Run your full Information Security Management System in PICMS — risk register, Statement of Applicability across all 93 Annex A controls, document control with version history, audit cycle, management review. UK-built, IRCA-aligned, no fluff.
ISO 27001:2022 is a management system standard. The certificate hangs on whether you can demonstrate continuous, evidence-backed operation — not whether you have a 90-page Information Security Policy nobody reads.
An auditor walking into your stage-2 visit will check, in roughly this order: that you have a defined ISMS scope, a current risk assessment, a Statement of Applicability mapping every Annex A control to an applicability decision and supporting evidence, document control with version history and authorised approvers, an internal audit programme that has actually run, management review minutes from the last 12 months with verifiable inputs and outputs, a measurable continual improvement record, and incident handling logs.
Spreadsheets work — until they don't. A typical 50-person UK SME pursuing first 27001 certification ends up with one risk register on SharePoint, one Statement of Applicability in Excel, one document library in Teams, internal audit findings in a Word file, management review minutes in someone's mailbox, and zero golden-thread linking the lot. The audit isn't lost on the policy text. It's lost on traceability.
5×5 matrix or equivalent, asset-based or scenario-based, applied consistently. Every risk traceable to a treatment decision (accept, mitigate, transfer, avoid) and to specific Annex A controls.
Version history. Approver. Effective date. Distribution list. Retention period. Auditors check whether the document attached to a control evidence record is the version that was current at the time of the activity, not the latest one.
Risk treatment plan executed and tracked. Changes assessed before deployment. Incidents recorded with chain-of-custody for evidence.
Programme. Schedule. Auditor independence. Findings tracked through to closure with verification of effectiveness.
The 12 mandatory inputs from the standard. Decisions recorded. Actions tracked. Distribution evidenced.
Each control either applicable (with evidence) or excluded (with justification). The Statement of Applicability is the auditor's reading list.
Asset and scenario-based risks, 5×5 inherent + residual scoring, treatment plans, control linkage, owner assignment, review schedule.
Live Statement of Applicability across all 93 ISO 27001:2022 Annex A controls. Per-control evidence linking with confidence scoring.
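The golden thread the page keeps returning to (risk scored on a 5×5 matrix, a treatment decision, linkage to Annex A controls, and a Statement of Applicability derived from that linkage) can be shown in a few dozen lines. The following is an added illustration, not PICMS code and not a description of how PICMS stores its data. It assumes a constructed five-control subset of Annex A, a constructed risk appetite threshold of 8, and a constructed three-entry register; the validation rules are the consistency checks an auditor would apply when reading a register, as described above, not a rule set taken from the standard.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

# Constructed subset of ISO 27001:2022 Annex A used for this example
# (a real Statement of Applicability covers all 93 controls).
ANNEX_A_SUBSET = {
    "A.5.15": "Access control",
    "A.6.3": "Information security awareness, education and training",
    "A.8.5": "Secure authentication",
    "A.8.7": "Protection against malware",
    "A.8.24": "Use of cryptography",
}

RISK_APPETITE = 8  # constructed threshold: residual scores above this still need treatment


class Treatment(Enum):
    ACCEPT = "accept"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"
    AVOID = "avoid"


def score(likelihood: int, impact: int) -> int:
    """5x5 matrix: both axes 1..5, score is their product (1..25)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must each be 1..5")
    return likelihood * impact


@dataclass
class Risk:
    risk_id: str
    description: str          # asset- or scenario-based statement of the risk
    owner: str
    likelihood: int           # inherent, i.e. before treatment
    impact: int
    treatment: Treatment
    controls: List[str] = field(default_factory=list)  # Annex A ids the treatment relies on
    residual_likelihood: Optional[int] = None          # after treatment
    residual_impact: Optional[int] = None

    @property
    def inherent(self) -> int:
        return score(self.likelihood, self.impact)

    @property
    def residual(self) -> int:
        # An untreated risk keeps its inherent score.
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.inherent
        return score(self.residual_likelihood, self.residual_impact)


def validate(risk: Risk) -> List[str]:
    """Consistency checks on one register entry; empty list means it holds up."""
    problems = []
    if risk.treatment == Treatment.MITIGATE:
        if not risk.controls:
            problems.append("mitigated risk has no Annex A control linkage")
        if risk.residual >= risk.inherent:
            problems.append("residual score is not lower than inherent score")
    if risk.treatment == Treatment.ACCEPT and risk.residual > RISK_APPETITE:
        problems.append(f"accepted risk scores {risk.residual}, above appetite {RISK_APPETITE}")
    for cid in risk.controls:
        if cid not in ANNEX_A_SUBSET:
            problems.append(f"unknown control id {cid}")
    return problems


def build_soa(risks: List[Risk], justifications: Dict[str, str]) -> Dict[str, dict]:
    """Derive the Statement of Applicability from the register.

    A control is applicable if any risk treatment relies on it, and those risks
    are its supporting evidence. An excluded control needs a written justification.
    """
    soa = {cid: {"title": t, "applicable": False, "risks": [], "justification": None}
           for cid, t in ANNEX_A_SUBSET.items()}
    for r in risks:
        for cid in r.controls:
            if cid in soa:
                soa[cid]["applicable"] = True
                soa[cid]["risks"].append(r.risk_id)
    for cid, entry in soa.items():
        if not entry["applicable"]:
            entry["justification"] = justifications.get(cid)
    return soa


def unjustified_exclusions(soa: Dict[str, dict]) -> List[str]:
    """Controls marked not applicable with no justification: an audit finding waiting to happen."""
    return [cid for cid, e in soa.items() if not e["applicable"] and not e["justification"]]


# Constructed sample register.
RISKS = [
    Risk("R-001", "Laptop holding client data stolen", "IT lead", 3, 4,
         Treatment.MITIGATE, ["A.8.24", "A.5.15"], 2, 2),
    Risk("R-002", "Staff credentials phished", "HR lead", 4, 4,
         Treatment.MITIGATE, ["A.6.3", "A.8.5"], 2, 3),
    Risk("R-003", "Office flooding damages printed records", "Ops lead", 1, 3,
         Treatment.ACCEPT),
]
JUSTIFICATIONS = {}  # constructed: nobody has yet justified excluding A.8.7

if __name__ == "__main__":
    for r in RISKS:
        print(r.risk_id, "inherent", r.inherent, "residual", r.residual, validate(r))
    print("excluded without justification:", unjustified_exclusions(build_soa(RISKS, JUSTIFICATIONS)))
```

Running it reports A.8.7 as excluded without justification, which is exactly the kind of gap an auditor reading the Statement of Applicability as a "reading list" would stop at: the register never relies on the control, and nobody has written down why.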
Version history, approval workflow, soft delete with restore, ISO 9001 7.5-compliant. Every uploaded document indexed and searchable.
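The version check described earlier (is the document attached to an evidence record the version that was current when the activity happened, rather than the latest one?) is mechanical once version history carries effective and superseded dates. The following added example is not PICMS code and makes no claim about its data model; it assumes a constructed two-version policy ISP-001 and three constructed evidence records, one of which cites the latest version for an activity that predates it.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DocumentVersion:
    doc_id: str
    version: str
    approver: str
    effective_from: date
    superseded_on: Optional[date] = None  # None means this is still the current version


@dataclass(frozen=True)
class EvidenceRecord:
    record_id: str
    control_id: str       # Annex A control the evidence supports
    activity_date: date   # when the evidenced activity actually took place
    doc_id: str
    cited_version: str    # the version the record claims was followed


def version_in_force(history: List[DocumentVersion], doc_id: str, on: date) -> Optional[DocumentVersion]:
    """Return the version of doc_id that was effective on the given date, if any."""
    for v in history:
        if v.doc_id != doc_id:
            continue
        if v.effective_from <= on and (v.superseded_on is None or on < v.superseded_on):
            return v
    return None


def validate_history(history: List[DocumentVersion]) -> List[str]:
    """Each version must be superseded exactly when the next takes effect, and one must be current."""
    problems = []
    by_doc: Dict[str, List[DocumentVersion]] = {}
    for v in history:
        by_doc.setdefault(v.doc_id, []).append(v)
    for doc_id, versions in by_doc.items():
        versions = sorted(versions, key=lambda v: v.effective_from)
        for prev, nxt in zip(versions, versions[1:]):
            if prev.superseded_on != nxt.effective_from:
                problems.append(f"{doc_id}: {prev.version} -> {nxt.version} gap or overlap")
        if versions[-1].superseded_on is not None:
            problems.append(f"{doc_id}: no current version")
    return problems


def check_evidence(record: EvidenceRecord, history: List[DocumentVersion]) -> dict:
    """Compare the cited version with the one actually in force on the activity date."""
    expected = version_in_force(history, record.doc_id, record.activity_date)
    result = {"record_id": record.record_id, "cited": record.cited_version,
              "expected": expected.version if expected else None, "ok": False}
    if expected is None:
        result["reason"] = "no approved version of the document existed on the activity date"
    elif expected.version != record.cited_version:
        result["reason"] = "cited version was not the one current on the activity date"
    else:
        result["ok"] = True
        result["reason"] = f"approved by {expected.approver}, effective {expected.effective_from}"
    return result


# Constructed sample data: one policy with two versions, three evidence records.
HISTORY = [
    DocumentVersion("ISP-001", "1.0", "CISO", date(2024, 1, 15), date(2024, 9, 1)),
    DocumentVersion("ISP-001", "2.0", "CISO", date(2024, 9, 1)),
]
EVIDENCE = [
    EvidenceRecord("EV-1", "A.5.15", date(2024, 6, 10), "ISP-001", "1.0"),  # cites the version in force
    EvidenceRecord("EV-2", "A.5.15", date(2024, 6, 10), "ISP-001", "2.0"),  # cites the latest, not the one in force
    EvidenceRecord("EV-3", "A.5.15", date(2023, 12, 1), "ISP-001", "1.0"),  # predates any approved version
]

if __name__ == "__main__":
    print("history problems:", validate_history(HISTORY))
    for rec in EVIDENCE:
        print(check_evidence(rec, HISTORY))
```

EV-2 is the case the page warns about: the record looks fine against the current document library, and only fails when the activity date is compared with the version's effective window. EV-3 is the other failure worth catching, an activity evidenced against a policy that had not yet been approved.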
Audit schedule, finding tracker, CAPA generation from findings, effectiveness verification, full audit trail per ISO 19011.
Structured 5-section form with all 12 mandatory clause 9.3.2 inputs, action tracking through 9.3.3 outputs, distribution log.
Auto-link risks to documents to incidents to CAPAs to audit findings — the traceability auditors look for, without manual cross-referencing.
Voice-enabled incident logging, 5-Whys investigation, automatic CAPA generation, evidence attachment with chain-of-custody.
Per-person competency matrix with expiry tracking — supports clause 7.2 evidence and Annex A.6.3 (information security awareness).
Auditor-credible vendors don't pretend software replaces management. PICMS does not:
What PICMS does is give you, your team and your auditor a single source of truth for everything else — so the certification visit is a verification exercise, not a documentation hunt.
Three tiers fit most 27001 deployments:
14 days free, full feature access, no credit card surprise. Built by an IRCA Registered Principal Auditor — the kind of person who'd be on the other side of your certification visit.