ISO 27001 is the international standard for information security management systems (ISMS). It's structured around risk — your organization identifies information security risks, implements controls to address them, and demonstrates continuous improvement over time. The result is a certification that enterprise customers, government agencies, and international partners recognize as meaningful evidence of security maturity.

More practically: ISO 27001 certification is increasingly appearing in RFPs, vendor questionnaires, and enterprise contract requirements alongside SOC 2. If you sell into European markets, financial services, or enterprise procurement, you'll encounter it. This guide covers what getting certified actually involves — the process, the controls, the costs, and the timeline.

The Structure: ISMS + Annex A Controls

ISO 27001 has two parts that work together:

The ISMS framework (Clauses 4–10) defines the management system requirements: scope, context, leadership commitment, risk assessment methodology, objectives, operational controls, performance evaluation, and continual improvement. This is the management system layer — policies, procedures, management review processes, internal audit programs.

Annex A contains 93 information security controls organized across four themes (Organizational, People, Physical, Technological). ISO 27001:2022 (the current version) reorganized the original 114 Annex A controls from the 2013 edition into 93 controls, and added 11 new controls covering areas like threat intelligence, cloud security, data masking, and web filtering.

Not every Annex A control applies to every organization. The standard requires you to produce a Statement of Applicability (SoA) — a document that lists every control, states whether it applies to your organization, and explains why. Controls you exclude need a documented justification.

Certification Body Selection

ISO 27001 certification requires an accredited external certification body (also called a registrar). These are organizations accredited by national accreditation bodies (UKAS in the UK, ANAB in the US, DAkkS in Germany, etc.) to perform ISO 27001 audits.

Major certification bodies include BSI, Bureau Veritas, DNV, SGS, TÜV SÜD, and Schellman. Choosing the right one matters:

  • Accreditation matters. Verify the CB is accredited by an IAF-recognized body. A non-accredited "ISO 27001 certification" has no international recognition.
  • Sector experience matters. A CB with experience auditing SaaS companies understands cloud architecture, DevOps environments, and the specific control challenges of software businesses. A CB that primarily audits manufacturing will ask questions that don't fit your context.
  • Geographic coverage matters. If your customers are European, a UKAS-accredited CB may carry more weight in procurement. If you're a US company selling domestically, ANAB accreditation is fine.
  • Price varies significantly. Get quotes from 3–4 CBs. Audit fees for small companies (under 50 employees) typically range from $8,000–$25,000 for the initial certification cycle.

The Certification Process: Three Stages

Stage 1: Documentation Review

The auditor reviews your ISMS documentation — your scope document, information security policy, risk assessment methodology, Statement of Applicability, risk treatment plan, and key procedures. This is a desk review, typically conducted remotely.

The Stage 1 audit isn't about proving your controls work — it's about confirming your ISMS is properly designed and documented, and that you're ready for the Stage 2 audit. Stage 1 findings are typically observations or minor nonconformities that you address before Stage 2. Expect 1–3 months between Stage 1 and Stage 2.

Stage 2: Certification Audit

The Stage 2 audit is the main event. Auditors spend time on-site (or, increasingly, remotely) examining whether your ISMS is actually implemented and operating effectively. They'll interview staff, review evidence of control operation, test technical controls, and assess whether your risk treatment decisions are being followed.

Any findings are classified as:

  • Major nonconformity — A significant failure. Certification cannot be issued until resolved and re-audited.
  • Minor nonconformity — A gap that doesn't prevent certification but must be closed within the surveillance period.
  • Observation — A potential improvement area, not a required action.

If no major nonconformities are found (and minor ones have corrective action plans), the CB recommends certification. The certificate is issued for 3 years.

Surveillance Audits

Certification isn't one-and-done. You'll have annual surveillance audits in years 1 and 2 of the certification cycle, followed by a full recertification audit in year 3. Surveillance audits are smaller (typically 40–60% of the initial audit scope) and focus on checking that your ISMS is still operating and that minor nonconformities from the certification audit have been closed.

Timeline: What to Expect

For a first-time applicant starting from scratch:

Phase                                                       Duration
Scoping, gap assessment, CB selection                       4–6 weeks
ISMS documentation build (policies, risk assessment, SoA)   2–4 months
Control implementation and remediation                      2–4 months
Internal audit + management review                          3–4 weeks
Stage 1 audit → Stage 2 audit                               1–3 months
Total: kickoff to certificate                               9–14 months

Companies with existing security maturity (SOC 2 Type 2 certified, or with a mature internal security program) can compress this to 6–9 months because most of the control implementation is already done. The work shifts to documentation translation and gap closure rather than building from scratch.

Cost: What Small Businesses Actually Pay

For a small company (under 50 employees, cloud-native SaaS):

  • Certification body fees (Stage 1 + Stage 2): $8,000–$25,000
  • Implementation consulting (if used): $15,000–$60,000
  • GRC tooling: $3,000–$12,000/year (many use Vanta, Drata, or Sprinto)
  • Internal time (PM, engineering, management): 200–500 hours
  • Annual surveillance audits: $5,000–$15,000/year

Total first-year cost for a small company doing it right: roughly $30,000–$100,000 depending on how much consulting you use and how much remediation work is required. Companies that already have SOC 2 can often run leaner because the control overlap is significant.

The Annex A Controls That Trip Up Small Companies

Across 93 Annex A controls, a few areas consistently generate findings for first-time applicants:

  • A.5.23 — Information security for use of cloud services. New in ISO 27001:2022. You need documented policies and controls for cloud service usage — covering acquisition, use, management, and exit from cloud services. If your security program predates wide cloud adoption, this one likely has gaps.
  • A.5.10 — Acceptable use of information and other associated assets. The policy must cover what employees can and can't do with company and customer information, and training records are required. Small companies often have informal norms that were never documented.
  • A.8.8 — Management of technical vulnerabilities. Requires a timely, systematic process for identifying, assessing, and remediating technical vulnerabilities. "We patch when we notice something" is not a process.
  • A.5.29 — Information security during disruption. Business continuity planning specifically for information security. If your BCPs and disaster recovery plans exist but don't address information security continuity specifically, you have a gap.
  • A.5.36 — Compliance with policies, rules, and standards for information security. Requires regular review of compliance with your own policies, which means an internal audit program — not just the external CB audit.

ISO 27001 vs. SOC 2: Which Should You Pursue First?

The honest answer depends on your customer base:

  • US enterprise customers: SOC 2 Type 2 first. It's the expected standard in US procurement and more familiar to US security teams than ISO 27001.
  • European or international customers: ISO 27001 first, or simultaneously. ISO 27001 has stronger recognition outside North America and maps well to GDPR requirements.
  • Both market segments: Both eventually, but ISO 27001 first, because the ISMS framework makes the SOC 2 documentation easier — the reverse is not true to the same degree.

The control overlap is significant (roughly 60–70%). Having one makes getting the other significantly cheaper and faster.