Pristine InfoSolutions is Saudi Arabia's most experienced ISO 27001:2022 and ISO 27701 certification partner — delivering certified ISMS and PIMS programmes with a 99% first-attempt certification rate, fully aligned to NCA ECC, SAMA CSF, and Saudi PDPL. Bilingual Arabic and English throughout.
ISO 27001:2022 and ISO 27701 are designed to work together — the ISMS is the security foundation on which the PIMS is built. Implementing both concurrently with Pristine is 30-40% cheaper than sequential delivery.
ISO 27001 is structured around 10 clauses plus Annex A. Clauses 4–10 are mandatory. Annex A provides 93 controls from which organisations select applicable controls documented in the Statement of Applicability.
Clause 4 · Mandatory: Define internal and external context, interested parties, and ISMS scope. The boundary decisions made here shape every subsequent ISMS decision.
Clause 5 · Mandatory: Board commitment, information security policy, and defined roles and responsibilities. SAMA and NCA require board-level ownership evidenced through this clause.
Clause 6 · Mandatory · Critical: ISO 27005 risk assessment, risk treatment plan, and Statement of Applicability for all 93 Annex A controls. The SoA is the primary document reviewed at every certification audit.
Clause 7 · Mandatory: Resources, competence, awareness training, and documented information management — policies, procedures, records, and all ISMS evidence controlled and maintained.
Clause 8 · Mandatory · Largest: Operational planning and control — risk assessments at planned intervals, risk treatment implemented, all in-scope controls active and evidenced. The largest clause.
Clause 9 · Mandatory: Internal audit programme, management review, and ISMS effectiveness monitoring. Independent assessment of all clauses and Annex A controls.
Clause 10 · Mandatory: Nonconformity and corrective action process. Continual improvement driven by audit findings, management review, and evolving threats.
Annex A · 93 Controls · 4 Themes: 93 controls across 4 themes: Organisational (37), People (8), Physical (14), Technological (34). All assessed in the SoA — included or excluded with justification.
Statement of Applicability · Certification Core: Lists all 93 controls with applicability decision, implementation status, and exclusion justifications. Primary document reviewed at every certification and surveillance audit.
ISO 27001:2022 restructured 114 legacy controls into 93 across 4 modern themes — with 11 brand-new controls addressing today's threat landscape.
Organisational (37): Policies, roles, threat intelligence, asset management, access control, supplier relationships, incident management, BCP, legal compliance. Largest theme.
People (8): Screening, employment terms, awareness training, disciplinary process, post-employment responsibilities, remote working, confidentiality.
Physical (14): Security perimeters, entry controls, physical monitoring (NEW), protecting against threats, clear desk, equipment security, cabling, media disposal.
Technological (34): Endpoint, IAM, cryptography, secure config, DLP (NEW), network, logging, monitoring (NEW), web filtering (NEW), secure coding (NEW), vuln management, cloud (NEW).
ISO 27701 extends ISO 27001 Clauses 4–10 with privacy-specific additions. For organisations implementing both concurrently, a single integrated management system satisfies both — reducing documentation by 60-70%.
PII Controllers implement Annex A controls covering lawful basis documentation, data subject rights, privacy by design, consent management, and third-party processor management — directly mapped to Saudi PDPL obligations.
PII Processors implement Annex B controls for processing data on behalf of controllers — covering processing obligations, DSR support, sub-processor management, and breach notification. Essential for Saudi SaaS, cloud, and outsourcing providers.
Saudi Arabia's Personal Data Protection Law (PDPL) creates specific obligations for organisations processing Saudi personal data. ISO 27701 is the most structured path to PDPL compliance evidence — approximately 95% of PDPL obligations are directly addressed through Annex A and B controls.
Pristine's structured certification programme delivers a 99% first-attempt success rate. Every phase produces auditor-ready documentation and genuine control implementation.
Weeks 1–2 · Gap assessment: All 93 Annex A controls scored. Gap report with risk-prioritised list. ISMS scope boundaries proposed.
Weeks 2–8 · Documentation: Policy library (38+ docs). Statement of Applicability for all 93 controls. ISO 27701 RoPA if in scope.
Weeks 4–8 · Risk assessment: ISO 27005 methodology. Risk register. Treatment plan. Board risk acceptance signed.
Weeks 6–20 · Control implementation: All in-scope Annex A controls implemented — technical and administrative. Evidence collected.
Weeks 20–24 · Audit and certification: Independent audit. All nonconformities closed. Stage 1 doc audit. Stage 2 on-site certification.
Three structured programmes from initial ISO certification to full ISMS+PIMS enterprise transformation aligned to NCA ECC, SAMA, and PDPL.
First ISO 27001:2022 certification for Saudi organisations — full ISMS from gap assessment through to certificate, with NCA ECC control mapping included.
Integrated ISO 27001:2022 and ISO 27701 — concurrent delivery, Saudi PDPL aligned, NCA ECC and SAMA mapped. Single audit. Maximum value.
Full enterprise ISO transformation — simultaneous NCA ECC and SAMA, continuous improvement, dedicated programme management, and 3-year maintenance.
Every Pristine-prepared organisation that has proceeded to ISO 27001 certification audit has achieved certification at first attempt — zero major nonconformities. Verified track record, not a marketing claim.
Pristine maps ISO 27001 Annex A controls to NCA ECC sub-controls and SAMA subdomains as standard. Three compliance frameworks from one programme, one evidence set.
ISO 27001 + ISO 27701 concurrently saves 30-40% versus sequential delivery. Shared policies, shared risk methodology, shared internal audit, shared certification audit — one programme, two certificates.
All 38+ ISMS/PIMS policies, SoA, risk register, and board presentations delivered in Arabic by native-speaking consultants — not translated from English. ISO auditors consistently recognise the quality difference.
Pristine produces an explicit PDPL mapping document — article-by-article mapping showing which Annex controls satisfy which PDPL obligations. SDAIA compliance evidence included as standard.
ISO is a 3-year cycle with annual surveillance audits. Pristine post-certification management keeps your ISMS and PIMS audit-ready year-round — continuous evidence collection and annual pre-surveillance reviews.
We achieved ISO 27001:2022 certification in 24 weeks with zero nonconformities — having previously failed Stage 2 with another firm due to poor documentation quality. Pristine's Arabic policies were exactly what the auditor expected. The NCA ECC mapping they included saved us months of additional compliance work.
We needed ISO 27001 and ISO 27701 simultaneously — European clients required ISO 27001 and our Saudi government contracts required PDPL compliance evidence. Pristine's concurrent programme achieved both in 22 weeks with zero major nonconformities. The cost saving versus sequential delivery was 35%.
Pristine mapped our ISO 27001 Annex A controls to NCA ECC sub-controls as a standard deliverable. When our NCA audit arrived 6 months later, 90% of the evidence was already collected. Zero additional compliance effort. The integrated approach was transformative for our security programme efficiency.
Request a free ISO 27001:2022 and ISO 27701 gap assessment — our certified implementation specialists will assess your current ISMS posture and deliver a clear certification roadmap at no cost.
A senior Pristine specialist will contact you within 4 business hours.
🔒 Data processed within Saudi Arabia · PDPL compliant · Response within 4 business hours