ISO 27001 · 14 RECURRING ACTIVITIES

ISO 27001:2022 Compliance Calendar — keep your ISMS certifiable

ISO 27001 certification doesn't end at the Stage 2 audit — Clauses 9 and 10 require an ongoing operating ISMS with documented monitoring, internal audit, management review, and continual improvement. Skip them and you'll find out at the Year-1 surveillance.

Cadence mix: 3× Monthly · 2× Quarterly · 2× Every 6 months · 5× Annually · 2× Event-triggered
Who this is for
  • ISMS managers running an active ISO 27001 certification
  • Compliance leads preparing for surveillance audits (Year 1, Year 2)
  • Teams transitioning from ISO 27001:2013 to :2022
Typical effort
Plan a dedicated ISMS owner at 0.25–0.5 FTE plus distributed control owners.

The calendar

Monthly (3)

Track + report ISMS KPIs
Performance Eval
Pull KPIs defined in the monitoring & measurement plan (incident counts, training completion, access review SLA, vuln SLA). Reviewed by ISMS manager.
Reference
Clause 9.1
Owner
ISMS manager
Effort
2–3 hrs
Evidence
KPI dashboard / report
Vulnerability + patch management
Operations
Critical findings patched within the SLA set in the monitoring plan; anything left open past SLA is recorded in the risk register as an exception with an owner and an expiry date, so the auditor sees a decision rather than a gap.
Reference
Annex A 8.8
Owner
DevOps
Effort
4–8 hrs
Evidence
Patch + scan reports
Supplier register monitoring
Vendor
Watch Tier-1 supplier security posture; reassess any supplier with new scope or breach.
Reference
Annex A 5.19, 5.22
Owner
Procurement + ISMS
Effort
1–2 hrs
Evidence
Supplier register update
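The two monthly items that produce numbers (the Clause 9.1 KPI pull and the Annex A 8.8 patch SLA) are where an auditor asks for the calculation behind the dashboard. The script below is an added example for this calendar, not code from the page or from any scanner vendor: it reads a constructed scan export, measures days open against an assumed per-severity SLA, and separates genuine breaches from findings covered by a valid risk-register exception, while also catching exceptions that have lapsed. The SLA values, CSV column names and exception format are assumptions to adapt to your own monitoring and measurement plan.

```python
"""
Monthly vuln-SLA KPI (Clause 9.1 evidence for Annex A 8.8), computed from a scan export.

Added example for the calendar, not code from the page or from any scanner vendor.
Assumptions: the SLA days per severity below, the CSV column names, and the
risk-register exception format.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Assumed remediation SLA in days from first detection, by severity.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}

# Constructed sample scan export (not real findings). An empty fixed_on means still open.
SCAN_CSV = """\
finding_id,asset,severity,first_seen,fixed_on
F-1,web-01,critical,2024-05-01,2024-05-10
F-2,web-02,critical,2024-05-01,
F-3,db-01,high,2024-04-01,
F-4,db-01,medium,2024-03-01,
F-5,vpn-01,high,2024-05-20,2024-05-28
F-6,legacy-01,critical,2024-04-15,
F-7,legacy-02,high,2024-02-01,
"""

# Constructed risk-register exceptions: finding_id -> (risk_id, exception expiry).
EXCEPTIONS = {
    "F-6": ("RISK-042", date(2024, 12, 31)),  # accepted risk, still valid
    "F-7": ("RISK-017", date(2024, 4, 30)),   # exception has lapsed
}


@dataclass
class Finding:
    finding_id: str
    asset: str
    severity: str
    first_seen: date
    fixed_on: date | None


def parse_scan(text: str) -> list[Finding]:
    """Parse the scanner CSV into Finding records."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        out.append(Finding(
            row["finding_id"], row["asset"], row["severity"].lower(),
            date.fromisoformat(row["first_seen"]),
            date.fromisoformat(row["fixed_on"]) if row["fixed_on"] else None,
        ))
    return out


def days_open(f: Finding, as_of: date) -> int:
    """Days from first detection to the fix, or to the reporting date if still open."""
    return ((f.fixed_on or as_of) - f.first_seen).days


def classify(f: Finding, as_of: date, exceptions=EXCEPTIONS) -> str:
    """One of: in_sla | breach | excepted | expired_exception."""
    sla = SLA_DAYS.get(f.severity)
    if sla is None or days_open(f, as_of) <= sla:
        return "in_sla"
    exc = exceptions.get(f.finding_id)
    if exc is None:
        return "breach"  # past SLA with no documented decision
    _risk_id, expiry = exc
    return "excepted" if expiry >= as_of else "expired_exception"


def kpi_report(findings: list[Finding], as_of: date) -> dict:
    """Per-severity counts plus the finding IDs an auditor will ask about."""
    report: dict = {}
    for f in findings:
        sev = report.setdefault(f.severity, {
            "total": 0, "in_sla": 0, "breach": 0, "excepted": 0,
            "expired_exception": 0, "needs_action": [],
        })
        status = classify(f, as_of)
        sev["total"] += 1
        sev[status] += 1
        if status in ("breach", "expired_exception"):
            sev["needs_action"].append(f.finding_id)
    for sev in report.values():
        # KPI is the share fixed (or still open) inside SLA; excepted findings do not count as in SLA.
        sev["pct_in_sla"] = round(100 * sev["in_sla"] / sev["total"], 1)
    return report


def monthly_kpi(as_of_iso: str, scan_csv: str = SCAN_CSV) -> dict:
    """Entry point for the monthly run: the report as of the given ISO date."""
    return kpi_report(parse_scan(scan_csv), date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for severity, row in monthly_kpi("2024-06-01").items():
        print(f"{severity:8s} {row['pct_in_sla']:5.1f}% in SLA  needs action: {row['needs_action']}")
```

Run as of 2024-06-01, F-6 is reported as excepted (its RISK-042 entry is still valid) while F-7 lands in needs_action because its exception expired in April: an open finding with a lapsed exception is a breach with better paperwork, and that is the case a surveillance auditor is most likely to probe.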

Quarterly (2)

Risk treatment plan progress review
Risk
Walk every open risk: status, treatment progress, residual risk. Adjust SoA if controls change.
Reference
Clause 6.1.3, 8.3
Owner
Risk owner + ISMS
Effort
4–6 hrs
Evidence
Updated risk register + SoA
Privileged access review
Operations
Manager-certified review of admin accounts, privileged service accounts, and shared credentials.
Reference
Annex A 8.2, 5.18
Owner
Manager + IT
Effort
4 hrs
Evidence
Signed access review
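A manager-certified review is only as good as the reconciliation behind it: the signed sheet has to be checked against what the directory actually says. The script below is an added example for this calendar, not code from the page or from any identity provider: it compares a constructed export of current privileged-group members with last quarter's approvals and HR's leaver list, and flags unapproved members, lapsed approvals, leavers still holding privilege, service or shared accounts without a living named owner, and approvals with no matching account. The field names and the owner rule are assumptions to adapt to your own environment.

```python
"""
Quarterly privileged access review (Annex A 8.2 and 5.18): reconcile who holds
privilege today against what managers approved at the last review.

Added example for this calendar, not code from the page or from any IdP or
directory vendor. The three inputs are constructed sample data; the field names
and the rule that service and shared accounts need a named owner are assumptions.
"""
from datetime import date

# Constructed: current members of privileged groups, as exported from the IdP/directory.
CURRENT_PRIVILEGED = [
    {"account": "alice",      "group": "prod-admins", "type": "user"},
    {"account": "bob",        "group": "prod-admins", "type": "user"},
    {"account": "carol",      "group": "db-admins",   "type": "user"},
    {"account": "svc-backup", "group": "db-admins",   "type": "service"},
    {"account": "shared-ops", "group": "prod-admins", "type": "shared"},
]

# Constructed: approvals signed at the last review, keyed by (account, group).
APPROVALS = {
    ("alice", "prod-admins"):      {"approver": "cto",      "expires": "2024-09-30", "owner": None},
    ("bob", "prod-admins"):        {"approver": "cto",      "expires": "2024-03-31", "owner": None},
    ("svc-backup", "db-admins"):   {"approver": "dba-lead", "expires": "2024-12-31", "owner": "carol"},
    ("shared-ops", "prod-admins"): {"approver": "ops-lead", "expires": "2024-12-31", "owner": None},
    ("dave", "db-admins"):         {"approver": "dba-lead", "expires": "2024-12-31", "owner": None},
}

# Constructed: accounts HR reported as leavers since the last review.
LEAVERS = {"carol"}


def review(current, approvals, leavers, as_of_iso):
    """Return sorted (issue, account, group) tuples; an empty list means nothing to fix."""
    as_of = date.fromisoformat(as_of_iso)
    issues = []
    seen = set()
    for m in current:
        key = (m["account"], m["group"])
        seen.add(key)
        if m["account"] in leavers:
            issues.append(("leaver_still_privileged", *key))
        appr = approvals.get(key)
        if appr is None:
            issues.append(("no_approval", *key))  # privilege nobody signed off
            continue
        if date.fromisoformat(appr["expires"]) < as_of:
            issues.append(("approval_expired", *key))
        if m["type"] in ("service", "shared"):
            if not appr["owner"]:
                issues.append(("no_named_owner", *key))
            elif appr["owner"] in leavers:
                issues.append(("owner_left", *key))
    # Approvals with no matching member: the roster is out of date or access was removed silently.
    for key in approvals.keys() - seen:
        issues.append(("stale_approval", *key))
    return sorted(issues)


def run_review(as_of_iso):
    """Run the review against the constructed inputs as of the given ISO date."""
    return review(CURRENT_PRIVILEGED, APPROVALS, LEAVERS, as_of_iso)


def summary(issues):
    """Counts by issue type: the line that goes into the evidence pack."""
    counts = {}
    for issue, _acct, _grp in issues:
        counts[issue] = counts.get(issue, 0) + 1
    return counts


if __name__ == "__main__":
    found = run_review("2024-06-30")
    for issue, acct, grp in found:
        print(f"{issue:24s} {acct:12s} {grp}")
    print("summary:", summary(found))
```

The output of this reconciliation, with each line either remediated or re-approved and the manager's sign-off attached, is the "signed access review" evidence item. The owner_left case is easy to miss: svc-backup has a valid approval, but its named owner has left, so nobody is accountable for that credential until it is reassigned.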

Every 6 months (2)

Internal audit — sample of ISMS clauses + Annex A controls
Internal Audit
Independent internal auditor walks evidence; findings tracked to closure.
Reference
Clause 9.2
Owner
Internal audit
Effort
16–24 hrs
Evidence
Internal audit report + CAPAs
Information security awareness training
Awareness
All staff complete training; phishing simulation + remediation; track 100% completion.
Reference
Annex A 6.3
Owner
ISMS + HR
Effort
4 hrs admin
Evidence
Training records

Annually (5)

Risk assessment refresh
Risk
Re-score asset/threat register; reissue risk treatment plan; re-approve SoA.
Reference
Clause 6.1.2, 6.1.3
Owner
Risk owner
Effort
16–24 hrs
Evidence
Risk register + SoA
Management review (top management)
Performance Eval
Standing agenda per 9.3.2: KPI status, audit results, risk changes, supplier issues, feedback, opportunities. Output: decisions + actions.
Reference
Clause 9.3
Owner
Top management
Effort
2–4 hrs meeting + prep
Evidence
Management review minutes
Nonconformity + corrective action review
Improvement
Walk every NC raised in the year, root cause, corrective action effectiveness, closure.
Reference
Clause 10.2 (nonconformity and corrective action; numbered 10.1 in the 2013 edition)
Owner
ISMS manager
Effort
4 hrs
Evidence
CAPA register
BC / DR exercise + ICT readiness test
Resilience
Annex A 5.30 + ISO 22301 alignment — exercise at least one critical service.
Reference
Annex A 5.29, 5.30
Owner
Eng + BCM
Effort
8–16 hrs
Evidence
Exercise report
Surveillance audit (Year 1 / 2) or Recertification (Year 3)
Audit
Certification body auditor visits. Years 1 and 2 are surveillance audits covering a sample of the ISMS; Year 3 is a full recertification against the whole standard. Nonconformities raised at the previous visit must show evidence of closure or an accepted corrective action plan.
Reference
ISO/IEC 17021-1 (requirements on the certification body)
Owner
ISMS + Top mgmt
Effort
Certification body-led, plus ~24 hrs internal prep and hosting
Evidence
Surveillance / recert report

Event-triggered (2)

Significant change to ISMS scope or context
Change Mgmt
New product line / acquisition / major architecture change → update context (4.1), interested parties (4.2) and scope (4.3), re-run the risk assessment for the change (8.2), and update the SoA.
Reference
Clause 4.1–4.3, 8.2
Owner
ISMS manager
Effort
Variable
Evidence
Updated ISMS docs
Information security incident handling
Incident
Run incident per Annex A 5.24–5.28: detect, assess, respond, learn, evidence collection.
Reference
Annex A 5.24–5.28
Owner
Incident lead
Effort
Variable
Evidence
Incident record + lessons

Want this calendar mapped to YOUR controls?

Drop your existing ISO 27001 policy or upload a draft — ComplianceIQ scores it against the framework and produces a 0–100 audit, gap-by-gap with the cadence work you're missing.


What happens when the cadence slips: real enforcement actions after breaches

These were regulatory and securities actions, not ISO 27001 penalties (the standard has no enforcement arm of its own), but each followed a breach that went undetected or undisclosed for years.

£18.4M
Marriott International · 2020 · ICO fine under the GDPR for the Starwood guest-database breach
$35M SEC + $117.5M class
Altaba (formerly Yahoo) · 2018 SEC penalty for the delayed disclosure of the 2014 breach; the $117.5M class settlement followed in 2019

FAQ

How often does ISO 27001:2022 require management review?
At planned intervals (Clause 9.3.1), which in practice means at least annually. Clause 9.3.2 lists the inputs the review must consider; minutes that skip any of them are a frequent finding.
Can the same person run internal audit and own ISMS controls?
No. Clause 9.2.2 c) requires auditors to be selected so that the audit is objective and impartial, so whoever audits a control must not own or operate it. Use a team member from another function, a peer from a different business unit, or an outsourced internal auditor.
Do we have to follow this calendar exactly to stay certified?
The cadences here reflect common practice, not fixed requirements: the standard says "at planned intervals". Schedule items more often if your risk picture demands it, but an activity required by Clauses 9.1 through 10.2 that has not happened at all is a nonconformity.
What changed for ongoing cadence with ISO 27001:2022?
Annex A reorganised to 93 controls in 4 themes. Notably 5.7 (threat intelligence), 5.30 (ICT readiness), 8.9 (configuration mgmt), 8.16 (monitoring activities), and 8.23 (web filtering) require explicit ongoing operation — they're often missed by teams transitioning from :2013.
