ISO certification doesn’t have to take a year.
Most teams treat ISO 27001 like a one-off project: the controls library is built from scratch, evidence is chased by email, and every surveillance audit feels like the original audit again. RiskWatch keeps the ISMS alive between audits so surveillance is confirmation, not re-litigation. The Statement of Applicability writes itself.
- All 93 Annex A 2022 controls + ISO 27002:2022 guidance
- Risk treatment + Statement of Applicability auto-generation
- Year-round evidence collection · audit-pack export in 2 clicks
- For compliance leads: certification body + surveillance-audit ready
What is ISO 27001 compliance software?
Surveillance audits stop feeling like the original audit again. RiskWatch keeps the ISMS alive between certifications — the 93 Annex A controls stay scored continuously, the Statement of Applicability writes itself from your control changes, and evidence is captured year-round so the certification body finds a paper trail, not a panic. 8–16 weeks to first certification vs the 6–12 months your last manual ISMS took.
The 93 controls are the easy part. Scoping the ISMS is what kills certification timelines.
ISMS managers we talk to are running their first or second cycle, with 50–500 employees and an auditor breathing down their neck. The pain isn't writing policies — it's the three things every ISO 27001 implementation guide warns about. Here's what that costs.
Scope too narrow misses critical systems. Too broad and you fail Stage 1.
The single most common reason ISO 27001 implementations stall is scope. The ISMS scope wizard walks you through context (Clause 4), interested parties (Clause 4.2), and boundary-setting, and flags the scoping decisions auditors will challenge before they cost you a Stage 1 finding.
8–15 hours/week writing policies. Auditors detect copy-paste in 30 seconds.
Small teams burn the equivalent of a quarter-time employee just maintaining ISO documentation. Policy library tailored to your scope — context-aware Smart Builder fills in your org name, scope statement, and control selection. Not the generic Word doc.
Stage-1 audit was a fire drill. Surveillance audit is going to be too.
ISO 27001 is a continuous-improvement standard. Most teams treat it like a one-time project. Continuous control monitoring + quarterly reassessment per Annex A theme + management review (Clause 9.3) running on autopilot — the surveillance audit becomes a 3-day walkthrough.
Every module an ISMS program needs — in one platform.
Sixteen modules sharing the Annex A control library, evidence vault, and audit trail. Built around the ISMS lifecycle so Stage 1 readiness, Stage 2 certification, and surveillance audits all read from the same source of truth.
- Annex A coverage at a glance: Per-theme compliance %, top open SoA gaps, surveillance-audit countdown, evidence freshness, management-review status.
- All 93 controls · ISO 27002:2022 guidance: 4 themes (A.5 Organizational, A.6 People, A.7 Physical, A.8 Technological) with implementation guidance from ISO 27002:2022.
- Avoid the over-/under-scope trap: Walk through Clause 4 context, Clause 4.2 interested parties, and boundary-setting. Flag scope decisions auditors challenge.
- Auto-generated from your controls: SoA per Clause 6.1.3(d) auto-generates from control applicability + justification + implementation status. Versioned, exportable.
- Clause 6.1.2 + 8.2 risk treatment: Risk identification, analysis, evaluation, treatment options. Maps risks to Annex A controls automatically per ISO 27005.
- Context-aware, not template copy-paste: 12+ policies tailored to your scope, name, control selection. Smart Builder fills in org context, not the generic Word doc.
- Quarterly cadence per Annex A theme: Continuous control monitoring + quarterly reassessment. Surveillance audit becomes a walkthrough, not a fire drill.
- Auditor-ready by design: Evidence linked to controls, controls to clauses. Stage-1 + Stage-2 + surveillance audits all draw from the same vault.
- Audit programme + plans + reports: Schedule internal audits per Clause 9.2. Capture findings, corrective actions, and the audit programme that the certification body will review.
- Clause 9.3 on autopilot: Quarterly management-review packs auto-assembled with KPI trends, audit results, and risk register changes, so the Clause 9.3 inputs are ready.
- ISO 27001 + SOC 2 + HIPAA + NIST CSF + PCI: Each Annex A control maps to SOC 2 trust services, HIPAA §164 sections, NIST CSF subcategories, PCI DSS requirements.
- Per-employee training tracked: Schedule, deliver, attest. A.6.3 awareness/training/education evidence per employee. Auditor sees per-person history.
- Quarterly automated reviews: A.5.18 access rights reviews automated from Okta/AD/Azure. Attestation tracking. Evidence per review cycle.
- "Who closed A.8.16?" answered instantly: Timestamped log of every control score, evidence upload, SoA change, management-review decision. Admissible for surveillance audit.
- Major + minor + observations: Capture audit findings, root cause, correction, corrective action. Track to closure with evidence, so Clause 10.2 is satisfied.
- Import 100 systems in 5 minutes: Bulk import asset register, system inventory, prior assessments. CSV + API sync. Customize fields without IT.
4 themes. From 14 control categories to 4.
The 2022 revision restructured Annex A from 14 categories into 4 themes — Organizational (37 controls), People (8), Physical (14), Technological (34) — and added 11 new controls covering threat intelligence, cloud security, monitoring, secure development, and data leakage. RiskWatch ships with all 93 controls, the ISO 27002:2022 implementation guidance per control, and the 5 control attributes (control type, info security properties, cybersecurity concepts, operational capabilities, security domains) for filtering and reporting.
- A.5 Organizational (37 controls) — policies, roles, governance, supplier mgmt, threat intel, business continuity, legal & regulatory
- A.6 People (8 controls) — screening, terms of employment, awareness/training/education, disciplinary, remote working, NDA
- A.7 Physical (14 controls) — physical perimeters, entry, monitoring, equipment, secure disposal, environmental threats
- A.8 Technological (34 controls) — user endpoint, privileged access, identity, secure development, monitoring, cryptography, web filtering
- 11 new controls in 2022 — A.5.7 threat intelligence, A.5.23 cloud services, A.5.30 ICT readiness, A.7.4 physical monitoring, A.8.9 config mgmt, A.8.10 information deletion, A.8.11 data masking, A.8.12 DLP, A.8.16 monitoring, A.8.23 web filtering, A.8.28 secure coding
ISO 27001 + SOC 2 + HIPAA + PCI + NIST.
Most teams running ISO 27001 also need SOC 2 (US enterprise customers), HIPAA (healthcare verticals), or PCI DSS (payment flows). RiskWatch maps every Annex A control to its counterpart in those frameworks so a single evidence set satisfies multiple audits. Customers running ISO 27001 + SOC 2 simultaneously typically reduce combined audit prep by 60% by starting from a complete Annex A scoring.
- SOC 2 trust services — A.5.16 ↔ CC6.1, A.8.16 ↔ CC7.2, A.5.30 ↔ A1.2 — full Common Criteria mapping
- HIPAA Security Rule — for healthcare orgs — A.5.16 ↔ §164.312(a), A.8.24 ↔ §164.312(e)(2)(ii)
- PCI DSS v4.0.1 — for payment-handling — A.5.15 ↔ Req 7, A.8.5 ↔ Req 8.3, A.8.16 ↔ Req 10.4
- NIST CSF 2.0 — Annex A controls mapped to Govern/Identify/Protect/Detect/Respond/Recover functions
- ISO 27017 + 27018 — cloud-extension standards layered on the ISO 27001 base for cloud service providers
Plan · Do · Check · Act.
- Plan: Context, scope, leadership, planning, risk assessment, SoA, support
- Do: Operational planning, risk treatment, control implementation
- Check: Monitoring, internal audit (9.2), management review (9.3)
- Act: Nonconformity, corrective action, continual improvement
From scoping to certified in five stages.
Most teams complete Stage 1 readiness in 8–12 weeks. The Stage 2 certification audit follows in 4–8 weeks. Surveillance audits run annually — and with continuous monitoring, they're a walkthrough, not a fire drill.
- Scope the ISMS: The ISMS scope wizard walks through Clause 4 context, interested parties, and boundary-setting. Avoid the over-/under-scoping trap.
- Risk assessment + SoA: Identify risks and treat them per Clause 6.1.2/8.3. SoA auto-generated from control applicability + implementation status per Clause 6.1.3(d).
- Implement + evidence: Implement Annex A controls, capture evidence, run the internal audit (Clause 9.2) and management review (9.3). Stage 1 audit-ready.
- Stage 2 + surveillance: Stage 2 certification audit in 4–8 weeks. Continuous control monitoring keeps the ISMS operating between annual surveillance audits.
- Certified · maintained: ISO 27001 certificate issued by an accredited registrar. 3-year cycle with annual surveillance audits, driven from the same evidence vault.
The Stage 2 audit that stopped requiring 6 months of consulting.
Real ISMS managers. Real Stage 1 → Stage 2 timelines. Real surveillance audits that didn't require a war room.
“The ISMS scope wizard alone saved us a Stage 1 nonconformity. We caught two systems we'd under-scoped before the auditor ever opened our SoA.”
“Smart Policy Builder caught what auditors would have flagged. Templates from previous tools read like Word docs from 2018 — these read like our org wrote them.”
“Cross-mapping is the only reason we run ISO 27001 + SOC 2 + HIPAA simultaneously with a 3-person GRC team. Same evidence, three audits.”
“Surveillance audit went from a 4-week scramble to a 3-day walkthrough. The continuous-monitoring evidence was already there — we just printed it.”
Plus every framework you run alongside ISO 27001 — cross-mapped.
Score one Annex A control, satisfy SOC 2, HIPAA, PCI DSS, NIST CSF, and ISO 27701 simultaneously. Customers running ISO 27001 + SOC 2 in parallel reduce combined audit prep by 60%.
Take RiskWatch home before you sign anything.
Three downloads. Use them to evaluate, share with your auditor or registrar, or build the ISO 27001 readiness business case.
ISO 27001:2022 Annex A Checklist (93 controls)
Forty-four pages walking all 93 Annex A 2022 controls with ISO 27002:2022 implementation guidance, the 5 control attributes per control, and a per-theme scoring worksheet. Includes the 11 new controls added in 2022.
- All 93 Annex A 2022 controls
- ISO 27002 implementation guidance
- 11 new 2022 controls highlighted
ISO 27001 SoA + Scope Workbook
Statement of Applicability template per Clause 6.1.3(d) with all 93 controls + applicability flag + justification + implementation status. Plus the ISMS Scope Workbook covering Clause 4 context and Clause 4.2 interested parties.
- SoA template (Clause 6.1.3(d))
- ISMS Scope Workbook (Clauses 4 + 4.2)
- Risk treatment plan worksheet
ISO 27001 Platform Buyer's Guide
Vendor scorecard, Vanta-vs-Drata-vs-Scytale-vs-RiskWatch comparison, automation depth, certification-timeline benchmarks, multi-framework support, pricing.
- Feature matrix · 6 vendors
- Certification timeline benchmarks
- Pricing benchmarks
Common questions, answered up front.
About ISO 27001:2022, Annex A controls, ISMS scoping, the Statement of Applicability, certification timelines, and how RiskWatch covers all of them.
- What is ISO 27001 compliance software?
- How long does ISO 27001 certification actually take?
- How do you scope an ISO 27001 ISMS correctly?
- What changed in ISO 27001:2022 vs ISO 27001:2013?
- What is a Statement of Applicability (SoA)?
- ISO 27001 vs SOC 2: which should we pursue first?
- Does the platform support ISO 27001 + SOC 2 + HIPAA simultaneously?
- Is there a free trial?
Run your ISMS scope wizard this week.
Start a 30-day free trial — every Annex A 2022 control, ISO 27002 guidance, the ISMS scope wizard, SoA generation, Smart Policy Builder, and cross-framework mapping. No credit card required.
No credit card required · 30-day free trial · Cancel anytime