“Rob, a UK-based company wants to evaluate us as a vendor, but they’re asking for ISO 27001. What do I need to know, and how fast can we get it?”
I get this type of call regularly.
My answers are usually “a lot,” and “not fast.”
For American companies selling primarily to American customers, SOC 2 (System and Organization Controls 2) is the framework that matters.
ISO 27001 enters the picture when that customer is international. If you’re expanding overseas or responding to a foreign prospect’s security requirements, this article will help you understand what ISO 27001 is and whether certification belongs on your roadmap.
What is ISO 27001?
ISO 27001 is an international standard for managing information security. It was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which is why you’ll sometimes see it written as ISO/IEC 27001. For the rest of this article, we’ll stick with ISO 27001 or just “ISO.”
ISO 27001 is a certifiable standard. It gives your company a structured, repeatable system for identifying security risks, selecting and implementing controls to treat them, and improving those controls over time.
If your cybersecurity program meets the standard, an accredited certification body can audit your program and issue you an ISO 27001 certificate. Security-conscious buyers view the certificate as a sign you have a quality cybersecurity program. It builds trust.
What is the ISO 27001 ISMS?
The Information Security Management System (ISMS) is the heart of ISO 27001. ISO 27001 certification is a certification of your complete ISMS, within the scope you define for it, not a certification of individual security tools or controls.
The ISMS is basically your cybersecurity program on paper. It’s a large stack of documentation that includes your security policies and procedures, your risk assessment and risk treatment process, the controls you’ve selected to address identified risks, and the monitoring and review mechanisms that keep everything current, plus the records that show you actually follow it.
The documents are important for ISO 27001 audits! The auditor isn’t just checking whether you have a firewall. They’re checking whether you have a documented process for evaluating whether that firewall is the right control, whether it’s configured correctly, and whether someone reviews it on a defined schedule.
ISO 27001, Annex A, and the Statement of Applicability (SoA)
ISO 27001’s Annex A (in the 2022 edition of the standard) is a list of 93 cybersecurity controls organized into four categories: organizational, people, physical, and technological. When building an ISO 27001-compliant cybersecurity program, you must evaluate each of these 93 controls and decide whether or not it is applicable to your business.
Those decisions get documented in what’s called the Statement of Applicability (SoA). The SoA is one of the most important documents in your entire ISO 27001 program.
To write the SoA, you must list every Annex A control and state whether it is applicable or not. If a control is applicable, you must implement it, and document how it is implemented.
If it’s not applicable, you document why. “We don’t do that” is not a sufficient justification! You need a reasoned explanation tied to your risk assessment.
For example, if your company is fully remote with no physical office, certain physical security controls may not apply. Your SoA would note those controls are excluded because the organization operates without physical premises, and the associated risks are addressed through other means, like endpoint security and access controls for remote workers.
The SoA matters for two reasons:
First, auditors review it closely. A sloppy SoA with vague justifications is a red flag that can produce nonconformities in your certification audit, and a major nonconformity blocks the certificate until you fix it.
Second, the exercise forces you to think carefully about every control area, which often surfaces risks your team hadn’t considered. I’ve seen companies go through the SoA process and realize they had no procedure for secure disposal of old laptops, or no formal process for revoking access when a contractor’s engagement ends.
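As an added example (not part of the original article), here is a small Python linter that applies the SoA rules described above to a spreadsheet export: every one of the 93 Annex A controls must appear exactly once, an applicable control needs an implementation description, and an excluded control needs a reasoned justification that references an entry in the risk assessment. The control numbering (5.1 to 5.37, 6.1 to 6.8, 7.1 to 7.14, 8.1 to 8.34) is the real ISO/IEC 27001:2022 Annex A layout; the CSV column names, the `R-nn` risk-register ID format, and the sample rows are assumptions constructed for this example.

```python
import csv
import io
import re

# ISO/IEC 27001:2022 Annex A numbers its 93 controls by theme:
# 5.x organizational (37), 6.x people (8), 7.x physical (14), 8.x technological (34).
ANNEX_A_THEMES = {5: 37, 6: 8, 7: 14, 8: 34}

# Exclusion justifications an auditor will not accept as reasoned.
STUB_JUSTIFICATIONS = {"", "n/a", "na", "not applicable", "we don't do that", "we dont do that", "not needed"}

# Assumed risk-register identifier format (e.g. R-07); adjust to your own register.
RISK_REF = re.compile(r"\bR-\d+\b")

# Constructed sample SoA export with the assumed column layout. 7.2 is a well-reasoned
# exclusion; 7.1 is a stub exclusion; 7.14 is applicable but undocumented; 9.9 does not exist.
SAMPLE_SOA = """control_id,applicable,justification,implementation
5.18,yes,Access rights for staff and contractors are reviewed at onboarding and offboarding,Offboarding checklist revokes SSO and VPN access within one business day
7.1,no,We don't do that,
7.2,no,"No physical premises; the organization is fully remote, and the risk of unauthorized physical access (R-07) is treated by endpoint encryption and remote access controls.",
7.14,yes,,
9.9,yes,Not a real control,
"""


def annex_a_ids():
    """Return all 93 Annex A control identifiers in standard order."""
    return [f"{theme}.{n}" for theme, count in ANNEX_A_THEMES.items() for n in range(1, count + 1)]


def lint_soa(csv_text):
    """Check a SoA export and return a list of (control_id, problem) findings."""
    expected = set(annex_a_ids())
    seen = set()
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["control_id"].strip()
        if cid not in expected:
            findings.append((cid, "not an Annex A control identifier"))
            continue
        if cid in seen:
            findings.append((cid, "listed more than once"))
        seen.add(cid)
        applicable = row["applicable"].strip().lower()
        justification = row["justification"].strip()
        if applicable == "yes":
            if not row["implementation"].strip():
                findings.append((cid, "applicable but no implementation description"))
        elif applicable == "no":
            # An exclusion needs a real explanation, and that explanation must point
            # back at the risk assessment rather than stand on its own.
            if justification.lower() in STUB_JUSTIFICATIONS or len(justification) < 40:
                findings.append((cid, "exclusion has no reasoned justification"))
            if not RISK_REF.search(justification):
                findings.append((cid, "exclusion not tied to a risk assessment entry"))
        else:
            findings.append((cid, f"applicability must be yes or no, got {applicable!r}"))
    # Anything in Annex A that never appeared is a gap in the SoA itself.
    for cid in sorted(expected - seen, key=lambda c: tuple(map(int, c.split(".")))):
        findings.append((cid, "missing from the SoA"))
    return findings


if __name__ == "__main__":
    for control_id, problem in lint_soa(SAMPLE_SOA):
        print(f"{control_id}: {problem}")
```

Run against the constructed sample it reports the stub justification and missing risk reference on 7.1, the missing implementation text on 7.14, the bogus 9.9 row, and the 89 controls the sample never mentions, while the fully remote exclusion of 7.2 passes. The 40-character floor is a crude heuristic; the point is to catch "we don't do that" before the auditor does, not to judge the reasoning itself.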
Why Companies Actually Pursue Certification
In our professional experience, companies don’t pursue ISO 27001 because they read an article about best practices and felt inspired. Something specific pushes them toward it. Here are the drivers we see most often:
A Customer or Partner Requires It
This is the number one reason, and for our clients it’s almost always the only reason. A European prospect includes ISO 27001 on their vendor security requirements. SOC 2 doesn’t satisfy the requirement. Suddenly, certification moves from “someday” to “we need this to close the deal next quarter.”
International Expansion Plans
ISO 27001 is recognized in over 150 countries. SOC 2, while well-understood in the United States, carries far less weight in European and Asian markets. Some companies know they have international expansion plans and smartly plan for ISO 27001 certification ahead of time.
If you know you’ll need it someday, it’s better to plan now rather than to do it when a deal is on the line!
Regulatory Alignment
Depending on your industry, ISO 27001 can help address compliance obligations tied to regulations like the EU’s GDPR. GDPR has no certification audit of its own; it is enforced by national supervisory authorities, usually in response to a complaint, a breach notification, or an investigation. ISO 27001 does not make you GDPR-compliant by itself, but an ISMS whose risk assessment and controls cover the personal data you process gives you documented evidence of the “appropriate technical and organisational measures” the regulation requires, which helps show you are committed to following the law.
Who ISO 27001 Is For
ISO 27001 is relevant for any organization that handles sensitive information, but certain types of companies tend to get the most value from it.
SaaS and technology companies are the most common companies we see. If you’re selling software to enterprise customers overseas, ISO 27001 will likely come up during procurement. The sooner it’s on your roadmap, the less scrambling you’ll do when that first international deal is on the line.
Healthcare and healthtech organizations managing patient data across borders often find ISO 27001 aligns with existing compliance needs. It pairs well with regulations like HIPAA (Health Insurance Portability and Accountability Act) for companies operating in both U.S. and international markets.
Financial services firms face some of the most rigorous vendor security requirements in any industry. International financial institutions frequently mandate ISO 27001 for third-party vendors, making certification a prerequisite for those relationships.
Companies handling customer or proprietary data more broadly, from consulting firms to data analytics providers, may find ISO 27001 necessary as they grow into markets where it’s the expected standard.
The common thread: ISO 27001 tends to matter most when security becomes a condition of doing business with the customers you want to reach.
What ISO 27001 Is Not
Before you get too deep into planning, let’s clear up a few misconceptions that cause real problems.
It Is Not Just an IT Project
This is the misconception that causes the most pain. ISO 27001 covers people, processes, and governance across the entire organization, not just the technology stack. HR policies, physical security, vendor management, and executive oversight all fall within scope. If you hand this to your IT manager and say “make it happen,” you’re setting them up to fail.
It Is Not a One-Time Certification
An ISO 27001 certificate is valid for three years, but surveillance audits are required in each of the intervening years, followed by a full recertification audit before the certificate expires. You must actually follow through on what the policies and procedures in your ISMS say. Companies that treat certification as a finish line instead of an ongoing commitment tend to struggle at their first surveillance audit.
It Is Not Just a Checklist of Controls
While the SoA is kind of a checklist of controls, you don’t have to implement every single one. ISO 27001 wants to know that you have a system for deciding which controls you need, implementing them, monitoring them, and improving them. An auditor who sees a well-reasoned decision to exclude a control will be far less concerned than one who sees a control poorly implemented and not maintained.
The Gap Between Understanding and Implementation
Knowing what ISO 27001 is doesn’t get you very far toward actually achieving certification. The gap between “I understand the standard” and “we passed our certification audit” is where most companies struggle.
The five areas that cause the most trouble: defining the right scope (too broad and the project becomes unmanageable; too narrow and you’ll need to expand it later), building the ISMS, completing the SoA, actually running your security program to your ISMS’s specifications, and performing the internal audit and management review the standard requires before the certification body arrives. There’s a lot of stuff to do to prepare for the certification audit!
The timeline for a first-time certification typically runs 9 to 18 months, depending on your company’s size, existing security maturity, and how many resources you can dedicate.
Costs vary widely for the same reasons. The certification audit itself might run $20,000 to $80,000 depending on your scope and the certification body. For preparation, once you factor in the internal labor (or vCISO time) to build the ISMS, implement controls, conduct internal audits, and prepare documentation, the total investment for a mid-size company can range from $50,000 to $200,000 or more.
Those numbers aren’t meant to scare you. They’re meant to help you plan realistically. Companies that go into ISO 27001 thinking it’s a quick, low-cost project usually fail or get a cheap, low-quality audit. If you get a rubber-stamp certification, you will likely lose deals if customers ask you serious questions about your cybersecurity program.
Making the Call: Is ISO 27001 Right for You Right Now?
Should your company pursue ISO 27001?
Pursue it now if a current customer or high-value prospect is requiring it, you’re actively selling into international markets where ISO 27001 is expected, or your regulatory environment (particularly GDPR or cross-border data requirements) points you toward it.
Put it on your roadmap (12 to 24 months) if your growth plan includes international expansion but you don’t have immediate certification pressure.
Deprioritize it for now if your customer base is U.S.-focused and nobody is asking for it, you haven’t yet addressed more foundational security basics (like multi-factor authentication, endpoint protection, and backup testing), or your team doesn’t have the bandwidth to sustain an ongoing management system.
Remember: the primary reason to pursue any formal certification is because a customer requires it. If that customer is international, ISO 27001 is likely the answer. If they’re domestic, SOC 2 is almost certainly the better first step.
If nobody’s asking? Build your security, no compliance needed. (Yet!)
A Plan is Enough to Start
If you’re reading this because an international prospect just asked about ISO 27001, take a breath. You don’t need to have certification in hand tomorrow. What you need is a realistic timeline, a clear understanding of the work involved, and a plan that gets you there without derailing everything else.
A commitment with a strong plan may help secure the deal.
Then, it’s time to start scoping your ISMS!