WarDek is a complete compliance suite that combines an OWASP vulnerability scanner with NIS2, AI Act and GDPR compliance modules, specially designed for European SMEs.

Is my company subject to NIS2?

The NIS2 directive applies to essential and important entities in sectors such as energy, healthcare, transport, digital, etc. Use our free simulator to check.

How should I use WarDek reports in an audit?

WarDek reports provide a practical working base for your team, auditor, or compliance preparation. They are not an official certification or legal opinion.

How long does a scan take?

A complete OWASP scan typically takes between 2 and 5 minutes depending on the complexity of your website.

Absolutely. We never store your credentials. Reports are encrypted and you can delete them at any time. We are hosted in France.

Can I try before I buy?

Yes! The Free plan lets you test WarDek with 3 scans per month, no credit card required.

ISO 27001 is the international standard for Information Security Management Systems (ISMS). The latest version, ISO 27001:2022, provides a framework for establishing, implementing, maintaining, and continually improving information security. It includes 93 controls organized into 4 categories: Organizational (37), People (8), Physical (14), and Technological (34).

Who should get ISO 27001 certified?

Any organization that handles sensitive information should consider ISO 27001 certification. It is particularly important for SaaS companies, cloud service providers, IT service providers, financial institutions, healthcare organizations, and any business undergoing enterprise due diligence. Many large companies require ISO 27001 certification from their vendors as a condition of doing business.

What is ISO 27001 Annex A?

Annex A is a normative annex of ISO 27001 that lists 93 security controls across 4 categories. Organizations must determine which controls are applicable through a risk assessment and document their applicability in a Statement of Applicability (SoA). The 2022 revision reorganized controls from 14 domains into 4 themes: Organizational, People, Physical, and Technological.

How long does ISO 27001 certification take?

Typical certification timeline is 6-12 months for SMEs and 12-18 months for larger organizations. This includes: risk assessment (1-2 months), ISMS implementation (3-6 months), internal audit (1 month), management review (2 weeks), and certification audit by an accredited body (1-2 months). Tools like WarDek can accelerate the technical controls assessment.

How does ISO 27001 relate to NIS2 and SOC 2?

ISO 27001, NIS2, and SOC 2 are complementary. ISO 27001 provides the management system framework. NIS2 is EU regulation with mandatory compliance for essential/important entities. SOC 2 is US-originated and focuses on trust service criteria for service organizations. Having ISO 27001 significantly helps with NIS2 compliance (Article 21 maps to many Annex A controls) and SOC 2 readiness.

What can WarDek automate for ISO 27001?

WarDek automatically assesses 12 technical Annex A controls through its security scanners: cryptography (A.8.24), configuration management (A.8.9), network security (A.8.20), secure development (A.8.25), application security (A.8.26), secure coding (A.8.28), threat intelligence (A.5.7), cloud security (A.5.23), and activity monitoring (A.8.16). A single scan generates an automated assessment across these controls.

ISO 27001:2022 Compliance Guide — Annex A Controls

What is ISO 27001:2022?

ISO 27001 is the globally recognized standard for Information Security Management Systems (ISMS). Published by ISO and IEC, it defines how organizations should manage information security risks through a systematic, process-based approach. The 2022 revision modernized the control set to address cloud computing, threat intelligence, and data privacy.

Certification is granted by accredited third-party auditors and must be renewed every three years with annual surveillance audits. For SMEs, ISO 27001 is increasingly a competitive requirement — enterprise buyers frequently mandate it during vendor due diligence.

The 4 Control Categories (Annex A)

ISO 27001:2022 organizes its 93 controls into four themes, replacing the previous 14-domain structure:

Category	Controls	Focus
Organizational	37	Policies, roles, responsibilities, threat intelligence, cloud services, supplier relationships
People	8	Screening, awareness training, remote working, confidentiality agreements
Physical	14	Perimeter security, equipment protection, secure areas, cabling, monitoring
Technological	34	Access control, cryptography, secure development, vulnerability management, logging, network security

Each control has associated attributes — control type (preventive, detective, corrective), information security properties (CIA), and cybersecurity concepts — making it easier to map to other frameworks.

12 Key Technical Controls WarDek Automates

WarDek's security scanners automatically assess the following Annex A controls through passive and active scanning:

Control	Name	What WarDek Checks
A.5.7	Threat intelligence	Known vulnerability databases, CVE exposure, threat feeds
A.5.23	Cloud services security	Cloud provider headers, CDN configuration, storage exposure
A.8.9	Configuration management	Security headers, server configuration, default settings
A.8.16	Monitoring activities	Logging headers, error handling, information disclosure
A.8.20	Network security	TLS configuration, cipher suites, protocol versions, HSTS
A.8.24	Use of cryptography	Certificate validity, key strength, encryption standards
A.8.25	Secure development lifecycle	Security headers indicating SDLC practices, CSP policies
A.8.26	Application security requirements	Input validation, CORS policies, authentication mechanisms
A.8.28	Secure coding	XSS protections, injection defenses, output encoding
A.8.8	Technical vulnerability management	Known CVEs, outdated software versions, patch status
A.8.12	Data leakage prevention	Exposed metadata, directory listings, information disclosure
A.8.22	Web filtering	Content security policies, referrer policies, permissions

Implementation Roadmap for SMEs

A practical 6-phase approach to ISO 27001 certification for small and medium enterprises:

Phase 1 — Gap Analysis (Weeks 1–4)

Assess current security posture against Annex A controls
Run a WarDek scan to establish a baseline for technical controls
Identify quick wins and major gaps
Secure management commitment and define ISMS scope

Phase 2 — Risk Assessment (Weeks 5–8)

Identify information assets and their owners
Assess threats, vulnerabilities, and impacts
Calculate risk levels and define risk treatment plans
Create the Statement of Applicability (SoA) — documenting which Annex A controls apply and why

Phase 3 — Policy and Documentation (Weeks 9–16)

Write mandatory documents: ISMS policy, risk treatment plan, SoA
Develop operational procedures for applicable controls
Define metrics and monitoring approaches
Set up document control and versioning

Phase 4 — Implementation (Weeks 17–28)

Deploy technical controls (firewall rules, encryption, access management)
Conduct security awareness training for all staff
Implement incident response procedures
Configure monitoring and logging systems

Phase 5 — Internal Audit (Weeks 29–32)

Perform a full internal audit against all applicable controls
Document nonconformities and corrective actions
Conduct management review meeting
Run a final WarDek scan to verify technical controls

Phase 6 — Certification Audit (Weeks 33–40)

Stage 1: Documentation review — auditor checks ISMS documentation completeness
Stage 2: Implementation audit — auditor verifies controls are operating effectively
Address any audit findings within the specified timeframe
Receive certification (valid 3 years, annual surveillance)

Relationship with NIS2, GDPR, and SOC 2

ISO 27001 does not exist in isolation. Understanding how it relates to other compliance frameworks helps maximize the return on your certification investment:

Framework	Relationship to ISO 27001	Overlap
NIS2	Article 21 measures map directly to many Annex A controls. ISO 27001 certification is considered strong evidence of NIS2 compliance.	~70%
GDPR	Article 32 (security of processing) aligns with ISO 27001 objectives. Annex A controls for data classification, access control, and cryptography directly support GDPR requirements.	~50%
SOC 2	Trust Service Criteria (security, availability, processing integrity, confidentiality, privacy) overlap significantly with Annex A controls. Many organizations pursue both.	~60%

By implementing ISO 27001 first, organizations typically cover 50–70% of the requirements for NIS2, GDPR technical measures, and SOC 2 — making subsequent certifications significantly faster and more cost-effective.

ISO 27001:2022 — Complete Guide for SMEs