ISO 27001 SOP software for the 2022 ISMS revision

Manage every ISMS clause and Annex A control as a procedure. Pre-seeded with the 2022 revision, AI-assisted control mapping across SOC 2 / HITRUST / NIST, and audit-ready evidence for your notified body.

Why ISO 27001 is hard without the right system

The ISMS is a documentation game. You win or lose in the procedure library.

Your notified body arrives at Stage 2 looking to confirm that every applicable Annex A control has a procedure, that procedures are being followed, and that the ISMS has been through an internal audit and management review. They don't spend time inspecting your tech stack — they read your procedures and sample your workforce.

SOP Studio gives the ISMS a place to live that the notified body accepts on sight. Every procedure is version-stamped, approved by a named role, linked to the Annex A controls it implements, and backed by a workforce-acknowledgment history. That's the bulk of what Stage 2 inspects.

What's seeded

Clauses 4–10 + the four 2022 Annex A themes.

ISMS Clauses (4–10)

Context, leadership, planning, support, operation, performance evaluation, improvement — the management-system backbone any 27001 auditor will trace.

A.5 Organizational

Policies, roles, assets, access control, supplier relationships, cloud services, incident management planning, continuity, privacy/PII.

A.6 People

Screening, awareness/training, disciplinary process, confidentiality agreements, remote-working policies.

A.7 Physical

Physical perimeters, entry controls, storage media lifecycle.

A.8 Technological

Privileged access, secure authentication, vulnerability management, configuration management, backup, logging, monitoring, cryptography, secure coding, change management.

The ISO + SOC 2 dual-cert path

Most orgs pursuing ISO 27001 also want SOC 2. SOP Studio treats them as one procedure library.

One procedure covers A.8.15 logging + CC7.2 monitoring + HITRUST 12.a. SOP Studio tracks that many-to-many mapping automatically.

Frequently asked

ISO 27001 SOP software questions, answered.

Does SOP Studio replace a Statement of Applicability (SoA)?

No. The SoA is a formal document describing which Annex A controls apply to your ISMS, with justifications. SOP Studio is the procedure layer below the SoA — each "applicable" control in the SoA typically maps to one or more procedures, and SOP Studio is where those procedures live. Customers either maintain the SoA as a separate document that references SOP Studio, or track SoA scope inside SOP Studio with a custom procedure type.

Are you aligned to ISO 27001:2013 or the 2022 revision?

2022. The seeded Annex A follows the 4-theme structure introduced in the 2022 revision (A.5 Organizational, A.6 People, A.7 Physical, A.8 Technological) with 93 controls represented. Customers still on the 2013 structure can map existing procedures against the 2022 controls cleanly — in most cases, the control content is similar enough that the cross-walk is mechanical.

How is SOP Studio different from a full ISMS platform like Trustero or Strike Graph?

Full ISMS platforms cover a wider surface — risk register, SoA workflow, evidence collection, internal audit scheduling, management review, and procedure authoring. SOP Studio is focused on the procedure and workforce-acknowledgment portion. Customers often start with SOP Studio for its document control + acknowledgment depth, then layer a lighter-weight ISMS workflow around it, rather than paying for a full ISMS suite they only partially use.

One procedure, multiple certifications — can SOP Studio handle that?

Yes, and it's the main reason ISO 27001 customers adopt SOP Studio. An access-control procedure typically satisfies ISO 27001 A.8.2 (privileged access) + SOC 2 CC6.1 (logical access security) + HITRUST 02.c (privileged access management) + NIST 800-171 3.1.5 (least privilege) simultaneously. SOP Studio tracks the many-to-many mapping so one SOP earns coverage across every framework you're enrolled in.

Does SOP Studio cover ISO 27002 implementation guidance?

ISO 27002 provides implementation guidance for the Annex A controls. SOP Studio's control summaries paraphrase the Annex A requirement itself — we don't reproduce 27002 guidance text verbatim (it's copyrighted). Customers use 27002 as a reference and SOP Studio as the procedure repository aligned to the Annex A IDs.

We're pre-certification. Is SOP Studio useful that early?

Especially early. Most of the effort in an ISO 27001 program is building and maintaining the procedure library and the acknowledgment history. Starting that work 6–12 months before your Stage 2 audit means your notified body arrives to a mature, internally-audited procedure library rather than a recently-assembled one. Pre-certification customers also use SOP Studio to build the SoA-linking mental model early so it's not a surprise.

What's the relationship to ISO 27017, 27018, and 27701?

27017 (cloud services), 27018 (PII in public clouds), and 27701 (privacy information management) extend or supplement 27001. SOP Studio's 27001 seed doesn't include them by default — customers pursuing those extensions add the relevant controls via our GRC integration or as custom controls. The same procedure-level workflow applies.

ISO 27001:2022 — pass Stage 2 on procedural strength, not documentation archaeology.

Book a walkthrough and we'll map your current policy library against the 2022 Annex A to show coverage gaps before your notified body finds them.