ISO 27001:2022 ISMS platform

Build your ISMS, prepare for audit, get certified. All in one platform.

Key Takeaways: Priverion is a Swiss-hosted ISMS platform that automates ISO 27001:2022 certification — from gap analysis and SoA to risk treatment and audit-ready documentation.
Getting ISO 27001 certified takes real effort — typically 6–12 months depending on your maturity. We won’t pretend otherwise. But we will cut out the manual documentation work that makes it feel like 24 months.
Trusted by 50+ privacy teams across 14 countries
Healthcare
Aviation
Energy
Legal
Technology
Liferay logo
CareerFairy logo
Voicepoint logo
Kellerhals Carrard logo
Aclaris logo
Avantec logo
Diakonie Bethanien logo
Tapeze logo
Zurzach logo
Medtec logo
AYA logo
The ISMS lifecycle

7 steps from policy to certification

Priverion guides you through the entire ISO 27001:2022 journey — from initial gap analysis through SoA creation to audit-ready documentation. No spreadsheets, no consulting army.
ISMS foundation

Information Security Policy

The ISO/IEC 27001 Information Security Policy is a top-level document, approved by senior management, that commits the organization to protecting information by defining objectives, scope, principles, and the overall approach to managing risk, controls, and continual improvement. It establishes leadership support, enables risk-based decisions, sets roles and expectations, supports compliance, and guides behaviour, implementation, and monitoring of the information security program.

Key points:
  • Leadership commitment, resource allocation, and accountability.
  • Foundation for risk management and continual improvement (Plan-Do-Check-Act).
  • Defines scope, objectives, and guiding principles/controls.
  • Guides behaviour (roles, responsibilities, incident reporting, acceptable use).
  • Supports compliance with legal, regulatory, and contractual obligations and informs procedures, training, and audits.
Result: Start with ISO 27001:2022 policy templates, customize to your org, and distribute with read-receipt tracking.
Threat analysis

Risk Evaluation

The ISO/IEC 27001 risk evaluation process involves identifying information assets, threats and vulnerabilities, and then assessing the potential impact and likelihood of each risk to determine its level. This evaluation uses defined risk criteria (severity, probability, and tolerable risk) to produce a risk rating (e.g., high, medium, low) for each threat–vulnerability pair, considering both inherent and residual risk after existing controls. The results inform decisions on risk treatment options, acceptance, and prioritization, and they form the basis for the organization's risk treatment plan and ongoing monitoring.
Result: Identify and score risks systematically — with structured threat-vulnerability pairing instead of ad-hoc spreadsheets.
Control selection

Statement of Applicability

The Statement of Applicability (SoA) in ISO/IEC 27001 is a formal document that lists every Annex A control and states, for each one, whether it is applicable or excluded, with a justification either way: an applicable control is traced back to the risk assessment and treatment results that made it necessary, an excluded control carries the reason for its exclusion, and each applicable control is marked as implemented or not yet implemented (Clause 6.1.3(d)). Where a control is only partly applied, the SoA records the current status and any compensating controls. The SoA links the results of risk assessment and treatment to the controls actually in place, serving as a baseline for monitoring, internal audits, and certification, and it demonstrates how the information security management system (ISMS) satisfies the required controls and management expectations.
Result: Map all Annex A controls to your organization in one view — SoA creation in days, not weeks.
Control implementation

Risk Treatment Plan

The risk treatment plan is a documented plan that defines how identified information security risks will be treated, including the chosen controls, actions, owners, timelines, and resources needed to reduce risk to an acceptable level. It links the risk assessment results to specific control measures and any necessary compensating controls, and it specifies residual risk acceptance criteria and how progress will be monitored. The plan also assigns responsibilities, sets milestones, and aligns with the organization’s overall ISMS objectives to support ongoing risk management and continual improvement.
Result: Track every control action, owner, and deadline — 2x faster mitigation than manual tracking.
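The three steps above (risk evaluation, SoA, risk treatment plan) are one data flow: the same threat-vulnerability rows that produce a risk rating also decide which Annex A controls are necessary and what the treatment plan must track. The following worked example is added here to show that flow in code; it is not Priverion's code or a description of its data model. Annex A control identifiers follow ISO/IEC 27001:2022 numbering; the assets, scores, control reductions, owners, due dates and exclusion justification are constructed sample data, and the 1-5 scoring, the rating bands and the acceptance threshold are this example's assumptions, not something the standard prescribes.

```python
"""Added worked example (not Priverion's code): a minimal ISO/IEC 27001-style
risk register that scores threat-vulnerability pairs, derives residual risk from
applied controls, picks a treatment option, and generates a Statement of
Applicability (SoA) and a risk treatment plan from the same rows.
Scoring scale, bands and threshold are assumptions; sample data is constructed."""
from dataclasses import dataclass, field

# Risk criteria (clause 6.1.2): likelihood and impact 1-5, score = L x I.
ACCEPTABLE_RISK = 6                      # residual <= 6 may be retained by the risk owner
RATING_BANDS = ((15, "high"), (8, "medium"), (0, "low"))


def rate(score: int) -> str:
    """Map a numeric score onto the organisation's rating bands."""
    return next(label for floor, label in RATING_BANDS if score >= floor)


@dataclass
class Control:
    control_id: str                      # Annex A identifier, e.g. "A.8.5"
    name: str
    likelihood_reduction: int = 0        # points removed from likelihood when applied
    impact_reduction: int = 0            # points removed from impact when applied


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                      # inherent, 1-5
    impact: int                          # inherent, 1-5
    owner: str
    due: str                             # treatment deadline
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        # Controls never push a factor below 1, so residual risk is never zero.
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp

    def treatment(self) -> str:
        # ISO 31000 options are retain, modify, share, avoid; only the first two
        # are decided automatically here, share/avoid stay a human decision.
        return "retain" if self.residual() <= ACCEPTABLE_RISK else "modify"


# Constructed Annex A subset; a real SoA lists all 93 controls.
A = {c.control_id: c for c in [
    Control("A.5.15", "Access control", likelihood_reduction=1),
    Control("A.7.4", "Physical security monitoring"),
    Control("A.8.5", "Secure authentication", likelihood_reduction=2),
    Control("A.8.13", "Information backup", impact_reduction=2),
    Control("A.8.15", "Logging", likelihood_reduction=1),
    Control("A.8.24", "Use of cryptography"),
]}

# Constructed risk register: one threat-vulnerability pair per row.
RISKS = [
    Risk("R-01", "Customer database", "Credential theft", "Password-only admin login",
         4, 5, "Head of IT", "2025-03-31", [A["A.8.5"], A["A.5.15"]]),
    Risk("R-02", "Backup media", "Ransomware", "Single online backup copy",
         3, 5, "Infrastructure lead", "2025-02-28", [A["A.8.13"]]),
    Risk("R-03", "Web server logs", "Undetected intrusion", "No central log review",
         3, 3, "Security officer", "2025-04-30", [A["A.8.15"]]),
]

# Explicit exclusions with their justification (constructed sample).
EXCLUSIONS = {"A.7.4": "No physical premises in ISMS scope; fully remote organisation."}


def build_soa(controls, risks, exclusions):
    """One SoA row per control: applicable with the risks that justify it,
    excluded with a justification, or applicable with no justification yet."""
    justified = {}
    for r in risks:
        for c in r.controls:
            justified.setdefault(c.control_id, []).append(r.risk_id)
    soa = []
    for cid, c in sorted(controls.items()):
        if cid in exclusions:
            soa.append({"id": cid, "name": c.name, "applicable": False,
                        "justification": exclusions[cid]})
        else:
            why = "Treats " + ", ".join(justified[cid]) if cid in justified else ""
            soa.append({"id": cid, "name": c.name, "applicable": True, "justification": why})
    return soa


def soa_gaps(soa):
    """Controls neither tied to a risk nor excluded: an auditor will ask why."""
    return [row["id"] for row in soa if row["applicable"] and not row["justification"]]


def treatment_plan(risks):
    """Plan ordered by residual risk, highest first, with owner and deadline."""
    return [{"risk": r.risk_id, "residual": r.residual(), "rating": rate(r.residual()),
             "treatment": r.treatment(), "owner": r.owner, "due": r.due}
            for r in sorted(risks, key=lambda r: r.residual(), reverse=True)]


if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.risk_id}: inherent {r.inherent()} ({rate(r.inherent())}), "
              f"residual {r.residual()} ({rate(r.residual())}) -> {r.treatment()}")
    print("SoA gaps:", soa_gaps(build_soa(A, RISKS, EXCLUSIONS)))
```

The check worth keeping from this is `soa_gaps`: a control that is marked applicable but is not traced to any risk, and not explicitly excluded, is exactly the row an external auditor will open first, because the SoA must justify every inclusion as well as every exclusion. Spreadsheets lose that link as soon as the risk register and the SoA are separate tabs.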
Implementation status

Controls Implementation

Every Information Security Officer needs to know the current implementation status of each control. The Risk Treatment Console lets you monitor that status, control by control, as the risk treatment plan is executed.
Result: Real-time visibility into control implementation across your entire organization.
Compliance review

Internal Audit

An internal audit is a systematic, independent, and documented activity that assesses the ISMS against the ISO standard and the organization’s own requirements. It evaluates whether the information security controls are effectively implemented and maintained, and whether the ISMS complies with the SoA, risk treatment plans, policies, and procedures. The audit uses objective evidence to identify nonconformities and opportunities for improvement, and it results in an audit report and corrective actions to enhance the system, with findings tracked through an ongoing audit program.
Result: Run your internal audit and track findings — all evidence linked back to controls and the SoA.
ISO certification

External Audit

An external audit is conducted by an accredited certification body to verify that the organization's ISMS conforms to the standard within the ISMS scope the organization has defined. It is normally run in two stages: a Stage 1 review of documentation and readiness, followed by a Stage 2 on-site (or remote) assessment with interviews and evidence sampling that evaluates the implementation and effectiveness of controls, the SoA, risk treatment, and supporting processes. Findings or nonconformities require corrective actions; once all criteria are met, a certificate valid for three years is issued, with surveillance audits (usually annual) in between and a recertification audit before it expires.
Result: Generate auditor-ready reports instantly — 200+ hours saved in ISO 27001 preparation (based on Medtec results).
Related frameworks

ISO 27001 + GDPR + Swiss FADP in one platform

  • 200h+ saved in ISO 27001 preparation (based on Medtec results)
  • 1 platform for InfoSec and privacy: no duplicate documentation across frameworks
  • 2x faster risk mitigation (based on customer-reported control implementation times)

Ready to simplify your privacy management?

You’re in good company. Priverion replaces scattered Excel sheets and manual workflows with a unified, smart platform for privacy and InfoSec. Our team guides you from day one to ensure a smooth rollout and long-term success.
About this page — references, definitions, and FAQs

Key Takeaways — ISO 27001 Compliance with Priverion

Priverion is a Swiss-hosted SaaS platform purpose-built for ISO 27001:2022 certification. It automates the full ISMS lifecycle — from information security policy creation and risk evaluation through Statement of Applicability (SoA) generation, risk treatment planning, control implementation tracking, and internal audit management. Organizations using Priverion report saving over 200 hours in audit preparation and achieving 2× faster risk mitigation compared to manual spreadsheet-based approaches. The platform also unifies ISO 27001 with GDPR and Swiss FADP compliance in a single workspace, eliminating duplicate documentation across frameworks.

Definitions

What is an ISMS (Information Security Management System)?

ISMS stands for Information Security Management System. According to ISO/IEC 27001, an ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes, and IT systems by applying a risk management process, giving assurance that information security risks are adequately managed.

What is the Statement of Applicability (SoA)?

The Statement of Applicability is a mandatory document required by ISO 27001 Clause 6.1.3(d). It lists all 93 Annex A controls from ISO 27001:2022, indicates whether each is implemented or excluded, and provides justification. The SoA serves as the bridge between risk assessment and control implementation. Source: ISO 27001:2022

What is a Risk Treatment Plan?

A Risk Treatment Plan documents how identified information security risks will be addressed. It specifies chosen controls, responsible owners, timelines, and resources. ISO 27001 Clause 6.1.3 requires organizations to formulate a risk treatment plan and obtain risk owner approval for residual risks.

What are Annex A Controls?

Annex A Controls are the reference set of information security controls in ISO 27001:2022. The 2022 revision consolidated the previous 114 controls (in 14 domains) into 93 controls across four themes: Organizational (37), People (8), Physical (14), and Technological (34). Eleven new controls were introduced, including threat intelligence, cloud security, and data masking. Source: ISO/IEC 27001:2022

Statistics and Industry Context

According to the ISO Survey of Certifications 2023, there were over 70,000 valid ISO/IEC 27001 certificates worldwide — a year-on-year increase of approximately 20%, reflecting growing demand for formalized information security management. The European Union Agency for Cybersecurity (ENISA) has repeatedly recommended ISO 27001 as a baseline framework for organizations seeking to comply with the NIS2 Directive. A 2023 Gartner analysis projected that by 2025, 60% of organizations would use cybersecurity risk as a primary determinant in third-party transactions, making ISO 27001 certification a competitive differentiator. The IAPP-EY 2023 Privacy Governance Report found that 58% of privacy professionals reported increased budgets for compliance technology, underscoring the shift from manual processes to automated platforms.

ISO 27001:2022 vs. ISO 27001:2013 — Key Changes

Aspect | ISO 27001:2013 | ISO 27001:2022
Number of Annex A controls | 114 controls in 14 domains | 93 controls in 4 themes
New controls introduced | (baseline) | 11 new controls (e.g., threat intelligence, cloud security, data masking)
Control themes | 14 domains (A.5–A.18) | 4 themes: Organizational, People, Physical, Technological
Attributes for controls | Not included | 5 attributes: control type, security property, cybersecurity concept, operational capability, security domain
Transition deadline | All 2013 certificates must transition by 31 October 2025 | Current version

Frequently Asked Questions

What is ISO 27001:2022 and why does it matter?

ISO 27001:2022 is the international standard for information security management systems (ISMS), published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It provides a systematic framework for managing sensitive information through risk assessment, control implementation, and continual improvement. Certification demonstrates to customers, regulators, and partners that an organization meets globally recognized security benchmarks. Under the EU's NIS2 Directive, ENISA recommends ISO 27001 as a baseline compliance framework.

How long does ISO 27001 certification typically take?

ISO 27001 certification typically takes 6–12 months depending on organizational maturity, scope, and existing controls. According to industry benchmarks, the documentation phase alone can consume 40–60% of total project time. Organizations using dedicated ISMS software like Priverion can reduce documentation effort significantly — customers report saving 200+ hours in audit preparation based on real-world results.

What is a Statement of Applicability (SoA) in ISO 27001?

The Statement of Applicability (SoA) is a mandatory document required by ISO 27001 Clause 6.1.3(d). It lists all Annex A controls, states whether each is applied or excluded, and provides justification for exclusions. The SoA links risk assessment results to implemented controls and serves as a baseline for internal audits, surveillance audits, and certification decisions.

How does Priverion help with ISO 27001 compliance?

Priverion provides a Swiss-hosted SaaS platform that automates the entire ISMS lifecycle: policy creation with templates, structured risk evaluation with threat-vulnerability pairing, automated SoA generation, risk treatment plan tracking with owners and deadlines, real-time control implementation monitoring, and internal audit management with evidence linking. It replaces spreadsheets with structured workflows and generates auditor-ready reports instantly.

Can Priverion handle ISO 27001 alongside GDPR and Swiss FADP?

Yes. Priverion unifies ISO 27001, GDPR, and Swiss FADP compliance in a single platform. Controls and risk assessments are mapped across all applicable regulations, eliminating duplicate documentation. This integrated approach is particularly valuable for Swiss and European organizations that must demonstrate compliance with multiple overlapping frameworks simultaneously.

What are the 93 Annex A controls in ISO 27001:2022?

ISO 27001:2022 Annex A contains 93 controls organized into four themes: Organizational (37 controls covering policies, roles, asset management, access control, and supplier relationships), People (8 controls for screening, awareness, and disciplinary processes), Physical (14 controls for perimeters, equipment, and environmental threats), and Technological (34 controls for endpoint security, logging, cryptography, secure development, and cloud services). Eleven controls are entirely new compared to the 2013 version. Source: ISO/IEC 27001:2022

What is the transition deadline from ISO 27001:2013 to 2022?

The International Accreditation Forum (IAF) set 31 October 2025 as the deadline for all existing ISO 27001:2013 certificates to transition to the 2022 version. After this date, 2013-version certificates are no longer valid. Organizations should plan their transition audit well in advance to avoid certification gaps.

How does ISO 27001 relate to the NIS2 Directive?

The EU's NIS2 Directive (Directive 2022/2555) requires essential and important entities to implement appropriate cybersecurity risk management measures. ENISA has identified ISO 27001 as a recognized framework that can help organizations demonstrate compliance with NIS2's security requirements. While ISO 27001 certification is not explicitly mandated by NIS2, it provides a structured, auditable approach that aligns closely with the directive's expectations.