Home/Services/ISO 27001
International Standard

ISO 27001

The Certification Enterprise Clients Ask For — Before They Sign.

ISO 27001:2022 certification signals that your organisation takes information security seriously — not just on paper, but in practice. Norvex Assurance handles the full implementation, so you get certified without the chaos.

ISO 27001 compliance illustration

ISO 27001 Overview

ISO 27001 is the global standard for information security management. It gives organisations a structured framework to protect data, manage risk, and demonstrate security maturity — across people, processes, and technology. The current version — ISO/IEC 27001:2022 — covers 93 controls across four themes and requires continuous improvement, not just a one-time review.

Key Highlights

  • Recognised in 160+ countries across Europe, Asia-Pacific, Middle East, and North America
  • 93 controls: Organizational, People, Physical, and Technological
  • Required for government and regulated enterprise procurement in most major markets
  • Aligns with GDPR, NIS2, SOC 2, and other compliance frameworks

Who Needs ISO 27001?

SaaS & Cloud Platforms
Financial Institutions
Government Contractors
Healthcare & HealthTech

Not sure if you need ISO 27001?

Talk to one of our experts — free, no obligation.

2022 Update

2022 Update

ISO 27001:2022 — What Changed The 2022 revision restructured the standard significantly. Whether you're certifying for the first time or transitioning from 2013, here's what's different:

Restructured Annex A Controls

114 controls across 14 domains consolidated into 93 controls across 4 themes — Organizational, People, Physical, and Technological. Eleven new controls added covering threat intelligence, cloud security, and data masking.

New Focus Areas

Cloud infrastructure, data leakage prevention, and continuous monitoring are now explicitly required — areas the 2013 version didn't address. Directly relevant if your stack runs on AWS, Azure, or GCP.

Transition Deadline Passed

ISO 27001:2013 certifications expired October 31, 2025. Norvex Assurance certifies directly against the 2022 standard — no legacy gaps, no transition overhead.

Framework Comparison

ISO 27001 vs SOC 2 — Know Which One You Actually Need Different frameworks serve different buyers. Here's a direct comparison:

CriteriaISO 27001SOC 2
What it isInternational certification for your entire ISMSAttestation report on security controls evaluated by a CPA firm
Issued byAccredited certification body (BSI, Bureau Veritas, Schellman)A licensed CPA firm under AICPA standards.
ScopeOrganisation-wide — people, processes, and technologySpecific systems and services in scope
RecognitionGlobal — strongest in Europe, Middle East, and Asia-PacificStrongest in North America and US enterprise procurement
Validity3-year certificate with annual surveillance auditsRenewed annually — Type I (point-in-time) or Type II (period-based)
Best forInternational expansion and regulated market accessSaaS companies selling to US enterprise buyers

Do You Need Both?

Many of our clients pursue ISO 27001 and SOC 2 together. The two frameworks share roughly 60–70% control overlap, which means you can achieve both without doubling your effort or budget. Norvex Assurance offers integrated audit planning that maps shared controls across both frameworks, reducing your total cost and compressing your timeline.

Our ISO 27001 Process

01

Scoping & Context Analysis

We define your ISMS boundaries — mapping systems, locations, business units, and data flows subject to the standard.

02

Gap Analysis & Risk Assessment

We assess your current posture against all 93 Annex A controls and deliver a risk-ranked findings report with a clear action roadmap.

03

ISMS Design & Documentation

We build your complete documentation suite — policies, procedures, risk treatment plan, and Statement of Applicability — written for your organisation, not from templates.

04

Control Implementation

We work directly with your engineering and IT teams to implement required controls — access management, monitoring, and incident response workflows.

05

Internal Audit

We conduct a structured internal audit mirroring the certification body's approach and resolve all findings before the external assessment begins.

06

Certification Audit Support

We prepare your ISMS for Stage 1 and Stage 2 — and stay present throughout both, managing the certification body relationship directly.

07

Post-Certification Support

We support annual surveillance audits and ISMS management reviews across the full three-year certificate cycle.

Business Impact

Why Organisations Choose Norvex for ISO 27001 ?

End-to-End ISMS Implementation

One team manages scoping to certificate — no vendor coordination, no handoff gaps, no generalist consultants.

Certified Lead Auditors & Implementers

Every engagement is led by IRCA and Exemplar Global credentialled auditors with direct experience across SaaS, fintech, healthcare, and enterprise tech.

Global Delivery

We operate across the US, India, UAE, Singapore, and Europe — understanding certification body expectations in every market you work in.

Fixed-Fee Pricing

Quoted after a scoping call. No hourly billing, no scope creep surprises. One number, delivered against.

Structured Path to Certificate

Parallel workstreams and focused methodology keep your certification timeline tight without cutting corners on substance.

Three-Year Lifecycle Support

Surveillance audits, ISMS reviews, and improvement advisory — we stay engaged across the full certificate cycle.

ISO 27001:2022 Annex A Controls

93 controls selected and documented through your Statement of Applicability — covering every layer of your organisation's security posture.

Organizational Controls

37 Controls

Security policies, roles, asset management, supplier relationships, and incident management. The management foundation every ISO 27001 audit begins with.

People Controls

8 Controls

Screening, awareness training, and employment lifecycle responsibilities. Your workforce is your first line of defence — and your most significant risk surface.

Physical Controls

14 Controls

Protection of premises, equipment, and physical media from unauthorised access, damage, and environmental threats.

Technological Controls

34 Controls

Access management, encryption, network security, vulnerability management, and monitoring. For cloud-native businesses, this is where the heaviest implementation work sits.

11 New Controls Introduced in the 2022 Update

Threat Intelligence
Information Security for Cloud Services
ICT Readiness for Business Continuity
Physical Security Monitoring
Data Masking
Data Leakage Prevention
Monitoring Activities
Web Filtering
Secure Coding

What's Included in Your ISO 27001 Engagement

Everything required to achieve and maintain certification — no hidden extras.

01
Scoping session and organisational context analysis
02
Gap analysis against ISO 27001:2022 requirements and 93 Annex A controls
03
ISMS documentation suite (policies, procedures, SoA, risk treatment plan)
04
Control implementation guidance and remediation support
05
Staff security awareness training
06
Internal audit and corrective action support
07
Stage 1 & Stage 2 certification audit preparation and support
08
ISO 27001:2022 certificate + 3-year surveillance cycle support

What Our Clients Say

"We needed ISO 27001 to close a contract with a European financial services client who wouldn't move forward without it. Norvex Assurance built our ISMS from scratch, got us audit-ready in 10 weeks, and we certified on the first attempt. That single contract paid for the entire engagement three times over."

Chief Technology Officer

B2B SaaS Platform — Series B

"Our internal team had tried to implement ISO 27001 using an automation tool and a few templates. After six months, we had a pile of documents and no clear path to certification. Norvex Assurance came in, restructured our approach, closed every gap, and got us certified in 14 weeks. We should have called them first."

VP of Engineering

Cloud Infrastructure Provider — Series A

"Operating across Singapore, India, and the US, we needed an ISO 27001 partner who understood multi-region complexity. Norvex Assurance scoped our ISMS across all three locations, managed the certification body relationship, and made the entire process feel structured rather than overwhelming. Our board was impressed."

Head of Compliance

HealthTech Company — Singapore HQ

Common Questions About ISO 27001

Ready to Start Your ISO 27001 Journey?

Get a Free Consultation

Response within 24 hours
Fixed-fee pricing
No obligation
Explore More

Other Services You May Need