ISO/IEC 27001:2022 — ISMS foundations

ISO 27001 is a management-system standard. Audits test whether the ISMS works in practice — governance, risk management, control execution, continual improvement. This page covers the two artefacts that anchor every certification audit (the ISMS scope statement under Clause 4.3 and the mandatory Statement of Applicability under Clause 6.1.3 d) and the Stage 1 / Stage 2 / surveillance / recertification cycle.

Quick decision

  • You need to write the ISMS scope statement → Clause 4.3. Cover organisational functions, locations, business processes, information systems and assets. Anchor in Clause 4.1 context and 4.2 interested parties.
  • You need to build the Statement of Applicability → Annex A is normative; the SoA is mandatory under Clause 6.1.3 d. Include all 93 Annex A controls with inclusion/exclusion justification.
  • You are preparing for Stage 1 → focus on documentation completeness: scope, policy, risk and treatment records, SoA, internal-audit programme, management-review minutes.
  • You are preparing for Stage 2 → focus on operational evidence: control execution records, decisions, supplier and incident evidence, corrective actions, training records.

TL;DR

  • ISMS scope (Clause 4.3) is mandatory documented information naming the boundaries — functions, locations, processes, assets.
  • Statement of Applicability (Clause 6.1.3 d) is mandatory — covers all 93 Annex A controls with inclusion/exclusion justification. Unlike ISO 42001, this is non-negotiable.
  • Annex A is normative — the organisation considers every control and documents its position.
  • Stage 1 = documentation review. Stage 2 = operational audit. Surveillance annually for two years. Recertification at month 36.
  • Auditors sample operational reality, not documentation completeness — control execution records, decisions, evidence.

Primary source

ISO/IEC 27001:2022 — Clauses 4.1, 4.2, 4.3, 6.1.2, 6.1.3, 9.2, 9.3. Available via the ISO Online Browsing Platform. © ISO.

ISMS scope you can defend (Clause 4.3)

In ISO work, scoping is the contract with the auditor. The Stage 2 sampling plan flows from the scope statement.

A defensible ISMS scope statement is:

  • Specific — names what is included and explicitly excluded. "All systems supporting customer-facing services delivered from the Zurich data centre" is verifiable; "the organisation's information" is not.
  • Anchored in context — references the issues identified under Clause 4.1 and the interested-party requirements under 4.2.
  • Operational — names accountable functions and which processes apply.
  • Reviewable — describes how scope changes are approved and recorded.
  • Aware of interfaces — names dependencies on activities performed by other organisations (suppliers, group entities) that fall outside the ISMS scope.

For AI systems, the ISMS scope often extends beyond the model itself into the operational environment — infrastructure, vendors, data pipelines, incident handling. ISO/IEC 27001 is the security backbone; AI-specific risk and impact mechanisms sit in ISO/IEC 42001.

Statement of Applicability — the mandatory artefact (Clause 6.1.3 d)

The Statement of Applicability is the documented record of control selection. Under Clause 6.1.3 d it must contain:

  • The necessary controls — both those selected from Annex A and any additional controls the organisation has determined are required to treat the identified risks.
  • Justification for inclusion — what risk drives this control.
  • Implementation status — implemented, in progress, or planned (with target).
  • Justification for exclusion — where any Annex A control has been excluded, the rationale.

A workable SoA captures, per control:

  • Control reference (e.g., A.5.1, A.8.10).
  • Inclusion / exclusion decision.
  • Justification linked to the risk register.
  • Implementation status + responsible function.
  • Evidence reference — where the operational evidence is recorded.

Auditors sample the SoA throughout Stage 2 and surveillance. SoA discipline is one of the most heavily tested areas of an ISO 27001 audit.

Go deeper: Annex A (controls reference).

The certification audit cycle

| Stage | Timing | Auditor focus |
| --- | --- | --- |
| Stage 1 — documentation review | Initial certification | Scope, policy, risk and treatment, SoA, audit programme, management review |
| Stage 1 findings | Before Stage 2 | Typically closed before Stage 2 commences |
| Stage 2 — operational audit | Initial certification | On-site sampling of evidence; conformity + effectiveness |
| Certification decision | Post-Stage 2 | Certificate issued by the accredited certification body |
| Year 1 surveillance | ~12 months after certification | Sample of clauses + always: nonconformities, audit, review, changes |
| Year 2 surveillance | ~24 months | Same depth as year 1 |
| Recertification | ~36 months | Full audit at Stage 2 depth; new three-year certificate |

The most important pattern: auditors sample operational reality (records, decisions, evidence) — not just the existence of policy documents. The ISMS has to operate, not just be written.

Annex A is normative — the SoA is mandatory

ISO 27001 differs from ISO 42001 here. Under ISO 27001, every Annex A control gets a position in the SoA — included or excluded with justification. Under ISO 42001, Annex A is informative and selection is risk-driven (though every accredited audit still expects an SoA-equivalent record).

How to operationalise scope + SoA in Modulos

Modulos models the ISMS scope + SoA against the OFF-9 framework template. The scope statement, Statement of Applicability and audit artefacts live as control-level evidence on the relevant ORF requirements:

| Requirement (OFF-9) | Description | ISO 27001 clause |
| --- | --- | --- |
| ORF-198 | Determining the scope of the ISMS | 4.3 |
| ORF-199 | Information security management system | 4.4 |
| ORF-201 | Policy | 5.2 |
| ORF-204 | Information-security risk assessment | 6.1.2 |
| ORF-205 | Information-security risk treatment + Statement of Applicability | 6.1.3 (incl. 6.1.3 d) |
| ORF-217 / ORF-218 | Internal audit + audit programme | 9.2.1 / 9.2.2 |
| ORF-219 / ORF-220 / ORF-221 | Management review (process, inputs, outputs) | 9.3.1 / 9.3.2 / 9.3.3 |
| ORF-222 / ORF-223 | Continual improvement + nonconformity and corrective action | 10.1 / 10.2 |

The Statement of Applicability lives as control-level evidence on ORF-205. Modulos does not provide a dedicated SoA workflow surface — the SoA is owner-authored documentation stored as evidence with versioning.

Cross-framework mapping (preview)

| ISO 27001 element | Adjacent provision |
| --- | --- |
| Clause 4.3 ISMS scope | ISO 42001 Clause 4.3 AIMS scope; ISO 27701 Clause 4.3 PIMS scope |
| Clause 6.1.3 d Statement of Applicability (mandatory) | ISO 42001 Statement of Applicability (informative but expected); EU AI Act Annex IV technical documentation |
| Clause 6.1.2 risk assessment | ISO 31000 risk-management process; ISO 42001 Clause 6.1.2 |
| Stage 1 / Stage 2 / surveillance cycle | Identical across ISO 42001, 27001, 27701, 9001 |
| Internal audit (Clause 9.2) | ISO 42001 / 27701 / 9001 Clause 9.2 |
| Management review (Clause 9.3) | ISO 42001 / 27701 / 9001 Clause 9.3 |

Source attribution

ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements, Clauses 4.1, 4.2, 4.3, 4.4, 5.2, 6.1.2, 6.1.3, 9.2, 9.3, 10.1, 10.2. © ISO/IEC. Available via the ISO Online Browsing Platform.

Disclaimer

This page is for general informational purposes and does not constitute legal or certification advice.