The threat landscape is in a constant state of evolution. What may have been a best practice a year ago to help protect your organization against cyber threats may quickly become outdated, no longer providing enough protection on its own.  

Consider the type of threats that have impacted organizations of all sizes and across industries, including cybersecurity organizations. Okta, a SaaS-based identity and access management company, fell victim to a third party data breach through the use of compromised credentials, and Shutterfly experienced a ransomware attack. And everyone remembers Colonial Pipeline’s ransomware incident that was the result of a compromised VPN password. 

But it doesn’t stop there. Organizations need to take proactive steps to prepare for any threat that could elevate their threat risk, like cyberwarfare. To create and maintain a strong cybersecurity posture, organizations should leverage various assessments to test the strength of their cybersecurity efforts. One of the most effective approaches is to start with a penetration test (pen test).  

What is pen testing? 

A pen test is a simulated cyber attack that aims to penetrate an organization’s network. Sometimes referred to as “ethical hacking,” a penetration test takes a preventative approach to cybersecurity, evaluating an organization’s infrastructure by utilizing the same tools and tactics threat actors use. This goal-based exercise targets their technology and system’s vulnerabilities to determine if a threat actor can exploit them to gain access. 

At A-LIGN, our penetration tests include six unique components that explore every part of an organization’s technologies and network. These include:

• API testing
• Network layer testing
• Mobile application testing
• Web application testing
• Wireless network testing
• Facility penetration testing

Though a pen test is extremely effective in helping organizations enhance their cybersecurity efforts, it’s important to note that it is not a one-and-done test. Most organizations conduct pen tests annually or after a big event, like switching from an on-prem to cloud architecture, development changes or feature enhancements that may introduce new functionality, or after hearing about a noteworthy cyberattack.  

Relying solely on annual pen tests, however, is bad practice. Since threats emerge and evolve every day, eternal vigilance is needed to ensure organizations don’t lull themselves into a false sense of security. Fortunately, there are options available to fill in the gaps that exist between tests.  

Pen tests + vulnerability scans  

To maintain an updated cybersecurity infrastructure, organizations should supplement their pen tests with a quarterly vulnerability scan. 

What is a vulnerability scan?  

A vulnerability scan, also referred to as a vulnerability assessment, checks an organization’s network and systems for any known vulnerabilities against a database of vulnerability information. Vulnerability scans can be automated to run quarterly, monthly, or even weekly, and can be highly targeted to detect any known vulnerabilities. This enables organizations to more effectively identify and remediate potential issues associated with a vulnerability in a timely manner.  

But it’s important to note that vulnerability scans are only used for detection of existing vulnerabilities; they cannot effectively detect a zero-day exploit. Pairing a vulnerability scan with a pen test is beneficial to an organization: The combination of the two provides a holistic approach to enhancing cybersecurity. 

Determine your best practice  

There is no one-size-fits-all approach to cybersecurity, but there are steps every organization should take to ensure they are effectively testing their security posture on a regular basis.  

Leveraging pen tests is just one part of the equation. Additional steps include: 

• Developing and implementing a framework. Do your research into existing frameworks, and leverage an acceptable framework, like NIST, to establish cybersecurity controls to reduce your cybersecurity risk. 
• Leaning into a zero trust architecture. Be aware of who has access to your most sensitive resources, and limit that access to only the people who need it. 
• Exploring additional cybersecurity assessments. Leveraging other assessments, like a Ransomware Preparedness Assessment, can provide even greater insight into your organization’s level of preparedness for a cyberattack. 
• Staying educated on the evolving threat landscape. This means knowing what threat actors will try to use to infiltrate your organization, from phishing to ransomware. (To better understand and recognize various cyber threats, download The Ultimate Cybersecurity Guide.)   

It’s not if, but when 

Every organization across every industry is at risk for a cybersecurity incident. Staying ahead of threat actors requires organizations to adopt a tactical approach to cybersecurity. This means knowing the infrastructure, the devices connected to the network, how they communicate, the characteristics of the organization’s data, and who has access to the data.  

Gain this insight by leveraging regular pen tests and supplement them with security scans and audits, including vulnerability scans and a Ransomware Preparedness Assessment.  

At A-LIGN, our OSEE, OSCE, and OSCP-certified pen testers emulate the techniques of actual attackers by creating scenarios and strategies unique to your organization so you’re well prepared to respond to any cybersecurity event. Contact us today to get started.

Earning ISO/IEC 27001 or ISO/IEC 42001 accreditation for a certification body is an impressive feat. It takes time, resources and dedication to meet a high level of quality in an organization’s information security and artificial intelligence management systems program. 

However, not all accreditation bodies are created equal. If you’re committing to protecting information and taking steps to improve your cybersecurity posture, don’t you want the highest level of quality from your accreditation body as possible? 

Which bodies can oversee ISO 27001 and 42001 accreditations? 

There are three major certification bodies in the United States: ANAB, IAS and UAF. The two most prominent bodies for ISO management system certification are the ANSI National Accreditation Board (ANAB) and the International Accreditation Service (IAS). 

ANAB was the first management systems accreditation body in the United States. It is the largest multi-disciplinary accreditation body in the western hemisphere, with more than 3,000 organizations accredited in approximately 80 countries. The organization is a non-governmental organization and subsidiary of the American National Standards Institute, a non-profit organization. ANAB accredits organizations in compliance with several ISO/IEC frameworks across industries. 

When you are looking for an auditor for ISO 27001 or ISO 42001 certification, make sure you choose a certification body that is accredited by a leading accreditation body. Most auditors have the accreditation body logo on their website, but if you don’t see it – do your due diligence and ask. 

Why A-LIGN trusts ANAB for ISO certification 

One of A-LIGN’s core values is “do the right thing, always.” That means we do the best thing for our clients as a part of our commitment to quality and don’t shy away from hard things. When it comes to choosing accreditation bodies, that means opting for the highest-quality choice. In the U.S., the gold standard for ISO accreditation is ANAB, which is why they have been our accreditation body of choice since the beginning.  

Keep reading to learn about ANAB’s commitment to quality and why they are the superior choice for ISO 27001 and ISO 42001 accreditation. 

Why ANAB: Stronger global and regulatory recognition 

One of the key advantages of ANAB accreditation is its global recognition within the information security industry. ANAB is a signatory of the International Accreditation Forum (IAF) and Multilateral Recognition Arrangement (MLA), which ensures that ISO 27001 certifications accredited by ANAB are recognized internationally. These memberships are critical for businesses operating across borders, as many global clients require an internationally accepted accreditation. 

Why ANAB: More rigorous accreditation process for ISO 27001 and 42001 

ANAB’s accreditation process for ISO certification bodies is notoriously stringent, ensuring that only the most competent, well-audited certification bodies can issue certifications. 

Key aspects of ANAB’s superior accreditation process include: 

• Comprehensive audits of certification bodies, including technical evaluations of their ability to assess ISMS compliance. 

• Strong oversight and continuous monitoring, ensuring accredited certification bodies maintain high standards. ANAB regularly looks for quality audits that follow the standards required for certification bodies. 

• Alignment with ISO/IEC 17021-1, the key standard for bodies certifying management systems, with enhanced scrutiny for information security assessments. 

Industry experts believe that ANAB’s high level of scrutiny results in stronger, more reliable ISO 27001 and ISO 42001 certifications, making it the preferred accreditation body for cybersecurity and compliance-driven organizations in North America. ANAB, trusted by firms including EY and Moss Adams, is associated with ANSI, an organization with more than 100 years of standards experience, which sets the stage for higher quality accreditation processes. 

Why ANAB: Market and industry preference for ANAB-accredited certifications 

In the cybersecurity and information security industries, ANAB accreditation is the gold standard. Many large enterprises, government agencies, and security-conscious organizations explicitly require ANAB-accredited ISO certification from their vendors and partners because of its high standards and reputation. 

Companies in sectors such as cloud computing, fintech, healthcare IT, and SaaS often prefer ANAB-accredited certifications because: 

• It enhances credibility with customers who prioritize security. 

• It facilitates compliance with regulatory frameworks like GDPR, HIPAA, and SOC 2. 

• It ensures international recognition, allowing businesses to operate in multiple regions without accreditation-related issues. 

Other accreditation bodies do not hold the same influence or trust in the cybersecurity and compliance space. ANAB accreditation is the clear choice for ISO certification in the information security industry. Its strong global recognition, regulatory trust, rigorous accreditation process, and industry preference makes ANAB the accreditation body with the highest standards. 

Ready to get started on your organization’s journey to ISO 27001 or 42001? Contact us today to get started with an ANAB-accredited certification body, A-LIGN. 

ISO/IEC 27001 is a prominent, globally recognized standard designed to administer and enhance the information security management system. When an organization decides to embark on its ISO 27001 certification journey, it agrees to adhere to a systemic approach to manage sensitive company information, ensuring secure exchange and protection of data. The standard is applicable to businesses across all industries, regardless of their size or the nature of their data. Read on to learn the key ISO 27001 requirements ahead of your organization’s audit. 

What are the ISO 27001 requirements?  

The ISO 27001 requirements are designed to provide a clear and rigorous framework for protecting and managing valuable data and information assets. These carry inherent business risks if not protected adequately. The standard encompasses key aspects of business, such as risk management, compliance, legal requirements, physical and technical controls around data access, usage, and transmission. All these facets collectively reflect the organization’s commitment to a higher level of data integrity, availability and confidentiality.  

If you’re planning on getting your business ISO 27001 certified, the ISO 27001 requirements are more than just getting a badge of honor. Achieving the ISO 27001 certification signals to clients, stakeholders, and regulators that your business has implemented an internationally accepted and independently validated information security management system. Furthermore, it offers a basis for legal compliance, demonstrating your commitment to information security and data privacy.   

What exactly are the ISO 27001 requirements? This standard is divided into clauses and annex controls. The former establishes a set of business procedures and processes necessary for managing an organization’s ISMS. The latter consists of 93 controls categorized into 4 groups, which provide guidelines on how to manage specific areas of information risk. Annex A is a comprehensive list of the controls to be considered during risk assessment, applicable based on the nature of the business.  

The requirements include, but are not limited to:  

Setting up an information security policy  

Establishing a clear and comprehensive information security policy is a foundational element to earning ISO 27001 certification. This element of ISO 27001 requirements should outline overarching objectives, principles, and responsibilities for safegaurding sensitive data. 

Defining an approach to risk assessment and treatment  

A structured approach to risk assessment and treatment is crucial for identifying, evaluating, and mitigating potential security threats. This involves recognizing vulnerabilities, determining their likelihood and potential impact, and implementing appropriate risk treatment measures. By continuously monitoring and updating this process, organizations can adapt to evolving threats and maintain robust information security and meet ISO 27001 requirements. 

Implementing data masking and web filtering controls  

ISO 27001 requirements mandate implementing data masking and web filtering controls to enhance the security of sensitive information and protect against unauthorized access. Data masking obscures sensitive data elements, reducing exposure during processing or testing, while web filtering restricts access to potentially harmful or inappropriate websites.  

Executing training and awareness programs  

Organizations must also execute training and awareness programs as part of ISO 27001 requirements. By educating employees about security policies, potential threats, and best practices, organizations can minimize human error and reinforce a proactive security culture. Ongoing awareness initiatives help keep information security top of mind and ensure everyone understands their role in protecting the organization’s assets. 

Gathering and analyzing information about threats  

Proactively gathering and analyzing information about potential security threats enables organizations to identify and respond to risks before they become a problem. This involves staying informed about emerging vulnerabilities, monitoring threat intelligence sources, and analyzing data to detect patterns or anomalies. 

Monitoring systems and implementing incident response procedures  

Continuous monitoring of systems and implementing effective incident response procedures are critical components of ISO 27001 requirements. Real-time system monitoring helps detect security incidents promptly, while a well-defined incident response plan ensures swift and coordinated action to mitigate impact.  

Deep dive into ISO 27001 requirements  

The ISO 27001 standard is a globally recognized information security standard that establishes the best practices for ISMS. Meeting ISO 27001 requirements and earning a certification offers various advantages, from improving efficiency to building stakeholder trust, underscoring the need to grasp and apply these standards.  

The ISO 27001 requirements are composed of foundational requirements essential for the effective functioning of an ISMS. These requirements, referred to as controls, are derived from ISO 27002 and found within ISO 27001 Annex A, and typically align with the organization’s information security risks. However, the organization retains the liberty to decide which controls apply to their specific circumstances and document the same accordingly.  

An imperative component of the ISO 27001 requirements is the set of mandates for logging and monitoring. These stipulations lay the groundwork for detecting, analyzing, and mitigating potential security incidents. ISO 27001 requirements ask organizations to document significant events and continually scrutinize system activities. This continuous monitoring and logging of activities aim to detect abnormalities quickly, allowing for immediate corrective actions.  

Starting from security policy and organization of information security to access control and incident management, the ISO 27001 requirements list is extensive and inherently interrelated. Therefore, stringent adherence and a deep understanding of these standards can fortify information security, thereby qualifying the organization for ISO 27001 certification.  

Gaining a comprehensive knowledge of the ISO 27001 requirements is pivotal for organizations pursuing robust information security governance and a strong culture of security. The articulated requirements and stipulations, including specifics like logging and monitoring, offer a holistic blueprint for an effective ISMS. Customizing and implementing these requirements, coupled with continuous monitoring, can lead an organization toward enhanced information security and ISO 27001 certification.  

AI is here to stay, making it crucial for organizations to build out their AI compliance strategies. Wondering where to start? The answer is ISO/IEC 42001:2023.  

ISO 42001 provides a comprehensive framework with clear guidelines and best practices for AI compliance. We’ve created this guide to provide you with everything you need to know about this standard, including a list of questions to ask when choosing the right auditor.  Click here to download the guide.

What is ISO 42001? 

ISO 42001 is designed to help organizations manage the risks associated with AI and ensure that their AI systems are developed and used responsibly. This standard provides a framework for organizations that design, develop, and deploy AI systems, focusing on aspects like transparency, accountability, bias identification and mitigation, safety, and privacy. It’s not a mandatory standard, but given its significance and recognition, it’s highly likely to become the benchmark for AI management systems in the future.  

While implementing ISO 42001, top management is expected to lead and commit to the AI management system (AIMS) and establish policies and objectives aligned with the organization’s strategy. They’re expected to identify and address AI-related risks and opportunities, provide necessary resources and support, establish processes for AI system development and maintenance, monitor and evaluate AI system performance, and continuously improve the AIMS to keep it effective. 

To help organizations manage this standard effectively, ISO 42001 has several annexes (Annexes A-D) that give detailed guidance on adoption. These annexes provide direction on system development and implementation, while addressing organizational objectives, risk management, and industry-specific standards to ensure tailored AI management practices.  

Benefits of ISO 42001

From driving innovation with responsible processes to mitigating AI risks through lifecycle monitoring, ISO 42001 brings a lot of value and benefits to businesses. Below are some of the key advantages of ISO 42001: 

Stay ahead of AI regulations  

ISO 42001 provides a unified framework to adapt to a variety of new regulations. Its focus on trust, transparency, and resilience in AI systems goes well beyond meeting regulatory minimums, making it a highly viable standard. 

Build trust and transparency 

An AIMS built on ISO 42001 demonstrates trust and accountability through clear communication (Clause 7.4) and transparency (Clause 7.5), building confidence in AI systems and fostering stronger stakeholder relationships.   

Minimize financial risk 

Adoption of ISO 42001 allows organizations to protect themselves from penalties and gain a competitive edge as certifications become necessary. Through its embedded risk management system, this standard will help companies avoid vulnerabilities and prevent costly overhauls down the line. 

Boost operational efficiency  

ISO 42001 enhances efficiency by identifying and mitigating risks, improving data quality, and enhancing oversight. Its lifecycle monitoring and stakeholder collaboration boost performance and trust, while its structured risk management minimizes disruptions. It’s adaptable to various organizational sizes and AI maturity levels, allowing it to align with innovation goals.   

Strengthen AI governance 

ISO 42001 integrates seamlessly with standards like ISO 27001 and ISO 27701, creating a unified governance framework for diverse compliance needs. This combined approach enhances data security, ensures traceable data inputs and outputs, and addresses privacy risks, strengthening AI governance and operational efficiency.   

Understanding the process 

Like any certification, achieving ISO 42001 compliance comes with its own unique process. Let’s break it down.  

Prepare for ISO 42001 Certification 

Organizations should start by getting to know ISO 42001 and its clauses, annexes, critical documents, and policy requirements.  

From there, conduct a gap analysis to identify discrepancies between your existing AI governance framework and ISO 42001 requirements. Develop a step-by-step implementation roadmap to address these gaps, prioritizing areas that will have the greatest impact on your business.  

Companies should set up training sessions for the new processes and provide a way for staff to give their insights and feedback on the new AIMS. Having a centralized location for all of this feedback will make documentation more organized and efficient.  

Pro tip: Utilize ISO 42001 to clearly define the desired outcomes for your AI systems. Align these with business objectives to ensure governance efforts directly support strategic goals.   

Engage with auditors 

After your organization has prepared for certification, you’re ready to choose an auditor. Look for a quality audit partner that aligns their goals with yours.  

While evaluating auditors, come prepared with a list of questions and clarifications regarding the process, and be ready to discuss the scope of the audit in detail. We also recommend conducting a pre-audit checklist review and simulating audit scenarios to prepare your staff for the actual assessment. 

Undergo the audit process 

Designate a team member as the point of contact to streamline communication with your auditor. Your assessment will include interviews with key personnel and a review of documentation. 

After your assessment is complete, schedule a meeting to discuss key findings with the internal team and determine the action plans needed for any nonconformities based on the report. 

Ensure continuous improvement 

Establish a team designated to compliance improvement and progression post-certification. Engage with customers, investors, and partners to communicate your commitment to responsible AI governance. Use Clause 7.4 (Communication) and 7.5 (Documented Information) of ISO 42001 to ensure transparency and traceability. 

Selecting an audit partner 

Choosing the right audit partner is a crucial part of the process. Not all auditors are created equal, so let’s dive into what you need to look out for. 

Expertise  

Choose an auditor, or certification body, that is accredited with a high-quality, reputable Accreditation Body, like ANAB. This guarantees they have the expertise to navigate you through the audit process and uphold their procedures to the highest standards given the thorough review process that the certification body must also go through. It’s important to evaluate how long they’ve been operating, the experience level of their staff, their understanding of ISO 42001 compliance, and their experience with other ISO frameworks. Since there are similarities and overlaps with ISO 27001, choosing an auditor who knows ISO and the ISO process can provide valuable insights and ensure a thorough and effective audit. 

Quality  

It’s important to choose a high-quality audit partner that will align their goals with your organization’s goals. High-quality auditors have extensive experience and knowledge of ISO 42001, allowing them to address potential compliance issues effectively. This minimizes the risk of failing the assessment and ensures that your organization meets all necessary standards.  

Efficiency  

Efficiency plays a big role in the time and resources required to achieve certification. The assessment process can be complex, but some auditors offer technology to help streamline the process. This can help save time during the certification process and reduce disruptions to your operations. To boost efficiency even further, consider a firm who can handle additional frameworks like ISO 27001, SOC 2, HITRUST, and more. Using the same firm for multiple audits can streamline the process and allow you to consolidate your audits, saving time, resources and money.  

Budget  

Budget is an important consideration, and as with most things, you get what you pay for. Beware of auditors that are offering assessments for under-market value. When looking at the budget, you should balance it with other factors that are important to you. Are you willing to pay more to expedite your timeline? Is the auditor you choose known for quality? Is it worth it to spend more to work with a trusted auditor instead of a brand-new firm? 

Case study: Synthesia 

In 2024, A-LIGN issued its first ISO/IEC 42001 certification to Synthesia, making them the first AI video company to achieve ISO 42001 compliance. Synthesia is the world’s leading enterprise AI video communications platform, with more than 55,000 businesses, including half of the Fortune 100, using it to communicate efficiently and share knowledge at scale using AI avatars. 

“A-LIGN’s expertise and attention to detail helped us identify and remediate any gaps in our rigorous processes. Together, we have led the way for the rest of the industry in the adoption of this standard, fostering trust and ensuring the long-term success of AI development and use.” 

— Martin Tschammer, Head of Security

This certification sets a new benchmark in the industry, showcasing Synthesia and A-LIGN’s joint dedication to compliance innovation and high-quality security. It also highlights A-LIGN’s unwavering commitment to excellence and its role in empowering clients to achieve and maintain the highest levels of compliance in the ever-evolving AI landscape.  Read the full success story.

Checklist: Questions to ask an ISO 42001 auditor 

Choosing an auditor is a big step in the assessment process and can impact your audit results as well as your experience. These are the key questions to ask your auditor to ensure you’re choosing the best fit for your organization: 

• What is your cybersecurity compliance experience? 
  • How many customers do you work with and how many audits have you completed? 
  • How many years have you been in business? 
  • What is your experience with ISO? 

• What is your experience with ISO 42001 assessments? 
  • How many ISO 42001 certifications have you issued? 
  • How long have you been conducting ISO 42001 audits?

• How well-versed are your auditors in ISO 42001 requirements? 
  • Do your auditors have specific certifications or training related to ISO 42001? 
  • Where are your auditors located?

• Are you accredited to conduct ISO 42001 audits? 
  • Which accreditation body did you choose and why? 

• Can you describe your audit process for ISO 42001? 
  • How do you ensure the quality and consistency of your audits? 
  • What kind of feedback and reporting can we expect from your audits?

• How much will the ISO 42001 assessment cost? 
  • What are your rates, and what do they include? 
  • Are there any additional fees we should be aware of?

• What is the timeline for the ISO 42001 assessment? 
  • What is the lead time to begin the assessment? 
  • How long do you anticipate the entire assessment process will take? 

• Do you have references and case studies from satisfied customers? 
  • Can you provide examples of similar organizations you have worked with? 

Ready to take the next step with ISO 42001? Download the guide or contact us to learn more.

With the Department of Government Efficiency (DOGE) in the forefront, questions around the future of FedRAMP have begun to circulate. The future of FedRAMP is a topic of much discussion and one that we’ve had with many customers and partners, and we’re here to help guide you through the state of uncertainty that currently exists in the market. We will continue to keep this article updated as news continues to roll in on changes. 

FedRAMP 20x

On March 24, 2025, FedRAMP announced its plans for a new assessment process for cloud service providers that will be designed by FedRAMP in partnership with industry stakeholders and agency experts. The new approach is called FedRAMP 20x.

FedRAMP 20x has five key goals:

1. Make it simple to automate the application and validation of FedRAMP security requirements.
2. Leverage existing industry investments in security by inheriting best-in-class commercial security frameworks.
3. Continuously monitor security decisions using a simple, hands-off approach.
4. Build trust between industry and federal agencies by leaning into the direct business relationships between providers and customers.
5. Enable rapid continuous innovation without artificial checkpoints that halt progress.

Over the next few months, industry and government will come together in public community working groups to discuss key topics and chart a path forward for a more efficient FedRAMP assessment process.

FedRAMP Rev5 updates

As of March 24, 2025 the current Rev5 agency authorization pipeline will remain open without significant changes. The current agency operation backlog is on track to be cleared by the end of April and then the PMO will continue to process new Rev5 agency authorizations based on demand. Until a new process is defined, FedRAMP Rev5 agency authorization remains the only active path to FedRAMP authorization.

The value of FedRAMP in the DOGE era 

We believe that FedRAMP is vital for modernizing Federal technology and software – aligned with DOGE’s vision to improve efficiency in the Federal government. We share the belief that FedRAMP has opportunities to continue improving efficiency, aligned with the vision that FedRAMP itself shared in December to improve authorization capacity designed to meet the demand that exists for authorization and create improved paths to faster and more straightforward review processes. 

FedRAMP has provided a standardized approach to security and risk assessment for cloud technologies and federal agencies, reducing duplicative effort, inconsistency, and cost inefficiency by providing agencies with a security platform that can be leveraged once across several agencies. Through the “audit once, use many times” approach, GSA has estimated that the program has saved over $700 million in costs associated with one-time assessment and authorization costs. 

Charting your path forward 

As a top 3 FedRAMP 3PAO, A-LIGN offers the following guidance to CSPs: 

1. For CSPs considering FedRAMP: We urge you to stay the course.  Security remains of critical importance, and with FedRAMP signed into law, Government Agencies are still required to only use cloud solutions with security authorizations. While we do expect changes in FedRAMP funding to evolve objectives and responsibilities, we also know that national security will continue to be a priority. Although FedRAMP process responsibilities may shift a bit, e.g., from FedRAMP to the Agencies, security authorization remains a requirement for cloud solutions that process government data.  As a result, our recommendation is to continue pursuit of FedRAMP authorization to open new routes to market and revenue. We believe DOGE’s mission is to modernize and drive efficiency in the Federal government should drive additional uptake in the use of cloud services and being prepared for that will allow your company to win new business. 

2. For CSPs who are already authorized: Your number one priority should be ensuring continuous monitoring activities are successfully demonstrated.  As the FedRAMP program continues to evolve and in discussions about the future state, we’re hearing more and more focus will be placed on Continuous Monitoring (ConMon).  In addition, with greater responsibilities shifting to the Agencies, now more than ever, ensure alignment with all your authorizing agencies to determine the right path forward for your company. 

The state of FedRAMP 

The GSA’s FedRAMP program, which evaluates the security of cloud computing services for Federal agencies, is undergoing significant changes. Although the support team at the FedRAMP Program Management Office (PMO) within GSA may be shrinking in size, the goals and objectives of the Government-wide initiative remain strong and are a focus area for automation and efficiencies. PMO staffing reductions are primarily affecting private sector contractors, with the number of contractors expected to drop to zero due to expiring contracts.  Again, this supports the shifting of responsibilities back to the Agencies who are best poised to ascertain the appropriate level of security risk acceptable for the cloud solution they’re authorizing for use.   

Despite these changes, FedRAMP continues to be a priority for the US Government. The program is being revamped to increase throughput and enhance government adoption of modern technology. In fact, a recently discussed goal is to decrease the entry barriers so that small businesses in particular are better able to enter the market.  FedRAMP’s codification into Federal law in 2022 ensures its staying power, with ongoing efforts to streamline evaluation and approval processes 

The role of 3PAOs 

While much has been said in the market about the role of the PMO and its impacts on third-party assessment requirements, 3PAOs are crucial for ensuring the security of cloud products – helping to identify risks to government agencies. 3PAOs are beholden to strict standards such as ISO 17020 and FedRAMP-specific requirements set by the American Association for Laboratory Accreditation (A2LA) in their R311 publication. This includes certifications for assessors, continued education, and participation in activities to ensure the integrity of the program. 

These requirements ensure that 3PAOs, like A-LIGN, can perform FedRAMP assessments that are high quality for CSPs. Concerns about 3PAO performance and quality are addressed with A2LA as the independent accreditation body, to step in. A2LA conducts a comprehensive initial audit for every candidate 3PAO, followed by a surveillance audit before a full renewal in year 3. 

Currently, the Agencies play a role in continuous monitoring, ensuring that cloud service offerings (CSOs) remain secure and compliant over time. However, with the existing cuts and uncertainty around the future of FedRAMP, there is an opportunity for 3PAOs to provide additional assurance to CSPs, government agencies, and taxpayers, to have 3PAOs conduct continuous monitoring activities in lieu of Agencies to ensure security remains fortified. 

Moving forward 

FedRAMP remains a critical component of federal technology modernization. As the program evolves, CSPs must stay informed and proactive in their compliance efforts. A-LIGN is committed to helping you navigate these changes and achieve your FedRAMP goals. 

Reach out to us today to learn more about FedRAMP and to stay up to date on the latest news in the market. 

One of the most crucial pieces of the compliance puzzle is your auditor. Finding the right auditor can mean the difference between an efficient, smooth audit experience and a long list of costly compliance and brand reputation issues.  

A-LIGN’s 2025 Compliance Benchmark Report found that report and auditor quality remain top of mind for compliance teams. Our survey revealed that the most important factors for companies when choosing an auditor are: 

• Experienced audit team 

• Report quality 

• Tech-enabled audit  

But what does “experienced” mean? Or a “quality” report? We’ll answer those questions below as we cover the six crucial factors to consider when choosing a compliance auditor. Plus, follow along with our Quality Audit Checklist to make sure you get the most from your audit experience. 

1. Experience and credentials  

When it comes to compliance audits, experience counts. In fact, it might be the most important factor of all. Here are some specific qualities to look for.  

Industry tenure and track record  

Look for auditors who have been in business for a substantial period — ideally a decade or more — and have completed many audits for the standard you need. Experienced auditors are less likely to make costly mistakes and are better equipped to handle complex compliance landscapes. 

An experienced auditor will also generally have a large team of experts with a wide variety of specialties. Auditors on these teams also generally have experience with an array of company types, making it more likely your audit team will have a deep understanding of your priorities. 

Certifications and accreditations  

Ensure your auditors hold the certifications, licenses, and accreditations required to perform the audits you need. Here are some examples:  

Certified public accounting license and registered with the American Institute of Certified Public Accountants — only independent licensed CPAs can issue SOC 1 and SOC 2 attestation reports  

Accredited by ANAB, the ANSI National Accreditation Board as an ISO 27001, ISO 27701, ISO 42001 and ISO 22301 certification body   

Accredited by UKAS, the United Kingdom Accreditation Service, as an ISO 27001 certification body 

Authorized HITRUST External Assessor  

Accredited FedRAMP Third Party Assessment Organization (3PAO)   

Accredited CMMC Third Party Assessment Organization (C3PAO) 

PCI Qualified Security Assessor Company   

Maintaining high standards  

Not all accreditation bodies are created equal. It’s important to seek out accreditation bodies that maintain high standards of quality. These groups often have a long track record of success and far-reaching expertise in the frameworks you’re pursuing. Plus, their teams have relevant certifications and deep industry experience. 

Industry-specific experience  

Auditors with experience in your industry will understand your organization’s unique compliance challenges and requirements better. This insight is crucial for providing relevant and effective audit services. If your auditor has experience in the healthcare sector, for example, they’d be familiar with the overlap between SOC 2 and HIPAA compliance. A combined audit could save you significant time and money.   

2. Report quality  

According to the 2025 Compliance Benchmark Report, 70% of companies deemed the quality of compliance reports extremely important. Not all reports are created equal, so finding an audit partner who will deliver a high-quality report is essential. 

Thorough, actionable reports  

If the report you get from your auditor is too short, too vague, or otherwise deficient, you’ve wasted time and money. Ask your prospective auditor detailed questions about how they prepare audit reports. Curious what questions to ask? Download our Quality Audit Checklist. High-quality audit reports should not only confirm compliance but also highlight areas for improvement and risk mitigation strategies that are specific to your organization’s security posture.   

Red flags to watch for  

Be cautious of audit firms that provide overly brief reports or fail to offer constructive feedback. Cookie-cutter statements that could apply to any company could indicate insufficient investigation into your organization’s security processes and systems. Comprehensive reports that include thought leadership and best practices are indicative of a thorough and professional audit process.  

Be sure to ask any potential auditors about their level of success and how often their reports are rejected by external vendors. Rejected reports are a red flag for report and auditor quality. 

3. Breadth of services 

An auditor with a wide breadth of services can help you combine audits, avoiding duplicate efforts later on. According to the 2025 Compliance Benchmark Report, 92% of companies pursue more than one certification or attestation, making it all the more important to choose an auditor that will grow with you and continue to meet your needs.  

Multiple frameworks   

Look for firms capable of handling a wide range of compliance standards and frameworks. Consider what certifications and assessments are common in your industry, and make sure your potential audit partner can handle those needs. Even if you only seek out one or two audits now, your auditor should be able to scale its services as your business evolves and grows — or new regulations emerge.  

Cybersecurity and risk management  

Outside of yearly audits, a full-service compliance partner should offer cybersecurity services like penetration testing and vulnerability assessment to help your organization mitigate risk year-round. Ask any prospective auditors how they can support and guide your organization on its journey to improve its overall security posture.  

Related content: The Why Behind Compliance: Building a Culture of Security 

4. Tech-enabled services  

Choosing an auditor who embraces technology isn’t about flashy bells and whistles; it’s about efficiency. An auditor who does everything manually will take longer to finish your audit, and nobody wants to spend more time on an audit than they have to.  Download the Quality Audit Checklist to learn what questions can help you understand a firm’s technology  

Software and automation  

Leverage auditors who use audit management software to streamline the audit process. This technology can simplify evidence collection and streamline communication between you and your auditor, limiting the time and resources needed to complete the audit. It also gives you a more transparent look at the process.  

Integration with GRC tools   

Choose auditors who can integrate with your existing compliance and trust management software, like Vanta, Drata, or AuditBoard. This integration can enhance the scalability and accessibility of your compliance program, making it easier to maintain high standards over time.  

5. Audit process 

Selecting a team that has wide-reaching experience and the appropriate certifications is essential, but so is alignment with the audit process. This portion of the process will take up time and resources, so be sure to understand scoping, the steps of the process, and how often you’ll be in touch with the team. 

Experienced audit teams will have a clearly defined process to help you achieve your compliance goals. Here’s what to look for in a productive, manageable process: 

• Timeline and scoping: There should be a clear timeline and scoping criteria established from the get-go. Be aware that the timeline will vary based on the framework, team availability, level of business complexity, and more. 

• Synchronize audit cycles: Identifying overlaps and harmonizing audit cycles is a green flag for an effective audit partner. It takes knowledge and experience to define an audit synchronization opportunity, and those who see it will save you time and resources. 

• Streamline the process: You shouldn’t feel like ripping your hair out during an audit cycle. The right partner will streamline the process with technology and other tools to ensure a seamless process with minimal disruptions. 

• Team communication: The frequency and style of communication your audit partner brings to the table are high priority. Consider: are you looking for a partner to keep you up-to-date each day? Do you only want periodic updates? Think about what’s important to you and choose accordingly.  

6. Reputation and references  

A qualified auditor should be well respected by its customers and the industry at large. Avoid companies that cannot back up their supposed reputation with examples and metrics.   

Client testimonials and references  

Request references from similar companies to gauge the auditor’s reliability and effectiveness. Positive feedback from these references can provide valuable insights into the auditor’s performance and process.  

Case studies and success stories  

Review the auditor’s case studies, which should clearly demonstrate the auditor’s ability to deliver successful compliance outcomes. These stories can offer concrete examples of how the auditor has helped other organizations achieve their compliance goals.  

Industry recognition  

Choose auditors who are recognized and respected in the industry. Awards, publications, and active participation in industry forums are good indicators of a firm’s credibility and expertise.  

How does A-LIGN stack up?  

“I have extensive experience with auditors, and working with A-LIGN has been refreshing. I appreciate their approach, communication, proactive team, and how seamlessly audits are conducted with a no-surprises approach,” said Rashpal Singh, Global Director of Governance, Risk, and Compliance at Menlo Security. 

Selecting the right compliance auditor can make a significant difference in maintaining a robust compliance program and building trust with your stakeholders. Combining experienced auditors and audit management technology, A-LIGN provides the widest breadth and depth of services including SOC 2, ISO 27001, HITRUST, FedRAMP, and PCI, among others. 

A-LIGN prioritizes delivering best-in-class audits for our clients, providing tailored guidance, practical recommendations, and ongoing support to maintain a successful security posture. Our 96% client satisfaction rating speaks for itself.  

Contact us to learn more about why A-LIGN is the leading provider of high-quality, efficient cybersecurity compliance programs.

The European Union is raising its bar for compliance with the roll out of NIS2, but what exactly is it and how can companies ensure they comply? We’re here to break down this regulation and share the best way for organizations to achieve compliance by following the ISO/IEC 27001:2022 framework.  

What is NIS2? 

Replacing the original NIS Directive, NIS2 sets out to redefine minimum security requirements for operators of essential services and digital service providers. This update drives broader applicability across more industries, introduces new methods for onboarding companies, establishes stricter requirements for reporting incidents, and enforces harsher penalties for non-compliance. It’s intended to strengthen cybersecurity in the EU, ensuring all companies in the scope of the NIS2 directive that provide services or carry out activities within the EU take proactive measures to create a more secure operating environment. 

Check out our article NIS2 Directive: What You Need to Know to take a deeper dive into the updates and requirements for this regulation.  

What is ISO 27001? 

ISO 27001 is an internationally recognized standard that focuses on the implementation, management, and maintenance of information security within a company. It’s a powerful framework for governance because it gives organizations flexibility to ensure that what they’re implementing aligns with their business goals. It builds a strong foundation for security practices, focusing not just on controls but on a robust management system. 

To learn more about ISO 27001, check out our article ISO 27001 Certification: Everything You Need to Know 

Using ISO 27001 as a tool for NIS2 compliance 

The NIS2 Directive does not provide a clear roadmap for how to achieve compliance, which leaves many organizations wondering how they can meet the guidelines of the directive and avoid penalties for non-compliance. While ISO 27001 is not specifically mentioned, the directive does allude to “relevant European and international standards.” Our team of experts at A-LIGN believe that NIS2 compliance can be achieved with the ISO 27001 framework, incorporating additional requirements for business continuity and incident management.  

Mapping the Overlap 

There are ten minimum security measures for NIS2 that build on and align closely with ISO 27001, adding specific business continuity requirements to enhance organizational resilience. Certifying against ISO 27001 and mapping to NIS2 controls demonstrates conformity of your Information Security Management System (ISMS) with the documented standards and provides your customers with assurance regarding the security of your systems and data. If you are already ISO 27001 compliant, mapping to NIS2 controls enhances compliance by aligning with EU-specific requirements and emphasizes incident reporting. It also gives you a competitive edge by demonstrating a robust commitment to cybersecurity. 

A-LIGN is at the forefront of ISO 27001 certification and has a team of experts ready to help you navigate the audit process and achieve compliance. Reach out to us today to get started with ISO 27001 certification for 2025.   

The European Union Artificial Intelligence Act (EU AI Act) has established a comprehensive framework for regulating AI, setting a precedent for global AI governance. As enforcement phases roll out, organizations must proactively implement compliance measures to avoid legal and operational risks. However, due to evolving regulatory interpretations and industry-specific obligations, many organizations face uncertainty regarding compliance strategies. 

ISO/IEC 42001, the AI Management System (AIMS) standard, provides a structured, risk-based approach to AI governance that aligns with the EU AI Act’s requirements. This article outlines the regulatory timeline and demonstrates how companies can leverage ISO 42001 to systematically prepare for compliance.  

What is the EU AI Act? 

The EU AI Act is a groundbreaking legislative proposal designed to regulate artificial intelligence across the European Union. Its core objective is to establish a legal framework that balances technological innovation with the protection of fundamental rights and public safety. The act classifies AI applications into four risk categories: unacceptable, high, limited, and minimal, each subject to specific rules or restrictions.  

What is ISO 42001? 

ISO 42001 is an international standard dedicated to establishing effective artificial intelligence management systems. This standard outlines a structured framework that organizations can adopt to ensure the responsible and ethical use of AI technologies. 

Published on December 18, 2023, this standard provides guidance to organizations that design, develop, and deploy AI systems on factors such as transparency, accountability, bias identification and mitigation, safety, and privacy. 

EU AI Act timeline 

The EU AI Act became legally binding on August 1, 2024. However, the requirements in the act will begin to take effect gradually over time with a phased roll out. Key milestones include: 

• February 2, 2025: Prohibitions on certain AI systems and requirements on AI literacy start to apply. 

• August 2, 2025: Rules start to apply for notified bodies, GPAI models, governance, confidentiality and penalties. 

• August 2, 2026: The remainder of the AI Act starts to apply, except for some high-risk AI systems with specific qualifications. 

• August 2, 2027: All systems, without exception, must meet obligations of the AI Act. 

February 2025 milestones 

The first major enforcement deadline—February 2, 2025—introduced two key requirements: 

• Prohibited AI practices: The Act explicitly bans AI systems that engage in manipulative behavior, social scoring, or unauthorized biometric surveillance. Organizations that have not conducted internal risk assessments to identify and eliminate these practices are already non-compliant. 

• AI literacy requirements: Organizations must ensure that employees involved in AI decision-making possess adequate training in AI risk management, explainability, and governance. This requirement applies to developers, compliance teams, and executives responsible for AI oversight. 

Organizations that have not yet implemented structured compliance mechanisms must act immediately, as future enforcement deadlines impose stricter obligations on AI transparency and risk management. 

August 2025 milestones 

The next major deadline introduces requirements for general-purpose AI (GPAI) providers, including foundational models and large-scale AI systems. 

• Transparency disclosures: AI providers must publicly disclose details about model training methodologies, datasets, and inherent risks. 

• Explainability and accountability: Organizations must ensure AI outputs are understandable, predictable, and governed by clearly defined policies. 

ISO 42001 provides a structured approach to meeting these requirements: 

• Clause 7.4 (Communication & transparency) outlines best practices for documenting and disclosing AI models and decision-making processes. 

• Clause 6.1.3 (AI system impact assessment) supports organizations in evaluating AI bias, ethical risks, and explainability, reinforcing compliance with EU AI Act transparency mandates. 

For companies developing GPAI models, establishing robust transparency mechanisms is essential to avoid regulatory penalties. 

August 2026 milestones 

By this date, high-risk AI systems defined in Annex III of the EU AI Act must fully comply with strict legal, technical, and governance requirements. These systems are deployed in sectors such as healthcare, critical infrastructure, law enforcement, and human resource management. 

Organizations must ensure high-risk AI systems: 

• Implement rigorous risk management practices 

• Include bias detection and mitigation controls 

• Maintain security and explainability safeguards 

ISO 42001 establishes a structured risk-management framework that directly aligns with high-risk AI system compliance: 

• Clause 8.2 (AI risk treatment) enables organizations to systematically identify, assess, and mitigate AI risks. 

• Clause 9 (Performance evaluation) mandates ongoing risk monitoring, bias audits, and transparency reporting, ensuring continued compliance. 

Organizations operating high-risk AI must implement structured AI governance frameworks to meet this compliance milestone. 

August 2027 milestones 

Certain high-risk AI systems integrated into pre-existing EU-regulated industries (e.g., medical devices, finance, and automotive) will be subject to an extended compliance timeline. AI systems requiring pre-market conformity assessments under sector-specific EU laws must meet full AI Act compliance by this date. 

ISO 42001 facilitates multi-standard compliance and audit readiness: 

• ISO 42001 integrates with ISO 27001 (Information Security) and ISO 13485 (Medical Devices), providing a unified compliance framework. 

• ISO 42001 supports AI conformity assessments, positioning organizations for third-party regulatory audits. 

Organizations in regulated industries should begin integrating AI governance structures now to ensure seamless compliance by 2027. 

Why ISO 42001 is essential for EU AI Act compliance 

The EU AI Act mandates an ongoing governance framework for AI risk management, transparency, and compliance. Unlike one-time risk assessments or ad hoc governance policies, ISO 42001 establishes a systematic, repeatable process for AI compliance, ensuring organizations: 

1. Proactively manage AI risks rather than responding to enforcement actions. 

2. Align AI governance with business operations using structured risk-management frameworks. 

3. Demonstrate compliance through audit-ready documentation and performance evaluation. 

ISO 42001 provides an adaptable compliance framework that evolves alongside regulatory requirements, making it an ideal foundation for AI governance.  Though it is not an approved harmonized standard for AI Act conformity, it does provide the foundation you’ll need to be successful when the final QMS conformity standard is released.  

Recommendations for EU AI Act compliance 

Organizations should take the following steps to ensure readiness for EU AI Act enforcement: 

1. Conduct an AI risk & readiness assessment: Map AI systems to EU AI Act categories and use ISO 42001’s risk framework to identify compliance gaps. 

2. Implement AI literacy programs: Ensure personnel meet EU AI Act training requirements through structured education initiatives outlined in ISO 42001 Clause 7.2 (Competence). 

3. Develop AI governance policies: Use ISO 42001 to define roles, responsibilities, and oversight mechanisms for AI compliance. 

4. Prepare for independent audits: ISO 42001 provides an audit-ready AI governance structure, ensuring organizations are prepared for third-party conformity assessments. 

The EU AI Act is now law, and enforcement will intensify over the next two years. Organizations that wait until 2026 or 2027 to implement compliance measures will face significant operational and regulatory risks. ISO 42001 provides a structured, proactive approach to AI governance, ensuring that organizations remain compliant, transparent, and resilient in a rapidly evolving regulatory landscape. 

The question is no longer whether AI governance will become mandatory—it already is. The real challenge is ensuring that organizations implement compliance structures that are sustainable, scalable, and aligned with industry best practices. Organizations that take action now will be best positioned to thrive in the new AI regulatory environment.

With bad actors targeting sensitive data, many organizations are looking for new ways to monitor and improve their data security — Enter: ISO/IEC 27001:2022. Earning your ISO 27001 certification is a useful way to establish credibility with stakeholders, customers, and partners, and in turn, helps demonstrate your organization’s commitment to cybersecurity.   

Of course, like most standards, the certification process can seem daunting at first glance. Here’s what you need to know before your organization decides to pursue an ISO 27001 certification.   

What is ISO 27001?  

The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) originally published ISO 27001 in October 2005, revised in 2013, and again in 2022. It focuses on building a strong information security management system (ISMS) within organizations.    

As one of the most widely used security frameworks around the world, ISO 27001 is a risk-driven standard that focuses on data confidentiality, integrity, and availability. The standard aims to help organizations have a stronger, more holistic approach to data security.   

What are the benefits of ISO 27001 certification? 

• Defines responsibilities and business processes for information security  
• Builds a culture of information security and diligence  
• Reduces the potential for security incidents through implemented controls specific to your unique risks and assets  
• Meets additional security compliance requirements

Who should get a certification for ISO 27001?  

ISO 27001 isn’t a legal requirement but may be a prerequisite to customers doing business with your organization.  

Some industries are more likely to need an ISO 27001 certification because of the type of data that companies store. These industries include:  

• Information technology  

• Healthcare  

• Finance  

• Consulting  

• Telecommunications 

What is the difference between ISO 27001 and SOC 2?  

ISO 27001 and SOC 2 are two of the most popular cybersecurity assessments that verify an organization’s ability to mitigate risk and protect information. However, the two standards are not interchangeable.   

SOC, or System and Organizational Controls, is a framework developed by the American Institute of Certified Public Accountants (AICPA) with the aim of providing regular, independent attestation of the controls that an organization has implemented to mitigate information-related risk. There are three types of SOC audits: SOC 1, SOC 2, and SOC 3, although SOC 2 has become the de facto standard for cybersecurity.   

Difference #1: Certification vs. attestation   

The biggest difference between ISO 27001 and SOC 2 is that ISO 27001 is an audit process that results in a certification, and SOC 2 is an audit process that results in an attestation report. In an attestation report, a third-party assessor documents a conclusion about the reliability of a written statement over a prior time period. ISO 27001 certifications, on the other hand, are issued by an accredited certification body or the International Accreditation Forum (IAF) seal and lasts for 3 years.   

Difference #2: Global reach  

ISO 27001 is an international standard that is used as the principal cybersecurity standard throughout the world. SOC 2 is an American-born standard, and although it is gaining popularity in Europe, it has yet to have the same global reach as ISO 27001.   

Difference #3: ISMS vs. Trust Service Criteria (TSC)  

ISO 27001 focuses on the development and maintenance of an Information Security Management System (ISMS). In order to earn an ISO 27001 certification, organizations must implement all of the clauses and controls of the framework within the scope of its ISMS. The organization will then be issued a pass or fail of the audit. Organizations would need to implement, maintain and continually improve the ISMS in order to achieve an ISO 27001 certification.  

SOC 2 is structured around five Trust Services Criteria (TSC): Security, Availability, Confidentiality, Processing Integrity, and Privacy. For a SOC 2 audit, organizations can mostly pick which criteria they’d like to have evaluated (Security is mandatory). The final report is not pass/fail but rather the auditor concludes an opinion based on the design and effectiveness of the operation of controls in place for each chosen TSC.  

Difference #4: Certification bodies and renewal timelines   

For SOC 2, the attestation is carried out by a licensed CPA firm. ISO 27001 certifications must be carried out by an accredited ISO 27001 certification body. 

How do ISO 27001 and ISO 42001 overlap? 

ISO 27001 provides a great foundation for ISO 42001, a new standard for AI use. But, the two are not the same. Here’s how they differ:  

• Scope: ISO 27001 focuses on ISMS and provides a framework to protect sensitive information through risk management processes. ISO 42001, however, deals with AI management systems. This standard includes responsibilities specific to AI, such as ethical considerations and impact assessments. 

• Normative references: ISO 27001 references various information security management standards. These guidelines help organizations maintain data integrity, confidentiality, and availability. ISO 42001 incorporates AI-specific standards, like ISO/IEC 22989. These references focus on ethical AI use, risk management, and system integrity. 

• Context of the organization: ISO 27001 requires organizations to understand the context of their information security needs. ISO 42001 extends this concept to AI. Organizations must understand the specific context of their AI systems, including stakeholder expectations and potential impacts. ISO 42001 also requires organizations to understand their role in the AI ecosystem as provider, producer, or user. 

Understanding the overlaps and differences between these two frameworks can streamline your compliance efforts and keep your team ahead of the curve. Learn more about ISO 42001 vs. ISO 27001. 

Preparing for your ISO 27001 audit  

The prep work is just as important as the audit when it comes to compliance. Your organization should take the time to understand the standard, define your goals, and research accredited certification bodies, or organizations. You should also consider conducting a gap assessment and understand the state of your company’s compliance journey before jumping into an ISO 27001 audit. 

Steps to ISO 27001

While the road to ISO 27001 certification is well-established, it is still a multi-pronged process that requires attention to detail and a generous time commitment. The five steps to ISO 27001 certification include:   

1. Optional Pre-Assessment    

2. The Stage 1 Audit    

3. The Stage 2 Audit    

4. A Surveillance Audit    

5. Recertification   

In order to make the ISO 27001 certification process as smooth as possible, A-LIGN offers end-to-end services, from pre-assessment to ongoing audits to recertification. Our experts ensure your organization can continue to run with minimal disruption while still helping you acquire the certification you need to strengthen your security.     

Step 1: Pre-assessment    

The pre-assessment is designed for companies that are undergoing the certification process for the first time. This assessment is only performed on an as-needed basis but is highly recommended prior to the actual audit.   

The pre-assessment involves performing a review of an organization’s scope, policies, procedures, and processes to review any gaps in conformance that may need remediation before the actual certification process begins.   

Step 2: Stage 1 audit   

During a Stage 1 audit, an auditor reviews an organization’s ISMS to confirm that it has been established and implemented in conformance with the ISO 27001 standard. This audit also checks to see if the mandatory activities of an ISMS have either been completed prior to starting Stage 2.   

Upon completion, the Stage 1 audit will reveal if an organization is ready to move forward to Stage 2 or if it needs to modify its policies, procedures, and supporting documentation before proceeding.   

Step 3: Stage 2 audit   

The Stage 2 audit tests the conformance of an organization’s ISMS against the ISO 27001 standard. Upon completion of Stage 2, A-LIGN will determine if an organization is ready for certification.   

If any nonconformities were identified during the audit, they will need to be remediated by the organization before a certificate can be issued.    

Stage 4: Surveillance audit   

The ISO 27001 certification process doesn’t simply end after a certificate has been issued. For the two years following certification, A-LIGN will conduct annual surveillance audits to ensure an organization’s ongoing compliance with the ISO 27001 standards. This step ensures your cybersecurity practices are operating at the highest possible level.   

Stage 5: Recertification   

An ISO 27001 certification is valid for three years after the certificate’s issue date. Organizations need to recertify before the certificate’s expiration date or be required to begin the certification process again. Recertification audits review the entire management system, similar to the Stage 2 audit.     

How do I choose an assessor?  

Once an organization decides to pursue an ISO 27001 certification, they must then decide which path to take toward certification. This initial step in the process means choosing a certification body (CB).   

A CB is an organization that provides certifications around a chosen standard. These organizations come in two forms: accredited and unaccredited.    

Although the process taken by both accredited and unaccredited certification bodies are similar, there are enough differences to consider the risks that come from using unaccredited certification bodies before they begin pursuing ISO 27001 certification.    

Accredited certification bodies    

Accredited certification bodies must complete a rigorous evaluation process through an accreditation body. This is done to ensure the certification audit it conducts is performed in accordance with the audit requirements.    

The evaluation process involves reviewing the competence of the audit team, the audit methodology used by the certification body, and the quality control procedures an organization has in place to ensure the audit and certificate are performed/issued accurately.  

Organizations that use an accredited certification body for certification will receive their ISO 27001 certifications with the accreditation body represented on the certificate. Additionally, for certification bodies that have entered into the IAF Multilateral Recognition Arrangement (MLA) under their accreditation body, the IAF MLA mark will appear on the certificate as well in addition to the AB’s mark.  Accreditation granted by the IAF MLA are recognized globally for equivalent programs and recognize acceptance of certificates across global markets. Accreditation bodies are admitted to the MLA after a peer review, and their certification bodies are held to auditable requirements. Recognized accreditation bodies and scopes can be verified on the IAF website.   

Unaccredited certification bodies   

Because accreditation is not compulsory, non-accreditation does not always mean the certification body is not reputable. Accreditation, however, does provide a confirmation that the certification body is approved. An unaccredited certification body is not audited to confirm their compliance with IAF certification audit requirements.   

Oftentimes clients will only accept ISO 27001 certificates from accredited certification bodies. It is important for organizations to check if their clients have any specific accreditation requirements before they begin their certification process.  

Common pitfalls  

All certification processes come with the chance of not getting approved for certification, and ISO 27001 is no exception. Here are some of the most common ISO 27001 pitfalls organizations make, along with how you can avoid making the same missteps.    

Pitfall #1: Failing to schedule the internal audit and management review   

Both the internal audit and management review are critical to the success of the ISMS, as the internal audit feeds into the management review, and then both feed into the continuous improvement cycle.   

However, the certification process can be easily disrupted if the internal audit and management review are not scheduled within the proper time frame. Organizations should make sure their internal audit is scheduled well in advance of the certification audits in order for management review and continuous improvement activities to have enough time to be completed. The internal audit and management review of the ISMS must be completed prior to the Stage 2 audit.  

A-LIGN starts the surveillance audit approximately nine months after receiving initial certification. This means an organization would start the next internal audit six to seven months after certification.   

Pitfall #2: Changes in key personnel    

Most times, the ISMS is implemented by someone who fields many of the questions during an audit, taking overall responsibility for the ISMS. If this person leaves their role, the ISMS can fall apart.   

Organizations need to ensure they have a redundant person who has a basic understanding of the ISMS. Even if this person never has to step up and take over the process, having an established transition process ahead of time can alleviate any potential headaches down the line. Detailed documentation will be key to this transition and will help ensure the new ISMS Manager can continue carrying out the processes required.   

Pitfall #3: Failing to be vigilant   

ISO 27001 defines ongoing processes that should be in place throughout the year, not just during the audit itself. Management controls, which include periodic meetings, documented approvals for decisions, recording meeting minutes of oversight committees, etc., require maintenance for the ISMS to continue to function.    

It is easy to fall into a period of false security and let oversight slip. Organizations should make sure their ISMS is a living process that is built into their day-to-day so that it continues to function as designed after certification is received.   

Pitfall #4: Not considering environmental changes    

ISO 27001 requires that all changes in the environment must be considered through the risk assessment process. It also requires new or modified controls to be mentioned in the statement of applicability.   

The certification body you choose must also be notified and a new certificate issued if there are changes to the scope or statement of applicability.    

When changes in the environment may impact the scope of certification, it is necessary to review and update the ISMS documentation to ensure it correctly reflects the environment post-change.

What is ISO 27701?  

Acting as an extension of ISO 27001, ISO 27701 is the first international privacy standard to provide a certification path for organizations to demonstrate their privacy systems and controls.   

The ISO/IEC 27701:2019 standard was first published in 2019. It details the requirements and guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS). Although this standard is most relevant for personally identifiable information (PII) controllers and processors, it can also be used by organizations of any kind, size, and location.  An important thing to remember is that most organizations are at the very least a controller of their employees’ data.  

To receive an ISO 27701 accredited certificate, organizations must either already have ISO 27001 certification or must undergo the ISO 27001 certification audit with the extension of ISO 27701.  

Why organizations may want to pursue ISO 27001 and ISO 27701  

Outside of simply gaining a better understanding of the PIMS implementation process, there are multiple benefits that come from pursuing ISO 27701 and ISO 27001. Combining the two certifications:    

Streamlines compliance obligations for ISO 27001 and the GDPR by integrating privacy directly into an organization’s ISMS   

Helps organizations surpass the competition and attract new customers by adding a level of increased security and privacy into the organization   

Maintains peace of mind for current customers as they know their personal identifiable information (PII) is protected   

Helps organizations avoid potential fines, especially as the enforcement of privacy protection continues to increase   

The underlying, foundational framework of ISO 27001 creates a strong ISMS. Alongside the ongoing PIMS improvement structure of ISO 27701, organizations can benefit from combining the two and ensuring a certifiable commitment to privacy controls.    

A-LIGN recognizes the complex compliance needs for businesses that require cybersecurity compliance assessments in the U.S. and EMEA region. To cater to this growing demand, A-LIGN has successfully pursued and obtained accreditation from both ANAB and UKAS specifically to the ISO 27001 and ISO 27701 standards. 

What are the ISO 27001 controls and requirements?  

What are the ISO 27001 controls and requirements? 

The ISO 27001 requirements provide a clear framework for protecting and managing valuable data and information. In the 2013 version of ISO 27001, controls were organized into 14 different domains. In the 2022 update, controls are placed into four themes instead:   

People controls (8 controls)   

Organizational controls (37 controls)   

Technological controls (34 controls)   

Physical controls (14 controls)   

Below is a summary of the new controls in ISO Annex A:  

A.5.7 Threat Intelligence: This control requires organizations to gather and analyze information about threats, so they can take action to mitigate risk.  

A.5.23 Information Security for Use of Cloud Services: This control emphasizes the need for better information security in the cloud and requires organizations to set security standards for cloud services and have processes and procedures specifically for cloud services.    

A.5.30 ICT Readiness for Business Continuity: This control requires organizations to ensure information and communication technology can be recovered/used when disruptions occur.    

A.7.4 Physical Security Monitoring: This control requires organizations to monitor sensitive physical areas (data centers, production facilities, etc.) to ensure only authorized people can access them — so the organization is aware in the event of a breach.    

A.8.9 Configuration Management: This control requires an organization to manage the configuration of its technology, to ensure it remains secure, and to avoid unauthorized changes.    

A.8.10 Information Deletion: This control requires the deletion of data when it’s no longer required, to avoid leaks of sensitive information, and to comply with privacy requirements.    

A.8.11 Data Masking: This control requires organizations to use data masking in accordance with the organization’s access control policy to protect sensitive information.    

A.8.12 Data Leakage Prevention: This control requires organizations to implement measures to prevent data leakage and disclosure of sensitive information from systems, networks, and other devices.   

A.8.16 Monitoring Activities: This control requires organizations to monitor systems for unusual activities and implement appropriate incident response procedures.    

A.8.23 Web Filtering: This control requires organizations to manage which websites users access, to protect IT systems.    

A.8.28 Secure Coding: This control requires secure coding principles to be established within an organization’s software development process to reduce security vulnerabilities.    

How does ISO 27001 relate to GDPR compliance? 

Achieving ISO 27001 certification can cover many aspects of the General Data Protection Regulation (GDPR) but it’s impossible to fully swap a standard and a regulation. While ISO 27001 does not equal GDPR compliance, it’s a great starting point. 

How long is ISO 27001 certification valid? 

ISO 27001 certifications are valid for a three-year period with annual surveillance audits.  

What’s an example of ISO 27001 in the real world? 

Below are customer case studies in which the organization earned ISO 27001 certification to drive revenue, build customer trust, and better their security posture.  

Magic achieves SOC 2, ISO 27001, and HIPAA compliance with A-LIGN & Drata 

Anthology’s commitment to compliance elevates edtech standards 

Boomi showcases cybersecurity dedication with 10+ compliance certifications and attestations 

Menlo Security reduces evidence collection time by 60% with consolidated audit approach 

Getting started with ISO 27001 

ISO 27001 is a longstanding cybersecurity framework used to build an ISMS within your organization. This internationally recognized framework is a risk-driven standard focusing on the confidentiality, integrity and availability of the data in your environment.      

As an accredited ISO 27001 certification body,  A-LIGN can provide your organization with the experience and guidance needed to achieve certification.  Contact us to get started today.