ISO 27001 audit engagement
ISO 27001 Stage 1 + Stage 2 audit scope.
Matter pursues ISO 27001:2022 beginning the year after SOC 2 Type II completes. Evidence pool shared with SOC 2 wherever possible (documented at apps/api/lib/iso27001-evidence.ts).
ISO 27017 + 27018 add ~30 controls on top for cloud-specific + PII-cloud-specific scenarios; bundled with the same registrar.
Statement of applicability
Annex A 2022 contains 93 controls across 4 groups:
- A.5 — Organisational (37 controls)
- A.6 — People (8 controls)
- A.7 — Physical (14 controls)
- A.8 — Technological (34 controls)
Matter's statement of applicability marks every control as applicable except those that genuinely don't fit (e.g. A.7 physical-perimeter controls for an entity with no offices); exclusions and their rationale are documented in the applicability matrix.
Stage 1 audit
Documentation review — auditor verifies the management system is documented + the controls are designed.
- ISMS scope statement.
- Information security policy.
- Risk assessment + treatment plan.
- Statement of applicability with applicability rationale.
- Documented procedures for the mandatory clauses (4-10).
Typical duration: 2 days.
Stage 2 audit
Implementation review — auditor verifies controls are operating + records are maintained.
- Sample-based testing of every applicable control.
- Internal audit cycle evidence.
- Management review records.
- Continual improvement evidence.
Typical duration: 5-10 days.
SOC 2 evidence reuse
Shared controls between SOC 2 + ISO 27001 as mapped in the ISO evidence catalog (note: rows from A.9 onward still carry 2013 Annex A numbering, whereas the 2022 Annex A listed above has only groups A.5-A.8, so those rows need remapping to 2022 identifiers before the SoA is finalised):
| ISO Annex A | SOC 2 criteria | Shared evidence |
|---|---|---|
| A.8.10 | P1.1 | Erasure + retention |
| A.8.24 | CC6.6 | Cryptography |
| A.9.2 | CC6.1 | Privileged access |
| A.12.4 | CC7.1 | Logging + monitoring |
| A.14.2 | CC8.1 | Change control |
| A.16.1 | (independent) | Incident management |
| A.17.1 | A1.2 | Business continuity |
Reuse rate target: ≥ 70%.
Surveillance audits
ISO 27001 certification is a 3-year cycle with annual surveillance visits. Surveillance visits typically sample 1/3 of controls per visit; full re-certification audit in year 3.
Outputs
- Certificate — 3-year validity, displayed on trust page.
- Statement of applicability — distributable under NDA.
- Annual surveillance reports — internal.
ISO 27017 + 27018 extensions
When bundled:
- ISO 27017 — adds ~7 cloud-specific controls (CLD.6.3 service catalogue, CLD.8.1 customer responsibility split, etc.).
- ISO 27018 — adds ~14 PII-in-cloud controls (mostly aligned with GDPR Article 28).
Listed at mattermode.com/trust once obtained.