ISO 27001. Stage 1 and Stage 2, run end to end.
Twelve to sixteen weeks for first-time certification. Annex A controls implemented, ISMS operating, Stage 1 readiness, Stage 2 certification audit by an accredited body.
International certification for an information security management system, granted by an accredited certification body.
ISO 27001 certifies that a company operates an Information Security Management System against the requirements in clauses 4 through 10 of the standard, with controls selected from Annex A. Annex A in the 2022 revision lists 93 controls across four themes: organizational, people, physical, and technological. Certification is granted by an accredited certification body, not the consultant who helped you prepare. Cooling-off rules in ISO/IEC 17021-1 §5.2.7 require two years between consulting work and certifying the same management system at the same firm.
Who needs it
Companies selling into Europe, the United Kingdom, India, the Middle East, and parts of Asia routinely run into ISO 27001 in procurement. SOC 2 satisfies most US enterprise buyers; ISO 27001 is the dominant equivalent everywhere else. Companies expanding from US-only to global procurement find that adding ISO 27001 alongside an existing SOC 2 program is the standard move. Some industries, particularly outsourcing and managed services, treat ISO 27001 as table stakes regardless of geography.
The HSD playbook for ISO 27001
HSD's engineers run a gap analysis against ISO 27001 clauses 4 through 10 and Annex A, draft the Statement of Applicability with rationale for each control, write the missing policies, implement the technical controls, and stand up the ISMS document set. We coordinate with the certification body partner. Stage 1 is a documentation review; Stage 2 is on-site or remote fieldwork against the operating ISMS. Surveillance audits in years one and two follow, with full recertification at year three.
Timeline
| Weeks | Phase | Activities |
|---|---|---|
| 1 to 2 | Gap analysis and SoA drafting | Mapping current state to clauses 4 to 10 and Annex A; Statement of Applicability with control rationale |
| 2 to 6 | ISMS documentation and policies | Information security policy, risk assessment methodology, risk treatment plan, full Annex A control documents |
| 4 to 10 | Technical control implementation | Access management, cryptography, secure development, supplier security, threat intelligence (new in 2022) |
| 10 to 12 | Internal audit and management review | Required clause 9.2 internal audit and clause 9.3 management review meeting, both documented |
| 13 | Stage 1 audit | Documentation review by the certification body; identification of any blocking issues for Stage 2 |
| 14 to 16 | Stage 2 audit | On-site or remote fieldwork; certification decision and issuance |
Cost reality
| Line item | Range | Note |
|---|---|---|
| Software-only platforms covering ISO 27001 | USD 10,000 to 30,000 per year | Higher than SOC 2-only because of the Annex A control breadth |
| Remediation consulting | USD 40,000 to 100,000 | Annex A is broader than SOC 2 Trust Services Criteria; expect more work |
| Certification body fees | USD 10,000 to 25,000 for Stage 1 + Stage 2 | Plus annual surveillance audit fees of USD 5,000 to 12,000 |
| HSD bundled program | Scoped per program | Engineers, ISMS documentation, certification body coordination in one engagement |
What auditors check
Statement of Applicability with rationale for every Annex A control
All 93 controls addressed: included, excluded with justification, or partially included with scope notes.
Risk assessment and risk treatment plan
Documented methodology, asset inventory or risk register, treatment decisions, residual risk acceptance.
Internal audit covering all ISMS clauses
Performed by competent personnel, at least once before certification; findings tracked to closure.
Management review meeting
Clause 9.3 inputs and outputs documented; senior leadership attendance recorded.
Operating evidence for selected Annex A controls
Auditor samples Annex A controls for evidence: change tickets, access reviews, supplier reviews, incident records.
Continual improvement evidence
Nonconformities raised, corrected, root-cause analyzed; ISMS performance metrics tracked over time.
Common pitfalls
Treating ISO 27001 like SOC 2
ISO 27001 is a system standard, not a controls report. The auditor judges whether the management system functions, not whether individual controls were implemented in isolation.
Skipping the internal audit
Clause 9.2 internal audit is mandatory and must happen before the Stage 2 certification audit. Skipping or rushing it fails Stage 1.
Generic Statement of Applicability
Generic SoA with no rationale per control gets flagged. Each control needs a justification grounded in your risk assessment.
No clause 9.3 management review
Top management must convene, review specified inputs, and produce specified outputs. Skipping this fails certification.
Picking a non-accredited certification body
Only certificates from bodies accredited under IAF members (UKAS, ANAB, etc.) are recognized internationally. Discount certifiers without accreditation produce certificates buyers do not accept.
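The SoA requirements above and the "Generic Statement of Applicability" pitfall translate into checks that can run before Stage 1: every 2022 Annex A control accounted for, exclusions justified, partial inclusions carrying scope notes, and rationale not pasted from one row to the next. This is an added example, not HSD's tooling; the dict keys, the six-word minimum and the sample SoA are assumptions and constructed data.

```python
"""SoA completeness check against ISO/IEC 27001:2022 Annex A (added example, not HSD's tooling).

Assumes the SoA is exported as a list of dicts with keys control, status
("included" | "excluded" | "partial"), rationale and scope_notes.  The 2022
numbering is 5.1-5.37, 6.1-6.8, 7.1-7.14 and 8.1-8.34: 93 controls in total."""
from collections import Counter

ANNEX_A_THEMES = {5: 37, 6: 8, 7: 14, 8: 34}  # organizational, people, physical, technological
ANNEX_A_CONTROLS = [f"{t}.{n}" for t, count in ANNEX_A_THEMES.items() for n in range(1, count + 1)]
VALID_STATUSES = {"included", "excluded", "partial"}
MIN_RATIONALE_WORDS = 6  # assumption: anything shorter is treated as boilerplate

def check_soa(entries):
    """Return the findings an auditor would raise; an empty list means the SoA passes."""
    findings = []
    seen = {e.get("control") for e in entries}
    findings += [f"{c}: not addressed in SoA" for c in ANNEX_A_CONTROLS if c not in seen]
    rationale_counts = Counter(e.get("rationale", "").strip().lower() for e in entries)
    for e in entries:
        cid, status = e.get("control"), e.get("status")
        rationale = e.get("rationale", "").strip()
        if cid not in ANNEX_A_CONTROLS:
            findings.append(f"{cid}: not an Annex A 2022 control identifier")
            continue
        if status not in VALID_STATUSES:
            findings.append(f"{cid}: status must be one of {sorted(VALID_STATUSES)}")
        if len(rationale.split()) < MIN_RATIONALE_WORDS:
            findings.append(f"{cid}: rationale missing or too thin to be risk-based")
        elif rationale_counts[rationale.lower()] > 1:
            findings.append(f"{cid}: rationale is copy-pasted from another control")
        if status == "partial" and not e.get("scope_notes", "").strip():
            findings.append(f"{cid}: partial inclusion needs scope notes")
    return findings

def sample_soa():
    """Constructed sample SoA with four deliberate defects that yield five findings."""
    soa = [{"control": cid, "status": "included", "scope_notes": "",
            "rationale": f"Mitigates risk register item R-{i:03d} per treatment plan"}
           for i, cid in enumerate(ANNEX_A_CONTROLS, 1)]
    by_id = {e["control"]: e for e in soa}
    by_id["5.7"].update(status="excluded", rationale="Not applicable")  # exclusion without justification
    by_id["7.1"]["status"] = "partial"                                    # partial, no scope notes
    by_id["6.2"]["rationale"] = by_id["6.1"]["rationale"]                 # generic copy-paste, flags both
    return [e for e in soa if e["control"] != "8.34"]                      # one control dropped entirely

if __name__ == "__main__":
    for finding in check_soa(sample_soa()):
        print(finding)
```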
FAQ
How long does ISO 27001 first-time certification take?
What changed in ISO/IEC 27001:2022 versus the 2013 version?
Can the same firm consult and audit?
Do we need ISO 27001 if we have SOC 2?
What is the Statement of Applicability?
How long is the ISO 27001 certificate valid?
Want ISO 27001 scoped for your stack?
Thirty-minute call. Fixed-scope quote inside a week. We tell you honestly when ISO 27001 should wait or when it should lead.