ISO/IEC 27001 is the international standard for information-security management systems (ISMS). Certification requires an accredited certification body to audit the organisation's ISMS against the ISO 27001 management-system requirements and the Annex A controls.
For MSPs, ISO 27001 plays two roles. The MSP's own ISO 27001 certification is a credibility signal to enterprise procurement; ISO 27001 readiness delivered to client tenants is a billable service.
ISO 27001 and SOC 2 overlap substantially in control content; many organisations pursue both. The difference is in the audit model — SOC 2 attests to a specific period; ISO 27001 certifies an ongoing ISMS.
What to look for
- ISO 27001 management-system requirement coverage. Clauses 4–10 (context, leadership, planning, support, operation, performance evaluation, improvement) — not just Annex A controls.
- Annex A 2022 control mapping. Direct mapping to the 93 controls in Annex A 2022 (the current version) across Organisational, People, Physical, and Technological themes.
- Multi-tenant for MSP delivery. Per-client isolation, billing, and co-branded reports.
- Continuous endpoint and cloud evidence. Evidence collected from actual endpoints and cloud tenants continuously.
- Statement of Applicability (SoA) generation. Annex A control applicability with implementation status, generated from live evidence.
- Internal-audit and management-review workflow. ISO 27001 requires regular internal audits and management reviews. Tooling that supports the cadence helps.
Options to evaluate
Lavawall®: Multi-tenant MSP platform with ISO 27001 as a first-class framework
Direct ISO 27001 Annex A 2022 control mapping. Continuous endpoint and cloud evidence. Multi-tenant by design. Statement of Applicability generation from live evidence. Built and used by ThreeShield (CISSP / CISA staff).
Best when: MSPs delivering ISO 27001 readiness as a service or pursuing ISO 27001 for themselves.
Vanta / Drata / Secureframe: Single-tenant SaaS GRC with ISO 27001 module
Polished onboarding for a single SaaS company chasing ISO 27001. Not designed for MSP multi-tenant delivery.
Best when: Single SaaS companies pursuing ISO 27001.
How Lavawall® fits
Lavawall® treats ISO 27001 as a first-class framework. The 93 Annex A 2022 controls map to live evidence Lavawall® already collects from Windows / macOS / Linux endpoints and M365 / Entra / Azure / Google Workspace tenants.
Multi-tenant design lets an MSP deliver ISO 27001 readiness across multiple client tenants from one console. The Statement of Applicability is generated from the live control implementation status rather than from a generic template.
For organisations pursuing both ISO 27001 and SOC 2, the same evidence base satisfies both audits where the controls overlap.
Frequently asked
- ISO 27001 or SOC 2?
- Many enterprise procurement processes accept either. ISO 27001 is generally more widely accepted internationally; SOC 2 is more common among North American technology buyers. Many organisations pursue both.
- What is the difference between ISO 27001 and ISO 27002?
- ISO 27001 is the certifiable management-system standard. ISO 27002 is the implementation guide for the controls referenced in ISO 27001's Annex A. Lavawall® maps to ISO 27001 with ISO 27002 implementation guidance available in the control narratives.
- Does Lavawall® generate the Statement of Applicability?
- Yes, from the live evidence — not a generic template you fill in by hand.