescribe a specific method, but auditors will look for evidence that improvement is planned, measured, and acted on rather than accidental.",{"label":1884,"content":1885},"What is the difference between continual and continuous improvement?","Continual improvement means ongoing improvement with defined intervals and measurable progress. Continuous improvement implies improvement at all times without pause. ISO 27001 uses continual deliberately: the standard expects structured, cyclical improvement rather than perpetual change.",{"label":1887,"content":1888},"What ISMS metrics should we track?","Track metrics that measure control effectiveness, risk reduction, incident trends, audit findings over time, training and awareness, and objective completion. Useful examples include mean time to detect, patch compliance rate, phishing simulation click rate, and access review completion. The best metrics drive decisions, not just reports.",{"label":1890,"content":1891},"How do we demonstrate continual improvement to auditors?","Show measurement over time, documented decisions that changed the ISMS, completed improvement actions, and trend data that indicates progress. A static ISMS that looks identical year over year is hard to present as continually improving.",{"label":1893,"content":1894},"Who owns continual improvement in the ISMS?","The ISMS owner typically coordinates continual improvement activities, but responsibility is distributed. 
Control owners drive improvements in their areas, top management drives strategic improvement through management review, and staff contribute through feedback and suggestions.",{},"\u002Fframeworks\u002Fiso27001\u002Fcontinual-improvement",[476,482,1898,1899],"continuous-monitoring","monitoring",[1901,1902,1903,487],"internal-audit","management-review","nonconformity-and-corrective-action",{"title":1905,"description":1906},"ISO 27001 Continual Improvement — Clause 10.3 Metrics & KPIs","Operate ISO 27001 Clause 10.3 continual improvement with metrics, KPIs, and effectiveness measurement that drive real ISMS maturity.","5.frameworks\u002Fiso27001\u002Fcontinual-improvement","mOCRTlhApKK2k7KncKvMQlgV4aUg9bEfMsST8_xRWvY",{"id":1910,"title":1911,"body":1912,"description":2189,"extension":474,"faq":2190,"frameworkSlug":476,"lastUpdated":477,"meta":2207,"navigation":479,"path":1534,"relatedTerms":2208,"relatedTopics":2211,"seo":2213,"stem":2216,"__hash__":2217},"frameworkTopics\u002F5.frameworks\u002Fiso27001\u002Finternal-audit.md","ISO 27001 Internal Audit (Clause 9.2)",{"type":8,"value":1913,"toc":2172},[1914,1923,1926,1930,1933,1936,1950,1953,1957,1960,1963,1995,2001,2005,2008,2011,2014,2018,2021,2025,2028,2032,2035,2039,2042,2046,2049,2053,2056,2060,2063,2067,2070,2090,2093,2099,2101,2107,2114,2120,2122,2160,2162,2165],[11,1915,1916,1917,1919,1920,1922],{},"If there is a single activity that separates an ISO 27001 programme that will pass audit from one that will not, it is the internal audit. Clause 9.2 of ",[15,1918,18],{"href":17}," requires that you audit your own ",[15,1921,23],{"href":22}," at planned intervals to confirm it conforms to the standard, to your own requirements, and that it is effectively implemented and maintained. This is not a bureaucratic formality. 
A well-run internal audit programme is the single best signal of whether your organization is actually operating an ISMS or merely documenting one.",[11,1924,1925],{},"This guide walks through how to plan, staff, execute, evidence, and close out ISO 27001 internal audits so that both Stage 2 and surveillance auditors find a mature, self-correcting programme.",[29,1927,1929],{"id":1928},"what-clause-92-actually-requires","What Clause 9.2 actually requires",[11,1931,1932],{},"Clause 9.2 of ISO 27001 has two subclauses. Clause 9.2.1 requires that the organization conduct internal audits at planned intervals to provide information on whether the ISMS conforms to the organization's own requirements and the requirements of ISO 27001, and whether it is effectively implemented and maintained. Clause 9.2.2 requires that you plan, establish, implement, and maintain an audit programme that includes frequency, methods, responsibilities, planning requirements, and reporting.",[11,1934,1935],{},"In practice, this translates into four expectations that certification auditors will look for:",[55,1937,1938,1941,1944,1947],{},[58,1939,1940],{},"A documented audit programme that covers the full scope of the ISMS over a defined cycle, typically one to three years.",[58,1942,1943],{},"Objective and competent auditors who do not audit their own work.",[58,1945,1946],{},"Evidence-based audit results with findings categorized and documented.",[58,1948,1949],{},"A closure process where findings are tracked through to corrective action.",[11,1951,1952],{},"Teams often treat the audit programme itself as a compliance artifact rather than a plan. Auditors can tell the difference. 
A real programme shows evidence of actually being followed, including signed schedules, rescheduled audits, and audit reports with real findings.",[29,1954,1956],{"id":1955},"designing-the-audit-programme","Designing the audit programme",[11,1958,1959],{},"The audit programme is the multi-year plan for how your entire ISMS gets audited. For a small to mid-sized organization, a one-year cycle covering every ISO 27001 clause and every applicable Annex A control is typical. Larger organizations often operate a three-year cycle, covering different sections each year so that the full ISMS is audited by the end of the cycle.",[11,1961,1962],{},"A good audit programme defines:",[55,1964,1965,1971,1977,1983,1989],{},[58,1966,1967,1970],{},[61,1968,1969],{},"Scope of each audit."," Which clauses, which controls, which business units, which systems.",[58,1972,1973,1976],{},[61,1974,1975],{},"Frequency."," When each scope is audited. Higher-risk areas such as change management and access control often get more frequent coverage.",[58,1978,1979,1982],{},[61,1980,1981],{},"Methods."," Document review, interviews, observation, sampling of records, technical testing.",[58,1984,1985,1988],{},[61,1986,1987],{},"Auditor assignments."," Who will audit what, and confirmation that they are independent of the area being audited.",[58,1990,1991,1994],{},[61,1992,1993],{},"Reporting requirements."," Format of audit reports, required sign-offs, distribution list.",[11,1996,1997,1998,2000],{},"Build the programme from your ",[15,1999,370],{"href":369}," output rather than auditing everything equally. An access control failure is a higher-impact risk than a minor documentation gap, so access control deserves deeper sampling.",[29,2002,2004],{"id":2003},"auditor-independence-and-competence","Auditor independence and competence",[11,2006,2007],{},"Clause 9.2 requires that auditors be objective and impartial. 
In plain language: the person who built a control cannot audit that control.",[11,2009,2010],{},"Organizations achieve independence in several ways. Some rotate auditors between teams so that an engineer from the platform team audits the people and HR controls while the HR team audits platform controls. Others use a dedicated internal audit function. Many small companies contract with external consultants to audit areas where no internal independence is possible, such as the single ISMS owner auditing their own programme.",[11,2012,2013],{},"Auditor competence matters as well. Auditors should understand ISO 27001 requirements and auditing practice. ISO 19011 provides guidance on management system auditing and is a good training reference. Certification bodies do not require that internal auditors hold a specific credential, but they will ask how you determined the auditor was competent.",[29,2015,2017],{"id":2016},"running-the-audit-a-practical-flow","Running the audit — a practical flow",[11,2019,2020],{},"The actual audit follows a predictable pattern.",[44,2022,2024],{"id":2023},"_1-opening-meeting","1. Opening meeting",[11,2026,2027],{},"The auditor and the auditees meet to confirm scope, timing, and expectations. For large audits this is formal. For a small scope it can be a short conversation.",[44,2029,2031],{"id":2030},"_2-document-review","2. Document review",[11,2033,2034],{},"The auditor reviews the relevant policies, procedures, and records before or during the audit. This sets up interview questions and evidence requests.",[44,2036,2038],{"id":2037},"_3-interviews","3. Interviews",[11,2040,2041],{},"Auditors interview the people who actually operate the controls. The goal is to confirm that documented processes match real practice. Interviews often reveal process drift that documentation alone cannot.",[44,2043,2045],{"id":2044},"_4-evidence-sampling","4. 
Evidence sampling",[11,2047,2048],{},"Auditors request samples of records to verify control operation. Examples include a sample of access reviews, a sample of change tickets, a sample of incident records, a sample of backup test logs. Sample sizes should be documented so that the sampling approach is reproducible.",[44,2050,2052],{"id":2051},"_5-observation-and-technical-verification","5. Observation and technical verification",[11,2054,2055],{},"Where relevant, auditors observe processes happening in real time or verify technical configurations. Watching an on-call engineer handle a test alert is often more valuable than reading the incident response policy.",[44,2057,2059],{"id":2058},"_6-closing-meeting-and-draft-findings","6. Closing meeting and draft findings",[11,2061,2062],{},"The auditor debriefs the audited team, outlines preliminary findings, and gives the team a chance to provide additional context before the report is finalized.",[29,2064,2066],{"id":2065},"documenting-findings","Documenting findings",[11,2068,2069],{},"Every internal audit must produce a documented report. The report typically includes:",[55,2071,2072,2075,2078,2081,2084,2087],{},[58,2073,2074],{},"The audit scope and objectives.",[58,2076,2077],{},"The criteria used, which is usually ISO 27001 and your internal policies.",[58,2079,2080],{},"The audit team and their independence.",[58,2082,2083],{},"Methods used and samples reviewed.",[58,2085,2086],{},"Findings, each categorized as a nonconformity, observation, or opportunity for improvement.",[58,2088,2089],{},"Agreed timelines for corrective actions.",[11,2091,2092],{},"Findings should quote the specific requirement that was not met, describe the evidence of the gap, and state who owns the correction. A finding that says \"access reviews are not always completed\" is weaker than one that says \"Clause 9.2 of your Access Control Policy requires quarterly access reviews. 
Four of ten sampled systems had no documented review in Q1 2026. Owner: IT Operations.\"",[11,2094,2095,2096,2098],{},"Findings then flow into the ",[15,2097,1547],{"href":1546}," process, where root causes are identified and fixes are tracked to closure.",[29,2100,746],{"id":745},[11,2102,2103,2104,2106],{},"Internal audits are one of three major inputs to the ",[15,2105,1514],{"href":1513}," required by Clause 9.3. Management review uses internal audit results along with risk changes, incidents, and performance metrics to make decisions about the direction of the ISMS.",[11,2108,2109,2110,2113],{},"Internal audits also interact directly with ",[15,2111,2112],{"href":1896},"continual improvement"," under Clause 10.3. Patterns in audit findings over time often reveal systemic weaknesses that individual corrective actions cannot resolve. A mature ISMS uses internal audit trends to justify broader process changes, tooling investments, or staffing adjustments.",[11,2115,2116,2117,2119],{},"For first-time certifiers, at least one full internal audit must be complete before the Stage 2 audit in the ",[15,2118,107],{"href":106},". Certification auditors will ask to see the internal audit programme, the reports, and evidence that findings were tracked and closed.",[29,2121,774],{"id":773},[55,2123,2124,2130,2136,2142,2148,2154],{},[58,2125,2126,2129],{},[61,2127,2128],{},"Writing findings but not closing them."," An open finding that sits for a year is worse than no finding at all. It proves the organization does not act on its own audits.",[58,2131,2132,2135],{},[61,2133,2134],{},"Sampling only happy paths."," Pulling the three best-documented change tickets does not prove the change management process works. Randomized or risk-weighted sampling produces credible evidence.",[58,2137,2138,2141],{},[61,2139,2140],{},"Auditing documentation instead of practice."," A control that is beautifully documented but never operated will fail certification. 
Interviews and observation matter more than document review alone.",[58,2143,2144,2147],{},[61,2145,2146],{},"Single-person audit team for every audit."," If the same person audits every area, independence is fragile. Rotate auditors or introduce external support.",[58,2149,2150,2153],{},[61,2151,2152],{},"Skipping the opening and closing meetings."," These bookend activities create accountability and reduce the risk of disputed findings after the fact.",[58,2155,2156,2159],{},[61,2157,2158],{},"No audit trail of evidence."," Auditors should record what they reviewed, when, and where it came from. Without this, findings are hard to defend.",[29,2161,816],{"id":815},[11,2163,2164],{},"episki ships with an ISO 27001 internal audit workflow that generates the audit programme from your control graph, assigns independent auditors based on ownership history, captures evidence directly against the control being audited, and tracks findings through to verified closure. Audit reports export in an auditor-ready format that satisfies Clause 9.2 expectations without pulling days of manual effort from your ISMS owner.",[11,2166,2167,2168,2171],{},"See the full ",[15,2169,2170],{"href":17},"ISO 27001 framework"," for how internal audits connect to the broader certification cycle.",{"title":452,"searchDepth":453,"depth":453,"links":2173},[2174,2175,2176,2177,2185,2186,2187,2188],{"id":1928,"depth":453,"text":1929},{"id":1955,"depth":453,"text":1956},{"id":2003,"depth":453,"text":2004},{"id":2016,"depth":453,"text":2017,"children":2178},[2179,2180,2181,2182,2183,2184],{"id":2023,"depth":459,"text":2024},{"id":2030,"depth":459,"text":2031},{"id":2037,"depth":459,"text":2038},{"id":2044,"depth":459,"text":2045},{"id":2051,"depth":459,"text":2052},{"id":2058,"depth":459,"text":2059},{"id":2065,"depth":453,"text":2066},{"id":745,"depth":453,"text":746},{"id":773,"depth":453,"text":774},{"id":815,"depth":453,"text":816},"How to plan, conduct, and document ISO 27001 Clause 9.2 internal 
audits including scheduling, auditor independence, evidence collection, and reporting.",{"items":2191},[2192,2195,2198,2201,2204],{"label":2193,"content":2194},"How often are ISO 27001 internal audits required?","ISO 27001 requires internal audits at planned intervals. Most organizations run at least one full internal audit per year covering all clauses and applicable Annex A controls, often split into smaller audits throughout the year on a rolling programme.",{"label":2196,"content":2197},"Who can perform an ISO 27001 internal audit?","Anyone objective and competent can perform an ISO 27001 internal audit. The key requirement under Clause 9.2 is that auditors do not audit their own work. Many organizations use a mix of internal staff, rotated between teams, and external consultants for areas where internal independence is not possible.",{"label":2199,"content":2200},"What evidence do internal auditors review?","Internal auditors review policies, procedures, the risk register, the Statement of Applicability, control operation evidence such as logs, tickets, access reviews, training records, and meeting minutes. They also interview personnel to confirm practices match documentation.",{"label":2202,"content":2203},"What is the difference between an internal audit and a certification audit?","An internal audit is performed by or on behalf of your organization to assess your own ISMS. A certification audit is performed by an accredited certification body to decide whether to issue a certificate. Internal audits are inputs to management review. Certification audits grant or maintain certification.",{"label":2205,"content":2206},"Do minor nonconformities in an internal audit block certification?","No. Internal audit findings are your early warning system. Finding issues internally is a sign the programme is working. 
The risk is failing to track and close them, which can then surface as a nonconformity during the external audit.",{},[476,482,2209,2210],"audit-trail","evidence-collection",[1902,1903,487,2212],"continual-improvement",{"title":2214,"description":2215},"ISO 27001 Internal Audit — Clause 9.2 Guide & Checklist","Plan ISO 27001 Clause 9.2 internal audits with proper scheduling, independent auditors, evidence collection, and audit reports auditors respect.","5.frameworks\u002Fiso27001\u002Finternal-audit","8EcVsjllAAQ6BBjLuTHwZuoR-qrrq7v51marcETHLSg",{"id":2219,"title":2220,"body":2221,"description":2666,"extension":474,"faq":475,"frameworkSlug":476,"lastUpdated":477,"meta":2667,"navigation":479,"path":507,"relatedTerms":2668,"relatedTopics":2669,"seo":2670,"stem":2673,"__hash__":2674},"frameworkTopics\u002F5.frameworks\u002Fiso27001\u002Fisms-implementation.md","ISMS Implementation Guide",{"type":8,"value":2222,"toc":2633},[2223,2232,2236,2239,2265,2268,2272,2276,2279,2283,2289,2295,2301,2306,2310,2313,2316,2319,2325,2331,2337,2340,2344,2347,2350,2353,2362,2368,2380,2386,2390,2393,2396,2399,2405,2411,2417,2423,2429,2432,2436,2439,2442,2445,2451,2457,2463,2469,2473,2476,2479,2482,2488,2494,2501,2507,2511,2514,2517,2520,2526,2532,2535,2539,2542,2589,2592,2596,2602,2608,2614,2627],[11,2224,2225,2226,2228,2229,2231],{},"An Information Security Management System (",[15,2227,23],{"href":22},") is the structured framework of policies, processes, and controls that an organization uses to manage information security risks. ",[15,2230,18],{"href":17}," defines the requirements for establishing, implementing, maintaining, and continually improving an ISMS. This guide walks through each major clause of the standard and translates requirements into practical implementation steps.",[29,2233,2235],{"id":2234},"understanding-the-structure","Understanding the Structure",[11,2237,2238],{},"ISO 27001 clauses 4 through 10 contain the mandatory requirements for the ISMS. 
These clauses follow the Plan-Do-Check-Act (PDCA) cycle that underpins all ISO management system standards:",[55,2240,2241,2247,2253,2259],{},[58,2242,2243,2246],{},[61,2244,2245],{},"Plan (Clauses 4-6):"," Establish the ISMS context, secure leadership support, and plan for risk treatment.",[58,2248,2249,2252],{},[61,2250,2251],{},"Do (Clause 8):"," Implement the plans.",[58,2254,2255,2258],{},[61,2256,2257],{},"Check (Clause 9):"," Monitor, measure, audit, and review performance.",[58,2260,2261,2264],{},[61,2262,2263],{},"Act (Clause 10):"," Address nonconformities and drive continual improvement.",[11,2266,2267],{},"Clause 7 covers support requirements (resources, competence, awareness, communication, and documentation) that span the entire cycle.",[29,2269,2271],{"id":2270},"clause-4-context-of-the-organization","Clause 4: Context of the Organization",[44,2273,2275],{"id":2274},"what-the-standard-requires","What the Standard Requires",[11,2277,2278],{},"You must understand the internal and external issues relevant to your purpose that affect your ability to achieve the intended outcomes of the ISMS. You must also identify the needs and expectations of interested parties and determine the scope of the ISMS.",[44,2280,2282],{"id":2281},"how-to-implement","How to Implement",[11,2284,2285,2288],{},[61,2286,2287],{},"Identify context."," Document the internal factors (organizational structure, culture, capabilities, governance) and external factors (regulatory environment, market conditions, threat landscape, technology trends) that influence your ISMS.",[11,2290,2291,2294],{},[61,2292,2293],{},"Identify interested parties."," List the stakeholders who have requirements related to information security: customers, regulators, employees, shareholders, suppliers, and partners. 
Document their specific requirements.",[11,2296,2297,2300],{},[61,2298,2299],{},"Define the ISMS scope."," Write a clear scope statement that specifies which parts of the organization, which locations, which information assets, and which processes are covered. The scope should be achievable and meaningful. It must be available as documented information.",[11,2302,2303,2304,108],{},"A well-defined scope prevents scope creep during implementation and gives auditors a clear boundary for assessment during the ",[15,2305,107],{"href":106},[29,2307,2309],{"id":2308},"clause-5-leadership","Clause 5: Leadership",[44,2311,2275],{"id":2312},"what-the-standard-requires-1",[11,2314,2315],{},"Top management must demonstrate leadership and commitment to the ISMS, establish an information security policy, and assign roles, responsibilities, and authorities.",[44,2317,2282],{"id":2318},"how-to-implement-1",[11,2320,2321,2324],{},[61,2322,2323],{},"Secure executive sponsorship."," Identify a member of senior leadership who will champion the ISMS. This person must actively participate, not just sign documents.",[11,2326,2327,2330],{},[61,2328,2329],{},"Create the information security policy."," Draft a high-level policy that is appropriate to the organization's purpose, includes a commitment to satisfying applicable requirements, and includes a commitment to continual improvement. The policy must be communicated to all personnel.",[11,2332,2333,2336],{},[61,2334,2335],{},"Assign ISMS roles."," Formally assign responsibility for maintaining the ISMS, typically to an Information Security Manager or CISO. Define who is accountable for reporting ISMS performance to top management.",[11,2338,2339],{},"Auditors specifically look for evidence of genuine management engagement, not just signatures. 
Meeting minutes, resource allocation decisions, and management review records all serve as evidence.",[29,2341,2343],{"id":2342},"clause-6-planning","Clause 6: Planning",[44,2345,2275],{"id":2346},"what-the-standard-requires-2",[11,2348,2349],{},"Plan actions to address risks and opportunities, establish information security objectives, and plan how to achieve them.",[44,2351,2282],{"id":2352},"how-to-implement-2",[11,2354,2355,2358,2359,108],{},[61,2356,2357],{},"Conduct risk assessment."," Follow a defined methodology to identify, analyze, and evaluate information security risks. See the detailed guide on ",[15,2360,2361],{"href":369},"ISO 27001 risk assessment",[11,2363,2364,2367],{},[61,2365,2366],{},"Create the risk treatment plan."," For each risk above your acceptance threshold, document the treatment option (mitigate, transfer, avoid, accept), the specific controls to implement, responsible owners, and timelines.",[11,2369,2370,2373,2374,2377,2378,108],{},[61,2371,2372],{},"Develop the Statement of Applicability."," Evaluate all 93 ",[15,2375,2376],{"href":480},"Annex A controls"," and document applicability decisions in your ",[15,2379,382],{"href":381},[11,2381,2382,2385],{},[61,2383,2384],{},"Set information security objectives."," Define measurable objectives that are consistent with the information security policy. Objectives should be specific enough to be monitored and should be communicated to relevant functions. 
Examples include reducing incident response time, achieving a patching SLA, or completing security awareness training for all employees.",[29,2387,2389],{"id":2388},"clause-7-support","Clause 7: Support",[44,2391,2275],{"id":2392},"what-the-standard-requires-3",[11,2394,2395],{},"The organization must provide resources, ensure personnel competence, build awareness, establish communications, and manage documented information.",[44,2397,2282],{"id":2398},"how-to-implement-3",[11,2400,2401,2404],{},[61,2402,2403],{},"Allocate resources."," Budget for personnel, tools, training, and external services needed to establish and maintain the ISMS.",[11,2406,2407,2410],{},[61,2408,2409],{},"Ensure competence."," Identify the skills needed for ISMS roles and verify that personnel possess them. Maintain records of education, training, and experience. Where gaps exist, provide training or hire accordingly.",[11,2412,2413,2416],{},[61,2414,2415],{},"Build awareness."," All personnel must be aware of the information security policy, their contribution to the ISMS, and the consequences of not conforming. Awareness programs should be ongoing, not one-time events.",[11,2418,2419,2422],{},[61,2420,2421],{},"Define communication processes."," Determine what information about the ISMS needs to be communicated, when, to whom, and by what methods. 
This includes internal communications (policy updates, incident notifications) and external communications (customer inquiries, regulatory notifications).",[11,2424,2425,2428],{},[61,2426,2427],{},"Manage documentation."," ISO 27001 requires specific documented information including the scope, policy, risk assessment process, risk treatment plan, SoA, objectives, evidence of competence, operational planning records, risk assessment results, risk treatment results, monitoring and measurement results, internal audit results, management review results, and records of nonconformities and corrective actions.",[11,2430,2431],{},"Establish a documentation control process that covers creation, approval, distribution, revision, and retention. Documents must be available to those who need them and protected against unauthorized changes.",[29,2433,2435],{"id":2434},"clause-8-operation","Clause 8: Operation",[44,2437,2275],{"id":2438},"what-the-standard-requires-4",[11,2440,2441],{},"Plan, implement, and control the processes needed to meet ISMS requirements. Perform risk assessments at planned intervals and implement the risk treatment plan.",[44,2443,2282],{"id":2444},"how-to-implement-4",[11,2446,2447,2450],{},[61,2448,2449],{},"Implement controls."," Deploy the technical, organizational, people, and physical controls identified in your risk treatment plan and SoA. This is typically the most time-consuming phase.",[11,2452,2453,2456],{},[61,2454,2455],{},"Execute operational processes."," Establish the day-to-day processes that keep the ISMS running: change management, incident management, access control procedures, backup procedures, and vendor management.",[11,2458,2459,2462],{},[61,2460,2461],{},"Perform risk assessments."," Conduct risk assessments according to your planned schedule and when significant changes occur. Retain documented results.",[11,2464,2465,2468],{},[61,2466,2467],{},"Manage changes."," When planned changes are needed, control them. 
When unintended changes occur, review the consequences and take action to mitigate adverse effects.",[29,2470,2472],{"id":2471},"clause-9-performance-evaluation","Clause 9: Performance Evaluation",[44,2474,2275],{"id":2475},"what-the-standard-requires-5",[11,2477,2478],{},"Monitor, measure, analyze, and evaluate the ISMS. Conduct internal audits. Perform management reviews.",[44,2480,2282],{"id":2481},"how-to-implement-5",[11,2483,2484,2487],{},[61,2485,2486],{},"Define monitoring and measurement."," Determine what needs to be monitored (control effectiveness, incident trends, compliance metrics), when, by whom, and how results are analyzed. Common metrics include the number of security incidents, time to patch critical vulnerabilities, training completion rates, and audit finding closure rates.",[11,2489,2490,2493],{},[61,2491,2492],{},"Conduct internal audits."," Plan and execute internal audits at planned intervals. Audits must cover all ISMS requirements and be performed by auditors who are objective and impartial (they should not audit their own work). Document the audit program, criteria, scope, findings, and reports.",[11,2495,2496,2497,2500],{},"Internal audits are critical preparation for external ",[15,2498,2499],{"href":106},"certification audits",". They reveal nonconformities while there is still time to correct them.",[11,2502,2503,2506],{},[61,2504,2505],{},"Perform management reviews."," Top management must review the ISMS at planned intervals. Required inputs include the status of previous review actions, changes in context, feedback on performance (nonconformities, monitoring results, audit results), and opportunities for improvement. 
Outputs must include decisions and actions related to continual improvement.",[29,2508,2510],{"id":2509},"clause-10-improvement","Clause 10: Improvement",[44,2512,2275],{"id":2513},"what-the-standard-requires-6",[11,2515,2516],{},"Address nonconformities through corrective action and continually improve the ISMS.",[44,2518,2282],{"id":2519},"how-to-implement-6",[11,2521,2522,2525],{},[61,2523,2524],{},"Manage nonconformities."," When a nonconformity is identified (from audits, incidents, reviews, or operational issues), react to it, evaluate the need for corrective action, implement corrections, and review their effectiveness. Maintain records of nonconformities and corrective actions.",[11,2527,2528,2531],{},[61,2529,2530],{},"Drive continual improvement."," Establish mechanisms for identifying and implementing improvements. This can include trend analysis of incidents, benchmarking against industry practices, incorporating lessons learned, and acting on management review outputs.",[11,2533,2534],{},"The PDCA cycle means you are never finished. 
Each cycle of planning, implementing, checking, and acting should result in an ISMS that is incrementally more effective.",[29,2536,2538],{"id":2537},"documentation-requirements-summary","Documentation Requirements Summary",[11,2540,2541],{},"The following documented information is explicitly required by ISO 27001:",[55,2543,2544,2547,2550,2553,2556,2559,2562,2565,2568,2571,2574,2577,2580,2583,2586],{},[58,2545,2546],{},"ISMS scope (4.3)",[58,2548,2549],{},"Information security policy (5.2)",[58,2551,2552],{},"Risk assessment process (6.1.2)",[58,2554,2555],{},"Risk treatment plan (6.1.3)",[58,2557,2558],{},"Statement of Applicability (6.1.3)",[58,2560,2561],{},"Information security objectives (6.2)",[58,2563,2564],{},"Evidence of competence (7.2)",[58,2566,2567],{},"Documented information determined as necessary (7.5.1)",[58,2569,2570],{},"Operational planning and control (8.1)",[58,2572,2573],{},"Risk assessment results (8.2)",[58,2575,2576],{},"Risk treatment results (8.3)",[58,2578,2579],{},"Monitoring and measurement results (9.1)",[58,2581,2582],{},"Internal audit program and results (9.2)",[58,2584,2585],{},"Management review results (9.3)",[58,2587,2588],{},"Nonconformities and corrective actions (10.1)",[11,2590,2591],{},"Beyond these mandatory items, organizations typically create additional documentation including procedures, work instructions, technical standards, and operational guides. The volume should be proportionate to organizational size and complexity.",[29,2593,2595],{"id":2594},"practical-tips","Practical Tips",[11,2597,2598,2601],{},[61,2599,2600],{},"Start small and iterate."," You do not need to have everything perfect before starting. Implement the core processes, run a cycle, and improve based on what you learn.",[11,2603,2604,2607],{},[61,2605,2606],{},"Engage the whole organization."," An ISMS is not an IT project. 
It requires participation from HR, legal, operations, facilities, and every department that handles information within scope.",[11,2609,2610,2613],{},[61,2611,2612],{},"Automate where possible."," Manual evidence collection and documentation management become unsustainable as the ISMS matures. Platforms like episki automate control tracking, evidence linking, and review scheduling to reduce operational overhead.",[11,2615,2616,2619,2620,2623,2624,2626],{},[61,2617,2618],{},"Plan for surveillance from day one."," After ",[15,2621,2622],{"href":106},"certification",", you will face annual ",[15,2625,439],{"href":438},". Building sustainable processes from the start is far easier than retrofitting them later.",[11,2628,2629,2630,2632],{},"Learn more about how ",[15,2631,18],{"href":449}," works as a comprehensive framework for information security management.",{"title":452,"searchDepth":453,"depth":453,"links":2634},[2635,2636,2640,2644,2648,2652,2656,2660,2664,2665],{"id":2234,"depth":453,"text":2235},{"id":2270,"depth":453,"text":2271,"children":2637},[2638,2639],{"id":2274,"depth":459,"text":2275},{"id":2281,"depth":459,"text":2282},{"id":2308,"depth":453,"text":2309,"children":2641},[2642,2643],{"id":2312,"depth":459,"text":2275},{"id":2318,"depth":459,"text":2282},{"id":2342,"depth":453,"text":2343,"children":2645},[2646,2647],{"id":2346,"depth":459,"text":2275},{"id":2352,"depth":459,"text":2282},{"id":2388,"depth":453,"text":2389,"children":2649},[2650,2651],{"id":2392,"depth":459,"text":2275},{"id":2398,"depth":459,"text":2282},{"id":2434,"depth":453,"text":2435,"children":2653},[2654,2655],{"id":2438,"depth":459,"text":2275},{"id":2444,"depth":459,"text":2282},{"id":2471,"depth":453,"text":2472,"children":2657},[2658,2659],{"id":2475,"depth":459,"text":2275},{"id":2481,"depth":459,"text":2282},{"id":2509,"depth":453,"text":2510,"children":2661},[2662,2663],{"id":2513,"depth":459,"text":2275},{"id":2519,"depth":459,"text":2282},{"id":2537,"depth":453,"text":253
8},{"id":2594,"depth":453,"text":2595},"A step-by-step guide to implementing an Information Security Management System aligned with ISO 27001 clauses 4 through 10, including documentation requirements and practical advice.",{},[476,482],[485,1431,484,487,488],{"title":2671,"description":2672},"ISMS Implementation Guide for ISO 27001 — Step-by-Step (Clauses 4-10)","Implement your ISMS with this step-by-step ISO 27001 guide covering clauses 4-10, documentation requirements, and practical implementation advice.","5.frameworks\u002Fiso27001\u002Fisms-implementation","dA5km-AiOdo_UVdB7QLLNNeCYkQVBlPFeRQL-lgBKBE",{"id":2676,"title":2677,"body":2678,"description":3036,"extension":474,"faq":3037,"frameworkSlug":476,"lastUpdated":477,"meta":3054,"navigation":479,"path":768,"relatedTerms":3055,"relatedTopics":3056,"seo":3058,"stem":3061,"__hash__":3062},"frameworkTopics\u002F5.frameworks\u002Fiso27001\u002Fisms-scope.md","ISO 27001 ISMS Scope — Boundaries, Interfaces, and Context",{"type":8,"value":2679,"toc":3018},[2680,2683,2692,2696,2699,2719,2722,2726,2729,2733,2736,2740,2743,2747,2750,2754,2757,2761,2764,2768,2771,2775,2778,2781,2807,2810,2814,2817,2820,2852,2855,2859,2862,2865,2882,2885,2902,2907,2911,2914,2934,2939,2941,2959,2962,2964,3008,3010,3013],[11,2681,2682],{},"The scope statement is the shortest document in your ISMS and the one with the most leverage. It decides what your ISO 27001 certificate covers and what it does not. Certification auditors read it first. Enterprise customers read it when evaluating your certificate. And the scope you set determines how much effort, cost, and risk your ISMS programme carries for years.",[11,2684,2685,2686,2688,2689,2691],{},"Clause 4.3 of ",[15,2687,18],{"href":17}," requires that the organization determine the boundaries and applicability of the ",[15,2690,23],{"href":22}," to establish its scope. That sounds simple. 
In practice, scope decisions are where many ISO 27001 programmes quietly set themselves up for trouble.",[29,2693,2695],{"id":2694},"what-iso-27001-requires","What ISO 27001 requires",[11,2697,2698],{},"Clause 4.3 has three inputs that must be considered when setting scope:",[55,2700,2701,2707,2713],{},[58,2702,2703,2706],{},[61,2704,2705],{},"The external and internal issues identified under Clause 4.1."," Market conditions, regulatory landscape, internal culture, technology dependencies.",[58,2708,2709,2712],{},[61,2710,2711],{},"The requirements of interested parties identified under Clause 4.2."," Customers, regulators, investors, employees, partners, and their relevant information security expectations.",[58,2714,2715,2718],{},[61,2716,2717],{},"The interfaces and dependencies between activities performed by the organization and those performed by other organizations."," Cloud providers, managed services, contractors, subsidiaries, and shared services.",[11,2720,2721],{},"The scope must be available as documented information. Most organizations produce a formal scope statement as part of the ISMS manual, with enough detail to stand on its own if extracted.",[29,2723,2725],{"id":2724},"what-a-scope-statement-should-include","What a scope statement should include",[11,2727,2728],{},"A credible ISO 27001 scope statement covers six dimensions:",[44,2730,2732],{"id":2731},"_1-organizational-boundaries","1. Organizational boundaries",[11,2734,2735],{},"Which legal entities, business units, divisions, or subsidiaries are covered. If your parent company operates multiple regulated subsidiaries, the scope should be explicit about which are included.",[44,2737,2739],{"id":2738},"_2-locations","2. Locations",[11,2741,2742],{},"Physical and logical locations within scope. Offices, data centers, colocation facilities, remote work arrangements, and cloud regions. 
For distributed organizations, scope often covers specific regions or excludes locations without in-scope activities.",[44,2744,2746],{"id":2745},"_3-products-and-services","3. Products and services",[11,2748,2749],{},"Which products or services the ISMS protects. A SaaS company might scope its ISMS to the production platform and supporting functions, explicitly excluding unrelated consulting arms.",[44,2751,2753],{"id":2752},"_4-processes","4. Processes",[11,2755,2756],{},"Which business processes are within scope. Customer data processing, product development, incident response, HR onboarding, finance, and so on. Processes that handle in-scope information must be included even if they sit in a business function that is otherwise out of scope.",[44,2758,2760],{"id":2759},"_5-technology","5. Technology",[11,2762,2763],{},"Which systems, platforms, and infrastructure are within scope. This often overlaps with products and services but should also call out supporting tooling like identity providers, monitoring platforms, collaboration tools, and ticketing systems.",[44,2765,2767],{"id":2766},"_6-information-types","6. Information types",[11,2769,2770],{},"Which information assets the ISMS protects. Customer data, intellectual property, employee records, financial data, or specific regulated data types.",[29,2772,2774],{"id":2773},"defining-boundaries","Defining boundaries",[11,2776,2777],{},"Boundaries are the edges of your ISMS. Inside the boundary, ISO 27001 controls apply. Outside, they do not. 
Clear boundaries prevent audit disputes about whether a control failure falls within scope.",[11,2779,2780],{},"Boundaries should be drawn by:",[55,2782,2783,2789,2795,2801],{},[58,2784,2785,2788],{},[61,2786,2787],{},"Logical separation."," Networks, accounts, environments, and data flows that can be cleanly isolated from out-of-scope systems.",[58,2790,2791,2794],{},[61,2792,2793],{},"Organizational separation."," Distinct teams, reporting lines, and access controls between in-scope and out-of-scope operations.",[58,2796,2797,2800],{},[61,2798,2799],{},"Physical separation."," Different buildings, floors, or secured areas.",[58,2802,2803,2806],{},[61,2804,2805],{},"Contractual separation."," Documented agreements with parent entities, subsidiaries, or shared service providers that clarify responsibility.",[11,2808,2809],{},"Where separation is weaker, the case for including those adjacent activities in scope strengthens. Trying to carve a tight scope through tightly integrated operations creates more risk than it saves.",[29,2811,2813],{"id":2812},"defining-interfaces","Defining interfaces",[11,2815,2816],{},"Interfaces are where in-scope activities meet out-of-scope activities, either inside your organization or with third parties. Clause 4.3 specifically requires that interfaces be considered when scoping. Auditors will ask how you handle each interface.",[11,2818,2819],{},"Typical interfaces include:",[55,2821,2822,2828,2834,2840,2846],{},[58,2823,2824,2827],{},[61,2825,2826],{},"Cloud providers."," You consume their services. They provide infrastructure, platform, or software controls. Your ISMS covers how you use their services, configure them, and manage your responsibilities under the shared responsibility model.",[58,2829,2830,2833],{},[61,2831,2832],{},"Managed service providers."," Third parties operating in-scope activities on your behalf. 
Scope should address contractual controls, monitoring, and right to audit.",[58,2835,2836,2839],{},[61,2837,2838],{},"Parent or sister companies."," Shared HR, finance, IT, or security functions that cross the ISMS boundary. Scope should clarify how those shared functions are controlled.",[58,2841,2842,2845],{},[61,2843,2844],{},"Contractors and consultants."," Time-limited access to in-scope systems or data. Scope should describe how access is governed.",[58,2847,2848,2851],{},[61,2849,2850],{},"Customer-facing interfaces."," How customer data flows in and out, and where responsibility transitions.",[11,2853,2854],{},"A common auditor test is to trace a piece of customer data through every interface and confirm that controls and responsibilities are clear at each boundary crossing.",[29,2856,2858],{"id":2857},"organizational-context-clause-41","Organizational context (Clause 4.1)",[11,2860,2861],{},"Clause 4.1 requires the organization to determine external and internal issues relevant to its purpose that affect its ability to achieve the intended outcomes of the ISMS. The scope flows from this context.",[11,2863,2864],{},"External issues commonly include:",[55,2866,2867,2870,2873,2876,2879],{},[58,2868,2869],{},"Regulatory environment. GDPR, HIPAA, state privacy laws, sector regulation.",[58,2871,2872],{},"Customer expectations. Enterprise procurement requirements, vertical-specific standards.",[58,2874,2875],{},"Threat landscape. Ransomware trends, supply chain attacks, relevant threat actors.",[58,2877,2878],{},"Technology trends. Cloud adoption, AI integration, remote work norms.",[58,2880,2881],{},"Economic and geopolitical conditions. Sanctions, export controls, market pressures.",[11,2883,2884],{},"Internal issues commonly include:",[55,2886,2887,2890,2893,2896,2899],{},[58,2888,2889],{},"Organizational structure. Growth stage, distributed or centralized operations.",[58,2891,2892],{},"Culture. 
Security maturity, engineering velocity, risk tolerance.",[58,2894,2895],{},"Technology estate. Legacy systems, cloud-native architecture, SaaS sprawl.",[58,2897,2898],{},"Resourcing. Team size, budget constraints, leadership engagement.",[58,2900,2901],{},"Change pace. Product release frequency, M&A activity, reorganizations.",[11,2903,2904,2905,108],{},"The context analysis is usually captured in a short document that feeds into the scope statement and into ",[15,2906,370],{"href":369},[29,2908,2910],{"id":2909},"interested-parties-clause-42","Interested parties (Clause 4.2)",[11,2912,2913],{},"Clause 4.2 requires identifying interested parties relevant to the ISMS and their relevant requirements. Interested parties typically include:",[55,2915,2916,2919,2922,2925,2928,2931],{},[58,2917,2918],{},"Customers, particularly enterprise and regulated customers with security requirements in contracts.",[58,2920,2921],{},"Regulators whose rules touch the in-scope information or services.",[58,2923,2924],{},"Employees, whose data is typically in scope and who depend on the ISMS for their own protection.",[58,2926,2927],{},"Shareholders and investors.",[58,2929,2930],{},"Partners and suppliers.",[58,2932,2933],{},"Certification bodies and accreditation bodies.",[11,2935,2936,2937,108],{},"For each, record the requirements relevant to the ISMS. Customer security addenda, regulatory obligations, and investor due diligence expectations all inform scope and control decisions. These requirements also frequently drive the ",[15,2938,382],{"href":381},[29,2940,746],{"id":745},[11,2942,2943,2944,2946,2947,2949,2950,2952,2953,2956,2957,108],{},"Scope sits at the foundation of the entire ISMS. Everything downstream depends on it. ",[15,2945,752],{"href":507}," builds inside the scope boundary. The ",[15,2948,382],{"href":381}," selects controls for the scope. The ",[15,2951,370],{"href":369}," assesses risks to assets within scope. 
The ",[15,2954,2955],{"href":865},"certification body"," audits against scope during the ",[15,2958,107],{"href":106},[11,2960,2961],{},"When scope changes, everything downstream must be reviewed. Adding a new product line, a new office, or a major new service usually triggers a scope update that cascades through the rest of the ISMS.",[29,2963,774],{"id":773},[55,2965,2966,2972,2978,2984,2990,2996,3002],{},[58,2967,2968,2971],{},[61,2969,2970],{},"Scope too narrow."," Excluding activities that customers expect to be covered. A SaaS scope that excludes the shared identity provider used by the platform will raise procurement objections.",[58,2973,2974,2977],{},[61,2975,2976],{},"Scope too broad."," Including every activity in the organization inflates audit cost and effort. Consulting practices, sales operations, and unrelated business lines often do not belong.",[58,2979,2980,2983],{},[61,2981,2982],{},"Vague scope statement."," \"All operations\" is not a scope. Auditors need specificity.",[58,2985,2986,2989],{},[61,2987,2988],{},"Ignoring interfaces."," Cloud providers, shared services, and contractors are almost always in scope in some capacity and must be addressed.",[58,2991,2992,2995],{},[61,2993,2994],{},"Copying scope from a competitor's certificate."," What works for one organization may not match yours.",[58,2997,2998,3001],{},[61,2999,3000],{},"Failing to revisit scope."," Business changes quickly. A scope written in year one may not match the organization by year three.",[58,3003,3004,3007],{},[61,3005,3006],{},"Disconnection between scope and SoA."," Controls listed as applicable in the SoA must cover the scope described in the scope statement.",[29,3009,816],{"id":815},[11,3011,3012],{},"episki captures your ISMS scope, interfaces, interested parties, and organizational context as structured data rather than a static document. When scope changes, downstream controls, risks, and SoA entries are flagged for review automatically. 
The platform produces a clean, auditor-ready scope statement linked to the supporting context artifacts so certification bodies and customers can understand exactly what the ISMS covers.",[11,3014,822,3015,3017],{},[15,3016,825],{"href":17}," for how scope connects to the full certification journey.",{"title":452,"searchDepth":453,"depth":453,"links":3019},[3020,3021,3029,3030,3031,3032,3033,3034,3035],{"id":2694,"depth":453,"text":2695},{"id":2724,"depth":453,"text":2725,"children":3022},[3023,3024,3025,3026,3027,3028],{"id":2731,"depth":459,"text":2732},{"id":2738,"depth":459,"text":2739},{"id":2745,"depth":459,"text":2746},{"id":2752,"depth":459,"text":2753},{"id":2759,"depth":459,"text":2760},{"id":2766,"depth":459,"text":2767},{"id":2773,"depth":453,"text":2774},{"id":2812,"depth":453,"text":2813},{"id":2857,"depth":453,"text":2858},{"id":2909,"depth":453,"text":2910},{"id":745,"depth":453,"text":746},{"id":773,"depth":453,"text":774},{"id":815,"depth":453,"text":816},"Define an ISO 27001 ISMS scope that satisfies auditors and customers, covering boundaries, interfaces, interested parties, and organizational context.",{"items":3038},[3039,3042,3045,3048,3051],{"label":3040,"content":3041},"What is the ISMS scope in ISO 27001?","The ISMS scope defines the boundaries of your information security management system. It states which business units, locations, processes, technologies, and information are covered by the ISMS and, by extension, by your ISO 27001 certificate.",{"label":3043,"content":3044},"Can the ISMS scope cover only part of the organization?","Yes. ISO 27001 allows a scope limited to specific business lines, products, or locations. However, the boundaries must be justified, and interfaces with out-of-scope parts of the organization must be defined and controlled. 
Customers may probe the scope to ensure it covers what matters to them.",{"label":3046,"content":3047},"What is the difference between scope and Statement of Applicability?","The scope defines what the ISMS covers. The Statement of Applicability defines which Annex A controls apply within that scope. Scope is about boundaries. The SoA is about control selection.",{"label":3049,"content":3050},"Do I need to include all cloud services in scope?","Yes, if they process or store information within the ISMS scope. You need to describe the interface with cloud providers, the responsibilities handled by those providers, and the controls you apply to the services. The cloud provider itself is not certified under your ISMS, but your use of it must be.",{"label":3052,"content":3053},"How often should I review the ISMS scope?","Review scope at least annually as part of management review, and whenever significant change occurs such as a new business line, acquisition, major product launch, or geographic expansion.",{},[476,482,484],[486,484,3057,487],"certification-body-selection",{"title":3059,"description":3060},"ISO 27001 ISMS Scope — Define Boundaries & Interfaces","Define your ISO 27001 ISMS scope with clear boundaries, interfaces, interested parties, and context. 
Avoid scoping mistakes that fail audits.","5.frameworks\u002Fiso27001\u002Fisms-scope","s9ML_L2njzE8Qcwzv2Q-w0FJdwLGCcsUhG9cfDUoMgE",{"id":3064,"title":3065,"body":3066,"description":3331,"extension":474,"faq":3332,"frameworkSlug":476,"lastUpdated":477,"meta":3349,"navigation":479,"path":1513,"relatedTerms":3350,"relatedTopics":3352,"seo":3353,"stem":3356,"__hash__":3357},"frameworkTopics\u002F5.frameworks\u002Fiso27001\u002Fmanagement-review.md","ISO 27001 Management Review (Clause 9.3)",{"type":8,"value":3067,"toc":3320},[3068,3077,3080,3084,3087,3090,3094,3097,3100,3104,3107,3181,3184,3188,3191,3223,3226,3230,3233,3236,3240,3243,3257,3260,3262,3265,3270,3272,3310,3312,3315],[11,3069,3070,3071,3073,3074,3076],{},"Clause 9.3 of ",[15,3072,18],{"href":17}," requires top management to review the organization's ",[15,3075,23],{"href":22}," at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. Of all the clauses in ISO 27001, this is the one where certification auditors most consistently find weak evidence. A calendar invite titled \"Security Review\" with no agenda, no minutes, and no decisions will not pass Stage 2.",[11,3078,3079],{},"Management review is also the clause where ISO 27001 most clearly communicates a cultural expectation: information security is a leadership responsibility, not a technical hobby. Done well, the management review becomes one of the most valuable recurring events in the security calendar because it forces leadership to see the ISMS as it really is, not how anyone wishes it looked.",[29,3081,3083],{"id":3082},"what-clause-93-requires","What Clause 9.3 requires",[11,3085,3086],{},"Clause 9.3.1 requires top management to review the ISMS at planned intervals to ensure it remains suitable, adequate, and effective. Clause 9.3.2 lists specific required inputs. 
Clause 9.3.3 requires that outputs of the review include decisions related to continual improvement opportunities and any need for changes to the ISMS, and that the organization retain documented information as evidence of the results of management reviews.",[11,3088,3089],{},"The implication is that management review is not just a meeting. It is an evidence-producing event with defined inputs, documented decisions, and traceable outputs.",[29,3091,3093],{"id":3092},"cadence-how-often-to-review","Cadence — how often to review",[11,3095,3096],{},"The standard says \"at planned intervals\" without prescribing a specific cadence. In practice, certification bodies expect at least one comprehensive management review per year covering all required inputs. Many organizations run a lighter quarterly review focused on specific topics like risk changes, audit findings, or metrics trends, and reserve the full review for an annual off-site or strategic session.",[11,3098,3099],{},"Very high-growth companies or those in heavily regulated industries sometimes run monthly management reviews. Smaller or more stable organizations can credibly operate on an annual cycle. Whatever cadence you choose, document it in your ISMS procedures and stick to it. Auditors will ask when the last review happened and compare that against your stated cadence.",[29,3101,3103],{"id":3102},"required-inputs","Required inputs",[11,3105,3106],{},"Clause 9.3.2 lists the inputs the review must consider. 
A complete management review agenda covers:",[55,3108,3109,3115,3121,3127,3133,3142,3151,3160,3166,3175],{},[58,3110,3111,3114],{},[61,3112,3113],{},"Status of actions from previous management reviews."," Which decisions were executed, which are still in progress, which were dropped and why.",[58,3116,3117,3120],{},[61,3118,3119],{},"Changes in external and internal issues relevant to the ISMS."," Regulatory shifts, new customers with different requirements, major technology changes, organizational restructuring.",[58,3122,3123,3126],{},[61,3124,3125],{},"Feedback on information security performance."," Metrics on incidents, control effectiveness, training completion, phishing simulation results, patch compliance.",[58,3128,3129,3132],{},[61,3130,3131],{},"Feedback from interested parties."," Customer security questionnaires, regulatory feedback, auditor observations from external parties.",[58,3134,3135,3138,3139,3141],{},[61,3136,3137],{},"Results of risk assessment and risk treatment plan status."," Changes to the ",[15,3140,370],{"href":369},", new risks identified, status of risk treatments.",[58,3143,3144,3147,3148,3150],{},[61,3145,3146],{},"Opportunities for continual improvement."," Ideas surfaced from internal ",[15,3149,2112],{"href":1896}," efforts, staff suggestions, or industry changes.",[58,3152,3153,3156,3157,108],{},[61,3154,3155],{},"Nonconformities and corrective actions."," Status of open and closed ",[15,3158,3159],{"href":1546},"nonconformities and corrective actions",[58,3161,3162,3165],{},[61,3163,3164],{},"Monitoring and measurement results."," KPIs tracked against the ISMS.",[58,3167,3168,3171,3172,3174],{},[61,3169,3170],{},"Audit results."," Internal audit findings from the ",[15,3173,1535],{"href":1534}," programme and external audit findings if any.",[58,3176,3177,3180],{},[61,3178,3179],{},"Fulfillment of information security objectives."," Progress against the measurable objectives set under Clause 6.2.",[11,3182,3183],{},"Not every 
input needs to be a deep dive at every review. A quarterly cycle might rotate focus, while the annual review covers everything. What auditors want to see is evidence that over the course of your review cycle, every input was considered.",[29,3185,3187],{"id":3186},"required-outputs","Required outputs",[11,3189,3190],{},"Clause 9.3.3 requires outputs related to continual improvement opportunities and any changes needed in the ISMS. Documented outputs typically include:",[55,3192,3193,3199,3205,3211,3217],{},[58,3194,3195,3198],{},[61,3196,3197],{},"Decisions."," Specific, assigned, time-bound decisions. \"We will increase the security engineering headcount by one in Q3 2026\" is a decision. \"Security is important\" is not.",[58,3200,3201,3204],{},[61,3202,3203],{},"Changes to the ISMS."," Updates to scope, policies, controls, or procedures.",[58,3206,3207,3210],{},[61,3208,3209],{},"Resource commitments."," Budget, headcount, or tooling decisions.",[58,3212,3213,3216],{},[61,3214,3215],{},"Updated information security objectives."," Revised or reaffirmed objectives for the next period.",[58,3218,3219,3222],{},[61,3220,3221],{},"Acknowledged risks."," Risks that leadership has reviewed and accepted.",[11,3224,3225],{},"The management review output is often the strongest evidence auditors use to confirm that top management is genuinely engaged with the ISMS. Vague outputs signal a rubber-stamp review and invite deeper questioning.",[29,3227,3229],{"id":3228},"who-attends","Who attends",[11,3231,3232],{},"Top management means people with the authority to allocate resources and change organizational direction. In a small technology company this is typically the CEO, CTO, and COO. 
In a larger organization it may be a dedicated information security committee chaired by the CISO and including department heads with revenue, product, legal, and operations responsibility.",[11,3234,3235],{},"Supporting roles such as the ISMS owner, compliance lead, internal audit lead, and risk manager usually present material. Their attendance is expected, but they cannot substitute for the actual decision-makers. A management review where no one with budget authority is present will not satisfy Clause 9.3.",[29,3237,3239],{"id":3238},"documentation-expectations","Documentation expectations",[11,3241,3242],{},"The review must produce documented information as evidence. At a minimum, retain:",[55,3244,3245,3248,3251,3254],{},[58,3246,3247],{},"Meeting minutes or a review report capturing inputs discussed, participants, and outputs.",[58,3249,3250],{},"A record of attendees including roles, to demonstrate top management participation.",[58,3252,3253],{},"Supporting materials such as metrics dashboards, audit reports, and risk updates presented at the review.",[58,3255,3256],{},"Action logs tracking decisions to closure.",[11,3258,3259],{},"Minutes should be specific enough that an outside reader can reconstruct what was considered and decided. \"Discussed risk\" is not enough. \"Reviewed residual risk on vendor management, noting three vendors with overdue annual reviews. Decision: reassign vendor review owner by April 30 and complete reviews by May 31. Owner: CTO.\" is the right level of detail.",[29,3261,746],{"id":745},[11,3263,3264],{},"Management review sits inside Clause 9 (Performance Evaluation) alongside monitoring, measurement, analysis, evaluation, and internal audit. It is the moment where all of those inputs converge and leadership formally acts on them. Without management review, the rest of Clause 9 produces information but no decisions.",[11,3266,3267,3268,108],{},"Management review is also a critical bridge into Clause 10 (Improvement). 
Outputs feed directly into nonconformity handling and continual improvement. For first-time certifiers, at least one management review with complete inputs and outputs must be documented before Stage 2 of the ",[15,3269,107],{"href":106},[29,3271,774],{"id":773},[55,3273,3274,3280,3286,3292,3298,3304],{},[58,3275,3276,3279],{},[61,3277,3278],{},"Running the meeting but not documenting it."," Verbal commitments do not satisfy ISO 27001. If it is not in the minutes, it did not happen.",[58,3281,3282,3285],{},[61,3283,3284],{},"Skipping inputs."," Omitting risk assessment results or audit findings from the agenda will surface as a nonconformity.",[58,3287,3288,3291],{},[61,3289,3290],{},"No top management in the room."," Delegating the entire review to the security team invalidates it as a management review.",[58,3293,3294,3297],{},[61,3295,3296],{},"Repeating the same outputs every cycle."," Outputs should evolve as the ISMS matures. Identical decisions year after year suggest the review is ceremonial.",[58,3299,3300,3303],{},[61,3301,3302],{},"Treating the review as a report-out, not a decision forum."," The purpose is to decide, not to inform.",[58,3305,3306,3309],{},[61,3307,3308],{},"Holding the review too close to the certification audit."," Auditors want to see the review in normal operating cadence, not a one-time event manufactured for audit preparation.",[29,3311,816],{"id":815},[11,3313,3314],{},"episki generates the management review pack automatically from your control graph, risk register, audit findings, and metrics, so the ISMS owner is not spending a week assembling slides every quarter. 
Decisions made during the review are captured as tracked actions with owners and due dates, and the full review record is retained as documented information ready for external auditors.",[11,3316,822,3317,3319],{},[15,3318,825],{"href":17}," for how management review connects to the rest of the ISMS lifecycle.",{"title":452,"searchDepth":453,"depth":453,"links":3321},[3322,3323,3324,3325,3326,3327,3328,3329,3330],{"id":3082,"depth":453,"text":3083},{"id":3092,"depth":453,"text":3093},{"id":3102,"depth":453,"text":3103},{"id":3186,"depth":453,"text":3187},{"id":3228,"depth":453,"text":3229},{"id":3238,"depth":453,"text":3239},{"id":745,"depth":453,"text":746},{"id":773,"depth":453,"text":774},{"id":815,"depth":453,"text":816},"How ISO 27001 Clause 9.3 management reviews work, including required inputs and outputs, cadence, documentation, and demonstrating leadership engagement.",{"items":3333},[3334,3337,3340,3343,3346],{"label":3335,"content":3336},"How often should ISO 27001 management reviews happen?","ISO 27001 requires management reviews at planned intervals. Most organizations hold at least one full review annually, and many run a lighter quarterly review to keep leadership engaged between annual deep reviews.",{"label":3338,"content":3339},"Who must attend an ISO 27001 management review?","Top management must participate. For most companies this means executives with authority to allocate resources and change direction, such as the CEO, CTO, CISO, or equivalent. 
Supporting roles like the ISMS owner, compliance lead, and risk manager typically present material but do not substitute for top management attendance.",{"label":3341,"content":3342},"What are the required inputs to a management review?","Clause 9.3.2 lists required inputs including the status of actions from prior reviews, changes in external and internal issues, ISMS performance and effectiveness, audit results, risk assessment results, fulfillment of information security objectives, nonconformities and corrective actions, monitoring and measurement results, and opportunities for improvement.",{"label":3344,"content":3345},"What counts as an output of management review?","Outputs are decisions that drive action. Typical outputs include changes to the ISMS, resource decisions, updated information security objectives, improvement opportunities to pursue, and acknowledged risks requiring attention. Outputs must be documented.",{"label":3347,"content":3348},"Can management review be combined with other executive meetings?","Yes, as long as ISO 27001 inputs are covered and outputs are specifically documented as management review outputs. 
Many organizations run management review as a standing agenda item in an existing risk or security steering committee.",{},[476,482,3351],"grc",[1901,2212,1903,487],{"title":3354,"description":3355},"ISO 27001 Management Review — Clause 9.3 Inputs & Outputs","Run ISO 27001 Clause 9.3 management reviews with the right inputs, outputs, cadence, and documentation to satisfy auditors and drive ISMS improvement.","5.frameworks\u002Fiso27001\u002Fmanagement-review","EaBJSbCxJGE_pc_vp9p3EShtml69D9FHZLwWNi5UQn8",{"id":3359,"title":3360,"body":3361,"description":3722,"extension":474,"faq":3723,"frameworkSlug":476,"lastUpdated":477,"meta":3740,"navigation":479,"path":1546,"relatedTerms":3741,"relatedTopics":3743,"seo":3744,"stem":3747,"__hash__":3748},"frameworkTopics\u002F5.frameworks\u002Fiso27001\u002Fnonconformity-and-corrective-action.md","ISO 27001 Nonconformity and Corrective Action (Clauses 10.1 and 10.2)",{"type":8,"value":3362,"toc":3705},[3363,3372,3375,3379,3382,3385,3405,3408,3411,3415,3418,3468,3471,3475,3479,3482,3502,3505,3509,3512,3516,3519,3522,3526,3529,3543,3547,3550,3554,3557,3568,3571,3575,3578,3582,3585,3592,3606,3609,3614,3625,3628,3630,3644,3649,3651,3695,3697,3700],[11,3364,3365,3366,3368,3369,3371],{},"Clauses 10.1 and 10.2 of ",[15,3367,18],{"href":17}," govern how your ",[15,3370,23],{"href":22}," responds when something fails to meet a requirement. Every ISMS will generate nonconformities. The question is not whether they happen but whether your organization handles them in a structured, evidence-producing way that drives real improvement rather than just documentation theater.",[11,3373,3374],{},"The corrective action process, often referred to as CAPA (corrective and preventive action, inherited from quality management systems), is one of the most auditor-visible parts of your ISO 27001 programme. 
Certification auditors will sample open and closed nonconformities, verify that root causes were actually identified, and check that corrective actions were verified for effectiveness. Weakness here reliably produces findings.",[29,3376,3378],{"id":3377},"what-clauses-101-and-102-actually-say","What Clauses 10.1 and 10.2 actually say",[11,3380,3381],{},"Clause 10.1 (Continual Improvement) sets the expectation that the organization continually improves the suitability, adequacy, and effectiveness of the ISMS. In the 2022 revision this clause is short and points forward to the improvement activities described in the rest of Clause 10 and elsewhere.",[11,3383,3384],{},"Clause 10.2 (Nonconformity and Corrective Action) is the operational heart. When a nonconformity occurs, the organization must:",[55,3386,3387,3390,3393,3396,3399,3402],{},[58,3388,3389],{},"React to the nonconformity and take action to control and correct it.",[58,3391,3392],{},"Deal with the consequences.",[58,3394,3395],{},"Evaluate the need for action to eliminate the causes of the nonconformity so it does not recur, by reviewing the nonconformity, determining its causes, and determining if similar nonconformities exist or could occur.",[58,3397,3398],{},"Implement any action needed.",[58,3400,3401],{},"Review the effectiveness of any corrective action taken.",[58,3403,3404],{},"Make changes to the ISMS if necessary.",[11,3406,3407],{},"The organization must also retain documented information as evidence of the nature of the nonconformities, actions taken, and results.",[11,3409,3410],{},"This is a complete loop: detect, contain, analyze, fix, verify, evidence. Miss a step and the finding is effectively incomplete.",[29,3412,3414],{"id":3413},"where-nonconformities-come-from","Where nonconformities come from",[11,3416,3417],{},"Nonconformities surface from many sources. 
A well-designed ISMS captures them from every one of those sources:",[55,3419,3420,3429,3435,3441,3447,3453,3462],{},[58,3421,3422,3428],{},[61,3423,3424,3427],{},[15,3425,3426],{"href":1534},"Internal audit"," findings."," The most structured source. Internal auditors identify gaps against ISO 27001, your own policies, or contractual requirements.",[58,3430,3431,3434],{},[61,3432,3433],{},"External audit findings."," From certification bodies during Stage 1, Stage 2, or surveillance audits.",[58,3436,3437,3440],{},[61,3438,3439],{},"Security incidents."," An incident that reveals a control was not operating as documented is a nonconformity even after the incident is contained.",[58,3442,3443,3446],{},[61,3444,3445],{},"Customer or regulator feedback."," A customer reporting a policy violation or a regulator flagging noncompliance.",[58,3448,3449,3452],{},[61,3450,3451],{},"Self-reported issues."," Engineers, ops staff, or managers noticing that a process is not being followed and raising it.",[58,3454,3455,3461],{},[61,3456,3457,3460],{},[15,3458,3459],{"href":1513},"Management review"," discussions."," Leadership identifying systemic issues during review.",[58,3463,3464,3467],{},[61,3465,3466],{},"Risk assessment updates."," Reassessing risk and finding existing controls are insufficient.",[11,3469,3470],{},"The more paths you have for nonconformities to surface, the healthier your ISMS. Organizations where all nonconformities come from external audits are not catching problems themselves.",[29,3472,3474],{"id":3473},"the-capa-workflow-step-by-step","The CAPA workflow step by step",[44,3476,3478],{"id":3477},"_1-identification-and-recording","1. Identification and recording",[11,3480,3481],{},"When a nonconformity is identified, record it immediately. 
Every nonconformity record should include:",[55,3483,3484,3487,3490,3493,3496,3499],{},[58,3485,3486],{},"Unique identifier.",[58,3488,3489],{},"Date identified and by whom.",[58,3491,3492],{},"Source (internal audit, incident, etc.).",[58,3494,3495],{},"Description referencing the specific requirement that was not met.",[58,3497,3498],{},"Evidence of the nonconformity.",[58,3500,3501],{},"Initial severity classification.",[11,3503,3504],{},"Entering nonconformities into a structured system, not an email thread, is essential for later auditor review.",[44,3506,3508],{"id":3507},"_2-immediate-correction-and-containment","2. Immediate correction and containment",[11,3510,3511],{},"Before root cause analysis, contain the problem. If an access review was missed, complete it. If a control stopped operating, restart it. If an incident is in progress, follow incident response to contain it. Correction addresses the immediate issue and limits the blast radius.",[44,3513,3515],{"id":3514},"_3-root-cause-analysis","3. Root cause analysis",[11,3517,3518],{},"This is where weak programmes fail. Root cause analysis asks why the nonconformity happened, not just what happened. Techniques include 5 Whys, fishbone diagrams, and fault tree analysis. The depth should match the severity: a minor isolated issue may only need a brief analysis, while a systemic issue deserves deeper investigation.",[11,3520,3521],{},"Root cause analysis should end with a statement of underlying cause that could plausibly lead to a corrective action. \"The access review was not completed because the owner was on vacation\" is a symptom. \"The access review process has no backup owner and no automated reminder, so it fails whenever the primary owner is unavailable\" is a root cause.",[44,3523,3525],{"id":3524},"_4-corrective-action-planning","4. Corrective action planning",[11,3527,3528],{},"Based on the root cause, plan corrective actions. 
A corrective action should be:",[55,3530,3531,3534,3537,3540],{},[58,3532,3533],{},"Specific. Not \"improve the process\" but \"assign a backup owner and enable automated reminders in the GRC platform.\"",[58,3535,3536],{},"Owned. A named person is responsible.",[58,3538,3539],{},"Time-bound. With a target completion date appropriate to severity.",[58,3541,3542],{},"Evidence-producing. The action should generate artifacts that prove completion.",[44,3544,3546],{"id":3545},"_5-implementation","5. Implementation",[11,3548,3549],{},"Execute the corrective action. Retain evidence of implementation, such as updated policies, new automation, training records, or configuration changes.",[44,3551,3553],{"id":3552},"_6-verification-of-effectiveness","6. Verification of effectiveness",[11,3555,3556],{},"ISO 27001 specifically requires review of effectiveness, not just evidence of implementation. This is the step most often missed. Verification asks whether the corrective action actually prevented recurrence. Depending on the nature of the action, verification might include:",[55,3558,3559,3562,3565],{},[58,3560,3561],{},"Re-auditing the affected area after a defined interval.",[58,3563,3564],{},"Reviewing metrics for the affected control over time.",[58,3566,3567],{},"Sampling additional records to confirm the fix is operating.",[11,3569,3570],{},"Only after verification is the nonconformity closed.",[44,3572,3574],{"id":3573},"_7-systemic-evaluation","7. Systemic evaluation",[11,3576,3577],{},"Clause 10.2 also requires evaluating whether similar nonconformities exist elsewhere or could occur. A single missed access review in one system might point to a gap in every access review process across the organization. 
This step is what separates corrective action from reactive firefighting.",[29,3579,3581],{"id":3580},"distinguishing-major-and-minor-nonconformities","Distinguishing major and minor nonconformities",[11,3583,3584],{},"Classifications affect how urgently a nonconformity must be handled and, in the case of external audits, whether certification is at risk.",[11,3586,3587,3588,3591],{},"A ",[61,3589,3590],{},"major nonconformity"," is typically:",[55,3593,3594,3597,3600,3603],{},[58,3595,3596],{},"Absence of a required element of the ISMS.",[58,3598,3599],{},"Systemic failure of a process.",[58,3601,3602],{},"Multiple minor nonconformities in the same area indicating a broader issue.",[58,3604,3605],{},"A control that is fundamentally not operating.",[11,3607,3608],{},"A major nonconformity raised by a certification body must be resolved before a certificate is issued; for an already certified organization, an unaddressed major nonconformity will result in suspension of the existing certificate.",[11,3610,3587,3611,3591],{},[61,3612,3613],{},"minor nonconformity",[55,3615,3616,3619,3622],{},[58,3617,3618],{},"An isolated failure within an otherwise functioning process.",[58,3620,3621],{},"A documentation gap that does not affect control operation.",[58,3623,3624],{},"A process deviation that is not yet systemic.",[11,3626,3627],{},"Minor nonconformities usually have a fixed remediation window, often 90 days, before the certification body follows up.",[29,3629,746],{"id":745},[11,3631,3632,3633,3636,3637,3640,3641,3643],{},"Nonconformity handling is where Clauses 9 and 10 meet. ",[15,3634,3635],{"href":1534},"Internal audits"," and ",[15,3638,3639],{"href":1513},"management reviews"," under Clause 9 surface nonconformities. Clause 10 processes them. 
Outputs from corrective action feed back into ",[15,3642,2112],{"href":1896}," as systemic learnings and often trigger updates to risk treatment or the Statement of Applicability.",[11,3645,1792,3646,3648],{},[15,3647,107],{"href":106},", auditors will review your nonconformity log both from internal audits and from operational sources. Closed nonconformities with weak root cause analysis or no effectiveness verification are a leading cause of findings during Stage 2.",[29,3650,774],{"id":773},[55,3652,3653,3659,3665,3671,3677,3683,3689],{},[58,3654,3655,3658],{},[61,3656,3657],{},"Correction without corrective action."," Fixing the immediate issue without addressing the root cause guarantees recurrence.",[58,3660,3661,3664],{},[61,3662,3663],{},"Root causes that are not really root causes."," Stopping at \"the person forgot\" rather than investigating why the process allowed forgetting is a shallow analysis.",[58,3666,3667,3670],{},[61,3668,3669],{},"No effectiveness verification."," Closing a nonconformity the day the fix ships misses the point. 
Effectiveness must be reviewed after the action has had time to operate.",[58,3672,3673,3676],{},[61,3674,3675],{},"Closing nonconformities too quickly to clear the backlog."," Auditors notice, and reopening a closed nonconformity looks worse than leaving it open with a plan.",[58,3678,3679,3682],{},[61,3680,3681],{},"Not looking for systemic occurrences."," Clause 10.2 specifically requires checking whether similar issues exist elsewhere.",[58,3684,3685,3688],{},[61,3686,3687],{},"Treating every issue as a minor."," Downgrading severity to reduce pressure produces audit findings when the pattern becomes visible.",[58,3690,3691,3694],{},[61,3692,3693],{},"Weak documentation trail."," If the nonconformity, root cause, action, and verification cannot be reconstructed from your records, the corrective action is effectively incomplete.",[29,3696,816],{"id":815},[11,3698,3699],{},"episki provides a structured nonconformity workflow that captures findings from internal audits, incidents, and ad-hoc reports into a single register, enforces the full CAPA lifecycle including mandatory root cause analysis and effectiveness verification, links each nonconformity back to the controls and risks it affects, and produces the documented evidence ISO 27001 auditors expect. 
Patterns across nonconformities surface automatically so systemic issues are caught before they become external audit findings.",[11,3701,3702,3703,108],{},"For the broader context of how nonconformity handling fits the ISMS cycle, return to the ",[15,3704,825],{"href":17},{"title":452,"searchDepth":453,"depth":453,"links":3706},[3707,3708,3709,3718,3719,3720,3721],{"id":3377,"depth":453,"text":3378},{"id":3413,"depth":453,"text":3414},{"id":3473,"depth":453,"text":3474,"children":3710},[3711,3712,3713,3714,3715,3716,3717],{"id":3477,"depth":459,"text":3478},{"id":3507,"depth":459,"text":3508},{"id":3514,"depth":459,"text":3515},{"id":3524,"depth":459,"text":3525},{"id":3545,"depth":459,"text":3546},{"id":3552,"depth":459,"text":3553},{"id":3573,"depth":459,"text":3574},{"id":3580,"depth":453,"text":3581},{"id":745,"depth":453,"text":746},{"id":773,"depth":453,"text":774},{"id":815,"depth":453,"text":816},"Handle ISO 27001 nonconformities and corrective actions under Clauses 10.1 and 10.2 with root cause analysis, CAPA workflows, and effectiveness verification.",{"items":3724},[3725,3728,3731,3734,3737],{"label":3726,"content":3727},"What counts as a nonconformity in ISO 27001?","A nonconformity is any failure to meet a requirement. That includes a requirement from ISO 27001 itself, from your own policies, from contractual obligations, or from regulations your ISMS references. Missing a required record, a control that is not operating, or a policy that is not being followed all qualify.",{"label":3729,"content":3730},"What is the difference between a major and minor nonconformity?","A major nonconformity is a significant failure that threatens the effectiveness of the ISMS, such as a systemic process breakdown or total absence of a required control. 
A minor nonconformity is an isolated issue that does not threaten the ISMS overall, such as a single missing record within an otherwise well-run process.",{"label":3732,"content":3733},"What is corrective action versus correction?","A correction fixes the immediate problem. A corrective action addresses the root cause so the problem does not recur. Correction patches the hole. Corrective action changes why the hole appeared in the first place.",{"label":3735,"content":3736},"How long should it take to close a nonconformity?","Most certification bodies expect minor nonconformities from external audits to close within 90 days. Internal nonconformities vary by severity. What matters most is that the timeline is documented, defensible, and actually met.",{"label":3738,"content":3739},"Do I need a separate CAPA system to satisfy Clause 10?","No, but you need a consistent, documented process. Many organizations use a ticketing system, a dedicated GRC platform, or a structured spreadsheet. The form matters less than the evidence of real root cause analysis and verification of effectiveness.",{},[476,482,3742,2210],"incident-response",[1901,1902,2212,487],{"title":3745,"description":3746},"ISO 27001 Nonconformity & Corrective Action — 10.1 & 10.2","Run ISO 27001 nonconformity and corrective action handling with root cause analysis, CAPA, and evidence auditors accept under Clauses 10.1 and 10.2.","5.frameworks\u002Fiso27001\u002Fnonconformity-and-corrective-action","WNFxiXuMxVt0--7gDQAZipXa1a9929Tc5iHAHtUAVBU",{"id":3750,"title":3751,"body":3752,"description":4154,"extension":474,"faq":475,"frameworkSlug":476,"lastUpdated":477,"meta":4155,"navigation":479,"path":369,"relatedTerms":4156,"relatedTopics":4157,"seo":4158,"stem":4161,"__hash__":4162},"frameworkTopics\u002F5.frameworks\u002Fiso27001\u002Frisk-assessment.md","ISO 27001 Risk 
Assessment",{"type":8,"value":3753,"toc":4133},[3754,3763,3766,3769,3789,3792,3796,3799,3803,3806,3816,3820,3823,3831,3835,3838,3846,3853,3857,3861,3864,3868,3871,3875,3878,3895,3899,3902,3906,3909,3913,3916,3920,3923,3953,3956,3970,3976,3980,3983,4033,4041,4045,4048,4080,4083,4087,4093,4099,4105,4111,4120,4124,4127],[11,3755,3756,3757,3759,3760,3762],{},"Risk assessment is the engine that drives every decision within an ",[15,3758,18],{"href":17}," ",[15,3761,23],{"href":22},". The standard does not prescribe a specific methodology but requires that your approach is systematic, repeatable, and produces comparable results over time. Getting risk assessment right determines which controls you implement, how you allocate resources, and ultimately whether your security program addresses real threats or just checks boxes.",[29,3764,3765],{"id":2694},"What ISO 27001 Requires",[11,3767,3768],{},"Clauses 6.1.2 and 8.2 of ISO 27001 set out the requirements for risk assessment. At a high level the standard requires you to:",[952,3770,3771,3777,3783],{},[58,3772,3773,3776],{},[61,3774,3775],{},"Define a risk assessment process"," that establishes criteria for risk acceptance, criteria for performing assessments, and ensures that repeated assessments produce consistent and comparable results.",[58,3778,3779,3782],{},[61,3780,3781],{},"Identify information security risks"," by identifying risks associated with the loss of confidentiality, integrity, and availability of information within the scope of the ISMS, and identifying the risk owners.",[58,3784,3785,3788],{},[61,3786,3787],{},"Analyze and evaluate risks"," by assessing the realistic likelihood and potential impact of each risk, determining the level of risk, and comparing results against your risk criteria to prioritize treatment.",[11,3790,3791],{},"These requirements give you flexibility in choosing a methodology while ensuring the outcome is rigorous enough to withstand audit 
scrutiny.",[29,3793,3795],{"id":3794},"choosing-a-risk-assessment-methodology","Choosing a Risk Assessment Methodology",[11,3797,3798],{},"There is no single correct methodology. The key is that your chosen approach meets the standard's requirements for consistency and comparability. Common approaches include:",[44,3800,3802],{"id":3801},"qualitative-assessment","Qualitative Assessment",[11,3804,3805],{},"The most widely used approach for ISO 27001, qualitative assessment uses descriptive scales (such as low, medium, high, or critical) for both likelihood and impact. Risks are plotted on a matrix and ranked accordingly.",[11,3807,3808,3811,3812,3815],{},[61,3809,3810],{},"Advantages:"," Accessible to non-technical stakeholders, faster to execute, easier to maintain.\n",[61,3813,3814],{},"Limitations:"," Subjective by nature, can produce inconsistent results if criteria are not well-defined.",[44,3817,3819],{"id":3818},"semi-quantitative-assessment","Semi-Quantitative Assessment",[11,3821,3822],{},"This approach assigns numerical values to qualitative scales (for example, 1 through 5 for likelihood and impact). The risk level is calculated by multiplying or adding these values, producing a numerical score that enables more granular ranking.",[11,3824,3825,3827,3828,3830],{},[61,3826,3810],{}," More granular than pure qualitative, still manageable without complex data.\n",[61,3829,3814],{}," The numbers can create a false sense of precision if the underlying scales are poorly calibrated.",[44,3832,3834],{"id":3833},"quantitative-assessment","Quantitative Assessment",[11,3836,3837],{},"Fully quantitative approaches express risk in financial or operational terms, often using methods like Factor Analysis of Information Risk (FAIR). 
Likelihood is expressed as frequency, and impact is expressed in monetary loss.",[11,3839,3840,3842,3843,3845],{},[61,3841,3810],{}," Enables cost-benefit analysis for control investments, speaks the language of business leadership.\n",[61,3844,3814],{}," Requires reliable data that many organizations do not have, significantly more complex.",[11,3847,3848,3849,3852],{},"Most organizations pursuing ",[15,3850,3851],{"href":106},"ISO 27001 certification"," start with a qualitative or semi-quantitative approach. The standard does not require quantitative analysis, and auditors are primarily concerned that your methodology is defined, documented, and consistently applied.",[29,3854,3856],{"id":3855},"building-your-risk-assessment-process","Building Your Risk Assessment Process",[44,3858,3860],{"id":3859},"step-1-define-the-scope-and-context","Step 1: Define the Scope and Context",[11,3862,3863],{},"Before identifying risks, confirm the scope of your ISMS and understand the internal and external context (clause 4). This includes the regulatory environment, contractual obligations, organizational structure, technology landscape, and threat landscape relevant to your operations.",[44,3865,3867],{"id":3866},"step-2-identify-assets-and-information","Step 2: Identify Assets and Information",[11,3869,3870],{},"Create an inventory of information assets within scope. Assets include data repositories, applications, infrastructure, personnel, processes, and third-party services. Some organizations take an asset-based approach where risks are identified per asset. Others take a scenario-based or threat-based approach. Either is acceptable.",[44,3872,3874],{"id":3873},"step-3-identify-threats-and-vulnerabilities","Step 3: Identify Threats and Vulnerabilities",[11,3876,3877],{},"For each asset or scenario, identify realistic threats (what could go wrong) and vulnerabilities (weaknesses that a threat could exploit). 
Common threat categories include:",[55,3879,3880,3883,3886,3889,3892],{},[58,3881,3882],{},"Malicious external attacks (ransomware, phishing, DDoS)",[58,3884,3885],{},"Insider threats (accidental or deliberate)",[58,3887,3888],{},"System failures (hardware, software, infrastructure)",[58,3890,3891],{},"Natural events (fire, flood, power outage)",[58,3893,3894],{},"Third-party and supply chain failures",[44,3896,3898],{"id":3897},"step-4-assess-likelihood-and-impact","Step 4: Assess Likelihood and Impact",[11,3900,3901],{},"Using your defined scales, rate each risk for likelihood (how probable is this event given current controls) and impact (what damage would result in terms of confidentiality, integrity, or availability). Document the rationale for each rating so it can be reviewed and challenged.",[44,3903,3905],{"id":3904},"step-5-calculate-and-rank-risk-levels","Step 5: Calculate and Rank Risk Levels",[11,3907,3908],{},"Combine likelihood and impact ratings to determine the overall risk level. Plot risks on a risk matrix or score them numerically. This ranking drives prioritization.",[44,3910,3912],{"id":3911},"step-6-evaluate-against-risk-criteria","Step 6: Evaluate Against Risk Criteria",[11,3914,3915],{},"Compare each risk level against your organization's risk acceptance criteria. Risks that fall below the acceptance threshold may be accepted with documentation. Risks above the threshold require treatment.",[29,3917,3919],{"id":3918},"the-risk-treatment-plan","The Risk Treatment Plan",[11,3921,3922],{},"Clause 6.1.3 requires a risk treatment plan that documents how each unacceptable risk will be addressed. For each risk, you select one or more treatment options:",[55,3924,3925,3935,3941,3947],{},[58,3926,3927,3930,3931,3934],{},[61,3928,3929],{},"Mitigate."," Apply controls to reduce likelihood, impact, or both. 
Controls are typically selected from ",[15,3932,3933],{"href":480},"Annex A"," but can come from any source.",[58,3936,3937,3940],{},[61,3938,3939],{},"Transfer."," Shift the risk to a third party, commonly through insurance or outsourcing to a provider with contractual security commitments.",[58,3942,3943,3946],{},[61,3944,3945],{},"Avoid."," Eliminate the activity or condition that creates the risk.",[58,3948,3949,3952],{},[61,3950,3951],{},"Accept."," Acknowledge the risk and choose not to treat it further, with formal approval from the risk owner.",[11,3954,3955],{},"The risk treatment plan must specify:",[55,3957,3958,3961,3964,3967],{},[58,3959,3960],{},"The controls or actions selected",[58,3962,3963],{},"Who is responsible for implementation",[58,3965,3966],{},"Implementation timelines",[58,3968,3969],{},"How effectiveness will be measured",[11,3971,3972,3973,3975],{},"This plan feeds directly into your ",[15,3974,382],{"href":381},", which declares which Annex A controls are applicable based on your risk treatment decisions.",[29,3977,3979],{"id":3978},"the-risk-register","The Risk Register",[11,3981,3982],{},"The risk register is the central repository that tracks all identified risks, their assessments, treatment decisions, and current status. 
While ISO 27001 does not mandate a specific format, your risk register should capture:",[55,3984,3985,3991,3997,4003,4009,4015,4021,4027],{},[58,3986,3987,3990],{},[61,3988,3989],{},"Risk ID and description."," A unique identifier and clear description of the risk scenario.",[58,3992,3993,3996],{},[61,3994,3995],{},"Risk owner."," The person accountable for managing the risk.",[58,3998,3999,4002],{},[61,4000,4001],{},"Likelihood and impact ratings."," Both inherent (before controls) and residual (after controls).",[58,4004,4005,4008],{},[61,4006,4007],{},"Risk level."," The calculated overall risk score.",[58,4010,4011,4014],{},[61,4012,4013],{},"Treatment decision."," Mitigate, transfer, avoid, or accept.",[58,4016,4017,4020],{},[61,4018,4019],{},"Controls applied."," Links to specific Annex A controls or custom controls.",[58,4022,4023,4026],{},[61,4024,4025],{},"Residual risk."," The remaining risk level after treatment is applied.",[58,4028,4029,4032],{},[61,4030,4031],{},"Status and review date."," Whether the risk is open, in treatment, or closed, and when it was last reviewed.",[11,4034,4035,4036,3636,4038,4040],{},"A well-maintained risk register is one of the most scrutinized artifacts during ",[15,4037,2499],{"href":106},[15,4039,439],{"href":438},". Auditors want to see that it is current, that risks have been reviewed on schedule, and that treatment plans are progressing.",[29,4042,4044],{"id":4043},"continuous-risk-monitoring","Continuous Risk Monitoring",[11,4046,4047],{},"Risk assessment is not a one-time activity. ISO 27001 requires ongoing monitoring and review of risks (clause 8.2 states risk assessments must be performed at planned intervals or when significant changes occur). 
Triggers for reassessment include:",[55,4049,4050,4056,4062,4068,4074],{},[58,4051,4052,4055],{},[61,4053,4054],{},"Organizational changes."," Mergers, new products, entering new markets, significant staffing changes.",[58,4057,4058,4061],{},[61,4059,4060],{},"Technology changes."," Migrating to new platforms, adopting new tools, decommissioning legacy systems.",[58,4063,4064,4067],{},[61,4065,4066],{},"Threat landscape changes."," New vulnerability disclosures, emerging attack patterns, incidents at peer organizations.",[58,4069,4070,4073],{},[61,4071,4072],{},"Incident outcomes."," Lessons learned from security incidents or near-misses within your own organization.",[58,4075,4076,4079],{},[61,4077,4078],{},"Audit findings."," Results from internal audits, external audits, or penetration tests.",[11,4081,4082],{},"Embed risk review into existing operational rhythms. Monthly or quarterly risk review meetings, integrated with change management processes, keep the risk register alive without creating a separate bureaucratic process.",[29,4084,4086],{"id":4085},"common-mistakes","Common Mistakes",[11,4088,4089,4092],{},[61,4090,4091],{},"Boiling the ocean."," Trying to identify every conceivable risk creates an unwieldy register that no one maintains. Focus on realistic, material risks within your scope.",[11,4094,4095,4098],{},[61,4096,4097],{},"Inconsistent criteria."," If different assessors interpret \"medium likelihood\" differently, your risk rankings become meaningless. Invest time in calibrating your scales with concrete examples.",[11,4100,4101,4104],{},[61,4102,4103],{},"Static risk registers."," A risk register that is updated once a year for audit purposes provides little actual security value. Risks change continuously, and your register should reflect that.",[11,4106,4107,4110],{},[61,4108,4109],{},"Ignoring residual risk."," After applying controls, you must reassess the remaining risk. 
If residual risk still exceeds your acceptance criteria, additional treatment is needed.",[11,4112,4113,4116,4117,4119],{},[61,4114,4115],{},"Disconnecting risk from controls."," Every control in your ",[15,4118,382],{"href":381}," should trace back to one or more risks. Controls without risk justification and risks without corresponding controls both indicate process problems.",[29,4121,4123],{"id":4122},"making-risk-assessment-practical","Making Risk Assessment Practical",[11,4125,4126],{},"The goal is not to create perfect risk models but to make informed, defensible decisions about where to invest in security. Keep your methodology as simple as your context allows, ensure risk owners are genuinely engaged, and use tooling that makes the risk register a living document rather than a static spreadsheet.",[11,4128,4129,4130,4132],{},"Platforms like episki link risk register entries directly to controls, evidence, and review schedules, ensuring that risk treatment decisions stay connected to operational reality. 
Explore the full ",[15,4131,18],{"href":449}," framework to see how risk assessment integrates with the rest of your compliance program.",{"title":452,"searchDepth":453,"depth":453,"links":4134},[4135,4136,4141,4149,4150,4151,4152,4153],{"id":2694,"depth":453,"text":3765},{"id":3794,"depth":453,"text":3795,"children":4137},[4138,4139,4140],{"id":3801,"depth":459,"text":3802},{"id":3818,"depth":459,"text":3819},{"id":3833,"depth":459,"text":3834},{"id":3855,"depth":453,"text":3856,"children":4142},[4143,4144,4145,4146,4147,4148],{"id":3859,"depth":459,"text":3860},{"id":3866,"depth":459,"text":3867},{"id":3873,"depth":459,"text":3874},{"id":3897,"depth":459,"text":3898},{"id":3904,"depth":459,"text":3905},{"id":3911,"depth":459,"text":3912},{"id":3918,"depth":453,"text":3919},{"id":3978,"depth":453,"text":3979},{"id":4043,"depth":453,"text":4044},{"id":4085,"depth":453,"text":4086},{"id":4122,"depth":453,"text":4123},"A practical guide to performing ISO 27001 risk assessments, building risk treatment plans, maintaining a risk register, and embedding continuous risk monitoring into your ISMS.",{},[476,482],[1431,484,486,487,488],{"title":4159,"description":4160},"ISO 27001 Risk Assessment — Methodology, Treatment & Monitoring","Master ISO 27001 risk assessment with practical guidance on methodology selection, risk treatment plans, risk registers, and continuous monitoring.","5.frameworks\u002Fiso27001\u002Frisk-assessment","EX-SLf_30WxGvY2gz6FAsCwDhxazyCDACEivFYrJ-9o",{"id":4164,"title":4165,"body":4166,"description":4556,"extension":474,"faq":475,"frameworkSlug":476,"lastUpdated":477,"meta":4557,"navigation":479,"path":381,"relatedTerms":4558,"relatedTopics":4559,"seo":4560,"stem":4563,"__hash__":4564},"frameworkTopics\u002F5.frameworks\u002Fiso27001\u002Fstatement-of-applicability.md","Statement of Applicability 
(SoA)",{"type":8,"value":4167,"toc":4530},[4168,4179,4184,4188,4194,4197,4211,4214,4218,4222,4225,4229,4232,4236,4239,4243,4247,4253,4257,4260,4264,4267,4293,4296,4300,4303,4323,4326,4334,4338,4341,4345,4348,4426,4429,4433,4439,4442,4445,4447,4451,4454,4458,4461,4465,4468,4472,4477,4481,4484,4488,4491,4495,4498,4524],[11,4169,4170,4171,3759,4173,4175,4176,4178],{},"The Statement of Applicability is one of the most important documents in an ",[15,4172,18],{"href":17},[15,4174,23],{"href":22},". It serves as the bridge between your ",[15,4177,370],{"href":369}," outcomes and the controls you implement, providing a complete picture of which security controls your organization has selected, why, and their implementation status.",[11,4180,4181,4182,108],{},"Auditors consider the SoA a mandatory document, and it is often the first artifact they request during both Stage 1 and Stage 2 of the ",[15,4183,107],{"href":106},[29,4185,4187],{"id":4186},"what-is-the-statement-of-applicability","What Is the Statement of Applicability?",[11,4189,4190,4191,4193],{},"The SoA is a document that lists all the controls from ",[15,4192,3933],{"href":480}," of ISO 27001 and, for each control, states whether it is applicable or not applicable to your organization. For applicable controls, the SoA describes how the control is implemented. For excluded controls, it provides the justification for exclusion.",[11,4195,4196],{},"Clause 6.1.3(d) of ISO 27001 specifies that the SoA must contain:",[55,4198,4199,4202,4205,4208],{},[58,4200,4201],{},"The necessary controls (those determined through risk treatment and any additional controls from other sources)",[58,4203,4204],{},"Justification for their inclusion",[58,4206,4207],{},"Whether the controls are implemented or not",[58,4209,4210],{},"Justification for excluding any Annex A controls",[11,4212,4213],{},"The SoA is not just a compliance checkbox. 
It is the definitive map of your security control landscape and serves as a reference point for auditors, management, and operational teams.",[29,4215,4217],{"id":4216},"why-the-soa-matters","Why the SoA Matters",[44,4219,4221],{"id":4220},"for-auditors","For Auditors",[11,4223,4224],{},"The SoA is the roadmap auditors use to plan their assessment. During the Stage 2 audit, auditors systematically verify that each control declared as applicable in the SoA is actually implemented and operating effectively. A well-structured SoA makes audits smoother and demonstrates organizational maturity.",[44,4226,4228],{"id":4227},"for-management","For Management",[11,4230,4231],{},"The SoA gives leadership a high-level view of the organization's security posture. It shows which risks are being treated, what controls are in place, and where gaps exist. This makes it a valuable input for management reviews required by clause 9.3.",[44,4233,4235],{"id":4234},"for-operations","For Operations",[11,4237,4238],{},"Security and IT teams use the SoA as a reference to understand what controls they are responsible for maintaining. When linked to specific policies, procedures, and evidence, the SoA becomes an operational tool rather than just an audit artifact.",[29,4240,4242],{"id":4241},"how-to-create-a-statement-of-applicability","How to Create a Statement of Applicability",[44,4244,4246],{"id":4245},"step-1-complete-your-risk-assessment","Step 1: Complete Your Risk Assessment",[11,4248,4249,4250,4252],{},"The SoA cannot be created in isolation. It depends on the outputs of your ",[15,4251,370],{"href":369}," and risk treatment plan. 
You need to know which risks you are treating and which controls you have selected to mitigate those risks before you can build the SoA.",[44,4254,4256],{"id":4255},"step-2-list-all-annex-a-controls","Step 2: List All Annex A Controls",[11,4258,4259],{},"Start with the complete list of 93 controls from Annex A of ISO 27001:2022, organized under the four themes: organizational, people, physical, and technological.",[44,4261,4263],{"id":4262},"step-3-determine-applicability","Step 3: Determine Applicability",[11,4265,4266],{},"For each control, determine whether it is applicable to your organization based on:",[55,4268,4269,4275,4281,4287],{},[58,4270,4271,4274],{},[61,4272,4273],{},"Risk treatment decisions."," Controls selected to mitigate identified risks are applicable.",[58,4276,4277,4280],{},[61,4278,4279],{},"Legal and regulatory requirements."," Some controls may be required by law regardless of your risk assessment findings.",[58,4282,4283,4286],{},[61,4284,4285],{},"Contractual obligations."," Customer contracts or partner agreements may mandate specific controls.",[58,4288,4289,4292],{},[61,4290,4291],{},"Business requirements."," Some controls support business objectives beyond pure security.",[11,4294,4295],{},"A control can be applicable even if your risk assessment did not specifically call for it, for example if it is required by regulation or considered industry best practice.",[44,4297,4299],{"id":4298},"step-4-document-justifications","Step 4: Document Justifications",[11,4301,4302],{},"For each applicable control, document:",[55,4304,4305,4311,4317],{},[58,4306,4307,4310],{},[61,4308,4309],{},"Why it is included."," Link it to specific risks, legal requirements, or contractual obligations.",[58,4312,4313,4316],{},[61,4314,4315],{},"How it is implemented."," Describe the implementation approach at a summary level. 
This could reference a policy, a technical configuration, a process, or a combination.",[58,4318,4319,4322],{},[61,4320,4321],{},"Implementation status."," Indicate whether the control is fully implemented, partially implemented, or planned.",[11,4324,4325],{},"For each excluded control, document:",[55,4327,4328],{},[58,4329,4330,4333],{},[61,4331,4332],{},"Why it is excluded."," Provide a clear, defensible justification. Common reasons include the control being outside the ISMS scope, the associated risk being accepted, or the control being not relevant to the organization's context (for example, physical perimeter controls for a fully remote organization with no physical offices).",[44,4335,4337],{"id":4336},"step-5-review-and-approve","Step 5: Review and Approve",[11,4339,4340],{},"The SoA should be reviewed and approved by management as part of the ISMS governance process. It is a living document that reflects management's decisions about acceptable risk and control implementation.",[29,4342,4344],{"id":4343},"soa-structure-and-format","SoA Structure and Format",[11,4346,4347],{},"ISO 27001 does not prescribe a specific format, but a typical SoA includes the following columns for each control:",[1102,4349,4350,4360],{},[1105,4351,4352],{},[1108,4353,4354,4357],{},[1111,4355,4356],{},"Column",[1111,4358,4359],{},"Description",[1118,4361,4362,4370,4378,4386,4394,4402,4410,4418],{},[1108,4363,4364,4367],{},[1123,4365,4366],{},"Control reference",[1123,4368,4369],{},"The Annex A control number (e.g., A.5.1)",[1108,4371,4372,4375],{},[1123,4373,4374],{},"Control name",[1123,4376,4377],{},"The name of the control",[1108,4379,4380,4383],{},[1123,4381,4382],{},"Applicable (Yes\u002FNo)",[1123,4384,4385],{},"Whether the control applies",[1108,4387,4388,4391],{},[1123,4389,4390],{},"Justification for inclusion\u002Fexclusion",[1123,4392,4393],{},"Why the control is or is not applicable",[1108,4395,4396,4399],{},[1123,4397,4398],{},"Implementation 
status",[1123,4400,4401],{},"Fully implemented, partially implemented, planned, or not implemented",[1108,4403,4404,4407],{},[1123,4405,4406],{},"Implementation description",[1123,4408,4409],{},"Summary of how the control is implemented",[1108,4411,4412,4415],{},[1123,4413,4414],{},"Risk reference",[1123,4416,4417],{},"Link to the risk(s) in the risk register that this control addresses",[1108,4419,4420,4423],{},[1123,4421,4422],{},"Evidence reference",[1123,4424,4425],{},"Pointer to evidence artifacts (policies, configurations, logs)",[11,4427,4428],{},"Some organizations add columns for control owners, review dates, and notes. The level of detail should be proportionate to the complexity of your ISMS.",[29,4430,4432],{"id":4431},"relationship-to-annex-a","Relationship to Annex A",[11,4434,4435,4436,4438],{},"The SoA and Annex A are tightly coupled but serve different purposes. ",[15,4437,3933],{"href":480}," is the reference catalog of 93 controls provided by the standard. The SoA is your organization's declaration of which controls from that catalog you have adopted and how.",[11,4440,4441],{},"You are not limited to Annex A controls. If your risk assessment identifies a need for a control that is not in Annex A, you can and should implement it. The SoA should note any additional controls beyond Annex A that your organization has adopted.",[11,4443,4444],{},"Conversely, you cannot declare a control in the SoA as implemented when it is not. The SoA must accurately reflect reality. If a control is listed as implemented, auditors will verify it.",[29,4446,4086],{"id":4085},[44,4448,4450],{"id":4449},"excluding-controls-without-justification","Excluding Controls Without Justification",[11,4452,4453],{},"Every exclusion needs a documented rationale. Simply stating \"not applicable\" without explanation will be flagged by auditors. 
The justification must be specific to your organization's context, not generic.",[44,4455,4457],{"id":4456},"copy-pasting-from-templates","Copy-Pasting from Templates",[11,4459,4460],{},"Using a template as a starting point is fine, but the SoA must reflect your actual environment. Generic descriptions copied from templates are immediately obvious to experienced auditors and indicate that the SoA was not developed through a genuine risk-based process.",[44,4462,4464],{"id":4463},"declaring-controls-implemented-when-they-are-not","Declaring Controls Implemented When They Are Not",[11,4466,4467],{},"Overstating implementation status is one of the most damaging mistakes. If an auditor finds that a control declared as \"fully implemented\" is only partially in place or not functioning, it results in a nonconformity. Be honest about implementation status. Listing a control as \"partially implemented\" or \"planned\" is perfectly acceptable, especially during initial certification.",[44,4469,4471],{"id":4470},"treating-the-soa-as-static","Treating the SoA as Static",[11,4473,4474,4475,108],{},"The SoA should be updated whenever your risk landscape changes, new controls are implemented, or existing controls are modified. A stale SoA that does not match your current control environment will cause problems during ",[15,4476,439],{"href":438},[44,4478,4480],{"id":4479},"disconnecting-from-the-risk-register","Disconnecting from the Risk Register",[11,4482,4483],{},"The SoA should have clear traceability to your risk register and risk treatment plan. Every applicable control should map to at least one risk, and every risk treatment decision that involves control implementation should be reflected in the SoA. 
Auditors specifically look for this linkage.",[44,4485,4487],{"id":4486},"making-it-too-detailed-or-too-vague","Making It Too Detailed or Too Vague",[11,4489,4490],{},"The SoA should provide enough detail for an auditor to understand what is in place and verify it, but it is not meant to be a comprehensive security architecture document. Strike a balance between brevity and completeness.",[29,4492,4494],{"id":4493},"maintaining-the-soa","Maintaining the SoA",[11,4496,4497],{},"Build the SoA into your regular ISMS review cycle:",[55,4499,4500,4506,4512,4518],{},[58,4501,4502,4505],{},[61,4503,4504],{},"After each risk assessment cycle",", review whether new controls are needed or existing applicability decisions have changed.",[58,4507,4508,4511],{},[61,4509,4510],{},"When implementing changes",", update the SoA to reflect new or modified controls.",[58,4513,4514,4517],{},[61,4515,4516],{},"Before surveillance audits",", verify that the SoA matches the current state of your control environment.",[58,4519,4520,4523],{},[61,4521,4522],{},"During management reviews",", present SoA changes as part of the ISMS status update.",[11,4525,4526,4527,4529],{},"Maintaining the SoA in a spreadsheet is common but error-prone. Platforms like episki generate the SoA directly from your control graph, ensuring that applicability decisions, implementation status, and evidence references stay synchronized automatically. 
Learn more about how this fits into the broader ",[15,4528,18],{"href":449}," compliance workflow.",{"title":452,"searchDepth":453,"depth":453,"links":4531},[4532,4533,4538,4545,4546,4547,4555],{"id":4186,"depth":453,"text":4187},{"id":4216,"depth":453,"text":4217,"children":4534},[4535,4536,4537],{"id":4220,"depth":459,"text":4221},{"id":4227,"depth":459,"text":4228},{"id":4234,"depth":459,"text":4235},{"id":4241,"depth":453,"text":4242,"children":4539},[4540,4541,4542,4543,4544],{"id":4245,"depth":459,"text":4246},{"id":4255,"depth":459,"text":4256},{"id":4262,"depth":459,"text":4263},{"id":4298,"depth":459,"text":4299},{"id":4336,"depth":459,"text":4337},{"id":4343,"depth":453,"text":4344},{"id":4431,"depth":453,"text":4432},{"id":4085,"depth":453,"text":4086,"children":4548},[4549,4550,4551,4552,4553,4554],{"id":4449,"depth":459,"text":4450},{"id":4456,"depth":459,"text":4457},{"id":4463,"depth":459,"text":4464},{"id":4470,"depth":459,"text":4471},{"id":4479,"depth":459,"text":4480},{"id":4486,"depth":459,"text":4487},{"id":4493,"depth":453,"text":4494},"Everything you need to know about the ISO 27001 Statement of Applicability, including what it contains, how to create one, its relationship to Annex A, and mistakes to avoid.",{},[476,482],[1431,485,486,487,488],{"title":4561,"description":4562},"ISO 27001 Statement of Applicability (SoA) — Guide & Best Practices","Learn how to create an ISO 27001 Statement of Applicability. 
Covers SoA structure, Annex A mapping, common mistakes, and maintenance best practices.","5.frameworks\u002Fiso27001\u002Fstatement-of-applicability","FzA3uDdnLS792ODW33zk4W7ewvCCIJf18LzpLPzDdq4",{"id":4566,"title":4567,"body":4568,"description":5028,"extension":474,"faq":475,"frameworkSlug":476,"lastUpdated":477,"meta":5029,"navigation":479,"path":438,"relatedTerms":5030,"relatedTopics":5031,"seo":5032,"stem":5035,"__hash__":5036},"frameworkTopics\u002F5.frameworks\u002Fiso27001\u002Fsurveillance-audits.md","ISO 27001 Surveillance Audits",{"type":8,"value":4569,"toc":5007},[4570,4579,4583,4586,4615,4618,4621,4625,4628,4632,4635,4679,4683,4689,4692,4706,4710,4781,4784,4788,4791,4795,4802,4806,4809,4813,4816,4820,4826,4830,4833,4837,4840,4844,4847,4851,4854,4857,4871,4874,4877,4881,4884,4910,4913,4917,4920,4964,4968,4971,4997],[11,4571,4572,4573,4575,4576,4578],{},"Earning your ",[15,4574,18],{"href":17}," certificate is a significant achievement, but it marks the beginning of an ongoing commitment rather than the end of a project. The certification cycle spans three years, during which your certification body conducts surveillance audits to verify that your ",[15,4577,23],{"href":22}," continues to meet the standard's requirements. Understanding what these audits involve and how to prepare for them is essential to maintaining your certification.",[29,4580,4582],{"id":4581},"the-three-year-certification-cycle","The Three-Year Certification Cycle",[11,4584,4585],{},"ISO 27001 certification follows a predictable three-year rhythm:",[55,4587,4588,4597,4603,4609],{},[58,4589,4590,4593,4594,4596],{},[61,4591,4592],{},"Year 0:"," Initial certification audit (Stage 1 and Stage 2). 
See the ",[15,4595,107],{"href":106}," guide for details.",[58,4598,4599,4602],{},[61,4600,4601],{},"Year 1:"," First surveillance audit.",[58,4604,4605,4608],{},[61,4606,4607],{},"Year 2:"," Second surveillance audit.",[58,4610,4611,4614],{},[61,4612,4613],{},"Year 3:"," Recertification audit (full reassessment).",[11,4616,4617],{},"After recertification, the cycle repeats. The certificate issued at initial certification and at recertification is valid for three years, contingent on successful surveillance audits in the intervening years.",[11,4619,4620],{},"If a surveillance audit reveals significant issues that are not resolved, the certification body can suspend or withdraw your certificate.",[29,4622,4624],{"id":4623},"what-is-a-surveillance-audit","What Is a Surveillance Audit?",[11,4626,4627],{},"A surveillance audit is a smaller-scale audit conducted by your certification body to confirm that your ISMS is still operating effectively and in conformity with ISO 27001. Unlike the initial certification audit, surveillance audits do not assess every control and every clause. 
Instead, they sample specific areas while always covering certain mandatory elements.",[44,4629,4631],{"id":4630},"mandatory-elements","Mandatory Elements",[11,4633,4634],{},"Every surveillance audit must assess:",[55,4636,4637,4643,4649,4655,4661,4667,4673],{},[58,4638,4639,4642],{},[61,4640,4641],{},"Internal audit results."," The certification body reviews whether you have conducted internal audits as planned and whether findings have been addressed.",[58,4644,4645,4648],{},[61,4646,4647],{},"Management review results."," Evidence that top management has reviewed the ISMS and taken action on its outputs.",[58,4650,4651,4654],{},[61,4652,4653],{},"Corrective actions."," Status of any nonconformities raised in previous audits (both internal and external).",[58,4656,4657,4660],{},[61,4658,4659],{},"Handling of complaints."," How complaints related to information security have been managed.",[58,4662,4663,4666],{},[61,4664,4665],{},"ISMS effectiveness."," Whether the ISMS is achieving its intended outcomes and objectives.",[58,4668,4669,4672],{},[61,4670,4671],{},"Progress on planned improvements."," Actions identified in previous reviews or audits that were planned for implementation.",[58,4674,4675,4678],{},[61,4676,4677],{},"Use of marks and references to certification."," That the organization is using its certification status accurately and in accordance with the CB's rules.",[44,4680,4682],{"id":4681},"sampled-elements","Sampled Elements",[11,4684,4685,4686,4688],{},"In addition to the mandatory elements, the auditor selects a sample of ",[15,4687,2376],{"href":480}," and ISMS processes to verify. 
The sampling is designed so that, across the two surveillance audits in a cycle, all significant areas of the ISMS are assessed at least once.",[11,4690,4691],{},"The auditor may choose areas based on:",[55,4693,4694,4697,4700,4703],{},[58,4695,4696],{},"Results of the previous audit",[58,4698,4699],{},"Known changes to the organization or its environment",[58,4701,4702],{},"Areas that were not covered in recent audits",[58,4704,4705],{},"Specific risk areas or controls that are inherently complex",[29,4707,4709],{"id":4708},"how-surveillance-audits-differ-from-certification-audits","How Surveillance Audits Differ from Certification Audits",[1102,4711,4712,4725],{},[1105,4713,4714],{},[1108,4715,4716,4719,4722],{},[1111,4717,4718],{},"Aspect",[1111,4720,4721],{},"Certification Audit",[1111,4723,4724],{},"Surveillance Audit",[1118,4726,4727,4738,4748,4759,4770],{},[1108,4728,4729,4732,4735],{},[1123,4730,4731],{},"Scope",[1123,4733,4734],{},"Full ISMS",[1123,4736,4737],{},"Sampled subset plus mandatory elements",[1108,4739,4740,4742,4745],{},[1123,4741,1116],{},[1123,4743,4744],{},"3-10 audit days",[1123,4746,4747],{},"1-3 audit days typically",[1108,4749,4750,4753,4756],{},[1123,4751,4752],{},"Frequency",[1123,4754,4755],{},"Every 3 years",[1123,4757,4758],{},"Annually (years 1 and 2)",[1108,4760,4761,4764,4767],{},[1123,4762,4763],{},"Output",[1123,4765,4766],{},"Certification decision",[1123,4768,4769],{},"Continued certification or findings",[1108,4771,4772,4775,4778],{},[1123,4773,4774],{},"Stage 1 required",[1123,4776,4777],{},"Yes",[1123,4779,4780],{},"No",[11,4782,4783],{},"Surveillance audits are shorter and less comprehensive, but they are not less serious. 
A major nonconformity found during surveillance carries the same weight as one found during initial certification and must be resolved within an agreed timeframe, usually 90 days, or the certificate may be suspended.",[29,4785,4787],{"id":4786},"preparing-for-surveillance-audits","Preparing for Surveillance Audits",[11,4789,4790],{},"The best preparation strategy is to maintain your ISMS as a living system rather than treating it as a certification artifact that gets dusted off before each audit. Here is what that looks like in practice.",[44,4792,4794],{"id":4793},"keep-the-risk-register-current","Keep the Risk Register Current",[11,4796,4797,4798,4801],{},"Your ",[15,4799,4800],{"href":369},"risk register"," should reflect current risks, not the risks that existed when you were first certified. Review and update it at planned intervals and whenever significant changes occur. Auditors will check that recent organizational or environmental changes have been reflected in your risk assessments.",[44,4803,4805],{"id":4804},"conduct-internal-audits-on-schedule","Conduct Internal Audits on Schedule",[11,4807,4808],{},"Plan your internal audit program to cover the full ISMS over the course of the three-year cycle. Ensure audits are actually conducted according to the plan, findings are documented, and corrective actions are tracked to closure. A common surveillance audit finding is that internal audits were not performed as planned.",[44,4810,4812],{"id":4811},"hold-management-reviews","Hold Management Reviews",[11,4814,4815],{},"Management reviews must happen at the frequency defined in your ISMS. Document the agenda, attendees, inputs reviewed, decisions made, and actions assigned. 
Auditors will ask to see management review records and will verify that actions from previous reviews have been completed.",[44,4817,4819],{"id":4818},"update-the-statement-of-applicability","Update the Statement of Applicability",[11,4821,4822,4823,4825],{},"If your control landscape has changed since the last audit (new controls implemented, controls modified, or controls that are no longer relevant), your ",[15,4824,382],{"href":381}," should reflect those changes. A stale SoA that does not match your actual control environment is a red flag.",[44,4827,4829],{"id":4828},"track-and-close-nonconformities","Track and Close Nonconformities",[11,4831,4832],{},"Any nonconformities from previous audits (internal or external) must have documented corrective actions. Auditors will verify that corrective actions were implemented, that root causes were addressed, and that the corrective actions were effective. Simply implementing a fix without confirming its effectiveness is a common gap.",[44,4834,4836],{"id":4835},"maintain-evidence","Maintain Evidence",[11,4838,4839],{},"Controls need ongoing evidence of operation. Access reviews should have records, training should have attendance logs, incidents should have response records, and backups should have test results. If the evidence trail goes cold between audits, it suggests the controls are not consistently operating.",[44,4841,4843],{"id":4842},"document-changes","Document Changes",[11,4845,4846],{},"Changes to the organization's structure, technology, processes, or external environment should be documented along with any impact assessment on the ISMS. Significant changes that were not reflected in updated risk assessments or control implementations are a frequent source of audit findings.",[29,4848,4850],{"id":4849},"the-recertification-audit","The Recertification Audit",[11,4852,4853],{},"In year three of the certification cycle, a full recertification audit replaces the surveillance audit. 
Recertification is essentially a repeat of the initial certification audit, though auditors will have the benefit of two years of surveillance audit history.",[11,4855,4856],{},"The recertification audit:",[55,4858,4859,4862,4865,4868],{},[58,4860,4861],{},"Covers the entire ISMS scope",[58,4863,4864],{},"Reassesses all clauses (4-10) and a comprehensive sample of Annex A controls",[58,4866,4867],{},"Evaluates the overall effectiveness and maturity of the ISMS over the previous cycle",[58,4869,4870],{},"Results in a new three-year certificate if successful",[11,4872,4873],{},"Recertification audits are longer than surveillance audits but typically shorter than the initial certification because the auditor already has a baseline understanding of the organization. Plan for roughly two-thirds of the initial audit duration.",[11,4875,4876],{},"It is critical to schedule recertification before your current certificate expires. If the certificate lapses, you may need to go through the full initial certification process again, including Stage 1.",[29,4878,4880],{"id":4879},"what-happens-if-you-fail","What Happens If You Fail",[11,4882,4883],{},"If a surveillance or recertification audit reveals a major nonconformity:",[952,4885,4886,4892,4898,4904],{},[58,4887,4888,4891],{},[61,4889,4890],{},"Corrective action period."," You are given a defined window (typically 90 days) to implement corrective action and provide evidence of resolution.",[58,4893,4894,4897],{},[61,4895,4896],{},"Verification."," The auditor verifies the corrective action, either through documentation review or a follow-up visit.",[58,4899,4900,4903],{},[61,4901,4902],{},"Suspension."," If corrective action is not satisfactorily completed, the CB may suspend your certificate. 
Suspension means you cannot claim certification until the issue is resolved.",[58,4905,4906,4909],{},[61,4907,4908],{},"Withdrawal."," If suspension is not resolved within a defined period (typically six months), the certificate is withdrawn entirely.",[11,4911,4912],{},"Minor nonconformities follow a similar process but are less likely to result in suspension if addressed promptly.",[29,4914,4916],{"id":4915},"common-surveillance-audit-findings","Common Surveillance Audit Findings",[11,4918,4919],{},"Based on typical audit outcomes, the most frequent findings include:",[55,4921,4922,4928,4934,4940,4946,4952,4958],{},[58,4923,4924,4927],{},[61,4925,4926],{},"Incomplete internal audit coverage."," The internal audit program did not cover all planned areas.",[58,4929,4930,4933],{},[61,4931,4932],{},"Overdue corrective actions."," Nonconformities from previous audits remain open past their target dates.",[58,4935,4936,4939],{},[61,4937,4938],{},"Outdated risk assessments."," The risk register has not been updated to reflect organizational or environmental changes.",[58,4941,4942,4945],{},[61,4943,4944],{},"Missing management review records."," Management reviews were not conducted or were insufficiently documented.",[58,4947,4948,4951],{},[61,4949,4950],{},"Evidence gaps."," Controls are documented in the SoA but evidence of ongoing operation is insufficient.",[58,4953,4954,4957],{},[61,4955,4956],{},"Awareness shortfalls."," New employees have not received information security awareness training.",[58,4959,4960,4963],{},[61,4961,4962],{},"Change management gaps."," Significant changes to systems or processes were not assessed for security impact.",[29,4965,4967],{"id":4966},"staying-audit-ready-year-round","Staying Audit-Ready Year-Round",[11,4969,4970],{},"The organizations that find surveillance audits painless are the ones that operate their ISMS continuously rather than in audit preparation sprints. 
Key practices include:",[55,4972,4973,4979,4985,4991],{},[58,4974,4975,4978],{},[61,4976,4977],{},"Monthly or quarterly control reviews"," where control owners verify their controls are operating and evidence is current.",[58,4980,4981,4984],{},[61,4982,4983],{},"Integrated processes"," where security reviews are embedded into change management, project management, and vendor management rather than running as separate tracks.",[58,4986,4987,4990],{},[61,4988,4989],{},"Automated evidence collection"," that captures control operation artifacts without manual effort.",[58,4992,4993,4996],{},[61,4994,4995],{},"Dashboard visibility"," so management and ISMS owners can see the current state of compliance at any time.",[11,4998,4999,5000,5003,5004,5006],{},"Tools like episki keep your risk register, ",[15,5001,5002],{"href":381},"SoA",", control evidence, and review schedules connected and current, making surveillance audits a verification of ongoing practice rather than a scramble to reconstruct twelve months of activity. 
Explore the full ",[15,5005,18],{"href":449}," framework to understand how surveillance fits into the broader compliance lifecycle.",{"title":452,"searchDepth":453,"depth":453,"links":5008},[5009,5010,5014,5015,5024,5025,5026,5027],{"id":4581,"depth":453,"text":4582},{"id":4623,"depth":453,"text":4624,"children":5011},[5012,5013],{"id":4630,"depth":459,"text":4631},{"id":4681,"depth":459,"text":4682},{"id":4708,"depth":453,"text":4709},{"id":4786,"depth":453,"text":4787,"children":5016},[5017,5018,5019,5020,5021,5022,5023],{"id":4793,"depth":459,"text":4794},{"id":4804,"depth":459,"text":4805},{"id":4811,"depth":459,"text":4812},{"id":4818,"depth":459,"text":4819},{"id":4828,"depth":459,"text":4829},{"id":4835,"depth":459,"text":4836},{"id":4842,"depth":459,"text":4843},{"id":4849,"depth":453,"text":4850},{"id":4879,"depth":453,"text":4880},{"id":4915,"depth":453,"text":4916},{"id":4966,"depth":453,"text":4967},"What happens after ISO 27001 certification, including annual surveillance audits, the three-year certification cycle, recertification requirements, and how to stay audit-ready.",{},[476,482],[487,1431,485,484,486],{"title":5033,"description":5034},"ISO 27001 Surveillance Audits — Annual Audits & Recertification Cycle","Understand ISO 27001 surveillance audits, the three-year certification cycle, recertification requirements, and strategies to stay audit-ready year-round.","5.frameworks\u002Fiso27001\u002Fsurveillance-audits","pzAi9DtvJ9EtuNmxMD1q_zg8FkmbFMwx7DY1ktDoK7I",{"id":5038,"title":5039,"advantages":5040,"body":5062,"checklist":5443,"cta":5454,"description":452,"extension":474,"faq":5457,"hero":5475,"meta":5491,"name":18,"navigation":479,"path":17,"resources":5492,"seo":5505,"slug":476,"stats":5508,"stem":5517,"__hash__":5518},"frameworks\u002F5.frameworks\u002Fiso27001.md","Iso27001",[5041,5048,5055],{"title":5042,"description":5043,"bullets":5044},"Statement of Applicability in minutes","Generate and maintain your SoA directly from your control 
graph with justification notes for every inclusion and exclusion.",[5045,5046,5047],"Auto-populate applicability status from existing controls","Link each control to risk treatment decisions","Export auditor-ready SoA documents on demand",{"title":5049,"description":5050,"bullets":5051},"Risk-driven control management","Connect your risk register to Annex A controls so treatment plans and evidence stay aligned as threats evolve.",[5052,5053,5054],"Risk assessment templates following ISO 27005 guidance","Heat maps show residual risk by domain","Treatment plans tie directly to control tasks and owners",{"title":5056,"description":5057,"bullets":5058},"Surveillance audit confidence","Keep your ISMS current between certification cycles with continuous monitoring and internal audit workflows.",[5059,5060,5061],"Automated evidence refresh and expiration alerts","Internal audit scheduling with finding tracking","Management review templates with trend data",{"type":8,"value":5063,"toc":5425},[5064,5068,5076,5079,5082,5085,5089,5092,5095,5098,5102,5105,5117,5121,5124,5131,5134,5136,5144,5147,5154,5157,5164,5167,5174,5178,5181,5225,5232,5238,5241,5244,5247,5253,5257,5260,5263,5272,5276,5279,5285,5288,5291,5297,5301,5304,5330,5337,5340,5343,5350,5354,5357,5364,5368,5371,5394,5400,5404,5407,5419,5422],[29,5065,5067],{"id":5066},"what-is-iso-27001","What is ISO 27001?",[11,5069,5070,5072,5073,5075],{},[15,5071,18],{"href":449}," is the world's most widely adopted international standard for information security management. Formally titled ISO\u002FIEC 27001, it defines the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System, or ",[15,5074,23],{"href":22},". 
Organizations that align with ISO 27001 commit to a risk-based, process-driven approach to protecting the confidentiality, integrity, and availability of the information they hold on behalf of customers, employees, and business partners.",[11,5077,5078],{},"The standard is published jointly by two bodies. The International Organization for Standardization (ISO), headquartered in Geneva, develops consensus-based standards across nearly every industry. The International Electrotechnical Commission (IEC) is its counterpart for electrotechnical and information technology standards. Together, their joint technical committee ISO\u002FIEC JTC 1\u002FSC 27 maintains the ISO 27001 family, which includes supporting documents such as ISO 27002 (implementation guidance) and ISO 27005 (risk management guidance).",[11,5080,5081],{},"ISO 27001 was first released in 2005, revised in 2013, and most recently updated in October 2022. The 2022 revision is now the only version against which new ISO 27001 certifications are issued. Any discussion of ISO 27001 today should default to this edition, which reorganized the control set and introduced eleven new controls addressing modern risks like threat intelligence, data masking, and secure coding.",[11,5083,5084],{},"At the heart of ISO 27001 is the concept of an ISMS. An ISMS is not a product you can buy or a checklist you can run through once. It is the living combination of policies, processes, people, and technology that your organization uses to identify information security risks, decide how to treat them, implement controls, measure effectiveness, and continually improve. ISO 27001 provides the blueprint. 
Your ISMS is the thing you build from that blueprint.",[29,5086,5088],{"id":5087},"why-iso-27001-matters","Why ISO 27001 matters",[11,5090,5091],{},"ISO 27001 is recognized in more than 160 countries and frequently shows up as a procurement requirement for enterprise technology contracts, financial services partnerships, public sector work, and any organization selling into European or APAC markets. Unlike self-attested programs, ISO 27001 certification is issued by an independent accredited certification body, which gives customers and regulators external assurance that your security practices are real and not marketing.",[11,5093,5094],{},"Beyond procurement, ISO 27001 brings discipline. Many organizations treat security as a reactive function that only activates after an incident or failed audit. The ISO 27001 approach forces proactive risk identification, documented decisions, and measurable effectiveness. Even teams that never pursue certification often adopt the ISO 27001 framework as an internal operating model because it is mature, well-documented, and maps cleanly to other standards.",[11,5096,5097],{},"ISO 27001 also signals organizational maturity to investors. Due diligence for Series B and later funding rounds almost always includes a security review. Holding an ISO 27001 certificate short-circuits much of that review and accelerates close.",[29,5099,5101],{"id":5100},"the-iso-27001-certification-process","The ISO 27001 certification process",[11,5103,5104],{},"ISO 27001 certification follows a standardized two-stage audit model used worldwide. A Stage 1 audit reviews your ISMS documentation and readiness. A Stage 2 audit evaluates whether your ISMS is actually implemented and effective in practice. If there are no major nonconformities, the certification body recommends certification and a three-year certificate is issued. 
Annual surveillance audits follow, with full recertification every three years.",[11,5106,5107,5108,5111,5112,5116],{},"For a deep walkthrough of every phase of the journey, including timelines, auditor expectations, and common pitfalls, see the ",[15,5109,5110],{"href":106},"ISO 27001 certification process guide",". If you are still evaluating whether to pursue ISO 27001 at all, the ",[15,5113,5115],{"href":5114},"\u002Fnow\u002Fiso27001-certification-guide","ISO 27001 certification guide"," covers the business case and sequencing decisions.",[29,5118,5120],{"id":5119},"iso-270012022-what-changed","ISO 27001:2022 — What changed",[11,5122,5123],{},"The 2022 revision is the current version of the standard. Two changes matter most for teams implementing ISO 27001 today.",[11,5125,5126,5127,5130],{},"First, the control set was restructured. The 2013 edition had 114 controls across 14 domains. ISO 27001:2022 consolidates these into ",[61,5128,5129],{},"93 controls across four themes",": organizational (37 controls), people (8 controls), physical (14 controls), and technological (34 controls). Eleven entirely new controls were introduced, including threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.",[11,5132,5133],{},"Second, the clause-level requirements in sections 4 through 10 received targeted updates around planning, leadership commitment, and operational control. The Plan-Do-Check-Act structure remains, but the language is tighter and more aligned with other ISO management system standards such as ISO 9001 and ISO 14001. Organizations holding ISO 27001:2013 certificates were given a transition window, and most have now migrated. 
New certifications are assessed exclusively against ISO 27001:2022.",[29,5135,2376],{"id":1431},[11,5137,5138,5139,5143],{},"Annex A of ISO 27001 is the reference control set. The ",[15,5140,5142],{"href":5141},"\u002Fglossary\u002Fannex-a","93 Annex A controls"," are organized under the four themes described above and represent the universe of possible safeguards your ISMS might apply. Every control must be evaluated for applicability and either implemented or formally excluded with justification.",[11,5145,5146],{},"Organizational controls cover governance, policy, third-party management, incident response, and business continuity. People controls address screening, training, responsibilities, and remote working. Physical controls protect buildings, equipment, and storage media. Technological controls handle access control, cryptography, logging, vulnerability management, secure development, and cloud security.",[11,5148,5149,5150,5153],{},"For a full breakdown of every theme, example controls in each, and how to prioritize implementation, see the ",[15,5151,5152],{"href":480},"ISO 27001 Annex A controls reference",". ISO 27002:2022 provides detailed implementation guidance for each control and is invaluable as a companion reference, though it is not mandatory to follow prescriptively.",[29,5155,4165],{"id":5156},"statement-of-applicability-soa",[11,5158,5159,5160,5163],{},"The ",[15,5161,382],{"href":5162},"\u002Fglossary\u002Fstatement-of-applicability"," is arguably the single most important document in your ISO 27001 program. The SoA lists every Annex A control, records whether it is applicable to your ISMS, explains why, and summarizes how the control is implemented. It is the document auditors will open first, and it is the document customers may ask to see.",[11,5165,5166],{},"A well-built SoA ties directly to your risk assessment output. 
Controls are marked applicable because they treat identified risks, satisfy legal or contractual requirements, or reflect business decisions; for each included control the SoA should also state whether it is implemented yet. Controls marked not applicable require a short but credible justification. The SoA must additionally list any necessary control you determined through risk treatment that Annex A does not cover, since Annex A is a reference set rather than an exhaustive one. Auditors routinely sample SoA entries during Stage 2 and ask for corresponding evidence.
mandatory activities. The ",[15,5229,5230],{"href":507},"ISO 27001 ISMS implementation guide"," breaks down exactly what to produce at each stage.",[11,5233,5234,5235,5237],{},"Scope definition deserves special attention. A scope that is too narrow can fail to satisfy customers. A scope that is too broad inflates audit cost and implementation effort. The ",[15,5236,769],{"href":768}," guide walks through how to draw the right boundaries for your business.",[29,5239,2361],{"id":5240},"iso-27001-risk-assessment",[11,5242,5243],{},"Risk assessment is the engine that drives control selection in ISO 27001. The standard requires a documented, repeatable methodology. Most organizations use a qualitative or semi-quantitative approach that evaluates likelihood and impact across confidentiality, integrity, and availability. ISO 27005 provides detailed guidance but is not mandatory.",[11,5245,5246],{},"Outputs of the risk assessment feed directly into the risk treatment plan, which in turn feeds the Statement of Applicability. This chain is why ISO 27001 auditors spend significant time tracing from a risk to a treatment decision to a control to evidence of operation. Break this chain and you create nonconformities.",[11,5248,5249,5250,108],{},"For methodology, risk register structure, treatment options, and residual risk handling, see the ",[15,5251,5252],{"href":369},"ISO 27001 risk assessment guide",[29,5254,5256],{"id":5255},"internal-audits-and-management-review","Internal audits and management review",[11,5258,5259],{},"Two activities inside Clause 9 are frequent failure points for first-time ISO 27001 certifiers. Clause 9.2 requires internal audits of the ISMS at planned intervals. Clause 9.3 requires a formal management review with defined inputs and outputs. Both must be complete before your Stage 2 audit.",[11,5261,5262],{},"Internal audits must cover every clause of ISO 27001 and every applicable Annex A control across your audit cycle. 
Auditors must be objective and impartial, which typically means the person who built a control cannot audit it. Findings must be documented, communicated, and tracked to closure.",[11,5264,5265,5266,753,5269,108],{},"Management reviews force leadership engagement. Inputs include audit results, risk changes, nonconformities, and stakeholder feedback. Outputs include decisions on resources, improvement opportunities, and changes to the ISMS. Detailed coverage lives in the ",[15,5267,5268],{"href":1534},"internal audit guide",[15,5270,5271],{"href":1513},"management review guide",[29,5273,5275],{"id":5274},"nonconformities-and-corrective-action","Nonconformities and corrective action",[11,5277,5278],{},"When something in your ISMS does not meet ISO 27001 requirements, your own policies, or customer obligations, that is a nonconformity. Clauses 10.1 and 10.2 require you to react, contain the consequences, perform root cause analysis, implement corrective action, and verify effectiveness.",[11,5280,5281,5282,5284],{},"Mature organizations treat nonconformities as valuable signals rather than failures. The ",[15,5283,1547],{"href":1546}," guide walks through the full CAPA workflow auditors expect to see.",[29,5286,5287],{"id":2212},"Continual improvement",[11,5289,5290],{},"Clause 10.3 requires continual improvement of the suitability, adequacy, and effectiveness of the ISMS. This is not about constantly changing controls. It is about demonstrating measurable progress over time through metrics, KPIs, trend analysis, and lessons learned.",[11,5292,5293,5294,108],{},"Learn how to set ISMS metrics that auditors respect and leadership actually uses in the ",[15,5295,5296],{"href":1896},"continual improvement guide",[29,5298,5300],{"id":5299},"cost-and-timeline","Cost and timeline",[11,5302,5303],{},"ISO 27001 certification costs vary by scope, organization size, and maturity. 
A realistic budget range for a first-time certification at a small to mid-sized technology company looks like this:",[55,5305,5306,5312,5318,5324],{},[58,5307,5308,5311],{},[61,5309,5310],{},"Internal effort."," Six to twelve months of fractional time from an ISMS owner plus contributions from engineering, HR, legal, and IT. Equivalent fully loaded cost of $50,000 to $200,000.",[58,5313,5314,5317],{},[61,5315,5316],{},"External consulting (optional)."," Gap analysis and implementation support from a consultancy typically runs $20,000 to $100,000 depending on scope.",[58,5319,5320,5323],{},[61,5321,5322],{},"Certification body fees."," Stage 1 and Stage 2 audits combined usually cost $15,000 to $40,000. Annual surveillance audits run $8,000 to $20,000. Recertification in year three runs similar to the initial audit.",[58,5325,5326,5329],{},[61,5327,5328],{},"Platform and tooling."," GRC platforms like episki typically replace $30,000 or more in spreadsheet-driven consulting labor annually.",[11,5331,5332,5333,5336],{},"Total first-year ISO 27001 program cost for a 50 to 200 person company commonly lands between $60,000 and $150,000 all-in. Timeline from kickoff to certificate in hand is typically nine to fifteen months. See the ",[15,5334,5335],{"href":106},"cost and timeline discussion in the certification process guide"," for more detail.",[29,5338,5339],{"id":901},"Choosing a certification body",[11,5341,5342],{},"Only an accredited certification body can issue a recognized ISO 27001 certificate. Accreditation is granted by national bodies such as UKAS in the United Kingdom, ANAB in the United States, and JAS-ANZ in Australia and New Zealand, all operating under the International Accreditation Forum (IAF). A certificate from a non-accredited body has little value with enterprise customers.",[11,5344,5345,5346,5349],{},"Selection criteria include accreditation scope, industry experience, auditor availability, geographic coverage, and cost transparency. 
The ",[15,5347,5348],{"href":865},"certification body selection guide"," walks through the full evaluation.",[29,5351,5353],{"id":5352},"surveillance-audits-and-recertification","Surveillance audits and recertification",[11,5355,5356],{},"Once certified, your ISO 27001 certificate is valid for three years. Certification bodies conduct a lighter annual surveillance audit in years one and two to confirm the ISMS is still operating effectively. A full recertification audit occurs in year three. Nonconformities identified during surveillance can put your certificate at risk if not resolved within the specified timeframe.",[11,5358,5359,5360,5363],{},"See the ",[15,5361,5362],{"href":438},"surveillance audits guide"," for preparation checklists and what auditors typically sample during year-one and year-two visits.",[29,5365,5367],{"id":5366},"iso-27001-vs-soc-2-vs-nist-csf","ISO 27001 vs SOC 2 vs NIST CSF",[11,5369,5370],{},"Customers and leadership teams frequently ask how ISO 27001 compares to other frameworks. The short version:",[55,5372,5373,5383],{},[58,5374,5375,5382],{},[61,5376,5377,5378,108],{},"ISO 27001 vs ",[15,5379,5381],{"href":5380},"\u002Fframeworks\u002Fsoc2","SOC 2"," ISO 27001 is an international certification of an ISMS. SOC 2 is a US-centric attestation of controls aligned with the AICPA Trust Services Criteria. SOC 2 produces a detailed report; ISO 27001 produces a certificate. SOC 2 is faster to complete and often preferred by US buyers. ISO 27001 is stronger for European customers and regulated industries. Many organizations run both, mapping controls once in a tool like episki.",[58,5384,5385,5388,5389,5393],{},[61,5386,5387],{},"ISO 27001 vs NIST CSF."," NIST CSF is a voluntary US framework structured around five functions: Identify, Protect, Detect, Respond, and Recover. It is not a certification. Organizations often use NIST CSF as a maturity assessment tool and ISO 27001 as the formal certification. 
The two map cleanly at the control level. See ",[15,5390,5392],{"href":5391},"\u002Fframeworks\u002Fnistcsf\u002Fmapping-to-other-frameworks","NIST CSF mapping to other frameworks"," for a side-by-side comparison.",[11,5395,5396,5397,5399],{},"If you are weighing which framework to pursue first, the ",[15,5398,5115],{"href":5114}," covers framework sequencing for growing companies.",[29,5401,5403],{"id":5402},"getting-certified-with-episki","Getting certified with episki",[11,5405,5406],{},"Most teams discover that ISO 27001 certification is less about security expertise and more about sustained, organized execution across months of risk assessments, control implementation, evidence collection, and documentation. Spreadsheet-based ISO 27001 programs tend to collapse under their own weight, especially when the certification cycle extends across surveillance audits and the 2022 transition creates additional documentation churn.",[11,5408,5409,5410,3636,5414,5418],{},"episki was built to collapse that effort. The platform ships with the full 93-control Annex A library pre-mapped, automatic Statement of Applicability generation, a risk register tied to ISO 27005 treatment options, internal audit workflows, management review templates, and continuous evidence collection. Customers regularly compare episki against more established vendors; see ",[15,5411,5413],{"href":5412},"\u002Fcompare\u002Fvanta","episki vs Vanta",[15,5415,5417],{"href":5416},"\u002Fcompare\u002Fdrata","episki vs Drata"," for honest side-by-side views.",[11,5420,5421],{},"Teams using episki typically cut ISO 27001 preparation time by 60 percent compared to manual approaches and arrive at Stage 2 with a clean, auditor-ready evidence pack. 
Whether you are starting from zero or migrating an existing ISO 27001:2013 program to the 2022 standard, the platform scales with your scope.",[11,5423,5424],{},"Start a free trial, import your controls, and run your first ISO 27001 gap analysis in under an hour.",{"title":452,"searchDepth":453,"depth":453,"links":5426},[5427,5428,5429,5430,5431,5432,5433,5434,5435,5436,5437,5438,5439,5440,5441,5442],{"id":5066,"depth":453,"text":5067},{"id":5087,"depth":453,"text":5088},{"id":5100,"depth":453,"text":5101},{"id":5119,"depth":453,"text":5120},{"id":1431,"depth":453,"text":2376},{"id":5156,"depth":453,"text":4165},{"id":5176,"depth":453,"text":5177},{"id":5240,"depth":453,"text":2361},{"id":5255,"depth":453,"text":5256},{"id":5274,"depth":453,"text":5275},{"id":2212,"depth":453,"text":5287},{"id":5299,"depth":453,"text":5300},{"id":901,"depth":453,"text":5339},{"id":5352,"depth":453,"text":5353},{"id":5366,"depth":453,"text":5367},{"id":5402,"depth":453,"text":5403},{"title":5444,"description":5445,"items":5446},"ISO 27001 certification checklist inside episki","Everything you need to scope, implement, and certify your ISMS is preloaded in your free trial.",[5447,5448,5449,5450,5451,5452,5453],"ISMS scope definition and context of the organization templates","Full Annex A control library with implementation guidance","Risk assessment and treatment plan workflows","Statement of Applicability generator","Internal audit programme with finding management","Management review agenda and output templates","Corrective action tracking with root cause analysis",{"title":5455,"description":5456},"Start your ISO 27001 journey today","Import your controls, define your ISMS scope, and generate your first Statement of Applicability in under an hour.",{"title":5458,"items":5459},"ISO 27001 frequently asked questions",[5460,5463,5466,5469,5472],{"label":5461,"content":5462},"How long does ISO 27001 certification take?","Most organizations achieve certification in 6-12 months 
depending on scope and existing maturity. The process includes a Stage 1 documentation review and a Stage 2 implementation audit. episki reduces preparation time by up to 60% with pre-mapped controls and automated evidence.",{"label":5464,"content":5465},"What is the difference between ISO 27001 and SOC 2?","ISO 27001 is an international certification standard focused on building a complete information security management system (ISMS). SOC 2 is a US-based attestation that evaluates specific Trust Services Criteria. Many companies pursue both, and episki lets you map controls once and reuse them across frameworks.",{"label":5467,"content":5468},"What is an ISMS?","An Information Security Management System (ISMS) is the set of policies, procedures, controls, and processes an organization uses to manage information security risk. ISO 27001 provides the framework for establishing, implementing, maintaining, and continually improving an ISMS.",{"label":5470,"content":5471},"How much does ISO 27001 certification cost?","Certification costs vary by organization size and scope but typically range from $30,000 to $80,000 including auditor fees, with ongoing surveillance audit costs annually. episki's flat-rate pricing keeps the platform cost predictable at $500\u002Fmonth.",{"label":5473,"content":5474},"How often are ISO 27001 surveillance audits?","After initial certification, surveillance audits occur annually to confirm your ISMS remains effective. A full recertification audit is required every three years. 
episki's continuous monitoring keeps evidence current between audits.",{"headline":5476,"title":5477,"description":5478,"links":5479},"ISO 27001 certification on your timeline","Build and maintain your ISMS without drowning in spreadsheets","episki maps Annex A controls, tracks your Statement of Applicability, and keeps risk treatment plans linked to real evidence so certification audits run smoothly.",[5480,5484],{"label":5481,"icon":5482,"to":5483},"Start ISO 27001 trial","i-lucide-rocket","https:\u002F\u002Fepiski.app\u002Fauth\u002Fregister",{"label":5485,"icon":5486,"color":5487,"variant":5488,"to":5489,"target":5490},"Book a demo","i-lucide-message-circle","neutral","subtle","https:\u002F\u002Fcalendly.com\u002Fjustinleapline\u002Fepiski-demo","_blank",{},{"headline":5493,"title":5493,"description":5494,"items":5495},"ISO 27001 certification resources","Give leadership, auditors, and customers visibility into your ISMS maturity.",[5496,5499,5502],{"title":5497,"description":5498},"ISMS maturity dashboard","Visual progress across all Annex A domains with gap analysis and trending.",{"title":5500,"description":5501},"Auditor collaboration portal","Scoped access for certification bodies with evidence requests and Q&A threads.",{"title":5503,"description":5504},"Customer trust pack","Shareable ISO 27001 certification summary with scope details and control highlights.",{"title":5506,"description":5507},"ISO 27001 Compliance Platform","Build and certify your ISMS faster with episki. Annex A control mapping, SoA generation, and risk treatment plans in one workspace. 
Free 14-day trial.",[5509,5511,5514],{"value":5142,"description":5510},"Pre-mapped to your control graph with owners, evidence, and review cadences.",{"value":5512,"description":5513},"60% less prep","Average reduction in Stage 2 audit preparation time with episki's automation.",{"value":5515,"description":5516},"Continuous compliance","Surveillance audits stay painless with always-current evidence and risk registers.","5.frameworks\u002Fiso27001","fLJWn_ae0AR8PEz8xvdjLxG0f-8ic96hI5mgt8HsEmg",[5520,5737,5978,6125],{"id":5521,"title":5522,"body":5523,"description":452,"extension":474,"lastUpdated":477,"meta":5723,"navigation":479,"path":5724,"relatedFrameworks":5725,"relatedTerms":5729,"seo":5732,"slug":2210,"stem":5735,"term":5528,"__hash__":5736},"glossary\u002F8.glossary\u002Fevidence-collection.md","Evidence Collection",{"type":8,"value":5524,"toc":5713},[5525,5529,5532,5536,5539,5553,5557,5560,5610,5614,5617,5623,5629,5635,5639,5683,5687,5704,5706],[29,5526,5528],{"id":5527},"what-is-evidence-collection","What is Evidence Collection?",[11,5530,5531],{},"Evidence collection is the systematic process of gathering, organizing, and maintaining documentation that demonstrates security controls are implemented and operating effectively. It is a critical activity for any compliance program — without evidence, an organization cannot prove to auditors, customers, or regulators that its controls actually work.",[44,5533,5535],{"id":5534},"why-evidence-collection-matters","Why evidence collection matters",[11,5537,5538],{},"Controls that exist only in policy documents are insufficient. Auditors and assessors require proof that controls are executed consistently. 
Evidence collection bridges the gap between \"we have a policy\" and \"we follow the policy.\" Without organized evidence:",[55,5540,5541,5544,5547,5550],{},[58,5542,5543],{},"Audits take longer and cost more due to scrambling for documentation",[58,5545,5546],{},"Control gaps go undetected until audit time",[58,5548,5549],{},"Audit opinions may be qualified due to insufficient evidence",[58,5551,5552],{},"Customer trust erodes when security claims cannot be substantiated",[44,5554,5556],{"id":5555},"types-of-evidence","Types of evidence",[11,5558,5559],{},"Evidence takes many forms depending on the control being demonstrated:",[55,5561,5562,5568,5574,5580,5586,5592,5598,5604],{},[58,5563,5564,5567],{},[61,5565,5566],{},"Screenshots"," — system configurations, access control settings, dashboard views",[58,5569,5570,5573],{},[61,5571,5572],{},"Logs"," — audit logs, access logs, change management logs, security event logs",[58,5575,5576,5579],{},[61,5577,5578],{},"Documents"," — policies, procedures, meeting minutes, training records",[58,5581,5582,5585],{},[61,5583,5584],{},"Tickets"," — change management tickets, incident response tickets, access request tickets",[58,5587,5588,5591],{},[61,5589,5590],{},"Reports"," — vulnerability scan reports, penetration test reports, risk assessment reports",[58,5593,5594,5597],{},[61,5595,5596],{},"Certifications"," — employee training certificates, vendor SOC 2 reports, compliance attestations",[58,5599,5600,5603],{},[61,5601,5602],{},"Configurations"," — infrastructure-as-code files, system configuration exports",[58,5605,5606,5609],{},[61,5607,5608],{},"Interviews"," — auditor interviews with control owners (for live audits)",[44,5611,5613],{"id":5612},"evidence-collection-approaches","Evidence collection approaches",[11,5615,5616],{},"Organizations typically use one of three approaches:",[11,5618,5619,5622],{},[61,5620,5621],{},"Manual collection"," — control owners manually gather screenshots, exports, and documents on a 
scheduled basis. This is the most common starting point but is labor-intensive and error-prone.",[11,5624,5625,5628],{},[61,5626,5627],{},"Semi-automated collection"," — integrations with key systems (cloud providers, identity providers, ticketing systems) automatically pull evidence, supplemented by manual collection for controls without integration support.",[11,5630,5631,5634],{},[61,5632,5633],{},"Continuous automated collection"," — deep integrations with infrastructure and applications automatically collect and organize evidence on an ongoing basis, with minimal manual intervention.",[44,5636,5638],{"id":5637},"best-practices-for-evidence-collection","Best practices for evidence collection",[55,5640,5641,5647,5653,5659,5665,5671,5677],{},[58,5642,5643,5646],{},[61,5644,5645],{},"Define evidence requirements upfront"," — for each control, specify what evidence is needed, how often it should be collected, and who is responsible",[58,5648,5649,5652],{},[61,5650,5651],{},"Collect continuously, not just before audits"," — evidence collected throughout the period is more credible than evidence gathered in a rush before the audit",[58,5654,5655,5658],{},[61,5656,5657],{},"Timestamp everything"," — evidence must demonstrate when the control was operating, not just that it exists",[58,5660,5661,5664],{},[61,5662,5663],{},"Organize by control"," — structure evidence so it maps directly to controls and framework requirements",[58,5666,5667,5670],{},[61,5668,5669],{},"Maintain chain of custody"," — ensure evidence cannot be tampered with after collection",[58,5672,5673,5676],{},[61,5674,5675],{},"Review evidence quality"," — periodically verify that collected evidence actually demonstrates the control is working",[58,5678,5679,5682],{},[61,5680,5681],{},"Retain evidence appropriately"," — keep evidence for the required retention period (typically matching the audit cycle plus any regulatory requirements)",[44,5684,5686],{"id":5685},"common-challenges","Common 
challenges",[55,5688,5689,5692,5695,5698,5701],{},[58,5690,5691],{},"Evidence collection is distributed across many teams and systems",[58,5693,5694],{},"Control owners forget to collect on schedule",[58,5696,5697],{},"Evidence quality varies — screenshots may be unclear or incomplete",[58,5699,5700],{},"Evidence becomes stale if not collected at the right frequency",[58,5702,5703],{},"Storing and organizing large volumes of evidence is difficult without proper tooling",[44,5705,816],{"id":815},[11,5707,5708,5709,108],{},"episki automates evidence collection through integrations with cloud providers, identity systems, and development tools. The platform assigns collection tasks to control owners, sends reminders, validates evidence quality, and organizes everything by control and framework. When audit time arrives, evidence is already collected and organized. Learn more on our ",[15,5710,5712],{"href":5711},"\u002Fframeworks","compliance platform",{"title":452,"searchDepth":453,"depth":453,"links":5714},[5715],{"id":5527,"depth":453,"text":5528,"children":5716},[5717,5718,5719,5720,5721,5722],{"id":5534,"depth":459,"text":5535},{"id":5555,"depth":459,"text":5556},{"id":5612,"depth":459,"text":5613},{"id":5637,"depth":459,"text":5638},{"id":5685,"depth":459,"text":5686},{"id":815,"depth":459,"text":816},{},"\u002Fglossary\u002Fevidence-collection",[5726,476,5727,5728],"soc2","hipaa","pci",[2209,5730,1898,5731],"soc2-type-2","control-objectives",{"title":5733,"description":5734},"What is Evidence Collection? 
Definition & Compliance Guide","Evidence collection is the process of gathering documentation that proves security controls are implemented and operating effectively for compliance audits.","8.glossary\u002Fevidence-collection","GPkRF1T5KoTAunaW0xisMR-w9mNhEBY90EzK_CfJono",{"id":5738,"title":5739,"body":5740,"description":452,"extension":474,"lastUpdated":477,"meta":5963,"navigation":479,"path":5964,"relatedFrameworks":5965,"relatedTerms":5968,"seo":5973,"slug":3742,"stem":5976,"term":5745,"__hash__":5977},"glossary\u002F8.glossary\u002Fincident-response.md","Incident Response",{"type":8,"value":5741,"toc":5953},[5742,5746,5749,5753,5756,5761,5781,5786,5803,5808,5825,5830,5847,5851,5854,5892,5896,5920,5924,5927,5929,5946,5948],[29,5743,5745],{"id":5744},"what-is-incident-response","What is Incident Response?",[11,5747,5748],{},"Incident response (IR) is the organized approach to detecting, managing, and recovering from security incidents such as data breaches, malware infections, unauthorized access, and denial-of-service attacks. An effective incident response program minimizes damage, reduces recovery time, and preserves evidence for investigation and compliance purposes.",[44,5750,5752],{"id":5751},"the-incident-response-lifecycle","The incident response lifecycle",[11,5754,5755],{},"Most incident response programs follow the NIST SP 800-61 framework, which defines four phases:",[11,5757,5758],{},[61,5759,5760],{},"1. Preparation",[55,5762,5763,5766,5769,5772,5775,5778],{},[58,5764,5765],{},"Develop and document the incident response plan",[58,5767,5768],{},"Establish the incident response team and define roles",[58,5770,5771],{},"Deploy detection and monitoring tools",[58,5773,5774],{},"Conduct training and tabletop exercises",[58,5776,5777],{},"Establish communication channels and escalation procedures",[58,5779,5780],{},"Prepare forensic tools and evidence collection procedures",[11,5782,5783],{},[61,5784,5785],{},"2. 
Detection and analysis",[55,5787,5788,5791,5794,5797,5800],{},[58,5789,5790],{},"Monitor systems for indicators of compromise (IOCs)",[58,5792,5793],{},"Triage alerts to distinguish real incidents from false positives",[58,5795,5796],{},"Determine the scope, severity, and impact of the incident",[58,5798,5799],{},"Classify the incident (data breach, malware, unauthorized access, etc.)",[58,5801,5802],{},"Document findings and initial assessment",[11,5804,5805],{},[61,5806,5807],{},"3. Containment, eradication, and recovery",[55,5809,5810,5813,5816,5819,5822],{},[58,5811,5812],{},"Contain the incident to prevent further damage (short-term and long-term containment)",[58,5814,5815],{},"Eradicate the root cause (remove malware, close vulnerabilities, revoke compromised credentials)",[58,5817,5818],{},"Recover affected systems to normal operations",[58,5820,5821],{},"Verify that systems are clean and functioning properly",[58,5823,5824],{},"Monitor for signs of recurring activity",[11,5826,5827],{},[61,5828,5829],{},"4. 
Post-incident activity",[55,5831,5832,5835,5838,5841,5844],{},[58,5833,5834],{},"Conduct a lessons-learned review",[58,5836,5837],{},"Document the incident timeline, actions taken, and outcomes",[58,5839,5840],{},"Identify improvements to prevent similar incidents",[58,5842,5843],{},"Update the incident response plan based on lessons learned",[58,5845,5846],{},"Fulfill any regulatory notification requirements",[44,5848,5850],{"id":5849},"incident-response-team","Incident response team",[11,5852,5853],{},"An incident response team typically includes:",[55,5855,5856,5862,5868,5874,5880,5886],{},[58,5857,5858,5861],{},[61,5859,5860],{},"Incident commander"," — leads the response effort and makes key decisions",[58,5863,5864,5867],{},[61,5865,5866],{},"Security analysts"," — perform technical investigation and containment",[58,5869,5870,5873],{},[61,5871,5872],{},"IT operations"," — support system recovery and infrastructure changes",[58,5875,5876,5879],{},[61,5877,5878],{},"Legal counsel"," — advise on regulatory obligations and liability",[58,5881,5882,5885],{},[61,5883,5884],{},"Communications"," — manage internal and external communications",[58,5887,5888,5891],{},[61,5889,5890],{},"Executive sponsor"," — provides management authority and resources",[44,5893,5895],{"id":5894},"incident-response-in-compliance-frameworks","Incident response in compliance frameworks",[55,5897,5898,5903,5908,5914],{},[58,5899,5900,5902],{},[61,5901,5381],{}," — CC7.3 and CC7.4 require procedures for responding to identified security events and recovering from incidents",[58,5904,5905,5907],{},[61,5906,18],{}," — controls A.5.24 through A.5.28 address incident management planning, assessment, response, and learning",[58,5909,5910,5913],{},[61,5911,5912],{},"HIPAA"," — the Security Rule requires security incident procedures (45 CFR 164.308(a)(6)), and the Breach Notification Rule mandates notification following PHI breaches",[58,5915,5916,5919],{},[61,5917,5918],{},"NIST CSF"," — the 
Respond function (RS) addresses response planning, communications, analysis, mitigation, and improvements",[44,5921,5923],{"id":5922},"tabletop-exercises","Tabletop exercises",[11,5925,5926],{},"Regular tabletop exercises test the incident response plan in a low-pressure setting. The team walks through a hypothetical scenario, discussing decisions and actions at each stage. Tabletop exercises help identify gaps in the plan, clarify roles, and build team readiness without the stress of a real incident.",[44,5928,774],{"id":773},[55,5930,5931,5934,5937,5940,5943],{},[58,5932,5933],{},"No documented incident response plan",[58,5935,5936],{},"Team members unsure of their roles during an incident",[58,5938,5939],{},"Failure to preserve evidence for investigation",[58,5941,5942],{},"Delayed or incomplete regulatory notification",[58,5944,5945],{},"Not conducting post-incident reviews",[44,5947,816],{"id":815},[11,5949,5950,5951,108],{},"episki provides incident response plan templates, tracks tabletop exercises, and maintains documentation for compliance evidence. The platform includes breach notification workflows with timeline tracking to ensure regulatory deadlines are met. Learn more on our ",[15,5952,5712],{"href":5711},{"title":452,"searchDepth":453,"depth":453,"links":5954},[5955],{"id":5744,"depth":453,"text":5745,"children":5956},[5957,5958,5959,5960,5961,5962],{"id":5751,"depth":459,"text":5752},{"id":5849,"depth":459,"text":5850},{"id":5894,"depth":459,"text":5895},{"id":5922,"depth":459,"text":5923},{"id":773,"depth":459,"text":774},{"id":815,"depth":459,"text":816},{},"\u002Fglossary\u002Fincident-response",[5966,5726,476,5727,5967],"cmmc","nistcsf",[5969,2209,5970,5971,5972],"breach-notification","remediation","business-continuity","disaster-recovery",{"title":5974,"description":5975},"What is Incident Response? Definition & Compliance Guide","Incident response is the organized process of detecting, containing, and recovering from security incidents. 
Learn the phases, team roles, and compliance needs.","8.glossary\u002Fincident-response","wI-2eu6GpQhNaM-9HugoG6QV1SSFpvo9NxdYzjxUGIE",{"id":5979,"title":5980,"body":5981,"description":452,"extension":474,"lastUpdated":477,"meta":6115,"navigation":479,"path":22,"relatedFrameworks":6116,"relatedTerms":6117,"seo":6120,"slug":482,"stem":6123,"term":5467,"__hash__":6124},"glossary\u002F8.glossary\u002Fisms.md","Isms",{"type":8,"value":5982,"toc":6106},[5983,5986,5992,5996,5999,6013,6017,6020,6056,6060,6063,6089,6093,6096,6100],[29,5984,5467],{"id":5985},"what-is-an-isms",[11,5987,5988,5989,5991],{},"An ISMS (Information Security Management System) is a systematic framework of policies, processes, and controls that an organization uses to manage information security risks. It is the core requirement of ",[15,5990,18],{"href":17}," certification.",[44,5993,5995],{"id":5994},"purpose","Purpose",[11,5997,5998],{},"An ISMS provides a structured approach to:",[55,6000,6001,6004,6007,6010],{},[58,6002,6003],{},"Identifying information security risks and opportunities",[58,6005,6006],{},"Implementing controls proportionate to those risks",[58,6008,6009],{},"Monitoring and measuring security performance",[58,6011,6012],{},"Continually improving the security posture",[44,6014,6016],{"id":6015},"key-components","Key components",[11,6018,6019],{},"An effective ISMS typically includes:",[55,6021,6022,6028,6034,6040,6045,6051],{},[58,6023,6024,6027],{},[61,6025,6026],{},"Information security policy"," — top-level commitment from leadership",[58,6029,6030,6033],{},[61,6031,6032],{},"Risk assessment methodology"," — how the organization identifies, analyzes, and evaluates risks",[58,6035,6036,6039],{},[61,6037,6038],{},"Risk treatment plan"," — how identified risks are addressed (mitigate, accept, transfer, avoid)",[58,6041,6042,6044],{},[61,6043,382],{}," — which controls from Annex A apply and why",[58,6046,6047,6050],{},[61,6048,6049],{},"Internal audit program"," — regular reviews 
of ISMS effectiveness",[58,6052,6053,6055],{},[61,6054,3459],{}," — leadership evaluation of ISMS performance and direction",[44,6057,6059],{"id":6058},"isms-lifecycle","ISMS lifecycle",[11,6061,6062],{},"The ISMS follows a Plan-Do-Check-Act (PDCA) cycle:",[952,6064,6065,6071,6077,6083],{},[58,6066,6067,6070],{},[61,6068,6069],{},"Plan"," — establish objectives, policies, and processes for managing risk",[58,6072,6073,6076],{},[61,6074,6075],{},"Do"," — implement and operate the ISMS",[58,6078,6079,6082],{},[61,6080,6081],{},"Check"," — monitor, measure, and review against objectives",[58,6084,6085,6088],{},[61,6086,6087],{},"Act"," — take corrective actions and improve",[44,6090,6092],{"id":6091},"isms-vs-individual-controls","ISMS vs individual controls",[11,6094,6095],{},"An ISMS is not a list of controls — it is the management system that governs how controls are selected, implemented, monitored, and improved. Individual controls (like access management or encryption) operate within the ISMS framework.",[44,6097,6099],{"id":6098},"how-episki-supports-your-isms","How episki supports your ISMS",[11,6101,6102,6103,108],{},"episki provides the workspace for building and operating an ISMS: control libraries, risk registers, evidence tracking, ownership assignment, and review cadences. Learn more on our ",[15,6104,6105],{"href":17},"ISO 27001 page",{"title":452,"searchDepth":453,"depth":453,"links":6107},[6108],{"id":5985,"depth":453,"text":5467,"children":6109},[6110,6111,6112,6113,6114],{"id":5994,"depth":459,"text":5995},{"id":6015,"depth":459,"text":6016},{"id":6058,"depth":459,"text":6059},{"id":6091,"depth":459,"text":6092},{"id":6098,"depth":459,"text":6099},{},[476],[476,6118,484,6119],"annex-a","risk-treatment-plan",{"title":6121,"description":6122},"What is an ISMS? Information Security Management System Explained","An ISMS is a systematic framework for managing information security risks. 
Learn how an ISMS works, its components, and how it relates to ISO 27001 certification.","8.glossary\u002Fisms","rQdOoLmkQHwR1X4s6Q3AKwrLHhTEhcrGfNMBNM1CSvg",{"id":6126,"title":5039,"body":6127,"description":452,"extension":474,"lastUpdated":477,"meta":6712,"navigation":479,"path":449,"relatedFrameworks":6713,"relatedTerms":6714,"seo":6716,"slug":476,"stem":6719,"term":5067,"__hash__":6720},"glossary\u002F8.glossary\u002Fiso27001.md",{"type":8,"value":6128,"toc":6700},[6129,6131,6137,6145,6147,6170,6173,6176,6216,6220,6223,6249,6252,6255,6275,6279,6282,6337,6340,6344,6347,6353,6359,6365,6371,6377,6380,6382,6385,6469,6472,6475,6507,6510,6515,6529,6533,6536,6649,6652,6655,6658,6684,6690,6694],[29,6130,5067],{"id":5066},[11,6132,6133,6134,6136],{},"ISO 27001 is an international standard published by the International Organization for Standardization (ISO) that specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (",[15,6135,23],{"href":22},").",[11,6138,6139,6140,6144],{},"First published in 2005 and most recently revised in 2022, ISO 27001 is the world's most widely adopted information security framework. It takes a risk-based approach: rather than prescribing a fixed checklist, it requires organizations to identify their own security risks and select controls appropriate to their context. 
Certification is granted by accredited third-party ",[15,6141,6143],{"href":6142},"\u002Fglossary\u002Fcertification-body","certification bodies"," after a formal audit process.",[44,6146,6016],{"id":6015},[55,6148,6149,6154,6159,6164],{},[58,6150,6151,6153],{},[61,6152,23],{}," — a systematic approach to managing sensitive information through people, processes, and technology",[58,6155,6156,6158],{},[61,6157,2376],{}," — a reference set of 93 controls (in the 2022 revision) organized into four themes: organizational, people, physical, and technological",[58,6160,6161,6163],{},[61,6162,4165],{}," — a document listing which Annex A controls apply and justifying any exclusions",[58,6165,6166,6169],{},[61,6167,6168],{},"Risk assessment"," — a formal process for identifying and treating information security risks",[44,6171,6172],{"id":487},"Certification process",[11,6174,6175],{},"ISO 27001 certification involves:",[952,6177,6178,6184,6189,6194,6199,6204,6210],{},[58,6179,6180,6183],{},[61,6181,6182],{},"Gap analysis"," — compare current practices against the standard",[58,6185,6186,6188],{},[61,6187,752],{}," — build policies, controls, and processes",[58,6190,6191,6193],{},[61,6192,3426],{}," — verify the ISMS works as intended",[58,6195,6196,6198],{},[61,6197,1148],{}," — external auditor reviews documentation",[58,6200,6201,6203],{},[61,6202,1164],{}," — external auditor tests operational effectiveness",[58,6205,6206,6209],{},[61,6207,6208],{},"Surveillance audits"," — annual reviews to maintain certification",[58,6211,6212,6215],{},[61,6213,6214],{},"Recertification"," — full audit every three years",[44,6217,6219],{"id":6218},"who-needs-iso-27001","Who needs ISO 27001?",[11,6221,6222],{},"ISO 27001 certification is voluntary — no law mandates it — but it is increasingly expected by enterprise buyers and procurement teams. 
Organizations that benefit most include:",[55,6224,6225,6231,6237,6243],{},[58,6226,6227,6230],{},[61,6228,6229],{},"Companies targeting international customers"," — ISO 27001 is the de facto security standard in Europe, APAC, and the Middle East. Without it, you may not make it past vendor questionnaires.",[58,6232,6233,6236],{},[61,6234,6235],{},"Regulated industries"," — Financial services, healthcare, and government contractors often require suppliers to hold ISO 27001 certification as a baseline.",[58,6238,6239,6242],{},[61,6240,6241],{},"SaaS and cloud providers"," — Enterprise buyers routinely ask for ISO 27001 during procurement. It signals that your security program is structured and externally validated.",[58,6244,6245,6248],{},[61,6246,6247],{},"Organizations scaling into new markets"," — If you already serve the US with a SOC 2, adding ISO 27001 opens doors globally without rebuilding your program from scratch.",[11,6250,6251],{},"Even when not contractually required, holding the certification reduces the time spent answering security questionnaires and builds trust with prospects before the first sales call.",[11,6253,6254],{},"ISO 27001 is especially valued in:",[55,6256,6257,6263,6269],{},[58,6258,6259,6262],{},[61,6260,6261],{},"Europe"," — GDPR-conscious buyers view it as evidence of mature data protection practices.",[58,6264,6265,6268],{},[61,6266,6267],{},"APAC"," — Markets like Japan, Australia, and Singapore treat it as a baseline requirement for technology vendors.",[58,6270,6271,6274],{},[61,6272,6273],{},"Global enterprises"," — Companies like Google, Microsoft, and Salesforce require ISO 27001 from critical suppliers in their vendor risk management programs.",[44,6276,6278],{"id":6277},"iso-270012022-changes","ISO 27001:2022 changes",[11,6280,6281],{},"The 2022 revision of ISO 27001 (formally ISO\u002FIEC 27001:2022) brought the most significant structural changes since the standard's 2013 edition. 
The core ISMS requirements in clauses 4–10 received minor wording updates, but Annex A was overhauled:",[55,6283,6284,6290,6296],{},[58,6285,6286,6289],{},[61,6287,6288],{},"Restructured from 14 categories to 4 themes"," — The previous 14-domain layout was replaced with four broad themes: organizational, people, physical, and technological.",[58,6291,6292,6295],{},[61,6293,6294],{},"Consolidated from 114 controls to 93"," — Controls were merged and reorganized, not removed. The reduction reflects overlapping controls being combined into more coherent groupings.",[58,6297,6298,6301,6302],{},[61,6299,6300],{},"11 new controls added"," — The 2022 revision introduced controls that reflect the modern threat landscape, including:\n",[55,6303,6304,6307,6310,6313,6316,6319,6322,6325,6328,6331,6334],{},[58,6305,6306],{},"Threat intelligence",[58,6308,6309],{},"Information security for cloud services",[58,6311,6312],{},"ICT readiness for business continuity",[58,6314,6315],{},"Physical security monitoring",[58,6317,6318],{},"Configuration management",[58,6320,6321],{},"Information deletion",[58,6323,6324],{},"Data masking",[58,6326,6327],{},"Data leakage prevention",[58,6329,6330],{},"Monitoring activities",[58,6332,6333],{},"Web filtering",[58,6335,6336],{},"Secure coding",[11,6338,6339],{},"Organizations certified under the 2013 edition were required to transition to the 2022 revision by October 31, 2025. New certifications are issued exclusively against the 2022 standard.",[44,6341,6343],{"id":6342},"the-annex-a-control-themes","The Annex A control themes",[11,6345,6346],{},"The four themes in Annex A group controls by domain rather than by the asset or process they protect. This makes it easier to assign ownership and track implementation progress.",[11,6348,6349,6352],{},[61,6350,6351],{},"Organizational controls (37 controls)","\nThese cover governance, policies, and management-level activities. 
Examples include information security policies, defined roles and responsibilities, threat intelligence, asset management, access control policies, supplier security, and incident management.",[11,6354,6355,6358],{},[61,6356,6357],{},"People controls (8 controls)","\nFocused on the human side of security. Examples include pre-employment screening, information security awareness and training, disciplinary processes, responsibilities after termination, remote working arrangements, and confidentiality agreements.",[11,6360,6361,6364],{},[61,6362,6363],{},"Physical controls (14 controls)","\nAddress the protection of physical spaces and equipment. Examples include physical security perimeters, physical entry controls, securing offices and facilities, equipment maintenance, storage media handling, and supporting utility security.",[11,6366,6367,6370],{},[61,6368,6369],{},"Technological controls (34 controls)","\nCover technical safeguards applied to IT systems. Examples include user endpoint devices, privileged access rights, access restriction to information, secure authentication, capacity management, protection against malware, management of technical vulnerabilities, logging, network security, encryption, secure development lifecycle, and data masking.",[11,6372,6373,6374,6376],{},"Together, the 93 controls form the reference set from which you build your ",[15,6375,382],{"href":5162},". Not every control will apply — the SoA documents which you selected and why you excluded the rest.",[11,6378,6379],{},"A common approach is to assign theme ownership: IT leads technological controls, HR owns people controls, facilities manages physical controls, and a GRC or security team coordinates organizational controls. This clear division of responsibility is one reason the 2022 restructuring was widely welcomed by practitioners.",[44,6381,5300],{"id":5299},[11,6383,6384],{},"ISO 27001 certification is a significant investment in both money and internal effort. 
Typical ranges depend on organization size, complexity, and existing maturity:",[1102,6386,6387,6403],{},[1105,6388,6389],{},[1108,6390,6391,6394,6397,6400],{},[1111,6392,6393],{},"Factor",[1111,6395,6396],{},"Small org (\u003C 50 employees)",[1111,6398,6399],{},"Mid-size org (50–500)",[1111,6401,6402],{},"Enterprise (500+)",[1118,6404,6405,6421,6437,6453],{},[1108,6406,6407,6412,6415,6418],{},[1123,6408,6409],{},[61,6410,6411],{},"Implementation cost",[1123,6413,6414],{},"$30K–$50K",[1123,6416,6417],{},"$50K–$100K",[1123,6419,6420],{},"$100K+",[1108,6422,6423,6428,6431,6434],{},[1123,6424,6425],{},[61,6426,6427],{},"Timeline to certification",[1123,6429,6430],{},"6–9 months",[1123,6432,6433],{},"9–12 months",[1123,6435,6436],{},"12–18 months",[1108,6438,6439,6444,6447,6450],{},[1123,6440,6441],{},[61,6442,6443],{},"Certification audit fees",[1123,6445,6446],{},"$10K–$20K",[1123,6448,6449],{},"$20K–$40K",[1123,6451,6452],{},"$40K–$80K",[1108,6454,6455,6460,6463,6466],{},[1123,6456,6457],{},[61,6458,6459],{},"Annual surveillance audits",[1123,6461,6462],{},"$5K–$15K",[1123,6464,6465],{},"$15K–$25K",[1123,6467,6468],{},"$25K–$50K",[11,6470,6471],{},"These figures include consulting, tooling, auditor fees, and remediation. 
They do not include the internal time your team spends building policies, gathering evidence, and running internal audits — which is often the largest hidden cost.",[11,6473,6474],{},"The implementation timeline typically breaks down as:",[952,6476,6477,6483,6489,6495,6501],{},[58,6478,6479,6482],{},[61,6480,6481],{},"Months 1–2"," — Scoping, gap analysis, and risk assessment",[58,6484,6485,6488],{},[61,6486,6487],{},"Months 3–6"," — Policy development, control implementation, and staff training",[58,6490,6491,6494],{},[61,6492,6493],{},"Months 7–8"," — Internal audit and management review",[58,6496,6497,6500],{},[61,6498,6499],{},"Months 9–10"," — Stage 1 audit (documentation review)",[58,6502,6503,6506],{},[61,6504,6505],{},"Months 10–12"," — Remediation and Stage 2 audit (operational effectiveness)",[11,6508,6509],{},"After certification, expect ongoing costs for surveillance audits (annually) and a full recertification audit every three years.",[11,6511,6512],{},[61,6513,6514],{},"Tips for reducing cost and timeline:",[55,6516,6517,6520,6523,6526],{},[58,6518,6519],{},"Start with a gap analysis to avoid over-investing in areas you already cover.",[58,6521,6522],{},"Reuse existing policies and evidence from SOC 2 or NIST CSF if you have them.",[58,6524,6525],{},"Use a GRC platform to centralize evidence collection and automate control tracking.",[58,6527,6528],{},"Engage your certification body early for a pre-assessment to surface surprises before the formal audit.",[44,6530,6532],{"id":6531},"how-iso-27001-maps-to-other-frameworks","How ISO 27001 maps to other frameworks",[11,6534,6535],{},"If your organization already operates under another framework, ISO 27001 will share significant control overlap. 
Mapping controls across frameworks reduces duplicate work and accelerates certification timelines.",[1102,6537,6538,6553],{},[1105,6539,6540],{},[1108,6541,6542,6544,6546,6548,6550],{},[1111,6543],{},[1111,6545,18],{},[1111,6547,5381],{},[1111,6549,5918],{},[1111,6551,6552],{},"PCI DSS",[1118,6554,6555,6574,6592,6611,6630],{},[1108,6556,6557,6562,6565,6568,6571],{},[1123,6558,6559],{},[61,6560,6561],{},"Type",[1123,6563,6564],{},"Certifiable standard",[1123,6566,6567],{},"Attestation report",[1123,6569,6570],{},"Voluntary framework",[1123,6572,6573],{},"Mandatory standard",[1108,6575,6576,6580,6583,6586,6589],{},[1123,6577,6578],{},[61,6579,4731],{},[1123,6581,6582],{},"Global",[1123,6584,6585],{},"Primarily North America",[1123,6587,6588],{},"US-originated, global adoption",[1123,6590,6591],{},"Any org handling cardholder data",[1108,6593,6594,6599,6602,6605,6608],{},[1123,6595,6596],{},[61,6597,6598],{},"Structure",[1123,6600,6601],{},"ISMS + Annex A controls",[1123,6603,6604],{},"Trust Services Criteria",[1123,6606,6607],{},"6 functions, 22 categories",[1123,6609,6610],{},"12 requirements, 300+ sub-requirements",[1108,6612,6613,6618,6621,6624,6627],{},[1123,6614,6615],{},[61,6616,6617],{},"Validity",[1123,6619,6620],{},"3 years with surveillance",[1123,6622,6623],{},"Report covers observation period",[1123,6625,6626],{},"Self-assessed (no certification)",[1123,6628,6629],{},"Annual assessment",[1108,6631,6632,6637,6640,6643,6646],{},[1123,6633,6634],{},[61,6635,6636],{},"Control count",[1123,6638,6639],{},"93 (Annex A)",[1123,6641,6642],{},"~60 points of focus",[1123,6644,6645],{},"~100 subcategories",[1123,6647,6648],{},"300+",[11,6650,6651],{},"The overlap between ISO 27001 and SOC 2 is roughly 70–80% at the control level. NIST CSF aligns even more closely with ISO 27001 since both follow a risk-based approach. 
PCI DSS is more prescriptive but shares foundational controls around access management, logging, encryption, and incident response.",[11,6653,6654],{},"Organizations that already have one framework in place can typically achieve ISO 27001 certification 30–40% faster by reusing existing policies, evidence, and control implementations.",[11,6656,6657],{},"Key areas of overlap include:",[55,6659,6660,6666,6672,6678],{},[58,6661,6662,6665],{},[61,6663,6664],{},"Access control"," — covered by all four frameworks, though PCI DSS is the most prescriptive about password complexity and multi-factor authentication.",[58,6667,6668,6671],{},[61,6669,6670],{},"Incident response"," — ISO 27001, NIST CSF, and PCI DSS all require documented incident response plans and regular testing.",[58,6673,6674,6677],{},[61,6675,6676],{},"Risk management"," — ISO 27001 and NIST CSF both center on risk-based decision-making; SOC 2 addresses it through the Common Criteria.",[58,6679,6680,6683],{},[61,6681,6682],{},"Logging and monitoring"," — a universal requirement, with PCI DSS specifying exact log retention periods and ISO 27001 leaving implementation details to the organization.",[11,6685,6686,6687,108],{},"For a detailed breakdown of how controls map across frameworks, see our ",[15,6688,6689],{"href":5391},"framework mapping guide",[44,6691,6693],{"id":6692},"how-episki-helps-with-iso-27001","How episki helps with ISO 27001",[11,6695,6696,6697,108],{},"episki maps controls to Annex A, tracks your Statement of Applicability, and connects evidence across ISO 27001 and other frameworks. 
Learn more on our ",[15,6698,6699],{"href":17},"ISO 27001 compliance page",{"title":452,"searchDepth":453,"depth":453,"links":6701},[6702],{"id":5066,"depth":453,"text":5067,"children":6703},[6704,6705,6706,6707,6708,6709,6710,6711],{"id":6015,"depth":459,"text":6016},{"id":487,"depth":459,"text":6172},{"id":6218,"depth":459,"text":6219},{"id":6277,"depth":459,"text":6278},{"id":6342,"depth":459,"text":6343},{"id":5299,"depth":459,"text":5300},{"id":6531,"depth":459,"text":6532},{"id":6692,"depth":459,"text":6693},{},[476],[482,6118,867,6715],"surveillance-audit",{"title":6717,"description":6718},"What is ISO 27001? ISMS Certification Explained","ISO 27001 is the international standard for information security management systems (ISMS). Learn about certification requirements, Annex A controls, and how to prepare.","8.glossary\u002Fiso27001","uV0isz5GoX3td94Hc92c2WCNJWN788aXYZbx9q7FEeY",[6722,7271],{"id":6723,"title":6724,"body":6725,"description":452,"extension":474,"lastUpdated":477,"meta":7259,"navigation":479,"path":7260,"relatedFrameworks":7261,"relatedTerms":7262,"seo":7265,"slug":7268,"stem":7269,"term":6730,"__hash__":7270},"glossary\u002F8.glossary\u002Faccess-control.md","Access Control",{"type":8,"value":6726,"toc":7245},[6727,6731,6734,6738,6741,6767,6771,6777,6783,6789,6795,6799,6802,6808,6825,6831,6845,6851,6862,6866,6869,6917,6921,6924,6938,6942,6945,6968,6972,6975,7024,7028,7031,7144,7147,7150,7179,7183,7189,7192,7229,7232,7235,7238,7240],[29,6728,6730],{"id":6729},"what-is-access-control","What is Access Control?",[11,6732,6733],{},"Access control is the set of policies, procedures, and technical mechanisms that regulate who can access systems, data, and resources within an organization. It ensures that only authorized individuals can view, modify, or interact with sensitive information and critical systems. 
Access control is one of the most fundamental and universally required security controls across every major compliance framework.",[44,6735,6737],{"id":6736},"core-principles","Core principles",[11,6739,6740],{},"Access control is built on several foundational principles:",[55,6742,6743,6749,6755,6761],{},[58,6744,6745,6748],{},[61,6746,6747],{},"Least privilege"," — users are granted only the minimum access necessary to perform their job functions",[58,6750,6751,6754],{},[61,6752,6753],{},"Separation of duties"," — critical tasks are divided among multiple individuals to prevent any single person from having unchecked authority",[58,6756,6757,6760],{},[61,6758,6759],{},"Need to know"," — access to information is restricted to those who require it for a specific purpose",[58,6762,6763,6766],{},[61,6764,6765],{},"Default deny"," — access is denied by default unless explicitly granted",[44,6768,6770],{"id":6769},"types-of-access-control","Types of access control",[11,6772,6773,6776],{},[61,6774,6775],{},"Role-Based Access Control (RBAC)"," — access is determined by the user's role within the organization. Roles are defined with specific permissions, and users are assigned to roles. This is the most common model in enterprise environments.",[11,6778,6779,6782],{},[61,6780,6781],{},"Attribute-Based Access Control (ABAC)"," — access decisions are based on attributes of the user, the resource, and the environment (e.g., department, location, time of day, device type).",[11,6784,6785,6788],{},[61,6786,6787],{},"Discretionary Access Control (DAC)"," — resource owners decide who can access their resources. Common in file systems where owners set permissions.",[11,6790,6791,6794],{},[61,6792,6793],{},"Mandatory Access Control (MAC)"," — access is controlled by the system based on security labels and clearance levels. 
Common in government and military environments.",[44,6796,6798],{"id":6797},"access-control-components","Access control components",[11,6800,6801],{},"A complete access control program addresses:",[11,6803,6804,6807],{},[61,6805,6806],{},"Authentication"," — verifying the identity of users:",[55,6809,6810,6813,6816,6819,6822],{},[58,6811,6812],{},"Passwords and passphrases",[58,6814,6815],{},"Multi-factor authentication (MFA)",[58,6817,6818],{},"Single sign-on (SSO)",[58,6820,6821],{},"Biometric authentication",[58,6823,6824],{},"Certificate-based authentication",[11,6826,6827,6830],{},[61,6828,6829],{},"Authorization"," — determining what authenticated users can do:",[55,6832,6833,6836,6839,6842],{},[58,6834,6835],{},"Permission assignments",[58,6837,6838],{},"Role definitions",[58,6840,6841],{},"Access control lists",[58,6843,6844],{},"Policy enforcement points",[11,6846,6847,6850],{},[61,6848,6849],{},"Access lifecycle management"," — managing access throughout the user lifecycle:",[55,6852,6853,6856,6859],{},[58,6854,6855],{},"Provisioning (granting access when hired or role changes)",[58,6857,6858],{},"Review (periodic access certification)",[58,6860,6861],{},"Deprovisioning (revoking access upon termination or role change)",[44,6863,6865],{"id":6864},"access-control-in-compliance-frameworks","Access control in compliance frameworks",[11,6867,6868],{},"Every major framework requires access control:",[55,6870,6871,6878,6888,6901,6909],{},[58,6872,6873,6877],{},[61,6874,6875],{},[15,6876,5381],{"href":5380}," — CC6.1 through CC6.8 cover logical and physical access controls",[58,6879,6880,6884,6885,6887],{},[61,6881,6882],{},[15,6883,18],{"href":17}," — ",[15,6886,3933],{"href":5141}," controls A.5.15 through A.5.18 and A.8.2 through A.8.5 address access management",[58,6889,6890,6895,6896,6900],{},[61,6891,6892],{},[15,6893,5912],{"href":6894},"\u002Fframeworks\u002Fhipaa"," — the 
",[15,6897,6899],{"href":6898},"\u002Fframeworks\u002Fhipaa\u002Fsecurity-rule","Security Rule"," requires access controls for ePHI (45 CFR 164.312(a))",[58,6902,6903,6908],{},[61,6904,6905],{},[15,6906,6552],{"href":6907},"\u002Fframeworks\u002Fpci"," — Requirements 7 and 8 address access restriction and user identification",[58,6910,6911,6916],{},[61,6912,6913],{},[15,6914,5918],{"href":6915},"\u002Fframeworks\u002Fnistcsf"," — PR.AC covers identity management, authentication, and access control",[44,6918,6920],{"id":6919},"access-reviews","Access reviews",[11,6922,6923],{},"Regular access reviews (also called access certifications) are a critical control:",[55,6925,6926,6929,6932,6935],{},[58,6927,6928],{},"Review user access rights periodically (quarterly is common for sensitive systems)",[58,6930,6931],{},"Verify that access aligns with current job responsibilities",[58,6933,6934],{},"Identify and remove excessive or unnecessary access",[58,6936,6937],{},"Document review results and remediation actions",[44,6939,6941],{"id":6940},"common-access-control-weaknesses","Common access control weaknesses",[11,6943,6944],{},"Even well-designed access control programs can degrade over time without ongoing attention. 
Watch for these common issues:",[55,6946,6947,6950,6953,6956,6959,6962,6965],{},[58,6948,6949],{},"Excessive permissions that accumulate over time (privilege creep)",[58,6951,6952],{},"Shared or generic accounts that prevent individual accountability",[58,6954,6955],{},"Delayed deprovisioning when employees leave or change roles",[58,6957,6958],{},"Lack of MFA on critical systems and remote access paths",[58,6960,6961],{},"Inconsistent access review processes with no documented remediation",[58,6963,6964],{},"Service accounts with standing privileged access and no rotation schedule",[58,6966,6967],{},"Lack of visibility into SaaS application access outside the corporate IdP",[44,6969,6971],{"id":6970},"implementing-access-control-in-practice","Implementing access control in practice",[11,6973,6974],{},"Effective access control programs start with planning and build toward automation. The following steps provide a practical roadmap for organizations at any maturity level:",[952,6976,6977,6983,6989,6995,7001,7007,7018],{},[58,6978,6979,6982],{},[61,6980,6981],{},"Map your environment"," — inventory all systems, applications, and data repositories that require access controls. You cannot protect what you have not identified. Include SaaS applications, cloud infrastructure, on-premises servers, databases, file shares, and third-party integrations.",[58,6984,6985,6988],{},[61,6986,6987],{},"Define roles based on job functions"," — create roles that reflect organizational responsibilities, not individual users. Align roles to the principle of least privilege so each role includes only the permissions required for that function. Review role definitions annually and whenever organizational structure changes.",[58,6990,6991,6994],{},[61,6992,6993],{},"Centralize authentication with SSO"," — implement single sign-on using SAML 2.0 or OpenID Connect (OIDC) to unify identity across cloud and on-premises systems. 
Centralized authentication reduces password sprawl and gives security teams a single point of enforcement. Ensure all business-critical applications are integrated with your SSO provider before considering the rollout complete.",[58,6996,6997,7000],{},[61,6998,6999],{},"Layer MFA on all critical systems"," — require multi-factor authentication for remote access, privileged accounts, email, cloud consoles, and any system that touches sensitive data. Phishing-resistant methods such as FIDO2 hardware keys are preferred over SMS-based codes. At a minimum, enforce MFA on identity providers, admin consoles, and VPN access.",[58,7002,7003,7006],{},[61,7004,7005],{},"Automate provisioning and deprovisioning"," — connect your HR system to your identity provider (IdP) and use SCIM or directory sync to automate account creation, role assignment, and account removal. When an employee is terminated in the HR system, access should be revoked within minutes, not days. Automation eliminates the human error that leads to orphaned accounts and privilege creep.",[58,7008,7009,7012,7013,7017],{},[61,7010,7011],{},"Build an access request and approval workflow"," — establish a formal process where users request access with documented business justification, managers approve, and the request is logged for audit. This creates an ",[15,7014,7016],{"href":7015},"\u002Fglossary\u002Faudit-trail","audit trail"," that satisfies compliance requirements.",[58,7019,7020,7023],{},[61,7021,7022],{},"Monitor and log access events"," — collect authentication and authorization logs centrally. Monitor for anomalies such as failed login attempts, access from unusual locations, and privilege escalation. Logs are essential for incident response and audit evidence.",[44,7025,7027],{"id":7026},"access-control-requirements-by-framework","Access control requirements by framework",[11,7029,7030],{},"Different frameworks address the same access control concepts with different control references. 
The table below maps common requirements to their framework-specific identifiers:",[1102,7032,7033,7050],{},[1105,7034,7035],{},[1108,7036,7037,7040,7042,7044,7046,7048],{},[1111,7038,7039],{},"Requirement",[1111,7041,5381],{},[1111,7043,18],{},[1111,7045,5912],{},[1111,7047,6552],{},[1111,7049,5918],{},[1118,7051,7052,7072,7091,7110,7127],{},[1108,7053,7054,7057,7060,7063,7066,7069],{},[1123,7055,7056],{},"Unique user IDs",[1123,7058,7059],{},"CC6.1",[1123,7061,7062],{},"A.5.16",[1123,7064,7065],{},"§164.312(a)(2)(i)",[1123,7067,7068],{},"Req 8.2.1",[1123,7070,7071],{},"PR.AC-1",[1108,7073,7074,7077,7079,7082,7085,7088],{},[1123,7075,7076],{},"MFA",[1123,7078,7059],{},[1123,7080,7081],{},"A.8.5",[1123,7083,7084],{},"§164.312(d)",[1123,7086,7087],{},"Req 8.4",[1123,7089,7090],{},"PR.AC-7",[1108,7092,7093,7095,7098,7101,7104,7107],{},[1123,7094,6920],{},[1123,7096,7097],{},"CC6.2",[1123,7099,7100],{},"A.5.18",[1123,7102,7103],{},"§164.312(a)(1)",[1123,7105,7106],{},"Req 7.2",[1123,7108,7109],{},"PR.AC-4",[1108,7111,7112,7114,7117,7120,7122,7125],{},[1123,7113,6747],{},[1123,7115,7116],{},"CC6.3",[1123,7118,7119],{},"A.5.15",[1123,7121,7103],{},[1123,7123,7124],{},"Req 7.1",[1123,7126,7109],{},[1108,7128,7129,7132,7134,7136,7139,7142],{},[1123,7130,7131],{},"Deprovisioning",[1123,7133,7097],{},[1123,7135,7100],{},[1123,7137,7138],{},"§164.308(a)(3)(ii)(C)",[1123,7140,7141],{},"Req 8.2.5",[1123,7143,7071],{},[11,7145,7146],{},"Organizations subject to multiple frameworks can use this mapping to build a unified access control program that satisfies overlapping requirements without duplicating effort.",[11,7148,7149],{},"A few notes on framework-specific nuances:",[55,7151,7152,7157,7165,7172],{},[58,7153,7154,7156],{},[61,7155,5912],{}," does not name MFA explicitly. The Person or Entity Authentication standard (§164.312(d)) requires covered entities to verify the identity of anyone seeking access to ePHI but leaves the mechanism to the entity's risk analysis, so MFA is the expected way to satisfy it rather than a literal mandate. 
In practice, most organizations implement MFA because the risk of not doing so is difficult to justify.",[58,7158,7159,7164],{},[61,7160,7161,7163],{},[15,7162,6552],{"href":6907}," v4.0"," expanded MFA requirements (Req 8.4) to include all access into the cardholder data environment, not just remote access; Requirement 8.4.2, which carries this expanded scope, became mandatory on 31 March 2025. Organizations processing card data should verify their MFA coverage meets the updated scope.",[58,7166,7167,7171],{},[61,7168,7169],{},[15,7170,5381],{"href":5380}," does not prescribe specific technologies but evaluates whether the controls in place are suitably designed and operating effectively. Auditors will look for evidence that access control policies are enforced consistently.",[58,7173,7174,7178],{},[61,7175,7176],{},[15,7177,5918],{"href":6915}," provides a flexible, risk-based approach. The PR.AC subcategory identifiers used in the table come from CSF 1.1 and map to more detailed controls in NIST SP 800-53, which organizations can reference for implementation guidance. CSF 2.0 (2024) reorganized these subcategories under the Identity Management, Authentication and Access Control (PR.AA) category, so confirm which version your auditor or customer expects.",[44,7180,7182],{"id":7181},"zero-trust-and-access-control","Zero trust and access control",[11,7184,7185,7186,108],{},"Traditional access control models assume that users inside the network perimeter can be trusted. Zero trust architecture rejects that assumption entirely: ",[61,7187,7188],{},"never trust, always verify",[11,7190,7191],{},"In a zero trust model, every access request is authenticated, authorized, and encrypted regardless of where it originates. Key principles include:",[55,7193,7194,7200,7206,7217,7223],{},[58,7195,7196,7199],{},[61,7197,7198],{},"Continuous verification"," — access decisions are re-evaluated throughout a session, not just at login. 
Changes in user behavior, location, or risk score can trigger step-up authentication or session termination.",[58,7201,7202,7205],{},[61,7203,7204],{},"Micro-segmentation"," — network resources are divided into small, isolated zones so that compromising one segment does not grant lateral access to others.",[58,7207,7208,7211,7212,7216],{},[61,7209,7210],{},"Device posture checks"," — the security state of the connecting device (patch level, endpoint protection status, disk ",[15,7213,7215],{"href":7214},"\u002Fglossary\u002Fencryption","encryption",") is evaluated before access is granted.",[58,7218,7219,7222],{},[61,7220,7221],{},"Identity-centric perimeter"," — the network perimeter is replaced by identity as the primary security boundary. Every user, device, and workload must prove its identity before accessing any resource.",[58,7224,7225,7228],{},[61,7226,7227],{},"Least privilege enforcement at the session level"," — access grants are scoped to the specific resource and action needed, and they expire when the session ends or conditions change.",[11,7230,7231],{},"NIST SP 800-207 defines the zero trust architecture and provides guidance on implementation. Many compliance frameworks are increasingly aligning their access control requirements with zero trust principles, making it a forward-looking strategy for organizations building or modernizing their access control programs.",[11,7233,7234],{},"Zero trust is not a single product but an architectural approach that spans identity, network, endpoints, and data.",[11,7236,7237],{},"Adopting zero trust does not require replacing your existing access control infrastructure overnight. Most organizations begin by enforcing MFA universally, segmenting their most sensitive assets, and adding device posture checks to their conditional access policies. 
Over time, these incremental improvements compound into a mature zero trust posture.",[44,7239,816],{"id":815},[11,7241,7242,7243,108],{},"episki tracks access control policies, monitors review schedules, and documents access provisioning and deprovisioning activities. The platform sends reminders for periodic access reviews and maintains evidence for auditors. Learn more on our ",[15,7244,5712],{"href":5711},{"title":452,"searchDepth":453,"depth":453,"links":7246},[7247],{"id":6729,"depth":453,"text":6730,"children":7248},[7249,7250,7251,7252,7253,7254,7255,7256,7257,7258],{"id":6736,"depth":459,"text":6737},{"id":6769,"depth":459,"text":6770},{"id":6797,"depth":459,"text":6798},{"id":6864,"depth":459,"text":6865},{"id":6919,"depth":459,"text":6920},{"id":6940,"depth":459,"text":6941},{"id":6970,"depth":459,"text":6971},{"id":7026,"depth":459,"text":7027},{"id":7181,"depth":459,"text":7182},{"id":815,"depth":459,"text":816},{},"\u002Fglossary\u002Faccess-control",[5966,5726,476,5727,5728,5967],[7263,2209,7215,7264],"minimum-necessary-rule","user-entity-controls",{"title":7266,"description":7267},"Access Control in Compliance: RBAC, MFA & Least Privilege","Access control restricts system and data access to authorized users. 
Learn RBAC, MFA, least privilege, and requirements across SOC 2, ISO 27001, HIPAA, and PCI DSS.","access-control","8.glossary\u002Faccess-control","aw9J1nXzlNuRVpTr3vx46B0ijrBB9hLxb3SnjmXE6cE",{"id":7272,"title":3933,"body":7273,"description":452,"extension":474,"lastUpdated":477,"meta":7402,"navigation":479,"path":5141,"relatedFrameworks":7403,"relatedTerms":7404,"seo":7406,"slug":6118,"stem":7409,"term":7278,"__hash__":7410},"glossary\u002F8.glossary\u002Fannex-a.md",{"type":8,"value":7274,"toc":7392},[7275,7279,7289,7292,7295,7317,7321,7324,7341,7344,7348,7351,7355,7358,7372,7375,7377,7385,7387],[29,7276,7278],{"id":7277},"what-is-iso-27001-annex-a","What is ISO 27001 Annex A?",[11,7280,7281,7282,7284,7285,7288],{},"ISO 27001 Annex A is the normative annex to the ",[15,7283,18],{"href":17}," standard that provides a reference list of information security controls. Organizations use Annex A as a checklist to ensure their ",[15,7286,7287],{"href":507},"Information Security Management System (ISMS)"," addresses a comprehensive range of security topics. 
As of the 2022 revision, Annex A contains 93 controls organized into four themes.",[44,7290,7291],{"id":41},"The four themes",[11,7293,7294],{},"The 2022 revision reorganized controls from the previous 14 categories into four themes:",[55,7296,7297,7302,7307,7312],{},[58,7298,7299,7301],{},[61,7300,6351],{}," — policies, roles and responsibilities, threat intelligence, information security in project management, supplier relationships, and more",[58,7303,7304,7306],{},[61,7305,6357],{}," — screening, terms and conditions of employment, security awareness training, disciplinary processes, and responsibilities after termination",[58,7308,7309,7311],{},[61,7310,6363],{}," — physical security perimeters, entry controls, securing offices and facilities, equipment protection, and clear desk policies",[58,7313,7314,7316],{},[61,7315,6369],{}," — user endpoint devices, privileged access management, access restrictions, secure authentication, malware protection, logging, encryption, and secure development",[44,7318,7320],{"id":7319},"how-annex-a-fits-into-iso-27001","How Annex A fits into ISO 27001",[11,7322,7323],{},"Annex A is not a standalone list of mandatory controls. Instead, it works in conjunction with the risk assessment process defined in clauses 6 and 8 of ISO 27001:",[952,7325,7326,7329,7332,7335,7338],{},[58,7327,7328],{},"The organization performs a risk assessment to identify information security risks",[58,7330,7331],{},"The organization determines how to treat each risk (mitigate, accept, transfer, or avoid)",[58,7333,7334],{},"For risks being mitigated, the organization selects appropriate controls",[58,7336,7337],{},"The organization compares selected controls against Annex A to ensure nothing has been overlooked",[58,7339,7340],{},"The results are documented in the Statement of Applicability",[11,7342,7343],{},"This approach ensures that control selection is risk-driven rather than checkbox-driven. 
An organization may determine that certain Annex A controls are not applicable based on their specific risk profile, and this is acceptable as long as the justification is documented.",[44,7345,7347],{"id":7346},"relationship-to-iso-27002","Relationship to ISO 27002",[11,7349,7350],{},"ISO 27002 provides detailed implementation guidance for each Annex A control. While Annex A lists the controls with brief descriptions, ISO 27002 explains the purpose, guidance, and other information for each control. Think of Annex A as the \"what\" and ISO 27002 as the \"how.\"",[44,7352,7354],{"id":7353},"changes-in-the-2022-revision","Changes in the 2022 revision",[11,7356,7357],{},"The 2022 update introduced several changes from the 2013 version:",[55,7359,7360,7363,7366,7369],{},[58,7361,7362],{},"Controls were consolidated from 114 to 93",[58,7364,7365],{},"The 14 categories were replaced with 4 themes",[58,7367,7368],{},"11 new controls were added, including threat intelligence, information security for cloud services, ICT readiness for business continuity, and data masking",[58,7370,7371],{},"Each control now includes attributes (control type, cybersecurity concept, operational capability, and security domain) to aid in filtering and mapping",[11,7373,7374],{},"Organizations certified under the 2013 version had a transition period to update their ISMS to align with the 2022 revision.",[44,7376,382],{"id":484},[11,7378,5159,7379,7381,7382,7384],{},[15,7380,4165],{"href":381}," is the document where an organization records which Annex A controls are applicable, which are not, and the justification for each decision. The SoA is a mandatory document for ",[15,7383,3851],{"href":106}," and is a key artifact reviewed during certification audits.",[44,7386,816],{"id":815},[11,7388,7389,7390,108],{},"episki includes all 93 Annex A controls with mappings to your risk treatment plan and Statement of Applicability. 
The platform helps you track implementation status, assign ownership, and collect evidence for each applicable control. Learn more on our ",[15,7391,6699],{"href":17},{"title":452,"searchDepth":453,"depth":453,"links":7393},[7394],{"id":7277,"depth":453,"text":7278,"children":7395},[7396,7397,7398,7399,7400,7401],{"id":41,"depth":459,"text":7291},{"id":7319,"depth":459,"text":7320},{"id":7346,"depth":459,"text":7347},{"id":7353,"depth":459,"text":7354},{"id":484,"depth":459,"text":382},{"id":815,"depth":459,"text":816},{},[476],[476,484,7405,5731,482],"iso-27002",{"title":7407,"description":7408},"ISO 27001 Annex A: All 93 Controls Explained (2022)","ISO 27001 Annex A lists 93 security controls in 4 themes. Learn each control category, how they map to your Statement of Applicability, and implementation tips.","8.glossary\u002Fannex-a","zOi6CCz1VDeAbyXEMKP138bq5vOHAu0XAZAldrru9F0",[7412,7712],{"id":5,"title":6,"body":7413,"description":473,"extension":474,"faq":475,"frameworkSlug":476,"lastUpdated":477,"meta":7708,"navigation":479,"path":480,"relatedTerms":7709,"relatedTopics":7710,"seo":7711,"stem":492,"__hash__":493},{"type":8,"value":7414,"toc":7689},[7415,7421,7423,7425,7427,7429,7431,7433,7435,7437,7467,7471,7473,7475,7477,7507,7509,7511,7513,7543,7545,7547,7549,7615,7617,7619,7641,7645,7647,7651,7653,7655,7657,7661,7663,7665,7667,7669,7671,7673,7675,7677,7679,7683,7685],[11,7416,13,7417,19,7419,24],{},[15,7418,18],{"href":17},[15,7420,23],{"href":22},[11,7422,27],{},[29,7424,32],{"id":31},[11,7426,35],{},[11,7428,38],{},[29,7430,42],{"id":41},[44,7432,47],{"id":46},[11,7434,50],{},[11,7436,53],{},[55,7438,7439,7443,7447,7451,7455,7459,7463],{},[58,7440,7441,64],{},[61,7442,63],{},[58,7444,7445,70],{},[61,7446,69],{},[58,7448,7449,76],{},[61,7450,75],{},[58,7452,7453,82],{},[61,7454,81],{},[58,7456,7457,88],{},[61,7458,87],{},[58,7460,7461,94],{},[61,7462,93],{},[58,7464,7465,100],{},[61,7466,99],{},[11,7468,103,7469,108],{},[15,7470,107],{"href":106},[44,7472,1
12],{"id":111},[11,7474,115],{},[11,7476,118],{},[55,7478,7479,7483,7487,7491,7495,7499,7503],{},[58,7480,7481,126],{},[61,7482,125],{},[58,7484,7485,132],{},[61,7486,131],{},[58,7488,7489,138],{},[61,7490,137],{},[58,7492,7493,144],{},[61,7494,143],{},[58,7496,7497,150],{},[61,7498,149],{},[58,7500,7501,156],{},[61,7502,155],{},[58,7504,7505,162],{},[61,7506,161],{},[44,7508,166],{"id":165},[11,7510,169],{},[11,7512,172],{},[55,7514,7515,7519,7523,7527,7531,7535,7539],{},[58,7516,7517,180],{},[61,7518,179],{},[58,7520,7521,186],{},[61,7522,185],{},[58,7524,7525,192],{},[61,7526,191],{},[58,7528,7529,198],{},[61,7530,197],{},[58,7532,7533,204],{},[61,7534,203],{},[58,7536,7537,210],{},[61,7538,209],{},[58,7540,7541,216],{},[61,7542,215],{},[44,7544,220],{"id":219},[11,7546,223],{},[11,7548,226],{},[55,7550,7551,7555,7559,7563,7567,7571,7575,7579,7583,7587,7591,7595,7599,7603,7607,7611],{},[58,7552,7553,234],{},[61,7554,233],{},[58,7556,7557,240],{},[61,7558,239],{},[58,7560,7561,246],{},[61,7562,245],{},[58,7564,7565,252],{},[61,7566,251],{},[58,7568,7569,258],{},[61,7570,257],{},[58,7572,7573,264],{},[61,7574,263],{},[58,7576,7577,270],{},[61,7578,269],{},[58,7580,7581,276],{},[61,7582,275],{},[58,7584,7585,282],{},[61,7586,281],{},[58,7588,7589,288],{},[61,7590,287],{},[58,7592,7593,294],{},[61,7594,293],{},[58,7596,7597,300],{},[61,7598,299],{},[58,7600,7601,306],{},[61,7602,305],{},[58,7604,7605,312],{},[61,7606,311],{},[58,7608,7609,318],{},[61,7610,317],{},[58,7612,7613,324],{},[61,7614,323],{},[29,7616,328],{"id":327},[11,7618,331],{},[55,7620,7621,7625,7629,7633,7637],{},[58,7622,7623,339],{},[61,7624,338],{},[58,7626,7627,345],{},[61,7628,344],{},[58,7630,7631,351],{},[61,7632,350],{},[58,7634,7635,357],{},[61,7636,356],{},[58,7638,7639,363],{},[61,7640,362],{},[11,7642,366,7643,371],{},[15,7644,370],{"href":369},[29,7646,375],{"id":374},[11,7648,378,7649,383],{},[15,7650,382],{"href":381},[11,7652,386],{},[29,7654,390],{"id":389},[44,7656,394],{"id":393},[
11,7658,397,7659,400],{},[15,7660,370],{"href":369},[44,7662,404],{"id":403},[11,7664,407],{},[44,7666,411],{"id":410},[11,7668,414],{},[44,7670,418],{"id":417},[11,7672,421],{},[44,7674,425],{"id":424},[11,7676,428],{},[29,7678,432],{"id":431},[11,7680,435,7681,440],{},[15,7682,439],{"href":438},[11,7684,443],{},[11,7686,446,7687,450],{},[15,7688,18],{"href":449},{"title":452,"searchDepth":453,"depth":453,"links":7690},[7691,7692,7698,7699,7700,7707],{"id":31,"depth":453,"text":32},{"id":41,"depth":453,"text":42,"children":7693},[7694,7695,7696,7697],{"id":46,"depth":459,"text":47},{"id":111,"depth":459,"text":112},{"id":165,"depth":459,"text":166},{"id":219,"depth":459,"text":220},{"id":327,"depth":453,"text":328},{"id":374,"depth":453,"text":375},{"id":389,"depth":453,"text":390,"children":7701},[7702,7703,7704,7705,7706],{"id":393,"depth":459,"text":394},{"id":403,"depth":459,"text":404},{"id":410,"depth":459,"text":411},{"id":417,"depth":459,"text":418},{"id":424,"depth":459,"text":425},{"id":431,"depth":453,"text":432},{},[476,482],[484,485,486,487,488],{"title":490,"description":491},{"id":495,"title":496,"body":7713,"description":846,"extension":474,"faq":7942,"frameworkSlug":476,"lastUpdated":477,"meta":7949,"navigation":479,"path":865,"relatedTerms":7950,"relatedTopics":7951,"seo":7952,"stem":873,"__hash__":874},{"type":8,"value":7714,"toc":7923},[7715,7721,7723,7725,7727,7741,7743,7745,7747,7749,7771,7775,7777,7779,7781,7789,7791,7793,7795,7797,7799,7801,7803,7805,7807,7809,7811,7813,7815,7831,7833,7835,7837,7839,7841,7843,7845,7863,7865,7867,7869,7871,7873,7879,7883,7887,7889,7915,7917,7919],[11,7716,501,7717,504,7719,508],{},[15,7718,18],{"href":17},[15,7720,23],{"href":507},[11,7722,511],{},[29,7724,515],{"id":514},[11,7726,518],{},[55,7728,7729,7731,7733,7735,7737,7739],{},[58,7730,523],{},[58,7732,526],{},[58,7734,529],{},[58,7736,532],{},[58,7738,535],{},[58,7740,538],{},[11,7742,541],{},[29,7744,545],{"id":544},[11,7746,548],{},[11,7748,551],{},[55
,7750,7751,7755,7759,7763,7767],{},[58,7752,7753,559],{},[61,7754,558],{},[58,7756,7757,565],{},[61,7758,564],{},[58,7760,7761,571],{},[61,7762,570],{},[58,7764,7765,577],{},[61,7766,576],{},[58,7768,7769,583],{},[61,7770,582],{},[11,7772,586,7773,590],{},[61,7774,589],{},[11,7776,593],{},[29,7778,597],{"id":596},[11,7780,600],{},[55,7782,7783,7785,7787],{},[58,7784,605],{},[58,7786,608],{},[58,7788,611],{},[11,7790,614],{},[29,7792,618],{"id":617},[11,7794,621],{},[44,7796,625],{"id":624},[11,7798,628],{},[44,7800,632],{"id":631},[11,7802,635],{},[44,7804,639],{"id":638},[11,7806,642],{},[44,7808,646],{"id":645},[11,7810,649],{},[44,7812,653],{"id":652},[11,7814,656],{},[55,7816,7817,7819,7821,7823,7825,7827,7829],{},[58,7818,661],{},[58,7820,664],{},[58,7822,667],{},[58,7824,670],{},[58,7826,673],{},[58,7828,676],{},[58,7830,679],{},[11,7832,682],{},[44,7834,686],{"id":685},[11,7836,689],{},[44,7838,693],{"id":692},[11,7840,696],{},[29,7842,700],{"id":699},[11,7844,703],{},[55,7846,7847,7851,7855,7859],{},[58,7848,7849,711],{},[61,7850,710],{},[58,7852,7853,717],{},[61,7854,716],{},[58,7856,7857,723],{},[61,7858,722],{},[58,7860,7861,729],{},[61,7862,728],{},[11,7864,732],{},[29,7866,736],{"id":735},[11,7868,739],{},[11,7870,742],{},[29,7872,746],{"id":745},[11,7874,749,7875,753,7877,756],{},[15,7876,752],{"href":507},[15,7878,107],{"href":106},[11,7880,759,7881,762],{},[15,7882,439],{"href":438},[11,7884,765,7885,770],{},[15,7886,769],{"href":768},[29,7888,774],{"id":773},[55,7890,7891,7895,7899,7903,7907,7911],{},[58,7892,7893,782],{},[61,7894,781],{},[58,7896,7897,788],{},[61,7898,787],{},[58,7900,7901,794],{},[61,7902,793],{},[58,7904,7905,800],{},[61,7906,799],{},[58,7908,7909,806],{},[61,7910,805],{},[58,7912,7913,812],{},[61,7914,811],{},[29,7916,816],{"id":815},[11,7918,819],{},[11,7920,822,7921,826],{},[15,7922,825],{"href":17},{"title":452,"searchDepth":453,"depth":453,"links":7924},[7925,7926,7927,7928,7937,7938,7939,7940,7941],{"id":514,"depth":453,"te
xt":515},{"id":544,"depth":453,"text":545},{"id":596,"depth":453,"text":597},{"id":617,"depth":453,"text":618,"children":7929},[7930,7931,7932,7933,7934,7935,7936],{"id":624,"depth":459,"text":625},{"id":631,"depth":459,"text":632},{"id":638,"depth":459,"text":639},{"id":645,"depth":459,"text":646},{"id":652,"depth":459,"text":653},{"id":685,"depth":459,"text":686},{"id":692,"depth":459,"text":693},{"id":699,"depth":453,"text":700},{"id":735,"depth":453,"text":736},{"id":745,"depth":453,"text":746},{"id":773,"depth":453,"text":774},{"id":815,"depth":453,"text":816},{"items":7943},[7944,7945,7946,7947,7948],{"label":850,"content":851},{"label":853,"content":854},{"label":856,"content":857},{"label":859,"content":860},{"label":862,"content":863},{},[476,867,482],[487,488,869,486],{"title":871,"description":872},{"id":5038,"title":5039,"advantages":7954,"body":7961,"checklist":8205,"cta":8207,"description":452,"extension":474,"faq":8208,"hero":8215,"meta":8219,"name":18,"navigation":479,"path":17,"resources":8220,"seo":8225,"slug":476,"stats":8226,"stem":5517,"__hash__":5518},[7955,7957,7959],{"title":5042,"description":5043,"bullets":7956},[5045,5046,5047],{"title":5049,"description":5050,"bullets":7958},[5052,5053,5054],{"title":5056,"description":5057,"bullets":7960},[5059,5060,5061],{"type":8,"value":7962,"toc":8187},[7963,7965,7971,7973,7975,7977,7979,7981,7983,7985,7987,7989,7995,7997,7999,8003,8005,8007,8011,8013,8017,8019,8023,8025,8029,8031,8033,8063,8067,8071,8073,8075,8077,8081,8083,8085,8087,8093,8095,8097,8101,8103,8105,8109,8111,8113,8131,8135,8137,8139,8143,8145,8147,8151,8153,8155,8169,8173,8175,8177,8183,8185],[29,7964,5067],{"id":5066},[11,7966,7967,5072,7969,5075],{},[15,7968,18],{"href":449},[15,7970,23],{"href":22},[11,7972,5078],{},[11,7974,5081],{},[11,7976,5084],{},[29,7978,5088],{"id":5087},[11,7980,5091],{},[11,7982,5094],{},[11,7984,5097],{},[29,7986,5101],{"id":5100},[11,7988,5104],{},[11,7990,5107,7991,5111,7993,5116],{},[15,7992,5110],{"hr
ef":106},[15,7994,5115],{"href":5114},[29,7996,5120],{"id":5119},[11,7998,5123],{},[11,8000,5126,8001,5130],{},[61,8002,5129],{},[11,8004,5133],{},[29,8006,2376],{"id":1431},[11,8008,5138,8009,5143],{},[15,8010,5142],{"href":5141},[11,8012,5146],{},[11,8014,5149,8015,5153],{},[15,8016,5152],{"href":480},[29,8018,4165],{"id":5156},[11,8020,5159,8021,5163],{},[15,8022,382],{"href":5162},[11,8024,5166],{},[11,8026,5169,8027,5173],{},[15,8028,5172],{"href":381},[29,8030,5177],{"id":5176},[11,8032,5180],{},[55,8034,8035,8039,8043,8047,8051,8055,8059],{},[58,8036,8037,5188],{},[61,8038,5187],{},[58,8040,8041,5194],{},[61,8042,5193],{},[58,8044,8045,5200],{},[61,8046,5199],{},[58,8048,8049,5206],{},[61,8050,5205],{},[58,8052,8053,5212],{},[61,8054,5211],{},[58,8056,8057,5218],{},[61,8058,5217],{},[58,8060,8061,5224],{},[61,8062,5223],{},[11,8064,5227,8065,5231],{},[15,8066,5230],{"href":507},[11,8068,5234,8069,5237],{},[15,8070,769],{"href":768},[29,8072,2361],{"id":5240},[11,8074,5243],{},[11,8076,5246],{},[11,8078,5249,8079,108],{},[15,8080,5252],{"href":369},[29,8082,5256],{"id":5255},[11,8084,5259],{},[11,8086,5262],{},[11,8088,5265,8089,753,8091,108],{},[15,8090,5268],{"href":1534},[15,8092,5271],{"href":1513},[29,8094,5275],{"id":5274},[11,8096,5278],{},[11,8098,5281,8099,5284],{},[15,8100,1547],{"href":1546},[29,8102,5287],{"id":2212},[11,8104,5290],{},[11,8106,5293,8107,108],{},[15,8108,5296],{"href":1896},[29,8110,5300],{"id":5299},[11,8112,5303],{},[55,8114,8115,8119,8123,8127],{},[58,8116,8117,5311],{},[61,8118,5310],{},[58,8120,8121,5317],{},[61,8122,5316],{},[58,8124,8125,5323],{},[61,8126,5322],{},[58,8128,8129,5329],{},[61,8130,5328],{},[11,8132,5332,8133,5336],{},[15,8134,5335],{"href":106},[29,8136,5339],{"id":901},[11,8138,5342],{},[11,8140,5345,8141,5349],{},[15,8142,5348],{"href":865},[29,8144,5353],{"id":5352},[11,8146,5356],{},[11,8148,5359,8149,5363],{},[15,8150,5362],{"href":438},[29,8152,5367],{"id":5366},[11,8154,5370],{},[55,8156,8157,8163],{},[5
8,8158,8159,5382],{},[61,8160,5377,8161,108],{},[15,8162,5381],{"href":5380},[58,8164,8165,5388,8167,5393],{},[61,8166,5387],{},[15,8168,5392],{"href":5391},[11,8170,5396,8171,5399],{},[15,8172,5115],{"href":5114},[29,8174,5403],{"id":5402},[11,8176,5406],{},[11,8178,5409,8179,3636,8181,5418],{},[15,8180,5413],{"href":5412},[15,8182,5417],{"href":5416},[11,8184,5421],{},[11,8186,5424],{},{"title":452,"searchDepth":453,"depth":453,"links":8188},[8189,8190,8191,8192,8193,8194,8195,8196,8197,8198,8199,8200,8201,8202,8203,8204],{"id":5066,"depth":453,"text":5067},{"id":5087,"depth":453,"text":5088},{"id":5100,"depth":453,"text":5101},{"id":5119,"depth":453,"text":5120},{"id":1431,"depth":453,"text":2376},{"id":5156,"depth":453,"text":4165},{"id":5176,"depth":453,"text":5177},{"id":5240,"depth":453,"text":2361},{"id":5255,"depth":453,"text":5256},{"id":5274,"depth":453,"text":5275},{"id":2212,"depth":453,"text":5287},{"id":5299,"depth":453,"text":5300},{"id":901,"depth":453,"text":5339},{"id":5352,"depth":453,"text":5353},{"id":5366,"depth":453,"text":5367},{"id":5402,"depth":453,"text":5403},{"title":5444,"description":5445,"items":8206},[5447,5448,5449,5450,5451,5452,5453],{"title":5455,"description":5456},{"title":5458,"items":8209},[8210,8211,8212,8213,8214],{"label":5461,"content":5462},{"label":5464,"content":5465},{"label":5467,"content":5468},{"label":5470,"content":5471},{"label":5473,"content":5474},{"headline":5476,"title":5477,"description":5478,"links":8216},[8217,8218],{"label":5481,"icon":5482,"to":5483},{"label":5485,"icon":5486,"color":5487,"variant":5488,"to":5489,"target":5490},{},{"headline":5493,"title":5493,"description":5494,"items":8221},[8222,8223,8224],{"title":5497,"description":5498},{"title":5500,"description":5501},{"title":5503,"description":5504},{"title":5506,"description":5507},[8227,8228,8229],{"value":5142,"description":5510},{"value":5512,"description":5513},{"value":5515,"description":5516},{"id":8231,"title":8232,"body":8233,"compar
ison":8324,"competitorA":8369,"competitorB":8370,"cta":8371,"description":452,"extension":474,"faq":475,"hero":8374,"meta":8382,"navigation":479,"path":8383,"seo":8384,"slug":8387,"slugA":8388,"slugB":8389,"stem":8390,"verdict":8391,"__hash__":8395},"compareVs\u002F7.compare\u002Fvs\u002Fdrata-vs-secureframe.md","Drata Vs Secureframe",{"type":8,"value":8234,"toc":8314},[8235,8239,8242,8246,8249,8255,8258,8262,8265,8268,8271,8275,8278,8281,8285,8288,8291,8295,8298,8301,8305,8308,8311],[29,8236,8238],{"id":8237},"drata-vs-secureframe-the-closest-comparison-in-compliance","Drata vs Secureframe: the closest comparison in compliance",[11,8240,8241],{},"If Vanta is the 800-pound gorilla, Drata and Secureframe are the two challengers most often compared against each other. They target similar buyers, cover similar frameworks, and offer similar automation. The differences are real but subtle — and they matter most in how your team experiences the platform day to day.",[44,8243,8245],{"id":8244},"feature-parity-with-different-emphasis","Feature parity with different emphasis",[11,8247,8248],{},"On paper, Drata and Secureframe look nearly identical. Both automate evidence collection, monitor your compliance posture continuously, support 15+ frameworks, and provide auditor-facing portals. The overlap is so significant that choosing between them often comes down to three factors: onboarding style, dashboard experience, and pricing.",[11,8250,8251,8254],{},[61,8252,8253],{},"Onboarding style"," is the clearest differentiator. Drata leans toward self-serve. The platform guides you through integration setup, control mapping, and evidence configuration with in-app workflows. For teams with compliance experience, this speed is an advantage — you can be operational in 1–2 weeks without waiting for a human to walk you through every step.",[11,8256,8257],{},"Secureframe takes the opposite approach. 
Every customer gets access to dedicated compliance managers who help interpret requirements, map controls to your environment, and prepare for audit. This white-glove model adds a week or two to implementation but dramatically reduces the learning curve for first-time audit teams.",[44,8259,8261],{"id":8260},"the-dashboard-question","The dashboard question",[11,8263,8264],{},"Drata's compliance dashboard is one of its signature features. The real-time posture view shows passing and failing controls across every framework, with compliance percentages and trend data. For compliance leads who report to a CISO or board, this visual layer simplifies status updates and makes it easy to demonstrate progress.",[11,8266,8267],{},"Secureframe also provides dashboards, but they feel more functional than visual. The platform surfaces actionable items — controls that need attention, evidence that's expiring, gaps to remediate — in a task-oriented format. It's effective, but it doesn't deliver the same at-a-glance executive view that Drata provides.",[11,8269,8270],{},"For teams that need board-ready compliance reporting, Drata has the edge. For teams that care more about daily workflow and task management, Secureframe's approach may feel more productive.",[44,8272,8274],{"id":8273},"integration-depth","Integration depth",[11,8276,8277],{},"Secureframe holds a slight advantage in integration count, with 150+ connections compared to Drata's 100+. The extra integrations primarily cover developer tools, identity providers, and security platforms. For teams running complex stacks with multiple CI\u002FCD pipelines, vulnerability scanners, and endpoint management tools, Secureframe's broader integration library means less manual evidence collection.",[11,8279,8280],{},"Drata's integrations, while fewer in number, tend to offer deeper configuration options for the platforms they do support. 
If your stack is standard — AWS or GCP, Okta or Google Workspace, GitHub, and a common HR tool — both platforms will serve you equally well.",[44,8282,8284],{"id":8283},"pricing-opacity","Pricing opacity",[11,8286,8287],{},"Neither Drata nor Secureframe publishes pricing. Both require a sales conversation to get a quote, and both scale based on team size, framework count, and contract terms. Based on market data, Drata typically starts around $10,000–$15,000\u002Fyr while Secureframe starts slightly lower at $8,000–$12,000\u002Fyr. At scale, both reach $30,000–$50,000\u002Fyr for larger organizations.",[11,8289,8290],{},"This pricing opacity creates a frustrating buying experience. You can't model costs internally before engaging sales. You can't easily compare options. And renewal conversations often involve price increases that are hard to predict at the time of initial purchase.",[44,8292,8294],{"id":8293},"where-both-platforms-struggle","Where both platforms struggle",[11,8296,8297],{},"The irony of comparing Drata and Secureframe is that their most significant limitations are shared. Both use pricing models that punish team growth. Both rely on templated control libraries that resist customization. Both treat policy documentation as a secondary concern — something generated through forms rather than crafted through a proper writing experience.",[11,8299,8300],{},"And both lock you into their workflow assumptions. If your compliance program doesn't map cleanly to their templates — if you run hybrid frameworks, need custom controls, or want to structure programs differently than the default — you'll spend time working around the platform instead of working within it.",[44,8302,8304],{"id":8303},"the-case-for-a-different-approach","The case for a different approach",[11,8306,8307],{},"When two products are this similar, the deciding factor often isn't which one is better — it's whether either one is the right category of tool for your needs. 
If you want maximum automation and are comfortable with enterprise pricing, Drata and Secureframe both deliver.",[11,8309,8310],{},"But if you want flat pricing at $500\u002Fmo, a Notion-like editor for compliance documentation, and the freedom to build programs that reflect how your team actually operates — episki offers something neither Drata nor Secureframe provides. No per-seat scaling. No opaque quotes. No templated policies that read like every other company's.",[11,8312,8313],{},"Just a workspace your compliance team will use daily, at a price that doesn't make your CFO wince.",{"title":452,"searchDepth":453,"depth":453,"links":8315},[8316],{"id":8237,"depth":453,"text":8238,"children":8317},[8318,8319,8320,8321,8322,8323],{"id":8244,"depth":459,"text":8245},{"id":8260,"depth":459,"text":8261},{"id":8273,"depth":459,"text":8274},{"id":8283,"depth":459,"text":8284},{"id":8293,"depth":459,"text":8294},{"id":8303,"depth":459,"text":8304},[8325,8330,8334,8339,8344,8349,8354,8359,8364],{"feature":8326,"competitorA":8327,"competitorB":8328,"episki":8329},"Pricing model","Custom pricing, typically starting around $10,000–$15,000\u002Fyr","Custom pricing, typically starting around $8,000–$12,000\u002Fyr","Flat $500\u002Fmo or $5,000\u002Fyr with unlimited seats",{"feature":8331,"competitorA":8332,"competitorB":8332,"episki":8333},"Framework coverage","SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and 15+ frameworks","SOC 2, ISO 27001, HIPAA, PCI DSS, NIST CSF, and custom frameworks",{"feature":8335,"competitorA":8336,"competitorB":8337,"episki":8338},"Automation depth","Automated evidence collection with real-time compliance dashboards","Automated monitoring with continuous evidence collection and alerts","AI-assisted drafting and structured workflows with manual evidence uploads",{"feature":8340,"competitorA":8341,"competitorB":8342,"episki":8343},"Integration count","100+ integrations covering major cloud and SaaS platforms","150+ integrations covering cloud, identity, 
HR, and developer tools","Growing integration library with focus on structured evidence reuse",{"feature":8345,"competitorA":8346,"competitorB":8347,"episki":8348},"Auditor collaboration","Auditor-facing portal with read-only access and evidence downloads","Auditor-ready evidence rooms with structured access controls","Built-in auditor portal with scoped access and Q&A threads",{"feature":8350,"competitorA":8351,"competitorB":8352,"episki":8353},"AI features","AI-assisted control mapping and compliance recommendations","AI-driven compliance recommendations and automated risk scoring","AI drafts policies, narratives, remediation steps, and questionnaire answers",{"feature":8355,"competitorA":8356,"competitorB":8357,"episki":8358},"Implementation time","1–3 weeks with self-serve setup and optional guided onboarding","2–3 weeks with guided onboarding and compliance expertise","Same-day setup with self-serve onboarding and optional demo",{"feature":8360,"competitorA":8361,"competitorB":8362,"episki":8363},"Support model","In-app chat, email support, and dedicated CSM for larger accounts","Dedicated compliance managers, email, and in-app support","Direct founder access, in-app chat, and shared Slack channels",{"feature":8365,"competitorA":8366,"competitorB":8367,"episki":8368},"Free trial","Demo-based sales process, limited free trial availability","Demo-based sales process, no public free trial","14-day free trial with full access, no credit card required","Drata","Secureframe",{"title":8372,"description":8373},"Skip the comparison. Try episki free.","14-day trial with full access. No credit card required.",{"headline":8375,"title":8376,"description":8377,"links":8378},"Drata vs Secureframe","Similar features, different approaches to compliance automation","Compare Drata and Secureframe across pricing, onboarding, and compliance workflows. 
Two closely matched platforms with subtle but important differences for your team.",[8379,8381],{"label":8380,"icon":5482,"to":5483},"Try episki free",{"label":5485,"icon":5486,"color":5487,"variant":5488,"to":5489,"target":5490},{},"\u002Fcompare\u002Fvs\u002Fdrata-vs-secureframe",{"title":8385,"description":8386},"Drata vs Secureframe (2026): Pricing, Features & Honest Comparison","Drata vs Secureframe compared on pricing, onboarding, framework coverage, and compliance automation. See which platform fits your team — or why neither might be the best choice.","drata-vs-secureframe","drata","secureframe","7.compare\u002Fvs\u002Fdrata-vs-secureframe",{"chooseA":8392,"chooseB":8393,"chooseEpiski":8394},"Choose Drata if you value self-serve speed and visual compliance dashboards. Drata gets you operational faster and provides the clearest real-time view of your compliance posture — ideal for teams with in-house compliance knowledge.","Choose Secureframe if you want more hands-on guidance from dedicated compliance managers. Secureframe's human-led onboarding is better for teams running their first audit without experienced GRC staff.","Choose episki if you want transparent pricing, a writing-first editor, and the flexibility to structure programs your way. episki is for teams that want to own their compliance narrative without paying enterprise prices.","HuA5a0qhJVkEPHNLT6GY_VEempd7yA1ONnXItxDt-ZQ",{"id":8397,"title":8369,"advantages":8398,"body":8420,"comparison":8471,"competitor":8369,"cta":8497,"description":452,"extension":474,"hero":8500,"meta":8508,"navigation":479,"path":5416,"seo":8509,"slug":8388,"stem":8512,"__hash__":8513},"compare\u002F7.compare\u002Fdrata.md",[8399,8406,8413],{"title":8400,"description":8401,"bullets":8402},"One flat price for everything","episki includes unlimited frameworks, teammates, and portals for a single monthly or annual fee. 
No tiers, no negotiations.",[8403,8404,8405],"Add frameworks without upgrading to a higher tier","Invite auditors, customers, and stakeholders at no extra cost","Predictable billing that does not scale with headcount",{"title":8407,"description":8408,"bullets":8409},"Connected programs and assessments","episki treats compliance as connected work. Programs, assessments, controls, tasks, and issues link together so nothing falls through the cracks.",[8410,8411,8412],"Run recurring programs and one-time assessments side by side","Tasks inherit context from parent controls and programs","Evidence attaches once and stays available across every framework",{"title":8414,"description":8415,"bullets":8416},"Fast, keyboard-driven workspace","episki is built for people who spend hours in the tool. Keyboard shortcuts, global search, and a rich editor make daily compliance work feel fast.",[8417,8418,8419],"Navigate between programs, controls, and evidence without lifting your hands","Inline editing for policies, narratives, and response drafts","Dark mode and responsive layout for any screen",{"type":8,"value":8421,"toc":8466},[8422,8426,8429,8432,8452,8456,8459,8463],[29,8423,8425],{"id":8424},"why-teams-evaluate-drata-alternatives","Why teams evaluate Drata alternatives",[11,8427,8428],{},"Drata has built a comprehensive compliance automation platform with strong automated evidence collection and a wide library of supported frameworks. 
It works well for organizations that want continuous monitoring with minimal manual intervention.",[11,8430,8431],{},"Some teams look for alternatives when they need:",[55,8433,8434,8440,8446],{},[58,8435,8436,8439],{},[61,8437,8438],{},"Simpler pricing"," — Drata's tiered pricing based on framework count and company size can make budgeting unpredictable, especially for organizations running multiple frameworks or growing quickly.",[58,8441,8442,8445],{},[61,8443,8444],{},"Unified program management"," — teams managing overlapping compliance programs want controls, evidence, and tasks connected across frameworks in a single workspace rather than managed as separate compliance tracks.",[58,8447,8448,8451],{},[61,8449,8450],{},"A daily-use workspace"," — compliance teams that spend significant time writing, reviewing, and collaborating want an editor and navigation experience that feels productive rather than transactional.",[29,8453,8455],{"id":8454},"when-drata-might-be-the-better-fit","When Drata might be the better fit",[11,8457,8458],{},"Drata is a strong choice for teams that prioritize automated continuous monitoring and need a platform with deep integration coverage across cloud, identity, HR, and development tools. If your primary concern is automating evidence collection and you operate in a well-defined framework like SOC 2 or ISO 27001, Drata's automation depth is compelling.",[29,8460,8462],{"id":8461},"when-episki-shines","When episki shines",[11,8464,8465],{},"episki is designed for teams that view compliance as ongoing, cross-functional work rather than a monitoring dashboard. 
If you run multiple programs, collaborate with auditors directly in the tool, and want a workspace that feels as fast as your engineering tools, episki delivers a different kind of compliance experience.",{"title":452,"searchDepth":453,"depth":453,"links":8467},[8468,8469,8470],{"id":8424,"depth":453,"text":8425},{"id":8454,"depth":453,"text":8455},{"id":8461,"depth":453,"text":8462},[8472,8474,8475,8479,8483,8486,8489,8493],{"feature":8326,"episki":8329,"competitor":8473},"Tiered pricing based on framework count and company size",{"feature":8331,"episki":8333,"competitor":8332},{"feature":8476,"episki":8477,"competitor":8478},"Control management","Linked control graph with cross-framework reuse and ownership","Control library with automated testing and monitoring",{"feature":8480,"episki":8481,"competitor":8482},"Evidence collection","Manual uploads with structured ownership and reuse across frameworks","Automated evidence collection with 100+ integrations",{"feature":8484,"episki":8353,"competitor":8485},"AI assistance","AI-powered compliance automation",{"feature":6676,"episki":8487,"competitor":8488},"Risk registers with remediation tracking tied to controls","Built-in risk management with scoring and treatment plans",{"feature":8490,"episki":8491,"competitor":8492},"Editor experience","Notion-like rich text editor with inline editing","Structured forms and workflow-based interface",{"feature":8494,"episki":8495,"competitor":8496},"Collaboration","Built-in auditor portal, customer portals, and team workspaces","Auditor-facing dashboards and team collaboration features",{"title":8498,"description":8499},"Try episki side by side with Drata","Start a free trial with all features enabled. Import your controls and see the difference.",{"headline":5417,"title":8501,"description":8502,"links":8503},"How episki compares to Drata for compliance teams","A head-to-head on pricing, workflow design, and framework flexibility. 
See why teams that want a faster, more collaborative compliance workspace switch from Drata to episki.",[8504,8506],{"label":8505,"icon":5482,"to":5483},"Start free trial",{"label":8507,"icon":5486,"color":5487,"variant":5488,"to":5489,"target":5490},"See a live demo",{},{"title":8510,"description":8511},"episki vs Drata (2026): Pricing, Flexibility & Why Teams Switch","Compare episki and Drata on pricing, workflow design, and framework flexibility. See why compliance teams switch from Drata to episki.","7.compare\u002Fdrata","rehdI9NC6n1m3mFaD-M9xGliPjg5awlPauCt-LCW_es",{"id":8515,"title":8516,"api":475,"authors":8517,"body":8523,"category":8702,"date":8703,"description":8704,"extension":474,"features":475,"fixes":475,"highlight":475,"image":8705,"improvements":475,"meta":8707,"navigation":479,"path":8709,"seo":8710,"stem":8711,"__hash__":8712},"posts\u002F3.now\u002Fdefined-roles-pci-compliance-mistakes.md","Defined Roles in PCI: The Compliance Mistakes That Fly Under the Radar",[8518],{"name":8519,"to":8520,"avatar":8521},"Justin Leapline","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjustinleapline\u002F",{"src":8522},"\u002Fimages\u002Fjustinleapline.png",{"type":8,"value":8524,"toc":8694},[8525,8531,8534,8537,8540,8543,8546,8548,8552,8562,8565,8568,8571,8573,8577,8580,8583,8586,8589,8591,8595,8603,8606,8609,8612,8614,8618,8621,8624,8627,8629,8633,8636,8639,8642,8645,8647,8651,8654,8657,8660,8662,8667,8679,8686,8688],[8526,8527,8528],"blockquote",{},[11,8529,8530],{},"When it comes to PCI DSS, most organizations focus on the technical controls — encryption, access management, logging. But one of the most persistent failure points isn't technical at all. It's the question of who owns what. Undefined or poorly assigned roles quietly undermine even the most well-resourced compliance programs. 
This post breaks down the most common role-related mistakes security leaders make in PCI — and what to do differently.",[8532,8533],"hr",{},[11,8535,8536],{},"Most PCI compliance failures don't happen because teams don't know the standard.",[11,8538,8539],{},"They happen because nobody agreed on who was responsible for following it.",[11,8541,8542],{},"It sounds simple. In practice, it's one of the hardest problems in compliance programs — and one of the least discussed. When a QSA walks in for an assessment and finds gaps, the root cause is often not a missing control. It's a missing owner.",[11,8544,8545],{},"For CISOs leading PCI programs, role clarity isn't a nice-to-have. It's the foundation everything else sits on.",[8532,8547],{},[29,8549,8551],{"id":8550},"mistake-1-treating-pci-ownership-as-an-it-problem","Mistake #1: Treating PCI Ownership as an IT Problem",[11,8553,8554,8556,8557,8561],{},[15,8555,6552],{"href":6907}," governs the entire ",[15,8558,8560],{"href":8559},"\u002Fglossary\u002Fcardholder-data-environment","cardholder data environment"," — and the cardholder data environment touches far more than IT.",[11,8563,8564],{},"It includes how sales teams handle card data over the phone. How finance processes refunds. How third-party vendors connect to your systems. How HR onboards employees who access payment infrastructure. And yet, in most organizations, PCI ownership sits almost exclusively with the security or IT team — while the business units that handle cardholder data daily operate with little awareness of their own obligations.",[11,8566,8567],{},"This creates a structural gap. Controls get implemented technically but not operationally. Policies exist on paper but aren't followed in practice because the people they govern don't know they apply to them.",[11,8569,8570],{},"The fix isn't adding more controls. It's expanding the ownership model. 
Every team that touches cardholder data needs a defined role in the compliance program — with accountability, not just awareness.",[8532,8572],{},[29,8574,8576],{"id":8575},"mistake-2-confusing-responsible-with-accountable","Mistake #2: Confusing \"Responsible\" with \"Accountable\"",[11,8578,8579],{},"One of the most reliable ways to spot a broken compliance program is to ask two people on the same team who owns a specific PCI requirement. If you get two different answers — or two blank stares — you have an accountability problem.",[11,8581,8582],{},"The distinction between responsibility and accountability matters here. Responsibility is operational: this person performs the task. Accountability is governance: this person owns the outcome. In PCI, these roles are often blurred or duplicated, which means that when something goes wrong, nobody is clearly on the hook — and when audits come around, multiple people claim ownership of the same control without any of them actually running it.",[11,8584,8585],{},"The RACI model (Responsible, Accountable, Consulted, Informed) is a well-worn solution to this problem — but only when applied with rigor. A RACI matrix that was built two years ago and hasn't been updated since an acquisition, a reorg, or a new product launch is often worse than no RACI at all. It creates false confidence.",[11,8587,8588],{},"PCI role assignments need to be reviewed every time the business changes — not just every time the standard does.",[8532,8590],{},[29,8592,8594],{"id":8593},"mistake-3-letting-vendor-relationships-create-ownership-gaps","Mistake #3: Letting Vendor Relationships Create Ownership Gaps",[11,8596,8597,8598,8602],{},"PCI DSS Requirement 12.8 is clear: organizations are responsible for managing the compliance of all ",[15,8599,8601],{"href":8600},"\u002Fglossary\u002Fthird-party-risk","third-party service providers"," who have access to cardholder data. 
In practice, many organizations interpret this requirement as \"get a copy of their AOC and file it.\"",[11,8604,8605],{},"That's not management. That's documentation.",[11,8607,8608],{},"The gap shows up when a vendor has a breach, when a third-party integration introduces a vulnerability, or when an assessor asks how the organization monitors the compliance posture of its vendors — and the answer is \"we check their certificate once a year.\"",[11,8610,8611],{},"Vendor ownership in PCI requires a named internal owner for each critical third-party relationship. Someone who understands what that vendor does, what data they access, what their contractual security obligations are, and what the escalation path looks like if something goes wrong. Without that, vendor risk exists on paper but is managed by nobody.",[8532,8613],{},[29,8615,8617],{"id":8616},"mistake-4-role-assignments-that-dont-survive-personnel-changes","Mistake #4: Role Assignments That Don't Survive Personnel Changes",[11,8619,8620],{},"PCI roles are often documented at the person level — \"Sarah owns firewall management,\" \"Marco is responsible for log review\" — rather than at the function level. When Sarah leaves or Marco moves to a different team, the role doesn't transfer cleanly. Institutional knowledge walks out the door, and the new person inherits a responsibility they weren't briefed on.",[11,8622,8623],{},"This is especially dangerous in small security teams, where one person often carries multiple PCI functions. When that person leaves without a proper transition, entire sections of the compliance program can become effectively unowned — sometimes for months before anyone notices.",[11,8625,8626],{},"Sustainable role assignment means documenting at the position level, not the individual level. It means keeping role documentation alive and connected to onboarding processes, so that new team members understand their compliance obligations from day one. 
And it means building succession into the program architecture, not treating it as an afterthought.",[8532,8628],{},[29,8630,8632],{"id":8631},"mistake-5-assuming-the-ciso-owns-everything-that-isnt-assigned-elsewhere","Mistake #5: Assuming the CISO Owns Everything That Isn't Assigned Elsewhere",[11,8634,8635],{},"In many organizations, the CISO is the implicit owner of last resort. If a PCI requirement doesn't have a clear owner, it defaults upward — and eventually lands on the security leader's desk.",[11,8637,8638],{},"This is a governance problem masquerading as an efficiency problem. When the CISO is the catch-all for unassigned compliance obligations, two things happen: the CISO is spending time on operational tasks that should be delegated, and the organization's compliance program lacks the distributed ownership structure it needs to function at scale.",[11,8640,8641],{},"The CISO's role in PCI should be strategic: defining the program, setting the accountability structure, owning the relationship with assessors, and reporting to the board on risk posture. The moment the CISO is personally responsible for reviewing firewall rule changes or validating log configurations, something in the ownership model has broken down.",[11,8643,8644],{},"A well-structured PCI program distributes operational ownership to the teams closest to the work — and gives the CISO visibility into all of it without requiring their direct involvement in any of it.",[8532,8646],{},[29,8648,8650],{"id":8649},"what-getting-it-right-actually-looks-like","What Getting It Right Actually Looks Like",[11,8652,8653],{},"The organizations that manage PCI compliance most effectively share a few traits. Their role assignments are documented at the function level and reviewed on a regular cadence. Their business unit owners understand their obligations — not just their technical ones. Their vendor relationships have named internal owners with active oversight responsibilities. 
And their CISO has clear visibility into the program without being buried in its day-to-day operations.",[11,8655,8656],{},"None of this requires a larger team. It requires a more deliberate structure.",[11,8658,8659],{},"PCI compliance isn't won or lost in the technical controls. It's won or lost in the clarity of who owns them, who monitors them, and who is accountable when they fail.",[8532,8661],{},[11,8663,8664],{},[61,8665,8666],{},"Is your PCI ownership model as clear as you think it is?",[11,8668,8669,8670,8674,8675,8678],{},"At ",[15,8671,8673],{"href":8672},"\u002F","episki",", we help security leaders build compliance programs where accountability is real — not just documented. From role mapping to third-party oversight to board-level reporting, we work alongside your team to make sure your ",[15,8676,8677],{"href":6907},"PCI"," program holds up when it matters most.",[11,8680,8681],{},[15,8682,8685],{"href":5489,"rel":8683},[8684],"nofollow","Let's talk →",[8532,8687],{},[11,8689,8690],{},[8691,8692,8693],"em",{},"Compliance on paper isn't compliance. It's paperwork.",{"title":452,"searchDepth":453,"depth":453,"links":8695},[8696,8697,8698,8699,8700,8701],{"id":8550,"depth":453,"text":8551},{"id":8575,"depth":453,"text":8576},{"id":8593,"depth":453,"text":8594},{"id":8616,"depth":453,"text":8617},{"id":8631,"depth":453,"text":8632},{"id":8649,"depth":453,"text":8650},"craft","2026-04-15","Unclear ownership is one of the most common — and costly — failures in PCI compliance. 
Here's what security leaders get wrong about defining roles, and how to fix it.",{"src":8706},"\u002Fimages\u002Fblog\u002FPCI.jpg",{"slug":8708},"defined-roles-pci-compliance-mistakes","\u002Fnow\u002Fdefined-roles-pci-compliance-mistakes",{"title":8516,"description":8704},"3.now\u002Fdefined-roles-pci-compliance-mistakes","0u0CncSJsrHMYJZWMH_BzWgau-vuQTBQ7NdBBVQMz7Q",{"id":8714,"title":8715,"advantages":8716,"body":8738,"checklist":8745,"cta":8754,"description":8742,"extension":474,"faq":475,"hero":8757,"meta":8765,"name":8766,"navigation":479,"path":8767,"resources":8768,"seo":8781,"slug":8784,"stats":8785,"stem":8795,"__hash__":8796},"industries\u002F6. industry\u002F1.healthcare.md","Healthcare",[8717,8724,8731],{"title":8718,"description":8719,"bullets":8720},"PHI-aware control mapping","Map administrative, technical, and physical safeguards to your stack without rebuilding every audit.",[8721,8722,8723],"Track EHR, identity, and cloud evidence with structured ownership","Track segmentation, backups, and log retention against HIPAA safeguards","Map once for HIPAA and reuse for HITRUST or regional requirements",{"title":8725,"description":8726,"bullets":8727},"Clinician-friendly workflows","Keep nurses, clinicians, and ops aligned without burying them in tickets.",[8728,8729,8730],"Role-aware tasks routed to the right owner with due dates","Playbooks show “what good looks like” for PHI handling","Attestations and approvals captured inline for auditors",{"title":8732,"description":8733,"bullets":8734},"Auditor and partner collaboration","Give regulators, payers, and partners scoped access instead of email threads.",[8735,8736,8737],"Auditor portal with threaded Q&A per safeguard","Secure uploads with expirations and access controls","Exports for SOC 2, PCI, or privacy questionnaires",{"type":8,"value":8739,"toc":8743},[8740],[11,8741,8742],{},"Healthcare buyers move fast when they trust your safeguards. 
episki keeps PHI protections documented, monitored, and shareable without slowing product or patient care.",{"title":452,"searchDepth":453,"depth":453,"links":8744},[],{"title":8746,"description":8747,"items":8748},"Healthtech compliance checklist","Use this inside your trial to assign owners, attach evidence, and track renewals.",[8749,8750,8751,8752,8753],"HIPAA safeguard library mapped to your systems","BAA tracker with renewal reminders and risk scoring","Incident response runbooks with timelines and owners","Access, logging, and backup verification tasks","Third-party risk reviews tied to PHI data flows",{"title":8755,"description":8756},"Launch a healthtech-ready workspace","Connect your stack, invite stakeholders, and show PHI protections the same day.",{"headline":8758,"title":8759,"description":8760,"links":8761},"HIPAA-grade governance without slowing clinicians","Keep PHI protections provable across cloud apps, clinics, and vendors","episki maps safeguards, automates evidence, and gives auditors scoped access so healthtech teams can keep shipping.",[8762,8764],{"label":8763,"icon":5482,"to":5483},"Start healthtech trial",{"label":5485,"icon":5486,"color":5487,"variant":5488,"to":5489,"target":5490},{},"healthcare and healthtech","\u002Findustry\u002Fhealthcare",{"headline":8769,"title":8769,"description":8770,"items":8771},"Healthcare enablement kit","Keep leadership, clinicians, and auditors aligned on the same story.",[8772,8775,8778],{"title":8773,"description":8774},"PHI data flow deck","Share sanitized diagrams plus segmentation notes for customers and partners.",{"title":8776,"description":8777},"Board + payer brief","Summarize control health, incidents, and remediation in plain language.",{"title":8779,"description":8780},"Auditor-ready workspace","Prebuilt template for requests, evidence, and walkthrough scheduling.",{"title":8782,"description":8783},"Healthcare Compliance Software","HIPAA-ready GRC for healthtech teams. 
Map safeguards, track PHI evidence, and collaborate with auditors in one secure workspace. Start your free trial.","healthcare",[8786,8789,8792],{"value":8787,"description":8788},"30-day rollout","Move from baseline controls to monitored safeguards in under a month.",{"value":8790,"description":8791},"PHI-safe sharing","Role-based portals keep BAAs, policies, and diagrams organized and protected.",{"value":8793,"description":8794},"Continuous watch","Drift detection across access, logging, vendors, and incidents.","6. industry\u002F1.healthcare","831E5Bdk5x1SUBhE8YrTZtQjqMJj9Q3vjQivX_AG0IQ",1776395346636]