ISO 27001 Risk Assessment. Statement of Applicability and Annex A Controls. Industrial Information Security.
ISO/IEC 27001:2022 is the world's leading information security standard. IgeraIndustria makes every clause and every Annex A control queryable: risk assessment, Statement of Applicability (SoA), incident management and audit preparation. The security officer finds the answer in 3 seconds.
ISO 27001: the world's most widely implemented information security standard
With more than 70,000 active certificates, ISO 27001 is the global reference for information security management. The 2022 version reorganises controls into 4 categories and adds 11 new ones, requiring certified organisations to update their Statement of Applicability and risk treatment plan.
70,000+
Active ISO 27001 certificates worldwide. The most widely implemented information security standard, now with the 2022 version and 93 reorganised controls.
93
Annex A controls in ISO 27001:2022 (11 new compared to 2013). The Statement of Applicability (SoA) must analyse and justify each control.
Cl. 6.1.2
Security risk assessment: the central clause of the ISMS. Identifying assets, threats, vulnerabilities and evaluating risks requires a documented methodology.
Cl. 6.1.3
Statement of Applicability (SoA): mandatory and specific to each organisation. 48% of major NCs in audits stem from an incomplete SoA or one lacking justification.
The security officer spends hours searching for exactly what clause 6.1.3 requires to justify the exclusion of a control from the SoA, or what evidence the auditor expects for the new control A.5.7 (Threat intelligence). IgeraIndustria answers these questions in 3 seconds, citing the exact requirement, so the security team can focus on implementing real controls.
Instant ISO 27001 queries by clause and control
IgeraIndustria locates the clause or Annex A control that applies to each question and responds with the requirements, mandatory documentary evidence and the most common errors detected by ISO 27001 certification auditors.
Security risk assessment (6.1.2)
Methodology for identifying information assets, threats, vulnerabilities and evaluating inherent risk. Risk acceptance criteria, likelihood and impact scales, and how to document the process for the certification auditor.
Statement of Applicability — SoA (6.1.3)
Mandatory document that analyses all 93 Annex A controls, states whether they are implemented and justifies exclusions. How to structure the SoA, what level of detail auditors expect and how to keep it up to date.
Annex A Controls (ISO 27001:2022)
The 4 control groups (Organisational, People, Physical and Technological) and the 11 new controls in the 2022 version: threat intelligence, cloud security, privacy, ICT continuity. How to assess which ones apply and how to implement them.
Security incident management (Annex A.5.24–5.28)
Procedure for detecting, classifying, responding to and recovering from security incidents. Incident records, notification to authorities (GDPR Art.33 if personal data is involved) and lessons learned.
Internal ISMS audit (9.2)
Internal ISMS audit programme: criteria, scope, frequency, auditor selection and reports. Relationship between audit results, risk treatment plan and management review.
DPIA and data protection (Annex A.5.34)
Integration of Data Protection Impact Assessments (DPIA) into the ISO 27001 ISMS. Control A.5.34 and its relationship with GDPR Art.35: when a DPIA is required, minimum content and how to document it.
Complete ISO 27001 audit support
Whether for internal audits or visits from certification bodies, IgeraIndustria provides the support the security team needs at every phase of the audit cycle.
Gap analysis vs ISO 27001:2022
Identification of clauses and Annex A controls that are partially implemented. Especially useful for organisations migrating from the 2013 version (114 controls) to 2022 (93 reorganised controls).
Statement of Applicability (SoA) review
Verification that the SoA covers all 93 controls, that exclusion justifications are defensible and that implemented controls have sufficient documentary evidence.
Security audit simulation
Typical questions from ISO 27001 certification auditors: risk methodology, implemented controls vs SoA, incident management and penetration testing. Prepares the CISO or security officer.
Risk treatment plan (6.1.3)
How to structure the plan that links each accepted or treated risk to the selected Annex A controls, the owner, the deadline and the estimated cost. A format that satisfies certification auditors.
Security NC closure
Support for root-cause analysis of ISMS non-conformities, definition of corrective actions appropriate to Annex A controls and effectiveness verification.
Management review (9.3) — ISMS inputs
Mandatory ISMS inputs: audit results, status of the risk treatment plan, security incidents, context changes, resources and improvement opportunities.
The 4 key clauses of ISO 27001:2022
These clauses concentrate the majority of non-conformities in certification and surveillance audits. IgeraIndustria explains them with the exact requirements, practical examples and the most common mistakes.
6.1.2 — Risk analysis and assessment
The central clause of the ISMS. The organisation must define and apply a risk assessment process that identifies risks associated with the loss of confidentiality, integrity and availability of information. The process must be repeatable (same methodology, same results when applied by different people), documented and produce comparable results. The standard does not prescribe any specific methodology (MAGERIT, OCTAVE, FAIR, etc.) but does require evidence of the process and its results.
6.1.3 — Risk treatment and SoA
Based on the identified risks, the organisation selects the Annex A controls that apply and prepares the Statement of Applicability (SoA). The SoA must include: all Annex A controls (including excluded ones), justification for each control (applicable or excluded and why), and whether they are implemented or being implemented. The SoA is the document the certification auditor reviews in most detail and must be perfectly synchronised with the risk treatment plan.
Annex A — Controls (ISO 27001:2022)
The 2022 version reorganises controls into 4 categories (Organisational: 37, People: 8, Physical: 14, Technological: 34) and adds 11 new ones not present in the 2013 version. Among the new ones: A.5.7 Threat intelligence, A.5.23 Information security for use of cloud services, A.5.30 ICT readiness for business continuity, A.8.9 Configuration management, A.8.12 Data leakage prevention (DLP). The transition from ISO 27001:2013 had to be completed before October 2025.
9.2 / 9.3 — Internal audit and management review
The internal audit programme must cover the complete ISMS within the certification cycle (3 years). The internal auditor must be independent of the areas audited. The management review must have documented inputs on incidents, risks, audits and objectives, and must produce outputs with decisions on improvements, resources and changes in ISMS scope. Both must have records that the certification auditor may request at any surveillance audit.
How IgeraIndustria works for ISO 27001
Five steps from loading your information security management system to receiving an answer with the exact clause and required evidence.
Index your Information Security Management System
Upload your risk assessment, SoA, treatment plan, security procedures and incident records. IgeraIndustria processes them together with the ISO 27001:2022 standard and all Annex A controls.
Connect the assistant to your CISO or security officer
Embed in the security portal, Teams or as a restricted bot for the security committee. Role-based access control (not everyone needs to be able to query the SoA or the risk plan).
The security officer asks in natural language
«Which Annex A controls apply to the new cloud service?», «How do we justify the exclusion of control A.8.12 (DLP) from the SoA?», «What evidence does the auditor need for clause 6.1.2?»
IgeraIndustria searches across 2 knowledge layers
First in your internal documentation (risk assessment, SoA, security procedures, incident records), then in the ISO 27001:2022 standard and the 93 indexed Annex A controls.
Answer with clause, control and required evidence
The answer cites the applicable Annex A clause or control, indicates what level of implementation is sufficient and warns of the most common errors in ISO 27001 certification audits.
IgeraIndustria in action — SoA and Annex A ISO 27001
Query about how to justify the exclusion of an Annex A control from the Statement of Applicability.
CISO / Security Officer
Control A.5.7 (Threat intelligence) is new in ISO 27001:2022. Do we have to implement it mandatorily or can we exclude it in the SoA?
IgeraIndustria
ISO 27001:2022 — Annex A.5.7 Threat intelligence (new control vs 2013)
OBLIGATION: The SoA must mention A.5.7 always — even if excluded (clause 6.1.3.c)
- • EXCLUSION is possible if: the justification is defensible (e.g., «disproportionate cost relative to the organisation's size»)
- • Minimum acceptable IMPLEMENTATION: subscription to a free feed (INCIBE-CERT, ENISA) + documented monthly review
2024 trend: auditors request active evidence of A.5.7. Exclusion without solid justification generates an NC
✓ ISO 27001:2022 Annex A.5.7 · Confidence: 99.4%
180
employees, industrial technology company
6 wks
SoA with 93 controls completed
0 NCs
major findings at first audit
We had ISO 27001:2013 and had to migrate to the 2022 version with the 11 new controls. Our CISO did not know how to justify the new controls in the SoA — especially threat intelligence and cloud security. With IgeraIndustria, he was able to answer any auditor question in real time during the visit itself. First audit of the new version with no major non-conformity.
*Representative testimonial based on real client results
Frequently asked questions — ISO 27001:2022
How is the risk assessment carried out under clause 6.1.2 of ISO 27001?
Clause 6.1.2 requires the organisation to define and apply an information security risk assessment process. This process must establish and maintain risk criteria (including acceptance criteria and criteria for evaluating risks), identify risks associated with the loss of confidentiality, integrity and availability, analyse risks (likelihood and impact) and compare the results with the defined risk criteria. The standard does not prescribe any specific methodology (MAGERIT, OCTAVE, FAIR, ISO 31010 or any other can be used), but the process must be repeatable: different people must obtain comparable results when applying the same methodology. The entire assessment must be documented as retained documented information.
Which Annex A controls are mandatory to implement?
ISO 27001 does not define any set of Annex A controls as mandatory for all organisations. The controls that apply depend on the risks identified in the risk assessment and the decisions taken in the risk treatment plan (clause 6.1.3). The Statement of Applicability (SoA) must mention all 93 Annex A controls — including those that are excluded — with the corresponding justification. A control can be excluded if it does not apply by nature of the business, is outside the scope of the ISMS, or an equivalent compensatory control exists. The 11 new controls in the 2022 version (threat intelligence, cloud security, DLP, etc.) receive special attention from auditors and exclusions must be well-argued.
What is a security incident and how must it be managed under ISO 27001?
An information security incident is one or more unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security. Annex A controls A.5.24 to A.5.28 cover incident management: planning and preparation (A.5.24), detection and reporting (A.5.25), assessment and decision (A.5.26), response (A.5.27) and learning (A.5.28). The procedure must define how incidents are classified and prioritised, who is responsible for response, what records are maintained and how escalation works. If the incident involves personal data, it may trigger the obligation to notify the supervisory authority within 72 hours (GDPR Art.33).
When is a Data Protection Impact Assessment (DPIA) required in the ISO 27001 context?
A DPIA (Data Protection Impact Assessment) is a GDPR requirement (Art.35), not directly an ISO 27001 requirement. However, Annex A control A.5.34 of ISO 27001:2022 (Privacy and protection of personally identifiable information) requires the organisation to identify privacy and data protection requirements and integrate them into its security controls. In practice, organisations with ISO 27001 that process personal data must carry out DPIAs for high-risk processing activities: large-scale video surveillance, profiling, large-scale processing of special categories of data, etc. The DPIA complements the ISO 27001 risk assessment and must be included in the ISMS documentation when applicable.
How should an internal ISMS audit be planned and executed?
Clause 9.2 requires the organisation to plan, establish, implement and maintain an internal audit programme that covers the complete ISMS within the certification cycle (3 years). The programme must define frequency, methods, responsibilities and planning requirements. Internal auditors must be independent of the areas they audit (one must not audit their own work). Each audit must have an audit plan with scope, criteria and dates, and produce a report recording findings and non-conformities detected. Internal audit records are documented information that the organisation must retain and that the certification auditor may request at any surveillance audit.
How long does it take for a company to obtain ISO 27001 certification for the first time?
The typical time for a first ISO 27001 certification in a company of 50-200 employees is 9 to 18 months, depending on the maturity of the existing security system. The main phases are: diagnosis and gap analysis (1-2 months), ISMS design and documentation including risk assessment and SoA (3-6 months), control implementation and training (3-6 months), prior internal audit (1 month) and certification (phase 1 + phase 2 audit, 1-2 months). IgeraIndustria significantly reduces the time spent in the documentation phase because the team can query what each clause and control requires without needing external consultancy for every question.
IgeraIndustria ISO 27001 plans
No lock-in. Cancel any time.
Starter
For industrial SMEs beginning ISO 27001 certification that need to query clauses and Annex A controls without depending on external consultants.
- ISO 27001:2022 + Annex A pre-indexed
- Queries by clause and control
- SoA checklist for 93 controls
- 1,000 queries/month
- Widget for the CISO or security officer
- Email support
Professional
For organisations with an active ISMS, periodic audits and a need for continuous support to the security team for risk management and controls.
- ISO 27001 + internal documentation indexed
- Assisted SoA management and treatment plan
- Audit simulation by clause
- 5,000 queries/month
- Standard update and new controls alerts
- Priority support
Enterprise
For industrial groups with ISO 27001 integrated with ISO 9001 and ISO 27701, multiple sites and internal audit teams.
- Multi-site and multi-standard
- ISO 27001 + 27701 + 9001 integrated
- Assisted context change management (4.1)
- Unlimited queries
- 99.9% uptime SLA
- Dedicated customer success
Manage ISO 27001 clause by clause. Start today.
- Free trial 14 days — no credit card required
- Full ISO 27001:2022 + 93 Annex A controls pre-indexed from day 1
- Upload your risk assessment, SoA and internal security procedures
- Control checklist by clause ready for certification audits
