Why ISO 27001 Is the Standard That Scales Globally — and Why Most Implementations Fail
ISO/IEC 27001 is the most widely recognized international standard for information security management. Over 70,000 organizations across 150 countries hold current ISO 27001 certification. For MSPs and network engineering firms with international operations or enterprise clients with global operations, it’s increasingly a prerequisite — not a differentiator.
The standard doesn’t prescribe specific technical controls in the way that PCI DSS or HIPAA do. Instead, it requires organizations to build, implement, maintain, and continually improve an Information Security Management System (ISMS) — a systematic, risk-based approach to managing information security that fits the organization’s context. The certification demonstrates that the management system is real, documented, operating, and improving.
That flexibility is also why implementations fail. Organizations mistake ISO 27001 for a documentation project — generate the required policies, pass the audit, file the certificate. Certification bodies that issue certificates to organizations with paper ISMSs and no operational evidence are a problem in the industry. Sophisticated clients who require ISO 27001 are increasingly asking for more than the certificate — they want to see audit reports, nonconformity logs, and internal audit records.
If you’re an MSP or network engineering firm evaluating ISO 27001 certification, or a client evaluating a vendor’s ISO 27001 claim, this guide covers what a genuine implementation looks like and how to evaluate whether an organization actually has an ISMS or just a certificate.
The 2022 Revision: What Changed in ISO/IEC 27001:2022
ISO 27001 was significantly revised in 2022 (full title: ISO/IEC 27001:2022). If you’re building a new ISMS or renewing an existing certification, the 2022 version is the current standard. Key changes from the 2013 version:
Reduced number of controls: Annex A (the reference control set) was consolidated from 114 controls across 14 domains to 93 controls across 4 themes (Organizational, People, Physical, Technological). This is a reorganization and consolidation, not a reduction in security rigor.
11 new controls added: threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. Several of these were previously implied but not explicitly stated; the 2022 revision names them outright, so organizations that select them as applicable in the SoA must implement and evidence them.
Attribute tagging system: The 2022 revision introduced attribute tags for each control (#preventive, #detective, #corrective; #confidentiality, #integrity, #availability; etc.) to facilitate mapping controls to threat scenarios and frameworks like NIST CSF.
Transition timeline: The International Accreditation Forum (IAF) mandated that organizations certified under ISO 27001:2013 must transition to ISO 27001:2022 by October 31, 2025. Organizations beginning new certifications must use the 2022 version. If you’re evaluating a vendor’s ISO 27001 certificate, confirm it was issued or recertified under the 2022 version.
The ISMS Architecture: What You’re Actually Building
An ISMS is not a set of security controls. It’s a management system that applies to information security — with a defined structure, documented processes, and evidence of operation. ISO 27001 requires the following:
Understanding the Organization and Its Context (Clause 4)
Before implementing any controls, you must define:
- The internal and external issues that affect information security (regulatory environment, business context, technology landscape, threat landscape)
- The interested parties (customers, regulators, investors, suppliers) and their requirements
- The scope of the ISMS — exactly which assets, processes, locations, and organizational units are in scope
Scope definition is one of the most consequential decisions in an ISO 27001 implementation. Scope that’s too narrow produces a certificate that doesn’t cover the services clients care about. Scope that’s too broad creates audit obligations that overwhelm the organization. Practitioners working with MSPs typically recommend scoping to the services provided to clients — the managed services delivery infrastructure — rather than the entire business.
Leadership and Commitment (Clause 5)
ISO 27001:2022 requires demonstrated top management commitment — not delegated acknowledgment. This includes:
- An information security policy signed by leadership with actual organizational authority
- Defined roles and responsibilities (typically an Information Security Officer or equivalent)
- Integration of ISMS requirements into organizational processes
- Adequate resources for the ISMS
Certification auditors look for evidence that leadership is actually engaged — meeting minutes, management review records, resource allocation documentation. A policy signed by the CEO with no evidence of management review for 18 months is a finding.
Risk Assessment and Risk Treatment (Clauses 6 and 8)
This is the analytical engine of the ISMS. ISO 27001 requires a repeatable, documented risk assessment process:
Risk identification: For each asset in scope, identify threats and vulnerabilities that could compromise confidentiality, integrity, or availability. For MSPs, assets include customer data, management infrastructure, service delivery tools, personnel knowledge, and third-party dependencies.
Risk analysis and evaluation: Assess likelihood and impact for each identified risk combination. Determine risk levels and compare against risk acceptance criteria defined by management.
Risk treatment: For each risk that exceeds the acceptance threshold, select a treatment option:
- Risk modification — implement controls to reduce likelihood or impact (most common)
- Risk retention — accept the risk (requires documented management acceptance)
- Risk avoidance — exit the activity that creates the risk
- Risk sharing — transfer the risk (e.g., insurance, contractual transfer)
The Statement of Applicability (SoA) — required by ISO 27001 — documents which of the 93 Annex A controls are applicable, which are implemented, and the justification for any controls excluded from scope. The SoA is one of the most scrutinized documents during certification audits and must be current, accurate, and defensible.
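As an added example (not from the article), the following Python sketch turns the process above into a check an MSP could run against its own risk register and SoA before Stage 2: it scores each risk, lists the ones above the acceptance threshold, and flags treatment plans that cite controls the SoA excludes or has not implemented. The 1-5 scales, the threshold, and the Annex A control ids cited are assumptions; the register and SoA rows are constructed.

```python
# Added example, not from the article. Scale (1-5), threshold and control
# ids are assumptions; the register and SoA rows below are constructed.
ACCEPTANCE_THRESHOLD = 6  # assumed: likelihood x impact above this needs treatment

# Constructed risk register: one row per asset/threat pair in scope.
RISK_REGISTER = [
    {"id": "R1", "asset": "RMM platform", "threat": "stolen admin credentials",
     "likelihood": 4, "impact": 5, "treatment": "modify", "controls": ["8.2", "8.5"]},
    {"id": "R2", "asset": "client backups", "threat": "ransomware on backup server",
     "likelihood": 3, "impact": 5, "treatment": "modify", "controls": ["8.13", "8.7"]},
    {"id": "R3", "asset": "ticketing system", "threat": "vendor outage",
     "likelihood": 2, "impact": 2, "treatment": None, "controls": []},
    {"id": "R4", "asset": "internal scripts repo", "threat": "insecure code change",
     "likelihood": 3, "impact": 3, "treatment": "modify", "controls": ["8.28"]},
    {"id": "R5", "asset": "office Wi-Fi", "threat": "rogue device",
     "likelihood": 3, "impact": 3, "treatment": "retain", "controls": []},
]

# Constructed SoA excerpt: Annex A control id -> applicability, status, justification.
SOA = {
    "8.2":  {"applicable": True,  "implemented": True,  "justification": "privileged RMM access"},
    "8.5":  {"applicable": True,  "implemented": False, "justification": "MFA rollout in progress"},
    "8.7":  {"applicable": True,  "implemented": True,  "justification": "managed endpoints"},
    "8.13": {"applicable": True,  "implemented": True,  "justification": "client backup service"},
    "8.28": {"applicable": False, "implemented": False, "justification": "no software development"},
    "8.11": {"applicable": False, "implemented": False, "justification": ""},
}

def risk_level(risk):
    """Risk level = likelihood x impact on the assumed 1-5 scales."""
    return risk["likelihood"] * risk["impact"]

def risks_needing_treatment(register, threshold=ACCEPTANCE_THRESHOLD):
    """Ids of risks above the management-defined acceptance threshold."""
    return [r["id"] for r in register if risk_level(r) > threshold]

def check_consistency(register, soa, threshold=ACCEPTANCE_THRESHOLD):
    """Findings an internal audit should raise before the Stage 2 audit."""
    findings = []
    for r in register:
        if risk_level(r) > threshold and r["treatment"] is None:
            findings.append(f"{r['id']}: above threshold but no treatment selected")
        if r["treatment"] == "retain" and not r.get("accepted_by"):
            findings.append(f"{r['id']}: retained risk lacks documented management acceptance")
        for cid in r["controls"]:  # every cited control must be applicable and operating
            entry = soa.get(cid)
            if entry is None or not entry["applicable"]:
                findings.append(f"{r['id']}: cites control {cid} excluded from the SoA")
            elif not entry["implemented"]:
                findings.append(f"{r['id']}: control {cid} selected but not yet implemented")
    for cid, entry in soa.items():  # exclusions must be justified, not just asserted
        if not entry["applicable"] and not entry["justification"]:
            findings.append(f"SoA: control {cid} excluded without justification")
    return findings
```

On the constructed data this reports four findings, including a treatment plan that relies on 8.28 while the SoA excludes secure coding as "no software development", which is exactly the kind of inconsistency an auditor will probe.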
Annex A Controls: The 4 Themes in ISO 27001:2022
Organizational Controls (Controls 5.1–5.37, 37 controls)
Covers information security policies, roles and responsibilities, threat intelligence, information security in project management, supplier relationships, incident management, business continuity for information security, and legal/compliance requirements.
Notable for MSPs: Control 5.19 (Information security in supplier relationships), 5.20 (Addressing information security within supplier agreements), 5.21 (Managing information security in the ICT supply chain), and 5.22 (Monitoring, review, and change management of supplier services). Your ISMS must address how you assess, contract with, and monitor your own technology vendors — not just your clients’ security posture.
People Controls (Controls 6.1–6.8, 8 controls)
Covers screening (background checks), terms and conditions of employment, information security awareness and training, and responsibilities after termination. For MSPs: your workforce training program, background check policies, and offboarding processes with access revocation must be documented and evidenced.
Physical Controls (Controls 7.1–7.14, 14 controls)
Covers physical perimeters, physical entry controls, office and facility security, equipment security, and clear desk/clear screen policy. For MSPs with remote or distributed workforces, the physical controls for home office environments require specific policy treatment.
Technological Controls (Controls 8.1–8.34, 34 controls)
The most operationally intensive category for MSPs. Covers:
- User endpoint devices and privileged access rights
- Identity management, authentication, and access control
- Cryptography and key management
- Secure development and configuration management
- Protection from malware and backup
- Logging, monitoring, and clock synchronization
- Network security and web filtering
- New in 2022: data masking (8.11), data leakage prevention (8.12), information deletion (8.10), secure coding (8.28), cloud service security (8.25 context, 5.23 organizational)
The Certification Process: Three-Stage Audit
ISO 27001 certification is granted by accredited certification bodies (CBs) — third-party organizations accredited by national accreditation bodies (in the US, ANAB; in the UK, UKAS; globally, through IAF). Choosing an accredited CB is important — certificates from non-accredited bodies are not recognized as ISO 27001 certification.
Stage 1 Audit (Documentation Review)
The auditor reviews your ISMS documentation: scope, information security policy, risk assessment methodology, risk treatment plan, SoA, and key documented procedures. Stage 1 determines whether the ISMS is sufficiently designed and documented to proceed to Stage 2. Common Stage 1 findings: incomplete SoA, risk assessment methodology not documented, scope not clearly defined.
Stage 2 Audit (Implementation Verification)
The auditor conducts on-site (or remote) interviews with personnel, reviews evidence of control operation, and tests whether the ISMS is actually implemented as documented. This is where paper ISMSs fail — auditors probe for operational evidence, not just policy documents.
Common Stage 2 findings that delay certification:
- Internal audits not completed before Stage 2
- Management review not conducted before Stage 2
- No evidence of risk assessment having been performed (the template exists but was never populated)
- Controls documented but not implemented (e.g., access review policy exists but no access reviews have been conducted)
Surveillance and Recertification Audits
ISO 27001 certification is valid for 3 years, with annual surveillance audits in years 1 and 2, and a full recertification audit in year 3. Surveillance audits verify that the ISMS is being maintained and continuously improved. Failure to maintain the ISMS between audits results in suspension or withdrawal of certification.
The Implementation Roadmap: Realistic Timelines
For a small-to-mid-size MSP (20–100 employees) implementing ISO 27001:2022 for the first time:
Phase 1: Foundation (Months 1–2)
- Define scope, context, and interested parties
- Appoint Information Security Officer or assign responsibility
- Develop information security policy
- Select and engage an accredited certification body (early engagement allows pre-assessment input)
- Begin asset inventory
Phase 2: Risk Assessment and SoA (Months 2–4)
- Conduct asset-based risk assessment
- Complete risk treatment planning
- Draft Statement of Applicability
- Begin implementing high-priority risk treatment controls
- Develop required documented information (procedures for each applicable control)
Phase 3: Implementation and Evidence Generation (Months 4–7)
- Complete control implementation
- Begin generating operational evidence (access review records, training records, change management tickets, incident logs)
- Launch internal audit program
- Conduct management review
Phase 4: Certification Audit (Months 7–9)
- Stage 1 audit (typically 1–2 days)
- Remediate any Stage 1 nonconformities
- Stage 2 audit (2–4 days for small-mid organizations)
- Respond to findings; receive certification decision
Total realistic timeline: 7–12 months from project initiation to certification. Organizations that rush the risk assessment or skip the internal audit before Stage 2 typically add 3–6 months due to rework.
Common Misconceptions That Derail ISO 27001 Projects
“ISO 27001 is just a documentation exercise.”
Certification bodies accredited by ANAB or UKAS test operational evidence. If your access reviews, internal audits, and management reviews are all happening in the week before the Stage 2 audit, the auditor will notice. Genuine ISO 27001 certification requires the ISMS to be running — not just documented.
“We need to implement all 93 Annex A controls.”
You don’t. Annex A controls are applied based on risk assessment results. Controls that are not applicable (with documented justification) can be excluded from the SoA. An MSP with no software development activity can legitimately exclude secure development controls. The exclusion must be justified — not just asserted.
“Any ISO 27001 certificate is equivalent.”
Certificates from non-accredited certification bodies are not recognized as legitimate ISO 27001 certifications. Always verify that the certifying body is accredited through an IAF-member accreditation body. The IAF’s CertSearch database (iafcertsearch.org) allows verification of current certificates.
“Certification means we’re secure.”
ISO 27001 certifies that you have an operational ISMS that manages information security risk systematically. It does not guarantee the absence of vulnerabilities or the impossibility of a breach. Sophisticated clients understand this — they use ISO 27001 as evidence of a mature security management posture, not an absolute security guarantee.
Evaluating a Vendor’s ISO 27001 Claim
If you’re evaluating a vendor or MSP partner’s ISO 27001 status:
- Verify the certificate on the certification body’s registry or iafcertsearch.org
- Confirm the certification body is accredited — check against ANAB (US), UKAS (UK), or other IAF member body registries
- Check the certificate scope statement — what services, processes, and locations are covered?
- Confirm the standard version — ISO/IEC 27001:2022? Organizations still on 2013 after October 31, 2025 have lapsed compliance
- Check the expiry date — valid for 3 years from initial certification; annual surveillance audits must be current
- Ask for the SoA — this is not confidential and should be shared on request. It shows which controls are implemented and which are excluded with justification
FAQ
Q: What is the difference between ISO 27001 certification and ISO 27001 compliance?
A: “Compliance” is an informal claim that an organization follows ISO 27001 principles or maps to the standard. “Certification” means an accredited certification body has audited your ISMS and issued a formal certificate. Only certification is verifiable by third parties and recognized in enterprise procurement and regulatory contexts. Many organizations use “compliant” loosely — always ask whether they mean certified by an accredited CB.
Q: How much does ISO 27001 certification cost?
A: Costs depend on organization size, scope, and whether a consulting partner is engaged. For a small-to-mid MSP: readiness consulting ($20,000–$60,000), certification audit ($10,000–$25,000), and annual surveillance audits ($5,000–$15,000). Total first-year investment of $30,000–$85,000 is typical. Organizations with an existing compliance program (e.g., SOC 2 or NIST CSF) have lower readiness costs due to control overlap.
Q: Can ISO 27001 and SOC 2 be implemented simultaneously?
A: Yes, and the overlap is substantial. AICPA has published mapping documentation between the TSC Common Criteria and ISO 27001 controls. Organizations pursuing both typically implement a unified control framework, collect shared evidence, and conduct separate audits. The efficiency gain is significant — building both programs simultaneously costs less than building them sequentially.
Q: What is a nonconformity in an ISO 27001 audit?
A: A nonconformity is an auditor’s finding that a requirement of ISO 27001 is not being met — either because a required element is absent (e.g., no management review conducted) or because documented procedures are not being followed in practice. Major nonconformities (failure of a fundamental system requirement) must be resolved before certification can be granted. Minor nonconformities are documented findings that must be addressed before the next surveillance audit.
Q: Is ISO 27001 required for CMMC compliance?
A: No. CMMC is based on NIST SP 800-171, not ISO 27001. They share control concepts but are separate frameworks with separate compliance paths. ISO 27001 is not a substitute for CMMC and does not satisfy DFARS 252.204-7012 cybersecurity requirements. For organizations needing CMMC compliance, visit cmmcfirst.com. certifydefense.com focuses on ISO 27001 and other non-CMMC compliance frameworks.
Build an ISMS That Holds Up Under Scrutiny
The difference between an ISO 27001 certificate and genuine ISMS maturity is what sophisticated clients are asking about. Building a program that passes the audit and keeps passing it requires systematic risk management and operational evidence — not just documentation. A compliance assessment identifies where your gaps are relative to ISO 27001:2022 requirements and builds a realistic implementation roadmap.
CertifyDefense serves MSPs and network engineering firms implementing ISO 27001. Our assessments are built against ISO/IEC 27001:2022 and ISO/IEC 27002:2022 — the current active standards.
Sources: ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements; ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls; International Accreditation Forum (IAF), IAF MD 26:2023 Transition requirements for ISO/IEC 27001:2022. Last reviewed: February 2026.
This content is for informational purposes only and does not constitute legal, compliance, or cybersecurity advice. Consult qualified professionals for guidance specific to your organization.