ISO 27001 readiness for IT Services, MSPs, and Cloud providers.
Client data, multi-tenant isolation, strong supplier hygiene, and client-contract security clauses you can actually defend. Your sales cycle closes the day an ISO certificate lands in procurement's inbox - the overlay opens with the asset inventory, access matrix, and SDLC scaffolding a client's security team will probe first.
- Certificates mapped into one evidence trail: ISO 27001 + SOC 2
- Clients covered per certificate: Unlimited
- Client-contract clauses tracked: Per obligation
The majority of Annex A controls overlap with SOC 2 CC criteria. AFEND's evidence map harvests one certificate's artefacts toward the other - reuse rather than re-run.
One ISMS scope, one certificate. Your clients point to yours in their own supplier-management evidence. No per-client recertification work.
Non-standard client security clauses (shorter breach windows, custom encryption rules, client-approved vendor lists) captured in the obligations register and linked to the SoA they change.
Focus areas pre-loaded for this profile
- Multi-client data isolation and least-privilege access
- Formalising an SDLC and change management without slowing delivery
- Asset inventory and shadow IT cleanup
- Client contract security clauses and SLAs
- Supplier and subprocessor governance
The friction IT Services / MSP / Cloud teams hit before AFEND.
1. Every new client RFP asks for ISO 27001 alongside SOC 2. Losing deals to 'they don't have it yet' is a recurring line item.
2. Multi-client isolation on shared infrastructure - the same question SaaS teams face, but usually across more providers and more environments.
3. Client contract security clauses that don't match each other: one client wants 24-hour breach notification, another wants 8 hours, a third insists on their own template.
4. SDLC and change management often exist informally - they work, but they're not written down in a way an auditor can verify.
5. Shadow IT: tools subscribed by individual engineers or teams without going through procurement, which means the subprocessor register is always half-complete.
The questions an external auditor opens with.
Not the Annex A wording. The real questions your auditor puts in the Stage 1 interview - and that AFEND makes answerable by construction.
- Q1: Asset inventory with owner, classification, and location. No 'TBD' rows.
- Q2: How a new client is onboarded - contract, access provisioning, data migration, security briefing.
- Q3: Your SDLC evidence: ticket → review → test → deploy → post-deploy validation, across a representative sample.
- Q4: The sub-processor register cross-referenced against last quarter's invoicing - inconsistent entries get flagged.
- Q5: How client-specific security clauses are tracked and enforced when they exceed your baseline.
Annex A controls the auditor will press on for IT Services / MSP / Cloud.
All 93 Annex A controls go through the Statement of Applicability. These six get disproportionate scrutiny in IT Services / MSP / Cloud engagements - AFEND surfaces them on the SoA dashboard so you approve them first.
- A.5.9 Inventory of information and other associated assets: The first control every auditor checks and the one that's easiest to fail. Asset owner, classification, location, and review date - on everything.
- A.5.19 Information security in supplier relationships: MSPs and cloud providers are both customer and supplier. The supplier register has to be accurate enough that your own clients can derive theirs from it.
- A.5.20 Addressing information security within supplier agreements: Client contracts contain their own security clauses. Map each non-standard obligation to a control in the SoA so it doesn't fall through the cracks.
- A.8.3 Information access restriction: Multi-client isolation: a support engineer helping client A must not be able to see client B's tickets, tenants, or logs.
- A.8.25 Secure development life cycle: Whatever your SDLC is (formal or implicit), the evidence trail needs to exist for a sample of production changes. 'We review every PR' isn't the control - the review record is.
- A.5.24 Information security incident management planning and preparation: Each client contract likely has different breach-notification windows. Your runbook has to resolve them into one playbook with client-specific overrides.
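The A.5.24 point above (per-client breach-notification windows resolved into one playbook) as an added example; this is not AFEND code. The 72-hour baseline, the client names and their contractual windows are constructed assumptions standing in for entries of the obligations register.

```python
"""Resolve per-client breach-notification windows into one incident schedule.

Added example, not AFEND's implementation. The baseline and the client
overrides below are constructed; a real run reads them from the obligations
register. Overrides may only tighten the baseline: a clause looser than the
baseline is reported so the contract owner can reconcile it, not silently honoured.
"""
from datetime import datetime, timedelta, timezone

BASELINE_HOURS = 72  # assumed ISMS-wide notification window

# Constructed obligations register: client -> contractual window in hours.
OBLIGATIONS = {
    "client-a": 24,   # wants 24-hour notification
    "client-b": 8,    # wants 8-hour notification
    "client-d": 96,   # looser than baseline: flagged, baseline applied
}

# Constructed detection timestamp used by the stand-alone run below.
EXAMPLE_DETECTED_AT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def resolve_windows(affected, obligations, baseline=BASELINE_HOURS):
    """Return ({client: effective_hours}, [clients whose clause loosens the baseline])."""
    resolved, loosened = {}, []
    for client in affected:
        hours = obligations.get(client, baseline)  # no clause -> baseline applies
        if hours > baseline:
            loosened.append(client)
            hours = baseline
        resolved[client] = hours
    return resolved, loosened


def notification_schedule(detected_at, affected, obligations, baseline=BASELINE_HOURS):
    """Order affected clients by hard deadline; the first entry drives the playbook."""
    resolved, loosened = resolve_windows(affected, obligations, baseline)
    schedule = sorted((detected_at + timedelta(hours=h), c) for c, h in resolved.items())
    return schedule, loosened


if __name__ == "__main__":
    sched, flagged = notification_schedule(
        EXAMPLE_DETECTED_AT, ["client-a", "client-b", "client-c", "client-d"], OBLIGATIONS)
    for deadline, client in sched:
        print(f"{deadline.isoformat()}  notify {client}")
    print("clauses looser than baseline:", flagged)
```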
Artefacts the readiness pack must contain.
Mapped to the Annex A controls above. AFEND’s evidence room accepts file uploads, external-system links, and review cycles; the auditor export bundles them in the expected structure.
- Asset inventory with owner, classification, location, and last-review date
- Multi-client access matrix showing isolation by engineer and tenant
- Sub-processor register reconciled with the last quarter's invoice log
- Sample SDLC trail (ticket → review → merge → deploy → validation) for a handful of recent changes
- Client contract security-clause register with non-standard obligations mapped to SoA controls
- Incident response runbook with per-client notification-window overrides
- Access-review export covering all client-facing accounts and platform-admin accounts
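The sub-processor reconciliation named in Q4 and in the artefact list above (register cross-referenced against the quarter's invoice log, with inconsistencies flagged) as an added example; this is not AFEND code. The register entries, vendor aliases and invoice lines are constructed sample data.

```python
"""Reconcile the sub-processor register against last quarter's invoice log.

Added example, not AFEND's implementation. Two findings come out:
  - unregistered: vendors finance paid but the ISMS never recorded (shadow IT)
  - stale: register entries with no spend, i.e. possibly no longer in use
Vendor names are normalised (case, whitespace) and matched via declared aliases,
so 'CloudHost' on an invoice resolves to 'CloudHost Ltd' in the register.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subprocessor:
    name: str
    aliases: tuple = ()   # names the vendor appears under on invoices


# Constructed sub-processor register (what the ISMS says you use).
REGISTER = [
    Subprocessor("CloudHost Ltd", aliases=("CloudHost",)),
    Subprocessor("TicketDesk"),
    Subprocessor("OldBackup Co"),
]

# Constructed invoice log (what finance actually paid for last quarter).
INVOICES = [
    {"vendor": "CloudHost", "amount": 1200.0},
    {"vendor": "ticketdesk", "amount": 300.0},
    {"vendor": "NoteTaker AI", "amount": 49.0},   # engineer-subscribed, never registered
]


def _norm(name):
    return " ".join(name.lower().split())


def reconcile(register, invoices):
    """Return {'unregistered': [...], 'stale': [...]} from register vs invoice vendors."""
    alias_to_name = {}
    for entry in register:
        for alias in (entry.name, *entry.aliases):
            alias_to_name[_norm(alias)] = entry.name
    unregistered, matched = set(), set()
    for line in invoices:
        key = _norm(line["vendor"])
        if key in alias_to_name:
            matched.add(alias_to_name[key])
        else:
            unregistered.add(line["vendor"])
    stale = [e.name for e in register if e.name not in matched]
    return {"unregistered": sorted(unregistered), "stale": sorted(stale)}
```

Either list being non-empty is an audit finding: unregistered vendors need an onboarding decision, stale entries need a confirmed retirement date or fresh evidence of use.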
Mistakes we see every IT Services / MSP / Cloud team repeat.
Anti-pattern: Relying on 'SOC 2 Type II' attestation to answer ISO 27001 questions.
Fix: They overlap but don't substitute. Your ISO SoA must explicitly name each Annex A control; cross-map SOC 2 evidence on top. AFEND ships a SOC 2 → Annex A mapping so you reuse evidence, not paperwork.

Anti-pattern: Asset inventory that's a spreadsheet updated infrequently.
Fix: Pull it from the sources of truth (IAM, cloud inventory, MDM). A live query + a dated export is the control. Manual updates are the fail path.

Anti-pattern: Client-specific security clauses tracked in the client folder, not the ISMS.
Fix: Extract the non-standard ones into the obligations register at contract signing. AFEND links clauses to SoA entries so nothing is invisible at the next audit.

Anti-pattern: SDLC that works informally but has no artefact trail.
Fix: Pick a handful of recent production changes. Pull the ticket, the PR, the test run, the deploy log, the monitoring window. That's the evidence. Then name it SDLC.
Questions IT Services / MSP / Cloud buyers ask us.
We're an MSP with many clients. Do we certify once or per client?
Once, for your ISMS. The certificate covers your organisation's scope - your service delivery, your team, your infrastructure. Each client can then point to your certificate in their own supplier-management evidence.
How do we handle clients whose security requirements exceed our baseline?
Treat them as obligations. The client-specific clause gets extracted into the obligations register, mapped to the Annex A controls it touches, and tracked like any other compliance commitment. AFEND's register is built for this.
Does ISO 27001 replace SOC 2 for US-based clients?
Often no - US enterprises frequently request both. The good news: 80%+ of the controls overlap. AFEND's evidence-mapping lets you harvest one certificate's evidence toward the other, which is where the cost saving actually comes from.
Our developers run their own laptops with admin rights. Is that a problem?
Not automatically. The question is whether production access routes through those laptops, and whether there's a process for detecting and revoking compromise. With a documented EDR + JIT production-access flow, it's defensible. Without it, the auditor will land on it.
Open a workspace with the IT Services / MSP / Cloud overlay already loaded.
14-day trial, no credit card. The IT Services / MSP / Cloud risk library, the six core controls, and the evidence scaffolding above are pre-seeded the moment you choose this industry at setup.