INTERNATIONAL · ISO/IEC 27001:2022

ISO 27001, the management system you'll actually maintain.

Build the ISMS, run it through PDCA, prove it to your certifier — without dragging a 90-page binder into Monday standups. Every Annex A control mapped to the evidence your auditor wants.

At a glance
  • Owner · ISO + IEC (Geneva)
  • Version · 27001:2022 + 27002:2022
  • Structure · Clauses 4–10 + Annex A (93 controls)
  • Cycle · 3-year cert + annual surveillance
  • Cybereen status · Live coverage
WHAT IT IS

An information security management system — not a checklist.

ISO/IEC 27001 is the world's most widely adopted certifiable standard for information security. It's how you prove — to customers, regulators, and procurement teams — that you run security as a system, not a side-of-desk job.

The standard is split in two. Clauses 4–10 describe the management system itself: scope, leadership, risk treatment, monitoring, continual improvement. Annex A lists 93 candidate controls grouped into four themes — you pick which apply and explain why, in a document called the Statement of Applicability.

Certification is granted by an accredited body after a two-stage audit. After that you live on a three-year cycle — annual surveillance audits, full recertification at year three. The 2022 revision is mandatory: transition from 27001:2013 closes 31 October 2025.

The honest version: The hardest part of ISO 27001 isn't the controls. It's keeping the ISMS alive between audits — running risk reviews, logging management decisions, evidencing internal audits. That's what most teams underestimate, and what Cybereen runs for you.
THE ISMS LIFECYCLE

Plan · Do · Check · Act. Run it on a 12-month clock.

ISO 27001 is built around the Plan-Do-Check-Act cycle. Cybereen schedules every step, reminds the right owner, and keeps the audit trail in one place.

PLAN

Scope, risk, treat.

Define what's in the ISMS, run risk assessment, decide which Annex A controls apply, write the Statement of Applicability.

  • Scope statement
  • Risk register
  • Statement of Applicability
CHECK

Monitor & review.

Internal audit, management review, KPI tracking. The auditor wants to see this happening throughout the year — not back-dated the night before.

  • Internal audit log
  • Management review minutes
  • Control KPI dashboard
ACT

Improve.

Close nonconformities, capture lessons, update risk treatment. Continual improvement isn't a slogan — it's clause 10, and certifiers test it.

  • NCR register
  • Corrective actions tracked
  • Improvement opportunities log
ANNEX A · 2022

93 controls. Four themes. All mapped.

The 2022 revision collapsed 114 controls into 93, regrouped into four themes. Cybereen tracks every one — with the evidence ask, policy template, and SoA justification.

A.5
Organisational controls

Policies, roles, supplier security, asset management. The "who-decides-what" layer.

37 controls · SoA-heavy
A.6
People controls

Screening, terms of employment, awareness, disciplinary process. Pre-, during-, and post-employment.

8 controls · HR-owned
A.7
Physical controls

Premises, secure areas, equipment, clear desk/screen, environment monitoring. The doors, locks, and cameras.

14 controls · Facilities-owned
A.8
Technological controls

Access management, crypto, secure dev, network security, logging, vulnerability management. The biggest theme.

34 controls · IT/Sec-owned
Controls AU auditors dig into hardest
A.5.7
Threat intelligence

New in 2022. Show you systematically collect threat info and feed it into risk reviews.

Quarterly digest
A.5.23
Cloud services security

New in 2022. Treat cloud as supplier risk — agreements, exit plans, shared responsibility documented.

Cloud usage policy
A.8.12
Data leakage prevention

New in 2022. Tooling + policy preventing unauthorised data exfiltration. DLP rules and exceptions register.

DLP rule list
A.8.28
Secure coding

New in 2022. Build-time guardrails — code review, SAST, dependency hygiene — evidenced from your CI.

CI export
  • Policy — template + signature workflow
  • Evidence — collected per control, dated, audit-trailed
  • Auto-mapped to ISO 27002:2022 implementation guidance
INSIDE CYBEREEN

One ISMS dashboard. Every clause, every control.

From your Statement of Applicability to your management review minutes — Cybereen runs the operating rhythm and produces the documents your certifier expects.

  • Statement of Applicability — live, generated from your control selections + justifications.
  • Risk register — inherent and residual scores, treatment plan, next-review dates.
  • Management review pack — auto-assembled, clause 9.3 inputs covered, exportable to PDF.
  • Internal audit programme — scheduled, evidenced, NCRs tracked to closure.
  • Cross-framework reuse — your ISO evidence pre-fills SOC 2, NIST CSF, and Essential Eight.
Screenshot: Cybereen ISO 27001 — Statement of Applicability and Annex A control library across all four themes
COMMON MISTAKES

Three places ISO 27001 audits go sideways.

Patterns Cybereen sees on first-time certifications, and the one-line fix for each.

Mistake 01

Saying yes to every Annex A control.

Selecting all 93 controls "to be safe" doesn't impress the auditor — it tells them you haven't done risk-based scoping. A well-justified exclusion is stronger than a blanket inclusion.

Fix: Justify each include and exclude in the SoA, tied to a risk.
Mistake 02

Treating the ISMS as a binder.

Auditors aren't testing the PDF you wrote 18 months ago. They're testing whether it's alive — minutes, decisions, training records, audit logs from this quarter.

Fix: Run management review every quarter, not annually.
Mistake 03

Skipping the internal audit.

Clause 9.2 mandates an internal audit by competent, independent personnel before your external one. A back-dated checkbox here is the fastest way to a major nonconformity.

Fix: Use Cybereen's internal audit template + an external reviewer.
ISO 27001 FAQ

Questions before you start your transition.

If yours isn't here, the trial form has a free-text field — answers go in the next page revision.

How long does first-time certification take?
For a 50–250-person org starting from scratch: 6–9 months typical, of which 3–4 months are implementation and the rest is the documentation cycle, internal audit, and waiting on the external certifier. Cybereen compresses the implementation half — most of the timeline is regulated by your certifier's calendar, which we can't speed up.
We're on 27001:2013 — do we have to transition?
Yes. The transition period to 27001:2022 closes on 31 October 2025. After that, 2013 certificates are not recognised. Cybereen runs the gap analysis automatically — we'll show you the 11 new controls and the merged/retired ones in a single side-by-side report.
Do we need ISO 27002 as well?
27001 is the certifiable standard (requirements + Annex A). 27002 is the implementation guidance — the "how" behind each Annex A control. You don't certify against 27002, but you'll want it open on your desk. Cybereen embeds the 27002:2022 guidance text against every control, so you don't need a separate copy.
How does Cybereen handle the Statement of Applicability?
The SoA is generated live from your control selections, justifications, and implementation status. Every change is versioned and dated — when your certifier asks "when did you decide A.5.7 was applicable?", the audit trail answers immediately. Export is a one-click PDF, or a read-only link for your certifier.
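As an added illustration of the SoA behaviour described in this answer, and of the Mistake 01 fix above (every include and exclude justified and tied to a risk), the following Python sketch shows a minimal versioned Statement of Applicability with an append-only audit trail. It is example code written for this page, not Cybereen's implementation. The control ids are real ISO/IEC 27001:2022 Annex A identifiers (A.5.7, A.8.12 from this page; A.7.8 and A.8.8 from the standard); the risk ids, justifications, dates and names are constructed sample data.

```python
"""Minimal versioned Statement of Applicability (SoA) with an audit trail.

Two properties from the page are enforced:
  1. every include/exclude decision carries a justification and is tied to
     at least one entry in the risk register (the Mistake 01 fix);
  2. decisions are never overwritten, only superseded, so "when did you
     decide A.5.7 was applicable?" is answered from the history.
Added example, not Cybereen's code. Sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Decision:
    """One dated include/exclude decision for a single Annex A control."""
    control: str            # Annex A control id, e.g. "A.5.7"
    applicable: bool
    justification: str
    risk_ids: tuple         # risk-register ids this decision is tied to
    decided_on: date
    decided_by: str


class StatementOfApplicability:
    def __init__(self, risk_register: Dict[str, str]):
        self._risks = dict(risk_register)      # risk id -> description
        self._history: List[Decision] = []     # append-only audit trail

    def decide(self, control: str, applicable: bool, justification: str,
               risk_ids: Sequence[str], decided_on: date, decided_by: str) -> Decision:
        # Both includes and excludes need a justification tied to a known risk.
        if not justification.strip():
            raise ValueError(f"{control}: every include and exclude needs a justification")
        if not risk_ids:
            raise ValueError(f"{control}: decision must be tied to at least one risk")
        unknown = sorted(set(risk_ids) - self._risks.keys())
        if unknown:
            raise ValueError(f"{control}: risk ids not in register: {unknown}")
        decision = Decision(control, applicable, justification.strip(),
                            tuple(risk_ids), decided_on, decided_by)
        self._history.append(decision)   # never edit or delete earlier entries
        return decision

    def _chronological(self) -> List[Decision]:
        return sorted(self._history, key=lambda d: d.decided_on)  # stable sort

    def current(self) -> Dict[str, Decision]:
        """The SoA as it stands today: the latest decision per control."""
        latest: Dict[str, Decision] = {}
        for d in self._chronological():
            latest[d.control] = d
        return latest

    def history(self, control: str) -> List[Decision]:
        """Every decision ever recorded for one control, oldest first."""
        return [d for d in self._chronological() if d.control == control]

    def first_made_applicable(self, control: str) -> Optional[date]:
        """The certifier's question: when was this control decided applicable?"""
        for d in self._chronological():
            if d.control == control and d.applicable:
                return d.decided_on
        return None

    def looks_like_blanket_inclusion(self) -> bool:
        """Mistake 01 smell: everything applicable with one copy-pasted reason."""
        cur = list(self.current().values())
        return bool(cur) and all(d.applicable for d in cur) \
            and len({d.justification for d in cur}) == 1


def build_sample_soa() -> StatementOfApplicability:
    """Constructed sample: a small register and a few dated decisions."""
    risks = {
        "R-04": "Internet-facing app exploited via a known, unpatched weakness",
        "R-07": "Emerging threat to our SaaS stack goes unnoticed",
        "R-12": "Theft of equipment from an office",
        "R-15": "Customer data leaves via email or cloud sharing",
    }
    soa = StatementOfApplicability(risks)
    d0 = date(2024, 3, 4)
    soa.decide("A.5.7", True, "Threat feeds reviewed in quarterly risk review", ["R-07"], d0, "CISO")
    soa.decide("A.8.12", False, "No DLP tooling yet; R-15 accepted pending budget", ["R-15"], d0, "CISO")
    soa.decide("A.7.8", False, "Fully remote, no company premises; R-12 rated low", ["R-12"], d0, "CISO")
    soa.decide("A.8.8", True, "Monthly vulnerability scans of internet-facing assets", ["R-04"], d0, "Head of IT")
    # A later decision supersedes the A.8.12 exclusion; the original stays in history.
    soa.decide("A.8.12", True, "DLP rules deployed on email and file sharing", ["R-15"], date(2024, 9, 16), "CISO")
    return soa


if __name__ == "__main__":
    soa = build_sample_soa()
    for control, d in sorted(soa.current().items()):
        print(f"{control:7} {'applicable' if d.applicable else 'excluded  '} "
              f"{d.decided_on} {d.decided_by}: {d.justification}")
    print("A.5.7 first applicable on:", soa.first_made_applicable("A.5.7"))
    print("A.8.12 history length:", len(soa.history("A.8.12")))
```

The point of the append-only list is that `current()` and `history()` are both derived views over the same record, so a status change never loses the date and justification of the decision it replaced; a real implementation would persist the trail and sign or hash each entry, which this sketch omits.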
Which certification bodies do you work with?
Cybereen is certifier-agnostic. The reports and evidence we produce have been used in successful audits with the major IAF-accredited bodies operating in AU/NZ — including BSI, SAI Global, BV, DNV, and Lloyds. You pick your certifier; we produce what they ask for.
How does ISO 27001 relate to SOC 2 or Essential Eight?
Significant overlap. The same control evidence — MFA, patching, access reviews, backups — supports ISO Annex A, SOC 2's Security TSC, and 6 of the 8 Essential Eight mitigations. Cybereen's cross-framework reuse answers each evidence ask once and maps it everywhere — typically ~3× saving on evidence collection.

Get a defensible Statement of Applicability in a week.

Pick your controls, justify your exclusions, attach the policies. Cybereen does the document plumbing — you keep the security decisions. Free trial, no card.
