From ISO-Certified Practitioners

ISO 27001:2022 on AWS, A Practical Path to NIS2 Article 21

Build an ISO 27001:2022-aligned AWS workload that doubles as your NIS2 evidence. We're ISO 27001:2022 certified ourselves, so we've lived this end-to-end.

AWS Advanced Tier Partner
Google Cloud Partner
RedHat Partner
ISO 27001:2022 Certified
ISO 9001:2015 Certified
ISO/IEC 27001:2022 · We're Certified

ISO 27001 is the shortest path to enterprise sales.

93 Annex A Controls
12 Months to Certify
80% Maps to NIS2
70% Maps to DORA

"ISO 27001 isn't just a certificate, it's the operating system that makes NIS2, DORA, and SOC 2 each easier."
— HAZERCLOUD ISO 27001:2022 implementation, 2024
The Problem We Solve

Enterprise procurement keeps asking for ISO 27001. You haven't started.

01 · PROCUREMENT BLOCKER

Our biggest enterprise deals are stuck because we don't have ISO 27001.

Banks, insurers, and regulated industries increasingly require ISO 27001 as a procurement minimum. Without it, deals stall in security review.

02 · OVERLAP UNCERTAINTY

We're being asked for SOC 2, ISO 27001, and now NIS2. Where do we start?

ISO 27001 covers ~80% of NIS2 Article 21 and ~60% of SOC 2 Trust Services Criteria. Starting with ISO 27001 gives you a control set and evidence base that carries over to the other frameworks.

03 · AWS-NATIVE EVIDENCE

We have AWS controls, but evidence collection for the Statement of Applicability is manual.

Audit Manager, Security Hub, and Config can automate ~70% of ISO 27001:2022 Annex A evidence, if configured properly from the start.

What You'll Get

From scoping to certification, with AWS-native evidence.

Stream A · ISMS Foundation

  • Information Security Management System scoping
  • Risk assessment + treatment plan
  • Statement of Applicability (Annex A)
  • Information security policy framework
  • Asset inventory + classification scheme

Stream B · AWS Implementation

  • Annex A control to AWS service mapping
  • Audit Manager evidence framework deployment
  • Security Hub + Config compliance packs
  • CloudTrail + GuardDuty + KMS hardening
  • Identity & Access (IAM, Identity Center)
  • Backup + business continuity

Stream C · Audit Readiness

  • Internal audit program
  • Management review process
  • External audit body selection support
  • Stage 1 + Stage 2 audit prep
  • Surveillance audit support (annual)
  • NIS2 / SOC 2 / DORA reuse mapping

Past Engagement Outcomes

What ISO 27001 on AWS typically delivers

Outcomes from SaaS, FinTech, and HealthTech engagements across UK, EU, Australia, and the GCC achieving ISO 27001:2022 certification on AWS-native architectures.

12 months: median engagement to certified
70%: Annex A controls automated via AWS
80%: reusable for NIS2 evidence
60%: reusable for SOC 2 controls

Built on Certified Foundations

We're ISO 27001:2022 certified. We deliver from experience.

AWS Advanced Tier · ISO/IEC 27001:2022 · ISO 9001:2015 · Practitioner-Led

Our own ISO 27001:2022 certification (achieved 2024) means we've operated every control we recommend. No theoretical guidance, no consultant abstractions: we've lived the audit, run the surveillance audits, and integrated AWS evidence into the process.

Mini Case Study

Case study: How a growth-stage SaaS achieved ISO 27001:2022 in 11 months

A growth-stage SaaS company (Amsterdam-headquartered, global customer base) was losing 30%+ of enterprise pipeline to ISO 27001 procurement requirements. Their leadership had budgeted 18 months and $130k for the effort. They engaged us to compress the timeline.

We started with ISMS scoping: 4 weeks to define the certified scope, document the risk methodology, and produce the Statement of Applicability. Implementation ran in parallel: Audit Manager evidence framework, Security Hub compliance pack, Identity Center for SSO and access reviews, and AWS Backup hardening for business continuity.

Internal audit ran in month 8. Stage 1 (documentation review) in month 10, Stage 2 (operational audit) in month 11. Certified in month 11.5. The ISO evidence framework now also covers ~80% of their NIS2 Article 21 mapping, which unblocked their next compliance milestone.

"We expected 18 months. HAZERCLOUD got us certified in 11, and the same evidence is now powering our NIS2 work."
— CISO · Growth-Stage SaaS, Netherlands (anonymized)

Outcomes

Time to certification: 11 mo
Annex A coverage: 93/93
AWS automation: 72%
NIS2 evidence reuse: 80%
Total engagement cost: −40%

Read the full case study

Engagement Options

Two phases. Predictable cost. Practitioner-led.

Most engagements split foundation + implementation. Audit body fees are separate. Multi-standard discounts available if we're delivering ISO + SOC 2 + NIS2 together.

Stage 01

ISMS Foundation

  • ISMS scoping + governance design
  • Risk assessment + treatment plan
  • Statement of Applicability (93 Annex A controls)
  • Policy framework (15-20 policies)
  • Asset register + classification scheme
Start with foundation →

FAQ

ISO 27001 questions founders ask first.

Wondering if SOC 2 is better? How long it takes? Whether AWS does the work for you? Book a call, we've answered these for our own ISO 27001 journey.

Book Free ISO Review →
What's the difference between ISO 27001 and SOC 2?
ISO 27001 is a global standard with formal certification by accredited audit bodies. SOC 2 is a US-origin framework with an attestation report (Type II covers a period). For European customers, ISO 27001 is often preferred (especially in DACH and the Nordics); for North American customers, SOC 2 is often required. Many companies pursue both; ~60% of ISO 27001 controls map to SOC 2 Trust Services Criteria, so doing them together saves time.
How long does ISO 27001:2022 certification typically take?
12 months is the median for organizations starting from scratch. The biggest variable is leadership commitment: if the CEO/CTO treats it as a priority, you can compress to 9 months; if it's pushed down to a junior team, it stretches to 18+ months. Our 11-month median reflects practitioner-led delivery (we operate the controls so your team can focus on the business).
Does AWS hold ISO 27001? How does that help us?
Yes, AWS itself is ISO 27001 certified. This means the underlying infrastructure controls (physical security, datacenter operations, hypervisor security) are already certified. Your scope covers what YOU do on top of AWS: application security, identity, data classification, backups, incident response. AWS's certification reduces your work but doesn't eliminate it.
Will ISO 27001 satisfy NIS2 Article 21? GDPR Article 32?
ISO 27001:2022 covers ~80% of NIS2 Article 21 and ~70% of GDPR Article 32 controls out of the box. The gaps for NIS2 are mostly supply-chain documentation and management body accountability. The gaps for GDPR Article 32 are typically data minimization and DPIA processes. Starting with ISO 27001 then layering NIS2/GDPR-specific additions is significantly faster than tackling each separately.
What's the minimum AWS service set for an ISO 27001-ready workload?
Mandatory: CloudTrail (multi-region, log file validation, KMS-encrypted), Config (with conformance pack), GuardDuty, Security Hub, IAM Identity Center for SSO, KMS for encryption, AWS Backup. Strongly recommended: Audit Manager (for evidence collection), Inspector (for vulnerability management), Macie (for data classification if PII applies). Total additional AWS spend depends on scale — we size this during the scoping call.
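The CloudTrail requirements in that answer (multi-region, log file validation, KMS-encrypted) are the first thing an auditor will ask you to evidence, and the quickest way to prove them is to check the trail inventory itself. Below is an added example, not HAZERCLOUD tooling or anything from the page, that evaluates a response shaped like `aws cloudtrail describe-trails --output json` against those three settings; it also checks `IncludeGlobalServiceEvents`, an extra baseline check I add here so IAM and STS events land in the trail. The field names (`IsMultiRegionTrail`, `LogFileValidationEnabled`, `KmsKeyId`, `IncludeGlobalServiceEvents`) are real CloudTrail API fields; the input JSON, trail names, bucket names and key ARN are constructed sample data. Replace `SAMPLE_DESCRIBE_TRAILS` with the live CLI output to run it against your own account.

```python
"""Evaluate CloudTrail trails against a minimal ISO 27001 logging baseline.

Added example (not HAZERCLOUD's code). Input is a constructed sample shaped
like the JSON returned by `aws cloudtrail describe-trails`.
"""
import json

# Constructed sample response: one compliant trail, one legacy trail that is
# single-region, has no digest validation and writes unencrypted log files.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {
            "Name": "org-trail",
            "S3BucketName": "example-cloudtrail-logs",          # constructed
            "IsMultiRegionTrail": True,
            "LogFileValidationEnabled": True,
            "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID",  # placeholder
            "IncludeGlobalServiceEvents": True,
        },
        {
            "Name": "legacy-trail",
            "S3BucketName": "example-old-logs",                  # constructed
            "IsMultiRegionTrail": False,
            "LogFileValidationEnabled": False,
            "IncludeGlobalServiceEvents": True,
        },
    ]
})

# Boolean trail attributes that must be true, with the finding text to report.
REQUIRED_FLAGS = {
    "IsMultiRegionTrail": "trail is not multi-region",
    "LogFileValidationEnabled": "log file validation (digest files) is disabled",
    "IncludeGlobalServiceEvents": "global service events (IAM, STS) are not included",
}


def evaluate_trail(trail):
    """Return a list of findings for one trail; an empty list means compliant."""
    findings = [msg for key, msg in REQUIRED_FLAGS.items() if not trail.get(key, False)]
    # KmsKeyId is absent from the response when SSE-KMS is not configured.
    if not trail.get("KmsKeyId"):
        findings.append("log files are not encrypted with a KMS key")
    return findings


def evaluate_describe_trails(payload):
    """Map each trail name in a describe-trails JSON payload to its findings."""
    data = json.loads(payload)
    return {t["Name"]: evaluate_trail(t) for t in data.get("trailList", [])}


def account_is_compliant(report):
    """The account meets the baseline if at least one trail has no findings."""
    return any(not findings for findings in report.values())


if __name__ == "__main__":
    report = evaluate_describe_trails(SAMPLE_DESCRIBE_TRAILS)
    for name, findings in report.items():
        status = "PASS" if not findings else "FAIL"
        print(f"{status} {name}")
        for finding in findings:
            print(f"    - {finding}")
    print("account baseline:", "met" if account_is_compliant(report) else "NOT met")
```

A trail that passes here still needs `get-trail-status` to confirm it is actually logging, and the S3 bucket policy and KMS key policy to be reviewed separately; this check covers only the trail configuration fields the answer names.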
How does ISO 27001:2022 differ from the 2013 version?
ISO 27001:2022 reorganized the Annex A controls from 114 to 93 (across 4 themes: Organizational, People, Physical, Technological). New controls cover threat intelligence, secure coding, cloud services, data leakage prevention, and ICT readiness for business continuity. If you're on the 2013 version, you have until October 2025 to transition. If you're starting fresh in 2026, go directly to the 2022 version.
Jobin Joseph, Founder & CTO of HAZERCLOUD
AWS SA Pro · DevOps Pro · Security · +2
Verify on Credly ↗
Who You'll Actually Work With

This engagement runs through me, personally.

The AWS-certified specialist on your discovery call leads the implementation team on your engagement. No bait-and-switch. No junior-led delivery.

  • Discovery call: I attend, no exceptions
  • Architecture sign-off: before any work begins
  • Weekly review: I'm on every call, every week
  • Material decisions: go through me first
  • Deliverable sign-off: my signature, my reputation
  • 30 days post-handoff: direct line to me

Read more about Jobin and the engagement model

Ready to start your ISO 27001 journey?

30 minutes with our founder. One scoping insight delivered.

We'll discuss your customer drivers, your existing AWS setup, and your timeline. You'll leave the call with a clearer scoping decision, what's in, what's out, and the realistic 12-month path forward.

AWS Advanced Tier Services Partner · ISO 27001:2022 · ISO 9001:2015 · 5× AWS-Certified Founder