In depth
Unlike SOC 2, which is an attestation report, ISO 27001 is a true certification. An accredited certification body audits the ISMS against the standard's mandatory clauses (4 through 10 — context of the organisation, leadership, planning, support, operation, performance evaluation and improvement) and the applicable Annex A controls from the Statement of Applicability. A successful audit produces a three-year certificate with annual surveillance audits in years one and two and a full recertification in year three. The certificate is recognised globally and is increasingly a hard requirement in enterprise procurement.
Building toward certification typically takes nine to eighteen months from a standing start. The work breaks down into scope definition (which business units, sites, products), risk assessment (often using ISO 27005), Statement of Applicability development, policy and procedure authorship, control implementation (technical and operational), internal audit, management review, and the Stage 1 / Stage 2 external audit cycle. Penetration testing is required evidence under Annex A.8.8 (Management of technical vulnerabilities) and A.8.29 (Security testing in development and acceptance); SAST and SBOM evidence supports A.8.28 (Secure coding).
The most common reasons organisations adopt ISO 27001: it is the lingua franca of enterprise security questionnaires in EMEA and Asia (SOC 2 dominates in North America), it satisfies the "appropriate technical and organisational measures" language in the GDPR and the DPDP Act, and it forces a level of management-system discipline that ad-hoc security programmes lack. AxVeil engagements map each finding to the relevant Annex A control so the audit evidence pack drops straight into the auditor's request list. See compliance services.