Cyber Risk Assessment - ISO 27001 Assessment

Achieve and sustain ISO/IEC 27001:2022 certification with an assessment that does more than catalog gaps. NOXMON builds your risk-based Information Security Management System (ISMS), drives Annex A control selection, and quantifies each finding in financial terms through RISKMON, our proprietary cyber risk quantification platform.

Certification Readiness, Quantified

ISO/IEC 27001:2022 is the international standard for an Information Security Management System. Certification demonstrates to customers, regulators, and partners that you manage information security risk systematically—not as a one-time project, but as an ongoing discipline. NOXMON guides organizations from initial gap assessment through a successful certification audit.

Our assessment establishes the foundation of a credible ISMS: defined scope, leadership commitment, a documented risk assessment methodology, and a Statement of Applicability that justifies every Annex A control decision. Because the standard is risk-based, the quality of your risk assessment determines the quality of your certification—and that is precisely where RISKMON delivers.

Rather than scoring risks on a subjective 1-to-5 scale, RISKMON applies FAIR-based modeling to express each information security risk as quantified financial exposure. This makes your risk treatment decisions defensible to an auditor and meaningful to your board—and the same platform monitors your controls 24x7 after certification.

Annex A: Four Control Themes, 93 Controls

The 2022 revision reorganized Annex A into 93 controls across four themes. NOXMON assesses your current state against each, then helps you document which controls apply—and why—in your Statement of Applicability.

  • Organizational Controls (37 controls). Policies, roles, supplier relationships, threat intelligence, information security in project management, and cloud service security.
  • People Controls (8 controls). Screening, terms of employment, awareness and training, disciplinary process, and responsibilities after termination or change of employment.
  • Physical Controls (14 controls). Secure areas, equipment protection, clear desk and screen practices, secure disposal, and physical monitoring of facilities.
  • Technological Controls (34 controls). Access control, cryptography, secure development, logging and monitoring, data masking, web filtering, and protection against malware.

Risk-Based ISMS & the Statement of Applicability

A Defensible Risk Assessment

  • Asset & Risk Identification. Identify information assets, threats, and vulnerabilities relevant to your defined ISMS scope.
  • Quantified Risk Analysis. RISKMON models each risk as financial exposure so risk acceptance and treatment decisions are evidence-based.
  • Risk Treatment Plan. Map identified risks to Annex A controls with prioritized, owner-assigned remediation.
  • Management Review. Provide leadership with quantified reporting that demonstrates ISMS performance and continual improvement.

Statement of Applicability (SoA)

  • Control Selection. Justify the inclusion or exclusion of each Annex A control with documented rationale tied to your risk assessment.
  • Implementation Status. Track the implementation state of every applicable control with supporting evidence.
  • Audit-Ready Evidence. Maintain the SoA and linked evidence in RISKMON so it stays current between surveillance audits.
  • Cross-Framework Mapping. Reuse a single set of control evidence across ISO 27001, SOC 2, and other frameworks you are accountable for.

The Certification Audit Path

Stage 1 Audit

The certification body reviews your ISMS documentation—scope, policies, risk assessment, risk treatment plan, and Statement of Applicability—to confirm readiness for Stage 2. NOXMON ensures your documentation is complete and internally consistent before this review.

Stage 2 Audit

The auditor evaluates whether your ISMS is implemented and effective in practice, testing controls and reviewing evidence. We prepare your teams, conduct internal audits, and remediate findings so the accredited certification body can issue your certificate.

Surveillance & Recertification

Certification is valid for three years with annual surveillance audits. RISKMON's continuous 24x7 monitoring keeps controls effective and evidence current, so each surveillance audit is a confirmation rather than a scramble.

How RISKMON Powers Your ISMS

ISO 27001 is fundamentally a risk-management standard, and an ISMS is only as strong as the risk assessment behind it. RISKMON replaces subjective risk scoring with FAIR-based quantification, expressing each information security risk as a range of probable financial loss. That clarity drives smarter risk treatment decisions and produces a Statement of Applicability that auditors trust.

The platform maps a single set of control evidence across overlapping frameworks, tracks findings and remediation to closure, and surfaces ISMS performance through executive and board dashboards. After certification, RISKMON's 24x7 continuous monitoring keeps your controls effective—so your ISMS stays alive between audits rather than going stale. NOXMON uses RISKMON to monitor its own clients every day.

Assessment Deliverables

  • ISMS Gap Assessment. Current-state evaluation against ISO/IEC 27001:2022 clauses and all 93 Annex A controls.
  • Quantified Risk Assessment. FAIR-based risk register with financial exposure modeled in RISKMON.
  • Statement of Applicability. Documented control selection with justification for each inclusion and exclusion.
  • Risk Treatment Plan. Prioritized, owner-assigned remediation roadmap tracked to closure.
  • ISMS Documentation Set. Scope, policies, procedures, and internal audit and management review records.
  • Certification Readiness Report. Stage 1 and Stage 2 readiness assessment with board-level reporting.

"We needed ISO 27001 certification to close enterprise deals, but our previous consultant just handed us templates. NOXMON built a real ISMS, quantified our risks in dollars, and walked us through Stage 1 and Stage 2 without a single major nonconformity. RISKMON keeps our Statement of Applicability and evidence current between surveillance audits."

— Head of Security, B2B SaaS company pursuing certification

Our offices

  • Houghton
    Houghton, MI 49931
    (212) 913-9184
    info@noxmon.com
  • New York City
    New York, NY 10011
    (212) 913-9184
    info@noxmon.com