Industry Focus — ISO 27001 and SOC 2

ISO 27001 and SOC 2 readiness — without the consultancy overhead.

Building an ISMS takes real work. Most SMBs need a structured partner to gap-analyze their environment, define scope, build the documentation, and keep the program operational. That’s what Directive is built for.

The regulatory context

ISO/IEC 27001:2022

ISO 27001 is the international standard for information security management systems (ISMS). The 2022 revision introduced new controls and reorganized the Annex A control set. Certification is awarded by an accredited certification body following Stage 1 (documentation review) and Stage 2 (operational audit). For many organizations, ISO 27001 certification is a commercial requirement — enterprise customers and procurement teams ask for it.

SOC 2 (AICPA Trust Service Criteria)

SOC 2 is an audit standard for service organizations in the US — increasingly required by enterprise buyers, healthcare partners, and government vendors. A SOC 2 Type II report demonstrates that your security controls were in place and operating effectively over a defined observation period. The Trust Service Criteria cover: Security (mandatory for all audits), Availability, Processing Integrity, Confidentiality, and Privacy. Most organizations scope to Security only and add criteria based on customer requirements.

The gaps we see most often

ISO 27001

  • Scope not formally defined
  • Risk assessment done once, never updated
  • Controls selected without a documented risk treatment decision
  • Statement of Applicability (SoA) missing or templated
  • Management review done informally or not at all
  • Internal audit not completed before Stage 2

SOC 2

  • Security criteria scope not formally defined
  • No asset inventory or data flow map supporting control selection
  • Access reviews not documented — auditors look for evidence, not policy
  • Logging in place but logs not reviewed — monitoring controls require evidence of review
  • Vendor agreements do not include security requirements
  • No formal change management process documented

How Klaravex addresses it

ISO 27001 Readiness

Gap analysis against ISO/IEC 27001:2022, phased remediation plan, and full ISMS documentation set — scope document, risk assessment methodology, risk treatment plan, Statement of Applicability, policies and procedures, and management review framework. We work alongside your team throughout, because an ISMS that sits in a folder isn’t an ISMS.

SOC 2 Readiness

Scope definition and Trust Service Criteria selection, control gap analysis and prioritized remediation, evidence collection framework, security policy documentation, and audit-firm coordination. We work alongside your team from initial gap assessment through audit readiness — and provide post-audit remediation support if needed.

Ongoing ISMS Management

Internal audits, risk reviews, management reviews, and corrective action tracking — keeping the program operational after the initial build. Recommended service tier: Assurance for GDPR operational hygiene; Directive for organizations building a formal ISMS toward ISO 27001 certification.

SOC 2 reports are issued by accredited CPA firms, not by Klaravex. Klaravex provides readiness advisory and gap remediation. A SOC 2 Type II report covers a specific observation period and does not constitute ongoing security assurance.

FAQ

Do you help with the full certification process, or just the readiness phase?

We take you through readiness — gap analysis, documentation, controls implementation, internal audit support, and management review. The formal Stage 1 and Stage 2 audits are conducted by an independent accredited certification body. We help you select a certification body and prepare for that audit.

Can a small company actually achieve ISO 27001 certification?

Yes. ISO 27001 is not just for large enterprises. Scope definition is flexible — a well-scoped ISMS for a 20-person company is entirely achievable. Typical timeline for an SMB starting from scratch: 6–12 months to Stage 1 readiness.

Do you help with both Type I and Type II?

Yes. Type I (point-in-time) is often a useful first milestone for organizations that need to show customers they have controls in place. Type II requires an observation period — we help you determine which is appropriate given your timeline and customer requirements.

Ready to start your ISO 27001 or SOC 2 program?

Book a 30-minute discovery call