ISO 27001:2022 — Executive Readiness Report

Prepared by Maria Santos, CISO  ·  For Board of Directors Presentation

CloudSync Solutions Ltda
Report date: 25 March 2026
Target audit: 25 September 2026
Framework: ISO/IEC 27001:2022
ISMS Implementation: 95%
Stage 1 Ready: 80%
Stage 2 Ready: 60%
Avg Clause Maturity: 11/25
Controls Verified: 3/93
Certification Timeline: ✅ On Track · 183 days remaining

Readiness by Area

Area · Readiness · Status
Management Review · 100% · Complete
Risk Management · 95% · Complete
Policies & Procedures · 95% · Complete
Scope & Context · 90% · Complete
Asset Management · 90% · Complete
Monitoring & Measurement · 85% · Complete
Internal Audit · 85% · Complete
Controls & SoA · 75% · Evidence gap

PDCA Implementation Progress

13 of 14 certification skills complete · 1 remaining (Awareness & Training)
Certification skills (14): Org Profile · ISMS Scope · Asset Inventory · Risk Assessment · SoA · Gap Assessment · Policy Generator · Physical Security · Supplier Security · Awareness & Training (remaining) · Internal Audit · Monitoring · Mgmt Review · Exec Report
Additional completed skills: Legal Req. · NDA / A.6.6 · HR Security · Privacy/PII · SOPs · Sec. Arch. · BCP/DRP

Critical Gaps — Board Attention Required

# · Gap Description · Severity · Effort
1 · 3 open internal audit CAPAs — NC-001: no access review records; NC-002: incident response procedure incomplete (missing RACI, LGPD linkage); NC-003: no backup restoration test records. Unresolved NCs will prevent Stage 2 certification. · High · 2–4 weeks each; close simultaneously
2 · Control evidence gap — 3 of 93 controls verified. Stage 2 auditors will sample operational evidence (logs, screenshots, attestations) across all 93 Annex A controls. This is the single largest risk to certification. · Critical · 6–8 weeks campaign May–Jul
3 · Awareness & Training program not delivered. No training records exist. Clauses 7.2 (competence) and 7.3 (awareness) and Control A.6.3 require documented competence and awareness for all staff; their absence is a straightforward Major NC at Stage 2. · High · 3–4 weeks; by Jun 2026
4 · 18 gap assessment findings open (0 closed) — many are already remediated by completed Do-phase skills, but the register has not been formally refreshed. This overstates open risk; the Stage 1 auditor needs an updated status picture. · Medium · 1–2 weeks refresh; May 2026
5 · IS Objectives Register (Clause 6.2) not produced as a standalone artifact. Objectives exist informally, but no formal register with measurable KPIs, owners, targets, and measurement frequency has been published. · Medium · 1 week; CISO-led

Top 5 Risk Highlights · 5×5 likelihood-impact matrix · 11 risks total: 1 Critical, 8 High, 2 Medium

Risk · Likelihood · Impact · Treatment
Credential theft — Compromised employee/service account credentials targeting customer PII (LGPD). Inherent: 20/25 Critical → Residual: 10/25 High · Likelihood: High · Impact: Critical · Treatment: In Treatment (MFA rollout in progress)
Cloud misconfiguration — Overly permissive GCP IAM, exposed storage, disabled audit logging. Inherent: 15/25 → Residual: 8/25 Medium · Likelihood: Medium · Impact: Critical · Treatment: In Treatment (CSPM evaluation underway)
Malicious insider — Staff with legitimate access exfiltrating data or causing unintentional disclosure. Inherent: 12/25 → Residual: 8/25 Medium · Likelihood: Medium · Impact: High · Treatment: In Treatment (DLP tooling gap open)
Supply chain compromise — Malicious package or CI/CD pipeline compromise injecting code into production · Likelihood: Medium · Impact: High · Treatment: In Treatment (GitHub Advanced Security pending)
Ransomware / destructive malware — Attack on production infrastructure and backups causing data loss and unavailability · Likelihood: Low · Impact: Critical · Treatment: Partially treated (BCP/DRP done; NC-003 open)

Timeline to Certification

On Track for September 2026
183 days remaining · 3 enterprise RFPs worth R$420K ARR contingent on certification
25 Mar 2026 — NOW (Current): This report issued. 3 open CAPAs. Evidence campaign not yet started.
30 Apr 2026 — Phase 1 (Planned): Close NC-001, NC-002, NC-003 CAPAs. Engage certification body.
30 Jun 2026 — Phase 2/3 (Planned): Deliver Awareness & Training program. Gap assessment refresh complete.
25 Jul 2026 — Stage 1 Audit (Planned): Certification body documentation review (1–2 days). Evidence campaign ≥70%.
31 Aug 2026 — Stage 1 Remediation (Planned): Address any Stage 1 findings. Final evidence top-up.
25 Sep 2026 — 🎯 Stage 2 Audit (Target): On-site implementation audit (3–5 days). Certification decision.

Board Recommendations

1. Authorize CAPA closure resources — by 30 Apr: Close NC-001, NC-002, NC-003 before Stage 2 · Owner: Maria Santos / João Silva
2. Fund 6-week evidence collection campaign (May–Jul): Target ≥70% of 93 controls verified; this is the biggest Stage 2 risk · Owner: CISO + CTO + DPO
3. Launch IS Awareness & Training by 30 June: All-staff + role-based modules required for Clauses 7.2 and 7.3 · Owner: HR Director + CISO
4. Confirm certification body booking by end of April: 6–12 week CB lead time; Stage 1 for Jul 2026 · Owner: Pedro Lima (auth) / CISO
5. Commission gap assessment refresh by 31 May: Close 18 stale open findings; accurate risk picture for Stage 1 · Owner: Maria Santos, CISO