ISO 27001 compliance means your organization runs an Information Security Management System (ISMS) that meets the ISO/IEC 27001 requirements—i.e., you manage information security through a risk-based, continuously improving system, not ad-hoc controls.
What “compliance” usually means in practice
Most organizations use the term in one of two ways:
1) Conformance (internal compliance)
You align your policies, processes, and evidence to ISO 27001 requirements, but you may not be externally certified. Typical expectations:
– Defined ISMS scope (what systems, teams, and locations are included)
– Risk assessment + risk treatment plan (what risks you accept/mitigate)
– Implemented controls and operating procedures
– Evidence you operate and improve the ISMS (audits, reviews, corrective actions)
2) Certified compliance (externally audited)
An accredited certification body audits you and issues an ISO 27001 certificate if you pass a two-stage audit:
– Stage 1: documentation/readiness review
– Stage 2: implementation and effectiveness audit
Core ISO 27001 artifacts you’re expected to have
Common “must-have” items auditors look for:
ISMS governance and risk management
– ISMS scope and context
– Risk assessment method + risk register
– Risk treatment plan (what you do about each risk)
– Defined roles and responsibilities
Statement of Applicability (SoA)
The SoA is a central ISO 27001 document that lists the Annex A controls you’ve selected (and which you exclude, with justification), mapping them to your risks.
Annex A controls (ISO 27001:2022)
In the 2022 edition, Annex A has 93 controls grouped into four themes:
– Organizational
– People
– Physical
– Technological
What auditors typically test
Beyond “documents exist,” auditors check effectiveness:
– Access control and identity management practices
– Incident handling and evidence of response
– Asset management and supplier security expectations
– Change management, patching, backup/restore testing
– Internal audits and management review evidence
Related Glossary Terms
ISMS (Information Security Management System)
Statement of Applicability (SoA)
Risk Assessment
Annex A Controls
Incident Response Plan
Certificate Management
Secure Update Pipeline
Access Control