ISO/IEC 27001 ISMS

ISO 27001

International standard for information security management systems.

Overview

What it is, in plain English.

ISO/IEC 27001 is the international gold standard for information security. Unlike point-in-time attestations, ISO 27001 certifies an Information Security Management System (ISMS) — a living, risk-driven program that runs continuously. Lyra builds the ISMS, drives the risk treatment plan, aligns your controls to Annex A (2022 revision: 93 controls in 4 themes), and walks with you through Stage 1 and Stage 2 audits.

ISMS design, implementation, and ongoing operation — including Statement of Applicability, risk treatment, and Annex A control alignment for ISO 27001 certification.

Who needs it

Built for organizations that have to get this right.

  • Companies selling internationally, especially into the EU and UK

  • Vendors whose enterprise customers require ISO 27001 over (or alongside) SOC 2

  • Organizations that want a true management system, not just a compliance checkbox

  • Firms preparing for ISO 27701 (privacy) or ISO 27017/27018 (cloud) extensions

Our approach

How we get you audit-ready and keep you there.

We don't drop policy templates and disappear. We design controls, implement them in your environment, prepare every artifact, and walk with you through the audit — then operate the program after certification so you stay compliant year over year.

  1. Scope & Gap Assessment

     We map your environment, business processes, and existing controls against the framework to find every gap, redundancy, and risk.

  2. Remediation & Control Design

     We design and implement the technical and administrative controls — policies, configurations, monitoring, and evidence pipelines.

  3. Evidence & Documentation

     We build the artifact library auditors expect: policies, SSPs, risk registers, control matrices, and continuous evidence collection.

  4. Audit Support & Continuous Monitoring

     We sit with you through the audit, respond to auditor requests, and operate the program after certification so you stay compliant year-round.

Key controls

What's actually in scope.

  • Risk assessment and risk treatment methodology

  • Statement of Applicability covering all 93 Annex A controls

  • Information security policies and procedures

  • Asset management, classification, and handling

  • Access control, cryptography, and operations security

  • Internal audit program and management review cadence

Deliverables

What you walk away with.

  • Documented ISMS scope, policies, and procedures

  • Risk register and risk treatment plan

  • Statement of Applicability with control justifications

  • Internal audit and management review records

  • Stage 1 and Stage 2 audit support, leading to certification

Timeline

Typically 4–9 months to certification, depending on existing maturity and ISMS scope.

Questions we hear

Straight answers to the real questions.

ISO 27001 or SOC 2 — which first?

If your buyers are mostly North American, SOC 2. If they are European, international, or government-adjacent, ISO 27001. Many of our clients eventually do both — we map controls once and reuse the evidence.

What changed with the 2022 revision?

Annex A was restructured from 114 controls into 93 controls across 4 themes (Organizational, People, Physical, Technological), with 11 brand-new controls covering threat intelligence, cloud security, and secure coding.

Is the ISMS scope the whole company?

Not necessarily. Scope can be a single product line, business unit, or geography. We help you scope tightly enough to be achievable and broadly enough to be meaningful to buyers.
