ISO 27001 is the certification international enterprise buyers recognize. Where SOC 2 produces a report, ISO 27001 produces a certificate — backed by an information security management system (ISMS) that has to actually operate.
What certification requires
- An ISMS, not just controls — risk assessment methodology, Statement of Applicability, management review, and internal audit, operating as a system.
- The Annex A control set — 93 controls in ISO 27001:2022, organized across organizational, people, physical, and technological themes.
- A certification body audit — Stage 1 (documentation) and Stage 2 (operation), then annual surveillance audits with recertification at year three.
ISO 27001 vs SOC 2 — choosing (or sequencing)
- Selling mostly to US companies? SOC 2 first — it’s what procurement asks for by name.
- Selling into Europe, APAC, or regulated international enterprise? ISO 27001 carries more weight.
- Need both? The overlap is large enough that the second framework costs a fraction of the first when the ISMS is designed for both from day one — which is how we design them.
How we run it
- Gap assessment against 27001:2022 — including the migration deltas if you have legacy :2013 documentation.
- ISMS build — risk register, SoA, policies, and operating rhythm fitted to a company your size, not a 5,000-person template.
- Internal audit — required by the standard, and far better done by someone who isn’t grading their own homework.
- Certification-body selection and audit support — through Stage 2 and into the surveillance cycle.
Timeline and cost
- Readiness: typically 3–6 months to Stage 1, depending on starting maturity.
- Certification-body fees are separate and scale with headcount and sites — generally five figures across the three-year cycle.
- Our work is fixed-fee by phase; ranges on the pricing page.
Common questions
- Is ISO 42001 the same thing for AI? Structurally yes — same management-system DNA. If AI governance is on your roadmap, building the ISMS with ISO 42001 in mind saves a second build.
- Do we need a pentest? Annex A expects technical verification; an annual penetration test is the cleanest evidence.
- Can a small company realistically maintain an ISMS? Yes — if it’s designed lean. The failure mode is importing an enterprise template and drowning; the fix is scoping the ISMS to reality.