ISO 27001:2022

Grow globally with ISO 27001 compliance

ISO 27001 is the international standard for information security. Normado generates your policies, maps all 93 Annex A controls to your organization, and tracks your compliance score — so you're audit-ready in weeks, with a platform your team actually owns.

First 100 customers get all Enterprise features at €49/mo for year one.


Example ISO 27001 dashboard (app.normado.io/gap-analysis)

ISO 27001 · Live Compliance
  • Annex A controls implemented: 64 / 93
  • Policies approved: 11 / 12
  • Risk register entries: 18
  • Evidence uploaded: 47 files

What ISO 27001 actually requires

Three pillars, plain language

ISO 27001 is built around an Information Security Management System (ISMS). Most guides make it sound scarier than it is. Here's what you actually need.

1. A documented management system

Policies, scope, roles, and a demonstrable commitment from leadership. This is paperwork — but specific paperwork that needs to reflect how your company actually operates.

2. Risk-based control selection

A formal risk assessment, a Statement of Applicability covering all 93 Annex A controls, and a justification for each control you include or exclude.

3. Evidence that it works

Auditors don't care what your policies say — they care that you actually do it. That means access reviews, incident logs, training records, and continuous monitoring.

Want the full breakdown? Read our ISO 27001 deep-dive.

How Normado covers it

Built end-to-end for ISO 27001

  • 12 AI-generated policies mapped to Annex A: Information security, access control, cryptography, supplier management, and 8 more — customized to your organization.
  • All 93 Annex A controls pre-loaded: Each with plain-language guidance explaining what it means and how to implement it for a typical SMB.
  • Live gap analysis with dynamic scoring: See exactly which controls are complete, in progress, or not started — updated as you work.
  • Risk register with heat map: AI-assisted risk identification linked to Annex A controls, with likelihood/impact scoring.
  • Evidence management with expiry tracking: Upload audit-ready evidence, organized by control, with alerts before anything goes stale.

Example org compliance
  • ISO 27001: 68%
  • Policies: 24 / 25
  • Controls: 18 / 25
  • Risks: 15 / 25
  • Evidence: 11 / 25

A living platform, not a one-off project

What ongoing compliance looks like

Consultants deliver a snapshot in time — then you maintain it yourself, re-engage every year, and answer auditor questions from static Word docs. Normado is the living system underneath: always current, always auditable, owned by your team.

Consultant engagement

€15,000 – €50,000
6 – 12 months per cycle
  • Tailored through months of interviews and workshops
  • Static deliverables you maintain yourself afterward
  • Evidence collection, version control, audit prep on you
  • Re-engage every year for refreshes and new frameworks
  • Expertise leaves when the engagement ends

Normado platform

€49 – €299 / month
Audit-ready in weeks
  • AI-generated policies tailored to your org in minutes
  • Gap analysis, risk register, and controls all in one place
  • Evidence management with expiry tracking built in
  • Always current — new frameworks and requirements rolled out automatically
  • Your team owns the system, always audit-ready

Frequently asked

ISO 27001 questions we hear most

Does Normado replace an auditor?
No — and nothing should. ISO 27001 certification is issued by an accredited certification body after an independent audit. Normado gets you audit-ready: policies, controls, risk register, and evidence all in one place. You still engage an accredited auditor for the certification itself.
How long does it take to get certified?
For a small company using Normado, a realistic timeline is 3-4 months of preparation plus a two-stage audit. The Stage 1 audit reviews documentation; Stage 2 reviews implementation evidence over a 2-3 month window. Total: roughly 6 months from start to certificate. See our ISO 27001 checklist for the full timeline.
Which Annex A controls do I actually need?
ISO 27001 requires you to evaluate all 93 Annex A controls and document which apply via a Statement of Applicability. Most SMBs end up with 60-75 applicable controls; the rest are excluded with written justification. Normado pre-loads all 93 with guidance to help you make these decisions.
Is my data stored in the EU?
Yes. All Normado infrastructure runs on EU servers (Supabase EU/Ireland region). Your policies, controls, risk data, and uploaded evidence never leave EU jurisdiction. This matters for ISO 27001 Annex A 5.34 (privacy and protection of PII) and for GDPR compliance generally.
Can I get ISO 27001 certified without a consultant?
Yes, though it depends on your team's familiarity with security operations. Companies with a technical lead who understands systems and a willingness to write cleanly can absolutely self-prepare with a platform like Normado. Companies with no security experience on staff usually benefit from at least a short engagement with a consultant for the Stage 1 readiness review.
Does Normado also cover other frameworks?
Yes — all Normado-supported frameworks are available in Professional and Enterprise tiers. One control implemented once often satisfies multiple frameworks simultaneously.

Start your ISO 27001 journey today

Join the waitlist and be the first to get access. First 100 customers get all Enterprise features at €49/mo for year one.

No credit card required. Cancel anytime.
