ISO 27001 Compliance Platform
ISO 27001:2022 ISMS in one platform — risk register, Statement of Applicability, Annex A controls, internal audits, and continuous evidence.
ISO 27001:2022 Information Security Management System (ISMS)
The Threatstealth ISO 27001 platform delivers a complete Information Security Management System (ISMS) — from risk register and Statement of Applicability through all 93 Annex A controls, internal audit management, and continuous evidence collection.
- Risk register — structured risk identification, assessment, and treatment aligned to ISO 27001 Clause 6.1
- Statement of Applicability (SoA) — auto-generated SoA with applicability decisions and control implementation status
- 93 Annex A controls — all 2022 Annex A controls mapped to live signals with continuous validation
- Internal audit management — plan, conduct, and report internal ISMS audits with corrective action tracking
- Continuous evidence — automated evidence collection for all 93 controls, with no manual collection effort before audits
- Certification-ready export — export ISMS documentation and evidence pack for external certification audits
ISO 27001:2022 vs 2013: What Changed in the Latest Edition
ISO 27001:2022 was published in October 2022 with significant changes to Annex A — the control reference set that organisations select from when building their ISMS. The 2022 edition reduced the control count from 114 to 93, reorganised the 2013 edition's control domains into four new themes (Organisational, People, Physical, Technological), and added 11 new controls addressing cloud security, data masking, configuration management, threat intelligence, and information deletion. All organisations certified to ISO 27001:2013 were required to transition to the 2022 edition by October 2025. Threatstealth's ISO 27001 platform is built entirely on the 2022 edition structure.
- Control count reduction — from 114 controls in the 2013 edition to 93 controls in the 2022 edition through merging and restructuring
- Four-theme organisation — Organisational (37), People (8), Physical (14), and Technological (34) control themes
- 11 new controls — cloud security, threat intelligence, configuration management, data masking, and information deletion
- Transition deadline — October 2025 mandatory transition date for organisations certified to the 2013 edition
- Clause changes — updated leadership, planning, and performance evaluation requirements in the normative clauses
Risk Register and Information Security Risk Assessment
ISO 27001 Clause 6.1 requires organisations to define and apply an information security risk assessment process and maintain documented risk treatment decisions. The Threatstealth risk register implements a structured risk assessment methodology — identifying information assets, threats, vulnerabilities, existing controls, and residual risk ratings for each risk scenario. Risk treatment options (accept, avoid, transfer, or mitigate) are documented alongside treatment plans, risk owners, and target residual risk ratings. The risk register is continuously updated as the environment changes — new assets, new threats, and changes to existing controls trigger re-assessment prompts for affected risk scenarios.
- Asset-based risk identification — risks identified against specific information assets rather than generic control categories
- Threat and vulnerability assessment — structured assessment of applicable threats and current vulnerability state per asset
- Risk scoring — likelihood and impact scoring producing inherent and residual risk ratings per risk scenario
- Treatment plan tracking — documented treatment actions with owner assignment, target date, and completion status
- Risk register review workflow — periodic review triggers for risk owners to confirm risk ratings remain current
Statement of Applicability and Annex A Control Selection
The Statement of Applicability (SoA) is one of the most important documents in the ISO 27001 certification process — it documents which of the 93 Annex A controls are applicable to the organisation, why each applicable control was selected, and the current implementation status of each control. Threatstealth generates the SoA automatically from the risk register and a guided applicability assessment, populating justification text for each control selection and linking each applicable control to its implementation evidence. The SoA is a living document — control applicability decisions and implementation status are updated as the ISMS matures, with a full revision history maintained for certification audit review.
- Auto-generated SoA — populated from risk assessment outputs and guided applicability decisions for all 93 controls
- Applicability justification — documented reasons for each applicable and excluded Annex A control
- Implementation status tracking — real-time status (not implemented, partial, implemented) per control
- SoA revision history — full version history of applicability decisions for certification audit review
- Certification body export — SoA formatted for external certification body review in standard layout
Internal Audit Programme and Corrective Action Management
ISO 27001 Clause 9.2 requires organisations to conduct internal ISMS audits at planned intervals to verify that the ISMS conforms to the standard requirements and operates effectively. The Threatstealth internal audit module supports a structured audit programme — scheduling audits by scope, assigning auditor roles, conducting audits against a question bank aligned to ISO 27001 clauses and Annex A controls, recording audit findings, and tracking corrective actions through to verified closure. Internal audit reports are retained as ISMS evidence and feed into the management review process required by Clause 9.3.
- Audit programme planning — scheduled internal audits by scope area, covering all ISMS clauses within a defined audit cycle
- Auditor role assignment — internal auditor designation with independence requirements enforced
- Audit question bank — structured audit questions aligned to ISO 27001 clauses and all 93 Annex A controls
- Finding and observation recording — classified audit findings linked to specific ISMS requirements
- Corrective action tracking — corrective action requests (CARs) with root cause, corrective action plan, owner, target date, and verification of closure