✓ ISO 27001:2022 Readiness

ISO 27001 training & readiness for SMBs.

"A 45-person MSP in Manchester achieved ISO 27001 certification in 11 months — no dedicated compliance team."

ISO 27001 is the most internationally recognised information security standard. Certification signals to clients, partners, and regulators that your ISMS is legitimate — not just a policy document. We built the readiness checklist and training programme that gets SMBs to audit-ready in under a year.

500+ professionals trained
6+ compliance frameworks covered
98% satisfaction rate
Zoom, Meet, or Teams: your platform preference, your call

14 control domains across ISO 27001:2022 Annex A.

The checklist below maps all 93 Annex A controls to their four domain groups. Your Statement of Applicability must address each applicable control with evidence of implementation and review.

Annex A · A.5
Information Security Policies
  • Policies documented, approved by management, published, reviewed annually
  • Policy review includes legal, regulatory, contractual changes
  • Information security policy and supporting policies reviewed as a set
Annex A · A.6
Organisation of Information Security
  • Information security roles and responsibilities defined across the org
  • Segregation of duties implemented for sensitive operations
  • Contact with authorities maintained (regulators, law enforcement, CERT)
  • Contact with special interest groups / security forums
  • Project management includes information security from the start
Annex A · A.7
Human Resource Security
  • Screening and background checks conducted pre-hire
  • Terms of employment include information security obligations
  • Information security awareness, education, and training provided annually
  • Termination or change of role includes clear return of assets and access revocation
Annex A · A.8
Asset Management
  • Asset inventory maintained — owners, classification, sensitivity assigned
  • Information classification scheme applied to all assets
  • Labelling handled according to the classification scheme
  • Asset return process defined for all personnel departing the org
Annex A · A.9
Access Control
  • Access control policy documented and reviewed annually
  • User access provisioned/deprovisioned according to role-based rules
  • Privileged access rights reviewed quarterly for all admin accounts
  • Password policy enforced: complexity, expiry, no reuse
  • Multi-factor authentication enforced for all remote access and admin roles
  • Access logs reviewed monthly — anomalies escalated to CISO
Annex A · A.10
Cryptography
  • Cryptographic controls policy in place — key management, algorithm standards
  • Encryption at rest enforced for all databases, file stores, and backups
  • Encryption in transit enforced (TLS 1.2+) for all data in transit
  • Key management process documented — rotation, storage, revocation
Annex A · A.11
Physical & Environmental Security
  • Physical security perimeter defined — badge access, visitor log, CCTV
  • Physical entry controls prevent unauthorised access to server rooms and offices
  • Environmental controls: fire suppression, temperature monitoring, flood protection
Annex A · A.12
Operations Security
  • Operating procedures documented and reviewed when changes occur
  • Change management process defined — approval chain, rollback plan, post-change review
  • Vulnerability management: scans run monthly, critical CVEs patched within 72h
  • Malware protection deployed and signatures updated daily
  • Backup policy enforced: daily incremental, weekly full, monthly retention test
  • Logging enabled on all critical systems; logs retained 12 months minimum
  • Event logs reviewed weekly; anomalies escalated and documented
Annex A · A.13
Communications Security
  • Network segmentation defined — production, DMZ, internal, guest
  • Network perimeter controls: firewall rules, IDS/IPS, VPN for remote access
  • Secure transfer agreements in place for all file/data transfer methods used
Annex A · A.14
System Acquisition & Development
  • Security requirements included in all new system specifications
  • Secure development lifecycle enforced for all custom software
  • Change requests reviewed for security impact before any code goes to production
  • UAT environments isolated from production; no production data used in testing
Annex A · A.15
Supplier Relationships
  • Supplier register maintained — all third parties with data access listed
  • Security requirements documented in all supplier contracts (NDAs, DPAs)
  • Annual supplier security assessments conducted for all critical vendors
  • Supplier access to org assets revoked within 24h of contract termination
Annex A · A.16
Information Security Incident Management
  • Incident response procedure documented, tested annually (tabletop exercise)
  • All incidents logged, categorised, severity assigned, and managed to resolution
  • Evidence preserved from all security incidents — chain of custody maintained
  • Lessons learned review conducted within 30 days of incident closure
Annex A · A.17
Business Continuity Management
  • Business impact analysis completed — critical processes, RTO, RPO defined
  • Business continuity plans documented and reviewed annually
  • BCP tested at least annually — tabletop or full exercise with documented results
Annex A · A.18
Compliance
  • All applicable legal, regulatory, and contractual information security obligations identified
  • Privacy and data protection obligations mapped to Annex A controls (GDPR, etc.)
  • Internal audit of the ISMS conducted at least annually — findings tracked to closure
  • Management review of ISMS performance conducted at least annually — minutes retained

4 failures that stall or kill SMB ISO 27001 certification attempts.

Statement of Applicability Gaps

The SoA is the first thing a certification auditor reviews. It must list every Annex A control, state whether it applies, and provide a justification for each. Teams that skip the SoA or under-document it fail Stage 1 before the audit even starts. The checklist includes a SoA structure guide with justification templates.

Internal Audit Failures

ISO 27001 Clause 9.2 requires at least one internal audit per year before external certification. Most SMBs skip this because "we're busy enough." Auditors check the internal audit report — if it doesn't exist, you fail Stage 1. If it exists but findings aren't closed, you fail Stage 2. Build the audit into your ISMS from month one.

ISMS Scope Errors

Scoping the ISMS too narrowly means you miss controls that apply. Scoping it too broadly means you have an unmanageable control set and fail the audit. Certification bodies look at your scope statement carefully — it must be accurate, cover all data flows and locations in scope, and align with the SoA. The checklist covers scope definition.

Supplier Risk Unmanaged

Annex A.15 requires documented supplier assessments for all third parties with access to your data or systems. Most SMBs have no supplier register, no contracts with security clauses, and no annual review process. A single supplier without a DPA can disqualify your certification. The checklist covers the supplier risk management controls in detail.

Download the ISO 27001 Readiness Checklist

93 controls · 14 Annex A domains · SoA structure guide included

Used by SMBs and management consultancies building an ISMS from scratch or preparing for external certification. Includes control mapping by domain, evidence checklist, SoA structure guide, and risk treatment plan template.


How SecurEveryone solves this

ISO 27001-aligned training — with evidence for your ISMS audit file.

Our Business session ($900) delivers ISO 27001-aligned training for all personnel in a single 2-hour live webinar. Individual attendance records with timestamps provide the A.7.2 evidence your certification auditor will ask for. We provide an evidence packet including the session summary, curriculum outline, and attendance log.

  • Annex A.5–A.18 controls covered: policies, access, assets, human resources, supplier, incident, BC
  • Individual attendance records per participant for A.7.2 evidence
  • Full evidence packet for your ISMS audit evidence management system
  • Annex A.16 incident management playbook walkthrough included

Sessions: Personal — $150 · Executive — $390 · Business — $900 flat
📋 Audit evidence we provide

Every ISO 27001 training engagement includes these artefacts for your ISMS evidence management:

Individual attendance records

Employee name, timestamp, session ID — A.7.2 training evidence for your Stage 2 audit file.

Session summary document

Date, duration, topics covered, instructor name — A.5 information security policy training evidence.

Dated curriculum outline

Versioned curriculum with date — suitable for auditor review and Stage 2 evidence package.

Incident response debrief workbook

Annex A.16 walkthrough materials — used in the session and provided as a reusable incident response template.

One flat rate covers your ISO 27001 training obligation.

Personal
$150
For individuals who need real security skills.
  • 60-minute personalised session on Zoom, Meet, or Teams
  • ISO 27001 Annex A overview and your ISMS obligations
  • Personal information security assessment
  • Attendance record for compliance file
  • 24/7 emergency session access (+$100)
Attendance record provided for your ISO 27001 audit file.
Book this session →
Business (unlimited users)
$900
Unlimited users · $900 flat — satisfies Annex A.7 training requirements.
  • 2-hour comprehensive live webinar
  • Unlimited participants — no per-seat fees
  • Annex A.5 through A.18 coverage (all 14 domains)
  • Interactive Q&A and scenario exercises
  • Attendance record + session summary provided
$900 flat. Train your entire organisation at once.
Book this session →

Common questions from SMBs pursuing ISO 27001.

How long does ISO 27001 certification take?

Most SMBs take 6–18 months from initial gap assessment to certification. Teams with existing information security practices can move faster. The checklist covers the Annex A controls your auditor will examine in Stage 1.

What's the difference between ISO 27001 and SOC 2?

ISO 27001 certifies a full Information Security Management System (ISMS) — it's a management standard, not just a controls checklist. SOC 2 is an AICPA attestation focused on a defined set of controls (the Trust Services Criteria). ISO 27001 is internationally recognised (ISO/IEC 27001:2022), globally portable, and often preferred in supply chain and enterprise contexts. Many companies pursue both.

What are the 14 Annex A control domains?

Annex A in ISO 27001:2022 organises 93 controls into four groups: Organizational (A.5–A.8), People (A.9–A.10), Physical (A.11–A.12), and Technological (A.13–A.14). There is no fifth group — this is a common misconception. The checklist covers all 93 controls mapped to their domains.

What does an SMB actually need to certify?

ISO 27001 applies to any organisation regardless of size or sector. The key decisions are your ISMS scope (what's in and out) and which Annex A controls are applicable (documented in the Statement of Applicability). SMBs typically scope to their core business processes, cloud infrastructure, and key personnel — not the whole org if it's not necessary.

What is the Statement of Applicability (SoA)?

The SoA is a document listing every Annex A control, whether it applies to your organisation, and the justification for inclusions and exclusions. It's the first thing a certification auditor reviews. A poorly structured SoA is the most common reason SMBs fail Stage 1. The checklist includes a SoA structure guide.

What does ISO 27001 training actually cover?

Our ISO 27001-aligned training covers Annex A controls by domain — specifically the human-factors controls your staff need to understand: A.5 (information security policies), A.6 (organisation of information security), A.7 (human resource security), A.8 (asset management), A.9 (access control), A.10 (cryptography), and A.11–A.14 (physical, operations, communications, and system acquisition). Individual attendance records with timestamps are provided for your audit evidence.

Book an ISO 27001 readiness assessment.

No-form call. 30 minutes. We map your current Annex A coverage, identify your ISMS scope, and give you a 6-month certification sequence — free.