ISO 27001 certification: how it actually works
A SaaS founder's guide to ISO 27001 certification: who issues it, stage 1 vs stage 2, the three-year cycle, timelines, and how it compares to SOC 2.
Dev Agarwal, CPA · Licensed CPA · Founder
A European prospect asks for your ISO 27001 certificate. You google it, land on a dozen consultant pages telling you they will "get you certified," and close the tab more confused than you started.
ISO 27001 certification is not that complicated once you understand who issues it. This post walks through how the process actually runs, the three-year cycle, the two-stage initial audit, and why most US SaaS companies end up doing both SOC 2 and ISO 27001 rather than picking one.
Who actually issues an ISO 27001 certificate
This is the single most misunderstood part of the standard.
ISO does not certify anyone. ISO writes the standard (ISO/IEC 27001:2022 is the current edition; the October 2022 announcement from ISO itself is the clearest primary reference). The body that issues your certificate is a certification body (CB), which has itself been accredited by a national accreditation body: UKAS in the UK, ANAB in the US, DAkkS in Germany, and so on. Accreditation rules come from ISO/IEC 17021-1:2015, the conformity-assessment standard that governs every CB on the planet. Both layers are required. An ISO 27001 certificate from a CB that is not accredited is worth less than a LinkedIn endorsement.
If you're new to the underlying standard itself, start with what ISO 27001 is before you read further — this post assumes you know what an ISMS is.
A few names you will see: Schellman, A-LIGN, BSI, DNV, TÜV, Coalfire ISO, Prescient. These are the certification bodies. They sell the audit, run it, and issue the paper.
SecurancePro is not one of them. We are a CPA firm. We perform SOC 1, SOC 2, and SOC 3 attestations, and we help companies get ready for ISO 27001, but we do not issue ISO 27001 certificates. Nobody can be both your consultant and your certification body; the accreditation rules forbid it, for the same reason your tax preparer cannot also be your IRS auditor.
The certification body audits. A consultant (or an internal team) gets you ready. Keep those two roles in separate organizations.
What the certificate actually attests
An ISO 27001 certificate says your Information Security Management System (ISMS) conforms to the requirements in ISO/IEC 27001. It does not say every control in Annex A is implemented. The Statement of Applicability is where you declare which Annex A controls apply and which you have excluded with justification.
This is the core difference from SOC 2. SOC 2 is an attestation on the design and operating effectiveness of specific controls, reported as evidence with exceptions listed. ISO 27001 is a conformance certification on a management system: you designed it, you operate it, you measure it, you improve it. Both matter, for different reasons, to different buyers — we unpack the decision in SOC 2 vs ISO 27001.
The initial certification: stage 1 and stage 2
Unlike SOC 2, ISO 27001 splits the initial audit into two formal stages, separated by a few weeks to a few months.
Stage 1 is a documentation and readiness review. The auditor reads your ISMS documentation, your risk assessment, your Statement of Applicability, and your internal audit and management review records. They are not looking to pass or fail you yet. They are checking that you have built enough of an ISMS for a stage 2 audit to be worth running. If your risk methodology is a blank page or your SoA does not exist, they will tell you to come back later rather than waste a stage 2.
Stage 2 is the evidence audit. The auditor tests that your ISMS and your Annex A controls are actually operating as documented. Interviews, sampling, evidence pulls, walkthroughs: it looks like the fieldwork phase of a SOC 2 audit, but framed around ISMS clauses 4 through 10 plus the applicable Annex A controls.
If stage 2 goes well, the CB's technical reviewer issues the certificate. The date on the certificate is usually the date of the certification decision, not the last day of fieldwork.
Common timing: stage 1 in month N, stage 2 in month N+1 or N+2, certificate issued two to six weeks after stage 2 closes. Plan four months end-to-end for a clean engagement, longer if stage 1 surfaces material gaps.
The three-year cycle nobody explains up front
This is the part founders wish somebody had told them before they signed the CB contract.
An ISO 27001 certificate is valid for three years, but the CB does not disappear during those three years. You have a surveillance audit in year 1 and year 2, followed by a recertification audit at the end of year 3. All three are chargeable engagements.
- Year 0: stage 1 + stage 2 (initial certification).
- Year 1: surveillance audit, a lighter sample of the ISMS and a subset of Annex A controls.
- Year 2: second surveillance, same shape, different sample.
- Year 3: recertification, effectively a full stage 2 again, plus review of how the ISMS evolved over the cycle.
Budget accordingly. A company that priced only the initial audit and then discovered the surveillance fee the week before year-one fieldwork is a story our readiness clients tell us once a month.
What the ISMS needs to contain
The standard itself is short. Clauses 4 through 10 are the requirements clauses; Annex A lists 93 reference controls (in the 2022 revision) grouped into four themes: organizational, people, physical, and technological. We walk through each clause and the Annex A themes in ISO 27001 requirements.
The non-negotiables your CB will ask to see:
- Context of the organization (clause 4). Who are you, who depends on you, what is in scope of the ISMS.
- Leadership commitment and a policy (clause 5). Signed by someone who can actually commit resources.
- Risk assessment and treatment methodology (clause 6). Repeatable, documented, with a risk register that gets updated.
- Statement of Applicability. Annex A controls you include, Annex A controls you exclude, and why.
- Competence, awareness, communication, documented information (clause 7). Training records and version-controlled policies.
- Operation (clause 8). The controls running in real life.
- Performance evaluation (clause 9). Internal audit and management review, both actually performed before your stage 2.
- Improvement (clause 10). Corrective actions closed with evidence.
Internal audit and management review are the two clauses first-time applicants most often skimp on. Both are mandatory, both are scoped by your CB, and "we'll do it after stage 2" is the wrong answer.
How ISO 27001 relates to SOC 2
If you sell to European buyers, ISO 27001 is the default ask. If you sell to US enterprise buyers, SOC 2 is. Most growth-stage SaaS companies with mixed customer bases end up doing both because the control overlap is roughly 70–80%.
The typical sequence we see:
- SOC 2 Type I, six months after you decide to start.
- SOC 2 Type II, twelve months in, with the ISMS documentation being built alongside the Type II observation window.
- ISO 27001 stage 1 shortly after the Type II closes, reusing the same control library and much of the same evidence.
Doing them together is cheaper than doing them in series with different firms, because the evidence library is the same document set mapped differently. Our earlier piece on what a SOC 2 report tells your buyer is the best starting point if you are choosing between the two for the first time.
If your customers are in US healthcare, the HIPAA Security Rule is a separate overlay on top of either; see who the HIPAA Security Rule applies to for the scope question.
What to do before you engage a certification body
- Write down the scope of the ISMS. Not your whole company: the product, the systems, and the people that customers actually care about.
- Pick a risk methodology and run the assessment. A spreadsheet is fine for the first cycle; the standard does not require a tool.
- Draft the Statement of Applicability. Include every Annex A control with either "Applicable" + justification or "Excluded" + justification.
- Run an internal audit and a management review before stage 1. Not optional, no matter how small the company is.
- Then shortlist three certification bodies, get quotes, and ask each for a sample audit plan.
The order matters. Companies that sign a CB contract before they have a risk assessment almost always fail stage 1 and pay for it twice.
If you are planning SOC 2 and ISO 27001 as a combined program, the mapping work is cheaper to design than to retrofit. See our services or get in touch; we will help you pick the sequence, build the evidence library once, and introduce you to certification bodies we have worked alongside.