ISO 27001:2022 compliance software
Run your ISO 27001:2022 ISMS in one place — the full Annex A control set, a live Statement of Applicability, evidence collection, and the three-role audit workflow certification bodies expect.
Starter is free · Professional $890/mo
What ISO 27001:2022 requires
ISO 27001:2022 is the international standard for an Information Security Management System (ISMS). Certification requires a documented Statement of Applicability over the 93 Annex A controls (organized into four themes — organizational, people, physical, and technological), a risk assessment and treatment process, and demonstrable, audited implementation evidence reviewed in a two-stage certification audit.
Build the ISMS around a living Statement of Applicability
The Statement of Applicability is the spine of an ISO 27001 certification — and the artifact auditors scrutinise first. SentinelPanda makes the SoA a first-class, living document: for each of the 93 ISO 27001:2022 Annex A controls you record applicability, implementation status, and a justification for inclusion or exclusion, all driven by your risk treatment decisions under clause 6.1.3. It stays in sync with your evidence, so the SoA you export is the SoA you can actually defend.
From risk assessment to Stage 2 — and every surveillance audit after
Certification is not a one-time event. SentinelPanda runs the full clause 6 risk assessment and treatment loop, then carries it through internal audit (clause 9.2), management review (9.3), and corrective action (10.1) so you arrive at the Stage 2 audit with the records a certification body expects. The same workspace then makes annual surveillance and three-year recertification routine instead of a fire drill, with an append-only history of every control decision.
How SentinelPanda helps
ISO 27001:2022 — frequently asked questions
Does SentinelPanda produce a Statement of Applicability?
Yes — the SoA is a first-class artifact: for every Annex A control you record applicability, implementation status, and justification, exportable for your certification body.
Does it support the 2022 revision of Annex A?
Yes — the library reflects ISO 27001:2022, with 93 controls organized into the four themes (organizational, people, physical, technological), including the new controls such as threat intelligence and secure development.
Does it cover internal audit and management review?
Yes — clause 9.2 internal audits, 9.3 management reviews, and 10.1 corrective actions are tracked as records, so the full ISMS cycle lives in one place.
Can evidence be reused across frameworks?
Yes — cross-framework mapping means evidence for an ISO 27001 control auto-credits its equivalents in SOC 2, NIST CSF, and others.