What types of compliance documents can ComplianceIQ generate?

ComplianceIQ generates privacy policies, terms of service, employee handbooks, data handling policies, OSHA compliance documents, acceptable use policies, HIPAA compliance docs, information security policies, and more — all tailored to your industry.

Are the generated documents legally valid?

ComplianceIQ generates comprehensive, industry-standard compliance documents informed by current regulations. While they provide an excellent foundation, we recommend having critical documents reviewed by legal counsel for your specific jurisdiction.

How does ComplianceIQ stay current with regulations?

Our AI models are continuously updated with the latest regulatory frameworks including GDPR, CCPA, HIPAA, SOC 2, OSHA, and more. Pro and Enterprise plans include regulatory update alerts.

ISO 27001:2013 vs :2022 — what changed?

Annex A reorganised: 114 controls → 93 (in 4 themes: organisational, people, physical, technological). 11 new controls (e.g., threat intel, secure coding, web filtering). Transition deadline Oct 31 2025.

How does ISO 27001 differ from SOC 2?

ISO 27001 = international standard requiring full ISMS + certification. SOC 2 = US audit reporting against TSC, no certificate (it's an attestation). Many companies do both.

Do we have to implement all 93 Annex A controls?

No — the SoA documents applicability with justification. But excluding a control requires defensible reasoning.

No. Certification requires an accredited certification body (CB) — typically BSI, DNV, Schellman, A-LIGN.

ISO 27001 Implementation Checklist 2026 — 35 Steps to Certification

The checklist

Clause 4 Context

1

Determine internal & external issues affecting the ISMS

critical

Documented context analysis; PESTLE / SWOT acceptable evidence.

→ Clause 4.1

2

Identify interested parties and their requirements

high

Customers, regulators, employees, suppliers; documented requirements per party.

→ Clause 4.2

3

Define ISMS scope (what's in, what's out, with rationale)

critical

Scope statement is auditor's first reference — be precise.

→ Clause 4.3

Clause 5 Leadership

4

Top management commitment & ISMS policy approved by leadership

critical

Signed policy + meeting minutes evidencing leadership engagement.

→ Clause 5.1, 5.2

5

Documented roles, responsibilities & authorities for ISMS

high

Org chart + role descriptions for security team.

→ Clause 5.3

Clause 6 Planning

6

Risk assessment methodology documented & approved

critical

Define how you identify, analyse, and evaluate risk (likelihood × impact scale).

→ Clause 6.1.2

7

Risk register with owners, treatment options, residual risk

critical

Living document — auditor will check it's updated.

→ Clause 6.1.2

8

Statement of Applicability (SoA) listing all 93 Annex A controls

critical

Each control: applicable/not applicable + justification + implementation status.

→ Clause 6.1.3

9

Risk treatment plan with assigned owners & deadlines

high

Bridges risks → controls; tracked to closure.

→ Clause 6.1.3

10

Documented information security objectives

high

Measurable, time-bound; reviewed in management review.

→ Clause 6.2

Clause 7 Support

11

Competence requirements documented & evidence of training

high

Job descriptions list required skills; training records on file.

→ Clause 7.2

12

Awareness program reaching all employees

critical

Annual mandatory training + phishing simulations + posters/intranet.

→ Clause 7.3

13

Documented information control (version, approval, distribution)

critical

Document register with version, owner, last reviewed date.

→ Clause 7.5

Clause 8 Operation

14

Operational planning & control — change management documented

high

Risk-informed change process; auditor will sample changes.

→ Clause 8.1, A.8.32

15

Risk assessment performed at planned intervals + after changes

high

At least annual + ad-hoc after major changes/incidents.

→ Clause 8.2

16

Risk treatment implementation tracked to completion

high

Risk register shows residual risk + control evidence.

→ Clause 8.3

Clause 9 Evaluation

17

Monitoring, measurement, analysis, evaluation plan

high

KPIs for each objective; documented results.

→ Clause 9.1

18

Internal audit programme (covering full ISMS over a cycle)

critical

Schedule + competent auditors + reports + corrective actions.

→ Clause 9.2

19

Management review meetings (minimum annually)

critical

Standing agenda: changes, performance, audit results, risks, opportunities.

→ Clause 9.3

Clause 10 Improvement

20

Nonconformity & corrective-action process documented

critical

Root cause, correction, corrective action, verification of effectiveness.

→ Clause 10.1

Annex A.5 Organisational

21

Information security policies set & communicated

high

Topic-specific policies (access, backup, change, etc.) all approved.

→ A.5.1

22

Threat intelligence collected & acted upon

high

New :2022 control — CISA/NCSC/MS-ISAC feeds documented in IR process.

→ A.5.7

23

Information security in supplier agreements

high

Contractual security requirements; tier-based assessment.

→ A.5.19–.22

24

Information security incident management process

critical

Defined, tested, evidence of incidents handled per process.

→ A.5.24–.27

25

ICT readiness for business continuity

critical

Documented BCP/DRP with RTO/RPO; tested.

→ A.5.30

Annex A.6 People

26

Background verification before hiring

high

Documented per-hire; proportionate to role.

→ A.6.1

27

Disciplinary process for security violations

high

Documented + applied; aligns with HR policy.

→ A.6.4

Annex A.7 Physical

28

Physical security perimeter, entry controls, monitoring

high

Even cloud-hosted orgs need this for offices/data closets.

→ A.7.1–.4

29

Secure disposal or reuse of equipment

high

Wipe / destroy certificate; documented chain of custody.

→ A.7.14

Annex A.8 Technological

30

User access management (provisioning, review, deprovisioning)

critical

Quarterly access reviews; same-day deprovisioning on termination.

→ A.8.2, A.8.3, A.8.18

31

Cryptography with key management

high

Policy + KMS + key rotation documented.

→ A.8.24

32

Logging & monitoring with protected log integrity

critical

Centralised SIEM; logs write-once; retention per policy.

→ A.8.15–.17

33

Secure development lifecycle with code review & testing

high

SAST/DAST in CI; secure-coding training; threat modelling.

→ A.8.25–.28, A.8.30

34

Web filtering and protection against malware

high

EDR + DNS filtering + email gateway.

→ A.8.7, A.8.23

Audit Prep

35

Pre-Stage-1 mock audit & document review by competent party

critical

Closes gaps before certification body shows up; 6 weeks before Stage 1.

→ Best practice

ISO 27001:2022 Implementation Checklist — 35 Steps to Certification

The checklist

Clause 4 Context

Clause 5 Leadership

Clause 6 Planning

Clause 7 Support

Clause 8 Operation

Clause 9 Evaluation

Clause 10 Improvement

Annex A.5 Organisational

Annex A.6 People

Annex A.7 Physical

Annex A.8 Technological

Audit Prep

Pitfalls — where teams actually fail

FAQ

Other checklists