ISO/IEC 27001:2022
ISO/IEC 27001 is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It defines the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) — a systematic approach to managing sensitive information so that it remains secure.

The 2022 revision is the current version, replacing ISO 27001:2013. It reorganized the Annex A control set from 114 controls across 14 domains to 93 controls across 4 themes (Organizational, People, Physical, and Technological), reflecting how modern security programs are structured. The revision also introduced 11 new controls covering areas such as threat intelligence, data masking, configuration management, and cloud security.

Unlike compliance frameworks that define a fixed checklist of required controls, ISO 27001 certification requires demonstrating a functioning management system — documented policies, a risk-based approach to control selection, evidence of continuous improvement, and an independent audit. Ayliea’s 110-question assessment evaluates both your Annex A control implementation and the governance structures that underpin a certifiable ISMS.

What Ayliea Assesses
The assessment covers the ISMS governance requirements alongside the four Annex A control themes.

ISMS Governance (Clauses 4–10)
The management system requirements that must be in place for any ISO 27001 certification. Evaluates context of the organization, leadership commitment and policy, planning (risk assessment and treatment), support (resources, awareness, communication, documented information), operational controls, performance evaluation (internal audit, management review), and continual improvement processes.
Organizational Controls (Annex A Theme 1)
37 controls covering policies, roles and responsibilities, threat intelligence, information security in supplier relationships, incident management, business continuity, and legal and regulatory compliance. Includes the 11 new controls introduced in 2022.
People Controls (Annex A Theme 2)
8 controls governing the human factor: screening, terms of employment, security awareness training, disciplinary processes, responsibilities after termination, and remote working security.
Physical Controls (Annex A Theme 3)
14 controls protecting physical environments — physical security perimeters, entry controls, securing offices and facilities, protection against physical and environmental threats, equipment maintenance, and secure disposal.
Technological Controls (Annex A Theme 4)
34 controls covering endpoint security, privileged access management, access control, cryptography, secure development, vulnerability management, network security, and monitoring. Includes new controls for configuration management, data masking, and web filtering.
Who Needs This Assessment
- Organizations pursuing ISO 27001 certification for the first time — use the assessment to identify gaps before engaging a certification body
- Currently certified organizations conducting internal audits between surveillance audits
- Procurement and vendor management teams evaluating supplier ISMS maturity
- SaaS companies, cloud providers, and IT services firms that face ISO 27001 requirements from enterprise customers
- Organizations operating internationally or in markets where ISO 27001 is a standard vendor qualification requirement
- Security teams that want a management-system-oriented complement to control-focused frameworks like CIS or NIST