GCC — ISO 27001

You already have most of what ISO 27001 requires. Here is what is missing.

If your business holds ISO 9001, ISO 14001 or ISO 45001, you have already built the structural foundation of an ISO 27001 management system: the management review process, internal audit programme, non-conformance workflow, document vault, risk register and corrective action tracking. ISO 27001 uses the same Harmonised Structure as all three. The management system architecture you built for quality, environmental or safety management is the same architecture ISO 27001 requires. What does not transfer are the Annex A controls and the information asset register. These are the genuine additions. Everything else is an extension of what you already have. This article walks through what transfers, what does not, what the certification journey looks like and what the ongoing maintenance programme requires.

Why the Harmonised Structure changes the calculation.

ISO revised its management system standards to share a common clause structure, now called the Harmonised Structure, for exactly this reason. ISO 9001, ISO 14001, ISO 45001 and ISO 27001 all follow the same framework from Clause 4 through Clause 10.

Clause 4 is context of the organisation. In ISO 9001, you define the scope of your quality management system, identify the internal and external issues relevant to your organisation's purpose, and understand the requirements of interested parties. In ISO 27001, you do the same for your information security management system. The process is identical. If your scope document for ISO 9001 already defines your organisational context, your ISO 27001 scope document starts from the same base.

Clause 5 is leadership. ISO 9001 requires top management to demonstrate commitment, establish a policy and assign responsibility. ISO 27001 requires the same. Your quality policy and your information security policy are separate documents, but the leadership commitment process that produced one produces the other using the same mechanism.

Clause 6 is planning. Risk assessment, risk treatment and planning to address identified risks. ISO 9001 requires this for quality risks. ISO 27001 requires it for information security risks. The methodology you use, the risk matrix you apply and the register format you maintain are directly transferable. You are adding a risk category, not building a new risk process.

Clause 7 is support. Competence, awareness, communication and documented information. Your training records, your communication processes and your document control system already satisfy the Clause 7 requirements of ISO 27001. You add information security awareness training and information security-specific documentation to a system that already handles competence and document control.

Clauses 8, 9 and 10 follow the same pattern. Operational controls, performance evaluation, internal audit, management review, non-conformance and corrective action. Each extends. None replaces.

The practical consequence is that a business with an active, well-maintained ISO 9001 or 45001 management system has already done the structural work that represents the majority of the effort in any ISO certification. The ISO 27001-specific work is bounded and definable.

What transfers directly.

Management review process

Your existing management review agenda, format and documentation apply directly. You add three items: information security performance against objectives, the status of information security risks and the effectiveness of Annex A controls. The review that already covers quality objectives, audit findings and corrective action status adds these items. Record keeping, action tracking and sign-off process remain the same.

Internal audit programme

Your audit programme is already scheduled against ISO clauses. Adding ISO 27001 means adding ISO 27001 clauses to the audit scope. The methodology, checklist format, finding classification and corrective action process are identical. For businesses on an annual audit cycle covering ISO 9001, 14001 and 45001 clauses, ISO 27001 clauses are added to the schedule. The one practical addition is auditor competency: whoever conducts internal audits against ISO 27001 clauses needs to understand those requirements. A short awareness course covers this.

Non-conformance and corrective action workflow

ISO 27001 Clause 10.1 requires non-conformances to be identified, corrected, root-caused and verified closed. This is word-for-word the same requirement as ISO 9001 Clause 10.2 and ISO 45001 Clause 10.2. An information security non-conformance moves through your existing NCR system. Nothing changes except the category label.

Document control

Your existing document vault, version control process, review schedule and approval workflow apply to all ISO 27001 documentation. Your information security policy, statement of applicability, information asset register, risk assessment records and Annex A control documentation are added to the same vault under the same controls.

Risk register and methodology

Your existing risk methodology, the criteria you use to score likelihood and consequence, and the register format you maintain are directly applicable to ISO 27001 risk assessment. You add an information security risk category. For each identified information asset, you assess the risks to confidentiality, integrity and availability using your existing scoring methodology.

Objectives and KPIs

Your management system already has quality or safety objectives with associated measures and targets. ISO 27001 requires information security objectives with the same characteristics. You add them to your existing objectives framework.

What is genuinely new.

Information asset register

This is the centrepiece of ISO 27001 and the document that anchors everything else. You identify every information asset your business holds or processes, classify it by sensitivity, assign it to an owner and assess the impact of its compromise, modification or loss. For a GCC construction or industrial services business, the scope typically includes project documentation and drawings, personnel records, payroll and financial data, client and subcontractor contracts, health and safety records, access control records, and the IT systems that hold and transmit this information. Most businesses of this type produce a register of between 40 and 80 assets. Scoping the register accurately is the most important initial decision. ISO 27001 does not require you to certify your entire organisation. You define the scope.

Statement of applicability

This document lists all 93 Annex A controls, records whether each is applicable or excluded, and provides documented justification for any exclusions. It is the first document your Stage 1 auditor reviews and the primary evidence that you have engaged seriously with your information security scope. The exclusions in a typical GCC construction or industrial business are not extensive. Controls related to software development are excluded if the business does not develop software. Controls related to physical security of data centres are excluded if the business uses cloud services. The majority of Annex A controls are applicable.

Annex A control implementation

Annex A contains 93 controls across four categories: organisational, people, physical and technological. The technological controls typically require the most specific attention. Access control policies need to define who has access to which information systems and on what basis. Multi-factor authentication needs to be implemented for systems holding sensitive information. A process for revoking access when personnel leave needs to be documented and evidenced. For most businesses, implementing these controls is a matter of weeks, not months.

Supplier security assessment

ISO 27001:2022 specifically requires you to manage information security in cloud services and external provider relationships. For most construction and industrial businesses in the GCC, the relevant suppliers are document management platforms, project management software, payroll systems and email platforms. Each needs to be assessed against your information security requirements, the assessment documented, and the supplier's compliance monitored on a defined cycle.

Information security incident management

You need a documented process for identifying, classifying, responding to and learning from information security incidents. An information security incident is broader than a data breach: it includes ransomware, phishing, accidental data disclosure, unauthorised access and the loss of a device containing organisational information. The process needs defined roles, a classification scheme, documented response steps and a notification mechanism for incidents that trigger UAE PDPL or Saudi PDPL obligations.

What a Stage 1 auditor actually looks for.

The Stage 1 audit is a documentation review. The auditor is checking whether you have the documented management system required by ISO 27001 and whether you are ready for Stage 2.

The auditor starts with the statement of applicability. They check that it covers all 93 Annex A controls, that exclusions are documented and justified, and that applicable controls have been assessed. An incomplete or underjustified statement of applicability typically results in a minor non-conformance that must be resolved before Stage 2 can proceed.
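An added example, not Vissibl's tooling or text from the standard, that runs the three checks described above over a statement of applicability held as a list of rows. The column names (control, applicable, justification, status) and the defects planted in the sample are constructed for the illustration.

```python
# Added example, not Vissibl's code: consistency checks a Stage 1 auditor
# applies to an ISO 27001:2022 Statement of Applicability (SoA). Assumes the
# SoA is a list of rows with keys control, applicable, justification, status.

# Annex A of ISO 27001:2022: 37 organisational, 8 people, 14 physical and
# 34 technological controls, 93 in total.
ANNEX_A_COUNTS = {"5": 37, "6": 8, "7": 14, "8": 34}
ANNEX_A = {f"{theme}.{n}" for theme, count in ANNEX_A_COUNTS.items()
           for n in range(1, count + 1)}
ASSESSED = {"implemented", "partially implemented", "planned"}


def control_sort_key(cid):
    theme, num = cid.split(".")
    return int(theme), int(num)


def check_soa(rows):
    """Findings: controls missing from the SoA, IDs that are not Annex A
    controls, exclusions without justification, applicable controls unassessed."""
    seen = set()
    findings = {"missing": [], "unknown": [], "unjustified": [], "unassessed": []}
    for row in rows:
        cid = row["control"].strip()
        seen.add(cid)
        if cid not in ANNEX_A:
            findings["unknown"].append(cid)
            continue
        applicable = row["applicable"].strip().lower() in {"yes", "y", "true"}
        if not applicable and not (row.get("justification") or "").strip():
            findings["unjustified"].append(cid)
        if applicable and (row.get("status") or "").strip().lower() not in ASSESSED:
            findings["unassessed"].append(cid)
    findings["missing"] = sorted(ANNEX_A - seen, key=control_sort_key)
    return findings


def sample_soa():
    """Constructed SoA: every control implemented, then four deliberate defects."""
    rows = {cid: {"control": cid, "applicable": "yes", "justification": "",
                  "status": "implemented"} for cid in ANNEX_A}
    rows["8.25"].update(applicable="no", justification="No in-house development")
    rows["8.26"].update(applicable="no")   # excluded but not justified
    rows["8.5"].update(status="")          # applicable but never assessed
    del rows["5.37"]                       # dropped from the export
    rows["9.1"] = {"control": "9.1", "applicable": "yes", "status": "implemented"}  # not an Annex A ID
    return sorted(rows.values(), key=lambda r: control_sort_key(r["control"]))
```

A clean result is one where every list in the returned dict is empty; anything else is the finding the auditor would raise before Stage 2.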

They then review the scope document, the information security policy and the information asset register. They are checking that the scope is defined clearly enough to audit, that the policy commits the organisation to appropriate objectives, and that the register covers the scope.

They look at the risk assessment and risk treatment plan. The risk assessment needs to follow a documented methodology, cover the assets in scope and produce a risk treatment plan that maps identified risks to Annex A controls.

Finally, they check for evidence that the management system has been operating. Internal audit records covering ISO 27001 clauses. A management review agenda and minutes covering information security. Corrective actions raised and tracked. At Stage 1 for an initial certification, this evidence can be limited, but it needs to exist. Businesses running Vissibl for several months before their Stage 1 audit arrive with this evidence already in place.

The most common gaps in a GCC business adding ISO 27001.

Access control documentation. Most businesses have informal access control practices. User accounts are managed by IT, and access is reviewed informally when people leave. ISO 27001 requires a documented access control policy, a formal user registration and deregistration process, and a review of user access rights at defined intervals. The practices often exist. The documentation and the review records do not.

Supplier security assessments. Most businesses have not formally assessed their IT suppliers against information security criteria. A contract with a document management platform that does not include information security requirements, or a cloud service that has never been assessed, is a gap against Annex A controls in the supplier relationships category.

Incident management records. Most businesses have not logged information security incidents formally because no process existed before ISO 27001. The absence of any incident history is itself a finding: it suggests the process for identifying and recording incidents is not operating. Even during implementation, any information security events should be logged against the new process.

Information asset register currency. Registers produced at implementation and not reviewed since are found out of date at surveillance audits. New systems adopted after certification, changes in data processing and changes in ownership are not reflected. The register needs to be a living document.

The timeline for a GCC business with an existing IMS.

For a business with an active ISO 9001 or 45001 management system in good standing, the realistic timeline to initial ISO 27001 certification is four to six months.

Month one: scoping, information asset register and gap analysis. Define your ISMS scope. Build the register. Run a gap analysis against ISO 27001 requirements to identify which Annex A controls need implementation work and which are already satisfied.

Months two and three: control implementation. Write and approve the information security policy, access control policy, incident management procedure and supplier security assessment process. Implement the technical controls. Complete supplier security assessments. Produce the statement of applicability.

Month four: integration. Add ISO 27001 to your management review agenda and internal audit schedule. Run the first internal audit covering ISO 27001 clauses. Hold the first management review covering information security. These two records are what your Stage 1 auditor needs to see.

Months five and six: Stage 1 and Stage 2 certification audits with your accredited certification body.

The timeline extends when the existing management system is not active. Non-conformances open for months, internal audits overdue, management reviews not held. The ISO 27001 implementation work is bounded, but catch-up on the existing system adds time. Businesses in this position typically need six to nine months.

What Vissibl does for GCC businesses adding ISO 27001.

  • ISO 27001 extends your existing workspace. Your management review process, internal audit schedule and non-conformance workflow are already in the platform. ISO 27001 adds clause scope, Annex A controls and information asset management to a system that is already running.
  • Information asset register built, version-controlled and review-scheduled from the first session.
  • Annex A controls mapped, assessed and documented against your specific scope. Statement of applicability generated from your control assessment and maintained as your scope evolves.
  • Vissi Research runs supplier security assessments continuously for your IT providers and cloud platforms. Risk scores and certificate expiry tracked automatically.
  • Internal audits against ISO 27001 clauses added to your existing schedule. Findings flow into the same non-conformance register. Full audit history available for your certifying body.
  • Vissi Audit assesses your ISO 27001 compliance position continuously. For businesses preparing for initial certification, the gap position is visible from day one and updated in real time as controls are implemented.

4 frameworks in one workspace
ISO 9001, 14001, 45001 and 27001 managed together. One programme, one audit schedule.

49 findings in 11 minutes
Surfaced in a single Vissi Audit session for a construction customer.

2 of 4 vendors flagged critical-risk
Identified in a single Vissi Research session.

One framework. Every user. Every site. $6,000 per year.

ISO 27001: $500 per month, billed annually, from $6,000 per framework per year.
  • Full platform included · Unlimited users · Unlimited sites · No setup fee

ISO 27001 + existing frameworks: custom pricing. Contact us for combination pricing.
  • Add to ISO 9001, 14001 or 45001 · One workspace, one audit schedule · One evidence trail

See where your ISO 27001 gaps are from your first session.

Bring your existing documentation. We run Vissi Audit against your current position and surface what your certifying body would find, in 11 minutes.