Komplyo
ISO/IEC 27001:2022

Prepare ISO 27001 certification: assessment, gaps, Statement of Applicability

ISO 27001 certification appears increasingly often in large accounts' RFPs. Komplyo structures the preparation. Assessment of the 93 Annex A controls, ISMS requirements, a generated Statement of Applicability and continuously measured readiness. You face the auditor knowing your gaps.

Why (and when) to pursue ISO 27001

ISO 27001 is voluntary. But in practice, the market often decides:

A commercial requirement

Public tenders, large accounts and international buyers ask for the certificate as an entry condition. Especially in B2B, where your customers must themselves prove control over their suppliers.

Internal structure

The ISMS enforces a continuous-improvement cycle: risk analysis, treatment plan, internal audit, management review. A useful frame even before certification.

Regulatory leverage

ISO 27001 controls cover a large share of NIS2's requirements and GDPR Article 32: the preparation serves several compliance goals at once.

What the auditor will expect

Certification covers two distinct sets that are often conflated:

The ISMS (clauses 4 to 10)

Context, leadership, planning, support, operation, evaluation, improvement: the management system, with evidence it actually runs (reviews, audits, indicators).

The 93 Annex A controls

Organisational, people, physical and technological controls (ISO 27001:2022). Every control you retain must be implemented and documented.

The Statement of Applicability (SoA)

The pivotal audit document. For each of the 93 controls (applicable or not, justification, and implementation status).

Risk analysis and treatment

A formalised methodology, a living risk register and a treatment plan approved by management.

Internal audit and management review

At least one full cycle before the certification audit. The item that most often pushes the date back.

Derived readiness first, then comprehensive

Komplyo projects your NIST CSF 2.0 assessment onto Annex A using the official NIST↔ISO crosswalk. You immediately see a readiness score derived from your existing answers, then complete only what is ISO-specific (SoA, risk-treatment methodology, internal audit, management review).

  • A dedicated ISO 27001 workspace. Every clause and every Annex A control with its coverage status.
  • A Statement of Applicability generated and exportable from your answers. No more hand-maintained spreadsheet.
  • Two readiness bars (derived and comprehensive), stored over time. You always know what stands between you and the audit.
Statement of Applicability (SoA) generated in Komplyo

Your preparation deliverables

Generated from the same assessment, aligned with what the certification body will request:

  • Exportable Statement of Applicability (SoA)
  • Security policy and associated topic policies
  • Risk register and treatment plan
  • Prioritised roadmap up to the audit
  • Score history: continuous-improvement evidence for the management review

ISO 27001. Frequently asked questions

How long does ISO 27001 certification take?

For an SME, typically 6 to 12 months of preparation, then the two-stage certification audit. The limiting factor is rarely technical: it's the ISMS cycle (internal audit, management review) that must have run at least once.

Does Komplyo issue the certificate?

No. No tool can. The certificate is issued by an accredited certification body after an audit. Komplyo prepares everything that audit examines (SoA, policies, risk register, evidence that the ISMS runs).

ISO 27001 or SOC 2. Which should we choose?

ISO 27001 dominates in Europe and public tenders. SOC 2 is the de-facto standard for selling into the US. Their controls overlap heavily. With Komplyo, the same assessment feeds both preparations.

Do we need a consultant to prepare?

An internal security lead, even part-time, plus a structuring tool covers most of the preparation. External eyes remain useful at specific points (mock audit), but you don't need a resident consultancy.

What does the 2022 revision change?

ISO/IEC 27001:2022 regroups Annex A into 93 controls across 4 themes (organisational, people, physical, technological) and adds items like threat intelligence, cloud security and secure coding. Komplyo is aligned with this version.

Does the preparation also serve NIS2?

Yes. Annex A controls cover a large share of NIS2 Article 21 requirements: in Komplyo, the same answers feed both projections with no duplicate entry.

Know exactly what stands between you and the certificate

Create your workspace, activate the ISO 27001 lens and get a derived readiness from your very first answers.