ISO 27001 Certification: Complete Guide 2026

ISO 27001 Certification: The Complete Guide for 2026

ISO 27001 certification proves that your organization runs a working information security management system, or ISMS, that meets the ISO/IEC 27001 standard. It is the closest thing security has to a global passport. European customers expect it, and U.S. enterprise buyers increasingly ask for it alongside SOC 2.

This guide explains what ISO 27001 certification is in 2026, the latest version of the standard, the full certification process, what it costs, the documents you need, how it compares to SOC 2 and HIPAA, and the most expensive mistakes I see operators make.

ISO 27001 is the global anchor for information security. SOC 2 is American. HIPAA is U.S. healthcare. PCI DSS is payment cards. ISO 27001 is the only framework that travels everywhere a software company sells, which is why so many serious B2B operators in 2026 end up running it sooner or later.

💡 Pro Tip
Quick orientation: ISO 27001 certification is a three-stage audit (gap assessment, Stage 1, Stage 2) followed by annual surveillance audits and a full recertification every three years. Total first-year cost typically runs $30,000 to $150,000 for small to mid-sized businesses, with the certificate good for three years. There is no shortcut. There is also no easier credential if you sell to European, financial, or large-enterprise buyers in 2026.

If you only want the cost picture, skip ahead to ISO 27001 certification cost. For the audit-only view, see ISO 27001 certification process. For implementation depth, see the ISO 27001 implementation guide.

What ISO 27001 actually is

ISO 27001 is a published international standard. The current version is ISO/IEC 27001:2022, released in October 2022. It defines the requirements for an information security management system, or ISMS. The 2022 revision was a meaningful update, with reorganized Annex A controls (now 93 instead of 114), the addition of 11 new controls, and a small number of changes to the management clauses.

The companion standard, ISO/IEC 27002:2022, gives implementation guidance for each Annex A control. ISO 27001 tells you what; ISO 27002 tells you how. Together they form the operating manual for any ISO 27001 program.

The standard is organized into two main parts:

  • Clauses 4 to 10: The mandatory ISMS requirements. These are management-system style requirements: context of the organization, leadership, planning, support, operation, performance evaluation, improvement.
  • Annex A: The control catalog. The 93 controls in Annex A 2022 are grouped into four themes: Organizational (37), People (8), Physical (14), and Technological (34). You apply the controls that are relevant to your risk and document why you skipped any others (the Statement of Applicability).

For an Annex A walkthrough, see the ISO 27001 Annex A controls guide. For the SoA specifically, see the ISO 27001 Statement of Applicability template.

Who issues ISO 27001 certificates

The certification is issued by an accredited certification body, not by ISO itself. Certification bodies in turn are accredited by national accreditation bodies, which are members of the International Accreditation Forum (IAF). In the U.S. that body is ANAB (ANSI National Accreditation Board). In the UK it is UKAS. In Germany it is DAkkS. The accreditation chain matters because certificates issued by non-accredited bodies are not recognized internationally and will not satisfy enterprise procurement teams.

When you choose an auditor, the first question is whether the certification body is accredited under one of the IAF members. Names you see most often in 2026: BSI, Bureau Veritas, DNV, TÜV SÜD, Schellman, A-LIGN, Coalfire ISO, NQA, and Mastermind Compliance. The smaller boutiques can be excellent. Verify the accreditation before signing anything.

The certification process

ISO 27001 certification is a structured, multi-stage process. The end-to-end timeline for a 50 to 200 person company starting from scratch is 8 to 16 months.

Stage 0: Preparation (months 1-6)

This is the longest stage and the one that determines whether the audit goes smoothly. You implement the ISMS, write the documents, run the controls long enough to generate evidence, and rehearse the audit. Most companies use this phase to:

  • Define the ISMS scope (which business units, which products, which geographies, which third parties are inside the boundary).
  • Run a risk assessment that produces a risk register.
  • Pick the Annex A controls that apply and write the Statement of Applicability.
  • Write the mandatory documented information: information security policy, risk assessment methodology, risk treatment plan, statement of applicability, internal audit program, management review records.
  • Implement the controls and start collecting evidence.

Skipping or rushing Stage 0 is the single most common cause of a failed Stage 2 audit.

Stage 1: Documentation review

The certification body's auditor reviews your ISMS documentation, the scope statement, the risk assessment, the Statement of Applicability, and the internal audit and management review records. This is mostly off-site. The output is a Stage 1 report identifying any "areas of concern" that must be addressed before Stage 2.

Stage 1 typically takes 1 to 3 days of auditor time. You receive findings; you have 30 to 90 days to address them.

Stage 2: Implementation audit

This is the on-site (or virtual) audit where the auditor tests whether the controls actually work. They interview people, observe processes, sample evidence, and verify that what is in your documents matches what is happening in the business.

Stage 2 takes 3 to 8 days for most SMBs and several weeks for larger organizations. The auditor issues findings in three categories:

  • Major nonconformity: A systemic failure or a missing required clause. Major NCs must be closed before the certificate can issue.
  • Minor nonconformity: A localized control gap. Minor NCs require a corrective action plan but do not block certification.
  • Opportunity for improvement: Suggestions, not requirements.

If you have no major nonconformities, the certification body issues your ISO 27001 certificate. The certificate is valid for three years.

Stage 3: Surveillance audits (years 1 and 2)

After certification, the auditor returns annually to confirm the ISMS is still operating. Surveillance audits are shorter than Stage 2 (typically 1 to 4 days), but they are not optional. Skipping or failing a surveillance audit can suspend or revoke the certificate.

Stage 4: Recertification (year 3)

At the end of the three-year cycle, you go through a full recertification audit. It is a full Stage 2-style audit, not a surveillance audit. Most organizations spend less time on recertification than on initial certification because the ISMS is already running, but the audit fee is comparable.

For a deeper internal audit and surveillance perspective, see the ISO 27001 internal audit checklist and the ISO 27001 audit process guide.

What ISO 27001 certification costs

ISO 27001 certification has more cost components than people expect. A realistic 2026 budget for a 50 to 200 person company:

| Cost component                       | Year 1             | Year 2             | Year 3                    |
|--------------------------------------|--------------------|--------------------|---------------------------|
| Gap assessment (consultant)          | $8,000-$25,000     | $0                 | $0                        |
| Implementation consulting (optional) | $15,000-$60,000    | $0-$10,000         | $0-$10,000                |
| Stage 1 + Stage 2 audit fees         | $10,000-$40,000    | $0                 | $15,000-$45,000 (recert)  |
| Surveillance audit fee               | $0                 | $5,000-$15,000     | $5,000-$15,000            |
| Compliance automation tooling        | $15,000-$40,000/yr | $15,000-$40,000/yr | $15,000-$40,000/yr        |
| Internal labor (allocated)           | $25,000-$75,000    | $15,000-$45,000    | $20,000-$50,000           |
| Training, awareness, exercises       | $3,000-$10,000     | $2,000-$8,000      | $2,000-$8,000             |
| Total                                | $76,000-$250,000   | $37,000-$118,000   | $57,000-$168,000          |

Three variables dominate the total: company size (audit duration scales with headcount and locations), scope (a single product line is much cheaper than the entire company), and how much you outsource to consultants. A bootstrapped startup willing to do its own implementation and use a low-cost certification body can land near $30,000 to $40,000 in year 1; a regulated mid-market company using a top-tier certification body and full implementation consulting easily exceeds $200,000.

For deeper cost analysis with country-specific breakdowns, see the ISO 27001 certification cost guide.

What documents you actually need

ISO 27001:2022 mandates a specific set of "documented information." This is the minimum:

  • ISMS scope statement.
  • Information security policy and topic-specific policies (access control, cryptography, incident response, supplier security, etc.).
  • Risk assessment methodology and risk register.
  • Risk treatment plan.
  • Statement of Applicability covering all 93 Annex A controls (applied or excluded with rationale).
  • Internal audit program and report.
  • Management review records.
  • Records of training, awareness, and competence.
  • Records of incidents and corrective actions.
  • Evidence of operation for each implemented control (logs, screenshots, tickets, configuration exports).

Most ISO 27001 ISMSes end up with 25 to 50 distinct documents. Compliance automation platforms like Vanta, Drata, Sprinto, and Secureframe ship template libraries that cover 80 to 90 percent of this work; you fill in the company-specific details.

The Statement of Applicability is the most important document

Auditors spend more time on the Statement of Applicability than on any other document. It lists every Annex A control, marks it Applied or Not Applied, gives the rationale for the decision, and references the policy or evidence that proves the control is in place. A weak SoA is the fastest way to fail Stage 1 of ISO 27001 certification. See the ISO 27001 Statement of Applicability template for a working starting point.
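Because the SoA is checked control by control, it is worth machine-checking it before the auditor does. The script below is an added example for this guide, not tooling from the article or from any certification body. It assumes the SoA has been exported as a CSV with the hypothetical columns control_id, status, rationale and reference, and it derives the 93 Annex A identifiers from the four theme sizes the standard defines (37 Organizational, 8 People, 14 Physical, 34 Technological, numbered A.5.x, A.6.x, A.7.x and A.8.x). It flags the defects that turn into Stage 1 areas of concern: controls missing or duplicated, unknown identifiers, a status other than Applied or Not Applied, an exclusion with no rationale, and an applied control with no policy or evidence reference.

```python
"""Statement of Applicability (SoA) completeness checker.

Added example for this guide (not the article's own tooling). Checks an
SoA exported as CSV against the 93-control Annex A catalogue of
ISO/IEC 27001:2022: every control present exactly once, each marked
Applied or Not Applied, exclusions justified, and applied controls backed
by a policy or evidence reference.
"""
import csv
import io
from collections import Counter

# Annex A 2022 theme ranges: 37 Organizational, 8 People, 14 Physical and
# 34 Technological controls, numbered A.5.1-A.5.37, A.6.1-A.6.8,
# A.7.1-A.7.14 and A.8.1-A.8.34.
THEMES = {
    "Organizational": (5, 37),
    "People": (6, 8),
    "Physical": (7, 14),
    "Technological": (8, 34),
}


def expected_controls():
    """Return the full set of 93 Annex A control identifiers."""
    ids = set()
    for clause, count in THEMES.values():
        for n in range(1, count + 1):
            ids.add(f"A.{clause}.{n}")
    return ids


def check_soa(csv_text):
    """Validate SoA rows; return a dict of finding lists (all empty = clean).

    Assumed CSV columns (hypothetical export layout):
    control_id, status, rationale, reference
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    expected = expected_controls()
    seen = Counter(r["control_id"].strip() for r in rows)
    findings = {
        "missing": sorted(expected - set(seen)),
        "unknown": sorted(set(seen) - expected),
        "duplicate": sorted(c for c, k in seen.items() if k > 1),
        "bad_status": [],
        "exclusion_without_rationale": [],
        "applied_without_reference": [],
    }
    for r in rows:
        cid = r["control_id"].strip()
        status = r["status"].strip().lower()
        if status not in ("applied", "not applied"):
            findings["bad_status"].append(cid)
        elif status == "not applied" and not r["rationale"].strip():
            findings["exclusion_without_rationale"].append(cid)
        elif status == "applied" and not r["reference"].strip():
            findings["applied_without_reference"].append(cid)
    return findings


def is_audit_ready(findings):
    """True only when no finding list contains anything."""
    return not any(findings.values())


def sample_soa():
    """Constructed sample SoA: every control applied with a reference,
    except three rows deliberately left defective."""
    lines = ["control_id,status,rationale,reference"]
    for cid in sorted(expected_controls()):
        if cid == "A.5.23":      # cloud services excluded with no rationale
            lines.append(f"{cid},Not Applied,,")
        elif cid == "A.8.28":    # secure coding applied, no evidence reference
            lines.append(f"{cid},Applied,,")
        elif cid == "A.5.7":     # threat intelligence with an invalid status
            lines.append(f"{cid},Partial,,POL-TI-01")
        else:
            lines.append(f"{cid},Applied,In scope,POL-{cid}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = check_soa(sample_soa())
    for kind, ids in result.items():
        if ids:
            print(f"{kind}: {', '.join(ids)}")
    print("audit-ready" if is_audit_ready(result) else "not audit-ready")
```

Run it against the real export before Stage 1; any non-empty finding list is a question the auditor will ask. The constructed sample reports A.5.7 (bad status), A.5.23 (exclusion without rationale) and A.8.28 (applied without reference) and is therefore not audit-ready.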

ISO 27001 certification vs other frameworks

The most useful comparisons in 2026:

| Framework   | Geographic strength                       | Output                                      | Validity                                     | Audit rigor      |
|-------------|-------------------------------------------|---------------------------------------------|----------------------------------------------|------------------|
| ISO 27001   | Global, especially EU + APAC              | Certificate from accredited body            | 3 years + annual surveillance                | High             |
| SOC 2       | U.S. and U.S.-customer-driven             | CPA attestation report (Type 1 or Type 2)   | Type 2 covers 3-12 month observation window  | Medium-high      |
| HIPAA       | U.S. healthcare only                      | No certificate; OCR enforcement             | Continuous                                   | Variable         |
| NIST CSF    | U.S., increasingly global                 | Self-assessment or third-party attestation  | Continuous                                   | Self-determined  |
| PCI DSS     | Global, payment cards only                | Report on Compliance (RoC) or SAQ           | Annual                                       | High for Level 1 |
| HITRUST CSF | U.S. healthcare and increasingly broader  | Certification or readiness report           | 2 years + interim assessment                 | Very high        |

The most common 2026 stacks: SOC 2 + ISO 27001 (B2B SaaS selling globally), ISO 27001 alone (European software companies), SOC 2 alone (U.S.-only B2B), HIPAA + SOC 2 (healthcare SaaS), HIPAA + HITRUST (healthcare data clearinghouses), PCI DSS + ISO 27001 (payment processors).

For the head-to-head, see SOC 2 vs ISO 27001, ISO 27001 vs SOC 2 vs NIST, and NIST CSF vs ISO 27001.

Common ISO 27001 implementation mistakes

Having advised on dozens of ISO 27001 programs in 2024 to 2025, I see the same eight mistakes repeatedly:

  • Scoping too broadly. Trying to cover the entire company on the first cycle. Pick one business unit, product line, or office. Expand at recertification. A focused scope passes Stage 2; a sprawling scope fails it.
  • Treating the SoA as paperwork. The SoA is the audit. A weak SoA produces a weak audit. Spend the time.
  • Hiding controls behind documents. Writing a policy that says "we encrypt at rest" when half of your databases do not is a guaranteed major NC. Document only what is actually true.
  • Skipping the internal audit. Clause 9.2 requires an internal audit before Stage 2. Skipping it means failing Stage 2.
  • Skipping management review. Clause 9.3 requires a documented management review before Stage 2. Same outcome.
  • Picking the cheapest certification body without checking accreditation. A non-accredited certificate is worthless. Verify accreditation under an IAF member body.
  • Not assigning an ISMS owner. ISO 27001 requires explicit roles and responsibilities. Without an owner, the ISMS drifts.
  • Underinvesting in evidence collection. Stage 2 fails when the auditor cannot find evidence that the control was operating. Continuous evidence collection (via automation or process) is non-negotiable.

ISO 27001 in 2026: what changed

Three real shifts in the last 18 months:

  1. The 2022 transition is fully complete. Any certificate issued before October 2022 to ISO 27001:2013 expired in October 2025. Every active certificate in 2026 is to ISO 27001:2022.
  2. Cloud and AI controls in Annex A. The 11 new controls in 2022 included Threat Intelligence (A.5.7), Information Security for Cloud Services (A.5.23), and Secure Coding (A.8.28). Certification bodies in 2026 are testing these with full rigor; in 2023 to 2024 they were still calibrating.
  3. AI-specific guidance. ISO/IEC 42001 (AI management system standard) was published in late 2023. While not part of ISO 27001 itself, certification bodies are increasingly cross-referencing 42001 expectations when auditing AI-heavy companies under 27001. Companies running AI products should expect questions about model governance, training data security, and AI-specific incident response.

Frequently asked questions

Is ISO 27001 mandatory?

Not by law, in most jurisdictions. ISO 27001 is voluntary. It becomes effectively mandatory when your customers, regulators, or insurers ask for it. In 2026, most European enterprise buyers, large healthcare clients, and financial institutions require ISO 27001 (or an equivalent) before contract signature.

How long does ISO 27001 certification take?

For a small to mid-sized company starting from scratch: 8 to 16 months. The audit itself takes a few weeks; the implementation work that precedes it is the bulk of the timeline. For a company that already has a SOC 2 Type 2 in place, the timeline drops to 4 to 8 months because most of the controls are already implemented.

Does ISO 27001 replace SOC 2?

No. They overlap heavily but have different purposes. ISO 27001 is a certification of your management system; SOC 2 is an attestation of your operating effectiveness over a window. Many companies do both. If you are choosing one, see SOC 2 vs ISO 27001.

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is the standard against which you are certified; it defines the requirements for an ISMS. ISO 27002 is the implementation guidance document; it tells you how to implement each Annex A control. You are certified to 27001, not 27002. ISO 27002 is supplemental.

How many controls are in ISO 27001:2022?

93 controls in Annex A, organized into four themes: 37 Organizational, 8 People, 14 Physical, 34 Technological. The 2013 version had 114 controls. The 2022 revision merged duplicates and added 11 new controls.

Can a small business get ISO 27001 certified?

Yes. The standard is scalable; small businesses with as few as 5 employees have achieved certification. The trade-off is cost: with fewer people, you spend more per head. A company under 25 employees should expect $30,000 to $80,000 in year 1 if it implements on its own, more with consultants. The smallest companies that typically get ISO 27001 economically are 25 to 50 person SaaS companies that already have customer demand for it.

Do I need ISO 27001 if I have SOC 2?

If your customers are U.S.-based enterprise software buyers: probably not. If you sell into Europe, financial services, healthcare, or large enterprise: probably yes. The two pair well; running them in parallel adds about 20 to 30 percent on top of the cost of running either alone, because the underlying controls overlap.

Who can issue an ISO 27001 certificate?

Only a certification body accredited under an IAF-member national accreditation body. Issuers are not allowed to consult and certify the same client (the firewall between consulting and audit is strict). Verify accreditation before contracting; an unaccredited certificate is not recognized by enterprise procurement.

Where to go next

If you are evaluating whether to pursue ISO 27001, start with SOC 2 vs ISO 27001 and ISO 27001 certification cost. If you are starting implementation, the ISO 27001 implementation guide, the Annex A controls reference, and the Statement of Applicability template are the three documents to read first. If you have implemented and are preparing for audit, the ISO 27001 internal audit checklist and the audit process guide cover the last mile.

ISO 27001 is the most credible information security credential a company can hold in 2026. The cost is real, the work is meaningful, and the result is a passport that opens enterprise, healthcare, financial, and international doors. The companies that treat the certification as the goal end up disappointed; the ones that use it as the structure on which to build a working security program get value out of it for years.

Authoritative sources: ISO 27001:2022, International Accreditation Forum, ANSI National Accreditation Board, UKAS, ISO 27002:2022 control implementation guide.

James Mitchell
Author
James Mitchell covers topics in this category and related fields. Views expressed are editorial and based on research and experience.