Build an internationally recognized Information Security Management System. palmiq delivers end-to-end ISO 27001:2022 readiness — from ISMS design and Annex A control implementation through Stage 1 and Stage 2 audit preparation
ISO/IEC 27001:2022 is the international standard for information security management. Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it provides a systematic framework for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
Unlike compliance frameworks that focus on prescriptive checklists, ISO 27001 takes a risk-based approach. Organizations identify their unique information security risks, select appropriate controls from Annex A to mitigate those risks, and document their decisions in a Statement of Applicability (SoA).
The current version — updated in October 2022 — restructured the Annex A controls from 114 across 14 domains to 93 controls across 4 themes: Organizational, People, Physical, and Technological. Certification requires a Stage 1 audit (documentation review) followed by a Stage 2 audit (operational effectiveness) conducted by an accredited certification body.
93 Annex A Controls (2022 Edition)
4 Control Themes: Org · People · Physical · Tech
7 Mandatory Clauses (Clauses 4–10)
11 New Controls Added in 2022
Is ISO 27001 Right for Your Organization?
ISO 27001 is the most widely recognized information security certification in the world. Organizations pursue it to win business, satisfy regulatory obligations, and systematically reduce risk.
SaaS & Cloud Providers
Enterprise buyers increasingly require ISO 27001 as a minimum threshold for vendor procurement. Certification removes barriers from sales cycles.
Financial Services & Fintech
Regulators and institutional partners expect internationally recognized ISMS certification. ISO 27001 satisfies due diligence requirements across multiple jurisdictions.
Government Contractors
ISO 27001 maps to NIST 800-53, NIST 800-171, and CMMC controls. Certification shows a mature security program and strengthens competitive proposals.
Global Organizations
Operating across multiple countries? ISO 27001 is recognized in 160+ nations, providing a universal security standard that satisfies diverse regulatory landscapes.
MSPs & IT Service Providers
Clients trust MSPs with their most sensitive systems. ISO 27001 certification proves your internal operations meet the same standards you recommend to clients.
Sound Familiar?
These are the problems organizations bring to palmiq when pursuing ISO 27001 certification.
“We Don’t Know How to Build an ISMS from Scratch.”
palmiq designs your ISMS architecture from the ground up — defining scope, risk methodology, governance structure, and policy framework aligned with Clauses 4–10 before a single control is implemented.
“The Documentation Requirements Are Overwhelming.”
Our team produces every mandatory document: ISMS scope, risk assessment methodology, risk treatment plan, Statement of Applicability, security policies, procedures, and the evidence auditors require at each clause.
“We Need Technical Controls, Not Just Paperwork.”
As a full-stack MSP, palmiq doesn’t just write documentation. We implement and operate the Annex A technical controls — access management, SIEM, encryption, endpoint protection, backup, and monitoring.
“We Don’t Know How to Prepare for the Certification Audit.”
palmiq conducts a full internal audit, runs management review meetings, prepares evidence packages for both Stage 1 and Stage 2, and coordinates directly with your chosen certification body.
What palmiq’s ISO 27001 Services Include
End-to-end ISMS implementation from gap analysis through certification and ongoing surveillance audits.
1. Gap Analysis & Readiness Assessment
- Evaluate current posture against all 7 mandatory clauses
- Assess existing controls against Annex A requirements
- Identify gaps in policies, technical controls, and evidence
- Determine ISMS scope and boundaries
- Deliver prioritized remediation roadmap with timelines
2. ISMS Design & Documentation
- ISMS scope statement and context analysis (Clause 4)
- Information security policy and objectives (Clause 5)
- Risk assessment methodology and risk treatment plan (Clause 6)
- Statement of Applicability (SoA) with control justifications
- Roles, responsibilities, and competency frameworks (Clause 7)
- Operational planning and control procedures (Clause 8)
3. Annex A Control Implementation
- Access management, MFA, and identity governance (Entra ID, Okta)
- SIEM deployment and centralized log management
- Endpoint detection and response (CrowdStrike, SentinelOne)
- Encryption, DLP, and data classification policies
- Business continuity and disaster recovery (Acronis, Datto)
- Vendor risk management and supply chain security
4. Internal Audit & Certification Preparation
- Full internal ISMS audit against Clauses 4–10 (Clause 9.2)
- Management review meetings and evidence (Clause 9.3)
- Corrective action tracking and closure (Clause 10)
- Stage 1 documentation package preparation
- Stage 2 operational evidence collection
- Direct certification body coordination
93 Controls Across Four Themes
The 2022 update restructured Annex A from 14 domains into 4 themes, streamlining control selection and implementation.
37 Organizational controls
Policies, asset management, access control, supplier relationships, incident management, and business continuity.
8 People controls
Screening, terms of employment, security awareness training, disciplinary processes, and remote work policies.
Clauses 4–10 define the management system requirements your organization must satisfy for ISO 27001 certification.
Context of the Organization (Clause 4)
Define your ISMS scope, identify internal and external issues, understand stakeholder needs, and document how your ISMS interacts with your broader business operations.
Leadership (Clause 5)
Demonstrate top management commitment through signed policies, defined roles and responsibilities, resource allocation, and active participation in ISMS governance.
Planning (Clause 6)
Conduct risk assessments, define risk treatment plans, select Annex A controls, produce the Statement of Applicability (SoA), and set measurable ISMS objectives.
Support (Clause 7)
Provide the resources, competencies, awareness training, communication channels, and documented information your ISMS needs to function effectively.
Operation (Clause 8)
Execute risk treatment plans, implement Annex A controls, and manage operational processes to ensure information security objectives are met.
Performance Evaluation (Clause 9)
Monitor, measure, and evaluate ISMS performance. Conduct internal audits (9.2) and management reviews (9.3) to verify controls are operating as intended.
Improvement (Clause 10)
Address nonconformities with corrective actions, track root causes, and drive continual improvement of the ISMS through a closed-loop process.
From Gap Analysis to Certified ISMS
A proven six-step process that takes your organization from initial assessment through certification and ongoing maintenance.
1. Gap Analysis & Scoping: We evaluate your current security posture against ISO 27001:2022, determine ISMS boundaries, identify gaps in all 7 mandatory clauses and applicable Annex A controls, and deliver a prioritized remediation roadmap.
2. ISMS Design & Risk Treatment: palmiq designs your ISMS architecture, establishes risk assessment methodology, conducts the initial risk assessment, produces the risk treatment plan, and creates the Statement of Applicability documenting every Annex A control decision.
3. Policy & Documentation Development: Our team writes all required policies, procedures, and work instructions: information security policy, access control policy, incident response plan, business continuity plan, supplier management policy, and every document auditors expect to see.
4. Technical Control Implementation: palmiq engineers deploy and configure the technical controls mapped to your risk treatment plan: identity management, SIEM, endpoint protection, encryption, network security, backup, vulnerability scanning, and monitoring tools.
5. Internal Audit & Management Review: We conduct a comprehensive internal audit against Clauses 4–10, facilitate management review meetings, track corrective actions to closure, and build the complete evidence package for your certification body.
6. Certification Audit Support & Ongoing Maintenance: palmiq coordinates directly with your certification body through Stage 1 and Stage 2 audits, resolves any findings, and provides ongoing support for annual surveillance audits and the three-year recertification cycle.
Build Your ISMS with Engineers, Not Just Consultants
Assess + Build + Operate
We don’t hand you a binder and walk away. palmiq designs, implements, and manages your ISMS controls as part of ongoing managed services.
Azure, Entra ID, Sentinel
Expert deployment of the Microsoft security stack for Annex A technological controls: identity, monitoring, endpoint protection, and cloud security.
Backup, DR & Continuity
Enterprise-grade backup and disaster recovery that directly satisfies Annex A business continuity, availability, and ICT readiness controls.
ISO + CMMC + SOC 2 + HIPAA
Map ISO 27001 controls to NIST 800-171, SOC 2 TSC, HIPAA, and CMMC simultaneously. One engagement, multiple compliance outcomes.
Ashburn, Virginia
Certified women-owned MSP serving government, defense, pharma, and commercial clients. No long-term contracts required.
English & Spanish
Full service delivery in English and Spanish, supporting organizations across the Americas with internationally recognized certification.
"palmiq built our ISMS from the ground up, implemented every technical control, ran the internal audit, and walked us through both Stage 1 and Stage 2 with zero nonconformities. We couldn’t have done it without their team."
— VP of Engineering, Global SaaS Provider
ISO 27001 as the Foundation for Multi-Standard Compliance
ISO 27001’s Annex SL structure and Annex A controls map directly to other security and privacy frameworks, reducing duplication and accelerating additional compliance programs.
NIST 800-171 & CMMC
ISO 27001 Annex A controls map extensively to NIST 800-171 families. Organizations pursuing both can share risk assessments, policies, and technical implementations.
SOC 2 Type II
The Trust Services Criteria align closely with ISO 27001. A certified ISMS provides a strong foundation for SOC 2 readiness, sharing evidence across both programs.
HIPAA
ISO 27001 Annex A controls cover administrative, physical, and technical safeguards that align with HIPAA Security Rule requirements for covered entities and business associates.
GDPR
Article 32 of GDPR requires appropriate technical and organizational measures. ISO 27001 certification demonstrates a systematic approach to data protection compliance.
ISO 27701 (Privacy)
ISO 27701 extends ISO 27001 with privacy-specific requirements. A certified ISMS is a prerequisite, making ISO 27001 the gateway to privacy management certification.
NIST Cybersecurity Framework
NIST CSF’s five functions (Identify, Protect, Detect, Respond, Recover) align naturally with ISO 27001 clause structure and Annex A control themes.
Frequently Asked Questions
What is the difference between ISO 27001 and ISO 27002?
How long does ISO 27001 certification take?
Do we have to implement all 93 Annex A controls?
What changed between ISO 27001:2013 and 2022?
What is a Statement of Applicability?
How does ISO 27001 relate to CMMC and NIST 800-171?
Ready to Build an Internationally Certified ISMS?
Don’t let complexity slow you down. palmiq gives you a clear, managed path from gap analysis to ISO 27001 certification — with the engineering team to back it up.