What ISO 27001 requires
ISO 27001 compliance is built around an Information Security Management System (ISMS). The mandatory management clauses (4–10) require leadership commitment, a documented risk assessment, security objectives, competence and awareness, internal audits, and continual improvement. The defining idea is that the standard is risk-based: rather than handing you a fixed checklist, it requires you to assess your own risks, decide which controls are necessary to treat them, and justify those decisions.
For a plain-English overview and how it compares to SOC 2, read our guide on what ISO 27001 is and whether Canadian companies need it.
The 93 Annex A controls
Annex A of ISO 27001:2022 lists 93 controls across four themes — Organizational (37), People (8), Physical (14), and Technological (34). You decide which apply to your ISMS based on your risk assessment and document each decision, with justification, in your Statement of Applicability. SecuritComply keeps every Annex A control organized so you always know your status and what evidence supports it.
How SecuritComply automates your ISMS
- All 93 Annex A controls pre-loaded and mapped to your ISMS
- Guided risk assessment with treatment tracking
- Statement of Applicability generated from your control decisions
- Policy templates aligned to ISO 27001 clauses and controls
- Centralized evidence for internal audits and certification audits
- Cross-mapping to SOC 2 so shared evidence counts once
- Canadian data residency — your ISMS records stay in Canada
The certification path
Certification follows a clear path: define scope, run your risk assessment, select controls and write your Statement of Applicability, implement and operate the ISMS, conduct an internal audit and management review, then pass the two-stage certification audit (Stage 1 reviews documentation and readiness; Stage 2 tests, against evidence, that the ISMS is implemented and operating effectively). Compare costs across frameworks with our cost calculator, or find an ISO 27001 auditor in the marketplace. Need the controls operated for you? Our sister company Secur-IT Data Solutions provides managed cybersecurity services.
ISO 27001 compliance FAQ
What is ISO 27001 compliance?
ISO 27001 is the international standard for information security management. Compliance means building and operating an Information Security Management System (ISMS) — a risk-based, documented system for protecting information — and, if you choose to certify, passing an audit by an accredited certification body.
What are the 93 Annex A controls?
Annex A of ISO 27001:2022 is a catalogue of 93 security controls grouped into four themes: Organizational, People, Physical, and Technological. You select which apply based on your risk assessment and record your decisions in a Statement of Applicability.
How long does ISO 27001 certification take?
For a typical Canadian SMB, building the ISMS takes roughly 3 to 6 months, followed by a two-stage certification audit. The certificate is valid for three years, with annual surveillance audits in between and a recertification audit at the end of the cycle.
Is ISO 27001 better than SOC 2?
Neither is "better" — they serve different markets. ISO 27001 is an internationally recognized certificate favoured outside North America, while SOC 2 is an attestation report favoured by US buyers. The controls overlap heavily, so one strong program can satisfy both. See our ISO 27001 guide for the full comparison.
How does SecuritComply automate ISO 27001 compliance?
SecuritComply maps all 93 Annex A controls, guides your risk assessment, generates your Statement of Applicability, manages policies, and centralizes evidence — all with your data hosted in Canada.
