ISO/IEC 27001:2022 — Information Security

Information Security Management System (ISMS) — protect the confidentiality, integrity and availability of your information.

ISO/IEC 27001:2022 is the international reference standard for information security management. It provides a rigorous framework to identify, treat and monitor the risks affecting your information, whether it is stored digitally, held on paper, or carried as knowledge by your employees.

Why pursue ISO 27001:2022 certification?

  • Client and partner trust — Tangible proof that you take data security seriously. Increasingly required in B2B and public procurement.
  • Regulatory compliance — Alignment with GDPR, Quebec’s Law 25, Canada’s PIPEDA, and sector-specific regulations.
  • Cyber risk reduction — Structured approach to identifying and treating risks, rather than reacting to incidents. Fewer incidents, lower hidden costs.
  • Commercial advantage — Differentiation in markets where security is a selection criterion (finance, healthcare, defence, critical infrastructure).

The 2022 revision — what’s changed

The 2022 version of ISO 27001 (published October 2022) introduces significant changes from the 2013 version. Organisations certified against the 2013 version had to complete their transition by 31 October 2025; certificates issued against the 2013 version are no longer valid after that date.

  • 93 security controls in Annex A (down from 114), restructured into 4 themes: organisational, people, physical, technological
  • 11 new controls added: threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding
  • Stronger Annex SL alignment for better integration with ISO 9001, 14001, 45001 and 22301
  • Modernised risk-based approach — better coverage of current threats (ransomware, supply chain, remote work)

Our team is trained and experienced on the 2022 version. We support both new certifications and 2013→2022 transitions for already-certified organisations.

Our 6-step approach

  1. Initial diagnosis and information asset mapping — Inventory of your critical data, systems, providers, flows. Gap analysis vs the standard.
  2. ISMS scope and security policy definition — Which processes, sites, technologies? What security objectives?
  3. Risk analysis and treatment — Methodology: EBIOS RM, ISO/IEC 27005 or a proprietary method, depending on context. Risk treatment plan and Statement of Applicability (SoA) justifying which Annex A controls are included or excluded.
  4. Implementation of the controls selected in the SoA (drawn from the 93 Annex A controls) — Policies, procedures, technical controls, team training.
  5. Internal audit and management review — Verification, adjustments, certification audit preparation.
  6. Certification audit support with an accredited body (BSI, PECB, MSECB) and post-certification follow-up.

Who is it for?

  • Digital service companies, SaaS providers, hosting, MSPs
  • Banks, insurers, FinTechs, financial institutions
  • Healthcare and HealthTech (sensitive data)
  • Industrials with critical intellectual property
  • Any organisation subject to contractual or regulatory information security requirements

Timeline and cost

Typical duration: 6 to 12 months for initial certification, depending on size and maturity.
Pricing: fixed-price for the full engagement, day-rate for one-off interventions (training, audit). Tailored quote within 48 hours.
