ISO 27001 Compliance Services

ISO 27001 Implementation Services

Whether you are pursuing ISO 27001 certification to satisfy a customer requirement, win government or enterprise contracts, or build a credible security program that grows with your business, the difference between a certification that holds up and one that lapses within a year is how the ISMS is built. A framework bolted together for a single audit creates more work next time, not less. A program built around how your business actually operates sustains itself.

garrisonOne designs and implements ISO 27001 Information Security Management Systems that are proportionate to your organization, supported by your team, and ready to pass certification, without overengineering every control just to tick a box, so your certificate means something when a customer asks.

  • 93: controls in ISO 27001:2022
  • 2022: current version we implement against
  • International: recognised in 130+ countries
  • ISMS: information security management system

Gap Assessment & Implementation Planning

Most organizations discover their gaps are either larger than expected, in which case an unrealistic timeline creates pressure to cut corners, or smaller than feared, meaning they are overcomplicating a program that could be certified faster. We assess your current state against ISO/IEC 27001:2022 requirements, define the right implementation scope for your business, and build a prioritized plan that is honest about effort and timeline. You know what you are committing to before implementation begins.

ISMS Design & Operating Model

An ISMS that requires a dedicated full-time compliance team to maintain is not a program; it is a liability. We design your ISMS scope, governance structure, roles, objectives, and operating model around what your organization can actually sustain. Every process and responsibility is assigned to someone who will actually own it, so the system keeps running after the certification audit, not just before it.

Risk Assessment & Risk Treatment

ISO 27001's risk assessment requirement is where many programs stall: organizations either produce a risk register nobody uses, or spend months building something so complex it becomes unmanageable. We facilitate a structured risk assessment that identifies the threats and vulnerabilities relevant to your specific context, evaluates them against your risk appetite, and produces a Risk Treatment Plan that maps each decision to Annex A controls with documented rationale. Auditors can follow the logic. Your team can update it without hiring a consultant.

Control Implementation Support

ISO 27001 Annex A contains 93 controls across 4 themes, not all of which apply to every organization. Implementing controls your organization does not need wastes resources and creates maintenance burden. We implement only what your risk assessment and Statement of Applicability require: access management, incident response, asset management, supplier security, cryptography, physical security, and operational controls, each built to close a real gap, not to fill a checklist.

Policies, Procedures & Documentation

Certification auditors check your documentation as carefully as your technical controls. Missing a required document, or having a policy that clearly does not reflect how your organization actually operates, is a nonconformity finding that delays certification. We develop every mandatory document ISO 27001 requires: your information security policy, Statement of Applicability, risk treatment plan, internal audit procedures, and management review records, written to your actual context and signed off by the right people.

Internal Audit & Certification Support

Going into Stage 1 or Stage 2 without an internal audit is how organizations discover nonconformities in front of their certification body rather than in private, which means delays, additional fees, and remediation under time pressure. We conduct a full internal audit against your ISMS before certification, surface and close any remaining gaps, and prepare your team for what Stage 1 and Stage 2 reviewers will look for. When the certification body arrives, your team is ready.

Understanding ISO 27001

What organizations need to know before pursuing certification

What is ISO 27001?

ISO/IEC 27001 is an international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Published by the International Organization for Standardization, the current version is ISO 27001:2022. Certification is issued by an accredited certification body after a two-stage audit process, maintained through annual surveillance audits, and renewed every three years.

Who pursues it?

ISO 27001 is pursued by technology companies, financial institutions, healthcare organizations, government contractors, and any business that needs to demonstrate information security governance to customers, partners, or regulators. It is particularly common in European enterprise procurement and among organizations seeking to expand into markets where ISO 27001 is a baseline supplier requirement.

Why does it matter?

ISO 27001 certification signals to customers and partners that your security program is audited, governed, and continually improved, not self-assessed. For enterprise sales and government procurement, it is increasingly a threshold requirement. Organizations without it are often excluded before the RFP stage. A lapsed or suspended certificate can be more damaging commercially than starting without one.

How does certification work?

Certification requires building an ISMS, conducting a formal risk assessment, implementing Annex A controls relevant to your scope, and passing a two-stage audit. Stage 1 reviews your documentation and readiness. Stage 2 assesses whether your ISMS is operating as documented. Annual surveillance audits maintain the certificate. A full recertification audit occurs every three years.

Official source: ISO/IEC 27001 Standard

What Makes Us Different From Others


  • Aligned to ISO/IEC 27001:2022: We implement against the current version of the standard, including the updated Annex A control set and the new organizational, people, physical, and technological control categories.
  • ISMS Built for Actual Use: We design management systems that your team can operate without external support after implementation. A certification that requires a consultant to maintain is not a mature ISMS.
  • Risk-Driven, Not Control-Driven: ISO 27001 is a risk management standard. We approach implementation through the lens of your actual risks, not by implementing all 93 Annex A controls regardless of relevance.
  • Documentation That Serves a Purpose: Required documentation is written to be genuinely useful for your team, not just to satisfy auditors. If a policy cannot be followed by the people it applies to, it does not belong in your ISMS.
  • Certification Body Neutral: We do not steer you toward a preferred certification body. We help you select the right accredited body for your industry, customer expectations, and geographic requirements.
  • Post-Certification Continuity: ISO 27001 requires ongoing surveillance audits and continual improvement. We support organizations through the full certification lifecycle, not just the initial certification.

Client results

See how we have helped

Technology / SaaS

SaaS Startup — AWS Security Hardening

A seed-stage SaaS startup had customer data in a public S3 bucket. garrisonOne conducted a full AWS security assessment against CIS benchmarks and hardened the environment in 4 weeks.

  • 3 public S3 buckets closed
  • 19 overprivileged IAM roles fixed
  • 100% security review passed

Legal

Law Firm — Security Assessment

A 90-day remediation roadmap delivered after a full security assessment. The firm met enterprise client security requirements and avoided a regulatory incident.

  • 90-day remediation roadmap
  • Critical risks addressed
  • 100% of client requirements met

Frequently asked questions

What is ISO 27001?

ISO 27001 is the international standard for Information Security Management Systems. It specifies requirements for establishing, implementing, maintaining, and continually improving a documented management system that protects the confidentiality, integrity, and availability of information. Certification against ISO 27001 demonstrates to customers, partners, and regulators that your information security is managed through a recognized and auditable framework.

What changed in ISO/IEC 27001:2022?

The 2022 version introduced a restructured Annex A with 93 controls organized into four categories: organizational, people, physical, and technological. Eleven new controls were added covering areas such as threat intelligence, cloud security, data masking, and secure coding. Organizations certified against the 2013 version had until October 2025 to transition. We implement against the current 2022 standard.

Do we need to implement all 93 Annex A controls?

No. ISO 27001 requires you to consider all Annex A controls and document your reasoning in a Statement of Applicability, but you only implement the controls that are relevant to your risks and context. Controls can be excluded with documented justification. We help you make these decisions based on your actual risk assessment rather than implementing everything by default.

How long does ISO 27001 certification take?

Organizations with some existing security controls typically achieve certification in three to six months. Those starting from a lower baseline may take six to twelve months. The timeline depends on scope, organizational size, and how quickly your team can implement required changes. We provide a realistic estimate after the initial gap assessment.

What is the certification audit process?

Certification involves two stages. Stage 1 is a documentation review where the auditor assesses whether your ISMS is designed appropriately and your documentation is in order. Stage 2 is the main certification audit where the auditor tests whether your controls are implemented and operating effectively. Both stages are conducted by an accredited certification body.

How long does ISO 27001 certification last?

ISO 27001 certificates are issued for three years. During this period, the certification body conducts annual surveillance audits to verify that the ISMS continues to operate effectively. A recertification audit is required at the end of the three-year cycle. Continual improvement is a core requirement of the standard throughout the certification period.

Is ISO 27001 relevant for small and mid-size organizations?

Yes. ISO 27001 is scalable and appropriate for organizations of any size. The standard explicitly allows the scope and complexity of the ISMS to be proportionate to the organization's context and risk profile. We have implemented ISO 27001 for organizations ranging from small technology companies to large enterprises across multiple sectors.

How does ISO 27001 relate to other frameworks like SOC 2 or GDPR?

ISO 27001 has significant overlap with SOC 2 security criteria and with the security requirements of GDPR. Organizations pursuing multiple frameworks can design a single integrated control environment that satisfies shared requirements rather than running separate programs. We design implementations with this overlap in mind to reduce duplication and overall effort.

Ready to Strengthen Your Cybersecurity Posture?

Get a free 30-minute consultation with a garrisonOne expert. No obligation: just clarity on your next step.