What is ISO 27001?
ISO/IEC 27001 is the leading international standard for information security management. Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it specifies the requirements for how an organization establishes, operates, and continually improves the management of its information security.
At its core, ISO 27001 isn't about buying the right software; it's about building a culture of security. It requires companies to identify, manage, and mitigate security risks through a structured approach known as an Information Security Management System (ISMS).
Is it a Certification or a Report?
Unlike SOC 2, which results in a descriptive attestation report, ISO 27001 results in a formal certification. The certificate is issued by an independent certification body (itself accredited by a national accreditation body) after a successful audit. It serves as globally recognized proof that your security program meets a rigorous international benchmark.
Understanding the ISMS: The Heart of the Standard
The Information Security Management System (ISMS) is the most critical component of ISO 27001. Think of it as the "operating system" for your company's security. It isn't a single tool, but a set of policies, procedures, and controls that work together to protect your information assets.
A robust ISMS includes:
- Risk Assessment: A formal, repeatable process to identify and evaluate threats to your information.
- Security Policies: Clear guidelines for employees and contractors.
- Asset Management: Knowing exactly what data you have and where it lives.
- Continuous Improvement: A "Plan-Do-Check-Act" cycle to ensure security evolves alongside your business.
ISO 27001 Requirements: Risk-Based, Not Prescriptive
One of the biggest misconceptions about ISO 27001 is that it provides a rigid checklist of technical settings. In reality, the standard is risk-based.
ISO 27001 requires you to:
- Define the Scope: Which parts of your business, systems, and locations does the ISMS cover?
- Conduct a Risk Assessment: What could go wrong? (e.g., data breaches, server downtime, insider threats).
- Risk Treatment: How will you handle those risks? You can avoid, transfer (share), accept (retain), or mitigate (modify) them.
- Select Controls: Choose relevant controls from Annex A, a list of 93 security controls in the 2022 version (down from 114 in the 2013 version) covering everything from physical security to cloud service governance. Your choices, and the justification for any control you exclude, are recorded in a Statement of Applicability (SoA), which the auditor will check against your risk assessment.
Technical Security vs. Governance
Is ISO 27001 a technical standard? Not exactly. While it leads to technical improvements, it is primarily a management and governance standard.
An ISO 27001 audit focuses heavily on documentation, accountability, and evidence that your processes are being followed. For example, an auditor won't just check whether you use encryption; they will check that you have a policy for encryption, that employees are trained on it, and that you can produce dated evidence (configuration exports, logs, monitoring results) showing it was in force throughout the period under review, not just on the day of the audit.
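The "evidence it was active during the year" point is the one that catches engineering teams out, so here is what a minimal piece of evidence looks like in code. This is an added example, not code from the page or from any product: it takes a constructed inventory snapshot (the bucket names, field names and key IDs are made up), evaluates each resource against a hypothetical rule ("customer data at rest uses a KMS-managed key"), and wraps the results in a record that carries the snapshot's SHA-256 hash, the collection time, and who collected it. The control reference A.8.24 is the Annex A "Use of cryptography" control in ISO/IEC 27001:2022; everything else is assumed for illustration.

```python
"""Point-in-time evidence that an encryption-at-rest control was in force.

Added example (not from the page or any product). Evaluates a constructed
resource snapshot against one control rule and emits a hashed, dated
evidence record that can be filed for a given month of the audit period.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample snapshot, loosely shaped like an object-storage bucket
# inventory export. Every name, key ID and value here is made up.
SNAPSHOT = {
    "collected_at": "2024-03-31T23:59:00Z",
    "source": "example-inventory-export",  # hypothetical export job name
    "buckets": [
        {"name": "prod-customer-data", "sse": "aws:kms", "kms_key_id": "key-1234"},
        {"name": "staging-logs", "sse": "AES256", "kms_key_id": None},
        {"name": "legacy-exports", "sse": None, "kms_key_id": None},
    ],
}


def evaluate_bucket(bucket):
    """Apply the hypothetical rule: at rest, data must be encrypted with a
    KMS-managed key. Returns (status, reason) so the reason ends up in the
    evidence record rather than only in a log line."""
    sse = bucket.get("sse")
    if sse is None:
        return "fail", "no server-side encryption configured"
    if sse != "aws:kms" or not bucket.get("kms_key_id"):
        return "fail", f"encrypted with {sse} but not with a KMS-managed key"
    return "pass", "KMS-managed encryption at rest"


def build_evidence(snapshot, control_id="A.8.24",
                   collected_by="evidence-collector@example"):
    """Evaluate every bucket and wrap the results in an evidence record.

    The SHA-256 of the canonicalised snapshot lets an auditor (or you, a
    year later) confirm the stored snapshot is the one that was evaluated."""
    canonical = json.dumps(snapshot, sort_keys=True).encode()
    results = [
        {"resource": b["name"], "status": status, "reason": reason}
        for b in snapshot["buckets"]
        for status, reason in [evaluate_bucket(b)]
    ]
    failed = [r for r in results if r["status"] == "fail"]
    return {
        "control": control_id,  # ISO/IEC 27001:2022 Annex A 8.24, Use of cryptography
        "snapshot_sha256": hashlib.sha256(canonical).hexdigest(),
        "collected_at": snapshot["collected_at"],
        "evaluated_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collected_by,
        "results": results,
        "failed_count": len(failed),
        "overall": "non-compliant" if failed else "compliant",
    }


if __name__ == "__main__":
    # Stand-alone run: print the evidence record for the constructed snapshot.
    print(json.dumps(build_evidence(SNAPSHOT), indent=2))
```

Run monthly against a real export and the stored records become the "was it active all year" trail the auditor asks for; a failing record is not a problem in itself as long as the corresponding ticket and fix show up in the next one.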
The Role of Penetration Testing
A common question is: Do I need a penetration test for ISO 27001?
Technically, the standard does not name "penetration testing" as a requirement. It does, however, require you to manage technical vulnerabilities (Annex A control 8.8 in the 2022 version), and to be able to show that your chosen controls are effective. For most SaaS and tech-driven companies, a penetration test is the most defensible way to produce that evidence.
- Frequency: Most experts recommend an annual penetration test, plus one after any major change to the infrastructure or application.
- Findings: Auditors do not expect "clean" reports. They want to see that when a vulnerability is found it is risk-rated, assigned an owner, tracked to remediation, and retested where it matters.
The Certification Process: Timeline and Costs
Achieving ISO 27001 certification is a marathon, not a sprint.
The Audit Stages
The certification audit is divided into two parts:
- Stage 1 (Documentation Review): The auditor reviews your ISMS design and documentation (scope, risk assessment, Statement of Applicability, policies) to confirm you are ready for Stage 2.
- Stage 2 (Effectiveness Audit): The auditor looks for evidence that you are actually doing what your documentation says you are doing.
Timeline
For a small to mid-sized startup, the process typically takes 3 to 6 months. This includes the time needed to build the ISMS, operate it long enough to collect evidence, complete at least one internal audit and management review (both required by the standard before certification), and undergo the two-stage audit.
Costs
The direct cost of the audit itself is often between $10,000 and $20,000, depending on your company size. However, the "real" cost is often hidden in internal time. If your CTO or Lead Engineer is spending 20 hours a week on documentation, that is 20 hours they aren't spending on your product.
ISO 27001 vs. SOC 2: Which One Do You Need?
| Feature | ISO 27001 | SOC 2 |
|---|---|---|
| Primary Market | International / Europe / Asia | North America |
| Outcome | Official Certification | Detailed Audit Report |
| Duration | Certificate valid for 3 years, with annual surveillance audits and a recertification audit at the end of the cycle | Usually an annual report |
| Focus | Management System & Risk | Specific Control Objectives |
Can you have both? Yes. Many growth-stage companies start with SOC 2 to win US deals and then "map" those controls to ISO 27001 as they expand into Europe. Since the underlying controls overlap significantly (often cited as around 80%), the second certification is much faster than the first; the main extra work for ISO 27001 is the management-system layer (formal risk assessment, Statement of Applicability, internal audit, and management review).
Is it Worth it for Startups?
ISO 27001 is a major commitment. It is usually "worth it" when:
- Enterprise Deals are Stalling: You are losing deals because you can't pass a security review.
- Global Expansion: You are moving into markets where ISO is the "de facto" language of trust.
- Security Maturity: You want to move away from "ad-hoc" security and build a professional, scalable program.
How Probo Simplifies ISO 27001 Compliance
Most companies fail at ISO 27001 because they treat it as a one-time project. At Probo, we treat it as a managed service. We act as your extended compliance team to ensure you get certified without the headache.
- Done-for-You ISMS: We don't just give you a platform; we design your risk assessment and write your policies based on how you actually work.
- Automated Evidence Collection: Our platform integrates with your tech stack (AWS, GitHub, Google Workspace) to collect the evidence that shows your controls are operating.
- End-to-End Audit Management: We help you select an auditor and stay with you through Stage 1 and Stage 2 to handle the "heavy lifting" of auditor requests.
- Continuous Maintenance: We ensure your ISMS stays healthy year-round, so your annual surveillance audits are a non-event.
Stop letting security reviews slow down your growth.
Take a meeting to understand how close you are to compliance.
Get Started with Probo