
ISO 27001 Implementation Roadmap: A Step-by-Step Guide to Certification

Most organisations that fail their first ISO 27001 certification audit don’t fail because their security is lacking. They fail because they cannot show that security is managed systematically. ISO 27001:2022 is not a technology exercise. It is a management system standard, and getting certified requires your entire organisation to demonstrate that it manages information security systematically, continuously, and with documented intent.

This guide provides a practical, phase-by-phase roadmap to ISO 27001 implementation, covering everything from initial scoping to certification audit preparation. Whether you are building an ISMS from scratch or modernizing a legacy system, the structure below reflects how implementation actually works in practice.

The ISO 27001 Implementation Roadmap at a Glance

An ISO 27001 implementation roadmap is a structured project plan that takes an organization from its current security posture to certified compliance with ISO/IEC 27001:2022. The roadmap defines phases, deliverables, roles, and timelines, giving your team a clear line of sight from day one through to the certification audit.

The standard itself has two components. Clauses 4 through 10 define the mandatory management system requirements: context, leadership, planning, support, operations, performance evaluation, and improvement. Annex A provides a reference catalogue of 93 security controls, organised into four themes: organisational (37 controls), people (8 controls), physical (14 controls), and technological (34 controls). A well-structured roadmap addresses both components in a logical sequence, with risk driving every decision.

Pro Tip: What Procurement Teams Actually Accept

In our experience at Axipro, most sophisticated procurement teams care about three things: (1) that an independent auditor tested your controls, (2) that the criteria used are recognised and rigorous, and (3) that the report covers a recent period (ideally the last 12 months). Whether the cover page says “SOC 2” or “ISAE 3000” matters less than you think, unless the policy explicitly mandates one or the other. Always ask.

Prerequisites and Planning Before You Start

Define the Scope of Your ISMS

Scope definition is the single most consequential decision in the entire implementation. The scope should reflect the business units, locations, processes, and information assets that are most critical to your organization and most relevant to your customers and stakeholders.

A well-defined scope document should identify the boundaries of the ISMS, the interfaces and dependencies with external parties, and any intentional exclusions, with justification for each. Auditors scrutinize scope boundaries carefully. Any exclusion that appears to cherry-pick convenient systems will attract challenge.

Form Your ISO 27001 Implementation Team

Three roles are non-negotiable: an executive sponsor with authority to allocate resources and enforce decisions; a project manager who owns the day-to-day implementation timeline; and an information security lead who understands both the technical controls and the documentation requirements. Larger organisations may also need departmental representatives from IT, HR, legal, and operations.

The most common implementation failure mode is assigning ISO 27001 entirely to the IT team. The standard requires evidence that security is embedded across the organisation. HR owns the people controls. Legal owns the contractual and regulatory requirements. Finance owns the asset valuation. If those functions are not engaged early, you will discover gaps at the worst possible time. If your organisation lacks in-house expertise, working with an experienced ISO 27001 consultant can bridge that gap efficiently.

ISO 27001 Implementation Roadmap: Phase-by-Phase Breakdown

Phase 1 (2 weeks): Foundation and Planning

The first 14 days establish the governance foundation. Key deliverables include a documented ISMS scope; an approved information security policy signed by top management; a defined organisational context covering internal and external issues, interested parties, and legal requirements; and a completed gap assessment that maps your current state against the standard’s requirements.

Of these, the gap assessment is the most important document. It identifies which controls are already in place, which need to be built from scratch, and which exist informally but require documentation. Our gap analysis services are designed specifically for this phase, helping organisations cut through the ambiguity and get a clear remediation picture fast.

Phase 2 (2 weeks): Risk Assessment and Documentation

The second 14 days focus on risk and documentation. Your team completes the formal risk assessment, identifies and values assets, maps threats and vulnerabilities, and determines risk levels against your defined risk appetite. From this, you produce a Risk Treatment Plan that specifies which risks will be mitigated, accepted, transferred, or avoided, and which Annex A controls address each risk.

The Statement of Applicability (SoA) is produced during this phase. It documents all 93 Annex A controls, the justification for including or excluding each one, and the current implementation status. The SoA is typically the first document an auditor requests. It connects your risk assessment to your control selection and demonstrates that your ISMS is risk-driven rather than checklist-driven.

Phase 3 (1 to 3 weeks): Control Implementation, Internal Audit and Audit Preparation

The final phase focuses on executing the controls, training staff, and preparing for audit. Technical controls from the risk treatment plan are deployed. Operational procedures are finalised and approved. Security awareness training is delivered to all staff. An ISO 27001 internal audit is conducted to identify nonconformities before the certification body arrives. A management review is completed to demonstrate leadership engagement.

This 6-week timeline is achievable for most organisations with existing security foundations and dedicated implementation resources. Rushing the process to meet an arbitrary deadline is a common cause of audit failures and of certification theatre: documented controls that exist only on paper and fall apart under auditor questioning. For a detailed breakdown of where implementations go wrong, see our guide on common pitfalls in ISO 27001.

6-Week Detailed Implementation Timeline

Week 1: Project Initiation

Secure executive sponsorship in writing. Establish the project team and define roles. Brief key stakeholders on the standard’s requirements and business case. Set up project governance, including a steering committee and regular status reporting.

Week 2: Define ISMS Scope and Context and Conduct Gap Assessment

Document the organisational context using Clause 4 requirements. Identify interested parties and their requirements. Define and document the ISMS scope boundary. Obtain approval from top management.

Assess current security controls against ISO 27001 requirements and all 93 Annex A controls. A thorough ISO 27001 gap analysis produces a gap report that quantifies the remediation work required, prioritises gaps by risk impact and implementation effort, and forms the foundation of a credible project plan and budget.

Week 3: Policy Development and Leadership Alignment

Draft the overarching information security policy. Develop supporting topic-specific policies covering areas such as access control, acceptable use, incident management, and supplier relationships. Obtain formal approval from top management.

Week 4: Risk Assessment Framework and Assessment

Define the risk assessment methodology, including criteria for likelihood, impact, and risk acceptance thresholds. Create the asset inventory. Establish the risk register structure and tooling. Agree the risk appetite with the executive sponsor.

Identify and assess information security risks across all assets and processes within scope. Assign risk owners. Evaluate each risk against the defined criteria. Produce the initial risk register with risk scores and preliminary treatment decisions.

Develop the Risk Treatment Plan with control selections, owners, timelines, and residual risk levels. Produce the Statement of Applicability, documenting justifications for all 93 Annex A controls. Obtain formal approval from management.
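The Week 4 sequence above (scored risk register, risk appetite, treatment decisions, then an SoA that justifies every Annex A inclusion and exclusion) is where spreadsheets usually lose traceability. The script below is an added example, not Axipro’s tooling and not part of the original article: it scores a constructed risk register on a 1 to 5 likelihood and impact scale, checks it against an assumed risk appetite of 9, and builds SoA rows for a small subset of the Annex A catalogue, flagging included controls that trace to no risk and excluded controls with no documented justification. The control subset, the sample risks and the appetite threshold are all constructed for illustration; a real SoA covers all 93 controls.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Subset of the ISO 27001:2022 Annex A catalogue, enough for the example.
# A real SoA lists all 93 controls; the names here follow the 2022 edition.
ANNEX_A = {
    "A.5.15": "Access control",
    "A.5.17": "Authentication information",
    "A.7.2": "Physical entry",
    "A.8.5": "Secure authentication",
    "A.8.13": "Information backup",
    "A.8.23": "Web filtering",
}

# Assumed risk appetite: a risk scoring at or below this value may be accepted
# without treatment. Likelihood and impact are both rated 1 to 5, so scores
# range from 1 to 25.
RISK_APPETITE = 9


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int
    impact: int
    treatment: str                                     # mitigate, accept, transfer or avoid
    controls: list[str] = field(default_factory=list)  # Annex A controls selected to treat it

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def validate_register(risks: list[Risk], appetite: int = RISK_APPETITE) -> list[str]:
    """Return the register entries an internal auditor would reject."""
    problems = []
    for r in risks:
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            problems.append(f"{r.risk_id}: likelihood or impact outside the 1-5 scale")
        if r.treatment == "accept" and r.score > appetite:
            problems.append(f"{r.risk_id}: score {r.score} exceeds appetite {appetite} but is accepted")
        if r.treatment == "mitigate" and not r.controls:
            problems.append(f"{r.risk_id}: mitigated with no controls selected")
        for cid in r.controls:
            if cid not in ANNEX_A:
                problems.append(f"{r.risk_id}: unknown control {cid}")
    return problems


def build_soa(risks: list[Risk], decisions: dict[str, tuple[str, str]]) -> dict[str, dict]:
    """Build one SoA row per Annex A control.

    decisions maps a control id to (status, justification) for controls whose
    inclusion or exclusion is not driven by a risk (legal, contractual, or a
    deliberate exclusion). A control linked to a risk is always included.
    """
    soa = {}
    for cid, name in ANNEX_A.items():
        linked = [r.risk_id for r in risks if cid in r.controls]
        if linked:
            status, why = "included", "treats " + ", ".join(linked)
        elif cid in decisions and decisions[cid][1].strip():
            status, why = decisions[cid]
        else:
            status, why = "UNJUSTIFIED", ""   # no risk and no documented decision
        soa[cid] = {"name": name, "status": status, "justification": why, "risks": linked}
    return soa


def soa_findings(soa: dict[str, dict]) -> list[str]:
    """Controls with no documented basis for their inclusion or exclusion."""
    return sorted(cid for cid, row in soa.items() if row["status"] == "UNJUSTIFIED")


# Constructed sample register (not real data).
EXAMPLE_RISKS = [
    Risk("R-01", "Phished credentials used for remote access", 4, 4, "mitigate", ["A.8.5", "A.5.17"]),
    Risk("R-02", "Ransomware destroys production data", 3, 5, "mitigate", ["A.8.13"]),
    Risk("R-03", "Staff browse to malicious websites", 3, 2, "accept"),
    Risk("R-04", "Leavers retain system access", 4, 3, "mitigate"),
]
EXAMPLE_DECISIONS = {
    "A.7.2": ("excluded", "Fully remote organisation; no physical premises in scope"),
}

if __name__ == "__main__":
    for problem in validate_register(EXAMPLE_RISKS):
        print("register:", problem)
    rows = build_soa(EXAMPLE_RISKS, EXAMPLE_DECISIONS)
    for cid, row in rows.items():
        print(f"{cid:7} {row['name']:26} {row['status']:12} {row['justification']}")
    print("SoA findings:", soa_findings(rows))
```

Run against the sample data, the register check reports R-04 (a mitigated risk with no control selected), and the SoA check flags A.5.15 and A.8.23, which are neither tied to a risk nor covered by a written decision. Those are exactly the rows an auditor will stop on: a control left in the SoA with no risk behind it, or dropped with no reason recorded.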

Week 5: Develop Operational Procedures and Control Implementation

Document operational procedures for the selected controls. These are the how-to instructions that evidence the controls are actually being operated, not just defined. Procedures should be concise, practical, and version-controlled.

Deploy technical controls from the risk treatment plan. This typically includes access controls, network security configurations, logging and monitoring, backup and recovery systems, and physical security measures. Capture evidence of implementation as you go. For organisations with significant technical exposure, this is also the right point to schedule vulnerability assessment and penetration testing to validate that controls are functioning as intended.

Week 6: Employee Security Awareness and Training, Internal Audit, and Audit Preparation

Deliver security awareness training to all staff within scope. Cover key policies, reporting obligations, phishing and social engineering awareness, and incident escalation procedures. Record completion. Auditors routinely test staff awareness during the Stage 2 audit — this is not a box-tick exercise.

Conduct the internal audit against all applicable clauses and Annex A controls. The internal auditor must be independent of the processes being audited. Document findings, classify nonconformities and observations, and issue corrective actions. Verify that corrective actions are implemented before the certification audit.

Conduct the management review, covering ISMS performance, audit results, risk status, and improvement opportunities. Produce formal management review minutes. Assemble the certification audit evidence pack. Confirm Stage 1 and Stage 2 audit logistics with the certification body.

Key Stages of the ISO 27001 Certification Process

ISO 27001 Readiness Assessment

Before engaging a certification body, organisations typically conduct an internal readiness assessment to evaluate whether the ISMS is mature enough for external audit. This is distinct from the gap assessment conducted at the start of implementation. The readiness assessment asks whether documented controls are operating effectively, whether evidence is available and current, and whether staff can demonstrate awareness of their security responsibilities.

Gap Assessment

The formal ISO 27001 gap analysis maps your current security posture against the standard’s requirements. It identifies missing documentation, absent controls, and areas where informal practices need to be formalised. A well-executed gap assessment produces a prioritised remediation list that forms the foundation of the implementation plan.

Stage 1 Audit

The Stage 1 audit is a documentation review. The auditor evaluates whether your ISMS is designed correctly: whether the scope is defined, whether the information security policy is in place, whether the risk assessment has been completed, and whether the Statement of Applicability is present and coherent. Stage 1 typically lasts one to two days. Any major nonconformities identified at Stage 1 must be resolved before Stage 2 can proceed.

Stage 2 Audit

The Stage 2 audit is the certification audit. The auditor conducts an on-site or remote assessment of whether the controls documented in your ISMS are actually operating effectively. Auditors interview staff, review evidence records, inspect systems, and test whether the processes described in your documentation match what is happening in practice. A Stage 2 audit typically takes three to seven days depending on organisation size.

Experienced auditors ask questions that reveal whether controls are understood or just documented. They ask staff: what would happen if a server went down, how they would report a phishing email, who is responsible for approving access to sensitive data. Your answers must be consistent with your documented procedures. Zero incidents reported is a red flag, not a sign of excellence.

Surveillance Audit

ISO 27001 certificates are valid for three years. Annual surveillance audits — typically shorter than the initial certification audit — verify that the ISMS continues to operate effectively and that improvements are being made. Surveillance audits focus on areas where nonconformities were previously identified, as well as any significant changes to the organisation, its risk environment, or its technology landscape.

Recertification

At the end of the three-year cycle, a full recertification audit reassesses the entire ISMS. This resembles the original Stage 2 audit in scope and depth. Organisations that have maintained their ISMS diligently through annual surveillance cycles typically find recertification straightforward. Those that have allowed the ISMS to drift often face significant remediation work before they are ready to re-engage the certification body.

Core Components of ISO 27001 Implementation: Checklist

Build Your Information Security Management System (ISMS) 

The ISMS is the governance framework above all individual controls, defining how your organisation identifies risks, operates controls, and improves. It requires active leadership and clear accountability, not just a folder of policies.

Create and Publish ISMS Policies, Procedures, and Documentation 

Policies set direction, procedures describe execution, and records prove compliance. All three are mandatory and all three are assessed at audit.

Conduct Risk Assessment and Risk Treatment 

Every control decision flows from the risk assessment: identifying assets, mapping threats, estimating likelihood and impact, and documenting treatment decisions. Aim for 40 to 80 well-scoped risks rather than hundreds of near-identical entries.

Prepare the Statement of Applicability (SoA) 

The SoA lists all 93 Annex A controls and justifies every inclusion and exclusion. You do not need to implement every control, but unjustified exclusions are a common source of Stage 1 findings.

Implement Access Control and Authentication Processes 

Access must be granted on a need-to-know basis, reviewed regularly, and revoked promptly when staff leave. The standard does not name MFA, but A.8.5 (secure authentication) requires authentication strength proportionate to the risk, and for remote and privileged access MFA is the accepted baseline that auditors expect to see.

Protect Against Network and Web-Based Threats 

Network segmentation, intrusion detection, vulnerability management, and the 2022 additions of web filtering (A.8.23) and data leakage prevention (A.8.12) are baseline expectations; auditors want to see them operating with documented evidence.

Ensure Data Backup and Recovery 

Backups must be tested and proven restorable. Auditors ask for evidence of recovery tests, not just confirmation that backups are being taken.

Implement Physical Security Measures 

Entry controls, visitor management, clean desk policies, and secure media disposal are all in scope. These controls are routinely underestimated in planning; budget time for them early.

Monitor and Review Your ISMS 

Define what you measure, how often, and what triggers action. Monitoring outputs must feed into management reviews, which produce documented improvement decisions.

Continuously Improve Your ISMS 

Nonconformities from audits, incidents, or reviews must be root-cause analysed, resolved, and verified closed. This cycle is what separates a functioning ISMS from one that exists only on paper.

Mandatory Documents Required for ISO 27001 Implementation

ISO 27001:2022 mandates a specific set of documented information. Auditors request these as a baseline during Stage 1:

  • ISMS Scope (Clause 4.3) — defines the boundaries and applicability of the management system
  • Information Security Policy (Clause 5.2) — top management’s formal commitment to information security
  • Risk Assessment Process (Clause 6.1.2) — your methodology for identifying, analysing, and evaluating risks
  • Risk Treatment Plan (Clause 6.1.3) — documented decisions on how each identified risk will be treated
  • Statement of Applicability (Clause 6.1.3d) — the definitive reference for all 93 Annex A control decisions
  • Information Security Objectives (Clause 6.2) — measurable targets linked to the policy and risk assessment
  • Evidence of Competence (Clause 7.2) — training and qualification records for ISMS-related roles
  • Operational Planning Results (Clause 8.1) — evidence that security operations are carried out as planned
  • Risk Assessment Results (Clause 8.2) — the documented output of the risk assessment process
  • Risk Treatment Results (Clause 8.3) — evidence that the risk treatment plan has been carried out
  • Monitoring and Measurement Results (Clause 9.1) — evidence of what was measured and what the results were
  • Internal Audit Programme and Results (Clause 9.2) — confirmation that internal audits have been planned and conducted
  • Management Review Records (Clause 9.3) — minutes and decisions from management reviews
  • Nonconformity and Corrective Action Records (Clause 10.2) — documentation of identified nonconformities and their resolution

How to Accelerate Your ISO 27001 Implementation

Common Delays to Avoid

Scope creep. Expanding scope mid-project forces rework across the risk assessment, SoA, and documentation set. Define boundaries precisely at the start and hold them.

Weak executive engagement. Implementations stall at policy approvals and resource decisions when sponsors delegate and disengage. The sponsor should attend steering meetings and have weekly visibility during active phases.

Late-stage documentation. Deferring documentation until after controls are implemented produces thin, retrospective evidence. Write documentation in parallel with implementation, not after.

Accelerators That Speed Up the Process

Templates. ISO 27001-aligned policy and procedure templates can compress the documentation phase by several weeks. Adapt them to your context rather than treating them as off-the-shelf compliance.

GRC tools. Purpose-built platforms provide structure for risk registers, the SoA, and audit evidence management — replacing spreadsheets that become unmanageable at scale. Our compliance tools comparison covers the leading platforms in depth.

External consultants. Their value is pattern recognition: they know what auditors scrutinise, which documentation gaps attract nonconformities, and what a credible risk assessment looks like. For organisations without in-house expertise, consultant engagement typically pays for itself in avoided rework. Our Compliance Accelerator Program offers a structured, supported path to certification through software automation with a free 30-day trial.

What tools can help accelerate compliance?

Once certified, maintaining your ISMS requires continuous monitoring, evidence collection, and audit readiness. GRC and compliance automation tools take much of that manual burden off your team. Our Drata vs Thoropass vs Vanta comparison is a good starting point for evaluating your options.

What are the most common ISO 27001 implementation challenges?

The most consistently cited challenges are: securing sustained top management engagement beyond the initial sponsorship conversation; maintaining momentum through the documentation-heavy middle phases of implementation; achieving cross-functional participation from HR, legal, and operations teams that may not see information security as their responsibility; and building a risk assessment that is genuinely risk-driven rather than a mechanical exercise designed to justify a predetermined control set.

Can you achieve ISO 27001 certification without a consultant?

Yes. Organisations with experienced information security professionals and strong project management capability routinely achieve certification without external consultants. The standard’s requirements are publicly available, and the approach is logical once understood. The risk of a DIY implementation is not that it cannot be done, but that it takes longer and is more susceptible to documentation gaps and scoping errors. For organisations without in-house expertise, engaging a consultant on the gap assessment and SoA phases alone, with internal teams handling implementation, often provides the best balance of cost and quality.

Axipro Author

Pedro Dias

Pedro has been writing online for over 10 years. With experience in all things programming, cyber security, and compliance, he is our editor-in-chief at Axipro.

Blog Highlights

Explore More Articles

Plenty of companies treat an ISO 27001 certificate as proof of GDPR compliance. It is not. The two frameworks overlap heavily, but they answer different questions, and the gap between them is exactly where regulators tend to look. ISO 27001 tells you how to build a defensible security program. GDPR tells you what the law expects when that program touches personal data. Run one without understanding the other, and you will either over-engineer security you do not strictly need, or miss privacy obligations that carry real financial exposure. This article maps where ISO 27001 and GDPR meet, where they part ways, and how to run them as a single coordinated effort rather than two competing projects. What Is ISO 27001? ISO/IEC 27001 is the international standard for an Information Security Management System, or ISMS. The current edition is ISO 27001:2022. It is not a checklist of technical fixes. It is a management framework: a structured, repeatable way to identify information security risks, decide how to treat them, document those decisions, and improve over time. Clauses 4 to 10 of the standard define the mandatory ISMS requirements, covering leadership, risk assessment, internal audit, and management review. Annex A then lists 93 controls grouped into four themes: organisational, people, physical, and technological. You do not implement all 93 by default. You select the controls that address your assessed risks and justify your choices in a document called the Statement of Applicability. Certification against ISO 27001 is voluntary and is granted by an accredited third-party body after an audit. What Is GDPR? The General Data Protection Regulation is European Union law. It has been applied since 25 May 2018, and it applies to any organisation that processes the personal data of people in the EU, wherever that organisation is based. GDPR is fundamentally about the rights of individuals, not just the security of data. 
It grants people rights over their personal data, including access, correction, erasure and portability. It places obligations on the organisations that decide how data is used (controllers) and those that process it on their behalf (processors). It requires a lawful basis for every processing activity, mandates breach notification, and demands transparency about what happens to people’s information. You do not implement GDPR and receive a certificate. You obey it, and a regulator decides whether you have. Key Differences Between ISO 27001 and GDPR Scope and Purpose ISO 27001 protects all information assets an organisation holds: intellectual property, financial records, operational data, source code and, yes, personal data. Its purpose is the confidentiality, integrity and availability of information in general. GDPR is narrower in one sense and broader in another. It covers only personal data of individuals in the EU, but it protects the person behind the data, not merely the data itself. A system can be flawlessly secure and still violate GDPR. Legal Obligation vs. Voluntary Certification This is the difference that catches people out. GDPR is binding law. If you process EU personal data, compliance is not optional, and there is no opting out. ISO 27001 is a voluntary standard. Organisations pursue it for assurance, for competitive advantage, and because customers increasingly demand it. Crucially, there is no such thing as a GDPR certificate. Regulators assess compliance through investigation and enforcement, not through a badge you can display. Penalties for Non-Compliance GDPR fines run on two tiers under Article 83. Less severe infringements — such as failures around records of processing or breach notification — can reach €10 million or 2% of global annual turnover, whichever is higher. The more serious tier, covering breaches of the core processing principles and data subject rights, can reach €20 million or 4% of global annual turnover. 
Failing an ISO 27001 audit carries no legal fine at all. The consequence is commercial: you do not get the certificate, or you lose it, and that can cost you contracts. How ISO 27001 and GDPR Align Despite their different purposes, the two frameworks were built on compatible logic, which is why running them together works. Both treat information security as central. GDPR Article 32 requires “appropriate technical and organisational measures” to secure personal data. That phrasing is almost a direct description of what an ISO 27001 ISMS produces. The controls an organisation selects for confidentiality and access already serve the regulation’s security expectations. Both are risk-based. ISO 27001 starts every control decision from a risk assessment. GDPR expects the same proportionality: the measures you apply should match the sensitivity of the data and the likelihood and severity of harm. One risk methodology can serve both, provided you assess personal data processing risks alongside broader security risks. Both demand incident response. ISO 27001’s incident management controls require organisations to detect, assess and respond to security events. GDPR Article 33 requires notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it. The ISO process is the engine that makes the GDPR deadline achievable. How ISO 27001 Can Help You Comply With GDPR Four areas of an ISMS do direct, practical work toward GDPR compliance. Asset management. ISO 27001 requires an inventory of information and associated assets, with owners assigned. You cannot protect personal data, respond to access requests, or maintain records of processing if you do not know where that data lives. The asset inventory is the foundation for both frameworks. Access control. Identity management, privileged access controls and the principle of least privilege limit who can see personal data. 
That directly supports the GDPR requirement to ensure confidentiality and to prevent unauthorised access. Operational security. Logging, malware protection, backup and secure configuration keep personal data accurate, available and resistant to compromise. These map cleanly onto the integrity and availability expectations in Article 32. Techniques such as data masking for GDPR and ISO 27001 also sit within this space, reducing exposure without sacrificing operational utility. Incident management. A defined process for detecting and handling security events gives you the evidence trail and the response capability you need to

A company that already holds a SOC 2 report has, by most industry estimates, already built somewhere between 60 and 80 percent of what ISO 27001 certification requires. Yet only a small fraction of organizations actually capture that overlap. Teams run the second framework as a fresh project, rewrite policies that already exist, and re-collect evidence they already have on file. The result is paying twice for the same security program. SOC 2 to ISO 27001 mapping is the discipline that stops this. It is a control crosswalk: a structured comparison that shows which SOC 2 controls already satisfy which ISO 27001 requirements, where the genuine gaps sit, and what new work the second framework actually demands. Done well, it turns the second audit from a rebuild into a mapping exercise. What Is SOC 2 to ISO 27001 Mapping? SOC 2 to ISO 27001 mapping links each SOC 2 Trust Services Criterion to its corresponding ISO 27001 clause or Annex A control. The output is a single control library: each control is defined once, tagged to both frameworks, and backed by evidence that both auditors will accept. Worth being clear about upfront: a crosswalk does not make you compliant with anything. It shows where coverage already exists and where it does not. The real work still sits in control design, evidence discipline, and keeping the mapping current as systems and vendors change. A spreadsheet built once and never touched again becomes an audit liability, not an asset. For a structured starting point, a thorough SOC 2 to ISO 27001 gap analysis will surface those liabilities before an auditor does.   SOC 2 Trust Services Criteria: An Overview SOC 2 is an attestation framework from the American Institute of Certified Public Accountants (AICPA). It is built on five Trust Services Categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is the only mandatory category, and every SOC 2 report includes it. 
The Security category is evaluated through the Common Criteria, written as CC1 through CC9, containing 32 individual criteria in total. CC1 through CC5 cover the control environment, communication, risk assessment, monitoring, and control activities, and they align directly with the COSO internal control framework. CC6 through CC9 are more technology-specific, covering logical and physical access, system operations, change management, and risk mitigation. A SOC 2 audit produces one of two report types. A Type 1 report assesses control design at a single point in time. A Type 2 report assesses both design and operating effectiveness across an observation window, usually 3 to 12 months. A licensed CPA firm issues the report. SOC 2 is an attestation, not a certification, and there is no such thing as a SOC 2 certificate. ISO 27001 Annex A Controls: An Overview ISO/IEC 27001 is the international standard for an information security management system, or ISMS. The current version, ISO 27001:2022, has two distinct layers, and the distinction matters for any mapping effort. Clauses 4 through 10 define the management system itself: organizational context, leadership, planning, risk treatment, support, operations, performance evaluation, and improvement. These clauses are mandatory. Annex A is the second layer, a reference catalogue of 93 controls grouped into four themes: Organizational (37 controls), People (8), Physical (14), and Technological (34). The 2022 revision consolidated the previous 114 controls and 14 domains and added 11 new controls covering areas such as threat intelligence and cloud security. Annex A controls are not all mandatory. Organizations select controls based on a risk assessment and record their choices, including any exclusions and the reasoning behind them, in a Statement of Applicability. Certification is granted by an accredited body, lasts three years, and requires annual surveillance audits. 
Learn more about what the full certification process involves.   Key Structural Differences That Affect Mapping The two frameworks share a large security foundation, but they are built differently, and a mapping that ignores the structural gaps will fail. Understanding ISO 27001 vs SOC 2 at a structural level is the prerequisite for any mapping work worth doing. Four differences matter most. ISO 27001 certifies a management system, while SOC 2 attests to a set of controls. ISO Clauses 4 through 10 have no direct SOC 2 equivalent, because SOC 2 never asks you to prove you run a continuous, governed program; it asks only whether specific controls met specific criteria during the review period. Scope differs too. An ISO 27001 ISMS is expected to cover the organization broadly, while SOC 2 scope is set at the level of a system or service. The outputs differ as well: ISO produces a pass or fail certificate, whereas a SOC 2 report can carry noted exceptions or a qualified opinion and still be a valid, useful report. And because SOC 2 Type 2 tests evidence across a defined window, a control that worked only on audit day will not pass. The most common mapping mistake is treating ISO 27001 as SOC 2 plus a few extra controls. It is not. The Annex A controls map cleanly, but the ISMS management clauses, including internal audit, management review, and continual improvement, are a separate body of work with no SOC 2 starting point. Budget for them as net-new.   SOC 2 Common Criteria to ISO 27001 Control Mapping The Common Criteria map to ISO 27001 with a high degree of overlap. The table below is a practical starting crosswalk for the CC series. It lists the primary ISO 27001 references rather than every possible match, and your auditor’s judgment will shape the final mapping. 
SOC 2 Common Criteria | Topic | Primary ISO 27001:2022 References
CC1 | Control Environment | Clauses 5 (Leadership), 6 (Planning), A.5.1, A.5.2, A.6.1–A.6.4
CC2 | Communication and Information | Clause 7.4 (Communication), A.5.1, A.6.3, A.8.2
CC3 | Risk Assessment | Clause 6.1 (Risk Assessment), A.5.7, A.8.8
CC4 | Monitoring Activities | Clause 9 (Performance Evaluation), A.5.35, A.5.36, A.8.16
CC5 | Control Activities | Clause 6.1.3 (Risk Treatment), A.5.37, A.8.9
CC6 | Logical and Physical Access | A.5.15–A.5.18, A.5.31, A.7.1–A.7.4, A.8.2–A.8.5, A.8.18
CC7 | System Operations and Incident Response | A.5.24–A.5.28, A.8.15, A.8.16
CC8

The world’s first comprehensive AI law is not a single switch that flips on in August 2026. It is a layered regulation that has been activating in stages since February 2025. As of May 2026, it is already being rewritten to give companies more time on the hardest parts. Anyone trying to plan around a single deadline is working from a map that no longer matches the territory.

The law’s reach is also global. Just as GDPR exported European privacy norms worldwide, the EU AI Act is producing a Brussels Effect for artificial intelligence: a regulation drafted in Europe that becomes the de facto global standard. Companies in the US, the UK, Bahrain, and anywhere else with EU customers or EU-facing outputs are already in scope, whether or not they have a European office.

This guide cuts through the noise. It explains what the EU AI Act actually requires, who it applies to, which rules are already live, which were just pushed back by the EU’s recent simplification deal, and what the penalties really look like for companies of different sizes.

What Is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) is a horizontal law that sets harmonised rules for developing, placing on the market, and using artificial intelligence systems across the European Union. It is the first comprehensive AI law passed by any major regulator anywhere in the world, and it entered into force on 1 August 2024.

The Act takes a risk-based approach. Rather than regulating AI as a single category, it sorts AI systems into tiers based on the harm they could cause to health, safety, or fundamental rights. The higher the risk, the stricter the obligations. Prohibited uses are banned outright. High-risk uses are heavily regulated. Most everyday AI — like spam filters and product recommenders — is left alone.

The law also creates a separate, parallel regime for general-purpose AI (GPAI) models, the foundation models behind systems like ChatGPT, Claude, and Gemini. That regime is enforced at the EU level rather than at the national level.

Why Was the EU AI Act Created?

The official answer is to foster trustworthy AI in Europe. The real answer is broader: the EU watched generative AI go mainstream in late 2022 and concluded that existing law — particularly GDPR — was not enough to address the specific risks AI systems pose. Opacity in decision-making, bias in hiring tools, biometric surveillance, and the manipulation potential of generative models all sat uneasily in the regulatory gap between data protection law and product safety law.

The EU’s stated goals are to protect health, safety, and fundamental rights, while preserving innovation and the single market. The political subtext is the Brussels Effect: do for AI what GDPR did for privacy, and let European rules become the global default by virtue of market access. Brazil, Canada, the UK, several US states, and Gulf jurisdictions, including Bahrain, are already drafting AI rules that borrow heavily from the EU framework. Looking at how AI governance is likely to evolve through the end of the decade, the trajectory is already becoming clear.

Who Does the EU AI Act Apply To?

The Act does not apply to AI itself. It applies to people and organisations that build, sell, or use AI systems. Article 3 defines those roles without reference to company size, so a two-person startup is in scope on the same legal basis as a Fortune 500 enterprise.

Providers and Developers

A provider is anyone who develops an AI system — or has one developed — and places it on the EU market or puts it into service under their own name or trademark. Providers carry the heaviest load of obligations, particularly for high-risk systems: risk management, technical documentation, conformity assessment, post-market monitoring, and incident reporting.

A provider is distinct from a downstream developer who simply integrates a third-party AI component. But the line moves: if you take a general-purpose model and put your name on the resulting product, you can become a provider yourself.

Deployers and Operators

A deployer is anyone using an AI system in a professional capacity. If you are a bank running a credit-scoring model you bought from a vendor, you are a deployer. Deployers have lighter obligations than providers but still carry real ones: ensuring human oversight, monitoring system behaviour, informing affected individuals, and conducting fundamental rights impact assessments where required.

The term operator in the Act is an umbrella that covers providers, deployers, importers, distributors, and authorised representatives.

Application Outside the EU

This is where many non-EU companies get caught. The AI Act applies extraterritorially. A US LLC training a model in Texas, a UK firm running an AI hiring tool, or a Bahrain-based fintech using AI for credit scoring is in scope the moment the output affects someone in the EU. If a US company develops an AI hiring tool and a German employer uses it on German candidates, the US provider is in scope — even with no EU office. The trigger is whether the system’s output is used in the Union, not where the company sits.

Pro Tip: Selling AI Tools to EU Customers from Outside the EU

If you sell AI tools to EU customers from outside the EU, you must appoint an authorised representative established in a Member State before placing high-risk systems on the market. This is not optional and is one of the most commonly missed obligations for non-EU providers.

The Risk-Based Approach: How the EU AI Act Classifies AI Systems

The framework sorts AI systems into four tiers. The obligations scale with the tier.

Unacceptable Risk: Prohibited AI Practices

Article 5 prohibits eight categories of AI practice outright. These prohibitions became enforceable on 2 February 2025, well before the rest of the Act. The banned practices are:

Subliminal or manipulative techniques designed to distort behaviour and cause significant harm.
Exploitation of vulnerabilities related to age or disability.
Social scoring by public or private actors —