What is ISO 27001?
ISO/IEC 27001:2022 is the world's reference standard for managing information security. It defines the requirements for an Information Security Management System (ISMS) — the governance, risk and control framework an organisation uses to protect the confidentiality, integrity and availability of its information.
The 2022 revision restructures Annex A into 93 controls across four themes — organisational, people, physical and technological — and introduces attributes that make controls easier to map to other frameworks such as NIS2, DORA and the national baselines.
The 93 Annex A controls, in 4 themes
A.5 — Organisational (37)
A.6 — People (8)
A.7 — Physical (14)
A.8 — Technological (34)
ISO 27001 with ResiPlan
ResiPlan ships the full ISO 27001:2022 Annex A catalogue. Run a maturity gap analysis (scored 0–4) control by control, attach evidence, and watch your Statement of Applicability and compliance score build themselves.
Thanks to cross-framework mapping, the work you do for ISO 27001 carries over to NIS2, DORA and the national baselines — assess a control once, prove compliance many times.
Frequently asked questions
How many controls are in ISO 27001:2022?
93 controls in Annex A, grouped into four themes: 37 organisational (A.5), 8 people (A.6), 14 physical (A.7) and 34 technological (A.8).
What is the Statement of Applicability (SoA)?
The SoA records which Annex A controls apply, their implementation status and the justification for any exclusion. ResiPlan generates it from your assessment.
Does ISO 27001 help with NIS2 and DORA?
Yes. ISO 27001 controls map directly to NIS2 measures and DORA's ICT-risk requirements. In ResiPlan, an ISO assessment auto-fills the equivalent NIS2 and CYRA controls via cross-mapping.
How long does ISO 27001 certification take?
Typically 6–12 months to build and operate the ISMS before the Stage 1 and Stage 2 audits. A gap analysis at the start tells you exactly how far you are from being audit-ready.