ISO 27001 isn't a certification you earn once — it's an Information Security Management System you operate. Most teams treat the ISMS like documentation to be renewed, not a program to be lived. We run the ISMS as continuous operations — controls tracked live, evidence captured as it happens, surveillance audits that feel like status reports.
ISO 27001:2022 is certification against a management system standard — the standard defines what you must document, decide, and demonstrate. The 93 Annex A controls are the checklist people focus on, but the ISMS itself is what auditors actually assess.
Policies, risk assessments, control objectives, operating cadences, management review, corrective actions, continual improvement — the whole management system. Most teams have components scattered across tools; we consolidate them so the ISMS is legible to auditors.
The SoA documents which Annex A controls you've implemented, which you've excluded, and the justification for each decision. Auditors read this first. Ours is generated from live program data — it stays current as controls evolve, not stale in a Word document.
Stage 1 (documentation review), 3+ months of operating the ISMS, then Stage 2 (operational effectiveness). Certifications are good for 3 years with annual surveillance audits and a recertification at year 3. Plan on 9–14 months from kickoff to initial certification.
Most ISO 27001 programs pass Stage 2 and immediately start decaying. The ISMS was built for the audit, not for operating the business — so within 12 months the SoA is stale, risk assessments are outdated, and management reviews are on autopilot. Then Year 2 surveillance shows up and it's a mini-scramble all over again.
The Statement of Applicability lives in a Word document that's read once a year. New systems get deployed, controls change, but the SoA never gets updated — so the audit trail diverges from what's actually operating in production.
Risk assessments become copy-paste of last year's version. The methodology is documented but never actually run against new threats, new vendors, or new business initiatives. Auditors notice; buyers do too.
Clause 9.3 requires management review of the ISMS. When it becomes a checkbox meeting once a year with no real decisions, the ISMS loses executive sponsorship. Recertification at year 3 reveals the gap dramatically.
Our Managed Program treats ISO 27001 as continuous ISMS operation. The Statement of Applicability, risk register, and management review artifacts are all generated from live program data — not reconstructed at year-end. Same platform your certification body sees; same source of truth your team operates against.
A live ISMS produces a live Statement of Applicability and continuous risk register. This is the coverage view your certification body sees at surveillance — current, evidenced, and stable across the three-year cycle.
Northwind Health, Inc. · March 2026
| Annex A | Finding | Detected | Status |
|---|---|---|---|
| A.5.19 | Supplier relationship info security · one vendor missing signed T&Cs | 2026-03-09 | Tracked |
| A.8.12 | Data leakage prevention · DLP rule update pending | 2026-03-02 | Assigned |
| A.7.4 | Physical security monitoring · CCTV firmware out of support | 2026-02-24 | Remediating |
Plan on 9–14 months from kickoff to certification. The process: Stage 1 audit (documentation review), 3+ months of operating the ISMS, then Stage 2 audit (operational effectiveness). Certifications are good for 3 years with annual surveillance audits. We've shortened this for clients who already have mature security programs — but most teams need the full timeline to build the management system correctly.
Yes. The 2022 revision reorganized the controls (Annex A went from 114 to 93) and added new ones for cloud, threat intelligence, and data masking. All new certifications use 2022, and certifications under 2013 must transition by October 2025. If you're starting today, you're on 2022 — and Adalace's mappings are already built around it.
An Information Security Management System is the documented framework — policies, procedures, risk assessments, control objectives, and operating cadences — that runs your security program. For ISO 27001, yes, you absolutely need one; the certification is for the ISMS itself, not just individual controls. The good news: you probably already have most of the components, just scattered. We consolidate them in Adalace and align them to the standard.