STANDARD ISO/IEC 27001:2022 - ISMS

Prepare your ISO 27001 certification
without losing 6 months

ISO/IEC 27001 is the international reference standard for an Information Security Management System (ISMS). Increasingly required by customers, in tenders, by cyber insurers, or for access to certain export markets, SYAGA supports you from the gap assessment through to preparation for the certification audit.

93
Annex A controls (2022 ed.)
4
Security themes
7
Management clauses (4 to 10)
1
Statement of Applicability delivered

Context

ISO 27001 is not a general legal obligation, but it is becoming an unavoidable commercial prerequisite

📋

A voluntary certification, but increasingly requested

ISO/IEC 27001 remains a voluntary approach. It is nonetheless increasingly required in tenders, by large customers, by some cyber insurers, or as a prerequisite for access to certain export markets.

🔒

Few SMEs have formalized their ISMS

The majority of SMEs and mid-sized companies have not undertaken any structured approach to an Information Security Management System. The topic is perceived as complex, technical, and lengthy.

💰

Long and costly engagements

Classic certification engagements tie up your teams for several months and represent a substantial investment, often out of reach for an SME.

Your IT teams are already overloaded

Tying up the CIO or the security manager for months to build an ISMS is not viable in an SME where everyone already wears several hats.

The ISO27001-Express method

A structured approach in 3 phases, based on the same methodology already proven by SYAGA on PSSI-Express

1
Phase 1 - Gap Assessment

Assessment of the 93 Annex A controls

Scoping interview with management and the IT security manager, followed by a systematic assessment of each of the 93 security controls in Annex A (2022 edition), spread across the 4 themes: organizational, people, physical, and technological. Delivery of a factual gap report.

2
Phase 2 - ISMS documentation

Security policy, Statement of Applicability, and remediation plan

Drafting or updating the security policy (ISMS), the Statement of Applicability (SoA) justifying the application or exclusion of each of the 93 controls, and a prioritized remediation plan to close the gaps identified in phase 1.

3
Phase 3 - Support toward certification

Preparation for the audit by the certification body

Follow-up on the implementation of the remediation plan, documentary review, and preparation of your team for the audit carried out by an independent accredited certification body. SYAGA prepares you for the audit; the certification itself is issued by that third-party body.

What you receive

The core documents of the ISO 27001 certification file

📊

Gap Assessment Report

Factual assessment of your compliance level against the standard.

  • Assessment of the 93 Annex A controls
  • Status per control: compliant / partial / non-compliant
  • Summary by theme (organizational, people, physical, technological)
  • Factual findings, without value judgment
🔐

Statement of Applicability (SoA)

Central normative document of the ISO 27001 certification file.

  • Applicable/excluded status for each of the 93 controls
  • Justification for each exclusion
  • Reference to the ISMS documents
  • Ready to be presented to the certification body
📝

Security policy (ISMS)

The governance document required by clauses 4 to 10 of the standard.

  • Scope and context of the ISMS
  • Security roles and responsibilities
  • Risk management process
  • Continual improvement cycle (PDCA)
🎯

Prioritized remediation plan

The roadmap to close the identified gaps.

  • Actions ranked by priority
  • Organizational and technical measures
  • Progress tracking
  • Progressive preparation for the audit
📄

Operational procedures

Documents directly applicable by your teams.

  • Security incident management
  • Access and identity management
  • Change management
  • IT usage policy
💻

Editable files

All documents in formats you can evolve.

  • Standalone HTML (openable in any browser)
  • High-quality PDF (A4 print)
  • Editable DOCX (Microsoft Word)
  • Updated at each annual review

A shareable documentation base

The ISO 27001 ISMS naturally overlaps with several frameworks

ISO

ISO/IEC 27001:2022

Central framework: clauses 4 to 10 (management requirements) and Annex A (93 security controls spread across 4 themes).

N2

Bridge with NIS2

The cyber risk management measures required by the NIS2 directive largely overlap with the Annex A controls of ISO 27001. An ISO 27001 ISMS makes NIS2 compliance easier for entities in scope.

AN

ANSSI Guide - IT hygiene (France)

The measures in the IT hygiene guide published by ANSSI (the French national cybersecurity agency) overlap significantly with the Annex A controls of ISO 27001. Correspondence documented in the remediation plan.

RG

GDPR (Art. 32)

The appropriate technical and organizational measures required by Article 32 of the GDPR rely on the same good practices as Annex A of ISO 27001 (access control, encryption, incident management).

Offers tailored to your context

Every ISO 27001 engagement is scoped according to your perimeter and current maturity level. Always a personalized quote.

Gap Assessment

Initial snapshot of your gaps

On request
based on scope and headcount
  • Assessment of the 93 Annex A controls
  • Factual findings report
  • Summary by security theme
  • Presentation to management
  • HTML + PDF + DOCX formats
Request a quote

Annual maintenance

After certification or on an ongoing basis

On request
based on scope and headcount
  • Annual ISMS review
  • SoA update
  • Remediation plan update
  • Preparation for surveillance audits
Request a quote

Frequently asked questions

What is the ISO/IEC 27001 standard?
ISO/IEC 27001 is the international reference standard for establishing an Information Security Management System (ISMS). In its 2022 edition, it is structured into clauses 4 to 10 (management requirements: context, leadership, planning, support, operation, evaluation, improvement) and an Annex A of 93 security controls spread across 4 themes: organizational, people, physical, and technological.
Is ISO 27001 mandatory for my company?
No, ISO 27001 is a voluntary certification, unlike regulatory texts such as NIS2. However, it is increasingly required de facto: tenders, requirements from large customers, cyber insurance conditions, or access to certain export markets. It is more a strategic choice than a general legal obligation.
Does SYAGA issue the certification?
No. ISO 27001 certification is issued exclusively by an independent accredited certification body, following an external audit. SYAGA supports you in the preparation (gap assessment, ISMS documentation, remediation plan, preparing your teams), but does not itself issue the certificate.
What is the Statement of Applicability (SoA)?
The SoA is a mandatory normative document of the certification file. It lists each of the 93 Annex A controls and states whether it is applied or excluded, with the corresponding justification. It is one of the most closely scrutinized documents during the certification audit.
How much time do I need to commit my teams?
Most of the work (assessment, documentation drafting, remediation plan) is carried out by our auditors. Your teams are mainly involved during the initial scoping interview and the review meetings. The total duration of a certification journey depends heavily on your scope and starting maturity; it is estimated case by case in the quote.
What makes SYAGA qualified to support me?
SYAGA Consulting has been carrying out information system security audits since 2009. Our auditors work with clients of various sizes across several sectors. The gap assessment and document generation methodology used for ISO27001-Express relies on the same engine already used in our other compliance engagements (PSSI-Express).
SYAGA supports you in preparing your ISMS and your certification file. ISO/IEC 27001 certification itself is issued by an independent accredited certification body, not affiliated with SYAGA. This content is a support tool and does not constitute legal advice.

Ready to structure your ISO 27001 journey?

Contact us for a personalized quote based on your scope and current maturity level.