ISO | Continuous | ISO/IEC 27001:2022

ISO 27001

ISO/IEC 27001 is the international certification standard for information security management systems (ISMS). It requires risk management, a Statement of Applicability, documented controls, internal audit, and continual improvement.

Practical impact for EU SMBs.

  • SaaS and technology companies selling to enterprise customers.
  • Suppliers that need to prove information security maturity in tenders.
  • Teams preparing for ISO 27001 certification with an accredited certification body.
  • Companies standardising security processes across IT, HR, legal, and operations.

What needs to be provable.

Clause 6.1.2

Risk management

Identify, assess, and treat information security risks.

Due: before certification

Clause 6.1.3

Statement of Applicability

Select relevant Annex A controls and justify inclusions or exclusions.

Due: before audit

Annex A 5.15

Access control

Manage access rights, MFA, privileged access, and periodic reviews.

Due: continuous

Clause 9.2

Internal audit evidence

Keep audit plans, findings, corrective actions, and management review inputs.

Due: at planned intervals

Risk is measured in money, contracts, and lost trust.

Violation type                         Maximum sanction                      Enforcement
Failed certification audit             Certificate not issued or suspended   Certification body
Customer security requirement not met  Contract risk                         Customer
Insufficient audit evidence            Repeat audit or remediation           Auditor

Turn obligations into controls, evidence, and deadlines.

SoA and policies

Generate working documents for Annex A controls and risk treatment.

Evidence vault

Collect audit evidence from Microsoft 365, GitHub, and AWS.

Access reviews

Track account reviews, role changes, and exceptions.

ISO 27001 | Splnit.eu — obligations, deadlines, and compliance automation