Implementation of ISMS: practical guide aligned to ISO 27001

By
Laius B.
May 5, 2026
5 min read

In 2024, the number of globally valid ISO 27001 certifications almost doubled — from 48,671 to 96,709. In the same period, the average cost of a data breach reached US$4.88 million.

The two numbers tell the same story: the market has finally understood that a well-implemented ISMS is not compliance for compliance's sake. It is what separates organizations that respond to incidents from those that prevent them.

The problem is that most implementations still treat the Information Security Management System as a certification project rather than as an active risk management resource. The company implements, certifies and then operates as if the work were finished.

Until the next audit shows that controls exist on paper, but not as real governance.

In this material Vennx explains what an ISMS is, how ISO 27001:2022 structures its implementation, what errors compromise certification even before the audit arrives, and how to connect this system to risk management and controls that sustain compliance over time.

Read to the end!

What is an ISMS and why it goes beyond certification

The Information Security Management System is the management structure through which an organization protects the confidentiality, integrity and availability of its information. It is not a technological tool, nor a set of isolated policies.

It is a system of processes, responsibilities, review cycles and documented evidence that must function in an integrated and continuous way.

ISO 27001 is the international standard that defines the requirements to implement, maintain and continuously improve this system. It does not prescribe specific controls as a universal obligation; instead it establishes a risk-based management logic in which each organization selects the controls relevant to its context.

This distinction is fundamental.

An ISMS implemented as a project has a point of arrival: certification. An ISMS implemented as a system has continuous cycles of evaluation, adjustment and improvement; because threats change, processes change, and the regulatory environment changes together.

The Brazilian regulatory context amplifies this need. LGPD, Central Bank regulations and SOX obligations for companies with operations in the United States converge on the same principles as the ISO 27001 structure: access control, traceability, risk management and auditable evidence.

An organization that implements ISMS correctly is already building the foundation to serve multiple frameworks simultaneously.

ISO 27001:2022: what has changed and what it requires in practice

The current version of the standard, ISO/IEC 27001:2022, published in October 2022, brought relevant changes that many organizations have not yet fully incorporated into their implementations.

Annex A was restructured from 114 controls in 14 categories to 93 controls in 4 categories: Organizational, People, Physical and Technological. Reduction does not mean less demand, but consolidation and updating. Fifty-six previous controls were merged into 24. And 11 new controls were created to address risks that the 2013 version did not include:

  • Threat intelligence— monitoring and analysis of emerging threats.
  • Cloud security— specific controls for the use of cloud services.
  • Data masking— protection of sensitive data in development and test environments.
  • Data leakage prevention— controls to detect and block unauthorized disclosure of data from systems and networks.
  • Secure coding— controls over the software development life cycle.
  • Web filtering, ICT readiness for business continuity, monitoring activities— among others.

What has not changed is the central logic: the organization does not implement all 93 controls. It implements those that make sense for its risk profile and documents that choice in the Statement of Applicability (SoA)— the document that records which controls apply, which have been excluded, and with what justification.

SoA is one of the main objects of analysis in any certification audit.

Clauses 4 to 10 of the standard are mandatory for certification and cover: organizational context, leadership and commitment, planning (including risk analysis), support, operation, performance evaluation and continuous improvement. They are the structural framework on which the entire ISMS rests.

The implementation stages: from diagnosis to continuous cycle

Initial diagnosis and scope definition

The starting point is to understand where the organization actually is, not where it would like to be. A structured gap analysis maps the current state of information security against the requirements of the standard, identifies priority gaps and defines the scope of the ISMS: which processes, systems, assets and organizational units are covered by the implementation.

A poorly defined scope is one of the most common causes of failure in the audit. An organization that includes more than it can manage creates a nominal ISMS: documented, but not operational.

Risk analysis and assessment

Risk analysis is at the core of the entire implementation. It is the basis for the selection of controls and justifies treatment decisions. The process involves:

  • Identification of information assets and their formal owners
  • Mapping the threats and vulnerabilities associated with each asset
  • Probability and impact assessment for risk prioritization
  • Treatment decision: mitigate, accept, transfer or avoid

ISO 27005 is the complementary standard that provides the specific methodology for information security risk management — and is an indispensable reference at this stage.

An unassessed risk does not go away. It is simply outside the control system.

Selection and implementation of controls

With the risks prioritized, the organization selects the Annex A controls that address each identified risk and documents that decision in the SoA. Generic controls applied without a risk-analysis basis generate two problems: unnecessary cost on controls that do not address real risks, and gaps where the actual risks remain untreated.

ISO 27001:2022 controls operate in four complementary layers:

  • Organizational— policies, procedures, structure of responsibilities, supplier management.
  • People— screening, training, awareness, termination and offboarding processes.
  • Physical— control of access to facilities, protection of equipment, secure disposal.
  • Technological— access control to systems, cryptography, monitoring, backup.

Documentation as a pillar of audit

The standard requires concrete evidence: not just the existence of controls, but proof that they are operating as expected. Policies, internal audit reports, action plans, training logs, monitoring logs: every element needs to exist, be up to date and be retrievable.

Outdated documentation is as problematic as missing documentation. An auditor who finds a security policy whose review date passed two years ago questions not only the document, but the reliability of the system as a whole.
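As an added illustration (it is not part of the original article and is not Vennx/VX code), the Python sketch below shows how the risk analysis steps listed earlier, the SoA and the evidence-currency check can live in one linked record, so that the risk → control → evidence chain an auditor verifies is traceable rather than scattered across spreadsheets and emails. The Annex A excerpt uses real ISO/IEC 27001:2022 control identifiers; every risk, owner, evidence item, date and the risk-appetite threshold is a constructed sample value.

```python
"""Minimal linked risk register: assets -> risks -> Annex A controls -> evidence."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Excerpt of Annex A (ISO/IEC 27001:2022). The IDs and names are the standard's;
# the selection is only a sample catalogue for this example.
ANNEX_A = {
    "5.7": "Threat intelligence",
    "5.23": "Information security for use of cloud services",
    "8.11": "Data masking",
    "8.12": "Data leakage prevention",
    "8.13": "Information backup",
    "8.16": "Monitoring activities",
    "8.28": "Secure coding",
}

RISK_APPETITE = 6  # constructed threshold: scores above this must be treated, not accepted


@dataclass
class Evidence:
    ref: str                 # constructed identifier, e.g. "EV-01"
    description: str
    last_reviewed: date


@dataclass
class Risk:
    ref: str                 # constructed identifier, e.g. "R-01"
    asset: str
    owner: str               # formal asset owner
    threat: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    treatment: str           # mitigate | accept | transfer | avoid
    controls: list = field(default_factory=list)   # Annex A control ids
    evidence: list = field(default_factory=list)   # Evidence objects

    @property
    def score(self) -> int:
        """Simple likelihood x impact prioritisation score."""
        return self.likelihood * self.impact


def build_soa(risks):
    """Statement of Applicability: each catalogue control is either applied,
    justified by the risks it treats, or excluded with a recorded reason."""
    used = {}
    for r in risks:
        for cid in r.controls:
            used.setdefault(cid, []).append(r.ref)
    soa = {}
    for cid, name in ANNEX_A.items():
        if cid in used:
            soa[cid] = {"name": name, "applicable": True,
                        "justification": "treats " + ", ".join(used[cid])}
        else:
            soa[cid] = {"name": name, "applicable": False,
                        "justification": "no in-scope risk requires this control"}
    return soa


def untreated_risks(risks, appetite=RISK_APPETITE):
    """Risks above appetite that were accepted, or marked 'mitigate' with no control."""
    return [r.ref for r in risks if r.score > appetite and
            (r.treatment == "accept" or (r.treatment == "mitigate" and not r.controls))]


def traceability_gaps(risks):
    """Mitigated risks whose controls have no recorded evidence: controls on paper only."""
    return [r.ref for r in risks
            if r.treatment == "mitigate" and r.controls and not r.evidence]


def stale_evidence(risks, today, max_age_days=365):
    """Evidence whose last review is older than the allowed window."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted({e.ref for r in risks for e in r.evidence if e.last_reviewed < cutoff})


def audit_readiness(risks, today):
    """One view the leadership and the auditor would both want to see."""
    return {"untreated": untreated_risks(risks),
            "no_evidence": traceability_gaps(risks),
            "stale_evidence": stale_evidence(risks, today)}


# Constructed sample register (not real organisational data).
TODAY = date(2026, 5, 5)
SAMPLE_RISKS = [
    Risk("R-01", "customer database", "Head of Data", "exfiltration by malware",
         likelihood=3, impact=5, treatment="mitigate", controls=["8.12", "8.16"],
         evidence=[Evidence("EV-01", "DLP policy", date(2026, 1, 10)),
                   Evidence("EV-02", "SIEM monitoring report", date(2024, 2, 1))]),
    Risk("R-02", "SaaS HR platform", "HR Director", "misconfigured cloud tenant",
         likelihood=2, impact=4, treatment="mitigate", controls=["5.23"]),
    Risk("R-03", "test environment", "Dev Lead", "production data copied to test",
         likelihood=4, impact=3, treatment="accept"),
    Risk("R-04", "office printers", "Facilities", "printouts left unattended",
         likelihood=2, impact=1, treatment="accept"),
]

if __name__ == "__main__":
    for cid, row in build_soa(SAMPLE_RISKS).items():
        print(f"{cid:5} {row['name']:<48} {'applies' if row['applicable'] else 'excluded':8} {row['justification']}")
    print(audit_readiness(SAMPLE_RISKS, TODAY))
```

Running it lists the SoA rows and then reports R-03 as an accepted risk above appetite, R-02 as a control with no evidence behind it, and EV-02 as evidence whose review date has lapsed: the three findings the article says an auditor, or the organization itself, should be able to spot before the audit.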

Monitoring, auditing and continuous improvement

The ISMS does not end with certification. The standard requires two types of audit in a continuous cycle:

  • Internal audit— carried out by the organization itself (or a contracted consultancy) to identify and correct non-conformities before the external audit.
  • Surveillance audit— carried out annually by the certification body to confirm that the ISMS remains in compliance and that previous non-conformities have been addressed.

Recertification takes place every three years. Between cycles, continuous improvement is operationalized through the PDCA cycle: Is what was planned being implemented? Are the controls producing the expected results? What needs to be adjusted?

Errors that compromise implementation and certification

Most failures in ISO 27001 audits are not caused by a lack of controls. They are caused by execution failures that could have been anticipated.

The most common patterns:

  • Treating the ISMS as an IT matter— information security involves processes, people and technology. Without the engagement of leadership and business areas, the ISMS is confined to the technical department and loses effectiveness in the processes that matter most.
  • Generic controls without risk analysis— copying controls from other organizations or applying Annex A as a universal checklist produces apparent, not real, compliance.
  • Documentation left to the last minute— evidence needs to be produced throughout the process, not reconstructed on the eve of the audit.
  • Static risk analysis— an ISMS based on risks mapped two years ago does not reflect current threats. The standard requires periodic review of the risk analysis, especially after significant changes in the environment.
  • Silos between risk, control and evidence— when the risk register lives in one spreadsheet, the controls in another and the action plans in emails, traceability disappears. The auditor cannot verify the full cycle, and neither can the organization.

From implementation to continuous governance

ISO 27001 defines what to implement. The real challenge is to keep the system operating with the same rigor over time — without turning each audit cycle into a race against the clock.


When risk management, internal controls and regulatory compliance operate in separate systems, efficiency is lost and traceability is fragmented. The compliance team reconstructs evidence manually.

The leadership has no visibility into the real status of the controls. And the auditor finds exactly what the process generated: scattered, outdated documentation with no clear connection between risk and response.

The RCM (Risk and Control Management) module of VX was built to close that gap. It connects, in a single environment:

  • Risk registration and categorization aligned to frameworks such as ISO 27001, COSO, SOX and LGPD.
  • Direct association between identified risk, implemented control and recorded evidence.
  • Action plans with responsible persons, deadlines and complete history of execution.
  • Reports ready for internal and external audit — no manual consolidation.

Combined with the Risk Benchmarking module, VX allows you to go beyond declared compliance: compare the controls you have implemented with what organizations of the same sector and size are actually adopting, and identify gaps before the auditor does.

Conclusion

Implementing an ISO 27001 aligned ISMS is less about following a checklist and more about building a risk management structure that supports compliance beyond the audit day. Certification is the point of arrival of a process, not its end.

The 2022 version of the standard updated the controls for the current world: cloud, threat intelligence, secure development. But the logic remains the same: risk-based management, careful selection of controls, traceable evidence and continuous cycles of review.

Does your organization have visibility into where each control is, who is responsible, what evidence has been recorded and when it needs to be reviewed? If the answer depends on spreadsheets and emails, ISMS exists on paper — but not as a system.

The VX RCM module connects risks, controls and evidence in a continuous, traceable cycle, aligned with the frameworks your audit demands.

Talk to a Vennx expert now and get to know VX!
