Question 1

What is the difference between ISO 27001:2013 and ISO 27001:2022?

Accepted Answer

ISO 27001 was significantly updated in 2022. The 2022 version restructured Annex A from 114 controls in 14 domains to 93 controls across 4 themes (Organizational, People, Physical, Technological) and added 11 new controls covering areas like threat intelligence, cloud security, data masking, secure coding, and ICT readiness for business continuity. Organizations certified under the 2013 version were required to transition to the 2022 standard by October 2025. All new certifications are issued under the 2022 standard.

Question 2

How long does ISO 27001 certification take?

Accepted Answer

For most organizations, 9-15 months from kickoff to certificate issuance. The timeline includes 3-6 months for gap assessment and control implementation, followed by 2-3 months of ISMS operation to gather evidence, followed by Stage 1 and Stage 2 audits (typically 4-8 weeks combined). Larger organizations or those with complex environments may take longer. The most common delay is insufficient ISMS operation time - the certification body needs to see evidence of your management system running, not just documented.

Question 3

Which certification body should we use?

Accepted Answer

ISO 27001 certificates must be issued by an accredited certification body - one accredited by a national accreditation body member of the IAF (International Accreditation Forum). Reputable examples include BSI, Bureau Veritas, DNV, Intertek, LRQA, and SGS. Selection criteria include your industry, geographic footprint (some bodies are stronger in certain regions), audit team expertise, and cost. Dark Rock is certification body-agnostic and can facilitate competitive selection or work with your preferred body.

Question 4

Do we need ISO 27001 if we already have SOC 2?

Accepted Answer

SOC 2 and ISO 27001 address similar objectives but serve different markets. SOC 2 is primarily a North American framework recognized by US enterprise buyers. ISO 27001 is the global standard required by European, APAC, and international buyers. Organizations with global ambitions often pursue both - and there is substantial control overlap, so doing them together or sequentially is more efficient than treating them as separate projects. Dark Rock manages dual-framework programs to minimize redundant effort.

Question 5

What is the Statement of Applicability?

Accepted Answer

The Statement of Applicability (SoA) is a required document that lists all 93 Annex A controls and states for each whether it is applicable to your ISMS, whether it is implemented, and the justification for inclusion or exclusion. It is a core deliverable for your certification audit - the certification body reviews it to understand your control selection rationale. Every control has a defensible justification, even excluded ones. Dark Rock develops your SoA in close collaboration with your team to ensure it accurately reflects your environment and risk decisions.

Question 6

What happens during surveillance audits?

Accepted Answer

After initial certification, you undergo annual surveillance audits (Year 1 and Year 2) and a full recertification audit in Year 3. Surveillance audits are shorter and focus on a subset of controls, internal audit records, management reviews, and any significant changes to your ISMS scope. They verify you are maintaining your ISMS, not just having certified it. Dark Rock provides year-round surveillance readiness support - ensuring your evidence is current and your team is prepared before each audit visit.

ISO 27001 Certification: World-Class Information Security

Why ISO 27001 Is the Global Standard for Information Security

Our Approach

Assess

Remediate

Implement

Certify

What You Get

Get ISO 27001 Ready

Related Frameworks

Frequently Asked Questions