Compyl
Framework · ISO 27001

Run a living ISMS — not a binder you rebuild before every audit.

ISO 27001 isn't just 93 controls — it's a management system you have to keep alive: a risk assessment, a Statement of Applicability, and surveillance audits every single year. Compyl runs the ISMS continuously, so it stays current, evidenced, and certification-ready instead of decaying into a stack of stale documents.

93 Annex A controls
125+ integrations
Continuous ISMS
Dashboard preview · ISO 27001 audit readiness: 96% audit-ready, 93 Annex A controls live. Control themes: Organizational 37 · People 8 · Physical 14 · Technological (1 gap flagged). Evidence collected automatically and current: AWS CloudTrail access logs, Okta MFA enforcement export, GitHub change-management records. 1,284 evidence items current, 0 manual screenshots, next refresh in 4 min.
Readiness widget · On track: evidence current 96% · controls passing 92% · Annex A coverage 3 / 4 · monitored continuously, updated live.
What is ISO 27001 — and how does Compyl help?

ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS). It pairs mandatory management-system clauses (4–10) with 93 Annex A controls across four themes — Organizational, People, Physical, and Technological — which you scope through a Statement of Applicability. Unlike SOC 2, it is a certifiable standard: an accredited body audits you and issues a three-year certificate.

Compyl turns ISO 27001 from a once-a-year scramble into an always-on ISMS. It connects to your existing systems, collects Annex A evidence automatically, maps it to the right controls, monitors every control continuously, and flags drift before it becomes a nonconformity — so you stay ready for Stage 2 and every surveillance audit.

The problem

An ISMS that lives in spreadsheets falls apart between audits

Most ISO 27001 programs slow to a crawl after certification — the Statement of Applicability drifts from reality, evidence scatters across teams, and the next surveillance audit turns into a scramble to rebuild what should have been running all along.

The SoA drifts from reality

Your risk assessment and Statement of Applicability are point-in-time documents. Controls change; the paperwork doesn't — until an auditor finds the gap.

Surveillance never sleeps

Annual surveillance audits and a three-year recertification mean the ISMS is a permanent obligation — you can't certify once and move on.

The ISMS lives in documents

Clauses, policies, and Annex A evidence spread across drives and spreadsheets — impossible to keep current by hand, and painful to prove on demand.

How it works

One continuous loop — from connected systems to audit-ready

Compyl runs the whole ISMS as an always-on cycle — risk, controls, evidence, and the Statement of Applicability stay in sync automatically.

  01 · Connect: integrate cloud, identity, code, endpoint, and HR systems.
  02 · Collect evidence: pull audit evidence automatically, in real time.
  03 · Map to Annex A: link every artifact to its Annex A control and the ISMS.
  04 · Monitor: watch controls continuously and flag drift early.
  05 · Stay audit-ready: hand auditors a current evidence pack on demand.

Automated evidence

Stop collecting ISO 27001 evidence by hand

The biggest cost of ISO 27001 isn't the audit fee — it's the weeks your team spends gathering proof for every control. Compyl collects it continuously from the systems you already run, so evidence is always current and always mapped to Annex A.

  • Pull evidence automatically from cloud, identity, code, and endpoint tools
  • Every artifact mapped to the Annex A control it supports
  • No more screenshots, spreadsheets, or last-minute requests
  • Export a complete, auditor-ready evidence pack on demand
Evidence Studio preview · ISO 27001, auto-collecting: 1,284 evidence items current and mapped to controls · 0 manual screenshots this cycle.
  • AWS · Access logs · A.8.15 · Current
  • Okta · MFA enforcement · A.8.5 · Current
  • GitHub · Change management · A.8.32 · Current
  • CrowdStrike · Endpoint protection · A.8.7 · Current
  • Datadog · Uptime monitoring · A.8.16 · Current
125+ integrations feeding evidence, refreshed automatically.
Evidence Health · New in 26.2

Know your evidence is audit-ready — automatically

Collecting evidence is only half the battle; stale or incomplete proof is where audits go sideways. New in Compyl 26.2, Evidence Health continuously scores every artifact the moment it changes, so weak evidence surfaces weeks before an audit — not during it.

  • Every artifact scored on relevance, freshness, and completeness
  • An AI summary spells out exactly what's missing and why
  • Re-scores automatically whenever the underlying evidence changes
  • Continuous control monitoring done right — gaps surface with time to fix
Evidence Health preview · Q2 Access Review (new in 26.2): overall health 84 / 100, scored on three dimensions.
  • Relevance · Healthy · 95
  • Freshness · Aging · 58
  • Completeness · Healthy · 88
AI summary: evidence is relevant and complete, but aging. Last refreshed 41 days ago; access reviews expected within 90. Auto-refresh scheduled; gap clears about 3 weeks before audit. Scored automatically the moment evidence changes.
Continuous monitoring

Catch control drift before the auditor does

An ISO 27001 certificate is only as strong as the months between surveillance audits. Compyl monitors every control continuously, scores your posture in real time, and turns the moment a control slips into a tracked task — not a future nonconformity.

  • Live posture across every Annex A control
  • Automatic alerts the moment a control drifts out of compliance
  • Remediation tasks auto-assigned with owners and deadlines
  • A defensible, time-stamped trail across the whole certification cycle
Control Monitoring preview · ISO 27001: 93 controls live, 92% passing (86 / 93).
  • A.5.15 · Access control · Passing
  • A.8.16 · Monitoring activities · Passing
  • A.5.18 · Access rights · Drifting
  • A.8.13 · Information backup · Passing
Drift detected on A.5.18: deprovision SLA exceeded, 2 accounts not revoked within 24h of role change. Detected 6 min ago, before any audit sample. Remediation task #ISO-412 auto-created, assigned to IT Ops, due in 24h; evidence re-checks on close.
Collect once, reuse everywhere

Your ISO 27001 work becomes a head start on every other framework

ISO 27001 shares the majority of its controls with SOC 2, HIPAA, NIST, and PCI. Compyl cross-maps each control so one piece of evidence satisfies every framework it touches — which is why the second framework costs a fraction of the first.

  • One control mapped to its equivalent across 20+ frameworks
  • Collect evidence once and reuse it across every report
  • See instantly how ISO 27001 readiness translates to SOC 2 or HIPAA
  • Add the next framework without starting the program over
Cross-mapped controls preview · A.5.15 Access control, 41 mapped: NIST 800-53 14 · NIST CSF 9 · SOC 2 8 · PCI DSS 6 · HIPAA 4. Evidence collected once automatically satisfies all 41 controls.
The standard

The ISMS, plus 93 Annex A controls across four themes

ISO 27001 pairs the mandatory management-system clauses (4–10) with 93 Annex A controls you scope through a Statement of Applicability. Compyl maps evidence to every one.

  • ISMS · Clauses 4–10 (mandatory): the management system itself — context, leadership, risk assessment, operation, and continual improvement.
  • Organizational · 37 controls: policies, roles, supplier, threat-intel, and incident management — the backbone of the ISMS.
  • People · 8 controls: screening, awareness, responsibilities, remote working, and secure offboarding.
  • Physical · 14 controls: secure areas, equipment, clear-desk, and physical access to facilities and media.
  • Technological · 34 controls: access control, cryptography, logging, secure development, and monitoring.

The path to certification

Stage 1, Stage 2 — then surveillance for three years

Certification is a two-stage external audit, then annual surveillance and a full recertification at year three. Compyl keeps you ready for every checkpoint, not just the first.

Stage 1 · Documentation review

The auditor checks whether your ISMS is designed and documented — scope, risk assessment, Statement of Applicability, and policies.

  • Checks: is the ISMS designed and documented?
  • Output: readiness for the Stage 2 audit
  • Where Compyl helps: a complete SoA and documented ISMS, on demand

Stage 2 · Implementation audit (plus annual surveillance)

The auditor samples evidence to confirm controls actually operate. Pass, and you’re certified — then surveillance audits each year, recertification at year three.

  • Checks: do the controls operate as intended?
  • Cycle: annual surveillance · recert at year 3
  • Where Compyl shines: continuous evidence keeps the whole 3-year cycle clean
Why Compyl for ISO 27001

Not a checkbox tool — a continuous compliance engine

Plenty of platforms get you a first ISO 27001 certificate. Compyl was built by security leaders to keep the ISMS true every day after, and to make the next framework easy.

  01 · Continuous, not point-in-time: evidence and controls stay live year-round, so every surveillance audit is clean by default.
  02 · One connected system: controls, evidence, risks, and policies in one platform — not a stack of disconnected tools.
  03 · 125+ integrations: pulls live data from the stack you already run, so posture reflects reality, not snapshots.
  04 · Agentic AI: AI maps controls, drafts remediations, and offloads busywork — your team stays in control.
  05 · Multi-framework by design: ISO 27001 evidence carries over to SOC 2, HIPAA, NIST, and PCI without redoing the work.

  • 93 · Annex A controls mapped to evidence and the ISMS
  • 125+ · Native integrations feeding evidence automatically
  • Real-time · Evidence collection — no manual screenshots
  • Year-round · Audit readiness instead of a pre-audit scramble
“As our company scaled globally, Compyl supported our information security capabilities in jurisdictions around the world — helping us achieve full ISO and SOC certifications.”
Mack Gill, COO · via G2
Recognized by users on G2

Rated a leader by the teams who use it

G2 High Performer, Mid-Market
G2 Momentum Leader
G2 Fastest Implementation, Go-Live Time
G2 Best Support, Quality of Support
G2 Best Meets Requirements, Mid-Market
Beyond ISO 27001

Certify once — extend to every framework that follows

Compyl cross-maps controls so the work you do for ISO 27001 carries straight into the next framework on your roadmap.

FAQ

ISO 27001 questions, answered

ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS). The 2022 version requires management-system clauses 4–10 plus 93 Annex A controls across four themes — Organizational, People, Physical, and Technological. Unlike SOC 2, it's a certifiable standard: an accredited body audits your ISMS and issues a certificate valid for three years.

Clauses 4–10 define the management system itself — context, leadership, planning and risk assessment, support, operation, evaluation, and continual improvement — and are mandatory. Annex A is a catalog of 93 controls you select through a Statement of Applicability based on your risk assessment.

Certification is a two-stage external audit. Stage 1 is a documentation review (is the ISMS designed and documented?). Stage 2 assesses implementation (do the controls actually operate?). After certification, annual surveillance audits confirm the ISMS is maintained, with a full recertification audit at the three-year mark.

Compyl connects to your existing stack, collects Annex A evidence automatically, maps it to controls and the ISMS, monitors controls continuously, scores evidence health, and flags drift before it becomes a nonconformity — a live, certification-ready posture instead of a pre-audit scramble.

Compyl 26.2 introduced Evidence Health, which continuously scores every piece of evidence on three dimensions — relevance, freshness, and completeness. Scoring runs automatically the moment evidence changes and includes an AI summary of what's missing, so control gaps surface weeks before a surveillance audit instead of during it.

Yes. Compyl cross-maps each control so a single control and its evidence can satisfy ISO 27001 alongside SOC 2, HIPAA, NIST CSF, PCI DSS, and 20+ other frameworks. Collect the evidence once and reuse it everywhere it applies.

Security and GRC teams at mid-market and enterprise organizations — CISOs, ISMS managers, and IT leaders — who need to achieve certification and keep the ISMS continuously maintained across the three-year cycle without adding audit-prep headcount.

GRC YOUR WAY

Keep your ISMS audit-ready — without rebuilding it every year

See how Compyl automates Annex A evidence, keeps your Statement of Applicability live, and carries you cleanly through Stage 2 and every surveillance audit.

Request a Demo →