The Certification Enterprise Clients Ask For — Before They Sign.
ISO 27001:2022 certification signals that your organisation takes information security seriously — not just on paper, but in practice. Norvex Assurance handles the full implementation, so you get certified without the chaos.

ISO 27001 is the global standard for information security management. It gives organisations a structured framework to protect data, manage risk, and demonstrate security maturity — across people, processes, and technology. The current version — ISO/IEC 27001:2022 — covers 93 controls across four themes and requires continuous improvement, not just a one-time review.
Not sure if you need ISO 27001?
Talk to one of our experts — free, no obligation.
ISO 27001:2022 — What Changed The 2022 revision restructured the standard significantly. Whether you're certifying for the first time or transitioning from 2013, here's what's different:
114 controls across 14 domains consolidated into 93 controls across 4 themes — Organizational, People, Physical, and Technological. Eleven new controls added covering threat intelligence, cloud security, and data masking.
Cloud infrastructure, data leakage prevention, and continuous monitoring are now explicitly required — areas the 2013 version didn't address. Directly relevant if your stack runs on AWS, Azure, or GCP.
ISO 27001:2013 certifications expired October 31, 2025. Norvex Assurance certifies directly against the 2022 standard — no legacy gaps, no transition overhead.
ISO 27001 vs SOC 2 — Know Which One You Actually Need Different frameworks serve different buyers. Here's a direct comparison:
| Criteria | ISO 27001 | SOC 2 |
|---|---|---|
| What it is | International certification for your entire ISMS | Attestation report on security controls evaluated by a CPA firm |
| Issued by | Accredited certification body (BSI, Bureau Veritas, Schellman) | A licensed CPA firm under AICPA standards. |
| Scope | Organisation-wide — people, processes, and technology | Specific systems and services in scope |
| Recognition | Global — strongest in Europe, Middle East, and Asia-Pacific | Strongest in North America and US enterprise procurement |
| Validity | 3-year certificate with annual surveillance audits | Renewed annually — Type I (point-in-time) or Type II (period-based) |
| Best for | International expansion and regulated market access | SaaS companies selling to US enterprise buyers |
Many of our clients pursue ISO 27001 and SOC 2 together. The two frameworks share roughly 60–70% control overlap, which means you can achieve both without doubling your effort or budget. Norvex Assurance offers integrated audit planning that maps shared controls across both frameworks, reducing your total cost and compressing your timeline.
We define your ISMS boundaries — mapping systems, locations, business units, and data flows subject to the standard.
We assess your current posture against all 93 Annex A controls and deliver a risk-ranked findings report with a clear action roadmap.
We build your complete documentation suite — policies, procedures, risk treatment plan, and Statement of Applicability — written for your organisation, not from templates.
We work directly with your engineering and IT teams to implement required controls — access management, monitoring, and incident response workflows.
We conduct a structured internal audit mirroring the certification body's approach and resolve all findings before the external assessment begins.
We prepare your ISMS for Stage 1 and Stage 2 — and stay present throughout both, managing the certification body relationship directly.
We support annual surveillance audits and ISMS management reviews across the full three-year certificate cycle.
One team manages scoping to certificate — no vendor coordination, no handoff gaps, no generalist consultants.
Every engagement is led by IRCA and Exemplar Global credentialled auditors with direct experience across SaaS, fintech, healthcare, and enterprise tech.
We operate across the US, India, UAE, Singapore, and Europe — understanding certification body expectations in every market you work in.
Quoted after a scoping call. No hourly billing, no scope creep surprises. One number, delivered against.
Parallel workstreams and focused methodology keep your certification timeline tight without cutting corners on substance.
Surveillance audits, ISMS reviews, and improvement advisory — we stay engaged across the full certificate cycle.
93 controls selected and documented through your Statement of Applicability — covering every layer of your organisation's security posture.
Security policies, roles, asset management, supplier relationships, and incident management. The management foundation every ISO 27001 audit begins with.
Screening, awareness training, and employment lifecycle responsibilities. Your workforce is your first line of defence — and your most significant risk surface.
Protection of premises, equipment, and physical media from unauthorised access, damage, and environmental threats.
Access management, encryption, network security, vulnerability management, and monitoring. For cloud-native businesses, this is where the heaviest implementation work sits.
Everything required to achieve and maintain certification — no hidden extras.
"We needed ISO 27001 to close a contract with a European financial services client who wouldn't move forward without it. Norvex Assurance built our ISMS from scratch, got us audit-ready in 10 weeks, and we certified on the first attempt. That single contract paid for the entire engagement three times over."
Chief Technology Officer
B2B SaaS Platform — Series B
"Our internal team had tried to implement ISO 27001 using an automation tool and a few templates. After six months, we had a pile of documents and no clear path to certification. Norvex Assurance came in, restructured our approach, closed every gap, and got us certified in 14 weeks. We should have called them first."
VP of Engineering
Cloud Infrastructure Provider — Series A
"Operating across Singapore, India, and the US, we needed an ISO 27001 partner who understood multi-region complexity. Norvex Assurance scoped our ISMS across all three locations, managed the certification body relationship, and made the entire process feel structured rather than overwhelming. Our board was impressed."
Head of Compliance
HealthTech Company — Singapore HQ