ISO/IEC 27001 (Free Resource)

ISO/IEC 27001: Run the ISMS from scope to certification evidence

Use this ISO/IEC 27001:2022 hub to turn the standard into operating decisions: define the ISMS boundary, assign leadership accountability, assess information security risks, choose risk treatments, maintain the Statement of Applicability, and keep Annex A control evidence current.

The topic pages focus on the records that auditors, customers, and internal owners actually need: risk registers, treatment approvals, SoA justifications, control ownership, internal audit findings, management review outputs, surveillance evidence, and corrective actions.

Publication details
Editorial metadata for this artifact
Author
Sorena AI
Published
Mar 4, 2026
Updated
Mar 4, 2026
What this hub helps you do
Scope and leadership
Set the ISMS boundary around products, services, locations, processes, interested parties, and accountable roles before evidence work starts.
Risk, SoA, and controls
Connect risk assessment, treatment decisions, Annex A control selection, exclusions, control owners, and residual-risk acceptance in one traceable record.
Certification readiness
Prepare internal audit, management review, corrective action, certification-body evidence, surveillance, and continual-improvement records before audit sampling.
By Sorena AI. Updated 2026. No signup required.
Quick scan
ISO/IEC 27001
Scope and leadership
Document the ISMS boundary, required interested-party needs, security policy, accountable roles, objectives, resources, and communication rules.
Risk, SoA, and controls
Use the risk process to justify treatment options, Annex A applicability, exclusions, implementation status, and residual-risk approvals.
Certification readiness
Keep internal audit plans, findings, management review decisions, nonconformities, corrective actions, and surveillance updates tied to live ISMS changes.
The goal is operational clarity: every ISMS decision should have an owner, risk basis, evidence record, exception path, approval, and review trigger.

Topic guides

Deep dive pages for implementation planning, controls, reporting, and evidence.

1. ISO/IEC 27001 Annex A Control Evidence Guide
   Build useful ISO/IEC 27001:2022 Annex A control evidence: selected controls, SoA rationale, owners, implementation proof, effectiveness checks, audit records, and improvement actions.

2. ISO/IEC 27001 Audit Readiness Guide
   Prepare ISO/IEC 27001 audit evidence across ISMS scope, risk assessment, risk treatment, Statement of Applicability, Annex A controls, internal audit, management review, and corrective actions.

3. ISO/IEC 27001 Certification Stage Workflow
   A practical ISO/IEC 27001 certification workflow for scope readiness, Stage 1 document review, Stage 2 evidence, nonconformities, corrective action, certification decision, surveillance, and recertification.

4. ISO/IEC 27001 Compliance Guide: ISMS Evidence
   Build ISO/IEC 27001 compliance around ISMS scope, risk assessment, risk treatment, Statement of Applicability, Annex A controls, audits, management review, and corrective action evidence.

5. ISO/IEC 27001 FAQ: ISMS Scope, Risk and SoA
   Practical ISO/IEC 27001 FAQ covering ISMS scope, risk assessment, risk treatment, Statement of Applicability, Annex A controls, certification evidence, audits, management review, and surveillance readiness.

6. ISO/IEC 27001 Implementation Roadmap Guide
   ISO/IEC 27001 Implementation Roadmap for the ISO/IEC 27001:2022 Information Security Management System: scope decisions, ownership, evidence records, and review actions.

7. ISO/IEC 27001 Internal Audit and Management Review Guide
   ISO/IEC 27001 Internal Audit and Management Review for the ISO/IEC 27001:2022 Information Security Management System: scope decisions, ownership, evidence records, and review actions.

8. ISO/IEC 27001 Requirements Guide
   ISO/IEC 27001 Requirements for the ISO/IEC 27001:2022 Information Security Management System: scope decisions, ownership, evidence records, and review actions.

9. ISO/IEC 27001 Risk Treatment and Residual Risk Guide
   ISO/IEC 27001 Risk Treatment and Residual Risk for the ISO/IEC 27001:2022 Information Security Management System: scope decisions, ownership, evidence records, and review actions.

10. ISO/IEC 27001 Risk Treatment Register Workflow
    ISO/IEC 27001 Risk Treatment Register Workflow for the ISO/IEC 27001:2022 Information Security Management System: scope decisions, ownership, evidence records, and review actions.

11. ISO/IEC 27001 SoA: workflow for gathering and documenting control evidence
    ISO/IEC 27001 Statement of Applicability Evidence Workflow for the ISO/IEC 27001:2022 Information Security Management System: scope decisions, ownership, evidence records, and review actions.

12. ISO/IEC 27001 Statement of Applicability template: Annex A control selection and justification
    ISO/IEC 27001 Statement of Applicability Template for the ISO/IEC 27001:2022 Information Security Management System: scope decisions, ownership, evidence records, and review actions.

13. ISO/IEC 27001 vs NIS2 Comparison
    ISO/IEC 27001 vs NIS2 for the ISO/IEC 27001:2022 Information Security Management System: scope decisions, ownership, evidence records, and review actions.

14. ISO/IEC 27001 vs NIST CSF 2.0 Comparison
    ISO/IEC 27001 vs NIST CSF 2.0 for the ISO/IEC 27001:2022 Information Security Management System: scope decisions, ownership, evidence records, and review actions.

15. ISO/IEC 27001 vs SOC 2 Comparison
    ISO/IEC 27001 vs SOC 2 for the ISO/IEC 27001:2022 Information Security Management System: scope decisions, ownership, evidence records, and review actions.
Next step

Turn ISO/IEC 27001 into governed ISMS work

Route ISO/IEC 27001 implementation into owned tasks, risk decisions, SoA updates, evidence requests, internal reviews, and certification checkpoints so the ISMS stays current after the first audit.

What this unlocks
  • Start from the page that matches the current ISMS gap: scope, risk treatment, SoA, control evidence, audit, or management review.
  • Use Research Copilot to answer ISO/IEC 27001 interpretation questions with cited source support.
  • Use SSOT to keep owners, risk decisions, evidence records, nonconformities, and review history governed.