CA-03 · ISO standards

ISO 27001

ISO 27001:2022 with asset-level risk analysis, documented Annex A controls and continuous review. We coordinate the technical audit with Summum Sistemas.

StandardISO 27001:2022
Duration7 months
Annex A93 controls

ISO 27001 is now the standard that any enterprise client demands before signing a contract, and regulators are increasingly relying on it (NIS2, DORA, ENS). Without it, entire sectors — banking, private healthcare, defence, public sector — become inaccessible.

We implement with the 2022 revision (current) and the 93 controls of Annex A: per-asset risk analysis, explicit statement of applicability, signed policy, operating procedures, prior internal audit and continuity plan.

The regulatory and procedural side is covered by Calidad; the technical side — system-state audit, SOC, control evidence — is covered by Summum Sistemas. A single implementation, two coordinated disciplines.

The ISO 27001 process.

The process · four stages
01

Risk analysis

Per asset. Identification, assessment, treatment.

02

DoA

93 Annex A controls justified one by one.

03

Implementation

Policy, procedures, technical controls with Sistemas.

04

Audit

Internal, external, annual maintenance.

What is included

What ISO 27001 includes.

The operational detail: what we deliver as part of the engagement and what we keep active afterwards.

  • Per-asset risk analysis

    Inventory, threats, documented treatment.

  • Statement of applicability

    93 controls. Applies / not applicable / reason.

  • Policy and procedures

    Signed by management, per domain.

  • Technical controls (with Sistemas)

    EDR, SIEM, vulnerabilities, backups.

  • Internal audit

    Before the external one.

  • Continuity plan

    Coordinates with 22301.

Regulatory framework

The regulatory framework.

27001 is the standard. NIS2 and DORA use it as a reference.

ISO 27001 Applicable to this service
EU NIS2 Applicable to this service
EU DORA Applicable to this service
ES ENS Applicable to this service

Frequently asked questions about ISO 27001.

Is it mandatory?

Never a legal requirement as such. Enterprise clients demand it. NIS2 makes it quasi-mandatory.

Annex A 2022?

93 controls. Organisational, technical, physical.

With Sistemas?

Essential. Technical part handled by Sistemas; management, here.