ISO/IEC 27001 — Information Security Management

ISO 27001, evidence-driven.

The de-facto international standard for information security. 93 controls in Annex A. Continuous improvement. The Agency keeps your evidence trail live and your control-mapping current — not just at audit time.

The numbers your team already knows.

ISO 27001 isn't a one-time certification — it's a system you maintain, with annual surveillance audits and a Statement of Applicability that has to stay in lockstep with the controls actually in place.

93 controls
Annex A control set in ISO 27001:2022
Down from 114 in 2013
Annual
Surveillance audits between three-year recertifications
Living evidence
SoA
The Statement of Applicability — a living document, not a one-shot
Continuous attestation

ARIA, TARA, VANCE — your living SoA.

Three of The Agency's leads keep ISO 27001 evidence current, controls mapped, and the audit pack composed from live data instead of last quarter's.

ARIA avatar
ARIA
Evidence & Document Intelligence

All 93 controls, evidenced and mapped. ARIA structures every piece of evidence against the Annex A controls and the 157 Universal Controls — your Statement of Applicability stays in lockstep with what's actually in place.

What you get
  • Annex A 2022 control mapping kept current
  • Documents structured against the 157 Universal Controls
  • Trust-centre and contract evidence ingested automatically
TARA avatar
TARA
Compliance & Remediation

Risk treatment plans tracked between audits. TARA continuously assesses control posture across your vendor portfolio and tracks treatment plans with deadlines — so surveillance audits stop being a quarterly scramble.

What you get
  • Continuous control gap analysis across the portfolio
  • Risk treatment plans with deadlines and SLA tracking
  • Surveillance-ready evidence at any moment
VANCE avatar
VANCE
Audit Composition

Audit packs composed, not assembled. VANCE generates ISO 27001 evidence bundles from current data — Statement of Applicability, control evidence, treatment plans — formatted for your certification body.

What you get
  • Statement of Applicability composed from live evidence
  • Audit packs generated, not hand-assembled
  • Tamper-evident audit trail per output

Four shifts you'll feel at the next surveillance audit.

ISO 27001 stops being a sprint to the audit window and becomes a continuous evidence layer the certification body can review at any moment.

Statement of Applicability stays live

Mapped to evidence. When a control changes or a vendor changes, the SoA updates the same week — not at the next surveillance.

Surveillance audits stop being a scramble

Continuous evidence means the auditor sees current state, not assembled state. Less archaeology, less prep.

All 93 Annex A controls covered concurrently

Not in waves. Each control has live evidence, mapped to the right artefact, ready for review.

Treatment plans tracked, not lost

TARA tracks risk treatment plans against deadlines between audits. Nothing falls through the gap year.

We replaced two analysts' worth of questionnaire chasing with The Agency in eight weeks. The risk team is finally doing risk work.

JM
CISO
FTSE 250 Insurance

See it on your vendors.

Book a 30-minute call and we'll have NOVA, ARIA and REX produce a complete posture report on one of your live vendors inside 24 hours.