
ISO 27001 & 27002, ISMS-grade.

The international standard for an Information Security Management System. ISO 27001 is the certifiable spec; ISO 27002 provides the supporting control set. We build the ISMS, you take the certificate from the registrar.

What ISO 27001 actually requires.

ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The standard is risk-based: rather than mandating a fixed control list, it requires you to identify information security risks and apply controls that address them.

ISO/IEC 27002 is the companion guidance document. The 2022 revision restructured the control set into 93 controls across 4 themes (Organizational, People, Physical, Technological), replacing the older 114-control / 14-domain structure. Most organizations now reference 27002:2022.

Certification is an initial two-stage external audit by an accredited registrar (certification body): Stage 1 reviews the ISMS documentation and readiness, Stage 2 reviews implementation and operating effectiveness. The certificate is then valid for three years, with surveillance audits in years 1 and 2 and a recertification audit before the certificate expires at the end of year 3.

Organizational (37)

Policies, roles, supplier relationships, incident management.

People (8)

Screening, training, disciplinary process, working remotely.

Physical (14)

Physical security perimeter, equipment, environmental, secure disposal.

Technological (34)

User endpoint, access management, cryptography, secure development, monitoring.

When teams pursue ISO 27001.

ISO 27001 is voluntary, but it's the de facto international standard for vendor assurance. Common drivers:

What we implement.

An ISMS is a documented management system, not a checklist. The work is establishing the system, populating it with real controls, and operating it long enough to demonstrate effectiveness.

ISMS scope and context

Documented scope, interested parties, internal/external context. The first thing the registrar reads.

Risk assessment and treatment

Repeatable methodology, risk register, and a treatment plan that maps each treated risk to the Annex A controls selected. Statement of Applicability maintained, with a justification recorded for every control included or excluded.

Control implementation

The 93 Annex A controls of ISO 27001:2022 (detailed in 27002:2022) implemented, or formally excluded in the Statement of Applicability with documented rationale. Technical controls operated continuously, with evidence retained.

Internal audit program

Documented audit schedule, qualified auditors, findings tracked to closure. The registrar will ask to see this.

Management review

Documented quarterly or semi-annual reviews by leadership. Outputs feed risk treatment.

Continual improvement

Nonconformity tracking, corrective actions, opportunities for improvement. Demonstrates the system actually operates.

Who owns what.

On us

  • ISMS documentation drafting and maintenance
  • Technical control implementation and operation
  • Risk assessment facilitation and risk register
  • Internal audit execution (or coordination of independent internal auditors)
  • Evidence collection across the surveillance cycle
  • Coordination with the registrar during audits

On you

  • Selection and engagement of an accredited registrar
  • Executive sponsor and ISMS owner roles
  • Risk appetite and acceptance decisions
  • Policy approval and management review participation
  • Final responses to nonconformities
  • Certificate distribution to customers

Common pitfalls we see.

Documentation-heavy ISMS with thin operation.

Registrars notice when policies and procedures don't match what people actually do. We build the ISMS from operational reality, not from a template.

Stuck on the 2013 control set.

If your Statement of Applicability still references the old 114 controls in 14 domains, you're working from the 2013 edition. Certificates issued against ISO 27001:2013 have to transition to the 2022 edition by the IAF deadline of 31 October 2025. We move clients to 27001:2022 and the 27002:2022 control set as part of the engagement.

Scope set too broadly.

An ISMS scope covering the entire enterprise when only a SaaS product needs certification multiplies the audit effort. We scope tightly and grow it intentionally.

Internal audits that are pass-everyone exercises.

An internal audit that finds nothing makes the registrar suspicious. We treat internal audits as the rehearsal that catches issues before the surveillance audit does.

Related frameworks.

Frameworks that overlap or pair well with ISO 27001.

Schedule a call

Let's talk for 30 minutes.
No slides.

Bring your customer questionnaires, your current Statement of Applicability, or your last surveillance audit findings. We'll come back with a written gap analysis, and what it would cost to be ready.

  • 30-min discovery, no slide deck
  • Free written assessment, yours to keep
  • A clear proposal, no pressure

Or call us directly: 904-639-0003
