
What is ISO 27001?

The Complete Guide for 2026

This guide cuts through the complexity of ISO 27001, giving you everything you need to understand the standard and the path to certification.

What is ISO 27001?

Definition and Core Purpose

ISO 27001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it provides a systematic approach to managing sensitive company and customer information.

At its core, ISO 27001 is about risk management. The standard doesn't prescribe specific technical controls or one-size-fits-all solutions. Instead, it requires organizations to identify their unique information security risks and implement appropriate controls to address them. This risk-based approach makes the standard flexible enough to apply to organizations of any size, in any industry, anywhere in the world.

The framework operates on three fundamental principles of information security:

  • Confidentiality: Ensuring information is accessible only to authorized individuals
  • Integrity: Safeguarding the accuracy and completeness of information
  • Availability: Ensuring authorized users have access to information when needed

The History and Evolution of ISO 27001

ISO 27001's roots trace back to the British Standard BS 7799, first published in 1995. The standard evolved through several iterations before becoming ISO/IEC 27001:2005, establishing the foundation for modern information security management systems.

The 2013 revision brought significant structural changes, aligning the standard with other ISO management system standards through Annex SL, a common framework that makes it easier for organizations to integrate multiple management systems.

The most recent update, ISO/IEC 27001:2022, introduced important modernizations reflecting today's threat landscape. The revision reorganized Annex A controls from 114 controls across 14 domains to 93 controls across four themes: Organizational, People, Physical, and Technological. This restructuring makes the controls more intuitive and easier to implement.

New controls were added addressing contemporary challenges including threat intelligence, information security for cloud services, ICT readiness for business continuity, and data masking. Organizations already certified to the 2013 version have until October 2025 to transition to the 2022 standard.


The Structure of ISO 27001: What the Standard Actually Requires

Understanding ISO 27001's structure is essential before embarking on your certification journey. The standard consists of two main components: the management system requirements (Clauses 4-10) and the security controls (Annex A).

Clauses 4-10: The Management System Requirements

The main body of ISO 27001 follows a logical progression that mirrors the Plan-Do-Check-Act cycle common to ISO management system standards:

Clause 4: Context of the Organization

You must understand your organization's internal and external context, identify interested parties and their requirements, and define the scope of your ISMS. This foundational work ensures your security program addresses real business needs.

Clause 5: Leadership

Top management must demonstrate commitment to the ISMS through active involvement, establishing an information security policy, and assigning roles and responsibilities. Without genuine leadership buy-in, certification efforts typically stall.

Clause 6: Planning

This clause requires you to address risks and opportunities, establish information security objectives, and plan how to achieve them. Your risk assessment methodology and Statement of Applicability (documenting which Annex A controls apply) are critical outputs.

Clause 7: Support

Organizations must provide necessary resources, ensure personnel competence, maintain awareness programs, establish communication processes, and control documented information. This clause covers the infrastructure supporting your ISMS.

Clause 8: Operation

Here's where planning meets execution. You must implement your risk treatment plans and controls, managing operational processes to meet security objectives.

Clause 9: Performance Evaluation

You must monitor, measure, analyze, and evaluate your ISMS effectiveness. This includes conducting internal audits and management reviews to ensure the system performs as intended.

Clause 10: Improvement

When nonconformities occur, you must take corrective action. Beyond fixing problems, you're expected to continually improve the ISMS's suitability, adequacy, and effectiveness.

Annex A: The 93 Security Controls Explained

Annex A provides a reference set of 93 information security controls organized into four categories:

  • Organizational Controls (37 controls): These address policies, procedures, and organizational structures. Examples include information security policies, segregation of duties, contact with authorities, and supplier relationships.
  • People Controls (8 controls): Focused on human aspects of security, covering screening, terms of employment, awareness training, and disciplinary processes.
  • Physical Controls (14 controls): These protect against physical and environmental threats, including secure areas, equipment security, and clear desk policies.
  • Technological Controls (34 controls): Addressing technical security measures such as access control, cryptography, network security, and secure development practices.

Not every control applies to every organization. Through your risk assessment, you'll determine which controls are relevant and document your decisions in the Statement of Applicability. If a control doesn't apply (perhaps you don't do software development, making secure coding practices irrelevant), you can exclude it with proper justification.


Who Needs ISO 27001 Certification?

While any organization handling sensitive information can benefit from ISO 27001, certain scenarios make certification particularly valuable.

  • Technology and SaaS Companies: If you're processing customer data, especially for enterprise clients, ISO 27001 certification often appears in RFPs and vendor requirements. It's become table stakes for selling into regulated industries.
  • Financial Services: Banks, insurance companies, and fintech firms face intense regulatory scrutiny. ISO 27001 demonstrates due diligence and often satisfies multiple regulatory requirements simultaneously.
  • Healthcare and Life Sciences: Organizations handling protected health information benefit from ISO 27001's systematic approach to information security, complementing regulations like HIPAA.
  • Government Contractors: Many government agencies require or prefer vendors with ISO 27001 certification, particularly for contracts involving sensitive data.
  • Professional Services: Law firms, accounting practices, and consulting companies handling confidential client information increasingly pursue certification to differentiate themselves and meet client expectations.

ISO 27001 for Startups and Growing SaaS Companies

The conventional wisdom that ISO 27001 is "only for large enterprises" is outdated. Growing SaaS companies are pursuing certification earlier than ever, and for good reason.

First, building security into your operations from the start is far easier than retrofitting it later. The technical debt of poor security practices compounds over time, making remediation increasingly expensive and disruptive.

Second, certification accelerates sales cycles. When enterprise prospects ask about your security posture, producing an ISO 27001 certificate answers dozens of security questionnaire questions instantly. That efficiency translates directly to faster deal closures.

Third, the 2022 standard update made implementation more accessible for smaller organizations. The restructured controls and clearer guidance reduce the complexity that previously made certification seem out of reach for startups.

The key for smaller companies is right-sizing your ISMS. You don't need enterprise-grade complexity; you need controls appropriate to your risk profile and business context. This is exactly how Probo operates to help you get compliant.


ISO 27001 vs SOC 2: Which Framework is Right for You?

For North American SaaS companies, the ISO 27001 versus SOC 2 question comes up constantly. Both frameworks address information security, but they differ in important ways.

Key Differences in Scope, Recognition, and Audit Process

  • Geographic Recognition: SOC 2 is predominantly recognized in North America, while ISO 27001 enjoys truly global recognition. If you're selling internationally, particularly in Europe, Asia, or Australia, ISO 27001 typically carries more weight.
  • Framework Structure: SOC 2 is based on the AICPA's Trust Services Criteria, focusing on five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. ISO 27001 takes a broader management system approach with its 93 controls covering organizational, people, physical, and technological domains.
  • Audit Output: SOC 2 audits produce a detailed report describing your controls and the auditor's testing results, essentially a narrative about your security practices. ISO 27001 audits result in a certificate confirming your ISMS meets the standard's requirements, plus an audit report with findings.
  • Audit Process: SOC 2 Type 2 audits examine your controls over a period (typically 6-12 months), assessing whether they operated effectively. ISO 27001 certification audits occur at a point in time, followed by annual surveillance audits to maintain certification.
  • Cost Considerations: For a detailed breakdown of SOC 2 expenses, check out our SOC 2 compliance cost guide. Generally, both frameworks involve similar cost categories, though ISO 27001's three-year certification cycle with surveillance audits differs from SOC 2's annual reports.

When to Choose ISO 27001, SOC 2, or Both

Choose ISO 27001 when:

  • You're selling to international customers, especially in Europe and Asia-Pacific
  • Enterprise buyers specifically request ISO 27001 certification
  • You want a management system framework that drives continuous improvement
  • You're planning to integrate multiple management systems (quality, environment, etc.)

Choose SOC 2 when:

  • Your primary market is North America
  • Customers specifically request SOC 2 reports
  • You need flexibility in defining your control environment
  • You want detailed assurance reporting for specific trust services criteria

Choose both when:

  • You're serving both domestic and international markets
  • Different customer segments require different frameworks
  • You want maximum flexibility in responding to security inquiries
  • You're building a comprehensive compliance program

Many organizations pursue both frameworks, leveraging the significant overlap between them. With proper planning, you can implement controls that satisfy both standards simultaneously, reducing duplication of effort.


The ISO 27001 Certification Process: Step-by-Step

ISO 27001 certification follows a structured process designed to verify your ISMS meets the standard's requirements. Understanding this process helps you prepare effectively and avoid common pitfalls.

Stage 1 Audit: Documentation Review

The Stage 1 audit is essentially a readiness assessment. An accredited certification body auditor reviews your ISMS documentation to determine whether you're prepared for the full certification audit.

During Stage 1, auditors examine:

  • Your ISMS scope and boundaries
  • Information security policy and objectives
  • Risk assessment methodology and results
  • Statement of Applicability
  • Key procedures and documented information
  • Internal audit and management review records

The auditor identifies any gaps or concerns that must be addressed before Stage 2. This audit typically occurs on-site (or virtually) over one to two days, depending on your organization's size and complexity.

Stage 1 isn't just a documentation check; it's an opportunity to get valuable feedback before the main event. Smart organizations use this stage to identify and fix issues while there's still time.

Stage 2 Audit: Implementation Assessment

Stage 2 is the main certification audit, typically occurring four to eight weeks after Stage 1 (allowing time to address any findings). This audit verifies that your ISMS is effectively implemented and operating as documented.

Auditors will:

  • Interview personnel across the organization
  • Observe processes in action
  • Review records and evidence of control implementation
  • Verify that risks are being managed as planned
  • Assess the effectiveness of your internal audit program
  • Confirm management commitment and involvement

The audit duration depends on your organization's size, complexity, and scope. A small SaaS company might require three to four audit days, while larger organizations need proportionally more time.

After Stage 2, the auditor issues findings categorized as:

  • Major nonconformities: Significant failures requiring correction before certification
  • Minor nonconformities: Issues that don't prevent certification but must be addressed
  • Opportunities for improvement: Suggestions for enhancement (not mandatory)

Assuming no major nonconformities (or successful correction of any identified), the certification body issues your ISO 27001 certificate.

Surveillance Audits and Recertification

Certification isn't a one-time achievement; it's an ongoing commitment. Your certificate is valid for three years, but maintaining it requires:

Annual Surveillance Audits

Each year (typically around the anniversary of your initial certification), auditors return to verify your ISMS continues to operate effectively. These audits are smaller in scope than the initial certification, focusing on:

  • Changes to the ISMS
  • Corrective actions from previous audits
  • Selected controls and processes
  • Continual improvement activities

Recertification Audit

Before your three-year certificate expires, you'll undergo a full recertification audit similar to your initial Stage 2. This comprehensive review ensures your ISMS remains effective and has matured appropriately.

The ongoing nature of ISO 27001 certification reinforces its value. Unlike point-in-time assessments, the continuous oversight provides assurance that organizations maintain their security posture over time.


ISO 27001 Certification Timeline and Costs

One of the most common questions from organizations considering ISO 27001 is "How long will this take and how much will it cost?" The honest answer: it depends. But we can provide realistic ranges based on organizational context.

Realistic Timelines for Different Organization Sizes

Small Organizations (under 50 employees)

  • Implementation: 4-8 months
  • Total time to certification: 6-12 months

Smaller organizations benefit from simpler structures and faster decision-making. However, they often face resource constraints that can extend timelines.

Medium Organizations (50-250 employees)

  • Implementation: 6-12 months
  • Total time to certification: 9-15 months

Mid-sized companies typically have more complex processes and more stakeholders to coordinate, but also more resources to dedicate to the project.

Large Organizations (250+ employees)

  • Implementation: 12-18 months
  • Total time to certification: 15-24 months

Enterprise implementations involve greater complexity, more locations, and extensive coordination requirements. Phased approaches often work best.

These timelines assume dedicated effort and reasonable organizational readiness. Factors that extend timelines include:

  • Significant gaps in existing security practices
  • Complex technical environments
  • Multiple locations or business units
  • Limited internal resources
  • Competing organizational priorities

Cost Breakdown: Internal vs External Expenses

ISO 27001 certification costs fall into several categories:

Internal Costs

  • Personnel time for implementation (often the largest cost)
  • Training and awareness programs
  • Technology investments (tools, systems, controls)
  • Process changes and documentation
  • Ongoing maintenance and improvement

How Probo Simplifies Your ISO 27001 Journey

Navigating ISO 27001 certification doesn't have to consume your team's time and energy. Probo manages the entire compliance process for you, hands-off, combining dedicated expert guidance with automated compliance software to get you certified faster and with less stress.

Here's what's included when you partner with Probo:

  • Dedicated Compliance Expert: Direct access to compliance experts whenever you need guidance. No more guessing or searching for answers; your expert is just a message away.
  • Onboarding Meeting: An onboarding meeting with your dedicated expert to understand your full context, tech stack, and specific compliance needs from day one.
  • Policies & Risk Assessment: Probo handles all necessary documentation templates and risk analysis for you. No more starting from scratch or wondering if your policies meet the standard's requirements.
  • Audit Prep & Auditor Selection: We find you the right auditor for your organization and prepare you thoroughly for the audit, so there are no surprises when certification day arrives.
  • Quarterly Follow-ups After Certification: Ongoing support to maintain your compliance posture. Certification is just the beginning; Probo ensures you stay compliant through surveillance audits and beyond.
  • Access to Probo Compliance Platform: A centralized workspace to manage all compliance activities, with automated evidence collection and audit-ready documentation that keeps everything organized and accessible.

Get ISO 27001 Certified with Probo

Take a meeting to understand how close you are to compliance.
