ISO 27001:2022 · Continuous ISMS

ISO 27001,
run continuously.

ISO 27001 isn't a certification you earn once — it's an Information Security Management System you operate. Most teams treat the ISMS like documentation to be renewed, not a program to be lived. We run the ISMS as continuous operations — controls tracked live, evidence captured as it happens, surveillance audits that feel like status reports.

01 /

What ISO 27001 actually requires.

Beyond the Annex A checklist

ISO 27001:2022 is certification against a management system standard — the standard defines what you must document, decide, and demonstrate. The 93 Annex A controls are the checklist people focus on, but the ISMS itself is what auditors actually assess.

01
An ISMS, not just controls

Policies, risk assessments, control objectives, operating cadences, management review, corrective actions, continual improvement — the whole management system. Most teams have components scattered across tools; we consolidate them so the ISMS is legible to auditors.

02
A Statement of Applicability

The SoA documents which Annex A controls you've implemented, which you've excluded, and the justification for each decision. Auditors read this first. Ours is generated from live program data — it stays current as controls evolve, not stale in a Word document.

03
Two-stage certification, three-year cycle

Stage 1 (documentation review), 3+ months of operating the ISMS, then Stage 2 (operational effectiveness). Certifications are good for 3 years with annual surveillance audits and a recertification at year 3. Plan on 9–14 months from kickoff to initial certification.

02 /

Why most ISO 27001 programs drift after certification.

The three-year fade

Most ISO 27001 programs pass Stage 2 and immediately start decaying. The ISMS was built for the audit, not for operating the business — so within 12 months the SoA is stale, risk assessments are outdated, and management reviews are on autopilot. Then Year 2 surveillance shows up and it's a mini-scramble all over again.

Stale SoA

The Statement of Applicability lives in a Word document that's read once a year. New systems get deployed, controls change, but the SoA never gets updated — so the audit trail diverges from what's actually operating in production.

Risk assessment inertia

Risk assessments become copy-paste of last year's version. The methodology is documented but never actually run against new threats, new vendors, or new business initiatives. Auditors notice; buyers do too.

Management review theater

Clause 9.3 requires management review of the ISMS. When it becomes a checkbox meeting once a year with no real decisions, the ISMS loses executive sponsorship. Recertification at year 3 reveals the gap dramatically.

03 /

How we run ISO 27001 differently.

The ISMS as a living program

Our Managed Program treats ISO 27001 as continuous ISMS operation. The Statement of Applicability, risk register, and management review artifacts are all generated from live program data — not reconstructed at year-end. Same platform your certification body sees; same source of truth your team operates against.

/ 01
Live SoA and risk register
The Statement of Applicability and risk register update as the program evolves — new controls, new vendors, new risks all flow into the live record. What the auditor sees at surveillance is the same view your team uses daily.
/ 02
Operating cadences that stick
Access reviews, vendor assessments, internal audits, corrective action tracking — all on managed cadences with owners, deadlines, and evidence baked in. No calendar reminders, no orphaned tasks, no "we forgot Q3."
/ 03
Management review, done for real
Quarterly management review packs generated from live data — ISMS performance, risk changes, corrective actions, resource decisions. Not theater. The reviews leadership actually needs to make, in a format they'll actually read.
04 /

What ISO 27001 looks like on our platform.

Sample deliverable · Anonymized

A live ISMS produces a live Statement of Applicability and continuous risk register. This is the coverage view your certification body sees at surveillance — current, evidenced, and stable across the three-year cycle.

Sample

Framework Coverage · Live

Northwind Health, Inc. · March 2026

Frameworks Tracked · 5
Controls Mapped · 487
Last Sync · 7 min ago
SOC 2 TYPE II
94%
ISO 27001:2022
81%
HIPAA SEC. RULE
68%
NIST CSF 2.0
76%
PCI DSS 4.0
59%
ISO 27001 SoA · Drift & Exceptions · Last 14 Days
Annex AFindingDetectedStatus
A.5.19 Supplier relationship info security · one vendor missing signed T&Cs 2026-03-09 Tracked
A.8.12 Data leakage prevention · DLP rule update pending 2026-03-02 Assigned
A.7.4 Physical security monitoring · CCTV firmware out of support 2026-02-24 Remediating
05 /

ISO 27001 questions we hear most.

Straight answers
What's the certification timeline for ISO 27001?+

Plan on 9–14 months from kickoff to certification. The process: Stage 1 audit (documentation review), 3+ months of operating the ISMS, then Stage 2 audit (operational effectiveness). Certifications are good for 3 years with annual surveillance audits. We've shortened this for clients who already have mature security programs — but most teams need the full timeline to build the management system correctly.

ISO 27001:2022 vs 2013 — does it matter?+

Yes. The 2022 revision reorganized the controls (Annex A went from 114 to 93) and added new ones for cloud, threat intelligence, and data masking. All new certifications use 2022, and certifications under 2013 must transition by October 2025. If you're starting today, you're on 2022 — and Adalace's mappings are already built around it.

What's an ISMS, and do we really need one?+

An Information Security Management System is the documented framework — policies, procedures, risk assessments, control objectives, and operating cadences — that runs your security program. For ISO 27001, yes, you absolutely need one; the certification is for the ISMS itself, not just individual controls. The good news: you probably already have most of the components, just scattered. We consolidate them in Adalace and align them to the standard.

See All ISO 27001 FAQs

Ready to run ISO 27001 as a living program?

Book a Walkthrough