
Compliance Guide · Global

ISO 27001 Compliance Guide

ISO 27001 is the most widely recognised international standard for information security management. Here is everything you need: the 7 mandatory ISMS clauses (4–10), all 93 Annex A controls, the certification process, and how to get there in as little as 9 months.

  • Issuing body: ISO + IEC · accredited certification bodies
  • Version: ISO/IEC 27001:2022 (October 2022)
  • Coverage: Organisations seeking globally recognised security cert
  • Validity: 3 years · annual surveillance · year-3 recertification
[Figure: ISO 27001:2022 Information Security Management System (ISMS) certification overview with Annex A controls]

At a glance:

  • 93 Annex A controls across 4 themes
  • 7 mandatory ISMS clauses (clauses 4–10)
  • 3-year certificate validity before recertification
  • Global: recognised in 165+ countries

Who needs ISO 27001?

ISO 27001 is the most widely recognised international information security certification. While not legally mandatory, it is increasingly the price of entry to global enterprise sales:

  • SaaS and cloud providers selling internationally
  • Financial services — banks, insurers, fintechs (often alongside regional regulators)
  • Healthtech and life sciences handling cross-border data
  • Managed service providers / MSSPs / SOC providers
  • Government and public-sector suppliers (especially in EU, UK, Singapore, UAE)
  • Manufacturers and supply-chain organisations facing customer security questionnaires

If a single significant deal is conditional on ISO 27001, you have a business case. If multiple deals are at risk, you have an emergency.

The ISMS — clauses 4 to 10

ISO 27001's main body specifies the requirements for your Information Security Management System (ISMS). Clauses 4–10 are mandatory; none can be excluded from the scope of certification:

  • Clause 4, Context of the organisation: define internal/external issues, interested parties, and the scope of your ISMS.
  • Clause 5, Leadership: top-management commitment, the information security policy, roles and responsibilities.
  • Clause 6, Planning: risk assessment, risk treatment, security objectives; this is the analytical core of the ISMS.
  • Clause 7, Support: resources, competence, awareness, communication, documented information.
  • Clause 8, Operation: operational planning and control; execution of the risk treatment plan.
  • Clause 9, Performance evaluation: monitoring and measurement, internal audit, management review.
  • Clause 10, Improvement: nonconformity management, corrective actions, continual improvement.

Annex A — 93 controls in 4 themes

The 2022 revision restructured Annex A from 14 domains into 4 themes:

  • A.5 Organisational (37 controls): information security policies, roles, threat intelligence, supplier security, classification, identity management, incident management
  • A.6 People (8 controls): screening, terms of employment, awareness/training, disciplinary process, remote working, NDAs
  • A.7 Physical (14 controls): physical security perimeter, secure areas, equipment siting, secure disposal, clear desk/clear screen
  • A.8 Technological (34 controls): user endpoints, privileged access, secure authentication, cryptography, backup, logging, web filtering, secure coding, vulnerability management

11 controls were new in 2022: A.5.7 Threat intelligence, A.5.23 Information security for use of cloud services, A.5.30 ICT readiness for business continuity, A.7.4 Physical security monitoring, A.8.9 Configuration management, A.8.10 Information deletion, A.8.11 Data masking, A.8.12 Data leakage prevention, A.8.16 Monitoring activities, A.8.23 Web filtering, and A.8.28 Secure coding. The other 82 controls carry over from the 2013 edition, either unchanged or merged.

The Statement of Applicability (SoA)

Your SoA is the most-referenced document during certification. It lists every Annex A control with one of three states:

  • Implemented — describe how, with reference to your evidence and policies
  • Excluded — explain why (e.g. "no on-premise data centres" → exclude certain physical controls); the justification must still trace back to your risk assessment, not just to convenience
  • Not yet implemented — for controls planned in your treatment roadmap

Every entry must be justified by your risk assessment and treatment plan. The two documents read together. Auditors will sample heavily across both.
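The SoA and the risk treatment plan are audited as a pair, so it pays to check their consistency mechanically before Stage 1. The script below is an added example, not a tool from this page or from Security Pulse: it verifies that all 93 Annex A controls have an SoA entry, that exclusions carry a justification and are not relied on by any risk, that implemented controls reference evidence, and that every inclusion is either selected by a risk or justified. The control numbering (A.5.1–A.5.37, A.6.1–A.6.8, A.7.1–A.7.14, A.8.1–A.8.34) is the standard's; the record layout, the three states, and the sample SoA and treatment plan are assumptions constructed for the example.

```python
"""Consistency checks between a Statement of Applicability (SoA) and a risk
treatment plan. Added example, not a tool from the page or from Security Pulse.
Control identifiers follow ISO/IEC 27001:2022 Annex A numbering; the SoA record
layout, the three states and the treatment-plan shape are assumptions."""
from dataclasses import dataclass, field

ANNEX_A_THEMES = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}   # 93 controls in total
VALID_STATES = {"implemented", "excluded", "planned"}


def annex_a_controls():
    """All 93 control identifiers, in Annex A order."""
    return [f"{theme}.{n}" for theme, count in ANNEX_A_THEMES.items()
            for n in range(1, count + 1)]


@dataclass
class SoAEntry:
    state: str                                   # implemented | excluded | planned
    justification: str = ""                      # why the control is included or excluded
    evidence: list = field(default_factory=list)  # policy / record references


def check_soa(soa, treatment_plan):
    """Return a list of (control_id, problem) findings; an empty list means consistent.

    soa:            {control_id: SoAEntry}
    treatment_plan: {risk_id: [control_id, ...]}  the controls each risk selects
    """
    findings = []
    catalogue = set(annex_a_controls())
    selected = {cid for cids in treatment_plan.values() for cid in cids}

    # 1. Coverage: every Annex A control appears once; unknown identifiers are typos.
    for cid in annex_a_controls():
        if cid not in soa:
            findings.append((cid, "missing from SoA"))
    for cid in soa:
        if cid not in catalogue:
            findings.append((cid, "not an Annex A identifier"))

    # 2. Each entry carries what its state requires.
    for cid, entry in soa.items():
        if entry.state not in VALID_STATES:
            findings.append((cid, f"unknown state {entry.state!r}"))
        elif entry.state == "excluded":
            if not entry.justification.strip():
                findings.append((cid, "excluded without justification"))
            if cid in selected:
                findings.append((cid, "excluded, but the risk treatment plan relies on it"))
        else:  # implemented or planned: the inclusion itself needs a reason
            if cid not in selected and not entry.justification.strip():
                findings.append((cid, "included, but no risk selects it and no justification given"))
            if entry.state == "implemented" and not entry.evidence:
                findings.append((cid, "implemented, but no evidence reference"))

    # 3. The plan may only select catalogued controls (custom controls need their own list).
    for risk_id, cids in treatment_plan.items():
        for cid in cids:
            if cid not in catalogue:
                findings.append((cid, f"{risk_id} selects an identifier outside Annex A"))
    return findings


def example_inputs():
    """Constructed sample: a full SoA with one legitimate exclusion and four defects."""
    soa = {cid: SoAEntry("implemented", "Selected in risk assessment RA-2024", ["ISMS-POL-01"])
           for cid in annex_a_controls()}
    soa["A.7.8"] = SoAEntry("excluded", "No on-premise data centre; all compute is in "
                            "public cloud (RA-2024 s.3)")            # legitimate exclusion
    soa["A.7.12"] = SoAEntry("excluded")                             # defect: no reason given
    soa["A.8.28"] = SoAEntry("implemented")                          # defect: no evidence
    soa["A.8.23"] = SoAEntry("excluded", "No web filtering deployed")  # defect: a risk needs it
    del soa["A.5.7"]                                                 # defect: control dropped
    treatment_plan = {
        "R-03 phishing via malicious links": ["A.6.3", "A.8.23"],
        "R-11 vulnerable code shipped to production": ["A.8.8", "A.8.28"],
        "R-17 no visibility of emerging threats": ["A.5.7"],
    }
    return soa, treatment_plan


if __name__ == "__main__":
    for cid, problem in check_soa(*example_inputs()):
        print(f"{cid:8} {problem}")
```

Run against the constructed sample it reports exactly the four planted defects (A.5.7, A.7.12, A.8.23, A.8.28) and nothing for the justified exclusion of A.7.8. Feed it the real SoA export and treatment-plan register instead, and any finding it prints is one an auditor sampling across both documents would also find.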

Step-by-step certification roadmap

[Figure: ISO 27001 certification roadmap: gap analysis, ISMS design, internal audit, Stage 1 and Stage 2 certification audit]

Phase 1 Build the ISMS (Months 1–3)

  • Define scope (which products, sites, services, geographies)
  • Engage leadership; establish security policy + roles
  • Run a risk assessment and produce the risk treatment plan
  • Draft the Statement of Applicability

Phase 2 Implement Annex A controls (Months 2–6)

  • Build out the 93 controls in scope (organisational, people, physical, technological)
  • Policy library, training programme, vendor management, incident response
  • Technical baselines: identity, MFA, encryption, logging, backups, monitoring

Phase 3 Operate the ISMS (Months 4–9)

  • Generate at least 3 months of operating evidence
  • Conduct an internal audit covering all clauses + a sample of controls
  • Hold a management review with documented outputs
  • Engage your certification body and book Stage 1

Phase 4 Certification audits (Months 9–12)

  • Stage 1: documentation & ISMS readiness
  • Stage 2: on-site/remote fieldwork — control testing, interviews, evidence sampling
  • Address any non-conformities; receive certificate
  • Annual surveillance audits in years 1 + 2; recertification at year 3

Stage 1, Stage 2, and surveillance

Understanding the audit cycle is critical:

  • Stage 1 (Documentation review): 1–3 days. The auditor reviews your scope, policies, SoA, risk assessment, internal audit programme, and management review records. Output is a list of issues to address before Stage 2.
  • Stage 2 (Certification audit): 3–10+ days depending on size. The auditor tests implementation and effectiveness — interviews, observation, evidence sampling. Findings are classified as major non-conformities (must be closed before a certificate is issued), minor non-conformities (a corrective action plan is agreed and closure is verified at the next surveillance audit), and opportunities for improvement (no action required).
  • Annual surveillance audits: 1–3 days each in years 1 and 2. Sample of controls and ISMS operation.
  • Recertification (year 3): Comprehensive — closer in scope to the original Stage 2.

Cost & timeline

Small SaaS (1–50 staff)

9–12 months

Cert body: $15K–$30K. Advisory/tools: $10K–$25K. Internal: 300–500 hrs. Year 1 total $30K–$70K. Surveillance: ~$10K/year.

Mid-market (50–500 staff)

12–15 months

Cert body: $30K–$60K. Advisory: $25K–$60K. Internal: 600–1000 hrs. Total $80K–$180K. Often combined with SOC 2 to share evidence.

Enterprise / multi-site

15–24 months

Multi-site sampling. Cert body: $60K–$200K. Programme work: $100K+. Often part of a portfolio (ISO 27001 + 27017 + 27018 + 27701).

How Security Pulse helps with ISO 27001

RunWay — Build the ISMS

  • Scope, risk assessment & risk treatment plan
  • Statement of Applicability template + control mapping
  • Policy library covering all 93 Annex A controls
  • Internal audit programme + management review templates
  • Certification body selection support

Autopilot — Operate continuously

  • Identity, MFA, JIT access, quarterly access reviews (A.5, A.8)
  • Endpoint protection + vulnerability management (A.8)
  • Incident response with documented runbooks (A.5.24–A.5.27)
  • Vendor risk monitoring (A.5.19–A.5.23)
  • Evidence vault — exports for surveillance + recertification

ISO 27001 vs SOC 2

  • Type: ISO 27001:2022 is a certification against an international standard; SOC 2 Type II is an attestation report under the US AICPA framework
  • Validity: ISO 27001, 3 years with annual surveillance; SOC 2 Type II, 1 year with annual renewal
  • Best for: ISO 27001, global enterprise, EU/Asia buyers, government suppliers; SOC 2, US enterprise SaaS sales
  • Audit cost (small/mid): ISO 27001 $15K–$60K; SOC 2 $20K–$80K
  • Time to first cert/report: ISO 27001 9–18 months; SOC 2 6–12 months
  • Output: ISO 27001, certificate plus scope statement; SOC 2, detailed written report (shared under NDA)
  • Overlap: ~80% of controls overlap, so most companies share evidence between both

Common questions about ISO 27001

What is ISO 27001 and who needs it?

ISO/IEC 27001:2022 is the international standard for an Information Security Management System (ISMS). It defines the requirements for establishing, implementing, maintaining, and continually improving information security in an organisation. It is not legally required, but it is the most widely recognised international security certification — frequently demanded by enterprise buyers in Europe, Asia, the Middle East, and increasingly in North America. Common adopters: SaaS, cloud providers, MSPs, financial services, healthtech, government suppliers.

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is the certifiable standard — it specifies the requirements for an ISMS and is the document audited against. ISO 27002 is a guidance standard that provides implementation advice for the controls listed in ISO 27001 Annex A. You get certified to ISO 27001; you read ISO 27002 to learn how to implement the controls. The 2022 revision of ISO 27002 reorganised controls from 14 domains into 4 themes (organisational, people, physical, technological).

How many controls are in ISO 27001:2022 Annex A?

93 controls organised into 4 themes: A.5 Organisational (37 controls), A.6 People (8 controls), A.7 Physical (14 controls), and A.8 Technological (34 controls). The 2022 revision reduced the count from 114 in the 2013 version by merging similar controls and adding 11 new ones — including threat intelligence, cloud security, ICT readiness for business continuity, data masking, monitoring activities, web filtering, and secure coding.

What is the Statement of Applicability (SoA)?

The SoA is the cornerstone document of your ISMS. It lists every Annex A control, states whether you have implemented it (and how) or excluded it (with justification). Auditors reference your SoA continuously during fieldwork. The SoA must be tied to your risk treatment plan — every control inclusion or exclusion must be justified by the risk assessment.

What are Stage 1 and Stage 2 audits?

Stage 1 is a documentation review where the certification body checks your ISMS design — scope, policies, SoA, risk assessment, internal audit, management review. Stage 2 is the certification audit proper: on-site (or remote) fieldwork where the auditor tests control implementation and evidence. There is typically 4–8 weeks between Stage 1 and Stage 2 to address Stage 1 findings. Once Stage 2 is passed, any major non-conformities are closed and the certification body's independent decision review is complete, the certificate is issued.

How long does ISO 27001 certification take?

For a startup or small organisation starting from scratch: 9–12 months from kickoff to certificate. For an organisation with mature security practices (e.g. existing SOC 2): 6–9 months. For complex multi-site enterprises: 12–18 months. The slowest constraint is operational evidence — auditors expect to see at least 3 months of ISMS operation (records, internal audits, management reviews) before Stage 2.

How much does ISO 27001 cost?

For a small SaaS organisation: $30K–$70K total in year 1. Breakdown: certification body fees $15K–$30K (depends on organisation size and complexity), advisory/consulting $10K–$25K, internal labour 300–500 hours (the largest hidden cost). Annual surveillance audits in years 1 and 2 add roughly half the certification body fee per year (~$10K). Recertification at year 3 costs roughly the same as the initial certification audit.

How long does the certificate last?

ISO 27001 certificates are valid for 3 years. Annual surveillance audits in years 1 and 2 confirm your ISMS continues to operate effectively. A full recertification audit is required at the end of year 3. Missing a surveillance audit, or leaving a major non-conformity unresolved, can result in suspension or withdrawal of the certificate — so this is genuinely continuous, not a one-time achievement.

Should I get SOC 2 first or ISO 27001 first?

Depends on your buyers. If your prospects are mostly US-based enterprise SaaS buyers, start with SOC 2 — it is faster, cheaper, and the format US procurement teams expect. If your buyers are global enterprises, EU/UK organisations, or you operate in multiple jurisdictions, start with ISO 27001 — its global recognition matters more. Many companies eventually do both; ~80% of the control work overlaps and the certifications can share evidence.

How does Security Pulse help with ISO 27001?

Security Pulse covers the full ISMS lifecycle. RunWay implements the foundational programme: scope definition, risk assessment, SoA, policy library aligned to all 93 Annex A controls, internal audit programme. Autopilot then runs continuously: identity, endpoint, change management, monitoring, incident response, vendor risk, with an evidence vault that produces certification-body-ready exports. We support both initial certification and ongoing surveillance audits.

ISO 27001 certification — minus the document graveyard.