[{"data":1,"prerenderedAt":2778},["ShallowReactive",2],{"\u002Fglossary\u002Fsurveillance-audit":3,"\u002Fglossary\u002Fsurveillance-audit__related-terms":260,"explore-glossary-iso27001-\u002Fglossary\u002Fsurveillance-audit":271,"explore-topics-iso27001-\u002Fglossary\u002Fsurveillance-audit":1002,"explore-hub-iso27001":1850,"explore-compare-vs-\u002Fglossary\u002Fsurveillance-audit":2338,"explore-compare-\u002Fglossary\u002Fsurveillance-audit":2504,"explore-blog-iso27001-\u002Fglossary\u002Fsurveillance-audit":2623,"explore-industry-iso27001":1457},{"id":4,"title":5,"body":6,"description":229,"extension":242,"lastUpdated":243,"meta":244,"navigation":245,"path":246,"relatedFrameworks":247,"relatedTerms":249,"seo":254,"slug":257,"stem":258,"term":13,"__hash__":259},"glossary\u002F8.glossary\u002Fsurveillance-audit.md","Surveillance Audit",{"type":7,"value":8,"toc":228},"minimark",[9,14,18,23,26,61,65,68,94,97,101,104,136,139,143,146,184,188,191,208,212,215,219],[10,11,13],"h2",{"id":12},"what-is-a-surveillance-audit","What is a Surveillance Audit?",[15,16,17],"p",{},"A surveillance audit is a periodic assessment conducted by a certification body to verify that a certified organization's management system continues to operate in accordance with the standard requirements. In the context of ISO 27001, surveillance audits occur annually between the initial certification and the three-year recertification cycle.",[19,20,22],"h3",{"id":21},"what-is-the-purpose-of-surveillance-audits","What is the purpose of surveillance audits?",[15,24,25],{},"Surveillance audits serve several important purposes:",[27,28,29,37,43,49,55],"ul",{},[30,31,32,36],"li",{},[33,34,35],"strong",{},"Ongoing assurance"," — confirm that the ISMS has not degraded since the initial certification or last audit",[30,38,39,42],{},[33,40,41],{},"Continuous improvement verification"," — check that the organization is actively improving its ISMS rather than letting it stagnate",[30,44,45,48],{},[33,46,47],{},"Change assessment"," — evaluate how changes to the organization, its services, or its risk environment have been addressed",[30,50,51,54],{},[33,52,53],{},"Corrective action follow-up"," — verify that nonconformities identified in previous audits have been resolved",[30,56,57,60],{},[33,58,59],{},"Stakeholder confidence"," — maintain trust among customers, partners, and regulators that the certification remains valid",[19,62,64],{"id":63},"what-is-the-surveillance-audit-schedule","What is the surveillance audit schedule?",[15,66,67],{},"ISO 27001 certification follows a three-year cycle:",[27,69,70,76,82,88],{},[30,71,72,75],{},[33,73,74],{},"Year 0"," — initial certification audit (Stage 1 and Stage 2)",[30,77,78,81],{},[33,79,80],{},"Year 1"," — first surveillance audit",[30,83,84,87],{},[33,85,86],{},"Year 2"," — second surveillance audit",[30,89,90,93],{},[33,91,92],{},"Year 3"," — recertification audit (full audit to renew the certificate for another three years)",[15,95,96],{},"Surveillance audits are typically scheduled around the anniversary of the initial certification. Missing or failing a surveillance audit can result in suspension or withdrawal of the certificate.",[19,98,100],{"id":99},"what-is-the-scope-of-surveillance-audits","What is the scope of surveillance audits?",[15,102,103],{},"Surveillance audits do not cover the entire ISMS in the same depth as the initial certification. Instead, the certification body samples a subset of controls and processes. However, certain elements are always reviewed:",[27,105,106,112,118,124,130],{},[30,107,108,111],{},[33,109,110],{},"Internal audit results"," — evidence that the organization is conducting its own internal audits",[30,113,114,117],{},[33,115,116],{},"Management review"," — records showing that management regularly reviews ISMS performance",[30,119,120,123],{},[33,121,122],{},"Corrective actions"," — status of previously identified nonconformities",[30,125,126,129],{},[33,127,128],{},"Use of the certification mark"," — verification that the organization uses the ISO 27001 mark correctly",[30,131,132,135],{},[33,133,134],{},"Changes to the ISMS"," — assessment of any significant changes since the last audit",[15,137,138],{},"The certification body plans the surveillance audits to ensure that, across the three-year cycle, all significant areas of the ISMS are examined.",[19,140,142],{"id":141},"how-do-you-prepare-for-a-surveillance-audit","How do you prepare for a surveillance audit?",[15,144,145],{},"To prepare effectively:",[27,147,148,154,160,166,172,178],{},[30,149,150,153],{},[33,151,152],{},"Maintain your ISMS"," — do not treat certification as a one-time achievement; keep controls operating and evidence current",[30,155,156,159],{},[33,157,158],{},"Conduct internal audits"," — perform regular internal audits and document findings and corrective actions",[30,161,162,165],{},[33,163,164],{},"Hold management reviews"," — ensure management reviews occur at planned intervals with documented outcomes",[30,167,168,171],{},[33,169,170],{},"Track corrective actions"," — close out any nonconformities from previous audits with evidence of resolution",[30,173,174,177],{},[33,175,176],{},"Update documentation"," — keep policies, procedures, the risk register, and Statement of Applicability current",[30,179,180,183],{},[33,181,182],{},"Brief your team"," — ensure control owners understand the surveillance process and can speak to their controls",[19,185,187],{"id":186},"what-are-common-pitfalls-with-surveillance-audits","What are common pitfalls with surveillance audits?",[15,189,190],{},"Organizations frequently encounter issues during surveillance audits due to:",[27,192,193,196,199,202,205],{},[30,194,195],{},"Letting the ISMS become dormant between audits",[30,197,198],{},"Failing to conduct internal audits or management reviews",[30,200,201],{},"Not updating the risk assessment after significant changes",[30,203,204],{},"Incomplete corrective action records",[30,206,207],{},"Documentation that does not reflect current practices",[19,209,211],{"id":210},"what-happens-if-you-fail-a-surveillance-audit","What happens if you fail a surveillance audit?",[15,213,214],{},"If the certification body identifies major nonconformities during a surveillance audit, the organization typically receives a defined period to resolve them. If nonconformities are not resolved, the CB may suspend or withdraw the certification.",[19,216,218],{"id":217},"how-does-episki-help-with-surveillance-audits","How does episki help with surveillance audits?",[15,220,221,222,227],{},"episki keeps your ISMS active year-round with automated evidence collection, internal audit tracking, and management review workflows. The platform ensures you are always surveillance-audit-ready rather than scrambling to prepare. Learn more on our ",[223,224,226],"a",{"href":225},"\u002Fframeworks\u002Fiso27001","ISO 27001 compliance page",".",{"title":229,"searchDepth":230,"depth":230,"links":231},"",2,[232],{"id":12,"depth":230,"text":13,"children":233},[234,236,237,238,239,240,241],{"id":21,"depth":235,"text":22},3,{"id":63,"depth":235,"text":64},{"id":99,"depth":235,"text":100},{"id":141,"depth":235,"text":142},{"id":186,"depth":235,"text":187},{"id":210,"depth":235,"text":211},{"id":217,"depth":235,"text":218},"md","2026-04-16",{},true,"\u002Fglossary\u002Fsurveillance-audit",[248],"iso27001",[248,250,251,252,253],"certification-body","isms","statement-of-applicability","annex-a",{"title":255,"description":256},"What is a Surveillance Audit? Definition & Compliance Guide","A surveillance audit is an annual check by a certification body to verify that your ISO 27001 ISMS continues to operate effectively. Learn what to expect.","surveillance-audit","8.glossary\u002Fsurveillance-audit","jJBmuftExlStO3zC0agQCzOIUDUgNonZM_tMXHozlAQ",[261,263,265,267,269],{"slug":253,"term":262},"What is ISO 27001 Annex A?",{"slug":250,"term":264},"What is a Certification Body?",{"slug":251,"term":266},"What is an ISMS?",{"slug":248,"term":268},"What is ISO 27001?",{"slug":252,"term":270},"What is a Statement of Applicability?",[272,847],{"id":273,"title":274,"body":275,"description":229,"extension":242,"lastUpdated":243,"meta":829,"navigation":245,"path":830,"relatedFrameworks":831,"relatedTerms":837,"seo":841,"slug":844,"stem":845,"term":280,"__hash__":846},"glossary\u002F8.glossary\u002Faccess-control.md","Access Control",{"type":7,"value":276,"toc":815},[277,281,284,288,291,317,321,327,333,339,345,349,352,358,375,381,395,401,412,416,419,475,479,482,496,500,503,526,530,533,583,587,590,710,713,716,745,749,755,758,795,798,801,804,808],[10,278,280],{"id":279},"what-is-access-control","What is Access Control?",[15,282,283],{},"Access control is the set of policies, procedures, and technical mechanisms that regulate who can access systems, data, and resources within an organization. It ensures that only authorized individuals can view, modify, or interact with sensitive information and critical systems. Access control is one of the most fundamental and universally required security controls across every major compliance framework.",[19,285,287],{"id":286},"what-are-the-core-principles-of-access-control","What are the core principles of access control?",[15,289,290],{},"Access control is built on several foundational principles:",[27,292,293,299,305,311],{},[30,294,295,298],{},[33,296,297],{},"Least privilege"," — users are granted only the minimum access necessary to perform their job functions",[30,300,301,304],{},[33,302,303],{},"Separation of duties"," — critical tasks are divided among multiple individuals to prevent any single person from having unchecked authority",[30,306,307,310],{},[33,308,309],{},"Need to know"," — access to information is restricted to those who require it for a specific purpose",[30,312,313,316],{},[33,314,315],{},"Default deny"," — access is denied by default unless explicitly granted",[19,318,320],{"id":319},"what-are-the-types-of-access-control","What are the types of access control?",[15,322,323,326],{},[33,324,325],{},"Role-Based Access Control (RBAC)"," — access is determined by the user's role within the organization. Roles are defined with specific permissions, and users are assigned to roles. This is the most common model in enterprise environments.",[15,328,329,332],{},[33,330,331],{},"Attribute-Based Access Control (ABAC)"," — access decisions are based on attributes of the user, the resource, and the environment (e.g., department, location, time of day, device type).",[15,334,335,338],{},[33,336,337],{},"Discretionary Access Control (DAC)"," — resource owners decide who can access their resources. Common in file systems where owners set permissions.",[15,340,341,344],{},[33,342,343],{},"Mandatory Access Control (MAC)"," — access is controlled by the system based on security labels and clearance levels. Common in government and military environments.",[19,346,348],{"id":347},"what-are-access-control-components","What are access control components?",[15,350,351],{},"A complete access control program addresses:",[15,353,354,357],{},[33,355,356],{},"Authentication"," — verifying the identity of users:",[27,359,360,363,366,369,372],{},[30,361,362],{},"Passwords and passphrases",[30,364,365],{},"Multi-factor authentication (MFA)",[30,367,368],{},"Single sign-on (SSO)",[30,370,371],{},"Biometric authentication",[30,373,374],{},"Certificate-based authentication",[15,376,377,380],{},[33,378,379],{},"Authorization"," — determining what authenticated users can do:",[27,382,383,386,389,392],{},[30,384,385],{},"Permission assignments",[30,387,388],{},"Role definitions",[30,390,391],{},"Access control lists",[30,393,394],{},"Policy enforcement points",[15,396,397,400],{},[33,398,399],{},"Access lifecycle management"," — managing access throughout the user lifecycle:",[27,402,403,406,409],{},[30,404,405],{},"Provisioning (granting access when hired or role changes)",[30,407,408],{},"Review (periodic access certification)",[30,410,411],{},"Deprovisioning (revoking access upon termination or role change)",[19,413,415],{"id":414},"how-do-compliance-frameworks-address-access-control","How do compliance frameworks address access control?",[15,417,418],{},"Every major framework requires access control:",[27,420,421,430,443,457,466],{},[30,422,423,429],{},[33,424,425],{},[223,426,428],{"href":427},"\u002Fframeworks\u002Fsoc2","SOC 2"," — CC6.1 through CC6.8 cover logical and physical access controls",[30,431,432,437,438,442],{},[33,433,434],{},[223,435,436],{"href":225},"ISO 27001"," — ",[223,439,441],{"href":440},"\u002Fglossary\u002Fannex-a","Annex A"," controls A.5.15 through A.5.18 and A.8.2 through A.8.5 address access management",[30,444,445,451,452,456],{},[33,446,447],{},[223,448,450],{"href":449},"\u002Fframeworks\u002Fhipaa","HIPAA"," — the ",[223,453,455],{"href":454},"\u002Fframeworks\u002Fhipaa\u002Fsecurity-rule","Security Rule"," requires access controls for ePHI (45 CFR 164.312(a))",[30,458,459,465],{},[33,460,461],{},[223,462,464],{"href":463},"\u002Fframeworks\u002Fpci","PCI DSS"," — Requirements 7 and 8 address access restriction and user identification",[30,467,468,474],{},[33,469,470],{},[223,471,473],{"href":472},"\u002Fframeworks\u002Fnistcsf","NIST CSF"," — PR.AC covers identity management, authentication, and access control",[19,476,478],{"id":477},"what-are-access-reviews","What are access reviews?",[15,480,481],{},"Regular access reviews (also called access certifications) are a critical control:",[27,483,484,487,490,493],{},[30,485,486],{},"Review user access rights periodically (quarterly is common for sensitive systems)",[30,488,489],{},"Verify that access aligns with current job responsibilities",[30,491,492],{},"Identify and remove excessive or unnecessary access",[30,494,495],{},"Document review results and remediation actions",[19,497,499],{"id":498},"what-are-common-access-control-weaknesses","What are common access control weaknesses?",[15,501,502],{},"Even well-designed access control programs can degrade over time without ongoing attention. Watch for these common issues:",[27,504,505,508,511,514,517,520,523],{},[30,506,507],{},"Excessive permissions that accumulate over time (privilege creep)",[30,509,510],{},"Shared or generic accounts that prevent individual accountability",[30,512,513],{},"Delayed deprovisioning when employees leave or change roles",[30,515,516],{},"Lack of MFA on critical systems and remote access paths",[30,518,519],{},"Inconsistent access review processes with no documented remediation",[30,521,522],{},"Service accounts with standing privileged access and no rotation schedule",[30,524,525],{},"Lack of visibility into SaaS application access outside the corporate IdP",[19,527,529],{"id":528},"how-do-you-implement-access-control-in-practice","How do you implement access control in practice?",[15,531,532],{},"Effective access control programs start with planning and build toward automation. The following steps provide a practical roadmap for organizations at any maturity level:",[534,535,536,542,548,554,560,566,577],"ol",{},[30,537,538,541],{},[33,539,540],{},"Map your environment"," — inventory all systems, applications, and data repositories that require access controls. You cannot protect what you have not identified. Include SaaS applications, cloud infrastructure, on-premises servers, databases, file shares, and third-party integrations.",[30,543,544,547],{},[33,545,546],{},"Define roles based on job functions"," — create roles that reflect organizational responsibilities, not individual users. Align roles to the principle of least privilege so each role includes only the permissions required for that function. Review role definitions annually and whenever organizational structure changes.",[30,549,550,553],{},[33,551,552],{},"Centralize authentication with SSO"," — implement single sign-on using SAML 2.0 or OpenID Connect (OIDC) to unify identity across cloud and on-premises systems. Centralized authentication reduces password sprawl and gives security teams a single point of enforcement. Ensure all business-critical applications are integrated with your SSO provider before considering the rollout complete.",[30,555,556,559],{},[33,557,558],{},"Layer MFA on all critical systems"," — require multi-factor authentication for remote access, privileged accounts, email, cloud consoles, and any system that touches sensitive data. Phishing-resistant methods such as FIDO2 hardware keys are preferred over SMS-based codes. At a minimum, enforce MFA on identity providers, admin consoles, and VPN access.",[30,561,562,565],{},[33,563,564],{},"Automate provisioning and deprovisioning"," — connect your HR system to your identity provider (IdP) and use SCIM or directory sync to automate account creation, role assignment, and account removal. When an employee is terminated in the HR system, access should be revoked within minutes, not days. Automation eliminates the human error that leads to orphaned accounts and privilege creep.",[30,567,568,571,572,576],{},[33,569,570],{},"Build an access request and approval workflow"," — establish a formal process where users request access with documented business justification, managers approve, and the request is logged for audit. This creates an ",[223,573,575],{"href":574},"\u002Fglossary\u002Faudit-trail","audit trail"," that satisfies compliance requirements.",[30,578,579,582],{},[33,580,581],{},"Monitor and log access events"," — collect authentication and authorization logs centrally. Monitor for anomalies such as failed login attempts, access from unusual locations, and privilege escalation. Logs are essential for incident response and audit evidence.",[19,584,586],{"id":585},"what-are-the-access-control-requirements","What are the access control requirements?",[15,588,589],{},"Different frameworks address the same access control concepts with different control references. The table below maps common requirements to their framework-specific identifiers:",[591,592,593,613],"table",{},[594,595,596],"thead",{},[597,598,599,603,605,607,609,611],"tr",{},[600,601,602],"th",{},"Requirement",[600,604,428],{},[600,606,436],{},[600,608,450],{},[600,610,464],{},[600,612,473],{},[614,615,616,637,656,676,693],"tbody",{},[597,617,618,622,625,628,631,634],{},[619,620,621],"td",{},"Unique user IDs",[619,623,624],{},"CC6.1",[619,626,627],{},"A.5.16",[619,629,630],{},"§164.312(a)(2)(i)",[619,632,633],{},"Req 8.2.1",[619,635,636],{},"PR.AC-1",[597,638,639,642,644,647,650,653],{},[619,640,641],{},"MFA",[619,643,624],{},[619,645,646],{},"A.8.5",[619,648,649],{},"Addressable",[619,651,652],{},"Req 8.4",[619,654,655],{},"PR.AC-7",[597,657,658,661,664,667,670,673],{},[619,659,660],{},"Access reviews",[619,662,663],{},"CC6.2",[619,665,666],{},"A.5.18",[619,668,669],{},"§164.312(a)(1)",[619,671,672],{},"Req 7.2",[619,674,675],{},"PR.AC-4",[597,677,678,680,683,686,688,691],{},[619,679,297],{},[619,681,682],{},"CC6.3",[619,684,685],{},"A.5.15",[619,687,669],{},[619,689,690],{},"Req 7.1",[619,692,675],{},[597,694,695,698,700,702,705,708],{},[619,696,697],{},"Deprovisioning",[619,699,663],{},[619,701,666],{},[619,703,704],{},"§164.312(a)(2)(ii)",[619,706,707],{},"Req 8.2.6",[619,709,636],{},[15,711,712],{},"Organizations subject to multiple frameworks can use this mapping to build a unified access control program that satisfies overlapping requirements without duplicating effort.",[15,714,715],{},"A few notes on framework-specific nuances:",[27,717,718,723,731,738],{},[30,719,720,722],{},[33,721,450],{}," treats MFA as an \"addressable\" implementation specification, meaning covered entities must implement it or document why an equivalent alternative is reasonable. In practice, most organizations implement MFA because the risk of not doing so is difficult to justify.",[30,724,725,730],{},[33,726,727,729],{},[223,728,464],{"href":463}," v4.0"," expanded MFA requirements (Req 8.4) to include all access into the cardholder data environment, not just remote access. Organizations processing card data should verify their MFA coverage meets the updated scope.",[30,732,733,737],{},[33,734,735],{},[223,736,428],{"href":427}," does not prescribe specific technologies but evaluates whether the controls in place are suitably designed and operating effectively. Auditors will look for evidence that access control policies are enforced consistently.",[30,739,740,744],{},[33,741,742],{},[223,743,473],{"href":472}," provides a flexible, risk-based approach. The PR.AC subcategory identifiers map to more detailed controls in NIST SP 800-53, which organizations can reference for implementation guidance.",[19,746,748],{"id":747},"how-does-zero-trust-relate-to-access-control","How does zero trust relate to access control?",[15,750,751,752,227],{},"Traditional access control models assume that users inside the network perimeter can be trusted. Zero trust architecture rejects that assumption entirely: ",[33,753,754],{},"never trust, always verify",[15,756,757],{},"In a zero trust model, every access request is authenticated, authorized, and encrypted regardless of where it originates. Key principles include:",[27,759,760,766,772,783,789],{},[30,761,762,765],{},[33,763,764],{},"Continuous verification"," — access decisions are re-evaluated throughout a session, not just at login. Changes in user behavior, location, or risk score can trigger step-up authentication or session termination.",[30,767,768,771],{},[33,769,770],{},"Micro-segmentation"," — network resources are divided into small, isolated zones so that compromising one segment does not grant lateral access to others.",[30,773,774,777,778,782],{},[33,775,776],{},"Device posture checks"," — the security state of the connecting device (patch level, endpoint protection status, disk ",[223,779,781],{"href":780},"\u002Fglossary\u002Fencryption","encryption",") is evaluated before access is granted.",[30,784,785,788],{},[33,786,787],{},"Identity-centric perimeter"," — the network perimeter is replaced by identity as the primary security boundary. Every user, device, and workload must prove its identity before accessing any resource.",[30,790,791,794],{},[33,792,793],{},"Least privilege enforcement at the session level"," — access grants are scoped to the specific resource and action needed, and they expire when the session ends or conditions change.",[15,796,797],{},"NIST SP 800-207 defines the zero trust architecture and provides guidance on implementation. Many compliance frameworks are increasingly aligning their access control requirements with zero trust principles, making it a forward-looking strategy for organizations building or modernizing their access control programs.",[15,799,800],{},"Zero trust is not a single product but an architectural approach that spans identity, network, endpoints, and data.",[15,802,803],{},"Adopting zero trust does not require replacing your existing access control infrastructure overnight. Most organizations begin by enforcing MFA universally, segmenting their most sensitive assets, and adding device posture checks to their conditional access policies. Over time, these incremental improvements compound into a mature zero trust posture.",[19,805,807],{"id":806},"how-does-episki-help-with-access-control","How does episki help with access control?",[15,809,810,811,227],{},"episki tracks access control policies, monitors review schedules, and documents access provisioning and deprovisioning activities. The platform sends reminders for periodic access reviews and maintains evidence for auditors. Learn more on our ",[223,812,814],{"href":813},"\u002Fframeworks","compliance platform",{"title":229,"searchDepth":230,"depth":230,"links":816},[817],{"id":279,"depth":230,"text":280,"children":818},[819,820,821,822,823,824,825,826,827,828],{"id":286,"depth":235,"text":287},{"id":319,"depth":235,"text":320},{"id":347,"depth":235,"text":348},{"id":414,"depth":235,"text":415},{"id":477,"depth":235,"text":478},{"id":498,"depth":235,"text":499},{"id":528,"depth":235,"text":529},{"id":585,"depth":235,"text":586},{"id":747,"depth":235,"text":748},{"id":806,"depth":235,"text":807},{},"\u002Fglossary\u002Faccess-control",[832,833,248,834,835,836],"cmmc","soc2","hipaa","pci","nistcsf",[838,839,781,840],"minimum-necessary-rule","audit-trail","user-entity-controls",{"title":842,"description":843},"Access Control in Compliance: RBAC, MFA & Least Privilege","Access control restricts system and data access to authorized users. Learn RBAC, MFA, least privilege, and requirements across SOC 2, ISO 27001, HIPAA, and PCI DSS.","access-control","8.glossary\u002Faccess-control","06FHtOe5hEs65vhNnMjZcNgPP9NXCQTnLD9llz_jEjM",{"id":848,"title":441,"body":849,"description":229,"extension":242,"lastUpdated":243,"meta":992,"navigation":245,"path":440,"relatedFrameworks":993,"relatedTerms":994,"seo":997,"slug":253,"stem":1000,"term":262,"__hash__":1001},"glossary\u002F8.glossary\u002Fannex-a.md",{"type":7,"value":850,"toc":982},[851,854,865,869,872,898,902,905,922,925,929,932,936,939,953,956,960,973,977],[10,852,262],{"id":853},"what-is-iso-27001-annex-a",[15,855,856,857,859,860,864],{},"ISO 27001 Annex A is the normative annex to the ",[223,858,436],{"href":225}," standard that provides a reference list of information security controls. Organizations use Annex A as a checklist to ensure their ",[223,861,863],{"href":862},"\u002Fframeworks\u002Fiso27001\u002Fisms-implementation","Information Security Management System (ISMS)"," addresses a comprehensive range of security topics. As of the 2022 revision, Annex A contains 93 controls organized into four themes.",[19,866,868],{"id":867},"what-are-the-four-themes","What are the four themes?",[15,870,871],{},"The 2022 revision reorganized controls from the previous 14 categories into four themes:",[27,873,874,880,886,892],{},[30,875,876,879],{},[33,877,878],{},"Organizational controls (37 controls)"," — policies, roles and responsibilities, threat intelligence, information security in project management, supplier relationships, and more",[30,881,882,885],{},[33,883,884],{},"People controls (8 controls)"," — screening, terms and conditions of employment, security awareness training, disciplinary processes, and responsibilities after termination",[30,887,888,891],{},[33,889,890],{},"Physical controls (14 controls)"," — physical security perimeters, entry controls, securing offices and facilities, equipment protection, and clear desk policies",[30,893,894,897],{},[33,895,896],{},"Technological controls (34 controls)"," — user endpoint devices, privileged access management, access restrictions, secure authentication, malware protection, logging, encryption, and secure development",[19,899,901],{"id":900},"how-does-annex-a-fit-into-iso-27001","How does Annex A fit into ISO 27001?",[15,903,904],{},"Annex A is not a standalone list of mandatory controls. Instead, it works in conjunction with the risk assessment process defined in clauses 6 and 8 of ISO 27001:",[534,906,907,910,913,916,919],{},[30,908,909],{},"The organization performs a risk assessment to identify information security risks",[30,911,912],{},"The organization determines how to treat each risk (mitigate, accept, transfer, or avoid)",[30,914,915],{},"For risks being mitigated, the organization selects appropriate controls",[30,917,918],{},"The organization compares selected controls against Annex A to ensure nothing has been overlooked",[30,920,921],{},"The results are documented in the Statement of Applicability",[15,923,924],{},"This approach ensures that control selection is risk-driven rather than checkbox-driven. An organization may determine that certain Annex A controls are not applicable based on their specific risk profile, and this is acceptable as long as the justification is documented.",[19,926,928],{"id":927},"how-does-annex-a-relate-to-iso-27002","How does Annex A relate to ISO 27002?",[15,930,931],{},"ISO 27002 provides detailed implementation guidance for each Annex A control. While Annex A lists the controls with brief descriptions, ISO 27002 explains the purpose, guidance, and other information for each control. Think of Annex A as the \"what\" and ISO 27002 as the \"how.\"",[19,933,935],{"id":934},"what-changed-in-the-2022-revision-of-annex-a","What changed in the 2022 revision of Annex A?",[15,937,938],{},"The 2022 update introduced several changes from the 2013 version:",[27,940,941,944,947,950],{},[30,942,943],{},"Controls were consolidated from 114 to 93",[30,945,946],{},"The 14 categories were replaced with 4 themes",[30,948,949],{},"11 new controls were added, including threat intelligence, information security for cloud services, ICT readiness for business continuity, and data masking",[30,951,952],{},"Each control now includes attributes (control type, cybersecurity concept, operational capability, and security domain) to aid in filtering and mapping",[15,954,955],{},"Organizations certified under the 2013 version had a transition period to update their ISMS to align with the 2022 revision.",[19,957,959],{"id":958},"what-is-the-statement-of-applicability","What is the Statement of Applicability?",[15,961,962,963,967,968,972],{},"The ",[223,964,966],{"href":965},"\u002Fframeworks\u002Fiso27001\u002Fstatement-of-applicability","Statement of Applicability (SoA)"," is the document where an organization records which Annex A controls are applicable, which are not, and the justification for each decision. The SoA is a mandatory document for ",[223,969,971],{"href":970},"\u002Fframeworks\u002Fiso27001\u002Fcertification-process","ISO 27001 certification"," and is a key artifact reviewed during certification audits.",[19,974,976],{"id":975},"how-does-episki-help-with-annex-a","How does episki help with Annex A?",[15,978,979,980,227],{},"episki includes all 93 Annex A controls with mappings to your risk treatment plan and Statement of Applicability. The platform helps you track implementation status, assign ownership, and collect evidence for each applicable control. Learn more on our ",[223,981,226],{"href":225},{"title":229,"searchDepth":230,"depth":230,"links":983},[984],{"id":853,"depth":230,"text":262,"children":985},[986,987,988,989,990,991],{"id":867,"depth":235,"text":868},{"id":900,"depth":235,"text":901},{"id":927,"depth":235,"text":928},{"id":934,"depth":235,"text":935},{"id":958,"depth":235,"text":959},{"id":975,"depth":235,"text":976},{},[248],[248,252,995,996,251],"iso-27002","control-objectives",{"title":998,"description":999},"ISO 27001 Annex A: All 93 Controls Explained (2022)","ISO 27001 Annex A lists 93 security controls in 4 themes. Learn each control category, how they map to your Statement of Applicability, and implementation tips.","8.glossary\u002Fannex-a","7UuJknizYAej4wh0vgz3iQYe-_A9-r5bjizs222-Avw",[1003,1471],{"id":1004,"title":1005,"body":1006,"description":1456,"extension":242,"faq":1457,"frameworkSlug":248,"lastUpdated":243,"meta":1458,"navigation":245,"path":1459,"relatedTerms":1460,"relatedTopics":1461,"seo":1466,"stem":1469,"__hash__":1470},"frameworkTopics\u002F5.frameworks\u002Fiso27001\u002Fannex-a-controls.md","ISO 27001 Annex A Controls",{"type":7,"value":1007,"toc":1437},[1008,1019,1022,1026,1029,1032,1036,1040,1043,1046,1090,1096,1100,1103,1106,1150,1154,1157,1160,1204,1208,1211,1214,1312,1316,1319,1351,1359,1363,1370,1373,1377,1381,1387,1391,1394,1398,1401,1405,1408,1412,1415,1419,1427,1430],[15,1009,1010,1011,1013,1014,1018],{},"Annex A of ",[223,1012,436],{"href":225}," is the reference set of information security controls that organizations evaluate and, where applicable, implement within their ",[223,1015,1017],{"href":1016},"\u002Fglossary\u002Fisms","ISMS",". The 2022 revision of the standard restructured these controls significantly, consolidating the previous 114 controls across 14 domains into 93 controls organized under four themes.",[15,1020,1021],{},"Understanding the structure, purpose, and implementation expectations of Annex A is fundamental to building a compliant and effective security program.",[10,1023,1025],{"id":1024},"what-changed-in-iso-270012022","What Changed in ISO 27001:2022",[15,1027,1028],{},"The 2022 update replaced the 14-domain structure from the 2013 edition with four broader themes. Eleven new controls were introduced to address modern threats and practices. Several existing controls were merged where overlap existed, and all controls received updated guidance in the companion standard ISO 27002:2022.",[15,1030,1031],{},"Organizations certified under the 2013 version were given a transition period to align with the 2022 structure. New certifications are now assessed against the 2022 edition exclusively.",[10,1033,1035],{"id":1034},"the-four-themes","The Four Themes",[19,1037,1039],{"id":1038},"_1-organizational-controls-37-controls","1. Organizational Controls (37 Controls)",[15,1041,1042],{},"Organizational controls address the governance, policy, and procedural foundations of information security. They cover the \"who decides what\" and \"how things work\" aspects of your ISMS.",[15,1044,1045],{},"Key controls in this theme include:",[27,1047,1048,1054,1060,1066,1072,1078,1084],{},[30,1049,1050,1053],{},[33,1051,1052],{},"Policies for information security."," Establishing and maintaining a set of information security policies approved by management.",[30,1055,1056,1059],{},[33,1057,1058],{},"Roles and responsibilities."," Defining and allocating information security responsibilities across the organization.",[30,1061,1062,1065],{},[33,1063,1064],{},"Threat intelligence."," Collecting and analyzing information about threats relevant to the organization. This is a new control in 2022.",[30,1067,1068,1071],{},[33,1069,1070],{},"Information security in project management."," Integrating security considerations into project management practices regardless of project type.",[30,1073,1074,1077],{},[33,1075,1076],{},"Supplier relationships."," Managing security risks introduced by suppliers and third-party service providers.",[30,1079,1080,1083],{},[33,1081,1082],{},"Incident management."," Planning, detecting, reporting, and responding to information security incidents.",[30,1085,1086,1089],{},[33,1087,1088],{},"Business continuity."," Ensuring information security requirements are addressed during disruption.",[15,1091,1092,1093,227],{},"Organizational controls form the backbone of your ISMS and are heavily examined during both Stage 1 and Stage 2 of the ",[223,1094,1095],{"href":970},"certification process",[19,1097,1099],{"id":1098},"_2-people-controls-8-controls","2. People Controls (8 Controls)",[15,1101,1102],{},"People controls focus on the human element of information security. Despite being the smallest theme by count, these controls address one of the most significant risk areas.",[15,1104,1105],{},"Controls in this theme cover:",[27,1107,1108,1114,1120,1126,1132,1138,1144],{},[30,1109,1110,1113],{},[33,1111,1112],{},"Screening."," Background verification of personnel before and during employment.",[30,1115,1116,1119],{},[33,1117,1118],{},"Terms and conditions of employment."," Contractual obligations related to information security.",[30,1121,1122,1125],{},[33,1123,1124],{},"Information security awareness, education, and training."," Ensuring all personnel understand their security responsibilities.",[30,1127,1128,1131],{},[33,1129,1130],{},"Disciplinary process."," Formal processes for addressing security policy violations.",[30,1133,1134,1137],{},[33,1135,1136],{},"Responsibilities after termination or change of employment."," Protecting information when people leave or change roles.",[30,1139,1140,1143],{},[33,1141,1142],{},"Remote working."," Security measures for personnel working outside traditional office environments. This control was updated significantly in 2022.",[30,1145,1146,1149],{},[33,1147,1148],{},"Information security event reporting."," Mechanisms for personnel to report suspected security events.",[19,1151,1153],{"id":1152},"_3-physical-controls-14-controls","3. Physical Controls (14 Controls)",[15,1155,1156],{},"Physical controls protect the tangible assets and environments where information is processed and stored.",[15,1158,1159],{},"This theme includes controls for:",[27,1161,1162,1168,1174,1180,1186,1192,1198],{},[30,1163,1164,1167],{},[33,1165,1166],{},"Physical security perimeters and entry."," Controlling access to buildings, data centers, and secure areas.",[30,1169,1170,1173],{},[33,1171,1172],{},"Securing offices, rooms, and facilities."," Appropriate physical protection based on risk.",[30,1175,1176,1179],{},[33,1177,1178],{},"Physical security monitoring."," Surveillance and detection systems.",[30,1181,1182,1185],{},[33,1183,1184],{},"Protecting against physical and environmental threats."," Fire, flood, power loss, and other environmental risks.",[30,1187,1188,1191],{},[33,1189,1190],{},"Equipment security."," Protecting hardware from theft, damage, and unauthorized access, including off-site equipment and secure disposal.",[30,1193,1194,1197],{},[33,1195,1196],{},"Clear desk and clear screen."," Reducing exposure of sensitive information in work areas.",[30,1199,1200,1203],{},[33,1201,1202],{},"Storage media."," Managing the lifecycle of removable and fixed storage media.",[19,1205,1207],{"id":1206},"_4-technological-controls-34-controls","4. Technological Controls (34 Controls)",[15,1209,1210],{},"Technological controls address the technical safeguards that protect information systems and data.",[15,1212,1213],{},"Notable controls include:",[27,1215,1216,1222,1228,1234,1240,1246,1252,1258,1264,1270,1276,1282,1288,1294,1300,1306],{},[30,1217,1218,1221],{},[33,1219,1220],{},"User endpoint devices."," Securing laptops, phones, and other devices that access organizational information.",[30,1223,1224,1227],{},[33,1225,1226],{},"Privileged access rights."," Restricting and monitoring the use of elevated system privileges.",[30,1229,1230,1233],{},[33,1231,1232],{},"Access control."," Managing who can access what information and systems based on business and security requirements.",[30,1235,1236,1239],{},[33,1237,1238],{},"Secure authentication."," Implementing strong authentication mechanisms.",[30,1241,1242,1245],{},[33,1243,1244],{},"Configuration management."," Ensuring systems are configured securely and consistently. This is new in 2022.",[30,1247,1248,1251],{},[33,1249,1250],{},"Information deletion."," Securely removing information when it is no longer needed. Also new in 2022.",[30,1253,1254,1257],{},[33,1255,1256],{},"Data masking."," Protecting sensitive data through masking techniques. New in 2022.",[30,1259,1260,1263],{},[33,1261,1262],{},"Data leakage prevention."," Detecting and preventing unauthorized disclosure of information. New in 2022.",[30,1265,1266,1269],{},[33,1267,1268],{},"Monitoring activities."," Monitoring systems, networks, and applications for anomalous behavior. New in 2022.",[30,1271,1272,1275],{},[33,1273,1274],{},"Web filtering."," Controlling access to external websites to reduce exposure to malicious content. New in 2022.",[30,1277,1278,1281],{},[33,1279,1280],{},"Secure coding."," Applying security principles in software development. New in 2022.",[30,1283,1284,1287],{},[33,1285,1286],{},"Logging and monitoring."," Recording events and reviewing logs for security purposes.",[30,1289,1290,1293],{},[33,1291,1292],{},"Network security."," Protecting networks and network services.",[30,1295,1296,1299],{},[33,1297,1298],{},"Cryptography."," Using encryption and related techniques to protect information confidentiality, integrity, and authenticity.",[30,1301,1302,1305],{},[33,1303,1304],{},"Vulnerability management."," Identifying and addressing technical vulnerabilities.",[30,1307,1308,1311],{},[33,1309,1310],{},"Backup."," Maintaining and testing backup copies of information and software.",[10,1313,1315],{"id":1314},"control-attributes","Control Attributes",[15,1317,1318],{},"ISO 27001:2022 introduced a set of attributes that can be applied to each control, making it easier to filter and organize controls based on different perspectives:",[27,1320,1321,1327,1333,1339,1345],{},[30,1322,1323,1326],{},[33,1324,1325],{},"Control type:"," Preventive, detective, or corrective.",[30,1328,1329,1332],{},[33,1330,1331],{},"Information security properties:"," Confidentiality, integrity, or availability.",[30,1334,1335,1338],{},[33,1336,1337],{},"Cybersecurity concepts:"," Identify, protect, detect, respond, or recover (aligned with NIST CSF).",[30,1340,1341,1344],{},[33,1342,1343],{},"Operational capabilities:"," Governance, asset management, access control, and other operational groupings.",[30,1346,1347,1350],{},[33,1348,1349],{},"Security domains:"," Governance and ecosystem, protection, defense, or resilience.",[15,1352,1353,1354,1358],{},"These attributes are not mandatory to implement but provide useful ways to map controls to your ",[223,1355,1357],{"href":1356},"\u002Fframeworks\u002Fiso27001\u002Frisk-assessment","risk assessment"," outcomes and to communicate control coverage to different stakeholders.",[10,1360,1362],{"id":1361},"relationship-to-the-statement-of-applicability","Relationship to the Statement of Applicability",[15,1364,1365,1366,1369],{},"Every Annex A control must be evaluated and either declared applicable or excluded in your ",[223,1367,1368],{"href":965},"Statement of Applicability",". The SoA documents which controls you have selected, why, and how they are implemented. You cannot simply ignore a control without justification. Even controls that are not applicable must be listed with a rationale for their exclusion.",[15,1371,1372],{},"This evaluation is driven by your risk assessment. Controls are selected based on the risks they mitigate, regulatory requirements, contractual obligations, and business needs.",[10,1374,1376],{"id":1375},"implementation-approach","Implementation Approach",[19,1378,1380],{"id":1379},"start-with-risk-not-controls","Start with Risk, Not Controls",[15,1382,1383,1384,1386],{},"A common mistake is to start by trying to implement all 93 controls and then retrofit risk justifications. The standard requires the opposite flow: identify risks first through your ",[223,1385,1357],{"href":1356}," process, then select controls that treat those risks appropriately.",[19,1388,1390],{"id":1389},"prioritize-based-on-risk-treatment","Prioritize Based on Risk Treatment",[15,1392,1393],{},"Not all controls carry equal weight for every organization. A cloud-native SaaS company will invest heavily in technological controls around access management, secure coding, and monitoring while spending less effort on physical perimeter security. A manufacturing firm with on-premises data centers will have the opposite emphasis.",[19,1395,1397],{"id":1396},"use-iso-27002-for-guidance","Use ISO 27002 for Guidance",[15,1399,1400],{},"ISO 27002:2022 is the companion standard that provides detailed implementation guidance for each control. While ISO 27001 tells you what controls exist, ISO 27002 tells you how to implement them. It is not mandatory to follow ISO 27002 prescriptively, but it is an invaluable reference.",[19,1402,1404],{"id":1403},"document-proportionally","Document Proportionally",[15,1406,1407],{},"Each control needs evidence of implementation, but the level of documentation should be proportionate to the risk and complexity involved. A small organization does not need the same volume of documentation as a multinational enterprise. Auditors look for effectiveness, not paperwork volume.",[19,1409,1411],{"id":1410},"map-controls-to-existing-practices","Map Controls to Existing Practices",[15,1413,1414],{},"Many organizations already have security practices in place that satisfy Annex A controls without realizing it. During your gap analysis, map existing practices to controls before building new processes. This reduces duplication and avoids creating parallel systems.",[10,1416,1418],{"id":1417},"keeping-controls-current","Keeping Controls Current",[15,1420,1421,1422,1426],{},"Annex A controls are not a set-and-forget exercise. Your control implementation should evolve as your risk landscape changes, new threats emerge, and your business grows. Regular internal audits, management reviews, and ",[223,1423,1425],{"href":1424},"\u002Fframeworks\u002Fiso27001\u002Fsurveillance-audits","surveillance audits"," provide structured checkpoints to assess whether controls remain effective.",[15,1428,1429],{},"Platforms like episki help organizations maintain a living map between risks, controls, and evidence so that control coverage stays visible and gaps are identified early rather than during an external audit.",[15,1431,1432,1433,1436],{},"For a broader view of how ",[223,1434,436],{"href":1435},"\u002Fglossary\u002Fiso27001"," fits into your compliance strategy, explore the full framework overview.",{"title":229,"searchDepth":230,"depth":230,"links":1438},[1439,1440,1446,1447,1448,1455],{"id":1024,"depth":230,"text":1025},{"id":1034,"depth":230,"text":1035,"children":1441},[1442,1443,1444,1445],{"id":1038,"depth":235,"text":1039},{"id":1098,"depth":235,"text":1099},{"id":1152,"depth":235,"text":1153},{"id":1206,"depth":235,"text":1207},{"id":1314,"depth":230,"text":1315},{"id":1361,"depth":230,"text":1362},{"id":1375,"depth":230,"text":1376,"children":1449},[1450,1451,1452,1453,1454],{"id":1379,"depth":235,"text":1380},{"id":1389,"depth":235,"text":1390},{"id":1396,"depth":235,"text":1397},{"id":1403,"depth":235,"text":1404},{"id":1410,"depth":235,"text":1411},{"id":1417,"depth":230,"text":1418},"An overview of all 93 Annex A controls in the ISO 27001:2022 standard, organized by their four themes, with guidance on implementation and prioritization.",null,{},"\u002Fframeworks\u002Fiso27001\u002Fannex-a-controls",[248,251],[252,1462,1463,1464,1465],"risk-assessment","isms-implementation","certification-process","surveillance-audits",{"title":1467,"description":1468},"ISO 27001 Annex A Controls — All 93 Controls Explained (2022)","Explore the 93 Annex A controls in ISO 27001:2022 organized by four themes. Learn implementation approaches and how controls map to your ISMS.","5.frameworks\u002Fiso27001\u002Fannex-a-controls","0iPvCsRN3ufyW68RrURLICsdaAOeZDSPxFbI4OyTGlQ",{"id":1472,"title":1473,"body":1474,"description":1822,"extension":242,"faq":1823,"frameworkSlug":248,"lastUpdated":243,"meta":1840,"navigation":245,"path":1841,"relatedTerms":1842,"relatedTopics":1843,"seo":1845,"stem":1848,"__hash__":1849},"frameworkTopics\u002F5.frameworks\u002Fiso27001\u002Fcertification-body-selection.md","Choosing an ISO 27001 Certification Body",{"type":7,"value":1475,"toc":1803},[1476,1485,1488,1492,1495,1515,1518,1522,1525,1528,1560,1567,1570,1574,1577,1588,1591,1595,1598,1602,1605,1609,1612,1616,1619,1623,1626,1630,1633,1656,1659,1663,1666,1670,1673,1677,1680,1706,1709,1713,1716,1719,1723,1733,1739,1747,1751,1789,1793,1796],[15,1477,1478,1479,1481,1482,1484],{},"You cannot self-certify ",[223,1480,436],{"href":225},". A certificate is only meaningful if it is issued by an accredited certification body that audited your ",[223,1483,1017],{"href":862}," against the standard and found it conforming. The certification body you choose will be your audit partner for at least three years through the initial audit, two surveillance audits, and eventual recertification. The decision deserves more care than most teams give it.",[15,1486,1487],{},"This guide walks through what a certification body actually is, how accreditation works, how to evaluate options, and what to ask before signing.",[10,1489,1491],{"id":1490},"what-a-certification-body-does","What a certification body does",[15,1493,1494],{},"A certification body, sometimes called a registrar, is an organization accredited to audit management systems against ISO standards and issue certificates. For ISO 27001, the certification body:",[27,1496,1497,1500,1503,1506,1509,1512],{},[30,1498,1499],{},"Plans the audit engagement based on your scope.",[30,1501,1502],{},"Conducts Stage 1 and Stage 2 audits during initial certification.",[30,1504,1505],{},"Issues your certificate if Stage 2 passes.",[30,1507,1508],{},"Conducts annual surveillance audits.",[30,1510,1511],{},"Conducts full recertification every three years.",[30,1513,1514],{},"Maintains your certificate in their public register.",[15,1516,1517],{},"The certification body's authority comes from its accreditation, not from the certification body itself. Without accreditation, the certificate is essentially a vendor's opinion.",[10,1519,1521],{"id":1520},"accreditation-explained","Accreditation explained",[15,1523,1524],{},"Accreditation is the layer above certification. Accreditation bodies assess certification bodies for competence and impartiality. They do not audit your ISMS directly. They audit the firms that audit your ISMS.",[15,1526,1527],{},"Major accreditation bodies relevant to ISO 27001 include:",[27,1529,1530,1536,1542,1548,1554],{},[30,1531,1532,1535],{},[33,1533,1534],{},"UKAS (United Kingdom Accreditation Service)."," The UK national accreditation body. UKAS accreditation is well-respected globally and often specified in enterprise procurement.",[30,1537,1538,1541],{},[33,1539,1540],{},"ANAB (ANSI National Accreditation Board)."," The US equivalent, part of ANSI. ANAB accreditation is the default for US-headquartered buyers.",[30,1543,1544,1547],{},[33,1545,1546],{},"JAS-ANZ (Joint Accreditation System of Australia and New Zealand)."," Covers Australia and New Zealand.",[30,1549,1550,1553],{},[33,1551,1552],{},"DAkkS (Deutsche Akkreditierungsstelle)."," Germany.",[30,1555,1556,1559],{},[33,1557,1558],{},"A2LA (American Association for Laboratory Accreditation)."," Another US accreditation body covering some certification bodies.",[15,1561,1562,1563,1566],{},"All legitimate accreditation bodies are members of the ",[33,1564,1565],{},"International Accreditation Forum (IAF)",", which operates a multilateral recognition arrangement. An IAF MLA certificate from one member body is recognized by the others. When evaluating a certification body, the core question is: are they accredited for ISO\u002FIEC 27001 by an IAF member?",[15,1568,1569],{},"Non-accredited \"certificates\" exist. Some are issued by firms that never sought accreditation. Some are issued by firms whose accreditation was withdrawn. Enterprise procurement teams increasingly verify accreditation through the IAF CertSearch database before accepting a certificate. A non-accredited certificate may be worse than no certificate because it signals that the customer expected compliance and the supplier cut a corner.",[10,1571,1573],{"id":1572},"major-certification-bodies-in-the-iso-27001-market","Major certification bodies in the ISO 27001 market",[15,1575,1576],{},"Without recommending any specific provider, the ISO 27001 market includes:",[27,1578,1579,1582,1585],{},[30,1580,1581],{},"Multinational certification bodies such as BSI, DNV, TÜV, SGS, and Bureau Veritas, which originated in broader quality and standards certification.",[30,1583,1584],{},"Security-focused firms such as Schellman, Coalfire ISO, A-LIGN, and Prescient Assurance, which also offer SOC 2 and other security attestations.",[30,1586,1587],{},"Regional firms with strong accreditation from specific bodies.",[15,1589,1590],{},"Each has tradeoffs. Larger firms offer geographic coverage and brand recognition. Security-focused firms tend to have deeper technical auditors but may have longer lead times due to demand. Regional firms often offer faster scheduling and lower cost but may lack the brand recognition enterprise customers look for.",[10,1592,1594],{"id":1593},"evaluation-criteria","Evaluation criteria",[15,1596,1597],{},"Use the following criteria to evaluate certification bodies.",[19,1599,1601],{"id":1600},"accreditation-scope","Accreditation scope",[15,1603,1604],{},"Confirm the certification body is accredited specifically for ISO\u002FIEC 27001. Some bodies are accredited for ISO 9001 or other standards but not 27001. Check the accreditation body's register directly, such as the UKAS or ANAB directories, rather than relying on marketing material.",[19,1606,1608],{"id":1607},"industry-and-technology-experience","Industry and technology experience",[15,1610,1611],{},"Auditors vary dramatically in their familiarity with modern technology estates. A cloud-native SaaS company benefits from an auditor who understands AWS shared responsibility, CI\u002FCD security, and SaaS identity patterns. A financial services firm benefits from auditors familiar with PCI overlap. Ask for example clients in your sector and for auditor bios.",[19,1613,1615],{"id":1614},"auditor-availability-and-scheduling","Auditor availability and scheduling",[15,1617,1618],{},"Lead times vary by certification body and by season. Some firms are booking new ISO 27001 clients three to six months out during peak periods. If you have a customer deadline driving certification timing, confirm availability before shortlisting.",[19,1620,1622],{"id":1621},"geographic-coverage","Geographic coverage",[15,1624,1625],{},"If you have multi-site operations, a certification body that can audit all locations is more efficient than coordinating multiple firms. For remote-first companies, ask how the certification body handles remote audits and travel expectations.",[19,1627,1629],{"id":1628},"cost-structure-and-transparency","Cost structure and transparency",[15,1631,1632],{},"Request a detailed proposal that breaks out:",[27,1634,1635,1638,1641,1644,1647,1650,1653],{},[30,1636,1637],{},"Stage 1 audit days and fees.",[30,1639,1640],{},"Stage 2 audit days and fees.",[30,1642,1643],{},"Surveillance audit days and fees for years one and two.",[30,1645,1646],{},"Recertification audit days and fees.",[30,1648,1649],{},"Travel and expenses policy.",[30,1651,1652],{},"Scope change fees.",[30,1654,1655],{},"Certificate maintenance fees.",[15,1657,1658],{},"Be wary of quotes that only cover the initial audit. The full three-year cycle is what matters.",[19,1660,1662],{"id":1661},"customer-reputation","Customer reputation",[15,1664,1665],{},"Ask for references from existing clients, ideally in your industry and size bracket. Talk to those references about audit quality, auditor professionalism, scheduling responsiveness, and how disputes were handled. Social proof from peers matters more than vendor testimonials.",[19,1667,1669],{"id":1668},"audit-approach","Audit approach",[15,1671,1672],{},"Different certification bodies emphasize different audit styles. Some are heavily documentation-focused. Others are more interview-driven. Some are collaborative. Others are adversarial. Ask how they handle findings, how disputes are resolved, and what the escalation path looks like.",[10,1674,1676],{"id":1675},"typical-cost-ranges","Typical cost ranges",[15,1678,1679],{},"For a small to mid-sized technology company with a single-site ISMS scope:",[27,1681,1682,1688,1694,1700],{},[30,1683,1684,1687],{},[33,1685,1686],{},"Stage 1 audit."," One to two auditor days. $3,000 to $8,000.",[30,1689,1690,1693],{},[33,1691,1692],{},"Stage 2 audit."," Three to ten auditor days depending on scope complexity. $10,000 to $35,000.",[30,1695,1696,1699],{},[33,1697,1698],{},"Surveillance audits."," One to three auditor days per year. $5,000 to $15,000 annually.",[30,1701,1702,1705],{},[33,1703,1704],{},"Recertification."," Similar to Stage 2. $10,000 to $30,000 every three years.",[15,1707,1708],{},"Across a three-year cycle, total certification body fees usually land between $40,000 and $90,000 for a mid-sized company. Multi-site scopes and global audits can push this significantly higher.",[10,1710,1712],{"id":1711},"independence-from-consulting","Independence from consulting",[15,1714,1715],{},"ISO 27001 accreditation rules prohibit the same firm from providing consulting or implementation services and then certifying the same client. Many certification bodies have consulting affiliates or offer related services, but the accreditation rules force separation between those and the audit engagement.",[15,1717,1718],{},"If you engaged a consultancy for gap analysis or ISMS implementation, that firm cannot also be your certification body for the same engagement. Plan accordingly and select the certification body independently of your consulting partner.",[10,1720,1722],{"id":1721},"how-this-fits-into-your-isms","How this fits into your ISMS",[15,1724,1725,1726,1729,1730,1732],{},"Certification body selection sits between ",[223,1727,1728],{"href":862},"ISMS implementation"," and the ",[223,1731,1095],{"href":970},". Ideally, the certification body is selected three to six months before you plan to begin Stage 1, giving time for scheduling and any pre-audit conversations.",[15,1734,1735,1736,1738],{},"After initial certification, the relationship continues through ",[223,1737,1425],{"href":1424},". Changing certification bodies is possible but carries some friction: the new firm will usually require a transfer audit to confirm your certificate is valid and in good standing. Most organizations stay with their initial certification body for at least one three-year cycle.",[15,1740,1741,1742,1746],{},"The certification body's audit approach also interacts with your ",[223,1743,1745],{"href":1744},"\u002Fframeworks\u002Fiso27001\u002Fisms-scope","ISMS scope",". A clear scope statement reduces audit days and audit cost. Ambiguous scope drives longer audits.",[10,1748,1750],{"id":1749},"common-pitfalls","Common pitfalls",[27,1752,1753,1759,1765,1771,1777,1783],{},[30,1754,1755,1758],{},[33,1756,1757],{},"Choosing based on price alone."," A cheap audit from an unfamiliar body can fail to carry weight in enterprise procurement and end up costing more in lost deals.",[30,1760,1761,1764],{},[33,1762,1763],{},"Not verifying accreditation."," Marketing sites sometimes overstate accreditation. Check the accreditation body's register directly.",[30,1766,1767,1770],{},[33,1768,1769],{},"Ignoring auditor tenure."," Newly minted ISO 27001 auditors may not spot the issues experienced auditors do. Ask about specific auditors likely to be assigned.",[30,1772,1773,1776],{},[33,1774,1775],{},"Selecting too late."," Scheduling pressure pushes organizations to accept the first available body rather than the best-fit body.",[30,1778,1779,1782],{},[33,1780,1781],{},"Assuming the same firm can audit across all frameworks."," Some certification bodies also issue SOC 2 reports, but ISO 27001 and SOC 2 require different qualifications. Evaluate each separately.",[30,1784,1785,1788],{},[33,1786,1787],{},"Ignoring surveillance audit cost."," A low initial audit with high surveillance fees can be more expensive over three years than a higher initial quote.",[10,1790,1792],{"id":1791},"how-episki-helps","How episki helps",[15,1794,1795],{},"episki helps by keeping your ISMS in an audit-ready state regardless of which certification body you choose. The platform generates the scope statement, Statement of Applicability, evidence pack, and audit trail that every accredited certification body expects. Customers entering certification body conversations can share a clean summary of their programme to get faster, more accurate proposals.",[15,1797,1798,1799,1802],{},"Return to the ",[223,1800,1801],{"href":225},"ISO 27001 framework overview"," for the full certification journey and how certification body selection fits in.",{"title":229,"searchDepth":230,"depth":230,"links":1804},[1805,1806,1807,1808,1817,1818,1819,1820,1821],{"id":1490,"depth":230,"text":1491},{"id":1520,"depth":230,"text":1521},{"id":1572,"depth":230,"text":1573},{"id":1593,"depth":230,"text":1594,"children":1809},[1810,1811,1812,1813,1814,1815,1816],{"id":1600,"depth":235,"text":1601},{"id":1607,"depth":235,"text":1608},{"id":1614,"depth":235,"text":1615},{"id":1621,"depth":235,"text":1622},{"id":1628,"depth":235,"text":1629},{"id":1661,"depth":235,"text":1662},{"id":1668,"depth":235,"text":1669},{"id":1675,"depth":230,"text":1676},{"id":1711,"depth":230,"text":1712},{"id":1721,"depth":230,"text":1722},{"id":1749,"depth":230,"text":1750},{"id":1791,"depth":230,"text":1792},"How to evaluate and select an ISO 27001 certification body, including accreditation (UKAS, ANAB, JAS-ANZ), cost, scope, and what to ask during selection.",{"items":1824},[1825,1828,1831,1834,1837],{"label":1826,"content":1827},"What is an ISO 27001 certification body?","A certification body, sometimes called a registrar, is an accredited organization that audits your ISMS and issues your ISO 27001 certificate if you pass. Examples include BSI, DNV, TÜV, Schellman, Coalfire ISO, and A-LIGN.",{"label":1829,"content":1830},"What does accreditation mean and why does it matter?","Accreditation is independent oversight of the certification body itself. Accreditation bodies like UKAS in the UK and ANAB in the US audit certification bodies to ensure they are competent and impartial. A certificate from a non-accredited body has limited value in enterprise procurement.",{"label":1832,"content":1833},"How much does an ISO 27001 certification body cost?","Certification audit costs typically range from $15,000 to $40,000 for Stage 1 and Stage 2 combined, depending on scope, complexity, and auditor location. Annual surveillance audits typically run $8,000 to $20,000. Recertification in year three is similar in scale to the original audit.",{"label":1835,"content":1836},"Should I pick the cheapest certification body?","No. The cheapest option is rarely the best. Accreditation status, industry familiarity, auditor availability, and customer reputation usually outweigh small price differences. A cheap audit that your customers do not respect is worse than no audit.",{"label":1838,"content":1839},"Can the same firm that helped us prepare also certify us?","No. ISO 27001 requires certification bodies to be independent. A firm that provided consulting, gap analysis, or implementation support cannot also perform your certification audit. Many firms have separate consulting and certification arms, and the accreditation rules still prohibit overlap on the same client.",{},"\u002Fframeworks\u002Fiso27001\u002Fcertification-body-selection",[248,250,251],[1464,1465,1844,1463],"isms-scope",{"title":1846,"description":1847},"ISO 27001 Certification Body Selection — UKAS, ANAB & More","Pick the right ISO 27001 certification body. Compare accreditation, cost, industry fit, and auditor availability with a practical evaluation checklist.","5.frameworks\u002Fiso27001\u002Fcertification-body-selection","_OesFcheTLTJMpFIixfiRWtY7P0oEz2AiyQV3Q_iltA",{"id":1851,"title":1852,"advantages":1853,"body":1875,"checklist":2262,"cta":2273,"description":229,"extension":242,"faq":2276,"hero":2293,"lastUpdated":2309,"meta":2310,"name":436,"navigation":245,"path":225,"resources":2311,"seo":2324,"slug":248,"stats":2327,"stem":2336,"__hash__":2337},"frameworks\u002F5.frameworks\u002Fiso27001.md","Iso27001",[1854,1861,1868],{"title":1855,"description":1856,"bullets":1857},"Statement of Applicability in minutes","Generate and maintain your SoA directly from your control graph with justification notes for every inclusion and exclusion.",[1858,1859,1860],"Auto-populate applicability status from existing controls","Link each control to risk treatment decisions","Export auditor-ready SoA documents on demand",{"title":1862,"description":1863,"bullets":1864},"Risk-driven control management","Connect your risk register to Annex A controls so treatment plans and evidence stay aligned as threats evolve.",[1865,1866,1867],"Risk assessment templates following ISO 27005 guidance","Heat maps show residual risk by domain","Treatment plans tie directly to control tasks and owners",{"title":1869,"description":1870,"bullets":1871},"Surveillance audit confidence","Keep your ISMS current between certification cycles with continuous monitoring and internal audit workflows.",[1872,1873,1874],"Automated evidence refresh and expiration alerts","Internal audit scheduling with finding tracking","Management review templates with trend data",{"type":7,"value":1876,"toc":2244},[1877,1880,1888,1891,1894,1897,1901,1904,1907,1910,1914,1917,1929,1933,1936,1943,1946,1950,1957,1960,1967,1970,1976,1979,1986,1990,1993,2037,2044,2050,2054,2057,2060,2066,2070,2073,2076,2087,2091,2094,2102,2106,2109,2116,2120,2123,2149,2156,2160,2163,2170,2174,2177,2184,2188,2191,2212,2218,2222,2225,2238,2241],[10,1878,268],{"id":1879},"what-is-iso-27001",[15,1881,1882,1884,1885,1887],{},[223,1883,436],{"href":1435}," is the world's most widely adopted international standard for information security management. Formally titled ISO\u002FIEC 27001, it defines the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System, or ",[223,1886,1017],{"href":1016},". Organizations that align with ISO 27001 commit to a risk-based, process-driven approach to protecting the confidentiality, integrity, and availability of the information they hold on behalf of customers, employees, and business partners.",[15,1889,1890],{},"The standard is published jointly by two bodies. The International Organization for Standardization (ISO), headquartered in Geneva, develops consensus-based standards across nearly every industry. The International Electrotechnical Commission (IEC) is its counterpart for electrotechnical and information technology standards. Together, their joint technical committee ISO\u002FIEC JTC 1\u002FSC 27 maintains the ISO 27001 family, which includes supporting documents such as ISO 27002 (implementation guidance) and ISO 27005 (risk management guidance).",[15,1892,1893],{},"ISO 27001 was first released in 2005, revised in 2013, and most recently updated in October 2022. The 2022 revision is now the only version against which new ISO 27001 certifications are issued. Any discussion of ISO 27001 today should default to this edition, which reorganized the control set and introduced eleven new controls addressing modern risks like threat intelligence, data masking, and secure coding.",[15,1895,1896],{},"At the heart of ISO 27001 is the concept of an ISMS. An ISMS is not a product you can buy or a checklist you can run through once. It is the living combination of policies, processes, people, and technology that your organization uses to identify information security risks, decide how to treat them, implement controls, measure effectiveness, and continually improve. ISO 27001 provides the blueprint. Your ISMS is the thing you build from that blueprint.",[10,1898,1900],{"id":1899},"why-iso-27001-matters","Why ISO 27001 matters",[15,1902,1903],{},"ISO 27001 is recognized in more than 160 countries and frequently shows up as a procurement requirement for enterprise technology contracts, financial services partnerships, public sector work, and any organization selling into European or APAC markets. Unlike self-attested programs, ISO 27001 certification is issued by an independent accredited certification body, which gives customers and regulators external assurance that your security practices are real and not marketing.",[15,1905,1906],{},"Beyond procurement, ISO 27001 brings discipline. Many organizations treat security as a reactive function that only activates after an incident or failed audit. The ISO 27001 approach forces proactive risk identification, documented decisions, and measurable effectiveness. Even teams that never pursue certification often adopt the ISO 27001 framework as an internal operating model because it is mature, well-documented, and maps cleanly to other standards.",[15,1908,1909],{},"ISO 27001 also signals organizational maturity to investors. Due diligence for Series B and later funding rounds almost always includes a security review. Holding an ISO 27001 certificate short-circuits much of that review and accelerates close.",[10,1911,1913],{"id":1912},"the-iso-27001-certification-process","The ISO 27001 certification process",[15,1915,1916],{},"ISO 27001 certification follows a standardized two-stage audit model used worldwide. A Stage 1 audit reviews your ISMS documentation and readiness. A Stage 2 audit evaluates whether your ISMS is actually implemented and effective in practice. If there are no major nonconformities, the certification body recommends certification and a three-year certificate is issued. Annual surveillance audits follow, with full recertification every three years.",[15,1918,1919,1920,1923,1924,1928],{},"For a deep walkthrough of every phase of the journey, including timelines, auditor expectations, and common pitfalls, see the ",[223,1921,1922],{"href":970},"ISO 27001 certification process guide",". If you are still evaluating whether to pursue ISO 27001 at all, the ",[223,1925,1927],{"href":1926},"\u002Fnow\u002Fiso27001-certification-guide","ISO 27001 certification guide"," covers the business case and sequencing decisions.",[10,1930,1932],{"id":1931},"iso-270012022-what-changed","ISO 27001:2022 — What changed",[15,1934,1935],{},"The 2022 revision is the current version of the standard. Two changes matter most for teams implementing ISO 27001 today.",[15,1937,1938,1939,1942],{},"First, the control set was restructured. The 2013 edition had 114 controls across 14 domains. ISO 27001:2022 consolidates these into ",[33,1940,1941],{},"93 controls across four themes",": organizational (37 controls), people (8 controls), physical (14 controls), and technological (34 controls). Eleven entirely new controls were introduced, including threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.",[15,1944,1945],{},"Second, the clause-level requirements in sections 4 through 10 received targeted updates around planning, leadership commitment, and operational control. The Plan-Do-Check-Act structure remains, but the language is tighter and more aligned with other ISO management system standards such as ISO 9001 and ISO 14001. Organizations holding ISO 27001:2013 certificates were given a transition window, and most have now migrated. New certifications are assessed exclusively against ISO 27001:2022.",[10,1947,1949],{"id":1948},"annex-a-controls","Annex A controls",[15,1951,1952,1953,1956],{},"Annex A of ISO 27001 is the reference control set. The ",[223,1954,1955],{"href":440},"93 Annex A controls"," are organized under the four themes described above and represent the universe of possible safeguards your ISMS might apply. Every control must be evaluated for applicability and either implemented or formally excluded with justification.",[15,1958,1959],{},"Organizational controls cover governance, policy, third-party management, incident response, and business continuity. People controls address screening, training, responsibilities, and remote working. Physical controls protect buildings, equipment, and storage media. Technological controls handle access control, cryptography, logging, vulnerability management, secure development, and cloud security.",[15,1961,1962,1963,1966],{},"For a full breakdown of every theme, example controls in each, and how to prioritize implementation, see the ",[223,1964,1965],{"href":1459},"ISO 27001 Annex A controls reference",". ISO 27002:2022 provides detailed implementation guidance for each control and is invaluable as a companion reference, though it is not mandatory to follow prescriptively.",[10,1968,966],{"id":1969},"statement-of-applicability-soa",[15,1971,962,1972,1975],{},[223,1973,1368],{"href":1974},"\u002Fglossary\u002Fstatement-of-applicability"," is arguably the single most important document in your ISO 27001 program. The SoA lists every Annex A control, records whether it is applicable to your ISMS, explains why, and summarizes how the control is implemented. It is the document auditors will open first, and it is the document customers may ask to see.",[15,1977,1978],{},"A well-built SoA ties directly to your risk assessment output. Controls are marked applicable because they treat identified risks, satisfy legal or contractual requirements, or reflect business decisions. Controls marked not applicable require a short but credible justification. Auditors routinely sample SoA entries during Stage 2 and ask for corresponding evidence.",[15,1980,1981,1982,1985],{},"See the dedicated guide on the ",[223,1983,1984],{"href":965},"ISO 27001 Statement of Applicability"," for format examples, justification patterns, and common SoA mistakes.",[10,1987,1989],{"id":1988},"building-your-isms","Building your ISMS",[15,1991,1992],{},"Implementing ISO 27001 is primarily an exercise in building a functioning ISMS. The standard walks through this in clauses 4 through 10:",[27,1994,1995,2001,2007,2013,2019,2025,2031],{},[30,1996,1997,2000],{},[33,1998,1999],{},"Clause 4 — Context of the organization."," Understand internal and external issues, interested parties, and define the ISMS scope.",[30,2002,2003,2006],{},[33,2004,2005],{},"Clause 5 — Leadership."," Top management must demonstrate commitment, approve the information security policy, and assign roles.",[30,2008,2009,2012],{},[33,2010,2011],{},"Clause 6 — Planning."," Identify risks and opportunities, set information security objectives, and plan how to achieve them.",[30,2014,2015,2018],{},[33,2016,2017],{},"Clause 7 — Support."," Provide resources, competence, awareness, communication, and documented information.",[30,2020,2021,2024],{},[33,2022,2023],{},"Clause 8 — Operation."," Execute the risk assessment and risk treatment process and operate the ISMS on an ongoing basis.",[30,2026,2027,2030],{},[33,2028,2029],{},"Clause 9 — Performance evaluation."," Monitor, measure, analyze, evaluate, conduct internal audits, and hold management reviews.",[30,2032,2033,2036],{},[33,2034,2035],{},"Clause 10 — Improvement."," Handle nonconformities and drive continual improvement.",[15,2038,2039,2040,2043],{},"Each clause has mandatory documented information and mandatory activities. The ",[223,2041,2042],{"href":862},"ISO 27001 ISMS implementation guide"," breaks down exactly what to produce at each stage.",[15,2045,2046,2047,2049],{},"Scope definition deserves special attention. A scope that is too narrow can fail to satisfy customers. A scope that is too broad inflates audit cost and implementation effort. The ",[223,2048,1745],{"href":1744}," guide walks through how to draw the right boundaries for your business.",[10,2051,2053],{"id":2052},"iso-27001-risk-assessment","ISO 27001 risk assessment",[15,2055,2056],{},"Risk assessment is the engine that drives control selection in ISO 27001. The standard requires a documented, repeatable methodology. Most organizations use a qualitative or semi-quantitative approach that evaluates likelihood and impact across confidentiality, integrity, and availability. ISO 27005 provides detailed guidance but is not mandatory.",[15,2058,2059],{},"Outputs of the risk assessment feed directly into the risk treatment plan, which in turn feeds the Statement of Applicability. This chain is why ISO 27001 auditors spend significant time tracing from a risk to a treatment decision to a control to evidence of operation. Break this chain and you create nonconformities.",[15,2061,2062,2063,227],{},"For methodology, risk register structure, treatment options, and residual risk handling, see the ",[223,2064,2065],{"href":1356},"ISO 27001 risk assessment guide",[10,2067,2069],{"id":2068},"internal-audits-and-management-review","Internal audits and management review",[15,2071,2072],{},"Two activities inside Clause 9 are frequent failure points for first-time ISO 27001 certifiers. Clause 9.2 requires internal audits of the ISMS at planned intervals. Clause 9.3 requires a formal management review with defined inputs and outputs. Both must be complete before your Stage 2 audit.",[15,2074,2075],{},"Internal audits must cover every clause of ISO 27001 and every applicable Annex A control across your audit cycle. Auditors must be objective and impartial, which typically means the person who built a control cannot audit it. Findings must be documented, communicated, and tracked to closure.",[15,2077,2078,2079,1729,2083,227],{},"Management reviews force leadership engagement. Inputs include audit results, risk changes, nonconformities, and stakeholder feedback. Outputs include decisions on resources, improvement opportunities, and changes to the ISMS. Detailed coverage lives in the ",[223,2080,2082],{"href":2081},"\u002Fframeworks\u002Fiso27001\u002Finternal-audit","internal audit guide",[223,2084,2086],{"href":2085},"\u002Fframeworks\u002Fiso27001\u002Fmanagement-review","management review guide",[10,2088,2090],{"id":2089},"nonconformities-and-corrective-action","Nonconformities and corrective action",[15,2092,2093],{},"When something in your ISMS does not meet ISO 27001 requirements, your own policies, or customer obligations, that is a nonconformity. Clauses 10.1 and 10.2 require you to react, contain the consequences, perform root cause analysis, implement corrective action, and verify effectiveness.",[15,2095,2096,2097,2101],{},"Mature organizations treat nonconformities as valuable signals rather than failures. The ",[223,2098,2100],{"href":2099},"\u002Fframeworks\u002Fiso27001\u002Fnonconformity-and-corrective-action","nonconformity and corrective action"," guide walks through the full CAPA workflow auditors expect to see.",[10,2103,2105],{"id":2104},"continual-improvement","Continual improvement",[15,2107,2108],{},"Clause 10.3 requires continual improvement of the suitability, adequacy, and effectiveness of the ISMS. This is not about constantly changing controls. It is about demonstrating measurable progress over time through metrics, KPIs, trend analysis, and lessons learned.",[15,2110,2111,2112,227],{},"Learn how to set ISMS metrics that auditors respect and leadership actually uses in the ",[223,2113,2115],{"href":2114},"\u002Fframeworks\u002Fiso27001\u002Fcontinual-improvement","continual improvement guide",[10,2117,2119],{"id":2118},"cost-and-timeline","Cost and timeline",[15,2121,2122],{},"ISO 27001 certification costs vary by scope, organization size, and maturity. A realistic budget range for a first-time certification at a small to mid-sized technology company looks like this:",[27,2124,2125,2131,2137,2143],{},[30,2126,2127,2130],{},[33,2128,2129],{},"Internal effort."," Six to twelve months of fractional time from an ISMS owner plus contributions from engineering, HR, legal, and IT. Equivalent fully loaded cost of $50,000 to $200,000.",[30,2132,2133,2136],{},[33,2134,2135],{},"External consulting (optional)."," Gap analysis and implementation support from a consultancy typically runs $20,000 to $100,000 depending on scope.",[30,2138,2139,2142],{},[33,2140,2141],{},"Certification body fees."," Stage 1 and Stage 2 audits combined usually cost $15,000 to $40,000. Annual surveillance audits run $8,000 to $20,000. Recertification in year three runs similar to the initial audit.",[30,2144,2145,2148],{},[33,2146,2147],{},"Platform and tooling."," GRC platforms like episki typically replace $30,000 or more in spreadsheet-driven consulting labor annually.",[15,2150,2151,2152,2155],{},"Total first-year ISO 27001 program cost for a 50 to 200 person company commonly lands between $60,000 and $150,000 all-in. Timeline from kickoff to certificate in hand is typically nine to fifteen months. See the ",[223,2153,2154],{"href":970},"cost and timeline discussion in the certification process guide"," for more detail.",[10,2157,2159],{"id":2158},"choosing-a-certification-body","Choosing a certification body",[15,2161,2162],{},"Only an accredited certification body can issue a recognized ISO 27001 certificate. Accreditation is granted by national bodies such as UKAS in the United Kingdom, ANAB in the United States, and JAS-ANZ in Australia and New Zealand, all operating under the International Accreditation Forum (IAF). A certificate from a non-accredited body has little value with enterprise customers.",[15,2164,2165,2166,2169],{},"Selection criteria include accreditation scope, industry experience, auditor availability, geographic coverage, and cost transparency. The ",[223,2167,2168],{"href":1841},"certification body selection guide"," walks through the full evaluation.",[10,2171,2173],{"id":2172},"surveillance-audits-and-recertification","Surveillance audits and recertification",[15,2175,2176],{},"Once certified, your ISO 27001 certificate is valid for three years. Certification bodies conduct a lighter annual surveillance audit in years one and two to confirm the ISMS is still operating effectively. A full recertification audit occurs in year three. Nonconformities identified during surveillance can put your certificate at risk if not resolved within the specified timeframe.",[15,2178,2179,2180,2183],{},"See the ",[223,2181,2182],{"href":1424},"surveillance audits guide"," for preparation checklists and what auditors typically sample during year-one and year-two visits.",[10,2185,2187],{"id":2186},"iso-27001-vs-soc-2-vs-nist-csf","ISO 27001 vs SOC 2 vs NIST CSF",[15,2189,2190],{},"Customers and leadership teams frequently ask how ISO 27001 compares to other frameworks. The short version:",[27,2192,2193,2201],{},[30,2194,2195,2200],{},[33,2196,2197,2198,227],{},"ISO 27001 vs ",[223,2199,428],{"href":427}," ISO 27001 is an international certification of an ISMS. SOC 2 is a US-centric attestation of controls aligned with the AICPA Trust Services Criteria. SOC 2 produces a detailed report; ISO 27001 produces a certificate. SOC 2 is faster to complete and often preferred by US buyers. ISO 27001 is stronger for European customers and regulated industries. Many organizations run both, mapping controls once in a tool like episki.",[30,2202,2203,2206,2207,2211],{},[33,2204,2205],{},"ISO 27001 vs NIST CSF."," NIST CSF is a voluntary US framework structured around five functions: Identify, Protect, Detect, Respond, and Recover. It is not a certification. Organizations often use NIST CSF as a maturity assessment tool and ISO 27001 as the formal certification. The two map cleanly at the control level. See ",[223,2208,2210],{"href":2209},"\u002Fframeworks\u002Fnistcsf\u002Fmapping-to-other-frameworks","NIST CSF mapping to other frameworks"," for a side-by-side comparison.",[15,2213,2214,2215,2217],{},"If you are weighing which framework to pursue first, the ",[223,2216,1927],{"href":1926}," covers framework sequencing for growing companies.",[10,2219,2221],{"id":2220},"getting-certified-with-episki","Getting certified with episki",[15,2223,2224],{},"Most teams discover that ISO 27001 certification is less about security expertise and more about sustained, organized execution across months of risk assessments, control implementation, evidence collection, and documentation. Spreadsheet-based ISO 27001 programs tend to collapse under their own weight, especially when the certification cycle extends across surveillance audits and the 2022 transition creates additional documentation churn.",[15,2226,2227,2228,2232,2233,2237],{},"episki was built to collapse that effort. The platform ships with the full 93-control Annex A library pre-mapped, automatic Statement of Applicability generation, a risk register tied to ISO 27005 treatment options, internal audit workflows, management review templates, and continuous evidence collection. Customers regularly compare episki against more established vendors; see ",[223,2229,2231],{"href":2230},"\u002Fcompare\u002Fvanta","episki vs Vanta"," and ",[223,2234,2236],{"href":2235},"\u002Fcompare\u002Fdrata","episki vs Drata"," for honest side-by-side views.",[15,2239,2240],{},"Teams using episki typically cut ISO 27001 preparation time by 60 percent compared to manual approaches and arrive at Stage 2 with a clean, auditor-ready evidence pack. Whether you are starting from zero or migrating an existing ISO 27001:2013 program to the 2022 standard, the platform scales with your scope.",[15,2242,2243],{},"Start a free trial, import your controls, and run your first ISO 27001 gap analysis in under an hour.",{"title":229,"searchDepth":230,"depth":230,"links":2245},[2246,2247,2248,2249,2250,2251,2252,2253,2254,2255,2256,2257,2258,2259,2260,2261],{"id":1879,"depth":230,"text":268},{"id":1899,"depth":230,"text":1900},{"id":1912,"depth":230,"text":1913},{"id":1931,"depth":230,"text":1932},{"id":1948,"depth":230,"text":1949},{"id":1969,"depth":230,"text":966},{"id":1988,"depth":230,"text":1989},{"id":2052,"depth":230,"text":2053},{"id":2068,"depth":230,"text":2069},{"id":2089,"depth":230,"text":2090},{"id":2104,"depth":230,"text":2105},{"id":2118,"depth":230,"text":2119},{"id":2158,"depth":230,"text":2159},{"id":2172,"depth":230,"text":2173},{"id":2186,"depth":230,"text":2187},{"id":2220,"depth":230,"text":2221},{"title":2263,"description":2264,"items":2265},"ISO 27001 certification checklist inside episki","Everything you need to scope, implement, and certify your ISMS is preloaded in your free trial.",[2266,2267,2268,2269,2270,2271,2272],"ISMS scope definition and context of the organization templates","Full Annex A control library with implementation guidance","Risk assessment and treatment plan workflows","Statement of Applicability generator","Internal audit programme with finding management","Management review agenda and output templates","Corrective action tracking with root cause analysis",{"title":2274,"description":2275},"Start your ISO 27001 journey today","Import your controls, define your ISMS scope, and generate your first Statement of Applicability in under an hour.",{"title":2277,"items":2278},"ISO 27001 frequently asked questions",[2279,2282,2285,2287,2290],{"label":2280,"content":2281},"How long does ISO 27001 certification take?","Most organizations achieve certification in 6-12 months depending on scope and existing maturity. The process includes a Stage 1 documentation review and a Stage 2 implementation audit. episki reduces preparation time by up to 60% with pre-mapped controls and automated evidence.",{"label":2283,"content":2284},"What is the difference between ISO 27001 and SOC 2?","ISO 27001 is an international certification standard focused on building a complete information security management system (ISMS). SOC 2 is a US-based attestation that evaluates specific Trust Services Criteria. Many companies pursue both, and episki lets you map controls once and reuse them across frameworks.",{"label":266,"content":2286},"An Information Security Management System (ISMS) is the set of policies, procedures, controls, and processes an organization uses to manage information security risk. ISO 27001 provides the framework for establishing, implementing, maintaining, and continually improving an ISMS.",{"label":2288,"content":2289},"How much does ISO 27001 certification cost?","Certification costs vary by organization size and scope but typically range from $30,000 to $80,000 including auditor fees, with ongoing surveillance audit costs annually. episki's flat-rate pricing keeps the platform cost predictable at $500\u002Fmonth.",{"label":2291,"content":2292},"How often are ISO 27001 surveillance audits?","After initial certification, surveillance audits occur annually to confirm your ISMS remains effective. A full recertification audit is required every three years. episki's continuous monitoring keeps evidence current between audits.",{"headline":2294,"title":2295,"description":2296,"links":2297},"ISO 27001 certification on your timeline","Build and maintain your ISMS without drowning in spreadsheets","episki maps Annex A controls, tracks your Statement of Applicability, and keeps risk treatment plans linked to real evidence so certification audits run smoothly.",[2298,2302],{"label":2299,"icon":2300,"to":2301},"Start ISO 27001 trial","i-lucide-rocket","https:\u002F\u002Fepiski.app\u002Fauth\u002Fregister",{"label":2303,"icon":2304,"color":2305,"variant":2306,"to":2307,"target":2308},"Book a demo","i-lucide-message-circle","neutral","subtle","\u002Fdemo","_blank","2026-04-27",{},{"headline":2312,"title":2312,"description":2313,"items":2314},"ISO 27001 certification resources","Give leadership, auditors, and customers visibility into your ISMS maturity.",[2315,2318,2321],{"title":2316,"description":2317},"ISMS maturity dashboard","Visual progress across all Annex A domains with gap analysis and trending.",{"title":2319,"description":2320},"Auditor collaboration portal","Scoped access for certification bodies with evidence requests and Q&A threads.",{"title":2322,"description":2323},"Customer trust pack","Shareable ISO 27001 certification summary with scope details and control highlights.",{"title":2325,"description":2326},"ISO 27001 Compliance Platform","Build and certify your ISMS faster with episki. Annex A control mapping, SoA generation, and risk treatment plans in one workspace. Free 14-day trial.",[2328,2330,2333],{"value":1955,"description":2329},"Pre-mapped to your control graph with owners, evidence, and review cadences.",{"value":2331,"description":2332},"60% less prep","Average reduction in Stage 2 audit preparation time with episki's automation.",{"value":2334,"description":2335},"Continuous compliance","Surveillance audits stay painless with always-current evidence and risk registers.","5.frameworks\u002Fiso27001","aThn2G4vv-MUlfe5mhRJFQHtMgpdfJi3-UMVou77OZs",{"id":2339,"title":2340,"body":2341,"comparison":2432,"competitorA":2477,"competitorB":2478,"cta":2479,"description":229,"extension":242,"faq":1457,"hero":2482,"lastUpdated":2309,"meta":2490,"navigation":245,"path":2491,"seo":2492,"slug":2495,"slugA":2496,"slugB":2497,"stem":2498,"verdict":2499,"__hash__":2503},"compareVs\u002F7.compare\u002Fvs\u002Fdrata-vs-secureframe.md","Drata Vs Secureframe",{"type":7,"value":2342,"toc":2422},[2343,2347,2350,2354,2357,2363,2366,2370,2373,2376,2379,2383,2386,2389,2393,2396,2399,2403,2406,2409,2413,2416,2419],[10,2344,2346],{"id":2345},"drata-vs-secureframe-the-closest-comparison-in-compliance","Drata vs Secureframe: the closest comparison in compliance",[15,2348,2349],{},"If Vanta is the 800-pound gorilla, Drata and Secureframe are the two challengers most often compared against each other. They target similar buyers, cover similar frameworks, and offer similar automation. The differences are real but subtle — and they matter most in how your team experiences the platform day to day.",[19,2351,2353],{"id":2352},"feature-parity-with-different-emphasis","Feature parity with different emphasis",[15,2355,2356],{},"On paper, Drata and Secureframe look nearly identical. Both automate evidence collection, monitor your compliance posture continuously, support 15+ frameworks, and provide auditor-facing portals. The overlap is so significant that choosing between them often comes down to three factors: onboarding style, dashboard experience, and pricing.",[15,2358,2359,2362],{},[33,2360,2361],{},"Onboarding style"," is the clearest differentiator. Drata leans toward self-serve. The platform guides you through integration setup, control mapping, and evidence configuration with in-app workflows. For teams with compliance experience, this speed is an advantage — you can be operational in 1–2 weeks without waiting for a human to walk you through every step.",[15,2364,2365],{},"Secureframe takes the opposite approach. Every customer gets access to dedicated compliance managers who help interpret requirements, map controls to your environment, and prepare for audit. This white-glove model adds a week or two to implementation but dramatically reduces the learning curve for first-time audit teams.",[19,2367,2369],{"id":2368},"the-dashboard-question","The dashboard question",[15,2371,2372],{},"Drata's compliance dashboard is one of its signature features. The real-time posture view shows passing and failing controls across every framework, with compliance percentages and trend data. For compliance leads who report to a CISO or board, this visual layer simplifies status updates and makes it easy to demonstrate progress.",[15,2374,2375],{},"Secureframe also provides dashboards, but they feel more functional than visual. The platform surfaces actionable items — controls that need attention, evidence that's expiring, gaps to remediate — in a task-oriented format. It's effective, but it doesn't deliver the same at-a-glance executive view that Drata provides.",[15,2377,2378],{},"For teams that need board-ready compliance reporting, Drata has the edge. For teams that care more about daily workflow and task management, Secureframe's approach may feel more productive.",[19,2380,2382],{"id":2381},"integration-depth","Integration depth",[15,2384,2385],{},"Secureframe holds a slight advantage in integration count, with 150+ connections compared to Drata's 100+. The extra integrations primarily cover developer tools, identity providers, and security platforms. For teams running complex stacks with multiple CI\u002FCD pipelines, vulnerability scanners, and endpoint management tools, Secureframe's broader integration library means less manual evidence collection.",[15,2387,2388],{},"Drata's integrations, while fewer in number, tend to offer deeper configuration options for the platforms they do support. If your stack is standard — AWS or GCP, Okta or Google Workspace, GitHub, and a common HR tool — both platforms will serve you equally well.",[19,2390,2392],{"id":2391},"pricing-opacity","Pricing opacity",[15,2394,2395],{},"Neither Drata nor Secureframe publishes pricing. Both require a sales conversation to get a quote, and both scale based on team size, framework count, and contract terms. Based on market data, Drata typically starts around $10,000–$15,000\u002Fyr while Secureframe starts slightly lower at $8,000–$12,000\u002Fyr. At scale, both reach $30,000–$50,000\u002Fyr for larger organizations.",[15,2397,2398],{},"This pricing opacity creates a frustrating buying experience. You can't model costs internally before engaging sales. You can't easily compare options. And renewal conversations often involve price increases that are hard to predict at the time of initial purchase.",[19,2400,2402],{"id":2401},"where-both-platforms-struggle","Where both platforms struggle",[15,2404,2405],{},"The irony of comparing Drata and Secureframe is that their most significant limitations are shared. Both use pricing models that punish team growth. Both rely on templated control libraries that resist customization. Both treat policy documentation as a secondary concern — something generated through forms rather than crafted through a proper writing experience.",[15,2407,2408],{},"And both lock you into their workflow assumptions. If your compliance program doesn't map cleanly to their templates — if you run hybrid frameworks, need custom controls, or want to structure programs differently than the default — you'll spend time working around the platform instead of working within it.",[19,2410,2412],{"id":2411},"the-case-for-a-different-approach","The case for a different approach",[15,2414,2415],{},"When two products are this similar, the deciding factor often isn't which one is better — it's whether either one is the right category of tool for your needs. If you want maximum automation and are comfortable with enterprise pricing, Drata and Secureframe both deliver.",[15,2417,2418],{},"But if you want flat pricing at $500\u002Fmo, a Notion-like editor for compliance documentation, and the freedom to build programs that reflect how your team actually operates — episki offers something neither Drata nor Secureframe provides. No per-seat scaling. No opaque quotes. No templated policies that read like every other company's.",[15,2420,2421],{},"Just a workspace your compliance team will use daily, at a price that doesn't make your CFO wince.",{"title":229,"searchDepth":230,"depth":230,"links":2423},[2424],{"id":2345,"depth":230,"text":2346,"children":2425},[2426,2427,2428,2429,2430,2431],{"id":2352,"depth":235,"text":2353},{"id":2368,"depth":235,"text":2369},{"id":2381,"depth":235,"text":2382},{"id":2391,"depth":235,"text":2392},{"id":2401,"depth":235,"text":2402},{"id":2411,"depth":235,"text":2412},[2433,2438,2442,2447,2452,2457,2462,2467,2472],{"feature":2434,"competitorA":2435,"competitorB":2436,"episki":2437},"Pricing model","Custom pricing, typically starting around $10,000–$15,000\u002Fyr","Custom pricing, typically starting around $8,000–$12,000\u002Fyr","Flat $500\u002Fmo or $5,000\u002Fyr with unlimited seats",{"feature":2439,"competitorA":2440,"competitorB":2440,"episki":2441},"Framework coverage","SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and 15+ frameworks","SOC 2, ISO 27001, HIPAA, PCI DSS, NIST CSF, and custom frameworks",{"feature":2443,"competitorA":2444,"competitorB":2445,"episki":2446},"Automation depth","Automated evidence collection with real-time compliance dashboards","Automated monitoring with continuous evidence collection and alerts","AI-assisted drafting and structured workflows with manual evidence uploads",{"feature":2448,"competitorA":2449,"competitorB":2450,"episki":2451},"Integration count","100+ integrations covering major cloud and SaaS platforms","150+ integrations covering cloud, identity, HR, and developer tools","Growing integration library with focus on structured evidence reuse",{"feature":2453,"competitorA":2454,"competitorB":2455,"episki":2456},"Auditor collaboration","Auditor-facing portal with read-only access and evidence downloads","Auditor-ready evidence rooms with structured access controls","Built-in auditor portal with scoped access and Q&A threads",{"feature":2458,"competitorA":2459,"competitorB":2460,"episki":2461},"AI features","AI-assisted control mapping and compliance recommendations","AI-driven compliance recommendations and automated risk scoring","AI drafts policies, narratives, remediation steps, and questionnaire answers",{"feature":2463,"competitorA":2464,"competitorB":2465,"episki":2466},"Implementation time","1–3 weeks with self-serve setup and optional guided onboarding","2–3 weeks with guided onboarding and compliance expertise","Same-day setup with self-serve onboarding and optional demo",{"feature":2468,"competitorA":2469,"competitorB":2470,"episki":2471},"Support model","In-app chat, email support, and dedicated CSM for larger accounts","Dedicated compliance managers, email, and in-app support","Direct founder access, in-app chat, and shared Slack channels",{"feature":2473,"competitorA":2474,"competitorB":2475,"episki":2476},"Free trial","Demo-based sales process, limited free trial availability","Demo-based sales process, no public free trial","14-day free trial with full access, no credit card required","Drata","Secureframe",{"title":2480,"description":2481},"Skip the comparison. Try episki free.","14-day trial with full access. No credit card required.",{"headline":2483,"title":2484,"description":2485,"links":2486},"Drata vs Secureframe","Similar features, different approaches to compliance automation","Compare Drata and Secureframe across pricing, onboarding, and compliance workflows. Two closely matched platforms with subtle but important differences for your team.",[2487,2489],{"label":2488,"icon":2300,"to":2301},"Try episki free",{"label":2303,"icon":2304,"color":2305,"variant":2306,"to":2307,"target":2308},{},"\u002Fcompare\u002Fvs\u002Fdrata-vs-secureframe",{"title":2493,"description":2494},"Drata vs Secureframe (2026): Pricing, Features & Honest Comparison","Drata vs Secureframe compared on pricing, onboarding, framework coverage, and compliance automation. See which platform fits your team — or why neither might be the best choice.","drata-vs-secureframe","drata","secureframe","7.compare\u002Fvs\u002Fdrata-vs-secureframe",{"chooseA":2500,"chooseB":2501,"chooseEpiski":2502},"Choose Drata if you value self-serve speed and visual compliance dashboards. Drata gets you operational faster and provides the clearest real-time view of your compliance posture — ideal for teams with in-house compliance knowledge.","Choose Secureframe if you want more hands-on guidance from dedicated compliance managers. Secureframe's human-led onboarding is better for teams running their first audit without experienced GRC staff.","Choose episki if you want transparent pricing, a writing-first editor, and the flexibility to structure programs your way. episki is for teams that want to own their compliance narrative without paying enterprise prices.","-9bT-xU4uDSMSn9zCOtrDaYtPz87mkvNHS5pQ2bXDTw",{"id":2505,"title":2477,"advantages":2506,"body":2528,"comparison":2579,"competitor":2477,"cta":2606,"description":229,"extension":242,"hero":2609,"lastUpdated":2309,"meta":2617,"navigation":245,"path":2235,"seo":2618,"slug":2496,"stem":2621,"__hash__":2622},"compare\u002F7.compare\u002Fdrata.md",[2507,2514,2521],{"title":2508,"description":2509,"bullets":2510},"One flat price for everything","episki includes unlimited frameworks, teammates, and portals for a single monthly or annual fee. No tiers, no negotiations.",[2511,2512,2513],"Add frameworks without upgrading to a higher tier","Invite auditors, customers, and stakeholders at no extra cost","Predictable billing that does not scale with headcount",{"title":2515,"description":2516,"bullets":2517},"Connected programs and assessments","episki treats compliance as connected work. Programs, assessments, controls, tasks, and issues link together so nothing falls through the cracks.",[2518,2519,2520],"Run recurring programs and one-time assessments side by side","Tasks inherit context from parent controls and programs","Evidence attaches once and stays available across every framework",{"title":2522,"description":2523,"bullets":2524},"Fast, keyboard-driven workspace","episki is built for people who spend hours in the tool. Keyboard shortcuts, global search, and a rich editor make daily compliance work feel fast.",[2525,2526,2527],"Navigate between programs, controls, and evidence without lifting your hands","Inline editing for policies, narratives, and response drafts","Dark mode and responsive layout for any screen",{"type":7,"value":2529,"toc":2574},[2530,2534,2537,2540,2560,2564,2567,2571],[10,2531,2533],{"id":2532},"why-teams-evaluate-drata-alternatives","Why teams evaluate Drata alternatives",[15,2535,2536],{},"Drata has built a comprehensive compliance automation platform with strong automated evidence collection and a wide library of supported frameworks. It works well for organizations that want continuous monitoring with minimal manual intervention.",[15,2538,2539],{},"Some teams look for alternatives when they need:",[27,2541,2542,2548,2554],{},[30,2543,2544,2547],{},[33,2545,2546],{},"Simpler pricing"," — Drata's tiered pricing based on framework count and company size can make budgeting unpredictable, especially for organizations running multiple frameworks or growing quickly.",[30,2549,2550,2553],{},[33,2551,2552],{},"Unified program management"," — teams managing overlapping compliance programs want controls, evidence, and tasks connected across frameworks in a single workspace rather than managed as separate compliance tracks.",[30,2555,2556,2559],{},[33,2557,2558],{},"A daily-use workspace"," — compliance teams that spend significant time writing, reviewing, and collaborating want an editor and navigation experience that feels productive rather than transactional.",[10,2561,2563],{"id":2562},"when-drata-might-be-the-better-fit","When Drata might be the better fit",[15,2565,2566],{},"Drata is a strong choice for teams that prioritize automated continuous monitoring and need a platform with deep integration coverage across cloud, identity, HR, and development tools. If your primary concern is automating evidence collection and you operate in a well-defined framework like SOC 2 or ISO 27001, Drata's automation depth is compelling.",[10,2568,2570],{"id":2569},"when-episki-shines","When episki shines",[15,2572,2573],{},"episki is designed for teams that view compliance as ongoing, cross-functional work rather than a monitoring dashboard. If you run multiple programs, collaborate with auditors directly in the tool, and want a workspace that feels as fast as your engineering tools, episki delivers a different kind of compliance experience.",{"title":229,"searchDepth":230,"depth":230,"links":2575},[2576,2577,2578],{"id":2532,"depth":230,"text":2533},{"id":2562,"depth":230,"text":2563},{"id":2569,"depth":230,"text":2570},[2580,2582,2583,2587,2591,2594,2598,2602],{"feature":2434,"episki":2437,"competitor":2581},"Tiered pricing based on framework count and company size",{"feature":2439,"episki":2441,"competitor":2440},{"feature":2584,"episki":2585,"competitor":2586},"Control management","Linked control graph with cross-framework reuse and ownership","Control library with automated testing and monitoring",{"feature":2588,"episki":2589,"competitor":2590},"Evidence collection","Manual uploads with structured ownership and reuse across frameworks","Automated evidence collection with 100+ integrations",{"feature":2592,"episki":2461,"competitor":2593},"AI assistance","AI-powered compliance automation",{"feature":2595,"episki":2596,"competitor":2597},"Risk management","Risk registers with remediation tracking tied to controls","Built-in risk management with scoring and treatment plans",{"feature":2599,"episki":2600,"competitor":2601},"Editor experience","Notion-like rich text editor with inline editing","Structured forms and workflow-based interface",{"feature":2603,"episki":2604,"competitor":2605},"Collaboration","Built-in auditor portal, customer portals, and team workspaces","Auditor-facing dashboards and team collaboration features",{"title":2607,"description":2608},"Try episki side by side with Drata","Start a free trial with all features enabled. Import your controls and see the difference.",{"headline":2236,"title":2610,"description":2611,"links":2612},"How episki compares to Drata for compliance teams","A head-to-head on pricing, workflow design, and framework flexibility. See why teams that want a faster, more collaborative compliance workspace switch from Drata to episki.",[2613,2615],{"label":2614,"icon":2300,"to":2301},"Start free trial",{"label":2616,"icon":2304,"color":2305,"variant":2306,"to":2307,"target":2308},"See a live demo",{},{"title":2619,"description":2620},"episki vs Drata (2026): Pricing, Flexibility & Why Teams Switch","Compare episki and Drata on pricing, workflow design, and framework flexibility. See why compliance teams switch from Drata to episki.","7.compare\u002Fdrata","cEQX4ERRc-uB7nEUxB1Uik-1ODue4boobvNZiV8Xrvk",{"id":2624,"title":2625,"api":1457,"authors":2626,"body":2632,"category":2768,"date":2769,"description":2770,"extension":242,"features":1457,"fixes":1457,"highlight":1457,"image":2771,"improvements":1457,"meta":2773,"navigation":245,"path":2774,"seo":2775,"stem":2776,"__hash__":2777},"posts\u002F3.now\u002Ftips.md","Tips for Building a Strong Security Culture",[2627],{"name":2628,"to":2629,"avatar":2630},"Justin Leapline","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjustinleapline\u002F",{"src":2631},"\u002Fimages\u002Fjustinleapline.png",{"type":7,"value":2633,"toc":2760},[2634,2637,2640,2643,2646,2650,2653,2656,2659,2663,2666,2678,2681,2685,2688,2691,2694,2698,2701,2704,2707,2711,2714,2717,2720,2724,2727,2730,2733,2738,2748,2755],[15,2635,2636],{},"You can have the best firewall on the market, a mature vulnerability management program, and a SOC running 24\u002F7 — and still be one phishing email away from a serious incident.",[15,2638,2639],{},"Not because your tools failed. Because your people weren't part of the security equation.",[15,2641,2642],{},"Security culture is the difference between an organization where employees see security as someone else's job and one where they actively contribute to it. Building that culture is one of the hardest things a security leader can do — and one of the most valuable.",[15,2644,2645],{},"Here's what actually works.",[10,2647,2649],{"id":2648},"start-with-leadership-not-policy","Start With Leadership, Not Policy",[15,2651,2652],{},"Security culture doesn't start with a training video or an acceptable use policy. It starts at the top.",[15,2654,2655],{},"When executives treat security as a business priority — when they ask about risk posture in board meetings, when they model good security behavior, when they make it clear that security matters — that signal travels through the organization. When they treat it as an IT problem that lives in a different department, that signal travels too.",[15,2657,2658],{},"CISOs who want to build strong security cultures spend time educating and engaging their executive peers, not just their own teams. They make security visible at the leadership level — not as a compliance obligation, but as a business value. That top-down commitment creates the permission structure that everything else depends on.",[10,2660,2662],{"id":2661},"make-security-relevant-to-each-teams-work","Make Security Relevant to Each Team's Work",[15,2664,2665],{},"One of the most common mistakes in security awareness programs is treating every employee the same. A developer, a finance analyst, and a customer service rep face completely different security risks in their day-to-day work — and generic training that doesn't acknowledge those differences gets tuned out quickly.",[15,2667,2668,2669,2673,2674,2677],{},"Effective security culture programs meet people where they are. They connect security concepts to the specific tasks, tools, and risks each team encounters. They explain not just ",[2670,2671,2672],"em",{},"what"," the policy says, but ",[2670,2675,2676],{},"why"," it matters in the context of that person's actual job. When a finance employee understands why wire transfer verification procedures exist — because of the real attacks that target exactly their role — the procedure stops feeling like bureaucracy and starts feeling like protection.",[15,2679,2680],{},"Relevance drives retention. Generic awareness drives compliance theater.",[10,2682,2684],{"id":2683},"reward-the-right-behaviors","Reward the Right Behaviors",[15,2686,2687],{},"Most security programs are designed to catch and punish failures — the employee who clicked the phishing link, the team that bypassed the approval process, the contractor who shared credentials. Consequence is a necessary part of any security program, but it's a poor foundation for culture.",[15,2689,2690],{},"Organizations with strong security cultures also celebrate the behaviors they want to see more of. They recognize employees who report suspicious emails, who raise security concerns in project planning, who push back on shortcuts that introduce risk. They create safe channels for people to admit mistakes without fear of blame, because transparency about near-misses is infinitely more valuable than silence about them.",[15,2692,2693],{},"Psychological safety is a security control. When people are afraid to report problems, problems don't get reported — they get discovered later, when they're much more expensive.",[10,2695,2697],{"id":2696},"integrate-security-into-existing-workflows","Integrate Security Into Existing Workflows",[15,2699,2700],{},"Security culture erodes when security is experienced as friction — a separate process, an additional approval, a tool that slows things down. It strengthens when security is built into how work already gets done.",[15,2702,2703],{},"This means embedding security checkpoints into product development cycles, not bolting them on at the end. It means making secure defaults the easy defaults, so the path of least resistance is also the more secure path. It means involving security early in new business initiatives, not bringing them in after decisions are already made.",[15,2705,2706],{},"The goal isn't to make security invisible — it's to make it natural. When a developer automatically considers threat modeling as part of design, or when a procurement team reflexively asks about vendor security as part of due diligence, culture is working.",[10,2708,2710],{"id":2709},"measure-what-matters-and-be-honest-about-it","Measure What Matters — and Be Honest About It",[15,2712,2713],{},"Security culture is notoriously hard to measure, which leads many organizations to measure the wrong things — training completion rates, phishing simulation click rates, policy acknowledgment counts. These metrics are easy to collect and tell you almost nothing about actual cultural change.",[15,2715,2716],{},"More meaningful signals include: How quickly do employees report suspicious activity? Are security concerns being raised earlier in project lifecycles? Is the volume of policy exception requests going up or down — and why? Are teams coming to security proactively, or only when required?",[15,2718,2719],{},"These measures require more effort to collect, but they reflect something real. And being honest about what the data shows — including the parts that reveal cultural gaps — is what allows leaders to make targeted interventions rather than repeat the same awareness programs and hope for different results.",[10,2721,2723],{"id":2722},"build-for-the-long-game","Build for the Long Game",[15,2725,2726],{},"Security culture isn't built in a quarter. It's built over years of consistent messaging, visible leadership commitment, relevant education, and reinforcement of the right behaviors. It erodes just as slowly — through apathy, through leadership turnover, through programs that go stale, through a security team that becomes adversarial rather than collaborative.",[15,2728,2729],{},"The organizations with the strongest security cultures treat it as an ongoing investment, not a one-time initiative. They revisit and refresh their programs regularly. They measure progress honestly. And they understand that every interaction between the security team and the rest of the business is an opportunity to either build or undermine the culture they're trying to create.",[15,2731,2732],{},"Technology protects systems. Culture protects organizations.",[15,2734,2735],{},[33,2736,2737],{},"Ready to build a security culture that actually sticks?",[15,2739,2740,2741,2747],{},"At ",[223,2742,2746],{"href":2743,"rel":2744},"https:\u002F\u002Fepiski.com",[2745],"nofollow","Episki",", we help security leaders go beyond policies and awareness programs to build the organizational habits and leadership alignment that make security a shared value. If you're ready to make culture a core part of your security strategy, we'd love to talk.",[15,2749,2750],{},[223,2751,2754],{"href":2752,"rel":2753},"https:\u002F\u002Fepiski.com\u002Fcontact",[2745],"Let's talk →",[15,2756,2757],{},[2670,2758,2759],{},"Tools protect systems. Culture protects organizations.",{"title":229,"searchDepth":230,"depth":230,"links":2761},[2762,2763,2764,2765,2766,2767],{"id":2648,"depth":230,"text":2649},{"id":2661,"depth":230,"text":2662},{"id":2683,"depth":230,"text":2684},{"id":2696,"depth":230,"text":2697},{"id":2709,"depth":230,"text":2710},{"id":2722,"depth":230,"text":2723},"craft","2026-05-11","Security tools and policies only go so far. The organizations that are truly resilient are the ones where security is part of how everyone thinks — not just what the security team does.",{"src":2772},"\u002Fimages\u002Fblog\u002FTips.jpg",{},"\u002Fnow\u002Ftips",{"title":2625,"description":2770},"3.now\u002Ftips","LtzuWX4I6GxP-GCS8QRdhlQQW0iHXTak5_7evvpUeK8",1778494680468]