ISO 27001 is the global certificate that proves you run information security like a grown-up business. The hard part isn't writing policies; it's collecting evidence every quarter that the policies actually run.
ISO 27001 requires a managed information security program, risk assessment, controls, ownership, evidence and continual improvement. The hard part is not writing policies; it is proving that security work actually happens.
Each requirement of the chosen framework is scored against each tool. Coverage is editorial, based on public documentation, vendor demos and user reports.
| Requirement | 🇵🇱 $200 / month | 🇺🇸 from ~$8 | 🇺🇸 from ~$7 | 🇺🇸 from $3 / user / month | 🇬🇧 from $28 / user / year | 🇸🇰 from $190 / 5 devices / year | Editor's note |
|---|---|---|---|---|---|---|---|
| ISMS scope & SoA: Statement of Applicability with control ownership. | Implemented | Strong | Strong | Not included | Not included | Not included | Annex A 2022 mapped, ownership assigned, evidence routed per control. |
| Risk treatment plan: Risk register tied to controls and treatment. | Implemented | Strong | Strong | Not included | Not included | Not included | Generates risk treatment evidence from live signals, not a spreadsheet. |
| Operational evidence per control: A.5–A.8 evidence collected continuously. | Implemented | Strong | Strong | Partial | Partial | Partial | Connects EDR/EPP telemetry into per-control evidence packs. |
| Access control & MFA: Quarterly reviews, MFA enforced. | Via integration | Strong | Strong | Strong | Partial | Partial | Verifies MFA across all IdPs and ships review reports. |
| Endpoint protection (A.8.7): EDR/EPP coverage on every device. | Partial | Not included | Not included | Strong | Strong | Strong | Not native EDR; bundles a Wazuh baseline or wraps your existing EDR. |
| Internal audit & continual improvement: Audit cycle, findings, corrective actions. | Implemented | Implemented | Implemented | Not included | Not included | Not included | Tracks findings to closure with owner and due date. |
| Supplier evaluation: Vendor due-diligence record. | Implemented | Strong | Strong | Not included | Not included | Not included | Built-in supplier register at no extra cost. |
Methodology: public docs, vendor demos, practitioner interviews. Verify with each vendor before purchase.
Companies needing recognized ISMS certification.
Risk register, SoA, audit logs, training, supplier evals.
Operational evidence and continual improvement loop.
Maps signals to Annex A and runs continual improvement workflows.