ISO 27001 Software

ISO 27001 software for ISMS implementation and certification

ISO 27001 software supports the implementation, audit, and certification of an information security management system (ISMS) aligned to ISO/IEC 27001:2022. This page shows the ISMS cycle as a BPMN process map.

Jack Finnegan, Founder & CEO, BA Copilot

By Jack Finnegan · Updated 21 May 2026

What it is

What ISO 27001 software actually is

ISO 27001 software is the category of platform that supports the implementation, audit, and certification of an information security management system (ISMS) aligned to ISO/IEC 27001:2022. The standard structures the ISMS as a Plan-Do-Check-Act management system with Annex A providing 93 reference controls organised across organisational, people, physical, and technological themes.
Major platforms include Vanta (heavy on automation and SaaS-trust attestations), Drata, Secureframe, Hyperproof, OneTrust GRC, and the long-standing enterprise platforms (Archer, ServiceNow IRM, MetricStream). Most offer pre-mapped controls, evidence collection automation, internal audit workflow, and integration with external auditors.
The problem today

Certification readiness becomes a sprint, not a system

Most firms approach ISO 27001 the same way: scope and policy work happens, the 93 Annex A controls are mapped and assigned, evidence is gathered in a frantic three-month sprint before the Stage 2 audit, certification is achieved, and then most of the controls drift quietly between surveillance audits until the three-year recertification forces another sprint.
The fix is treating the ISMS as a process that runs continuously, not as a project that delivers certification. Each control sits in a workflow; each workflow has an owner and a cadence; each cadence triggers the evidence the next audit will sample.
Four pillars

Four pillars of a working ISMS

Scope and policy

What the ISMS covers, the leadership commitment, and the information security policy that anchors it.

Risk assessment

Clause 6 risk assessment and risk-treatment plan. The Statement of Applicability records which Annex A controls apply, whether each is implemented, and the justification for every inclusion and exclusion.

Annex A controls

93 reference controls in the 2022 standard, down from 114 in the 2013 version. Select controls through risk treatment, compare the result against Annex A so nothing necessary is omitted, and justify every exclusion in the SoA.

Audit, review, certification

Internal audit verifies the ISMS is operating; management review evaluates it; external certification audit (Stage 1 + Stage 2) issues the certificate.

Process Map

The ISO 27001 ISMS cycle as a process map

The PDCA-aligned cycle - scope, risk assessment, controls + SoA, audit, review, corrective action, certification.


The ISO/IEC 27001:2022 information security management system (ISMS) cycle rendered as a BPMN 2.0 process: define the ISMS scope, run the information-security risk assessment, implement Annex A controls, produce the Statement of Applicability, then internal audit, management review, and corrective action.

  1. Define the ISMS scope, leadership commitment, and information security policy.
  2. Run the information-security risk assessment and risk-treatment plan per Clause 6.
  3. Implement Annex A controls proportionate to identified risks and produce the Statement of Applicability (SoA).
  4. Internal audit verifies controls are designed and operating effectively.
  5. Management review evaluates the ISMS against objectives.
  6. If nonconformities are identified, route to corrective action; otherwise the cycle moves into continual improvement.
  7. Pursue external certification audit (Stage 1 + Stage 2) when the ISMS is mature.
What this diagram shows: The cycle starts at kickoff. Scope and policy come first. Risk assessment and treatment feed Annex A control selection plus the Statement of Applicability. Internal audit verifies; management review evaluates. The nonconformity gateway routes findings to corrective action and back through re-audit; clean reviews flow to external certification audit and the issued certificate.
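The continuous-process idea from earlier on this page (each control has an owner and a cadence, stale evidence is drift, and the review gateway routes drift to corrective action rather than to certification) as a runnable sketch. This is an added example, not BA Copilot code and not any GRC platform's API. The Annex A references are real control numbers from ISO/IEC 27001:2022; the owners, cadences and evidence dates are constructed sample data.

```python
"""Cadence-driven evidence tracking for an ISMS control register.

Added example, not BA Copilot or GRC-vendor code. Control references are
Annex A (ISO/IEC 27001:2022) numbers; owners, cadences and dates are assumed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Control:
    ref: str                        # Annex A reference, e.g. "A.8.15"
    name: str
    owner: str                      # accountable role (assumed)
    cadence_days: int               # how often fresh evidence is expected (assumed)
    last_evidence: Optional[date]   # None means evidence has never been collected


def next_due(control: Control) -> Optional[date]:
    """Date by which the next evidence artefact is expected; None if never collected."""
    if control.last_evidence is None:
        return None
    return control.last_evidence + timedelta(days=control.cadence_days)


def days_overdue(control: Control, today: date) -> int:
    """0 while evidence is current, positive once it has drifted past cadence.
    A control with no evidence at all counts as a full cadence overdue."""
    due = next_due(control)
    if due is None:
        return control.cadence_days
    return max(0, (today - due).days)


def overdue_controls(register, today):
    """Controls whose evidence has drifted, most overdue first."""
    stale = [(c, days_overdue(c, today)) for c in register]
    stale = [(c, d) for c, d in stale if d > 0]
    return sorted(stale, key=lambda cd: cd[1], reverse=True)


def raise_nonconformities(register, today):
    """Turn each stale control into a nonconformity record for corrective action."""
    return [
        {
            "control": c.ref,
            "owner": c.owner,
            "days_overdue": d,
            "action": f"collect evidence for {c.ref} ({c.name})",
        }
        for c, d in overdue_controls(register, today)
    ]


def route_after_review(nonconformities) -> str:
    """The nonconformity gateway from the process map: any open finding goes
    back to corrective action; a clean review proceeds to certification audit."""
    return "corrective_action" if nonconformities else "certification_audit"


# Constructed sample register; owners, cadences and dates are illustrative only.
REGISTER = [
    Control("A.5.1", "Policies for information security", "CISO", 365, date(2025, 9, 1)),
    Control("A.6.3", "Information security awareness, education and training", "HR lead", 365, date(2025, 2, 10)),
    Control("A.8.8", "Management of technical vulnerabilities", "Platform lead", 30, date(2026, 5, 1)),
    Control("A.8.15", "Logging", "SOC lead", 90, date(2026, 1, 15)),
    Control("A.5.35", "Independent review of information security", "Internal audit", 365, None),
]
TODAY = date(2026, 5, 21)  # fixed so the run is deterministic

if __name__ == "__main__":
    findings = raise_nonconformities(REGISTER, TODAY)
    for f in findings:
        print(f"{f['control']:<7} owner={f['owner']:<15} overdue={f['days_overdue']:>4}d  {f['action']}")
    print("next step:", route_after_review(findings))
```

Run against the sample register, the never-reviewed A.5.35, the year-old training record for A.6.3 and the 90-day logging evidence for A.8.15 surface as nonconformities, and the gateway routes the cycle to corrective action instead of the certification audit. Wiring a real GRC platform's evidence store into `last_evidence` is the part this sketch leaves to the tooling the page describes.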
FAQ

Frequently asked questions

What is ISO 27001 software?

ISO 27001 software supports the implementation, audit, and certification of an information security management system aligned to ISO/IEC 27001:2022. Major platforms include Vanta, Drata, Secureframe, Hyperproof, and OneTrust GRC.

What is the difference between ISO 27001 and ISO 27002?

ISO/IEC 27001 is the certifiable management-system standard - the requirements. ISO/IEC 27002 is the companion guidance from which the Annex A controls are drawn, with implementation detail for each - the how. Certification is against 27001; 27002 is referenced for control implementation detail and is not itself certifiable.

What changed in ISO 27001:2022?

The 2022 revision restructured Annex A from 114 controls into 93 (merging many 2013 controls and adding 11 new ones), grouped into four themes (organisational, people, physical, technological) instead of the 14 control domains used in the 2013 version. Clauses 4-10 are largely unchanged. Firms with 2013 certificates had to transition before the 31 October 2025 deadline, after which 2013 certificates ceased to be valid.

How long does ISO 27001 certification take?

Typical implementation timeline is 9-18 months from kickoff to Stage 2 certification audit, depending on the firm's starting maturity. Stage 1 audit is a documentation review; Stage 2 is the implementation audit. Certificates are valid three years with annual surveillance audits.

Does BA Copilot replace Vanta / Drata / OneTrust?

No. BA Copilot is the BPMN modelling layer that produces the process maps for the ISMS workflows themselves. Vanta, Drata, OneTrust own the controls library, evidence automation, and external auditor integration. BA Copilot integrates by exporting BPMN that the platform attaches to control records.

From the founder

14 Years in BPMN

I'm Jack Finnegan. I've spent fourteen years working hands-on with BPMN, as an analyst, an engineer, and a product director, where I felt every sharp edge of legacy business process platforms.

BA Copilot is the platform I wanted on every one of these projects: AI-first process management, which treats BPMN as a first-class output rather than an export afterthought.

Sources

Sources and verification

Last verified 21 May 2026 by Jack Finnegan.

Verified against: ISO/IEC 27001 - Information security management systems (official)

References cited on this page:

  • ISO/IEC 27001:2022

Make the ISMS a working process

Open the ISMS cycle template, model each control workflow as BPMN, and produce the evidence trail the certification audit will sample.