ISO 27001 Certification: Complete Guide
ISO 27001 certification is how an organization proves to customers, regulators, and partners that its information security management system (ISMS) meets the ISO/IEC 27001:2022 standard. The certificate comes from an accredited third-party auditor, not from ISO itself, and is valid for three years.
This guide covers the current version of the standard, the full certification path from scoping through recertification, what it costs, the documents auditors require, and how ISO 27001 differs from SOC 2, HIPAA, and other frameworks.
TL;DR
- The current standard is ISO/IEC 27001:2022, published in October 2022. Every active certificate issued before October 2022 (under the 2013 version) expired in October 2025.
- Certification follows this path: define scope, gap assessment, build your ISMS, internal audit, management review, then a two-stage external audit (Stage 1 documentation review, Stage 2 implementation audit).
- Certificates are valid for three years. Annual surveillance audits in years one and two are required. A full recertification audit runs in year three.
- Your certification body must be accredited under a recognized national accreditation body — ANAB in the US, UKAS in the UK, DAkkS in Germany — all operating under the framework now coordinated by Global ACI (which replaced the former IAF as of January 2026). Certificates from unaccredited bodies are not recognized by enterprise procurement.
- The 2022 revision reorganized Annex A from 114 controls in 14 domains to 93 controls across four themes — Organizational (37), People (8), Physical (14), and Technological (34) — adding 11 new controls including Threat Intelligence (A.5.7), Information Security for Cloud Services (A.5.23), and Secure Coding (A.8.28).
Who this is for
This guide is written for security leads, compliance managers, and founders evaluating whether to pursue ISO 27001 certification, and for engineers and program managers preparing for an initial or recertification audit. It assumes you understand what an ISMS is but want a clear picture of the full process, the costs, and the common failure modes.
What ISO 27001 Is (and What It Is Not)
ISO 27001 is an international standard that defines requirements for establishing, implementing, maintaining, and continually improving an information security management system. The controlling version is ISO/IEC 27001:2022, published in October 2022.
Certification means an accredited third-party auditor has verified that your ISMS meets those requirements. ISO itself does not issue certificates. The certificate carries the name of the certification body that audited you — BSI, DNV, TÜV SÜD, LRQA, Schellman, A-LIGN, Coalfire ISO, NQA, and others.
It is a management system standard, which matters for how you read it. The bulk of the text (Clauses 4 through 10) describes requirements for how your organization manages information security: who is accountable, how risks are identified and treated, what records must exist, how performance is measured, and how problems are corrected. Annex A is the control catalog — the specific security measures your ISMS must address.
The companion document is ISO/IEC 27002:2022, which provides implementation guidance for each Annex A control. You are certified against ISO 27001. ISO 27002 explains how to implement the controls; ISO 27001 requires that you address them.
The Annex A Control Structure in 2022
The 2022 revision replaced the 2013 structure (14 control categories, 114 controls) with four themes:
| Theme | Control range | Count |
|---|---|---|
| Organizational | A.5.1 — A.5.37 | 37 |
| People | A.6.1 — A.6.8 | 8 |
| Physical | A.7.1 — A.7.14 | 14 |
| Technological | A.8.1 — A.8.34 | 34 |
| Total | | 93 |
Eleven controls are new in the 2022 revision. They address threat areas that were absent from the 2013 standard:
- A.5.7 — Threat Intelligence
- A.5.23 — Information Security for Use of Cloud Services
- A.5.30 — ICT Readiness for Business Continuity
- A.7.4 — Physical Security Monitoring
- A.8.9 — Configuration Management
- A.8.10 — Information Deletion
- A.8.11 — Data Masking
- A.8.12 — Data Leakage Prevention
- A.8.16 — Monitoring Activities
- A.8.23 — Web Filtering
- A.8.28 — Secure Coding
Certification bodies have been auditing these controls with full rigor since 2024. If your ISMS was built primarily around the 2013 control set, these eleven deserve close attention before your next audit.
Who Issues Certificates
Certification bodies are accredited by national accreditation bodies, which operate under the multilateral recognition framework now maintained by Global ACI (Global Accreditation Cooperation Incorporated), which merged the former International Accreditation Forum and ILAC in January 2026. The national bodies you will encounter most often: ANAB (US), UKAS (UK), DAkkS (Germany), COFRAC (France), ACCREDIA (Italy).
An unaccredited certificate — one issued by a body not accredited under this chain — carries no standing with enterprise procurement teams or regulated-sector buyers. Before contracting with any certification body, verify their accreditation status directly with the relevant national body.
The Certification Path, Step by Step

For a 50 to 200 person company starting from scratch, the full path from decision to certificate typically takes 8 to 16 months. A company that already holds a current SOC 2 Type 2 report can often cut that to 4 to 8 months because the controls overlap heavily.
Step 1: Define the ISMS Scope
The scope statement (required under Clause 4.3) defines exactly which parts of your organization fall under the ISMS — which business units, products, locations, and third-party interfaces are inside the boundary, and which are excluded with documented rationale.
Two errors are equally dangerous here. Scoping too broadly — "the entire organization" — inflates audit effort and cost and forces you to operate controls across systems that do not touch sensitive information. Scoping too narrowly risks satisfying neither enterprise customers nor regulated-sector buyers.
A practical starting point for SaaS companies: scope the production environment and the team that manages it. You can expand the boundary at recertification once the ISMS is stable.
The auditor will challenge scope boundaries that look arbitrary or that exclude obvious dependencies. Have a written rationale for every boundary decision.
Step 2: Run a Gap Assessment
A gap assessment compares your current security posture against the 2022 standard clause by clause and control by control. The output is a prioritized remediation plan: which controls are fully in place, which are partial, and which are absent.
This is not an audit, and no certification body involvement is required. You can run it internally if someone on your team understands the standard, or engage an external consultant. One constraint to plan around: the auditor independence rules in ISO/IEC 17021-1 bar a certification body from certifying an ISMS it helped build, so the firm that runs your gap assessment or consults on implementation cannot also be the body that audits you. Choose the gap assessment provider and the certification body as separate parties.
Step 3: Build the ISMS
Implementation is where most of the time goes. The work has three parallel tracks:
Documentation. The standard requires specific documented information. The minimum set:
- ISMS scope statement
- Information security policy and topic-specific policies (access control, cryptography, incident response, supplier security, acceptable use)
- Risk assessment methodology
- Risk register
- Risk treatment plan
- Statement of Applicability (covering all 93 Annex A controls)
- Internal audit program and records
- Management review records
- Competence and awareness training records
- Incident and corrective action records
- Evidence of operation for each implemented control
Most ISMSes produce 25 to 50 distinct documents by the time Stage 1 begins. Compliance automation platforms such as Vanta, Drata, Sprinto, and Secureframe supply template libraries that cover the bulk of this documentation work; you fill in organization-specific details.
Control implementation. You deploy or configure the technical and process controls selected in your Statement of Applicability. How long this takes depends on your starting point. If you already have security tooling in place and the gap assessment showed mostly procedural gaps, implementation may take weeks. If you are building from nothing, it takes months.
Evidence accumulation. Auditors at Stage 2 sample evidence that controls were operating, not just deployed. Continuous evidence collection — through automated compliance tooling, periodic screenshots, JIRA ticket exports, or pull request logs — must begin well before the Stage 2 audit window. A control that went live the week before the audit is difficult to defend.
Step 4: Write the Statement of Applicability
The Statement of Applicability (SoA) deserves its own step because auditors treat it as the central document in any ISO 27001 review. For every one of the 93 Annex A controls, the SoA must state:
- Whether the control is applied or excluded
- The justification for that decision (linked to the risk register for applied controls; linked to a documented rationale for exclusions)
- A reference to the policy, procedure, or evidence artifact that demonstrates the control is operational
A weak SoA — one that lists controls without clear rationale or evidence references — is the most reliable predictor of Stage 1 findings that delay certification.
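The three SoA requirements above, plus the evidence-freshness point from Step 3, can be checked mechanically before Stage 1. The script below is an added example written for this guide; it is not code from the guide, from ISO, or from any compliance platform. The record layout it expects (one dict per control with `status`, `justification`, `risk_ids` and `evidence` keys), the `max_age_days` freshness threshold, the `REVIEW_DATE`, and all sample values are assumptions constructed here; adapt the loader to whatever your ISMS tooling exports.

```python
"""Lint a Statement of Applicability (SoA) against the ISO/IEC 27001:2022 Annex A
control set: all 93 controls present, each applied or excluded with a rationale,
applied controls tied to the risk register and to evidence that is still fresh.

Added example for this guide, not code from the guide, ISO, or any vendor.
The record layout (status / justification / risk_ids / evidence) and the
freshness thresholds are assumptions made here.
"""
from __future__ import annotations

from datetime import date, timedelta

# Annex A 2022: four themes, 93 controls (counts as given in the guide).
ANNEX_A_THEMES = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}

# Freshness window used when an evidence artefact sets none (assumption).
DEFAULT_MAX_AGE_DAYS = 365

# Constructed "today" for the sample run; use date.today() in practice.
REVIEW_DATE = date(2026, 5, 12)


def annex_a_control_ids() -> list[str]:
    """Enumerate every Annex A 2022 control identifier, A.5.1 through A.8.34."""
    return [f"{theme}.{n}" for theme, count in ANNEX_A_THEMES.items()
            for n in range(1, count + 1)]


def _control_key(cid: str) -> tuple[int, ...]:
    """Sort A.5.10 after A.5.9 rather than after A.5.1."""
    return tuple(int(part) for part in cid.split(".")[1:])


def lint_soa(soa: dict[str, dict], as_of: date) -> list[str]:
    """Return one finding per defect; an empty list means the SoA passes this lint."""
    findings: list[str] = []
    expected = set(annex_a_control_ids())

    for cid in sorted(expected - soa.keys(), key=_control_key):
        findings.append(f"{cid}: not listed in SoA")
    for cid in sorted(soa.keys() - expected, key=_control_key):
        findings.append(f"{cid}: not an Annex A 2022 control identifier")

    for cid in sorted(expected & soa.keys(), key=_control_key):
        entry = soa[cid]
        status = entry.get("status")
        if status not in ("applied", "excluded"):
            findings.append(f"{cid}: status must be 'applied' or 'excluded'")
            continue
        if not entry.get("justification", "").strip():
            findings.append(f"{cid}: missing justification")
        if status == "excluded":
            continue  # an exclusion needs a documented rationale, not evidence
        if not entry.get("risk_ids"):
            findings.append(f"{cid}: applied control not linked to any risk register entry")
        evidence = entry.get("evidence", [])
        if not evidence:
            findings.append(f"{cid}: applied control has no evidence reference")
        for artefact in evidence:
            age = (as_of - artefact["collected"]).days
            limit = artefact.get("max_age_days", DEFAULT_MAX_AGE_DAYS)
            if age > limit:
                findings.append(f"{cid}: evidence {artefact['ref']} is {age} days old, "
                                f"older than its {limit}-day review cycle")
    return findings


def sample_soa(as_of: date, with_defects: bool = True) -> dict[str, dict]:
    """Constructed sample SoA: every control applied with 20-day-old evidence,
    optionally with five deliberate defects of the kinds a Stage 1 review flags."""
    soa = {
        cid: {
            "status": "applied",
            "justification": "Treats risk R-01 (constructed)",
            "risk_ids": ["R-01"],
            "evidence": [{"ref": f"EV-{cid}", "collected": as_of - timedelta(days=20),
                          "max_age_days": 90}],
        }
        for cid in annex_a_control_ids()
    }
    if with_defects:
        del soa["A.8.28"]                      # Secure Coding absent from the SoA entirely
        soa["A.5.7"]["evidence"] = []          # Threat Intelligence applied, nothing to show
        soa["A.8.11"] = {"status": "excluded", "justification": "",  # Data Masking excluded, no rationale
                         "risk_ids": [], "evidence": []}
        soa["A.8.9"]["evidence"][0]["collected"] = as_of - timedelta(days=400)  # stale evidence
        soa["A.9.1"] = dict(soa["A.5.1"])      # identifier that does not exist in Annex A 2022
    return soa


if __name__ == "__main__":
    for line in lint_soa(sample_soa(REVIEW_DATE), REVIEW_DATE):
        print(line)
```

Run against a real export, the findings list is the pre-Stage 1 punch list: a missing control, an unknown identifier carried over from an older control set, an applied control with no evidence, stale evidence, and an exclusion with no rationale each surface as a separate line. The per-artefact `max_age_days` is where you encode the review cadence your own policy commits to, so a quarterly access review that last ran nine months ago is caught before the auditor catches it.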
Step 5: Internal Audit
Clause 9.2 requires an internal audit before Stage 2. This is not optional. Some organizations run the internal audit using staff from a different business unit. Others hire a consultant. Either approach satisfies the requirement. What matters is that the audit is planned, executed, and documented, and that findings from it feed into a corrective action process before Stage 2.
Skipping the internal audit means failing Stage 2.
Step 6: Management Review
Clause 9.3 requires a documented management review before the certification audit. Senior leadership must review the performance of the ISMS, the results of the internal audit, outstanding corrective actions, and any changes to the risk environment. The meeting must be documented with records of what was reviewed and what decisions were made.
Like the internal audit, skipping or underdocumenting the management review is a reliable path to a major nonconformity at Stage 2.
Step 7: Stage 1 Audit — Documentation Review
Stage 1 is a structured review of your ISMS documentation: the scope statement, risk assessment, Statement of Applicability, internal audit records, and management review records. It is primarily conducted off-site. The certification body's auditor does not test whether your controls work during Stage 1; they verify that your documented ISMS is logically complete and ready for implementation testing.
The auditor issues a Stage 1 report identifying any concerns — missing mandatory documents, logical gaps in the risk assessment, an incomplete SoA. You typically have 30 to 90 days to address Stage 1 findings before Stage 2 proceeds.
Step 8: Stage 2 Audit — Implementation Audit
Stage 2 is the on-site (or virtual) audit where the auditor tests whether your controls are actually operating. They interview staff, observe processes, sample evidence artifacts, and verify that documented policies match operational reality. For a 50 to 200 person organization, Stage 2 typically takes 3 to 8 days of auditor time spread over one or two weeks.
Findings are categorized as:
- Major nonconformity: A systemic failure or an absent required clause. Major NCs must be closed before the certificate can issue. The certification body will not publish the certificate until you have submitted evidence of correction and the auditor has accepted it.
- Minor nonconformity: A localized control gap. Minor NCs require a corrective action plan but do not block certification, provided the plan is accepted by the certification body within an agreed timeframe.
- Opportunity for improvement: Suggestions with no corrective action obligation.
If Stage 2 produces no major nonconformities, the certification body issues your ISO 27001 certificate. The certificate is valid for three years from the issue date.
Step 9: Surveillance Audits (Years 1 and 2)
In each of the first two years after initial certification, the certification body returns for a surveillance audit. Surveillance audits are shorter than Stage 2 — typically 1 to 4 days — but they are mandatory. They verify that the ISMS is still operating effectively: that controls are active, internal audits are being conducted, management reviews are happening, and incidents are being addressed.
Failing to schedule a surveillance audit, or failing a surveillance audit without remediation, can result in certificate suspension or withdrawal.
Step 10: Recertification Audit (Year 3)
At the end of the three-year certificate cycle, you undergo a full recertification audit. This is a Stage 2-style audit, not a surveillance audit. The certification body reviews the full ISMS: documentation, risk register, SoA, internal audit history, and operating controls.
Recertification typically moves faster than initial certification for organizations that have maintained their ISMS actively. The audit fee is comparable to the original Stage 2 fee.
What ISO 27001 Costs
The cost of ISO 27001 certification has more components than people expect, and the range is wide because three variables dominate: company size (audit duration scales with headcount and locations), scope (a single product line is much cheaper than the entire company), and how much you outsource.
The figures below are aggregated from published consulting guides and certification body cost discussions. No single vendor's estimate is authoritative; treat this as a planning framework.
| Cost component | Year 1 | Year 2 | Year 3 |
|---|---|---|---|
| Gap assessment (consultant) | Approximately $5,700 for orgs up to 250 employees; see note [1] | — | — |
| Implementation consulting (optional) | Varies; consultant day rates run $1,400–$1,800; see note [1] | Reduced or zero | Reduced or zero |
| Stage 1 + Stage 2 audit fees | See note [2] | — | Full recert audit fee |
| Surveillance audit fee | — | Required; approximately $10,000/yr; see note [2] | Required |
| Compliance automation tooling | Per vendor pricing; see vendor pricing pages directly | Ongoing | Ongoing |
| Internal labor (allocated) | Significant; scales with scope and team size | Lower | Moderate |
The figures for consultant day rates and gap assessment costs come from Pivot Point Security's published guide (accessed 2026-05-12) [1]. Secureframe's published cost guide (accessed 2026-05-12) [2] cites overall preparation costs averaging up to $40,000, an initial certification audit in the range of $10,000–$50,000+, and surveillance audit costs of approximately $10,000 per year.
Because none of these sources give methodology beyond stated estimates, we do not reproduce a single dollar-figure range as authoritative. Get quotes from at least three accredited certification bodies — audit fees are negotiable, and certification body pricing varies meaningfully by geographic market and company profile.
Required Documents
ISO 27001:2022 mandates specific documented information. The minimum set is listed in Clause 4.3, Clause 6.1.2, Clause 6.1.3, Clause 8.1, Clause 9.1, Clause 9.2, and Clause 9.3. In plain terms:
- ISMS scope statement (Clause 4.3)
- Information security policy (Clause 5.2) and topic-specific policies
- Risk assessment methodology (Clause 6.1.2)
- Risk register (Clause 6.1.2)
- Risk treatment plan (Clause 6.1.3)
- Statement of Applicability (Clause 6.1.3.d) — all 93 controls, applied or excluded with rationale
- Information security objectives (Clause 6.2)
- Internal audit program and reports (Clause 9.2)
- Management review records (Clause 9.3)
- Corrective action records (Clause 10.1)
- Operational records — evidence of control operation (logs, configurations, access reviews, training completions, incident records)
The SoA is the document auditors spend the most time examining at Stage 1. For a working starting point, see the ISO 27001 Statement of Applicability guide.
ISO 27001 vs Other Frameworks

The comparison that matters most in practice:
| Framework | Geographic strength | Output type | Validity period | Auditor independence standard |
|---|---|---|---|---|
| ISO 27001 | Global, strongest in EU and APAC | Certificate from accredited body | 3 years + annual surveillance | ISO/IEC 17021-1 |
| SOC 2 | US and US-customer-driven markets | CPA attestation report (Type 1 or Type 2) | Type 2 covers a 3–12 month observation window | AICPA AT-C 205 / SSAE 18 |
| HIPAA | US healthcare only | No certificate; OCR enforcement only | Continuous obligation | No mandated auditor; varies |
| NIST CSF | US, increasingly used globally | Self-assessment or third-party attestation | Continuous; no expiration mechanism | No standard; self-determined |
| PCI DSS v4.0 | Global, payment card transactions only | Report on Compliance (RoC) or SAQ | Annual | PCI SSC QSA program |
The structural difference between ISO 27001 and SOC 2 is frequently misunderstood. ISO 27001 is a certification of your management system — the auditor assesses whether your ISMS structure meets the standard. SOC 2 is an attestation of operating effectiveness — the auditor attests that your controls operated as described over a defined period (for Type 2). The two serve different buyer populations and are not substitutes for each other.
HIPAA is a US federal regulation, not a certifiable framework. There is no HIPAA certificate. Organizations satisfy HIPAA through ongoing compliance; OCR enforces it through investigations and penalties. Treating HIPAA and ISO 27001 as equivalent credentialing mechanisms is a category error.
Common framework stacks in practice: SOC 2 + ISO 27001 for B2B SaaS selling globally, ISO 27001 alone for European software vendors, SOC 2 alone for US-only B2B, HIPAA + SOC 2 for healthcare SaaS, PCI DSS + ISO 27001 for payment processors.
Eight Implementation Mistakes That Derail Certification
These appear consistently across the organizations that arrive at Stage 2 unprepared.
1. Scoping the entire company on the first cycle. Pick one product line, one business unit, or one geographic location. Expand at recertification. A focused scope passes Stage 2; a sprawling scope fails it, or passes with so many findings that the corrective action burden outweighs whatever was gained by not narrowing the scope in the first place.
2. Writing a Statement of Applicability that lists controls without evidence references. The SoA must reference the specific policy, system, or record that demonstrates each control is operating. A list of checkboxes does not satisfy the auditor.
3. Documenting controls that are not actually in place. An access control policy that says "we review privileged access quarterly" is a guaranteed major NC if your last access review was nine months ago. Document only what is operationally true.
4. Skipping the internal audit before Stage 2. Clause 9.2 is mandatory. There is no workaround. Schedule the internal audit with enough lead time that findings can be remediated before Stage 2 begins.
5. Underdocumenting the management review. A calendar invite with no documented agenda, no recorded decisions, and no action items does not satisfy Clause 9.3. The management review record must show what was reviewed, what was decided, and what corrective actions were assigned.
6. Choosing a certification body without verifying accreditation. Accreditation status can be checked directly on the national body's website (ANAB, UKAS, DAkkS). An unaccredited certificate is not recognized by enterprise procurement.
7. Not assigning a named ISMS owner. ISO 27001 requires explicit roles and responsibilities. Without a named owner — someone accountable for the ISMS who has sufficient authority and resource access — the ISMS drifts between audit cycles.
8. Underinvesting in continuous evidence collection. Stage 2 fails when the auditor cannot find evidence that controls were operating, not just deployed. Start collecting evidence — access review records, patch deployment logs, training completions, incident records — from the day the control goes live.
What Changed After October 2025
Three developments are relevant for any organization starting or renewing certification in 2026:
The 2013 standard is fully retired. The transition deadline for certificates issued under ISO/IEC 27001:2013 was October 31, 2025. Any certificate still referencing the 2013 version is expired. Every active certificate in circulation in 2026 references ISO/IEC 27001:2022.
The eleven new 2022 controls are now fully enforced. The controls for Threat Intelligence, Cloud Services, Configuration Management, Data Masking, Data Leakage Prevention, Secure Coding, and the others listed above were treated leniently by some certification bodies in 2023 and early 2024 while both auditors and clients were still calibrating. That period is over. Gap assessments and audit preparation must treat all eleven with the same rigor as established controls.
AI-heavy companies should expect questions about model governance. ISO/IEC 42001 (AI management systems) was published in December 2023. It is not part of ISO 27001. However, certification bodies auditing companies with significant AI products have begun asking about model governance, training data security, and AI-specific incident response within the ISO 27001 audit scope, particularly under controls A.5.7 (Threat Intelligence) and A.8.28 (Secure Coding). This is not a formal requirement — but if you run AI products and are preparing for Stage 2, prepare to discuss it.
Frequently Asked Questions

Is ISO 27001 legally required?
In most jurisdictions, no. ISO 27001 is a voluntary standard. It becomes a practical requirement when your enterprise customers, insurers, or regulated-sector partners ask for it as a condition of contract. Most European enterprise buyers, many financial institutions, and a growing number of US government contractors treat ISO 27001 or an equivalent as a vendor baseline requirement.
How long does ISO 27001 certification take?
For a 50 to 200 person company building an ISMS from scratch: 8 to 16 months. The audit itself (Stage 1 + Stage 2) takes a few weeks of scheduled time; the ISMS implementation, evidence accumulation, internal audit, and management review that precede it account for most of the calendar. For a company that already has a current SOC 2 Type 2 in place, the timeline typically drops to 4 to 8 months.
Does ISO 27001 replace SOC 2?
No. They differ structurally: ISO 27001 certifies your management system; SOC 2 attests to operating effectiveness over an observation window. They serve different buyer populations and are used in combination by many B2B SaaS companies selling into multiple markets. For a detailed comparison, see SOC 2 vs ISO 27001.
What is the difference between ISO 27001 and ISO 27002?
You are certified against ISO 27001, which defines the requirements for an ISMS. ISO 27002 provides implementation guidance for each Annex A control — it explains how to implement each control, not whether you must. ISO 27002 is supplemental; no one is certified to ISO 27002.
How many controls are in ISO 27001:2022?
93 controls in Annex A, organized into four themes: Organizational (37), People (8), Physical (14), and Technological (34). The 2013 version had 114 controls across 14 categories. The 2022 revision merged duplicates and added 11 new controls.
Can a small company get ISO 27001 certified?
Yes. The standard scales to organization size. Companies with fewer than 25 employees have achieved certification, though the cost per employee is higher at small scale. The smallest cohort that pursues ISO 27001 efficiently tends to be 25 to 50 person SaaS companies that have concrete customer demand for it and can justify the first-year investment.
Who can issue an ISO 27001 certificate?
Only a certification body accredited under a national accreditation body that operates within the Global ACI multilateral recognition framework (the body that replaced IAF as of January 2026). Certification bodies cannot consult and certify the same client; the independence rules are specified in ISO/IEC 17021-1.
Where to Go Next
If you are deciding whether to pursue ISO 27001, start with SOC 2 vs ISO 27001 for a framework choice guide, and the ISO 27001 certification cost guide for a budget picture.
If you are starting implementation, the ISO 27001 implementation guide, the Annex A controls reference, and the Statement of Applicability guide cover the core documentation work.
If you are preparing for audit, the ISO 27001 internal audit checklist and the audit process guide cover what auditors actually test.
Sources
- Pivot Point Security, "ISO 27001 Certification Cost" (accessed 2026-05-12). Cited for consultant day rate range ($1,400–$1,800) and gap assessment quote ($5,700 for orgs up to 250 employees). https://www.pivotpointsecurity.com/blog/iso-27001-certification-cost/
- Secureframe, "How Much Does ISO 27001 Certification Cost?" (accessed 2026-05-12). Cited for average preparation cost (~$40,000), initial audit range ($10,000–$50,000+), surveillance audit (~$10,000/yr). https://secureframe.com/blog/iso-27001-certification-cost
- ISMS.online, "ISO 27001:2022 Annex A Controls" (accessed 2026-05-12). Source for all 11 new control names and numbers, and four-theme control counts. https://isms.online/iso-27001/annex-a/
- ISO, "ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements." https://www.iso.org/standard/27001
- ISO, "ISO/IEC 27002:2022 — Information security controls." https://www.iso.org/standard/75652.html
- ISO, "ISO/IEC 17021-1:2015 — Conformity assessment — Requirements for bodies providing audit and certification of management systems." https://www.iso.org/standard/61651.html
- Global Accreditation Cooperation Incorporated (Global ACI), successor to IAF as of January 2026. https://global-aci.org/
- ANAB (ANSI National Accreditation Board), US national accreditation body for ISO 27001 certification bodies. https://anab.ansi.org
- UKAS, UK national accreditation body. https://www.ukas.com
Last reviewed: 2026-05-12. This article was prepared by the Security Compliance Guide Editorial Team. We use AI to draft initial summaries of publicly available cybersecurity compliance documentation, then verify every claim against primary sources before publication. We are not licensed auditors, attorneys, or compliance consultants. For binding decisions, consult a qualified professional. See our editorial standards for full sourcing rules.
