ISO 27001 Audit — Information Security Management System

Comprehensive ISMS evaluation per ISO/IEC 27001:2022 focused on critical controls and residual risk.

ISO 27001 Lead Auditor · ISO 27701 Specialist
93 controls assessed
200+ audits performed

ISO/IEC 27001:2022 replaced the structure of 114 controls in 14 domains with 93 controls in 4 categories (organizational, people, physical, and technological). This change is not cosmetic: it requires redesigning the Statement of Applicability (SoA), recalibrating the risk assessment, and generating new operational evidence. What most organizations underestimate is that the transition is not just mapping old controls to new ones — there are 11 entirely new controls (such as threat intelligence, cloud security, and data leakage prevention) that require rollout from scratch. Organizations that treat the transition as a documentation exercise arrive at the certification audit with operational gaps that result in major nonconformities.

Deliverables

01 93-control assessment
Systematic review of Annex A against the organization's actual operations.

02 Residual risk analysis
Identification of critical gaps and unmitigated risk.

03 2022 transition roadmap
Migration plan from the 2013 version with prioritized timeline.

04 Board report
Executive translation of technical findings into business language.

Intervention Flow

01 Scoping
ISMS scope definition and critical asset identification.

02 Field audit
Document review, interviews and control testing.

03 Report and closing
Executive report delivery and closing session with management.

Technical Inquiries

An initial assessment with gap analysis takes 5 to 10 business days depending on scope (number of sites, employees in scope, and technology complexity). A full field audit requires 15 to 30 days. The factor that most affects timelines is not organization size but documentation maturity: if risk registers, the SoA, and control evidence are outdated, data gathering extends significantly. We recommend starting with the 72-hour assessment to size the actual effort.

A typical compliance vendor operates with generic checklists and delivers a status report. An assessment with ISO lead auditor rigor applies risk-based sampling, verifies operational evidence against each clause's requirements, and simulates the criteria the certification body will use. The difference lies in the depth of the findings: we do not report 'compliant/non-compliant' but classify each nonconformity by business impact and by the likelihood that a formal audit would detect it.

Fernando Arrieta offers evaluation, assessment, and methodological guidance services for management systems. These activities are independent of the certification process, which is carried out exclusively by accredited certification bodies.