ISO 27001 Internal Audit: Step-by-Step Guide

Illustration showing ISO 27001 internal audit steps including planning, evidence collection, reporting, and corrective actions

An ISO 27001 internal audit is a systematic and independent assessment of an organization’s Information Security Management System (ISMS) to ensure it conforms to the standard’s requirements and to identify areas for improvement. Regular internal audits are a mandatory part of ISO 27001 compliance (Clause 9.2) and provide management with insight into how effectively security […]

Annex A – A.8 Technological Controls

Visual representation of ISO 27001 Annex A, A.8 Technological Controls with icons for passwords, encryption, antivirus, cloud security, and access control

Technological Controls form the digital defense layer of your ISMS, covering access management, cryptography, system operations, and logging. Annex A.8 includes 34 controls (A.8.1–A.8.34) designed to protect information systems and data. This guide breaks down each control with precise definitions, implementation steps, and verification methods. For a high-level view of Annex A, see our Overview […]

Annex A – A.6 People Controls

Square infographic showing eight tiles with icons labeled Screening, Contracts, Training, Disciplinary Actions, Offboarding, Contractor Security, and KPI Monitoring under the header “ISO 27001 Annex A.6 People Controls.”

People Controls define eight essential measures in Annex A.6 that transform every team member into an active contributor to your organization’s security posture. This post describes each control, outlines step-by-step implementation guidance, and details verification techniques, from competence audits and social-engineering tests to privilege reviews and incident analyses, to ensure measurable effectiveness. For a complete […]

ISO 27001 Annex A Controls: An Overview

Square infographic with four colored quadrants on a blue gradient background, each showing an icon and control count for ISO 27001 Annex A: Organizational (37), People (8), Physical (14), and Technological (34).

What Is Annex A in ISO 27001? When companies start preparing for ISO 27001, they often run into one major obstacle: Annex A. It’s a long list of 93 information security controls that must be reviewed, selected, and implemented based on risk. The list can feel overwhelming if you’re not familiar with the standard (and most […]

Annex A Organizational Controls (A.5) Deep Dive

Square infographic on a purple background showing five colored tiles labeled “Policy,” “Roles,” “Incident,” “Continuity,” and “Supplier,” representing the core A.5 organizational controls of ISO 27001, each with a corresponding icon.

Organizational Controls are the backbone of a robust information security management system. They set the tone from the top, define clear roles, and establish the processes that make security an integral part of your organization’s culture. This article dives deep into the five key control groups under A.5. For a high‑level overview of all Annex A […]

Annex A – A.7 Physical Controls

Square infographic with a teal background titled “ISO 27001 Annex A.7 Physical Controls,” showing icons of an ID badge, security camera, padlock, shield with lock, and computer monitor to represent secure areas, entry controls, equipment protection, and surveillance.

Physical Controls protect your organization’s tangible assets and environments from unauthorized access, damage, or interference. In ISO 27001 Annex A, the A.7 category spans 14 controls (A.7.1–A.7.14) that cover everything from secure office entry to equipment disposal. This post explains each control, offers practical implementation tips, and shows how to verify their effectiveness. For a […]

How to Build an ISO 27001 Risk Treatment Plan

Flat-style square illustration on a purple background showing four white tiles with icons: a clipboard for the risk register, arrows representing avoid/reduce/transfer/accept strategies, a list mapping risks to Annex A controls, and a line chart for monitoring progress.

Putting together a risk treatment plan is where your ISO 27001 Controls meet your real-world risks. It shows auditors and everyone on your team that you have a systematic way to handle the threats you’ve identified. Below, we’ll walk through each step in plain language, share tips drawn from real-world practice, and flag common pitfalls […]

ISO 27001 Audit Checklist

Flat-style illustration of a clipboard holding an “ISO 27001 CHECKLIST” document, featuring a shield icon with a checkmark and three green checkmarks beside checklist lines, set against a light blue background.

For companies managing sensitive data or aiming to work with enterprise clients, ISO 27001 has a massive impact on how your company is seen by potential clients, both in terms of reputation and in terms of the security requirements they impose. Implementing and staying compliant with ISO 27001 shows that you take information security seriously. We’ll cover not just what to do, but also […]

SOC 2 Audit Checklist: How to Prepare, Document, and Pass Your First SOC 2 Audit

Flat-style illustration showing a SOC 2 audit checklist on a clipboard, surrounded by security icons, locks, shields, and a computer screen.

If you’re a growing startup or small business aiming to land enterprise clients, SOC 2 compliance isn’t just a checkbox; it’s your way to gain your clients’ trust. This guide walks you through exactly how to prepare for your SOC 2 audit, from risk assessment to documentation and everything in between. What Is SOC 2 […]

First Compliance Project in Humadroid

First Project in Compliance – How to Get Started in the Humadroid compliance module

Set up your first compliance project in Humadroid — define structure, assess risks, and connect controls. Here’s how to start managing audits and frameworks like ISO 27001.