
ISO/IEC 27001:2022
Compliance Readiness

End-to-end ISMS implementation support — from your current security posture to full certification readiness in approximately 12 weeks.

  • Engagement Duration: ~12 weeks (overlapping phases)
  • Annex A Controls: 93 controls across 4 themes
  • Mandatory Artefacts: 17 documents, all produced by CRS

What is ISO/IEC 27001:2022?

ISO/IEC 27001:2022 is the internationally recognised standard for Information Security Management Systems (ISMS). Certification demonstrates to customers, regulators, and partners that your organisation systematically manages information security risks.

The 2022 revision introduced a restructured Annex A with 93 controls across four themes — replacing the 114-control structure of the 2013 version. All new certifications and recertifications must now align with the 2022 standard.

  • Organisational (37 controls): policies, roles, responsibilities, risk treatment, supplier relations, incident management, BCM
  • People (8 controls): screening, terms of employment, information security awareness, training, disciplinary process
  • Physical (14 controls): physical security perimeters, entry controls, equipment security, clear desk/screen policies
  • Technological (34 controls): endpoint security, network controls, IAM, encryption, SIEM, vulnerability management, SDLC

Five-Phase Engagement Approach

A structured, overlapping delivery model designed to reach certification readiness in approximately 12 weeks.

01 Scoping & Gap Analysis (Weeks 1–2)

  • ISMS scope agreement and boundary definition
  • Current-state mapping against all 93 Annex A controls
  • Audit Readiness Report: prioritised gap list
  • Complimentary penetration test in Week 1

02 ISMS Build (Weeks 3–6)

  • Full management-system documentation drafting
  • All 17 mandatory ISMS artefacts produced
  • CRS ACTION-Field system: only organisation-specific fields left open
  • Master Completion Action Index for a searchable checklist

03 Implementation Support (Weeks 5–9)

  • Tooling-to-control mapping for existing security investments
  • Gap remediation guidance and prioritisation
  • Staff awareness and competence materials
  • Evidence collection support for Annex A controls

04 Internal Audit & Management Review (Week 10)

  • Mandatory internal audit execution (Clause 9.2)
  • Facilitated management review (Clause 9.3)
  • Non-conformity identification and corrective actions
  • Audit programme and procedure documentation

05 Certification Support (Weeks 11–12)

  • Pre-certification readiness check
  • Certification body liaison and submission support
  • Stage 1 and Stage 2 audit preparation
  • Post-audit corrective action assistance

17 Mandatory ISMS Artefacts

CRS produces every mandatory document as a pre-drafted template using the ACTION-Field system — only organisation-specific fields are left open, reducing completion from weeks to hours.

  01. ISMS Scope Statement (Clause / Control: 4.3)
  02. Information Security Policy (Clause / Control: 5.2)
  03. Risk Assessment & Treatment Methodology (Clause / Control: 6.1.2 / 6.1.3)
  04. Risk Assessment Report & Risk Register (Clause / Control: 8.2)
  05. Risk Treatment Plan (Clause / Control: 6.1.3 / 8.3)
  06. Statement of Applicability (SoA), covering all 93 controls (Clause / Control: 6.1.3 d)
  07. Information Security Objectives & Plan (Clause / Control: 6.2)
  08. Asset Inventory / Asset Register (Clause / Control: A.5.9)
  09. Supplier & Third-Party Register (Clause / Control: A.5.19–A.5.22)
  10. Access Control Policy (Clause / Control: A.5.15–A.5.18)
  11. Acceptable Use Policy (Clause / Control: A.5.10)
  12. Information Security Incident Management Procedure (Clause / Control: A.5.24–A.5.28)
  13. Business Continuity & ICT Disaster Recovery Plan (Clause / Control: A.5.29–A.5.30)
  14. Backup Policy (Clause / Control: A.8.13)
  15. Internal Audit Programme & Procedure (Clause / Control: 9.2)
  16. Management Review Procedure & Records Template (Clause / Control: 9.3)
  17. Corrective Action / Non-conformity Register (Clause / Control: 10.2)

Why CRS for ISO 27001?

ACTION-Field System

Pre-drafted ISMS templates with only organisation-specific fields left open. Master Completion Action Index makes the process searchable and auditable.

Tooling-to-Control Mapping

Your existing security investments (EDR, SIEM, backup, MFA, firewall) are mapped directly to the relevant Annex A controls — maximising your current security spend.

Complimentary Pen Test

A penetration test is included in Week 1 of every engagement at no additional cost — providing real threat evidence for your risk register from day one.

End-to-End Support

From scope definition through to Stage 2 certification audit support — CRS manages the full journey. No need to coordinate multiple consultants.

Fixed Engagement Model

A defined, fixed-fee structure with clear milestones and deliverables. No open-ended retainers. Engage CRS with confidence on scope and timeline.

Africa-Based Expertise

CRS operates across 28+ countries in Africa. We understand local regulatory landscapes, data residency requirements, and industry-specific compliance pressures.

Start Your Gap Analysis

Request a Proposal

Complete the form below and a CRS GRC consultant will review your submission and respond within 1–2 business days with a tailored ISO/IEC 27001:2022 readiness proposal.
