Awareness + Internal Auditor

Prepare your ISMS for ISO/IEC 27001:2022 certification

Training for CISOs, IT managers, GRC officers, internal audit teams, and business process owners — understand ISMS clauses 4–10, apply the 93 Annex A controls, and run internal audits per ISO 19011 before the certification body arrives.

Core clauses: Clauses 4–10
Annex A controls: 93 controls (2022)
Companion standard: ISO/IEC 27002:2022
Format: Inhouse, online, hybrid
Short answer

ISO 27001 Awareness + Internal Auditor training equips your team to understand ISMS clauses 4–10 and the 93 Annex A controls (2022 version), draft the Statement of Applicability, and run internal audits per ISO 19011. Neksus trains to readiness; a KAN-accredited certification body performs the audit and issues your ISO/IEC 27001:2022 certificate.

About the Standard

The international standard for Information Security Management Systems

ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS), jointly published by ISO and IEC. The 2022 edition replaces 27001:2013, preserving the Annex SL clause 4–10 structure and refactoring Annex A from 114 controls in 14 domains into 93 controls across 4 themes: Organizational (37), People (8), Physical (14), and Technological (34). Its implementation companion is ISO/IEC 27002:2022 — deeper per-control guidance. Neksus trains your team to define the ISMS context, perform risk assessment, draft the Statement of Applicability, implement applicable Annex A controls, and run an internal audit cycle before the certification body arrives.

  • The 2022 edition is mandatory — organizations on 27001:2013 must transition before October 2025 (IAF deadline)
  • All 93 Annex A controls must be evaluated and marked applicable or excluded with written justification
  • The Statement of Applicability (SoA) is the most scrutinized mandatory document
  • Aligns with Indonesia’s UU 27/2022 PDP Law for personal-data security components
Neksus trains, the certification body certifies

ISO/IEC 27001 certificates can only be issued by accredited certification bodies (KAN in Indonesia, internationally recognized via the IAF MLA). Neksus prepares your ISMS to pass Stage 1 and Stage 2 — without promises of guaranteed certification.

ISO 27001 ≠ PDP Law, but each strengthens the other

UU 27/2022 PDP regulates personal data processing as a legal obligation. ISO 27001 is the information security management framework that helps organizations implement supporting technical and organizational controls. Many organizations use the ISMS as the foundation for PDP compliance.

27001:2013 → 27001:2022 transition deadline

Per the IAF resolution, ISO 27001:2013 certificates become invalid after 31 October 2025. Organizations holding 27001:2013 certificates must pass a transition audit to 27001:2022 before that date. Transition Internal Auditor training focuses on the Annex A restructure and the 11 new controls.

Scope of Certification

Typical ISMS scopes that get certified

Scope definition (clause 4.3) is a strategic decision that determines audit complexity and cost.

SaaS / B2B technology companies

Scope: SaaS service from development through delivery; includes engineering, cloud infrastructure, customer support, and vendor management. Common enterprise-customer requirement.

Financial services & OJK-licensed fintech

Scope: digital financial services, payment processing, online lending. Often paired with POJK 11/2022 IT risk management and POJK Cybersecurity regulations.

Data centers & cloud providers

Scope: data center infrastructure and operations. Many Annex A.7 (physical) controls may be applicable.

SOEs & Government bodies

Scope: core information systems managing employee/citizen data. Aligns with BSSN and SPBE security guidelines.

Hospitals & healthcare IT

Scope: electronic medical records, queue systems, BPJS integration. Health data is highly sensitive, so this scope draws close scrutiny.

Manufacturing with IoT/OT

Scope: operational technology (OT/ICS) systems converging with IT. Unique challenges in Annex A.7 (physical) and A.8 (technological).

Organizational Readiness

Organizational readiness before inviting a certification body

Without these items, Stage 1 declares ‘inadequate readiness’ and Stage 2 is deferred.

  • Information security policy authorized by top management
    Commitment to information security, compliance obligations, risk framework, and security objectives.
  • ISMS context & written scope
    Clause 4 — issue analysis, interested parties (regulators, clients, partners), interfaces with systems outside the scope.
  • Risk assessment & treatment methodology
    Clause 6.1 — documented risk method (e.g. ISO 31000 or OCTAVE), risk acceptance criteria, current risk register.
  • Statement of Applicability (SoA)
    Must cover all 93 Annex A controls: applicable/excluded status, justification, and reference to procedures/technical controls.
  • Risk Treatment Plan
    List of selected controls with target dates, owners, and implementation status.
  • Evidence of applicable Annex A control implementation
    For every applicable control, there must be a procedure, log, and/or technical configuration that is auditable.
  • One internal audit cycle + management review
    Internal audit per ISO 19011, compliance evaluation, and management review (clause 9.3) with standard inputs/outputs.
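An added example, not from the Neksus page or its training materials, that turns the SoA item in the list above into a mechanical pre-audit check: it enumerates all 93 Annex A (2022) control ids from the four theme counts, reads a draft SoA as CSV, and flags controls that are missing, applicable without a referenced procedure, excluded without justification, or excluded while the Risk Treatment Plan still selects them. The CSV columns, the PROC-x.y references, the sample rows and the major/minor severity labels are assumptions of this example.

```python
import csv
import io
# Theme number -> (name, control count) in the 2022 edition: 37+8+14+34 = 93.
ANNEX_A_THEMES = {5: ("Organizational", 37), 6: ("People", 8),
                  7: ("Physical", 14), 8: ("Technological", 34)}

def annex_a_control_ids():
    """All 93 Annex A control ids in order: '5.1' ... '5.37', '6.1' ... '8.34'."""
    return [f"{theme}.{n}" for theme, (_, count) in ANNEX_A_THEMES.items()
            for n in range(1, count + 1)]

def load_soa(text):
    """Parse an SoA CSV (assumed columns: control,status,justification,reference)."""
    return {row["control"].strip(): row for row in csv.DictReader(io.StringIO(text))}

def check_soa(soa, treated_controls):
    """Return (severity, control, message) findings. treated_controls = ids chosen
    in the Risk Treatment Plan. Severity labels are this example's assumption:
    a gap an auditor cannot accept is 'major', a documentation lapse 'minor'."""
    findings = []
    for cid in annex_a_control_ids():          # every one of the 93 must appear
        row = soa.get(cid)
        if row is None:
            findings.append(("major", cid, "control missing from the SoA"))
            continue
        status = row["status"].strip().lower()
        if status == "applicable" and not row["reference"].strip():
            findings.append(("major", cid, "applicable but no procedure or technical control referenced"))
        elif status == "excluded":
            if not row["justification"].strip():
                findings.append(("minor", cid, "excluded without written justification"))
            if cid in treated_controls:        # SoA contradicts the treatment plan
                findings.append(("major", cid, "excluded in the SoA but selected in the Risk Treatment Plan"))
    return findings

def sample_soa():
    """Constructed SoA: all applicable with a reference, plus three injected defects."""
    rows = ["control,status,justification,reference"]
    for cid in annex_a_control_ids():
        if cid == "7.14":                      # excluded, no justification
            rows.append("7.14,excluded,,")
        elif cid == "8.13":                    # excluded although in the RTP
            rows.append("8.13,excluded,backups handled by the cloud provider,")
        elif cid != "5.1":                     # 5.1 deliberately left out
            rows.append(f"{cid},applicable,,PROC-{cid}")
    return "\n".join(rows)

if __name__ == "__main__":
    for sev, cid, msg in check_soa(load_soa(sample_soa()), {"8.13"}):
        print(f"{sev.upper():5} A.{cid}: {msg}")
```

A status other than applicable/excluded passes silently here; in a real pre-audit script that should also be reported.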
Certification Audit Path

Audit path from contract to certificate

Per ISO/IEC 17021-1 — 3-year certification cycle with two surveillance audits.

  1. Application & contract (1–2 weeks)
    Submit scope, employees in scope, sites, IAF sector (37 for IT). The body computes mandays per IAF MD 5.
  2. Stage 1 — ISMS documentation review (1–2 days)
    Auditor reviews policy, scope, risk register, SoA, risk treatment plan, internal audit results, and management review minutes. Output: readiness confirmed, or prerequisites to close.
  3. Stage 2 — Implementation audit (3–10 days onsite)
    Auditor goes into processes & systems. Interviews CISO, IT team, asset owners, vendors. Review of access logs, firewall configs, backups, patch management, incident logs. Findings classified.
  4. Closure of findings & certification recommendation (30–90 days)
    Major NCs must be closed with evidence of effective corrective action before the recommendation. Minor NCs may close at surveillance.
  5. Certificate issuance (3-year cycle)
    Certificate carries the specific ISMS scope. Often required by enterprise customers and during M&A due diligence.
  6. Year 1 & 2 surveillance audits (annual, 2–5 days)
    Focus on significant changes (new architecture, new vendors, major incidents), monitoring results, and a sample of critical controls.
  7. Recertification audit (year 3, before the certificate expires)
    Full re-audit. Pass → renewed for another 3 years.

Internal Auditor (ISO 19011)

What an ISO 27001 Internal Auditor does — beyond the checklist

Internal Auditor training follows ISO 19011:2018 with added information-security competency focus.

What they do

An ISO 27001 internal auditor verifies the SoA — that every control declared applicable is actually implemented and effective. They go into the systems: examining access logs against least privilege, testing the incident response procedure, evaluating firewall configurations against the baseline, auditing asset lifecycle (HR onboarding/offboarding), and auditing vendor contracts for security clauses. Independence is critical — auditors from one BU audit another BU. Internal audits are a mandatory input to the management review (clause 9.3).

Competencies built
  • Understanding of ISMS clauses 4–10 and the Annex SL structure
  • Mastery of the 93 Annex A controls: organizational, people, physical, technological
  • Risk-based thinking & risk assessment methods (ISO 31000 / OCTAVE / FAIR)
  • SoA audit: justifying inclusion/exclusion and consistency with implemented controls
  • Basic technical audit: access logs, security configuration, backup, vulnerability management
  • Understanding of supporting regulation: UU 27/2022 PDP, PP PDP, BSSN regulations
  • ISO 19011 — independence, objectivity, evidence-based
Findings Categories
  • Major NC

    E.g. SoA inconsistent with implemented controls, a critical control (e.g. backup) not working, or a major incident not handled per procedure.

  • Minor NC

    E.g. access logs not reviewed regularly, a procedure not updated after a change, or awareness training not delivered for one department.

  • OFI

    E.g. recommendation to automate access review, or to adopt an additional framework (e.g. NIST CSF) for governance strength.

  • Observation

    E.g. note on a newly emerging risk (new vendor, new service) not yet covered by the risk assessment.

Outcomes

Expected outcomes for your team

  • Understanding of all 93 Annex A controls
    Each participant can explain a control’s objective and example implementation — beyond memorizing the control number.
  • Defensible draft SoA
    Class output: a draft SoA with inclusion/exclusion justifications defensible to the external auditor.
  • Active ISMS internal auditors
    4–8 internal auditors who can run cross-BU audits with independence.
  • Per-control audit checklists
    Audit checklist set for the 4 Annex A themes — ready for the annual audit program.
  • Living risk register
    A risk register updated against assets, threats, and vulnerabilities; the opposite of a static document.
Decision Aid

Awareness vs Internal Auditor vs Lead Auditor preparation (Information Security)

Criterion | Awareness | Internal Auditor ★ | Lead Auditor preparation
Typical duration | 1 day | 3 days | 5 days (IRCA-style)
Target audience | All employees with system access | Internal audit & GRC team | Aspiring Lead Auditors / ISMS consultants
Main output | Security policy understood & lived | Audit checklists + draft SoA + finding reports | Individual certificate from a registered training scheme
Delivered by | Training vendor (e.g. Neksus) | Training vendor (e.g. Neksus) | Registered training organization (e.g. IRCA / PECB)
Engagement Path with Neksus

Engagement path with Neksus for ISO 27001

  1. Kickoff & gap analysis (week 1)
    2-hour workshop with CISO/IT Lead: ISMS scope mapping, gap identification vs 93 Annex A controls, target certification schedule.
  2. 1-day awareness (week 2)
    For all in-scope employees (engineering, customer support, HR, finance). Goal: embed an information security culture.
  3. 3-day Internal Auditor workshop (weeks 3–4)
    Clauses 4–10, the 93 Annex A controls, risk assessment methods, SoA audit, ISO 19011 technique, and finding-writing practice.
  4. Mock audit in critical areas (week 5)
    Facilitator accompanies an audit at one BU (e.g. engineering / data center). Participants practice interview technique & log verification.
  5. Readiness review & closure recommendations (week 6)
    Report: remaining gaps, priority actions, Stage 1 document readiness.
  6. Handoff to the certification body (week 7+)
    Stage 1 document package is ready. Body selection is entirely your decision.

Target Roles

Target roles

CISO / Information Security Manager (senior)

ISMS owner, primary contact with the certification body.

IT Manager / Head of Infrastructure

Accountable for Annex A.8 (technological) control implementation.

GRC Officer

Maintains the SoA, risk register, and ISMS documentation.

Internal Audit Team

4–8 cross-BU people for independence.

DPO (Data Protection Officer)

Aligns the ISMS with UU 27/2022 PDP.

Process Owner / Asset Owner

Information asset owners who must demonstrate controls at audit.

HR (Human Resources)

Annex A.6 (people) controls — screening, training, disciplinary process.

Top Management

Directs the information security policy and leads the management review.

Examples of Accredited Certification Bodies

Examples of accredited certification bodies for ISO 27001 in Indonesia

The list below is not a Neksus recommendation. Body selection is entirely your organization’s decision.

BSI (British Standards Institution)
UKAS + KAN

UK-origin body; original author of many ISO/IEC information security standards.

SGS
UKAS / ANAB + KAN

Broad experience auditing ISMSs for SaaS, fintech, and data centers.

TÜV Rheinland
DAkkS + KAN

Common for 27001 combined with 27017/27018 (cloud).

TÜV SÜD
DAkkS + KAN

Multi-site and cross-jurisdiction cloud ISMS experience.

Bureau Veritas
COFRAC + KAN

ISMS audit experience in financial services and energy.

Sucofindo / TUV NORD Indonesia
KAN

Frequently used in SOE/government tenders and OJK fintech ecosystem.

Important — Transparency

The bodies above are examples of organizations accredited (typically through KAN and the IAF MLA network) that can perform certification audits. They are not Neksus partners and do not receive referrals from Neksus. Choosing a certification body is entirely your organization’s decision based on scope, sector, and internal procurement requirements.

Typical Outcome Patterns

Typical outcome patterns from comparable clients

Context: B2B SaaS, 80 employees, first-time certification to satisfy enterprise customer demand.
Intervention: Awareness for the whole team (1 day) + 3-day Internal Auditor for 5 cross-functional people + mock audit focused on engineering & vendor management.
Indicative result: Stage 1 passed without critical findings; Stage 2 produced 2 Minor NCs (access review & vendor security clauses) closed within 45 days. Certificate unlocked the next enterprise-customer pipeline.

Context: OJK-regulated fintech, 150 employees, transition from 27001:2013 to 27001:2022.
Intervention: 2-day Internal Auditor transition training focused on the 11 new controls + SoA update + mock transition audit.
Indicative result: Transition audit passed within the regular surveillance cycle at no extra cost.

Context: SOE utility, certifying the SCADA-IT system.
Intervention: Training for IT, OT, and vendor management teams; coaching on a feasible vs ambitious scope definition.
Indicative result: ISO 27001 with a focused scope (control room + SCADA-IT) achieved, establishing the foundation for a scope-expansion roadmap the next year.

Procurement Info

Procurement information

  • Contract format
    Inhouse training, continuous program, or integrated awareness + Internal Auditor + mock audit package.
  • Location
    Onsite at the client site (Jabodetabek with no extra travel charge), regional onsite, or live online.
  • Language of delivery
    Indonesian or bilingual ID/EN (many engineering teams default to EN).
  • Materials & participant certificate
    Modules, handouts, SoA template, Annex A audit checklists, Neksus participation certificate.
  • Tax documentation
    VAT invoice, receipt, BAST. SOE/government e-procurement support available.
  • Payment terms
    30% advance on contract, 70% on training completion.
  • Optional implementation coaching
    Separate consulting on a manday basis: Annex A control implementation coaching, pre-Stage-1 coaching.


Discuss ISO/IEC 27001:2022 readiness for your organization

Send your ISMS scope and target certification schedule. The Neksus team studies your context and prepares a program design within 2 business days.

  • Awareness, Internal Auditor, and mock audits focused on critical areas
  • Facilitators with CISO/security architect & ISMS audit backgrounds
  • Materials cover the 27001:2013 → 27001:2022 transition and PDP Law alignment
  • Structured handoff to your chosen certification body