ISO 27001 Certification: The Complete Guide for 2026
Everything you need to know about ISO 27001 certification — requirements, cost, timeline, audit process, and how to maintain compliance. From initial gap analysis to successful certification.
ISO 27001 is the single most important information security certification for B2B companies. If you sell to enterprise buyers — particularly in Europe — it is no longer optional. It is the baseline expectation.
This guide covers everything you need to know about ISO 27001 certification: what the standard requires, how much it costs, how long it takes, what the audit process looks like step by step, and how to maintain your certification once you have it.
Whether you are starting from scratch or upgrading an existing security programme, this is the reference you will come back to throughout the process.
Key Takeaways
- ISO 27001 is the international standard for Information Security Management Systems (ISMS). The current version is ISO/IEC 27001:2022 with 93 controls across 4 categories.
- Certification takes 6-12 months for most mid-sized companies. With automation tools and an existing security foundation, 3-6 months is achievable.
- Total first-year cost ranges from EUR 30,000 to EUR 150,000, depending on company size, scope, and how much you automate. Annual maintenance costs are significantly lower.
- The certification audit has two stages: Stage 1 (documentation review) and Stage 2 (implementation verification). Both must pass before certification is granted.
- ISO 27001 is valid for three years with mandatory annual surveillance audits. Recertification requires a full audit in year three.
- NIS2, DORA, and GDPR all map to ISO 27001 controls, making certification a strategic investment that satisfies multiple compliance requirements simultaneously.
What Is ISO 27001?
ISO 27001 is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It defines the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
In practical terms, ISO 27001 tells you:
- What to protect — through asset identification and risk assessment
- How to protect it — through 93 reference controls covering organizational, people, physical, and technological measures
- How to prove you are protecting it — through documentation, evidence collection, internal audits, and management reviews
- How to keep improving — through the Plan-Do-Check-Act (PDCA) cycle
The current version, ISO/IEC 27001:2022, replaced the 2013 edition. The 2022 revision restructured Annex A from 14 control categories (114 controls) to 4 categories (93 controls) and added 11 new controls covering modern security challenges like cloud security, threat intelligence, data leakage prevention, and secure coding.
Certification means an accredited, independent certification body has audited your ISMS and confirmed it meets the standard's requirements. The certificate is recognized globally and is valid for three years.
Why ISO 27001 Matters in 2026
Enterprise Buyers Require It
The most direct reason: 73% of enterprise procurement processes now require ISO 27001 or an equivalent certification before they will sign a contract. If you sell B2B software, particularly to mid-market and enterprise companies, ISO 27001 has become a hard prerequisite — not a nice-to-have.
This is especially true in European markets. German, French, Dutch, and Nordic buyers expect ISO 27001 as standard. Without it, you do not make it past the security review phase.
NIS2 Creates Regulatory Pressure
The NIS2 Directive, which went into force across EU member states, references ISO 27001 as a relevant standard for demonstrating compliance with Article 21 risk management measures. While ISO 27001 alone does not equal NIS2 compliance, it provides approximately 70% of the required foundation.
For organizations affected by NIS2 — and there are approximately 160,000 across the EU — ISO 27001 certification is the most practical starting point for meeting regulatory obligations.
Competitive Advantage
In competitive deals, the company that can demonstrate security posture faster wins. ISO 27001 certification, shared through a Trust Center, eliminates weeks of back-and-forth security questionnaires and lets buyers verify your security controls on their own schedule.
Insurance and Liability
Cyber insurance providers increasingly offer better terms to ISO 27001 certified organizations. The certification demonstrates a systematic approach to risk management, which directly reduces the insurer's exposure.
Multi-Framework Efficiency
ISO 27001 controls overlap 70-80% with SOC 2 Trust Services Criteria, NIS2 Article 21 measures, and DORA ICT risk management requirements. Investing in ISO 27001 builds a compliance foundation that extends across multiple frameworks, reducing duplicate effort and cost.
ISO 27001 Requirements: What You Need to Know
ISO 27001 has two main components: the management system requirements (Clauses 4-10) and the reference controls (Annex A).
Management System Requirements (Clauses 4-10)
These clauses define how your ISMS must operate:
| Clause | Topic | What It Requires |
|---|---|---|
| Clause 4 | Context | Define ISMS scope, identify interested parties, understand internal and external issues |
| Clause 5 | Leadership | Establish security policy, assign roles, demonstrate management commitment |
| Clause 6 | Planning | Conduct risk assessment, define risk treatment plan, set security objectives |
| Clause 7 | Support | Allocate resources, ensure competence, build awareness, manage documentation |
| Clause 8 | Operation | Execute risk assessment and risk treatment plans |
| Clause 9 | Performance Evaluation | Monitor effectiveness, conduct internal audits, perform management reviews |
| Clause 10 | Improvement | Address non-conformities, implement corrective actions, drive continual improvement |
Annex A Controls (ISO 27001:2022)
Annex A provides 93 reference controls organized into four categories:
Organizational Controls (37 controls) — Policies, asset management, access control, supplier security, incident management, business continuity, and compliance.
People Controls (8 controls) — Pre-employment screening, terms of employment, security awareness training, disciplinary process, remote working, and confidentiality agreements.
Physical Controls (14 controls) — Physical security perimeters, entry controls, equipment protection, clear desk policy, and storage media handling.
Technological Controls (34 controls) — User authentication, encryption, logging, network security, secure development, data protection, vulnerability management, and backup.
You do not need to implement every control. Your risk assessment determines which controls are applicable. The Statement of Applicability (SoA) documents which controls you implement, which you exclude, and the justification for each decision. This is one of the most scrutinized documents during the certification audit.
For a deeper look at building the management system that ISO 27001 certifies, see our ISMS guide. For ISMS tooling, see Orbiq's ISMS software.
ISO 27001 vs SOC 2: Which Do You Need?
This is the most common question from companies planning their compliance programme. Here is how the two frameworks compare:
| Dimension | ISO 27001 | SOC 2 |
|---|---|---|
| Origin | International (ISO/IEC) | United States (AICPA) |
| Type | Certification by accredited body | Attestation report by CPA firm |
| Approach | Risk-based with Annex A controls | Criteria-based (Trust Services Criteria) |
| Scope | Entire ISMS (customizable) | Specific system or service |
| Validity | 3 years (with annual surveillance) | Report covers a specific period (typically 12 months) |
| Cost | EUR 30,000-150,000 first year | $30,000-150,000 first year |
| Timeline | 6-12 months | 3-9 months |
| Geography | Preferred in Europe and internationally | Expected in the US market |
| Renewal | Recertification audit in year 3 | New audit report each period |
| Control overlap | — | 70-80% overlap with ISO 27001 |
Do You Need Both?
If you sell to US enterprise buyers AND European enterprise buyers, the answer is usually yes. The good news: because of the 70-80% control overlap, the incremental effort of adding the second framework is significantly lower than building the first one from scratch.
Many companies start with ISO 27001 (which provides the more comprehensive management system) and then add SOC 2 as a reporting layer on top. This approach avoids building two separate compliance programmes.
ISO 27001 Certification Process: Step by Step
Here is the complete certification process, from initial decision to ongoing maintenance. Each step includes realistic timeframes for a mid-sized company (50-500 employees).
Step 1: Gap Analysis (Weeks 1-4)
Assess your current security posture against ISO 27001 requirements. This identifies:
- Which Annex A controls you already satisfy (partially or fully)
- Which controls are missing entirely
- What documentation exists versus what needs to be created
- The size of the gap between your current state and certification readiness
Output: Gap analysis report with prioritized remediation plan.
Who does this: Internal team, external consultant, or ISMS software with built-in gap analysis.
Step 2: Define ISMS Scope (Weeks 2-4)
Determine what your ISMS will cover:
- Which business processes, systems, and data
- Which locations (offices, data centres, remote workers)
- Which teams and departments
- Which regulatory requirements apply
Scoping too broadly makes implementation overwhelming. Scoping too narrowly reduces the certification's credibility with buyers. Most B2B SaaS companies scope their ISMS to cover the product, its underlying infrastructure, and the teams that build and operate it.
Step 3: Risk Assessment (Weeks 4-8)
The risk assessment is the foundation of everything that follows. It drives your control selection, your Statement of Applicability, and your audit scope. Do this thoroughly.
- Asset identification — Catalogue information assets (systems, data, people, processes)
- Threat identification — What could go wrong for each asset?
- Vulnerability assessment — What weaknesses could be exploited?
- Impact analysis — What is the business impact if this risk materialises?
- Risk evaluation — Assign likelihood and impact ratings; determine which risks need treatment
- Risk treatment — For each unacceptable risk: mitigate (apply controls), accept (formally document acceptance), transfer (insurance), or avoid (eliminate the source)
Step 4: Implement Controls (Weeks 6-20)
Based on your risk treatment decisions, implement the necessary controls:
- Deploy technical controls (access management, encryption, logging, network segmentation)
- Write policies and procedures (information security policy, acceptable use, incident response)
- Establish organizational controls (roles and responsibilities, supplier management, change management)
- Conduct security awareness training for all employees
- Begin evidence collection — document everything from day one
This is the longest phase. Compliance automation compresses it significantly by automating evidence collection, providing policy templates, and continuously monitoring control effectiveness.
Step 5: Internal Audit (Weeks 18-22)
ISO 27001 requires an internal audit before the certification audit. This must:
- Cover all ISMS processes and a representative sample of Annex A controls
- Be conducted by auditors independent of the areas being audited
- Identify non-conformities that need correction before the certification body arrives
- Produce a formal report with findings and recommendations
You can use internal staff (if independent of the ISMS), an external consultant, or a combination. The internal audit is your dress rehearsal — treat it seriously.
Step 6: Management Review (Weeks 22-24)
Top management must formally review the ISMS. This is not a checkbox exercise. The management review must cover:
- Results of the internal audit
- Status of risk treatment
- Feedback from interested parties
- Changes in the internal or external context
- Opportunities for improvement
- Resource allocation decisions
Output: Documented management review minutes with decisions and actions.
Step 7: Stage 1 Audit — Documentation Review (Weeks 24-26)
The certification body's auditor reviews your ISMS documentation:
- ISMS scope and policy
- Risk assessment and risk treatment plan
- Statement of Applicability
- Internal audit report
- Management review minutes
- Key procedures and records
Duration: 1-2 days (on-site or remote).
Output: Stage 1 report. If significant gaps exist, you address them before Stage 2 is scheduled. The gap between Stage 1 and Stage 2 is typically 4-8 weeks.
Step 8: Stage 2 Audit — Implementation Verification (Weeks 28-32)
The main event. The auditor verifies that your ISMS operates effectively in practice:
- Control testing — Interviews, observation, evidence inspection
- Process verification — Are ISMS processes (risk assessment, internal audit, management review) actually running?
- Evidence sampling — Reviews records, logs, and documentation across the audit period
- Staff interviews — Speaks with personnel at various levels to verify awareness
- Findings classification:
  - Major non-conformity — Significant failure; must be corrected before certification
  - Minor non-conformity — Isolated issue; requires a corrective action plan
  - Observation — Improvement opportunity; does not block certification
Duration: 3-10 days depending on organization size and scope.
Step 9: Certification Issued
If no major non-conformities remain, the certification body issues your ISO 27001 certificate. It is valid for three years.
You can now list ISO 27001 certification in your marketing, share the certificate through your Trust Center, and respond to buyer security questionnaires with certified evidence.
Step 10: Surveillance Audits and Recertification
Certification is not the finish line. Ongoing obligations:
- Year 1 and Year 2: Surveillance audits (smaller in scope) verify your ISMS continues to operate effectively
- Year 3: Full recertification audit to renew for another three-year cycle
- Continuous: Risk assessments must be updated, incidents managed, controls monitored, internal audits conducted, and management reviews held
ISO 27001 Certification Cost Breakdown
Here is a realistic cost breakdown for a mid-sized B2B SaaS company (50-250 employees):
| Cost Component | Range (EUR) | Notes |
|---|---|---|
| Gap analysis | 5,000-15,000 | External consultant or ISMS platform with gap analysis |
| ISMS implementation | 10,000-30,000 | Internal effort + consultant support. Higher if no existing security programme |
| Compliance automation platform | 10,000-50,000/year | Orbiq, Vanta, Drata, or similar. Reduces implementation time by 40-60% |
| Policy and documentation | 5,000-15,000 | Writing policies from scratch vs. using templates |
| Security awareness training | 2,000-8,000 | Platform-based training for all employees |
| Certification audit (Stage 1 + 2) | 10,000-25,000 | Depends on scope, company size, and certification body |
| Remediation of findings | 0-10,000 | Fixing non-conformities identified during audit |
| Total first year | 30,000-150,000 | |
| Annual surveillance audit | 5,000-15,000 | Smaller scope than initial audit |
| Annual platform + maintenance | 15,000-50,000 | Ongoing ISMS operation, monitoring, evidence collection |
| Total annual maintenance | 20,000-65,000 | |
What Drives Cost Up
- Company size: More employees means more training, more access controls, more evidence
- Scope complexity: Multiple products, data centres, or geographic locations
- Starting maturity: Companies with no existing security programme pay more
- Consultant dependency: Heavy reliance on external consultants versus building internal capability
- Certification body: Tier-1 global bodies (BSI, TUV, Bureau Veritas) typically cost more than regional bodies
What Drives Cost Down
- Compliance automation: Tools that automate evidence collection, provide policy templates, and monitor controls continuously can reduce implementation time (and cost) by 40-60%
- Existing frameworks: Companies already SOC 2 compliant can leverage 70-80% of existing controls
- Focused scope: Starting with a targeted scope and expanding later
- Internal competency: Teams with prior compliance experience move faster
ISO 27001 Certification Timeline
Here is a realistic timeline for a mid-sized company going from zero to certified:
| Phase | Duration | Activities |
|---|---|---|
| Phase 1: Foundation | Months 1-2 | Gap analysis, scope definition, risk assessment methodology, management buy-in |
| Phase 2: Implementation | Months 3-6 | Risk assessment execution, control implementation, policy writing, evidence collection begins, awareness training |
| Phase 3: Operation | Months 6-8 | ISMS running in production, internal audit conducted, management review completed, evidence accumulating |
| Phase 4: Certification | Months 8-10 | Stage 1 audit, remediation of findings, Stage 2 audit, certification decision |
| Total | 8-12 months | |
Accelerated Timeline (With Automation)
Companies using ISMS software with automation capabilities can compress this timeline:
| Phase | Duration | How Automation Helps |
|---|---|---|
| Foundation | 2-3 weeks | Automated gap analysis, pre-built risk assessment frameworks |
| Implementation | 6-10 weeks | Policy templates, automated evidence collection, pre-mapped controls |
| Operation | 4-6 weeks | Continuous monitoring replaces manual evidence gathering |
| Certification | 4-6 weeks | Audit-ready evidence packages, automated control testing |
| Total | 4-6 months | |
The biggest time savings come from automated evidence collection. Manually gathering screenshots, exporting logs, and compiling spreadsheets consumes hundreds of hours. Automation platforms pull evidence from your existing tools (AWS, Azure, GitHub, Google Workspace, Okta, etc.) continuously, so it is always audit-ready.
Common ISO 27001 Mistakes
These are the five mistakes we see most frequently. Each one can add months to your timeline or cause you to fail the certification audit.
1. Treating Certification as a One-Time Project
ISO 27001 is a management system, not a project. Organizations that build an ISMS solely to pass the audit create fragile systems that collapse between surveillance audits. The ISMS must operate continuously: risks reassessed, controls monitored, incidents managed, improvements implemented.
Build the ISMS because it makes your organization more secure. Certification follows naturally.
2. Not Involving Leadership
ISO 27001 requires demonstrated management commitment — not just a policy signature on page one. Management review meetings must be held, resourced, and documented with clear decisions. Auditors will interview leadership. If management cannot articulate the organization's risk appetite or the ISMS's strategic objectives, that is a non-conformity.
3. Underestimating the Risk Assessment
The risk assessment drives everything: your control selection, your Statement of Applicability, and your audit scope. A superficial risk assessment (copying a template without tailoring it to your actual risks) leads to inappropriate controls, audit findings, and — worse — a false sense of security.
Invest the time to do an honest, thorough risk assessment. Revisit it when your business changes.
4. Underestimating Documentation
ISO 27001 is evidence-heavy. Every control must be documented. Every process must have records. Every decision must be traceable. Companies that underestimate the documentation burden find themselves scrambling before audits, producing incomplete evidence, and receiving non-conformities.
Continuous monitoring solves this by collecting evidence automatically and continuously, so it is always there when the auditor asks for it.
5. Choosing the Wrong Certification Body
Not all certification bodies are equal. Consider:
- Accreditation: Ensure the body is accredited by a recognized national accreditation body (DAkkS in Germany, UKAS in the UK, COFRAC in France, RvA in the Netherlands)
- Industry experience: Auditors who understand SaaS, cloud infrastructure, and modern development practices will be more efficient and more credible
- Buyer perception: Some buyers specifically ask which certification body issued your certificate. Tier-1 bodies (BSI Group, TUV, Bureau Veritas, DNV) carry more weight
- Cost: Prices vary significantly. Get three quotes.
ISO 27001 and NIS2: The Connection
The NIS2 Directive requires entities to implement risk management measures under Article 21. These measures map closely to ISO 27001 controls:
| NIS2 Article 21 Requirement | ISO 27001 Coverage |
|---|---|
| Risk analysis and security policies | Strong — Clauses 6, 8, Annex A.5 |
| Incident handling | Partial — Annex A covers management, not NIS2's 24-hour reporting deadline |
| Business continuity | Strong — A.5.29-A.5.30 |
| Supply chain security | Partial — A.5.19-A.5.22 cover supplier security, but NIS2 requires continuous oversight |
| Effectiveness assessment | Strong — Clause 9 |
| Cyber hygiene and training | Strong — A.6.3, A.6.4 |
| Cryptography | Strong — A.8.24 |
| Access control and HR security | Strong — A.6, A.8.1-A.8.5 |
| Multi-factor authentication | Partial — A.8.5 addresses authentication without mandating MFA specifically |
Where ISO 27001 Falls Short of NIS2
ISO 27001 provides approximately 70% of NIS2's requirements. The remaining 30% are operational capabilities that an ISMS was not designed to deliver:
- Incident reporting under time pressure — NIS2 requires a 24-hour early warning, 72-hour notification, and final report within one month. ISO 27001 requires incident management but does not prescribe specific timelines.
- Continuous supply chain oversight — NIS2 demands ongoing monitoring of suppliers, not just annual questionnaire assessments.
- Evidence available on demand — NIS2 supervisory authorities can request evidence at any time. ISO 27001 prepares you for planned audit cycles.
Having ISO 27001 gives you the strongest possible starting position for NIS2 compliance. But it is not sufficient alone. For a detailed analysis, see ISO 27001 Is Not NIS2 Compliance.
How Orbiq Helps with ISO 27001
Orbiq is a compliance and Trust Center platform built for European B2B companies. Here is how it supports your ISO 27001 programme:
ISMS Software — Manage your entire Information Security Management System in one platform. Risk assessment, control mapping, policy management, and Statement of Applicability — all connected and audit-ready.
Continuous Monitoring — Track control effectiveness across all 93 Annex A controls automatically. Surface gaps before surveillance audits find them. Integrate with your existing tools (cloud providers, identity providers, code repositories) for real-time evidence.
Evidence Management — Automated evidence collection mapped to ISO 27001 clauses and Annex A controls. No more scrambling before audits. Evidence is collected continuously and stored with full metadata: timestamps, owners, version history.
Trust Center — Publish your ISO 27001 certification status, scope, and security controls as a self-service hub for buyers. Reduce security questionnaire volume and accelerate deal cycles by letting buyers verify your security posture on their own terms.
AI-Powered Questionnaires — When buyers do send security questionnaires, Orbiq's AI responds using evidence from your ISMS. Consistent, accurate, and fast.
Frequently Asked Questions
How much does ISO 27001 certification cost?
ISO 27001 certification typically costs between EUR 20,000-80,000 for mid-market companies, including gap analysis (EUR 5-15K), implementation (EUR 10-30K), and the certification audit itself (EUR 10-25K). Using compliance automation software like Orbiq can reduce implementation costs by 40-60%.
How long does ISO 27001 certification take?
Most organizations achieve ISO 27001 certification in 6-12 months. Companies with an existing ISMS or compliance framework can accelerate to 3-6 months. With automation tools, the implementation phase can be compressed significantly.
What is the difference between ISO 27001 and SOC 2?
ISO 27001 is an international standard requiring a formal ISMS with certification by an accredited body. SOC 2 is a US-based framework with audit reports from CPA firms. ISO 27001 is preferred in Europe and internationally, while SOC 2 dominates the US market. Many companies pursue both.
Is ISO 27001 mandatory?
ISO 27001 is not legally mandatory, but it is increasingly required by enterprise buyers, especially in the EU. NIS2 references ISO 27001 controls, and many procurement processes require it. For B2B SaaS companies selling to enterprise, it is effectively a market requirement.
Can you get ISO 27001 certified without an ISMS tool?
Technically yes, but it is extremely inefficient. Many companies start with spreadsheets and quickly find the evidence collection, control monitoring, and documentation burden unsustainable. ISMS tools like Orbiq automate 70% of the ongoing compliance work.
Next Steps
If you are considering ISO 27001 certification, here is where to start:
- Assess your current state — Run a gap analysis against ISO 27001:2022 requirements. Orbiq's ISMS software includes automated gap analysis to show you exactly where you stand.
- Estimate your timeline and budget — Use the cost and timeline tables in this guide to build a realistic project plan.
- Choose your tooling — Manual compliance is possible but costly. Compare ISMS software options to find the right fit.
- Start building — The earlier you start collecting evidence, the shorter your path to certification.
Ready to accelerate your ISO 27001 certification? See Orbiq's pricing or explore the ISMS platform.
Further Reading
- ISMS: What Is an Information Security Management System? — The management system that ISO 27001 certifies
- SOC 2 Compliance — How ISO 27001 compares to SOC 2
- ISO 27001 Is Not NIS2 Compliance — What ISO 27001 covers and what it does not for NIS2
- NIS2 Compliance — The EU directive that references ISO 27001
- ISO 27001 Certification (Glossary) — Quick reference entry
This guide is maintained by the Orbiq team. Last updated: March 2026.