ISO 27001 is the only framework in the Atlas that issues a certificate — a binary outcome from an accredited body operating to its own ISO standard. Most teams treat ISO 27001 as "Annex A controls plus paperwork." The certification body sees the inverse: a management system whose Annex A is merely the toolkit.
The CB is itself accredited under ISO/IEC 17021-1 by a national body (UKAS, ANAB, RvA). The discipline runs three years deep: Stage 1 + Stage 2, then surveillance years 1 and 2, then recertification at year 3.
The audit is of the management system, not the controls. Most teams think ISO 27001 means "implement Annex A's 93 controls." Wrong question. The CB audits whether your ISMS — your governance, risk management, internal audit, management review, and continual improvement processes — actually operates. Annex A is the output. A team with weak ISMS but strong individual controls fails. A team with disciplined ISMS but pragmatic Annex A choices passes.
Stage 1 is not a formality. Stage 1 reviews your documented ISMS — scope, policy, risk assessment, SoA, internal audit results, management review records — and tells you whether you're ready for Stage 2. Most teams treat it as a paperwork check; experienced auditors use it to flag every weakness in advance. If Stage 1 raises 8 findings, expect Stage 2 to raise more. The correct response to Stage 1 findings is full remediation, not "we'll address it during Stage 2."
Surveillance audits change focus year-over-year. Year 1 typically tests Cl. 4–10 + about a third of your in-scope Annex A controls. Year 2 covers a different third (with mandatory clauses always re-tested). Year 3 is the recertification audit — full scope re-examined, like a smaller Stage 2. The CB's audit plan rotates, but Cl. 9 (performance evaluation) and Cl. 10 (improvement) are always tested. Don't let your internal audit program lapse between certifications.
The 2022 transition deadline (October 31, 2025) has passed. Any organization still on ISO 27001:2013 is now uncertified — their certificate is invalid. The 2022 update reorganized 114 controls in 14 categories into 93 controls in 4 themes (Organizational, People, Physical, Technological), introduced 11 new controls, and merged or replaced others. Treat any reference to "Annex A.5–A.18" as legacy; the current map is "A.5–A.8" by theme.
Treating Clauses 4–10 as overhead. Teams new to ISO 27001 build a control library against Annex A and consider themselves done. Then Stage 1 raises a finding on Cl. 4.3 (scope), another on Cl. 6.1.2 (risk methodology), another on Cl. 9.2 (no internal audit). The CB doesn't audit Annex A in isolation — it audits whether your process for selecting, implementing, and verifying Annex A actually exists.
The 11 new 2022 controls are not optional. Threat intelligence (A.5.7), ICT readiness for BC (A.5.30), data masking (A.8.11), DLP (A.8.12), monitoring activities (A.8.16), web filtering (A.8.23), secure coding (A.8.28), and configuration management (A.8.9) — these are the controls cloud-native organizations actually need and where 2013-era programs are weakest. Auditors are explicitly looking for evidence here in 2024–2026 audits because the transition is fresh.
The themes are not equally weighted in audit time. A.5 (Organizational, 37 controls) and A.8 (Technological, 34) account for 60–70% of audit time. A.6 (People, 8) and A.7 (Physical, 14) are simpler and faster — though A.7 frequently gets marked "not applicable" by cloud-only organizations, which the auditor will challenge if your customers' data ever sits in offices, on laptops, or on physical media.
The SoA is treated as a checkbox. Many teams produce an SoA listing 93 controls with one-line "applicable / yes" justifications. That fails Stage 2. Each entry must explain which risk the control treats, where the policy lives, how the control operates, and what evidence demonstrates it. The SoA is a 50–100 page document, not a spreadsheet. It is the most-read artifact in the audit.
Internal audit done late or by the wrong person. Cl. 9.2 requires that internal audits be performed by competent, objective auditors. A junior employee auditing their own manager fails. Many small organizations hire an external consultant for internal audits — entirely valid, often advisable. What's not valid is having no internal audit before Stage 2, or running it the week before the CB shows up. Auditors look for trend data — internal audit findings improving over multiple cycles is itself evidence of a working ISMS.
Management review without management. Cl. 9.3 requires top management to participate. "Top management" means the people accountable for the organization's overall direction — typically CEO, CTO, or equivalent, not the head of security. Meeting minutes signed only by the CISO with no top-management presence is a near-certain finding. Look for the agenda, attendees, decisions, and resource commitments.
Risk methodology is the silent killer. Cl. 6.1.2 requires you to define the risk assessment methodology — the criteria, the scale, the owners, the cycle. Many teams skip this and dive into the assessment, then the auditor asks "how did you decide this risk is High?" and there's no documented answer. Define methodology first; assessment second. The methodology document is short (often 5–10 pages) but mandatory.
| ISO 27001 domain | SOX | SOC 2 (TSC) | NIST CSF 2.0 | PCI DSS v4.0.1 | HIPAA | HITRUST v11 | Shared evidence |
|---|---|---|---|---|---|---|---|
| Cl. 4 — Context of organization | ELC · scoping memo |
CC1.1 |
GV.OC |
Req 12.5 |
§164.306 |
00.a |
Org context document, interested parties register, ISMS scope statement |
| Cl. 5 — Leadership | ELC · tone-at-top |
CC1.2 · CC1.3 |
GV.RR |
Req 12.4 |
§164.308(a)(2) |
02.a |
Info sec policy, leadership communications, role/RACI |
| Cl. 6.1 — Risk mgmt | ELC · risk assessment memo |
CC3.1 – CC3.4 |
GV.RM · ID.RA |
Req 12.3 |
§164.308(a)(1)(ii)(A) |
03.a · 03.b |
Risk methodology, risk register, treatment plan, SoA |
| Cl. 9.2 — Internal audit | Internal Audit function | CC4.1 |
ID.IM |
Req 12.10 |
§164.308(a)(8) |
06.h |
Audit programme, auditor competence records, findings log |
| Cl. 9.3 — Mgmt review | AC oversight | CC4.2 |
GV.OV |
Req 12.4.1 |
§164.308(a)(1)(ii)(D) |
06.h |
Mgmt review minutes, decisions log, action items |
| A.5.15–A.5.18 — Access control | ITGC — Access |
CC6.1 – CC6.3 |
PR.AA-01 · PR.AA-05 |
Req 7 · Req 8 |
§164.308(a)(3) · §164.308(a)(4) |
01.b · 01.c · 01.v |
JML tickets, UAR exports, IAM config, MFA enforcement |
| A.5.19–A.5.23 — Supplier mgmt | ITGC + BPC · TPRM |
CC9.2 |
GV.SC |
Req 12.8 · Req 12.9 |
§164.308(b) · BAAs |
05.k |
Vendor inventory, due-diligence pkg, contracts, vendor SOC 2s |
| A.5.24–A.5.28 — Incident mgmt | BPC · ITGC ops |
CC7.3 – CC7.5 |
RS.MA · RS.AN |
Req 12.10 |
§164.308(a)(6) |
11.a – 11.c |
Incident tickets, post-incident reports, comms log |
| A.5.29 / A.5.30 — BC & ICT readiness | BPC · resilience | A1.2 · A1.3 |
RC.RP · RC.CO |
Req 12.10 |
§164.308(a)(7) |
12.b · 12.c |
BIA, BCP/DRP, last-test report, RTO/RPO documentation |
| A.6.3 — Awareness & training | ELC · COSO Comp.4 |
CC1.4 |
PR.AT-01 · PR.AT-02 |
Req 12.6 |
§164.308(a)(5) |
02.e · 02.f |
Completion reports, phishing test results, attestations |
| A.7 — Physical security | ITGC — Operations |
CC6.4 |
PR.AA-06 · PR.IR-02 |
Req 9 |
§164.310 |
08.b · 08.j |
Badge logs, CCTV retention, visitor records, asset disposal |
| A.8.2 — Privileged access | ITGC — Access |
CC6.1 · CC6.3 |
PR.AA-05 · PR.PS-01 |
Req 7.2 · Req 8.2 |
§164.308(a)(4) |
01.q · 01.v |
PAM logs, SoD ruleset, role-conflict report |
| A.8.7 — Malware protection | ITGC — Operations |
CC6.8 |
PR.PS-05 |
Req 5 |
§164.308(a)(5)(ii)(B) |
09.j |
EDR/AV deployment reports, scan logs, IOC alerts |
| A.8.8 — Vulnerability mgmt | ITGC — Operations |
CC7.1 |
ID.RA-01 · PR.PS-02 |
Req 6.3 · Req 11.3 |
§164.308(a)(1)(ii)(B) |
10.k · 10.m |
Scan reports, patch SLAs, exception register |
| A.8.16 — Monitoring activities (NEW) | ITGC — Operations |
CC7.1 · CC7.2 |
DE.CM-01 · DE.CM-09 |
Req 10 |
§164.312(b) |
09.aa |
SIEM rules, log retention config, alert tuning evidence |
| A.8.24 — Cryptography | ITGC — Operations |
CC6.1 · CC6.7 |
PR.DS-01 · PR.DS-02 |
Req 3 · Req 4 |
§164.312(a)(2)(iv) |
10.f · 09.s |
KMS config, TLS scan, cert inventory, key rotation logs |
| A.8.25–A.8.28 — Secure dev | ITGC — SDLC |
CC8.1 |
PR.PS-06 |
Req 6.2 · Req 6.3 |
— | 10.a · 10.b |
SAST/DAST reports, code review records, pen test report |
| A.8.32 — Change management | ITGC — Change |
CC8.1 |
PR.PS-06 |
Req 6.5 |
§164.308(a)(8) |
10.h |
Change tickets, CAB minutes, PR approvals, deploy logs |
ISO 27001's Annex A maps more cleanly to other frameworks than any other source in the Atlas. SOC 2's CC6 ↔ Annex A.5/A.8. NIST CSF's PR.AA ↔ A.5.15. PCI DSS Req 7 ↔ A.5.15/A.8.2. HIPAA's administrative safeguards ↔ A.5/A.6. HITRUST is essentially Annex A reorganized. Build to Annex A and you are 70%+ of the way to every other framework's controls.
What does not travel is the management system. Cl. 4–10 — context, leadership, risk, support, operation, performance, improvement — has no SOC 2 equivalent, no PCI DSS equivalent, only weak parallels in HITRUST. This is the part of ISO 27001 that takes the longest to mature and provides the least immediate reuse value to other audits. It is also the part that gives the certificate its credibility. Customers reading your ISO 27001 cert assume you run a real ISMS, not just a control library.
The dual ISO + SOC 2 strategy is the smart play. Roughly 70% control overlap, with a single evidence collection cycle. The CPA and CB do separate audits but draw from the same artifacts. Many service organizations run one combined readiness program and let two different external bodies form their respective opinions. The cost of doing both is ~1.4× the cost of doing one.