ISO/IEC 27001:2022
Compliance Readiness
End-to-end ISMS implementation support — from your current security posture to full certification readiness in approximately 12 weeks.
- Engagement Duration: ~12 weeks, delivered as overlapping phases
- Annex A Controls: 93 controls across 4 themes
- Mandatory Artefacts: 17 documents, all produced by CRS
What is ISO/IEC 27001:2022?
ISO/IEC 27001:2022 is the internationally recognised standard for Information Security Management Systems (ISMS). Certification demonstrates to customers, regulators, and partners that your organisation systematically manages information security risks.
The 2022 revision introduced a restructured Annex A with 93 controls across four themes — replacing the 114-control structure of the 2013 version. All new certifications and recertifications must now align with the 2022 standard.
| Theme | Controls | Coverage |
|---|---|---|
| Organisational | 37 | Policies, roles, responsibilities, risk treatment, supplier relations, incident management, BCM |
| People | 8 | Screening, terms of employment, information security awareness, training, disciplinary process |
| Physical | 14 | Physical security perimeters, entry controls, equipment security, clear desk/screen policies |
| Technological | 34 | Endpoint security, network controls, IAM, encryption, SIEM, vulnerability management, SDLC |
Five-Phase Engagement Approach
A structured, overlapping delivery model designed to reach certification readiness in approximately 12 weeks.
Phase 1: Scoping & Gap Analysis (Weeks 1–2)
- ISMS scope agreement and boundary definition
- Current-state mapping against all 93 Annex A controls
- Audit Readiness Report — prioritised gap list
- Complimentary penetration test in Week 1

Phase 2: ISMS Build (Weeks 3–6)
- Full management-system documentation drafting
- All 17 mandatory ISMS artefacts produced
- CRS ACTION-Field system — only organisation-specific fields left open
- Master Completion Action Index for a searchable checklist

Phase 3: Implementation Support (Weeks 5–9)
- Tooling-to-control mapping for existing security investments
- Gap remediation guidance and prioritisation
- Staff awareness and competence materials
- Evidence collection support for Annex A controls

Phase 4: Internal Audit & Management Review (Week 10)
- Mandatory internal audit execution (Clause 9.2)
- Facilitated management review (Clause 9.3)
- Non-conformity identification and corrective actions
- Audit programme and procedure documentation

Phase 5: Certification Support (Weeks 11–12)
- Pre-certification readiness check
- Certification body liaison and submission support
- Stage 1 and Stage 2 audit preparation
- Post-audit corrective action assistance
17 Mandatory ISMS Artefacts
CRS produces every mandatory document as a pre-drafted template using the ACTION-Field system — only organisation-specific fields are left open, reducing completion from weeks to hours.
- ISMS Scope Statement (Clause 4.3)
- Information Security Policy (Clause 5.2)
- Risk Assessment & Treatment Methodology (Clause 6.1.2/3)
- Risk Assessment Report & Risk Register (Clause 8.2)
- Risk Treatment Plan (Clause 6.1.3/8.3)
- Statement of Applicability (SoA) — 93 controls (Clause 6.1.3d)
- Information Security Objectives & Plan (Clause 6.2)
- Asset Inventory / Asset Register (Control A.5.9)
- Supplier & Third-Party Register (Controls A.5.19–22)
- Access Control Policy (Controls A.5.15–18)
- Acceptable Use Policy (Control A.5.10)
- Information Security Incident Management Procedure (Controls A.5.24–28)
- Business Continuity & ICT Disaster Recovery Plan (Controls A.5.29–30)
- Backup Policy (Control A.8.13)
- Internal Audit Programme & Procedure (Clause 9.2)
- Management Review Procedure & Records Template (Clause 9.3)
- Corrective Action / Non-conformity Register (Clause 10.2)
Why CRS for ISO 27001?
- ACTION-Field System: Pre-drafted ISMS templates with only organisation-specific fields left open. The Master Completion Action Index makes the process searchable and auditable.
- Tooling-to-Control Mapping: Your existing security investments (EDR, SIEM, backup, MFA, firewall) are mapped directly to the relevant Annex A controls — maximising your current security spend.
- Complimentary Pen Test: A penetration test is included in Week 1 of every engagement at no additional cost — providing real threat evidence for your risk register from day one.
- End-to-End Support: From scope definition through to Stage 2 certification audit support — CRS manages the full journey. No need to coordinate multiple consultants.
- Fixed Engagement Model: A defined, fixed-fee structure with clear milestones and deliverables. No open-ended retainers. Engage CRS with confidence on scope and timeline.
- Africa-Based Expertise: CRS operates across 28+ countries in Africa. We understand local regulatory landscapes, data residency requirements, and industry-specific compliance pressures.
Request a Proposal
Complete the form below and a CRS GRC consultant will review your submission and respond within 1–2 business days with a tailored ISO/IEC 27001:2022 readiness proposal.