ISO 27001:2022 Compliance & Certification — AKATI Sekurity

End-to-End ISMS Implementation, Gap Assessment, and Certification Support

ISO/IEC 27001:2022 is the internationally recognised standard for Information Security Management Systems (ISMS). It provides a systematic framework for managing sensitive information — ensuring confidentiality, integrity, and availability through risk-based controls across organisational, people, physical, and technological domains.

AKATI Sekurity — itself ISO 27001:2022 certified — provides end-to-end compliance consulting, from initial gap assessment through ISMS implementation to successful certification audit. We know the standard because we live it.

At a glance: ISO/IEC 27001:2022, 93 Annex A controls, 4 control themes, PDCA cycle.

ISO 27001:2022 replaces the 2013 edition. The 2022 revision restructured Annex A from 114 controls across 14 domains to 93 controls across 4 themes, added 11 new controls addressing cloud security, threat intelligence, and data masking, and strengthened alignment with ISO 27002:2022 implementation guidance. All organisations certified to the 2013 edition must transition by 31 October 2025.

Why Certify

Business Value of ISO 27001:2022

Certification is more than a compliance exercise — it is a strategic differentiator that reduces risk, builds client confidence, and strengthens your competitive position.

Competitive Differentiation

Certification signals to clients, partners, and regulators that your organisation takes information security seriously — a decisive advantage in procurement evaluations and tender processes.

Regulatory Alignment

ISO 27001 maps directly to requirements in PDPA, BNM RMiT, SC TRM, MAS TRM, NCII Act 854, and GDPR — reducing duplication and simplifying multi-framework compliance.

Risk Reduction

A structured ISMS proactively identifies and treats information security risks before they become incidents — reducing breach likelihood, financial impact, and reputational damage.

Operational Clarity

ISO 27001 enforces clear ownership of information assets, defined responsibilities, and documented procedures — eliminating ambiguity as your organisation scales.

Client & Partner Confidence

Third-party certification by an accredited body provides independently verified assurance — replacing lengthy security questionnaires with a universally recognised credential.

Continuous Improvement

The PDCA (Plan-Do-Check-Act) cycle embedded in ISO 27001 drives ongoing maturity — annual surveillance audits ensure your ISMS evolves with the threat landscape.

ISMS Requirements

7 Mandatory Clauses

ISO 27001:2022 Clauses 4–10 define the mandatory requirements for establishing, implementing, maintaining, and continually improving an ISMS. Each clause below summarises what AKATI Sekurity assesses.

Clause 4

Context of the Organisation

Understanding internal and external factors, interested party requirements, and defining the ISMS scope.

  • Identify external and internal issues relevant to the ISMS purpose and strategic direction
  • Determine interested parties and their information security requirements
  • Define the ISMS scope considering interfaces, dependencies, and outsourced processes
  • Establish the ISMS including processes, interactions, and boundaries
Clause 5

Leadership

Top management commitment, information security policy, and organisational roles and responsibilities.

  • Top management demonstrates leadership and commitment to the ISMS
  • Establish information security policy aligned with strategic direction
  • Policy communicated, available as documented information, and reviewed
  • Assign and communicate ISMS roles, responsibilities, and authorities
  • Ensure ISMS achieves intended outcomes and drives continual improvement
  • Adequate resources allocated for ISMS establishment and maintenance
Clause 6

Planning

Risk assessment, risk treatment, information security objectives, and planning of changes.

  • Address risks and opportunities considering context and interested party requirements
  • Information security risk assessment process: criteria, identification, analysis, evaluation
  • Risk treatment: select appropriate options, determine controls, produce Statement of Applicability
  • Compare determined controls with Annex A to verify no necessary controls are omitted
  • Establish measurable information security objectives at relevant functions and levels
  • Plan changes to the ISMS in a structured manner
Clause 7

Support

Resources, competence, awareness, communication, and documented information management.

  • Determine and provide resources needed for ISMS establishment and continual improvement
  • Ensure personnel competence through education, training, or experience
  • Awareness: all persons working under the organisation's control understand the policy and their contribution
  • Determine internal and external communication needs for the ISMS
  • Documented information: creation, updating, control, retention, and disposition
  • Documented information of external origin identified and controlled
Clause 8

Operation

Operational planning, risk assessment execution, and risk treatment implementation.

  • Plan, implement, and control processes to meet ISMS requirements
  • Implement risk assessment process at planned intervals or when significant changes occur
  • Implement risk treatment plan and retain documented results
  • Control planned changes and review consequences of unintended changes
  • Control externally provided processes, products, and services relevant to ISMS
  • Retain documented information as evidence of risk assessment and treatment results
Clause 9

Performance Evaluation

Monitoring, measurement, internal audit, and management review of ISMS effectiveness.

  • Monitor, measure, analyse, and evaluate ISMS performance and effectiveness
  • Determine what needs to be monitored, methods, frequency, and who analyses results
  • Conduct internal audits at planned intervals to confirm ISMS conformity
  • Audit programme considering importance of processes and previous audit results
  • Management review at planned intervals covering status, changes, and improvement opportunities
  • Retain documented information as evidence of monitoring, audit, and review results
Clause 10

Improvement

Nonconformity management, corrective action, and continual ISMS improvement.

  • React to nonconformities: take action, evaluate need for corrective action, implement changes
  • Corrective actions proportionate to the effects of the nonconformities encountered
  • Evaluate need to eliminate root cause so nonconformity does not recur or occur elsewhere
  • Continually improve the suitability, adequacy, and effectiveness of the ISMS
Annex A Controls

93 Controls. 4 Themes.

ISO 27001:2022 restructured Annex A into 4 clear themes — replacing the 14-domain structure of the 2013 edition. The Statement of Applicability (SoA) maps your selected controls to identified risks.

Organisational Controls (A.5): 37 Controls

  • Information security policies and roles
  • Threat intelligence (new in 2022)
  • Information security in project management
  • Asset management and classification
  • Access control and identity management
  • Supplier relationships and cloud services (new)
  • Incident management and business continuity
  • Compliance with legal and contractual requirements
People Controls (A.6): 8 Controls

  • Screening and terms of employment
  • Information security awareness, education, and training
  • Disciplinary process and termination responsibilities
  • Remote working security (new in 2022)
  • Information security event reporting
  • Confidentiality and non-disclosure agreements
Physical Controls (A.7): 14 Controls

  • Physical security perimeters and entry controls
  • Securing offices, rooms, and facilities
  • Physical security monitoring (new in 2022)
  • Equipment siting, maintenance, and disposal
  • Clear desk and clear screen policy
  • Storage media handling and secure disposal
  • Supporting utilities and cabling security
Technological Controls (A.8): 34 Controls

  • Endpoint devices, privileged access, and access restriction
  • Secure authentication and source code management
  • Configuration management (new in 2022)
  • Information deletion and data masking (new)
  • Data leakage prevention (new in 2022)
  • Monitoring activities and web filtering (new)
  • Secure coding and vulnerability management
  • Network security, segregation, and cryptography
Your Path to Certification

AKATI Sekurity's 4-Phase Approach

From initial assessment to successful certification audit — AKATI Sekurity provides end-to-end support. You will never be left alone in this journey.

Gap Assessment

Comprehensive gap analysis against all 7 mandatory clauses and 93 Annex A controls. Prioritised findings with clear remediation roadmap and timeline to certification readiness.

ISMS Design & Build

Risk assessment methodology, risk treatment plan, Statement of Applicability, policies, procedures, and documented information — tailored to your organisation's context and risk profile.

Implementation Support

Hands-on guidance on implementing controls, conducting internal audits, management reviews, and awareness training. We handhold your team through every requirement.

Certification Audit

Pre-audit readiness check, Stage 1 and Stage 2 audit preparation, evidence packaging, and on-site support. Vendor-neutral — we work with your preferred certification body.

Why AKATI Sekurity

Certified Ourselves. Proven for Clients.

We do not just consult on ISO 27001 — we are certified to it. AKATI Sekurity holds ISO 27001:2022 certification, giving us first-hand understanding of every requirement, evidence expectation, and auditor perspective.

We Live the Standard

As an ISO 27001:2022 certified organisation ourselves, we understand every clause, every control, and every audit expectation from direct experience — not just theory.

Vendor Neutral

Your choice of certification body. We work seamlessly with any accredited auditor — whether required by your group headquarters, clients, or business objectives.

End-to-End Handholding

From gap assessment through implementation to certification day, our compliance team stands beside your team at every step. No handoff, no gaps, no surprises.

Multi-Framework Expertise

ISO 27001 alongside PCI DSS, BNM RMiT, SC TRM, MAS TRM, NCII Act 854, SOC 2, and PDPA. We map overlapping controls to eliminate duplication and accelerate compliance.

Next Step

Start Your ISO 27001:2022 Journey

Whether you are pursuing first-time certification, transitioning from the 2013 edition, or preparing for a surveillance audit — AKATI Sekurity has the expertise to get you there.