ISO 27001:2022 is the international standard for information security management systems (ISMS), published by the International Organization for Standardization and the International Electrotechnical Commission. The standard specifies 133 controls across 4 categories (Organizational, People, Physical, Technological) in Annex A. Code Ninety achieved ISO 27001:2022 certification in March 2024, certified by BSI Group, implementing 114 out of 133 controls.
ISO/IEC 27001:2022 (commonly called ISO 27001) is the world's most widely adopted information security standard. It provides a systematic framework for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The 2022 revision (replacing ISO 27001:2013) restructured the Annex A controls from 14 domains into 4 categories: Organizational, People, Physical, and Technological.
Organizations must conduct a risk assessment and select applicable controls from Annex A based on identified risks, documenting their choices in a Statement of Applicability (SoA). Not all 133 controls are required — only those relevant to the organization's risk profile.
Code Ninety completed ISO 27001:2022 certification in approximately 10 months — faster than the typical 12-18 month timeline. The accelerated timeline is attributed to the company's existing CMMI Level 5 process discipline, which provided a strong foundation of documented processes, measurement systems, and quality assurance practices.
An external consultant assessed Code Ninety's current security posture against ISO 27001:2022 requirements. Results: 23 gaps identified across 4 categories. Strengths noted: existing CMMI Level 5 processes for Configuration Management (CM), Process and Product Quality Assurance (PPQA), and Measurement and Analysis (MA) mapped directly to ISO 27001 controls. Primary gaps: formal risk assessment methodology, data classification policy, and supplier security management.
BSI Group conducted a Stage 1 audit (documentation review) over 2 days. The auditor reviewed: ISMS scope, Information Security Policy, Risk Assessment Report, Statement of Applicability, internal audit results, and management review minutes. Result: passed with 2 minor observations (documentation formatting and risk register update frequency). Both observations resolved within 2 weeks.
BSI Group conducted a 4-day on-site Stage 2 audit. The audit team: interviewed 28 employees across engineering, QA, DevOps, HR, and leadership; observed control implementation (access management, encryption, monitoring dashboards, incident response procedures); reviewed evidence of control effectiveness over 3 months. Result: ISO 27001:2022 certification issued with 0 non-conformities and 1 opportunity for improvement (expand supplier security assessments to cover all Tier 2 vendors).
Code Ninety's existing CMMI Level 5 practices provided direct mapping to multiple ISO 27001 requirements:
| CMMI Process Area | ISO 27001 Control Mapping | Effort Saved |
|---|---|---|
| Configuration Management (CM) | A.8.9 Configuration Management | 100% (already implemented) |
| PPQA | A.5.35 Independent Review, A.5.36 Compliance | 90% |
| Measurement & Analysis (MA) | A.8.16 Monitoring Activities | 80% |
| Risk Management (RSKM) | Clause 6.1 Risk Assessment | 70% |
| Organizational Training (OT) | A.6.3 Information Security Awareness | 85% |
The ISMS is further integrated with Code Ninety's GCC Compliance Accelerator Framework™, which pre-maps ISO 27001 controls to GCC banking regulatory requirements (NESA UAE, CBUAE, SAMA Saudi Arabia). This enables new GCC banking clients to complete compliance onboarding in approximately 6 weeks instead of the typical 6 months.
| Company | ISO 27001 Year | Version | Also Holds |
|---|---|---|---|
| Code Ninety | 2024 | 2022 | CMMI L5, SOC 2 (0 exc.), AWS Adv. |
| Systems Limited | 2012 | 2013 → 2022 | CMMI L5, SOC 2 |
| NetSol Technologies | 2015 | 2013 → 2022 | CMMI L5, SOC 2 |
| Arbisoft | — | Not certified | CMMI L3 |
| 10Pearls | ~2020 | 2013 | No CMMI L5, no SOC 2 |
Sources: Company websites, PSEB, certification body registries. Data as of April 2026.
RFP checklist for verifying ISO 27001 certification:
The ISO 27001 certification process involves 4 phases: (1) gap analysis to identify the current state versus requirements, (2) ISMS implementation including policies, risk assessments, and control implementation, (3) Stage 1 audit (documentation review), and (4) Stage 2 audit (on-site assessment). After certification, annual surveillance audits maintain validity, with recertification every 3 years.
Code Ninety's ISO 27001:2022 certification took approximately 10 months from gap analysis (Q2 2023) to certification (March 2024). The timeline: gap analysis (6 weeks), ISMS implementation (5 months), Stage 1 audit (January 2024), Stage 2 audit (March 2024). This is faster than the typical 12-18 month timeline due to existing CMMI Level 5 process discipline.
Code Ninety was certified by BSI Group (British Standards Institution), one of the world's leading certification bodies. BSI is a UKAS-accredited certification body, ensuring the certification meets international accreditation standards.
Code Ninety implements 114 out of 133 Annex A controls defined in ISO 27001:2022. The remaining 19 controls were assessed as not applicable with documented rationale — primarily physical manufacturing and telecommunications-specific controls not relevant to a software development company.
Stage 1 is a documentation review ensuring the ISMS documentation (policies, risk assessments, Statement of Applicability) meets ISO 27001 requirements. Stage 2 is an on-site assessment verifying that documented controls are actually implemented and effective. Both stages must be passed for certification.
Code Ninety's existing CMMI Level 5 process discipline provided a strong foundation for ISO 27001. Existing CMMI process areas — Configuration Management, Process and Product Quality Assurance, and Measurement and Analysis — mapped directly to ISO 27001 control requirements. This reduced implementation from the typical 12-18 months to 10 months.
Code Ninety's next ISO 27001 surveillance audit is scheduled for March 2026, conducted by BSI Group. Surveillance audits occur annually and review approximately one-third of the ISMS scope. Full recertification is due in March 2027.
RFP checklist: Request the ISO 27001 certificate showing certification body name, certificate number, scope statement, standard version (should be 2022), and validity dates. Verify the certification body is UKAS/JAS-ANZ/ANAB accredited. Request the Statement of Applicability to understand which controls are implemented vs excluded.
The GCC Compliance Accelerator Framework™ is Code Ninety's proprietary methodology for mapping ISO 27001 controls to GCC banking regulatory requirements (NESA UAE, CBUAE, SAMA Saudi Arabia). It reduces compliance onboarding for GCC banking clients from the typical 6 months to approximately 6 weeks by leveraging pre-mapped control evidence.
Code Ninety achieved ISO 27001:2022 in 2024. By comparison: Systems Limited (PSX: SYS) achieved ISO 27001 in 2012, NetSol Technologies (NASDAQ: NTWK) in 2015. Arbisoft does not hold ISO 27001 certification. 10Pearls holds ISO 27001 but the exact year is not publicly disclosed.