You’ve landed a conversation with a multinational enterprise or a regulated financial services client. In the discovery call, they mention that they require “ISO 27001 certification” for any vendor they work with. Your team goes quiet. You don’t have it.
ISO 27001 is the golden seal for information security worldwide. Enterprise procurement teams, regulated industries, and governments increasingly demand it. Unlike SOC 2, an AICPA attestation used mostly by North American SaaS companies, ISO 27001 is recognized globally, from Tokyo to Frankfurt to Toronto. If you’re expanding internationally or selling to large organizations outside the US, you’ll eventually need it.
The challenge: ISO 27001 is more rigorous than SOC 2. It requires a formal Information Security Management System, deeper documentation, and stricter controls. It takes longer, costs more, and demands more organizational discipline. But for companies that pull it off, it becomes a competitive advantage and a genuine security foundation.
This guide walks you through exactly what ISO 27001 is, why it matters, how to build an ISMS, and the step-by-step certification process. By the end, you’ll understand whether ISO 27001 is right for your company, when to pursue it, and how long it’ll take.
What Is ISO 27001?
ISO 27001 is the international standard for information security management systems. It’s issued by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Think of it as a global framework for how to think about, manage, and continuously improve your security posture.
Unlike SOC 2, an attestation in which an auditor reports on specific controls at a point in time (Type I) or over an observation period (Type II), ISO 27001 is a management system standard. It requires you to build a formal ISMS: a documented, organization-wide program for identifying risks, implementing controls, monitoring their effectiveness, and continuously improving. The certificate proves you have that system in place and that it works.
Here’s what makes ISO 27001 different from other standards:
It’s globally recognized. ISO 27001 is used and respected everywhere. If you’re selling to German banks, Japanese manufacturers, or Australian insurance companies, ISO 27001 is what they ask for.
It’s prescriptive but flexible. The standard defines what you need to do (manage security risks, implement controls, perform audits, conduct management reviews) but doesn’t dictate exactly how. You have flexibility in your approach as long as your system meets the standard’s requirements.
It requires ongoing governance. You don’t just build ISO 27001 compliance once. You need to maintain an active management system, conduct regular reviews, update your risk assessments, and continuously improve. This is both a strength (it ensures security is actually embedded in your operations) and a burden (it requires ongoing investment).
It maps to regulatory frameworks. Regulations such as GDPR, PCI DSS and HIPAA don’t mandate ISO 27001, but their security requirements can be mapped onto Annex A controls, and regulators and auditors recognize the standard. Building an ISMS to ISO 27001 gives you a foundation that makes those other compliance requirements easier to meet.
Who Needs ISO 27001?
Not every company needs ISO 27001. It’s a significant undertaking, and if your customers don’t require it and your industry doesn’t mandate it, the ROI might not exist.
You probably need ISO 27001 if:
You’re selling to large enterprises, especially in Europe or global markets. Multinational corporations have procurement teams that maintain lists of approved vendors. ISO 27001 certification gets you on those lists.
You’re operating in regulated industries: financial services, healthcare, insurance, government contracting, defense. Regulators and customers in these sectors often expect ISO 27001 certification, or accept it as evidence of proper information security management, even where no rule names it outright.
You’re expanding into Europe and have EU customers. GDPR compliance doesn’t require ISO 27001, but organizations in the EU often treat it as evidence of good faith security practices. In practice, many European enterprises treat it as table stakes.
You’re handling sensitive data at scale. If you’re processing personal data for millions of people, or handling trade secrets for multiple clients, ISO 27001 certification demonstrates to customers and regulators that you’re serious about information security.
You might not need ISO 27001 if:
Your customer base is primarily North American SMBs and mid-market companies. These organizations usually accept SOC 2 as sufficient.
You’re early-stage and customers aren’t demanding formal security certifications yet. SOC 2 is faster and cheaper to achieve first.
You’re in a low-regulation industry (e.g., B2B SaaS for non-sensitive operations) and your customers haven’t made ISO 27001 a requirement.
The honest truth: most SaaS companies do SOC 2 first, then add ISO 27001 later once they have mature security operations and actual market demand for it. Building both simultaneously is inefficient. Pursue ISO 27001 when it’s driven by market necessity, not abstract future-proofing.
ISO 27001 vs. SOC 2: Which Should You Pursue?
This is the question we get constantly.
The practical distinction:
SOC 2 is governed by the AICPA, audit-focused, and favored in the North American SaaS ecosystem. A CPA firm examines whether specific controls are in place (Type I) and operate effectively over a given period (Type II) and issues an attestation report, not a certificate. It’s lighter weight: 8–15 months from start to a Type II report. Enterprise customers in North America accept it readily.
ISO 27001 is international, management-system-focused, and expected by enterprises globally and in regulated industries. Certification involves building a formal ISMS, then having an accredited certification body audit it and certify that it meets the standard. It takes 12–18 months from start to certification. It’s more rigorous and requires deeper documentation.
Choose SOC 2 first if: You’re primarily selling in North America, your customers are mostly SaaS-focused or mid-market, and you need to move fast.
Choose ISO 27001 if: You’re selling to enterprises, operating in regulated industries, or expanding globally. You have longer sales cycles and can afford the extra time and cost.
Choose both eventually if: You’re a mature company with global customers across both SaaS and regulated industries. Most large software companies end up here, but they pursue SOC 2 first (8–15 months), then ISO 27001 (another 12–18 months), reusing much of the SOC 2 control design and evidence.
Building ISO 27001 first is usually a mistake. It’s overengineered for many SaaS companies’ actual customer base, and you’ll spend months on controls that aren’t driving deals. Build SOC 2, prove you can maintain compliance, then layer on ISO 27001 when market demand justifies it.
The ISO 27001 Framework: Understanding the Structure
ISO 27001 is organized around several key components. Understanding the structure helps you understand what you’re building.
Clauses 4–10: The management system requirements. These clauses define what your ISMS must include:
Clause 4: Context of the organization. You define your organization, its purpose, interested parties (customers, regulators, employees), and what scope your ISMS covers.
Clause 5: Leadership. Top management must demonstrate commitment to information security, define information security policies, and ensure the ISMS is resourced.
Clause 6: Planning. You identify information security risks and opportunities, define your risk assessment and risk treatment methodology, produce a Statement of Applicability listing which Annex A controls you include or exclude and why, and set measurable information security objectives.
Clause 7: Support. You ensure adequate resources, define roles and responsibilities, provide training, ensure awareness, and manage communication.
Clause 8: Operation. You carry out what you planned in clause 6: run the controls, repeat the risk assessment at planned intervals and whenever significant changes occur, execute the risk treatment plan, and keep outsourced processes and changes under control.
Clause 9: Performance evaluation. You monitor and measure your ISMS, conduct internal audits, perform management reviews, and identify improvement opportunities.
Clause 10: Improvement. You address nonconformities, take corrective actions, and continuously improve your system.
Annex A: Controls. This is the real substance. In the 2013 edition, Annex A contained 114 controls across 14 domains: information security policies, organization of information security, human resource security, asset management, access control, cryptography, physical and environmental security, operations security, communications security, system acquisition/development/maintenance, supplier relationships, information security incident management, business continuity management, and compliance. The current 2022 edition consolidates these into 93 controls under four themes (organizational, people, physical, technological) and adds 11 controls that weren’t in the 2013 list: threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. New certificates are issued against the 2022 edition; the transition deadline for certificates issued against 2013 was 31 October 2025.
When people say “we’re implementing ISO 27001 controls,” they usually mean selecting and implementing relevant controls from Annex A. Not every organization implements all of them. You select controls based on your risk assessment and what’s relevant to your business, and you record the decision for every Annex A control, included or excluded, in the Statement of Applicability (SoA), which clause 6.1.3 makes a mandatory document.
The flexibility here is important: you’re not required to implement every control. You conduct a risk assessment, determine what controls are necessary to treat the identified risks (from Annex A or any other source; Annex A is a reference list to check you haven’t overlooked something, not a ceiling), and document your decisions. If you decide a particular control doesn’t apply to your organization and risk profile, you document that decision and your reasoning in the SoA. The auditor evaluates whether your risk-based decisions are defensible; an exclusion with no justification, or a control marked applicable that maps to no risk and no legal or contractual requirement, is an easy finding.
How to Build an ISMS (Information Security Management System)
Before you involve an auditor, you need to build the skeleton of your ISMS. This is the pre-certification work.
Start with senior leadership commitment. Your CEO and executive team need to genuinely support the ISMS. This isn’t lip service. They need to allocate budget, assign a person or team to lead it, and ensure it gets attention in senior meetings. ISO 27001 requires “leadership and commitment,” and auditors check whether this is real.
Next, define your scope. What does your ISMS cover? Your entire company? Just your product? Specific locations? Be explicit. Scope determines which controls are relevant and what your auditor evaluates.
Then, conduct a risk assessment. Identify your assets (data, systems, people, processes). Identify threats to those assets. Identify vulnerabilities. Estimate the likelihood and impact of risks. Determine which risks you’ll mitigate (through controls), which you’ll accept, and which you’ll avoid or transfer (e.g., through insurance or outsourcing). Document all of this.
Based on your risk assessment, select controls from Annex A. Don’t select controls arbitrarily. Select them because your risk assessment identified a risk that requires mitigation. Document why you selected each control. Document controls you decided not to implement and why (risk is acceptable, already addressed elsewhere, not applicable to your organization).
Implement your selected controls. This is the operational work. If you selected “multi-factor authentication for system access,” you actually configure MFA and can show the enforcement setting. If you selected “information security training,” you actually develop and deliver training and keep attendance records. The clause 4–10 requirements need running too: if your ISMS says management review is quarterly, you actually hold quarterly reviews where the team looks at security metrics and performance, and you keep the minutes.
Document everything. Create an Information Security Policy that outlines your company’s commitment and top-level security objectives. Create procedure documents for how you conduct each control (e.g., “Access Management Procedure,” “Change Management Procedure,” “Incident Response Procedure”). Create a risk assessment methodology and a risk assessment report. Create a scope document. Create the Statement of Applicability: the controls matrix that lists every Annex A control, whether you selected it, why (or why not), how it’s implemented, and what evidence demonstrates it works.
Collect evidence continuously. As you operate your ISMS, evidence naturally accumulates. Access review logs. Training attendance records. Incident reports. Change approval records. Vulnerability scan results. Management review minutes. Don’t wait until pre-audit to start collecting this. The evidence shows that your ISMS actually works, not just on paper.
Establish a management review process. At planned intervals (clause 9.3), and in practice at least once a year, senior management reviews the ISMS. They examine risk assessment results, whether controls are operating effectively, incident data, internal audit findings, progress on security objectives, and any feedback from interested parties. They identify improvement opportunities and approve changes to the ISMS. Document these reviews; the minutes are required evidence.
Establish an internal audit process. At planned intervals (clause 9.2), again at least annually in practice, audit your own ISMS against the standard and against your own procedures. Review whether your controls are operating as designed. Check whether you’re following your own procedures. Identify gaps. Document findings and corrective actions. Internal auditors must be objective and impartial, so don’t have people audit the controls they own.
All of this—the policies, procedures, risk assessment, controls matrix, management reviews, and internal audits—becomes your ISMS documentation. An auditor will review it to confirm your system is well-designed and operating effectively.
The ISO 27001 Certification Process Step by Step
The certification process is structured but takes time. Here’s what actually happens.
Step 1: Management Commitment and Scoping (Weeks 1–4)
Your leadership formally commits to ISO 27001 certification. You define the scope of your ISMS. You assign a person (Head of Security, Compliance Officer, or Operations Manager) as the ISO 27001 lead. They’ll be the central figure throughout the process.
You create a project plan. Identify the teams that need to be involved (engineering, operations, HR, sales, finance). Create a rough timeline. Allocate budget. Make the commitment real.
Step 2: Gap Assessment (Weeks 2–8)
Hire an ISO 27001 consultant to conduct a gap assessment. They’ll review your current security practices, policies, and systems. They’ll compare what you have to what ISO 27001 requires. They’ll produce a report identifying gaps.
The gap assessment might reveal that you have no formal risk assessment process, your access controls are informal, you’re not collecting evidence of security training, you have no formal incident response procedure, and your suppliers aren’t being assessed for security. This is normal. Most companies have gaps when they start. The assessment just makes them explicit.
Expect the gap assessment to take 3–6 weeks and cost $5,000–$15,000.
Step 3: Risk Assessment and Treatment (Weeks 6–16)
Now you conduct a formal risk assessment (if you don’t have one already). This is significant work. You:
– Identify your assets (systems, data, people, processes, facilities).
– Identify threats (cyberattacks, insider threats, natural disasters, human error).
– Identify vulnerabilities (weak access controls, unpatched systems, untrained staff).
– Assess the likelihood and impact of security incidents.
– Determine your risk tolerance.
– Decide how to treat each identified risk: mitigate (implement controls), accept (acknowledge the risk and decide not to act), avoid (eliminate the activity), or transfer (buy insurance or outsource).
Document all of this in your risk assessment report. This becomes part of your ISMS documentation that auditors will review.
For a company of 20–50 people, a proper risk assessment takes 6–10 weeks. For larger organizations, it takes longer.
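The risk assessment steps above, and the same procedure in the ISMS section earlier, come down to a few data structures and a handful of consistency checks that an auditor will apply to your register and Statement of Applicability. Here is an added example, not from the original article, of a risk register scored against a stated tolerance, with the treatment decisions rolled into an SoA and then checked for traceability in both directions. The risks, the 1–5 scales, the tolerance threshold, the default treatment rule and the mapping of risks to controls are all constructed assumptions; the control numbers follow the 2022 Annex A numbering with titles paraphrased, and only a small subset of Annex A is included.

```python
"""Risk register -> treatment -> Statement of Applicability (SoA) traceability checks.

Added example. Risks, scales, tolerance, treatment rule and the risk-to-control
mapping are constructed; control IDs use ISO/IEC 27001:2022 Annex A numbering."""
from dataclasses import dataclass, field

RISK_TOLERANCE = 8  # likelihood x impact above this must be treated (assumed appetite)

ANNEX_A = {  # hypothetical subset of Annex A used by this example (titles paraphrased)
    "A.5.15": "Access control",
    "A.5.19": "Information security in supplier relationships",
    "A.7.1": "Physical security perimeters",
    "A.8.5": "Secure authentication",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.15": "Logging",
}


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int          # 1 rare .. 5 almost certain
    impact: int              # 1 negligible .. 5 severe
    treatment: str = ""      # mitigate | accept | avoid | transfer; "" = apply default rule
    controls: list[str] = field(default_factory=list)  # Annex A controls that treat it
    justification: str = ""  # required when accepting a risk above tolerance

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def decide_treatment(risk: Risk) -> str:
    """Owner's explicit decision wins; otherwise mitigate above tolerance, accept below."""
    if risk.treatment:
        return risk.treatment
    return "mitigate" if risk.score > RISK_TOLERANCE else "accept"


def build_soa(risks, decisions):
    """decisions: control ID -> (status, reason) for controls included for a non-risk
    reason (legal, contractual) or explicitly excluded. Every Annex A control gets a row."""
    soa = {}
    for cid, title in ANNEX_A.items():
        traced = [r.risk_id for r in risks if decide_treatment(r) == "mitigate" and cid in r.controls]
        status, reason = decisions.get(cid, ("", ""))
        soa[cid] = {"title": title, "applicable": bool(traced) or status == "applicable",
                    "declared": status, "risks": traced, "reason": reason}
    return soa


def check_traceability(risks, soa):
    """Findings an auditor would raise: every mitigated risk has a control, every
    included control is justified by a risk or another reason, every exclusion is justified."""
    findings = []
    for r in risks:
        treatment = decide_treatment(r)
        if treatment == "mitigate" and not r.controls:
            findings.append(f"{r.risk_id}: treatment is mitigate but no control is assigned")
        if treatment == "accept" and r.score > RISK_TOLERANCE and not r.justification:
            findings.append(f"{r.risk_id}: accepted above tolerance (score {r.score}) without documented sign-off")
        for cid in r.controls:
            if cid not in soa:
                findings.append(f"{r.risk_id}: references unknown control {cid}")
            elif soa[cid]["declared"] == "excluded":
                findings.append(f"{r.risk_id}: relies on {cid}, which the SoA declares excluded")
    for cid, row in soa.items():
        if row["applicable"] and not row["risks"] and not row["reason"]:
            findings.append(f"{cid}: included in SoA but traced to no risk and no other reason")
        if not row["applicable"] and not row["reason"]:
            findings.append(f"{cid}: excluded from SoA without a documented justification")
    return sorted(findings)


# Constructed register: a mix of correct entries and the mistakes the checks catch.
SAMPLE_RISKS = [
    Risk("R1", "customer database", "credential stuffing", "admin console lacks MFA", 4, 5,
         controls=["A.8.5", "A.5.15"]),
    Risk("R2", "production servers", "exploitation of known CVE", "ad hoc patching", 3, 4,
         controls=["A.8.8"]),
    Risk("R3", "office printer", "theft", "unattended device", 2, 2),
    Risk("R4", "payroll SaaS", "vendor outage", "single provider", 3, 3,
         treatment="transfer", justification="contractual SLA plus cyber insurance"),
    Risk("R5", "marketing site", "defacement", "shared CMS password", 3, 3, treatment="accept"),
    Risk("R6", "CI runners", "supply-chain compromise", "unpinned build dependencies", 4, 3),
]
SAMPLE_DECISIONS = {
    "A.5.19": ("applicable", ""),  # included, but nobody wrote down why
    "A.8.15": ("applicable", "log retention required by customer contracts"),
    "A.7.1": ("excluded", "fully remote company; no offices or server rooms in scope"),
}
SAMPLE_SOA = build_soa(SAMPLE_RISKS, SAMPLE_DECISIONS)

if __name__ == "__main__":
    for line in check_traceability(SAMPLE_RISKS, SAMPLE_SOA):
        print(line)
```

Run as-is it reports three findings: R5 accepted above tolerance with no sign-off, R6 marked for mitigation with no control assigned, and A.5.19 included in the SoA with neither a risk nor a reason behind it. Those are exactly the gaps between register and SoA that a Stage 1 desk review picks up, so running this kind of check before you send the documents is cheap insurance.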
Step 4: Implement Controls (Weeks 12–26)
Based on your risk assessment, you implement or improve controls. This is the heavy lifting. You’re building policies, configuring systems, training staff, setting up monitoring and logging, establishing procedures.
Some examples of what this looks like in practice:
– Defining an access management policy and process: how people request access, who approves, how you review access quarterly, how you offboard people.
– Implementing multi-factor authentication across all systems.
– Setting up centralized logging for all systems.
– Defining a change management process: changes are documented, reviewed, approved, tested, and deployed in a controlled manner.
– Creating an incident response procedure and conducting incident response drills.
– Developing and delivering security training to all staff.
– Defining a supplier management process: you assess vendors for security, you have security clauses in contracts, you monitor vendor security posture.
This phase typically takes 8–12 weeks for a company starting with a reasonable security foundation, or 12–20 weeks if you’re starting from scratch.
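Of the controls listed above, access management is the one auditors test most literally in Stage 2: they ask for the HR roster, an account export from each in-scope system, and the last review record, then look for leavers who still have accounts and admins nobody approved. Here is an added example, not from the article or from any vendor tool, of a quarterly access review script that joins an HR roster to account exports and flags the cases a reviewer must act on. The roster, the account data, the review date, the 90-day dormancy threshold and the rule that admin roles need a recorded approval ticket are constructed assumptions; real exports would come from your IdP, cloud consoles and SaaS admin APIs.

```python
"""Quarterly access review: join an HR roster to account exports and flag what needs action.

Added example; roster, account export, review date, dormancy rule and the approval-ticket
requirement for admin roles are constructed assumptions."""
import csv
import io
import json
from datetime import date

REVIEW_DATE = date(2024, 7, 1)   # constructed review date
DORMANT_DAYS = 90                # assumed policy: no login for more than 90 days needs review

# Constructed HR export: who is employed, and when leavers left.
HR_ROSTER_CSV = """email,status,termination_date
alice@example.com,active,
bob@example.com,terminated,2024-05-15
carol@example.com,active,
"""

# Constructed account export (in reality pulled from IdP, cloud console and SaaS admin APIs).
ACCOUNTS_JSON = """[
 {"system": "github", "email": "alice@example.com", "role": "admin", "mfa": true,
  "last_login": "2024-06-28", "approval_ticket": "ACC-102"},
 {"system": "github", "email": "bob@example.com", "role": "member", "mfa": true,
  "last_login": "2024-05-10", "approval_ticket": "ACC-77"},
 {"system": "aws", "email": "carol@example.com", "role": "admin", "mfa": false,
  "last_login": "2024-02-01", "approval_ticket": ""},
 {"system": "aws", "email": "svc-backup@example.com", "role": "member", "mfa": false,
  "last_login": "2024-06-30", "approval_ticket": "ACC-90"},
 {"system": "crm", "email": "dave@example.com", "role": "member", "mfa": true,
  "last_login": "2024-06-29", "approval_ticket": "ACC-110"}
]"""


def parse_roster(csv_text):
    """Map lowercase email -> (status, termination_date or None)."""
    roster = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        term = date.fromisoformat(row["termination_date"]) if row["termination_date"] else None
        roster[row["email"].strip().lower()] = (row["status"], term)
    return roster


def review_access(roster_csv, accounts_json, review_date):
    """Return one finding dict per problem: {system, email, finding}."""
    roster = parse_roster(roster_csv)
    findings = []

    def flag(acct, msg):
        findings.append({"system": acct["system"], "email": acct["email"], "finding": msg})

    for acct in json.loads(accounts_json):
        entry = roster.get(acct["email"].lower())
        if entry is None:
            flag(acct, "identity not in HR roster (service or shared account needs a named owner)")
        elif entry[0] == "terminated":
            flag(acct, f"account still active for user terminated on {entry[1].isoformat()}")
        if not acct["mfa"]:
            flag(acct, "MFA not enrolled")
        if acct["role"] == "admin" and not acct["approval_ticket"]:
            flag(acct, "privileged role with no recorded access approval")
        idle_days = (review_date - date.fromisoformat(acct["last_login"])).days
        if idle_days > DORMANT_DAYS:
            flag(acct, f"dormant: no login for {idle_days} days")
    return findings


if __name__ == "__main__":
    for f in review_access(HR_ROSTER_CSV, ACCOUNTS_JSON, REVIEW_DATE):
        print(f"{f['system']:7} {f['email']:25} {f['finding']}")
```

The leaver check is the one that fails most often in practice, because offboarding tickets get raised late or not at all; run it against the HR system of record rather than trusting the ticket queue, and keep the script output together with the reviewer’s dated sign-off as the quarterly evidence the auditor will ask for.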
Step 5: Write Policies and Procedures (Weeks 12–24)
In parallel with control implementation, you’re documenting your ISMS. Write your information security policy (top-level commitment and objectives). Write detailed procedures for each key process: access management, change management, incident response, business continuity, supplier management, asset management, etc.
The procedures explain who does what, when, and how. They should match your actual practices, not describe some hypothetical ideal. When an auditor reads your procedures and interviews your staff, the procedures should describe what actually happens.
Step 6: Internal Audit (Weeks 20–28)
Conduct an internal audit of your ISMS. This is a checkpoint before certification. You’re asking: Do our controls operate as designed? Are we following our own procedures? Are there gaps between documentation and practice?
An internal auditor (someone who doesn’t own the controls being audited: clause 9.2 requires objectivity and impartiality, so use a person from another team or an external auditor rather than the security lead auditing their own work) reviews your controls, interviews staff, and tests whether controls work. They document findings, any nonconformities (places where you’re not meeting the standard), and corrective actions.
If the internal audit reveals significant gaps, you fix them before proceeding to certification audit.
Step 7: Management Review (Weeks 26–30)
Conduct a formal management review. Senior leadership reviews the ISMS, the results of your internal audit, your risk assessment, incident data, and any feedback. They determine whether the ISMS is still appropriate, whether controls are effective, and what improvements are needed. They document the review.
This is required by ISO 27001. It demonstrates that leadership is actively engaged in overseeing your information security.
Step 8: Stage 1 Audit (Certification Audit) – Documentation Review (Weeks 28–32)
You select an accredited ISO 27001 certification body. Check the accreditation, not just the logo: the body should be accredited for ISO/IEC 27001 by a national accreditation body (UKAS, ANAB, DAkkS and their peers), because certificates from unaccredited bodies are rejected by many procurement teams. The certification body then conducts a Stage 1 audit, which is typically a desk review. They review your ISMS documentation: your information security policy, procedures, risk assessment, Statement of Applicability, and any other documentation, and they confirm that your internal audit and management review have been planned and performed.
They’re checking: Is your ISMS documentation complete and well-structured? Does it appear to address the ISO 27001 standard? Are there obvious inconsistencies or gaps?
If significant gaps emerge in Stage 1, you correct them before moving to Stage 2. Most companies pass Stage 1, though the auditor may request clarifications or additional documentation.
Stage 1 typically takes 1–3 weeks end to end and is often done remotely, though some certification bodies still visit.
Step 9: Stage 2 Audit (On-Site Certification Audit) (Weeks 32–36)
The auditor comes on-site (some certification bodies run part of Stage 2 remotely). They typically spend 3–5 auditor-days at your location for a company of 20–100 people. During Stage 2, they:
– Confirm that controls you described in Stage 1 actually exist and operate as documented.
– Test controls. They’ll ask to see access logs and confirm that access reviews actually happened. They’ll check incident tickets and confirm you responded per your procedure. They’ll review change logs and confirm approvals were obtained.
– Interview staff to confirm they understand their roles and follow procedures.
– Inspect systems and facilities.
– Review evidence that controls work: logs, monitoring data, training records, test results.
The auditor produces a report documenting their findings. If you’ve built a solid ISMS and your controls operate as documented, the auditor will issue a certification.
If the auditor finds nonconformities (you’re not meeting the standard in some way), you have to fix them. Major nonconformities, such as a required process that doesn’t exist or a control that is documented but not operating, must be closed with evidence before certification can be issued. Minor nonconformities get a corrective action plan and a deadline (usually 30–90 days); the auditor verifies the fix, including the root-cause analysis behind it, at the next visit.
Step 10: Surveillance Audits and Recertification (Ongoing)
ISO 27001 certification lasts three years. During those three years, you’ll have surveillance audits—typically annual audits where the certification body confirms you’re maintaining your ISMS and addressing any previously identified nonconformities.
After three years, you undergo a full recertification audit similar to your initial certification.
Throughout all three years, you’re maintaining and continuously improving your ISMS. You’re conducting management reviews, internal audits, updating your risk assessment, monitoring control effectiveness, and evolving your system as your business changes.
ISO 27001 Annex A Controls: What You Actually Need to Know
Annex A contains 114 controls across 14 domains in the 2013 edition, consolidated into 93 controls under four themes in the 2022 edition. Most organizations don’t implement every one. You implement the controls relevant to your business and risk profile, and justify the rest in the Statement of Applicability.
The 14 domains of the 2013 Annex A, which remain the easiest way to see the ground the 2022 controls cover, are:
1. Information Security Policies: You have a documented information security policy approved by management.
2. Organization of Information Security: You have clearly defined roles and responsibilities for information security. Someone owns each domain.
3. Human Resource Security: You conduct background checks on new hires. You provide information security training. You have procedures for job changes and termination that include security offboarding.
4. Asset Management: You maintain an inventory of assets (hardware, software, data). You classify information based on sensitivity. You handle and protect information according to classification.
5. Access Control: You control who can access what systems and data. You use multi-factor authentication where appropriate. You review access rights regularly. You manage privileged access carefully.
6. Cryptography: You use encryption to protect sensitive data in transit and at rest. You manage cryptographic keys securely.
7. Physical and Environmental Security: You restrict physical access to facilities where information systems are located. You protect against environmental hazards.
8. Operations Security: You manage your systems securely. You monitor systems for anomalies. You manage change carefully. You manage capacity and performance to ensure availability.
9. Communications Security: You segment your network and protect against unauthorized access. You manage wireless access points securely. You protect mobile devices and remote work.
10. System Acquisition, Development, and Maintenance: You build security into systems from the start. You assess third-party software for security. You test systems before deploying. You manage patches and updates.
11. Supplier Relationships: You assess vendors for security. You have security clauses in contracts. You monitor vendor compliance.
12. Information Security Incident Management: You have a process for detecting, reporting, responding to, and learning from security incidents. You maintain incident records.
13. Business Continuity Management: You identify critical business processes. You plan for recovery from disruptions. You test your plans regularly.
14. Compliance: You ensure your systems comply with applicable laws and regulations. You conduct regular reviews to identify new compliance requirements.
Most of these domains are relevant to virtually every organization. Some (like physical security) might be narrower if you’re a fully remote company, but laptops in home offices and the data centers your cloud provider runs still count, so you scope the control and justify any exclusion in the SoA rather than silently dropping it. Your risk assessment determines which controls you actually implement.
The good news: you probably already have practices in place for many controls. Your gap assessment will identify which ones and which ones need to be formalized or improved.
How Long Does ISO 27001 Certification Take?
From “we’re going to pursue ISO 27001” to “we’re ISO 27001 certified,” expect 12–18 months.
Here’s the realistic timeline:
Gap assessment and planning: 2–4 weeks. You’re understanding where you stand.
Risk assessment: 6–10 weeks. Solid risk assessment work takes time. You’re identifying assets, threats, vulnerabilities. You’re making decisions about risk tolerance and treatment.
Control implementation: 8–14 weeks. You’re building controls, setting up systems, establishing procedures, collecting evidence. This overlaps with risk assessment and subsequent phases.
ISMS documentation: 8–12 weeks. You’re writing policies and procedures. This also overlaps with implementation. Expect 40–80 hours of writing and review.
Internal audit and corrective actions: 4–6 weeks. You’re testing your system before certification and fixing any gaps you find.
Stage 1 audit: 2–4 weeks. Auditor does documentation review.
Stage 2 audit: 1 week on-site, plus report review and any final corrections.
Total: 12–18 months from start to certification, assuming you have existing security practices. If you’re starting from nearly zero, add 3–6 months. The week numbers in the step-by-step section add up to roughly nine months because they assume overlapping phases and no slippage; auditor lead times, rework after the internal audit, and the need to show the ISMS actually operating (at least one completed internal audit and management review) before Stage 2 are what push real projects to 12–18 months.
The critical path is usually the control implementation phase. If you move quickly on gap assessment and risk assessment, but implementation stalls, you’ll extend your timeline significantly. Ensure you have dedicated people driving implementation.
Many companies underestimate the documentation phase too. Writing clear, comprehensive procedures takes longer than founders expect. Budget time for it.
Common Mistakes That Derail ISO 27001 Projects
Most ISO 27001 projects succeed, but here’s what goes wrong when they don’t:
Underestimating the time requirement. Founders often think “ISO 27001 is like SOC 2, we’ll do it in 3 months.” ISO 27001 takes 12–18 months because it’s more rigorous. It requires deeper assessment, more controls, more documentation, and more evidence collection. If you start expecting 3 months, you’ll get frustrated and lose momentum. Start with realistic expectations.
Treating it as a compliance project, not a business program. Some companies pursue ISO 27001 as a check-box: “we need this for customers, so let’s get certified and move on.” That mindset leads to building controls that look good on paper but don’t actually integrate into operations. Then post-certification, the system decays because no one is actually running it. ISO 27001 only works if it becomes part of how your company operates. That requires ongoing commitment from leadership and ongoing time from staff. If you’re not willing to maintain it for three years, don’t start it.
Pursuing ISO 27001 before SOC 2. If you’re primarily selling in North America, pursuing ISO 27001 first is inefficient. SOC 2 is lighter, faster, and sufficient for most SaaS customers. Pursue SOC 2 first, prove you can maintain compliance, then add ISO 27001 if market demand justifies it.
Poor risk assessment. If your risk assessment is superficial or doesn’t genuinely reflect your risks, your controls won’t align with actual threats. Spend time on this. Involve people from different parts of your organization. Make it real.
Over-documenting. Some companies create 200-page procedures that nobody reads or follows. Procedures should be clear enough that a reasonably intelligent person can follow them, but not so verbose they become useless. Aim for clarity over comprehensiveness. Auditors care that your ISMS works, not that you’ve written a novel about it.
Auditor shopping. Don’t just pick the cheapest certification body, and don’t pick the laxest. Pick an accredited body whose auditors understand your industry and have certified companies similar to yours. Remember that the consultant who helped build your ISMS cannot also be the one who certifies it: accreditation rules require the certification body to be independent of the implementation work. A rubber-stamp audit doesn’t make problems disappear; a stricter surveillance auditor or a customer’s due-diligence team will find them later, and you’ll fix them under a deadline anyway. Spend time selecting the right auditor.
Not involving the whole organization. ISO 27001 isn’t a security team project. It’s an organizational program. Your operations team needs to be involved (they manage systems). Your HR team needs to be involved (they handle onboarding and offboarding). Your developers need to be involved (they build systems securely). If they feel like it’s being imposed on them rather than being part of it, they won’t buy in, and compliance suffers.
Ignoring the “continuous” part. ISO 27001 isn’t a one-time project. Post-certification, you still need to maintain your ISMS, conduct management reviews, perform internal audits, update your risk assessment, and respond to changes in your business and threat landscape. Allocate ongoing resources to this. If you don’t, your surveillance audits and recertification will reveal that your ISMS has decayed.
How Soter Advisory Can Help
Building an ISMS and achieving ISO 27001 certification is complex work that touches every part of your organization. It’s easy to get lost, miss requirements, or build controls that don’t actually fit how your company works.
Soter Advisory has guided companies through ISO 27001 from initial scoping through surveillance audits. We help you:
– Conduct a realistic gap assessment that identifies what you actually need to build.
– Run a risk assessment that reflects your real threats and business context, not a generic checklist.
– Design controls that mitigate real risks and integrate into how your team actually works.
– Build documentation that’s clear, auditor-ready, and actually useful to your team.
– Navigate the certification process smoothly, from Stage 1 through Stage 2.
– Establish a post-certification program that maintains compliance without becoming a burden.
Whether you need full project management, guidance on specific controls, or support preparing for surveillance audits, we can tailor an engagement to your needs. Most companies spend 12–18 months in active certification work; we help you make that time as efficient as possible and avoid common pitfalls.
If you’re considering ISO 27001, or you’re already underway and want an external perspective on your approach, let’s talk. We can assess where you stand and help you chart the most efficient path forward.
Conclusion
ISO 27001 certification is increasingly table stakes for companies selling to enterprises, operating in regulated industries, or expanding globally. It’s more demanding than SOC 2—it requires a formal ISMS, deeper documentation, and ongoing governance—but it’s genuinely rewarding. You’re not just checking a compliance box; you’re building a real information security management system that improves your security posture and gives your customers and regulators confidence.
The path is well-defined: assess your gaps, conduct a solid risk assessment, design and implement controls based on that assessment, document your ISMS thoroughly, conduct an internal audit, and work with an auditor through Stage 1 and Stage 2 certification. It takes 12–18 months from start to certified, but the work is systematic and achievable.
The companies that succeed at ISO 27001 are the ones that treat it as a business program, not a compliance project. They get leadership buy-in, involve their whole team, maintain realistic timelines, and commit to ongoing governance post-certification. If you can do those things, certification is within reach.
If you’re at the stage where ISO 27001 is becoming a business driver, or you’re evaluating whether it’s the right move for your company, we’re here to help. Reach out, and let’s discuss your situation and what your path to certification might look like.