The short answer
ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS). Unlike SOC 2 (which produces a report), ISO 27001 produces a certificate issued by an accredited certification body. The certificate confirms your ISMS meets the standard's requirements and is operating effectively.
The current version is ISO/IEC 27001:2022, which updated Annex A's control list and structure compared to the 2013 version. If you see "ISO 27001:2013" in a vendor's documentation, they're behind on recertification.
What's an ISMS?
An Information Security Management System is the documented framework an organisation uses to manage information security risk. It's not a tool; it's a set of policies, procedures, controls, and processes that together demonstrate you're running a real security program.
ISO 27001 doesn't dictate which controls to implement — it dictates that you must have a risk-driven process for choosing them. The Statement of Applicability (SoA) is the document where you say "we have these controls, we don't have these others, and here's why."
Annex A controls
The 2022 version of Annex A contains 93 controls organised into four themes (down from 114 controls / 14 domains in the 2013 version):
- Organizational controls (37): policies, roles and responsibilities, supplier relationships, threat intelligence, third-party agreements.
- People controls (8): screening, employment terms, awareness training, disciplinary process, remote working.
- Physical controls (14): secure areas, equipment, clear desk, secure disposal.
- Technological controls (34): endpoint protection, access management, encryption, secure development, web filtering, monitoring, logging.
The certification process
ISO 27001 certification is a two-stage audit performed by an accredited certification body (CB):
- Stage 1 audit: documentation review. The CB checks your policies, scope statement, risk assessment, and SoA. They flag issues; you address them.
- Stage 2 audit: implementation review. The CB samples controls in action — interviews staff, reviews evidence, tests effectiveness. Findings are classified as minor or major nonconformities.
- Certification: assuming no major nonconformities, the CB issues a certificate valid for three years.
- Surveillance audits: annual checks during the three-year cycle to confirm continued conformance.
- Recertification audit: at year three, a full re-audit.
Who needs it?
ISO 27001 is more common in markets where international customers expect a globally-recognised credential:
- European customers — they often require it (or its equivalents) over SOC 2
- Government contracts in Europe, Asia-Pacific, Australia/NZ
- Financial services across multiple jurisdictions
- Any B2B SaaS with material non-US customer bases
If your customers are primarily US-based and B2B, SOC 2 is usually the first step. Add ISO 27001 when international customers start asking for it.
How much does ISO 27001 cost?
Total cost depends on scope, company size, and how much of the work you do in-house. For a small to mid-sized SaaS (50–200 employees) certifying a single product, the typical first-year spend looks like this:
| Line item | Range (USD) | What drives it |
|---|---|---|
| Implementation consulting | $15K–$50K | Whether you hire a consultant or run it internally |
| GRC tooling | $6K–$30K/yr | Number of users, automation depth, framework count |
| Stage 1 + Stage 2 audit | $8K–$25K | Scope size, employee count, certification body's day rate |
| Surveillance audit (per year, years 1–2) | $3K–$8K | Same drivers as the initial audit, scaled down |
| Recertification (year 3) | $8K–$25K | Full re-audit, similar to initial |
| Internal time (often forgotten) | 200–600 hrs | Documentation, evidence collection, audit interviews |
The cheapest path is staying narrow on scope. Certify the one product, the one production environment, the corporate-IT systems that touch customer data — and explicitly exclude everything else in your scope statement. Each thing you add multiplies audit time. Most first-time certifications run $25K–$80K all-in for year one, then $10K–$20K/year for surveillance.
Implementation timeline
From a standing start, plan on 6–12 months. If you already have a SOC 2 program in place, you can compress that to 3–4 months because the control overlap is substantial.
- Month 1–2: scope definition, gap analysis, risk assessment methodology, Statement of Applicability draft
- Month 2–4: control implementation, evidence collection, policy writing
- Month 4–5: internal audit, remediation, management review
- Month 5–6: Stage 1 audit (documentation), gap closure
- Month 6–7: Stage 2 audit (implementation), certification
The choke points are usually risk assessment (people skip the formal methodology and have to redo it) and evidence collection (the ISMS needs three months of running history before Stage 2). Pad the schedule there.
ISO 27001 vs SOC 2 — the practical differences
| | SOC 2 | ISO 27001 |
|---|---|---|
| Deliverable | Auditor's report | Certificate |
| Standard issuer | AICPA (US) | ISO/IEC (international) |
| Audit cycle | Annual | 3-year cycle with annual surveillance |
| Control list | Trust Services Criteria (5 categories) | Annex A (93 controls) |
| Best for | US B2B SaaS | International / European customers |
| Cost (initial) | $15K–$60K | $15K–$50K + body fees |
The control overlap is significant — if you've done SOC 2, you're 70–80% of the way to ISO 27001. The remaining 20–30% is mostly documentation: writing an ISMS scope statement, a formal risk assessment methodology, and the SoA.
We don't have a deep ISO 27001 guide yet — but the managing multiple frameworks guide covers how to map ISO 27001 controls onto an existing SOC 2 program without doubling the work.
Related reading
- SOC 2 compliance: the practical guide — the US counterpart most teams pursue first
- Managing multiple frameworks at once — how to map ISO 27001 onto an existing SOC 2 program
- How to build a security program from scratch — what comes before any framework
- SOC 2 explained — sister glossary entry
- HIPAA explained — for healthcare SaaS overlap
- GDPR explained — how ISO 27001 partially satisfies Article 32
Common questions
Is ISO 27001 better than SOC 2?
Neither is 'better' — they serve different markets. SOC 2 is more common in the US; ISO 27001 is more common internationally. Many companies eventually do both. If your customers are primarily American and you're early stage, start with SOC 2. If you have material European, APAC, or government pipeline, ISO 27001 is the right first step.
How long does ISO 27001 take?
From scratch, 6–12 months to first certification. Adding ISO 27001 to an existing SOC 2 program is faster — typically 3–4 months — because the control overlap is roughly 70–80%.
How much does ISO 27001 certification cost?
Total first-year cost for a small SaaS is typically $25K–$80K: $15K–$50K in implementation (consultants, tooling, internal time), $8K–$25K for the Stage 1 + Stage 2 audit, and $3K–$8K per year for surveillance audits. Recertification at year three is roughly the same as the initial audit. Tooling like LukaGRC reduces the implementation half by automating evidence collection and the SoA.
What's the difference between ISO 27001:2013 and ISO 27001:2022?
The 2022 revision restructured Annex A from 114 controls in 14 domains down to 93 controls in 4 themes (organizational, people, physical, technological) and introduced 11 new controls covering cloud, threat intelligence, data masking, and secure development. Organizations certified to 2013 had until October 2025 to transition; any current certificate must reference the 2022 version.
Do I need ISO 27001 if I already have SOC 2?
Only if your buyers require it. SOC 2 covers the same control families but produces a report aimed at US auditors; ISO 27001 produces a certificate that European, APAC, and government buyers recognize. Many B2B SaaS companies pursue ISO 27001 once 10–20% of their pipeline starts asking for it.
What is the Statement of Applicability?
The SoA is the central ISO 27001 artifact. It lists every Annex A control, marks each as applicable or not, and gives the justification. Auditors read the SoA before anything else — it's the map of your ISMS. If a control is excluded, the SoA must explain why and the auditor will probe the rationale.
What controls are in Annex A?
Annex A of ISO 27001:2022 has 93 controls in 4 themes: 37 organizational controls (policies, supplier management, threat intelligence), 8 people controls (screening, training, discipline), 14 physical controls (secure areas, equipment, disposal), and 34 technological controls (access control, encryption, logging, secure development).
Can a startup get ISO 27001 certified?
Yes. The standard scales with the organization — a 10-person company can certify a narrow scope (one product, one office) in 4–6 months. The hard part is sustaining the ISMS through surveillance audits as the company grows; that's where automation matters more than at the initial certification.
Is ISO 27001 the same as ISO 27002?
No. ISO 27001 is the auditable standard; ISO 27002 is a guidance document explaining how to implement the Annex A controls. You get certified against 27001 — 27002 is just the implementation companion.
Does ISO 27001 satisfy GDPR?
Partially. ISO 27001 covers the security side of GDPR Article 32 (security of processing). It does not cover lawful basis, data subject rights, DPIAs, or international transfers — those need separate work. ISO 27701 is the privacy extension that bridges the gap.
Who issues ISO 27001 certificates?
Accredited Certification Bodies (CBs) — examples include BSI, Schellman, A-LIGN, TÜV. They're accredited by national bodies like ANAB (US), UKAS (UK), DAkkS (Germany). The CB you pick affects audit rigor and certificate recognition in different markets.
Last updated: May 25, 2026 · Reviewed by the LukaGRC compliance team