ISO 27001 Implementation
ISO 27001.
Done properly.
ISO 27001 certification signals that your information security management system is real — not a PDF policy nobody follows. We build the ISMS, author the Statement of Applicability, implement the Annex A controls, and support you through Stage 1 and Stage 2 with the certification body.
ISO 27001:2022 · Certification-body agnostic
4–6 months
Fixed-fee project
International & regulated
ISO 27001 certificate
Is this the right framework?
ISO 27001 vs SOC 2 — which do you need?
ISO 27001
Your customers are asking for it globally
ISO 27001 is the international standard recognized by procurement teams worldwide — across Europe, Asia Pacific, the Middle East, and beyond. SOC 2 is largely a US framework.
ISO 27001
You need a certificate, not just a report
SOC 2 produces an attestation report. ISO 27001 produces a certificate issued by an accredited third party — it's a credential, not just an audit output.
SOC 2 first
US enterprise buyers are blocking deals
US-based enterprise buyers almost universally ask for SOC 2. If your primary market is domestic, SOC 2 may unblock more deals faster.
Learn about SOC 2 →
Many companies pursue both — ISO 27001 for international deals, SOC 2 for US-focused deals. We can sequence them or run them in parallel. Ask us how →
Annex A
93 controls.
4 themes.
ISO 27001:2022 restructured the control set from 114 controls across 14 domains to 93 controls across 4 themes. We implement, evidence, and document every applicable control — and build a defensible justification for every exclusion in your Statement of Applicability.
Organizational controls
Policies, roles, supplier management, threat intelligence
People controls
Background checks, training, disciplinary process
Physical controls
Physical perimeters, entry control, clean desk
Technological controls
Access management, encryption, vulnerability management, logging
Our process
Six phases.
Certified at the end.
Every ISO 27001 engagement follows this six-phase structure. You'll know exactly where you are in the process, what your certification body will see at each stage, and what we need from your team each week.
Gap assessment
We assess your current state against all 93 Annex A controls and the mandatory ISMS requirements in clauses 4 through 10 of ISO 27001:2022. You receive a gap report, a risk register starter, and a realistic scoping recommendation.
ISMS design
We design your Information Security Management System: scope definition, leadership context, risk treatment framework, and the organizational structure required by the standard.
Statement of Applicability
We build the SoA — the control-by-control justification document that your certification body will audit you against. Every exclusion is defensible. Every inclusion is implemented.
Control implementation
We work through all applicable Annex A controls — from access management and supplier security to physical controls and incident management. Policies written, evidence collected.
Internal audit
We conduct a full internal audit against the ISO 27001:2022 standard — the clause 9.2 activity certification bodies expect to see planned at Stage 1 and completed, together with the clause 9.3 management review, before Stage 2. Findings documented, nonconformities resolved.
Certification audit support
We prepare you for Stage 1 (documentation review) and support you through Stage 2 (implementation testing). We stay available during the audit for clarifications and real-time guidance.
Deliverables
Everything your auditor needs.
All deliverables are formatted to certification-body standards and transferable to your team — so you own the program, not just the certificate.
- 01 Gap assessment report with risk ratings
- 02 ISMS scope statement and context of the organization
- 03 Information security risk register
- 04 Statement of Applicability (SoA)
- 05 Full ISO 27001:2022 policy library (30+ policies)
- 06 Annex A controls implementation evidence
- 07 Internal audit report
- 08 Stage 1 readiness brief
- 09 Corrective action register
- 10 Certification body liaison throughout
FAQ
Common questions.
How long does ISO 27001 certification take?
A typical implementation from gap assessment to Stage 2 certification takes 4–6 months. Organizations with existing security programs may move faster. The timeline depends heavily on how many Annex A controls are applicable and how quickly your team can provide evidence for implemented controls.
What is the difference between ISO 27001 and SOC 2?
ISO 27001 is an international standard that results in a certificate issued by an accredited certification body — it demonstrates that your ISMS conforms to the standard globally. SOC 2 is a US-origin attestation report issued by a CPA firm — it's what US enterprise buyers typically ask for. International procurement teams — and companies outside the US — tend to ask for ISO 27001. Many companies pursue both.
Do you work with any ISO certification body, or just specific ones?
We are certification-body agnostic. We prepare you against the standard and will work with whichever accredited body you choose — BSI, Bureau Veritas, SGS, TÜV, DNV, or others. We can advise on the tradeoffs between bodies if helpful.
We already have ISO 27001:2013. Do we need to re-certify for 27001:2022?
Yes — ISO 27001:2013 certificates ceased to be valid after 31 October 2025, the end of the transition period. The 2022 revision restructured Annex A significantly (from 114 controls across 14 domains to 93 controls across 4 themes, with 11 new controls), so your SoA and control evidence need to be remapped. We support both fresh implementations and 2013→2022 transitions, whether handled at a surveillance audit or at recertification.
What is a Statement of Applicability?
The SoA is the document required by clause 6.1.3 that lists all 93 Annex A controls (plus any additional controls you have determined necessary), states whether each is applicable to your ISMS, gives the justification for inclusion or exclusion, and records whether each applicable control is implemented. Your certification auditor will scrutinize this document closely and trace it back to your risk treatment plan. A well-structured SoA is one of the most important artifacts in the certification process.
Start your ISO 27001 journey.
Book a free scoping call. We'll assess your current state, define your ISMS scope, and send a fixed-fee proposal for the full implementation within 48 hours.
Fixed-fee proposal in 48 h · Certification-body agnostic