ISO 27001 certification guide
ISO 27001 is the gold standard for information security management. It's recognized globally, demanded by enterprise customers, and increasingly expected in regulated industries. But it's also a significant undertaking—months of work and tens of thousands of dollars.
This guide helps you understand what ISO 27001 really involves, whether your company needs it, and how to get certified without losing your mind.
What is ISO 27001?
ISO 27001 is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2022 (the latest version).
The standard specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
What's an ISMS?
An ISMS is not a product or a tool—it's a systematic approach to managing sensitive information. It includes:
- Policies and procedures governing how security is managed
- Risk assessment process to identify and treat security risks
- Controls to address identified risks
- Continuous improvement mechanisms
- Management commitment and oversight
Think of the ISMS as "how your organization does security": documented, measured, and improved over time.
The ISO 27000 family
ISO 27001 doesn't exist in isolation:
| Standard | Purpose |
|---|---|
| ISO 27001 | Requirements for ISMS (certifiable) |
| ISO 27002 | Implementation guidance for the Annex A controls (retitled "Information security controls" in 2022); guidance only, not certifiable |
| ISO 27003 | ISMS implementation guidance |
| ISO 27004 | Security management measurement |
| ISO 27005 | Information security risk management |
| ISO 27017 | Cloud security controls |
| ISO 27018 | Protection of PII in cloud |
| ISO 27701 | Privacy Information Management System (GDPR alignment) |
You certify against 27001. The others provide guidance.
Who needs ISO 27001?
You likely need ISO 27001 if:
- Your customers require it
  - Enterprise customers, especially European
  - Government contracts
  - Critical infrastructure suppliers
  - Healthcare and financial services partners
- You're expanding internationally
  - ISO 27001 is recognized worldwide
  - Required or preferred for EU business
  - Common in APAC, the Middle East, and Africa
- Your industry expects it
  - Cloud service providers
  - SaaS companies selling to enterprise
  - Managed service providers
  - Critical infrastructure
- You want to differentiate
  - Among competitors who aren't certified
  - Demonstrates security maturity
  - Reduces sales cycle friction
- You're preparing for acquisition
  - Due diligence looks for certifications
  - Shows operational maturity
  - May increase valuation
You probably don't need ISO 27001 if:
- You're very early stage (pre-product, pre-revenue)
- Your customers don't ask for it
- You only operate in US markets (SOC 2 may suffice)
- The investment would strain your runway
ISO 27001 vs. SOC 2: which to choose?
| Factor | ISO 27001 | SOC 2 |
|---|---|---|
| Geographic recognition | Global, especially Europe | Primarily North America |
| Standard type | Certificate issued (or withheld) by an accredited certification body | Attestation report containing a CPA firm's opinion and any exceptions |
| Scope | The ISMS as defined in your scope statement (people, processes, locations, systems) | The specific system(s) and Trust Services Criteria you select |
| Prescriptiveness | Mandatory clauses 4-10 plus a fixed reference control set (Annex A) you must justify against | Criteria-based: you choose the controls that satisfy the criteria |
| Maintenance | Annual surveillance audits, full recertification every 3 years | A new report each year covering a fresh observation period |
| Cost | Generally higher | Generally lower |
| Time to achieve | 6-12 months | 4-9 months |
| Customer expectation | EU enterprise, global | US enterprise, SaaS |
Common pattern: US-focused SaaS companies start with SOC 2, add ISO 27001 when expanding to Europe or selling to global enterprises.
How ISO 27001 helps business
Direct business value
| Benefit | How it helps |
|---|---|
| Win enterprise deals | Mandatory requirement in many RFPs |
| Reduce sales friction | Customers trust certified companies faster |
| Expand markets | Access EU, government, regulated industries |
| Increase valuation | Demonstrated operational maturity for M&A |
| Insurance | Some cyber insurers consider certification in underwriting; a discount is possible, not guaranteed |
Indirect value
| Benefit | How it helps |
|---|---|
| Improved security posture | Certification forces you to fix gaps |
| Better incident response | Required procedures mean faster response |
| Clear accountability | Defined roles and responsibilities |
| Reduced breach likelihood | Controls actually reduce risk |
| Employee awareness | Training requirements improve culture |
Real business impact examples
SaaS company targeting enterprise: Before certification: 6-week security review per enterprise customer, 30% loss rate during security due diligence. After certification: 1-week review (just checking the cert), 10% loss rate. Impact: Faster sales cycles, higher win rate.
MSP pursuing government contracts: Before: Excluded from 80% of government RFPs requiring ISO 27001. After: Qualified for all RFPs. Impact: $2M in new annual contract value.
ISO 27001 structure
The standard's components
ISO 27001 has two main parts:
Clauses 4-10 (mandatory requirements): These define HOW to build and run your ISMS.
| Clause | Title | What it covers |
|---|---|---|
| 4 | Context of the organization | Understanding your organization, stakeholders, ISMS scope |
| 5 | Leadership | Management commitment, policy, roles |
| 6 | Planning | Risk assessment, risk treatment, objectives |
| 7 | Support | Resources, competence, awareness, communication, documentation |
| 8 | Operation | Operational planning, risk assessment implementation, risk treatment |
| 9 | Performance evaluation | Monitoring, measurement, internal audit, management review |
| 10 | Improvement | Nonconformity handling, continual improvement |
Annex A controls (93 controls in 4 themes): These define WHAT controls you must consider; they are a reference list to justify against, not a checklist to implement in full.
| Category | Controls | Examples |
|---|---|---|
| Organizational | 37 controls | Policies, asset management, access control, supplier relationships |
| People | 8 controls | Screening, terms of employment, awareness, disciplinary process |
| Physical | 14 controls | Secure areas, equipment, clear desk, working in public |
| Technological | 34 controls | Endpoint security, access rights, secure development, backup, logging |
Statement of Applicability (SoA)
Not all 93 controls apply to every organization, but every one of them must be considered. The SoA records, for each control:
- Whether it is necessary (applicable) or excluded
- The justification either way (an exclusion needs a reason; an inclusion normally points at the risks the control treats)
- Whether the control is implemented, and to what degree
The 2022 edition also lets you add controls from other sources or design your own; Annex A is the list you compare your chosen controls against to confirm nothing necessary has been omitted (clause 6.1.3).
The SoA is a key audit document. Auditors verify that it accurately reflects your environment, that excluded controls are legitimately not applicable, and that "implemented" entries are backed by evidence.
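The checks an auditor runs against the SoA are mechanical enough to script. The following is an added example for this guide, not code from the page, a certification body or the standard. It treats the SoA as a list of rows (the column names `control`, `applicable`, `status`, `justification` are this example's assumption), verifies that every Annex A control of ISO/IEC 27001:2022 is listed exactly once, that each has a yes/no decision and a written justification, that excluded controls do not also claim an implementation status, and then produces a per-theme gap summary. The sample SoA it runs on is constructed, with deliberate defects.

```python
"""Statement of Applicability (SoA) pre-audit checker.

Added example for this guide; it is not code from the page, a certification
body or the standard. It checks an SoA for the defects auditors look for:
every Annex A control of ISO/IEC 27001:2022 listed exactly once, a yes/no
applicability decision and a written justification for each, excluded
controls not claiming an implementation status, and a gap summary by theme.
"""
from collections import Counter

# Annex A themes and their control counts in ISO/IEC 27001:2022 (37/8/14/34).
THEMES = {"5": ("Organizational", 37), "6": ("People", 8),
          "7": ("Physical", 14), "8": ("Technological", 34)}
ALL_CONTROLS = [f"A.{t}.{i}" for t, (_, n) in THEMES.items() for i in range(1, n + 1)]
STATUSES = {"implemented", "partial", "not implemented"}


def validate_soa(rows):
    """Return a sorted list of findings; an empty list means the SoA passes.

    Each row is a dict with keys: control, applicable (yes/no), status,
    justification. The column names are this example's assumption.
    """
    findings = []
    seen = Counter(r["control"].strip() for r in rows)
    for cid, n in seen.items():
        if cid not in ALL_CONTROLS:
            findings.append(f"{cid}: not an Annex A control of ISO/IEC 27001:2022")
        elif n > 1:
            findings.append(f"{cid}: listed {n} times")
    findings += [f"{cid}: missing from SoA" for cid in ALL_CONTROLS if cid not in seen]
    for r in rows:
        cid = r["control"].strip()
        applicable = r["applicable"].strip().lower()
        status = r["status"].strip().lower()
        if applicable not in {"yes", "no"}:
            findings.append(f"{cid}: applicable must be yes or no")
            continue
        if not r["justification"].strip():
            findings.append(f"{cid}: justification required (for inclusion as well as exclusion)")
        if applicable == "no" and status not in {"", "n/a"}:
            findings.append(f"{cid}: excluded control must not claim an implementation status")
        if applicable == "yes" and status not in STATUSES:
            findings.append(f"{cid}: applicable control needs implemented/partial/not implemented")
    return sorted(findings)


def gap_summary(rows):
    """Count applicable controls per theme by implementation status."""
    summary = {name: Counter() for name, _ in THEMES.values()}
    for r in rows:
        cid = r["control"].strip()
        theme_key = cid.split(".")[1] if cid.count(".") == 2 else ""
        if theme_key not in THEMES or r["applicable"].strip().lower() != "yes":
            continue
        summary[THEMES[theme_key][0]][r["status"].strip().lower()] += 1
    return summary


def build_sample_soa():
    """Constructed sample: a full SoA with deliberate defects for the checker to catch."""
    rows = [{"control": cid, "applicable": "yes", "status": "implemented",
             "justification": "Treats risks R1-R5 in the risk register"}
            for cid in ALL_CONTROLS]
    by_id = {r["control"]: r for r in rows}
    # Exclusion with no written justification (auditors reject this)
    by_id["A.7.4"].update(applicable="no", status="n/a", justification="")
    # Excluded but still marked implemented (a contradiction)
    by_id["A.8.23"].update(applicable="no", justification="Fully remote; no office network to filter")
    # Honest gap, not a defect: the summary should show it
    by_id["A.8.28"].update(status="not implemented")
    # One control dropped from the list, another pasted in twice
    rows = [r for r in rows if r["control"] != "A.5.30"]
    rows.append(dict(by_id["A.8.9"]))
    return rows


if __name__ == "__main__":
    sample = build_sample_soa()
    for finding in validate_soa(sample):
        print("FINDING:", finding)
    for theme, counts in gap_summary(sample).items():
        print(f"{theme}: {dict(counts)}")
```

Run it against the export from whatever spreadsheet or platform holds your SoA before Stage 1; an auditor will do the equivalent by hand, and a missing control or an unjustified exclusion is an easy finding to avoid.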
The certification process
Step 1: Gap analysis (4-8 weeks)
Before starting, understand where you are vs. where you need to be.
DIY approach:
- Work from an ISO 27001 checklist (many free third-party versions exist; the standard text itself must be bought from ISO or a national standards body)
- Assess each clause and Annex A control
- Document current state and gaps
Consultant approach:
- Hire ISO 27001 consultant for gap assessment
- Cost: $5,000-$15,000
- Deliverable: Gap report with remediation roadmap
What to assess:
- Documentation: Do policies exist?
- Implementation: Are policies followed?
- Evidence: Can you prove it?
Step 2: ISMS design and documentation (8-16 weeks)
Build the management system and create required documents.
Documents you need (the first seven are explicitly required by the standard; the rest are what auditors expect to see):
- ISMS scope definition
- Information security policy
- Risk assessment methodology
- Risk assessment results
- Risk treatment plan
- Statement of Applicability
- Security objectives
- Roles and responsibilities
- Asset inventory
- Acceptable use policy
- Access control policy
- Operating procedures for IT management
- Secure development policy
- Supplier security policy
- Incident management procedure
- Business continuity procedures
- Compliance requirements register
Records you'll need to produce:
- Risk assessments (initial and periodic)
- Internal audit reports
- Management review minutes
- Training records
- Incident logs
- Change management records
- Access review records
Step 3: Implementation (8-16 weeks)
Put your documented controls into practice.
Key activities:
- Deploy technical controls
- Conduct security awareness training
- Implement access control procedures
- Set up logging and monitoring
- Conduct risk assessment
- Establish incident response capability
- Run backup and recovery tests
Critical milestone: The certification body needs evidence that the ISMS has actually operated, not just been designed. Plan for at least 3 months of records (some certification bodies expect 6), and complete at least one internal audit and one management review before Stage 2; the auditor will ask for both.
Step 4: Internal audit (2-4 weeks)
Before the external certification audit, audit yourself.
Requirements:
- Auditor must be independent (can't audit their own work)
- Cover all ISMS clauses and applicable controls
- Document findings (nonconformities)
- Plan and track remediation
Options:
- Train internal staff as auditors
- Hire external auditor (not your certification body)
- Use consulting firm
Cost: $3,000-$10,000 if external
Step 5: Management review
Senior management must formally review the ISMS.
Required inputs:
- Status of previous actions
- Changes affecting ISMS
- Audit results
- Security incident summary
- Risk assessment results
- Improvement opportunities
Required outputs:
- Decisions on improvements
- Resource allocation
- Changes to risk criteria
Format: Formal meeting with documented minutes. Annual at minimum, often quarterly.
Step 6: Stage 1 audit (1-2 days)
The certification body's first visit.
What they check:
- Documentation completeness
- ISMS scope appropriateness
- Readiness for Stage 2
- Understanding of requirements
Outcome:
- Confirmation you're ready for Stage 2
- List of areas of concern to address
- Schedule for Stage 2
Timeline: Stage 2 typically follows Stage 1 by a few weeks to a few months, long enough to close the areas of concern raised.
Step 7: Stage 2 audit (2-5 days)
The main certification audit.
What they do:
- Interview staff at all levels
- Review evidence of control operation
- Observe processes in action
- Test controls (sampling)
- Verify documentation matches reality
Audit team: Lead auditor + technical auditor(s). Size depends on organization complexity.
Possible findings:
- Major nonconformity: A requirement not met or a control not operating; the certificate is withheld until corrective action is verified
- Minor nonconformity: A lapse that does not undermine the ISMS; you submit a corrective action plan (usually within a few weeks) and the fix is verified at or before the next surveillance audit
- Opportunity for improvement: Suggestion, not required
Step 8: Certification decision
After Stage 2:
- Auditor submits report to certification body
- Technical reviewer assesses report
- Certification decision made
- Certificate issued (valid 3 years)
If major nonconformities:
- Fix the issues
- Auditor verifies (may require site visit)
- Then certification proceeds
Step 9: Surveillance audits (annual)
Certification isn't one-and-done.
| Year | Audit type | Scope |
|---|---|---|
| Year 1 | Surveillance | Partial ISMS review |
| Year 2 | Surveillance | Partial ISMS review |
| Year 3 | Recertification | Full ISMS review |
Surveillance audits:
- Typically 1-2 days
- Focus on high-risk areas and previous findings
- Verify continual improvement
Timeline and costs
Realistic timeline
| Phase | Duration | Notes |
|---|---|---|
| Gap analysis | 4-8 weeks | Understand current state |
| Documentation | 8-16 weeks | Policies, procedures, SoA |
| Implementation | 8-16 weeks | Deploy controls, train staff |
| Operate before audit | 12+ weeks | Collect evidence of operation |
| Internal audit | 2-4 weeks | Self-assessment |
| Stage 1 + remediation | 2-4 weeks | Readiness check |
| Stage 2 + remediation | 2-4 weeks | Certification audit |
| Total | 8-14 months | From start to certificate |
Accelerated timeline (6 months): Possible with heavy consultant involvement and pre-existing security program. Expect higher costs and stress.
Cost breakdown
| Cost category | Small company (under 50 emp) | Mid-size (50-200) | Notes |
|---|---|---|---|
| Gap assessment | $5,000-$10,000 | $10,000-$20,000 | Consultant-led |
| Documentation | $5,000-$15,000 | $15,000-$30,000 | Templates help reduce |
| Implementation | $10,000-$30,000 | $30,000-$75,000 | Technical controls, training |
| Internal audit | $3,000-$7,000 | $5,000-$15,000 | External auditor |
| Certification audit | $10,000-$25,000 | $20,000-$40,000 | Certification body |
| Annual surveillance | $5,000-$12,000 | $10,000-$20,000 | Per year |
| Total Year 1 | $35,000-$90,000 | $90,000-$200,000 | All-in |
| Annual ongoing | $15,000-$35,000 | $30,000-$60,000 | External spend on surveillance and internal audit; tooling and staff time come on top (see Maintaining certification) |
Cost reduction strategies:
- Use a compliance automation platform ($10K-$20K/year)
- Do gap assessment internally
- Use documentation templates
- Train internal auditors
- Choose certification body carefully (prices vary significantly)
Choosing a certification body
Certification bodies (registrars) must be accredited for ISO/IEC 27001 specifically; confirm this in the accreditation body's register or IAF CertSearch rather than taking the logo on a proposal at face value. Look for:
| Accreditation body | Region | Notes |
|---|---|---|
| UKAS | UK | Well-recognized globally |
| ANAB | USA | Common in North America |
| DAkkS | Germany | Common in DACH region |
| JAS-ANZ | Australia/NZ | Asia-Pacific |
Major certification bodies:
- BSI (British Standards Institution)
- Bureau Veritas
- DNV
- SGS
- TÜV
- Schellman
- A-LIGN
Selection criteria:
- Accreditation status
- Industry experience
- Geographic coverage
- Auditor availability
- Price (get 3+ quotes)
- Reputation
Preparation roadmap
Phase 1: Foundation (Months 1-2)
Week 1-2: Get buy-in
- Present business case to leadership
- Secure budget and resources
- Assign ISMS owner (usually you)
- Establish steering committee
Week 3-4: Define scope
- Determine which parts of organization are in scope
- Define ISMS boundaries (systems, locations, processes)
- Document scope statement
Week 5-8: Gap assessment
- Assess against all ISO 27001 clauses
- Assess against Annex A controls
- Document gaps and remediation effort
- Create prioritized roadmap
Deliverables:
- Executive approval document
- ISMS scope statement
- Gap analysis report
- Remediation roadmap
Phase 2: Design (Months 3-4)
Week 9-12: Policies and procedures
- Write information security policy
- Define roles and responsibilities
- Document risk assessment methodology
- Create procedure templates
Week 13-16: Risk assessment
- Identify information assets
- Identify threats and vulnerabilities
- Assess likelihood and impact
- Determine risk levels
- Create risk treatment plan
Deliverables:
- Information security policy (approved)
- ISMS roles document
- Risk assessment methodology
- Risk register
- Risk treatment plan
- Statement of Applicability (draft)
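The standard requires a repeatable risk methodology but does not prescribe one. The block below is an added example for this guide, not the page's method or any standard's: it works one common methodology through in code, using a 5x5 likelihood x impact scale, a management-set acceptance threshold, one treatment per risk (mitigate, transfer, avoid, accept) with the Annex A controls chosen to treat it, and a residual-risk check that flags anything still above the threshold. It also derives the list of controls the SoA must mark applicable, which is how "controls flow from identified risks" looks in practice. The assets, threats, scores and owners are constructed sample data; the control identifiers are real ISO/IEC 27001:2022 Annex A numbers, but pairing them with these risks is this example's choice.

```python
"""Risk assessment and treatment, worked through in code.

Added example for this guide, not the page's or any standard's method; ISO
27001 requires a repeatable methodology but does not prescribe one. This one
uses a 5x5 likelihood x impact scale, a risk acceptance threshold set by
management, one treatment per risk (mitigate, transfer, avoid, accept) with
the Annex A controls chosen to treat it, and a residual-risk check. The risks,
scores and owners below are constructed sample data; the control identifiers
are real ISO/IEC 27001:2022 Annex A numbers, but pairing them with these risks
is this example's choice.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SCALE = range(1, 6)          # 1 = rare / negligible ... 5 = almost certain / severe
ACCEPTANCE_THRESHOLD = 9     # management decision: residual risk of 9 or below is accepted
TREATMENTS = {"mitigate", "transfer", "avoid", "accept"}


def risk_level(score):
    """Map a likelihood x impact product onto the four bands used in the register."""
    if score >= 16:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    id: str
    asset: str
    threat: str
    likelihood: int                      # 1-5, before treatment
    impact: int                          # 1-5, before treatment
    treatment: str                       # one of TREATMENTS
    owner: str                           # person accountable for the treatment
    controls: List[str] = field(default_factory=list)   # Annex A controls applied
    residual_likelihood: Optional[int] = None           # scored after treatment
    residual_impact: Optional[int] = None

    def inherent(self):
        return self.likelihood * self.impact

    def residual(self):
        if self.treatment == "avoid":      # the activity is stopped; nothing remains
            return 0
        if self.treatment == "accept":     # nothing changes, so residual equals inherent
            return self.inherent()
        return self.residual_likelihood * self.residual_impact


def validate(risk):
    """Methodology rules an auditor will test the register against."""
    problems = []
    if risk.likelihood not in SCALE or risk.impact not in SCALE:
        problems.append(f"{risk.id}: likelihood and impact must be scored 1-5")
    if risk.treatment not in TREATMENTS:
        problems.append(f"{risk.id}: unknown treatment {risk.treatment!r}")
    elif risk.treatment in {"mitigate", "transfer"}:
        if not risk.controls:
            problems.append(f"{risk.id}: {risk.treatment} needs at least one control")
        if risk.residual_likelihood not in SCALE or risk.residual_impact not in SCALE:
            problems.append(f"{risk.id}: residual likelihood and impact must be scored 1-5")
    elif risk.treatment == "accept" and risk.inherent() > ACCEPTANCE_THRESHOLD:
        problems.append(f"{risk.id}: inherent risk {risk.inherent()} is above the "
                        f"acceptance threshold; acceptance needs a treatment first")
    return problems


def treatment_plan(risks):
    """Build the risk treatment plan and the control list the SoA must include."""
    plan, problems, unacceptable, controls = [], [], [], set()
    for r in risks:
        found = validate(r)
        if found:
            problems += found
            continue
        residual = r.residual()
        plan.append({"id": r.id, "asset": r.asset, "threat": r.threat,
                     "inherent": r.inherent(), "level": risk_level(r.inherent()),
                     "treatment": r.treatment, "controls": list(r.controls),
                     "residual": residual, "residual_level": risk_level(residual),
                     "owner": r.owner})
        if residual > ACCEPTANCE_THRESHOLD:
            unacceptable.append(r.id)    # needs more treatment or formal sign-off
        controls.update(r.controls)
    return {"plan": plan, "problems": problems,
            "unacceptable": unacceptable, "required_controls": sorted(controls)}


SAMPLE_REGISTER = [   # constructed sample register
    Risk("R1", "Customer database", "Credential theft leading to bulk data exfiltration",
         4, 5, "mitigate", "Head of Engineering",
         ["A.5.17", "A.8.2", "A.8.5"], 2, 5),   # authentication info, privileged access, secure authentication
    Risk("R2", "Staff laptops", "Device lost or stolen with local data",
         3, 3, "mitigate", "IT Lead", ["A.8.1", "A.8.24"], 3, 1),   # endpoint devices, cryptography (disk encryption)
    Risk("R3", "Payroll SaaS", "Supplier outage during pay run",
         2, 4, "transfer", "Finance Director", ["A.5.19", "A.5.20"], 2, 3),   # supplier relationships and agreements
    Risk("R4", "Office", "Visitor tailgates into open-plan area",
         2, 2, "accept", "Office Manager"),
    Risk("R5", "Cloud object storage", "Bucket exposed publicly by misconfiguration",
         3, 4, "mitigate", "Platform Lead", ["A.8.9", "A.8.16"], 1, 4),   # configuration management, monitoring
]

if __name__ == "__main__":
    result = treatment_plan(SAMPLE_REGISTER)
    for row in result["plan"]:
        print(f'{row["id"]} {row["level"]:8} {row["inherent"]:>2} -> {row["residual_level"]:8} '
              f'{row["residual"]:>2}  {row["treatment"]}  {",".join(row["controls"])}')
    print("Still above threshold:", result["unacceptable"])
    print("Controls the SoA must mark applicable:", result["required_controls"])
```

Two design points matter more than the arithmetic. The acceptance threshold is a management decision recorded in the methodology, not something the security team tunes to make the register look green; and a residual score that remains above it (R1 here) is exactly what the management review has to see and decide on, either by funding further treatment or by signing off the acceptance by name.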
Phase 3: Implementation (Months 5-7)
Week 17-20: Technical controls
- Deploy required security tools
- Configure access controls
- Set up logging and monitoring
- Implement backup and recovery
Week 21-24: Process controls
- Establish incident response process
- Create change management procedure
- Set up supplier security assessment
- Conduct security awareness training
Week 25-28: Documentation and records
- Finalize all procedures
- Begin collecting evidence/records
- Conduct access reviews
- Document asset inventory
Deliverables:
- Implemented controls
- Training records
- Operational procedures
- Evidence collection process
Phase 4: Verification (Months 8-9)
Week 29-32: Internal audit
- Plan internal audit program
- Conduct internal audit
- Document findings
- Create corrective action plans
- Implement fixes
Week 33-36: Management review
- Gather required inputs
- Conduct management review meeting
- Document decisions and actions
- Communicate outcomes
Deliverables:
- Internal audit report
- Corrective action plans
- Management review minutes
- Updated ISMS documentation
Phase 5: Certification (Months 10-12)
Week 37-38: Pre-audit preparation
- Review all documentation
- Verify evidence availability
- Brief staff on audit process
- Conduct pre-audit readiness check
Week 39-40: Stage 1 audit
- Host certification body for Stage 1
- Address any findings
- Schedule Stage 2
Week 41-44: Stage 2 audit and certification
- Host certification body for Stage 2
- Address any nonconformities
- Receive certification decision
- Celebrate!
Deliverables:
- ISO 27001 certificate
- Audit reports
- Post-certification improvement plan
Common mistakes and how to avoid them
Mistake 1: Treating it as a project, not a program
The problem: Companies treat certification as a one-time project. After getting certified, attention drops, and the ISMS withers.
The solution: Plan for ongoing operation from day one. Budget for surveillance audits, continuous improvement, and dedicated ISMS management time.
Mistake 2: Over-scoping
The problem: Including everything in scope makes certification harder and more expensive.
The solution: Start with a narrower scope (e.g., your SaaS platform only, not the entire company). Expand scope in later years.
Mistake 3: Paper-only compliance
The problem: Writing beautiful policies that no one follows. Auditors will notice.
The solution: Implement controls as you document them. Evidence of operation is more important than perfect documentation.
Mistake 4: Leaving risk assessment to the end
The problem: Risk assessment is foundational—controls flow from identified risks. Doing it late means rework.
The solution: Complete risk assessment early. Let it drive your control selection.
Mistake 5: Underestimating evidence requirements
The problem: "We do access reviews" means nothing without evidence. Auditors sample everything.
The solution: Start collecting evidence from day one. Automate evidence collection where possible.
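Access reviews are the evidence gap auditors hit most often, because the review happens in someone's head and leaves nothing behind. The following is an added example for this guide, not code from the page or from any identity product. It reconciles an identity-provider account export against the HR roster, flags what the reviewer must act on (accounts for leavers, accounts with no HR record, dormant accounts, privileged rights not justified by role, privileged service accounts) and returns a dated review record that carries a SHA-256 of the two inputs, so the evidence package can be shown to match exactly what was reviewed. The CSV exports, the roles entitled to privileged access, the dormancy threshold and the `svc-` naming convention are all constructed assumptions.

```python
"""Quarterly access review that produces its own audit evidence.

Added example for this guide (not from the page or any identity product). It
reconciles an identity-provider account export against the HR roster, flags
what the reviewer must act on, and returns a dated review record with a
SHA-256 of the inputs so the evidence can be shown to match what was reviewed.
The CSV exports, roles and thresholds below are constructed assumptions.
"""
import csv
import hashlib
import io
import json
from datetime import date

HR_ROSTER_CSV = """email,role,status
alice@example.com,Platform Engineer,active
bob@example.com,Support,active
carol@example.com,Finance,left
dave@example.com,Sales,active
"""

IDP_EXPORT_CSV = """email,privileged,last_login
alice@example.com,yes,2025-03-28
bob@example.com,yes,2025-03-30
carol@example.com,no,2025-01-12
dave@example.com,no,2024-11-02
svc-backup@example.com,yes,2025-03-31
"""

PRIVILEGED_ROLES = {"Platform Engineer", "IT Lead"}   # roles entitled to admin rights (assumption)
DORMANT_DAYS = 90                                       # review policy threshold (assumption)
SERVICE_PREFIX = "svc-"                                 # naming convention for service accounts (assumption)


def review_access(roster_csv, idp_csv, review_date, reviewer):
    """Return the review record: findings plus the metadata an auditor asks for."""
    as_of = date.fromisoformat(review_date)
    roster = {r["email"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    accounts = list(csv.DictReader(io.StringIO(idp_csv)))
    findings = []
    for acct in accounts:
        email = acct["email"]
        privileged = acct["privileged"].strip().lower() == "yes"
        idle_days = (as_of - date.fromisoformat(acct["last_login"])).days
        if email.startswith(SERVICE_PREFIX):
            # Service accounts have no HR record; privileged ones need a named owner
            if privileged:
                findings.append({"account": email,
                                 "action": "confirm owner and continued need for privileged service account"})
            continue
        person = roster.get(email)
        if person is None:
            findings.append({"account": email, "action": "no HR record: disable"})
        elif person["status"] != "active":
            findings.append({"account": email, "action": "leaver still has an account: disable"})
        elif privileged and person["role"] not in PRIVILEGED_ROLES:
            findings.append({"account": email,
                             "action": f"privileged access not justified by role {person['role']!r}: remove"})
        if idle_days > DORMANT_DAYS:
            findings.append({"account": email,
                             "action": f"dormant for {idle_days} days: disable or record justification"})
    # Hash both exports together so the record is tied to exactly what was reviewed
    inputs_hash = hashlib.sha256(roster_csv.encode() + b"\n--\n" + idp_csv.encode()).hexdigest()
    return {
        "control": "access rights review",
        "review_date": review_date,
        "reviewer": reviewer,
        "accounts_reviewed": len(accounts),
        "findings": findings,
        "inputs_sha256": inputs_hash,
    }


if __name__ == "__main__":
    record = review_access(HR_ROSTER_CSV, IDP_EXPORT_CSV, "2025-03-31", "Jane Doe, IT Lead")
    print(json.dumps(record, indent=2))   # store with the two exports as the evidence package
```

The record, the two exports and the tickets raised for each finding are the evidence; the script only makes producing them cheap enough to happen every quarter. The same pattern (reconcile against an authoritative source, emit a dated record with a hash of the inputs) applies to most of the records listed earlier, from training completions to backup tests.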
Mistake 6: Last-minute audit scheduling
The problem: Certification bodies book up months in advance. Last-minute scheduling means delays.
The solution: Engage certification body early. Schedule Stage 1 while still in implementation.
Mistake 7: Wrong certification body choice
The problem: Choosing the cheapest option may mean inexperienced auditors or later availability issues.
The solution: Get multiple quotes, check references, verify accreditation, consider long-term relationship.
ISO 27001:2022 changes
The latest version (2022) replaced ISO 27001:2013. Key changes:
Annex A restructuring
| 2013 version | 2022 version |
|---|---|
| 14 domains, 114 controls | 4 themes, 93 controls |
| Sections A.5 - A.18 | Organizational, People, Physical, Technological |
New controls (11 added)
| Control | What it covers |
|---|---|
| A.5.7 | Threat intelligence |
| A.5.23 | Information security for cloud services |
| A.5.30 | ICT readiness for business continuity |
| A.7.4 | Physical security monitoring |
| A.8.9 | Configuration management |
| A.8.10 | Information deletion |
| A.8.11 | Data masking |
| A.8.12 | Data leakage prevention |
| A.8.16 | Monitoring activities |
| A.8.23 | Web filtering |
| A.8.28 | Secure coding |
Transition timeline
- New certifications: Must be issued against the 2022 version (certification bodies stopped issuing new 2013 certificates on 30 April 2024)
- Existing 2013 certificates: Must transition by 31 October 2025, after which they are no longer valid
- Surveillance audits: Can include transition assessment
Real certification stories
Story 1: The 6-month sprint
Company: 80-person B2B SaaS, already had SOC 2 Type II.
Timeline: 6 months from start to certificate.
What helped:
- Existing SOC 2 controls mapped to ~60% of ISO 27001
- Used Vanta for automated evidence collection
- Consultant did gap assessment and guided documentation
- Management was highly engaged
What was hard:
- ISMS documentation requirements more prescriptive than SOC 2
- Risk assessment methodology needed to be more formal
- Physical security controls for the office (SOC 2 was cloud-only scope)
Cost: $65,000 total (including tools and consultant).
Key insight: "Having SOC 2 first made ISO 27001 much easier. If I had to do one, I'd still start with SOC 2 for speed, then add ISO 27001."
Story 2: The 14-month marathon
Company: 200-person fintech, no prior certifications.
Timeline: 14 months (originally planned 10).
What delayed it:
- Underestimated documentation effort (3 months behind)
- Risk assessment required multiple iterations
- Internal audit found 23 findings, fixing took 6 weeks
- Stage 2 had 2 major nonconformities (another 4 weeks)
What worked:
- Hired dedicated ISMS manager (part-time contractor)
- Used compliance platform from month 3
- Got executive sponsor who pushed for resources
Cost: $140,000 total.
Key insight: "We should have done a proper gap assessment before starting. We discovered major gaps at month 5 that should have been in the original plan."
Story 3: The multi-site challenge
Company: 50-person company with offices in US, UK, and India.
Challenge: ISO 27001 requires consistent controls across all in-scope locations.
How they handled it:
- Centralized policies with local implementation procedures
- Remote (video) audits for locations the auditor did not visit in person; certification bodies may use these at their discretion under the IAF rules on remote auditing
- Global tools for consistency (SSO, endpoint management, logging)
- Local security representatives trained on ISMS
Timeline: 12 months.
Cost: $95,000 (slightly higher due to complexity).
Key insight: "Multi-site isn't as hard as we feared. The key is standardizing tools and processes, not customizing for each location."
Maintaining certification
Getting certified is just the beginning. Maintaining it requires ongoing effort.
Annual activities
| Activity | Frequency | Effort |
|---|---|---|
| Risk assessment review | Annually (minimum) | 2-4 days |
| Management review | Annually (minimum) | 1-2 days |
| Internal audit | Annually | 3-5 days |
| Surveillance audit | Annually | 1-2 days (auditor) + prep |
| Policy review | Annually | 2-3 days |
| Control effectiveness review | Quarterly | 1-2 days |
Ongoing activities
| Activity | Frequency | Effort |
|---|---|---|
| Incident management | As needed | Varies |
| Change management | Per change | 0.5-2 hours |
| Access reviews | Quarterly | 2-4 hours |
| Awareness training | New hires + annual refresh | Ongoing |
| Vulnerability management | Continuous | Ongoing |
| Evidence collection | Continuous | Automated if using platform |
Budget for ongoing maintenance
| Cost | Small company | Mid-size |
|---|---|---|
| ISMS manager time | 8-16 hrs/month | 20-40 hrs/month |
| Compliance platform | $15-25K/year | $25-50K/year |
| Internal audit (if external) | $5-10K/year | $10-20K/year |
| Surveillance audit | $5-12K/year | $12-25K/year |
| Training | $2-5K/year | $5-15K/year |
| Total | $30-60K/year | $60-120K/year |
Common maintenance failures
- Evidence gaps: Forgot to collect evidence, discovered during audit
- Risk assessment staleness: No updates after significant changes
- Training lapses: New hires not trained within required timeframe
- Incident handling: Incidents occur but aren't logged or reviewed
- Management disengagement: ISMS becomes "security team's thing"
Tools and resources
Documentation templates
| Resource | Cost | Link |
|---|---|---|
| ISO 27001 Toolkit | Paid (~$300+) | itgovernance.co.uk |
| ISMS.online templates | Included with platform | isms.online |
| Secframe templates | Free | secframe.com |
Compliance platforms
| Platform | Starting price | Notes |
|---|---|---|
| Vanta | ~$15K/year | Strong SOC 2 + ISO 27001 |
| Drata | ~$15K/year | Good automation |
| Secureframe | ~$12K/year | Startup-friendly |
| ISMS.online | ~$10K/year | ISO 27001 specialist |
| Sprinto | ~$10K/year | Cost-effective |
| OneTrust | Enterprise pricing | Full GRC suite |
Training and certifications
| Course | Provider | Cost |
|---|---|---|
| ISO 27001 Lead Implementer | BSI, PECB, others | $2,000-$4,000 |
| ISO 27001 Lead Auditor | BSI, PECB, others | $2,000-$4,000 |
| ISO 27001 Foundation | Various | $500-$1,500 |
| Free overview courses | Udemy, LinkedIn Learning | Free-$50 |
Consultants: what to look for
| Criterion | Why it matters | Red flags |
|---|---|---|
| Certification body independence | Can't consult and audit | Same company offers both |
| Relevant industry experience | Understands your context | Generic approach |
| References | Proof of successful projects | Won't provide references |
| Clear scope and pricing | No surprises | Vague proposals |
| Knowledge transfer | You can maintain it after | Dependency creation |
Finding consultants
- ISO 27001 Consultants Directory (PECB certified)
- Clutch.co — Consultant reviews
- Ask your certification body for recommendations (they can't recommend themselves)
- Network referrals from companies who recently certified
Expert tips
Start with a maturity baseline
Before ISO 27001, assess your maturity using a simple scale:
| Level | Description | ISO 27001 gap |
|---|---|---|
| 0 | Non-existent | Major work needed |
| 1 | Initial/ad-hoc | Significant work |
| 2 | Repeatable | Moderate work |
| 3 | Defined | Light work, focus on documentation |
| 4 | Managed | Ready for certification |
| 5 | Optimized | Already exceeds requirements |
If you're at Level 2 or below, budget 12+ months. Level 3+, you can move faster.
Use the SOC 2 bridge
If you already have SOC 2:
- ~60% overlap with ISO 27001 controls
- Significant documentation is reusable
- Risk assessment methodology can be adapted
- Shorten timeline by 3-4 months
The 80/20 of Annex A controls
Some controls take disproportionate effort:
| High-effort controls | Tips |
|---|---|
| A.5.1 Policies | Use templates, focus on substance over perfection |
| A.5.9 Asset inventory | Automate with asset management tools |
| A.6.3 Awareness training | Use platforms like KnowBe4, simple is fine |
| A.8.2 Privileged access | Start reducing now, document exceptions |
| A.8.9 Configuration management | Baseline configs, use IaC where possible |
| A.8.16 Monitoring | Centralized logging first, SIEM later |
| A.8.25-8.31 Secure development | Integrate into the existing SDLC; don't create a parallel process |
Build internal audit capability
External auditors are expensive. Train 2-3 internal auditors:
- Take ISO 27001 Lead Auditor course ($2,000-$4,000 per person)
- Practice on each other's areas
- Use external auditor for oversight only
Leverage compliance platforms
Tools like Vanta, Drata, Secureframe, and Sprinto offer ISO 27001 modules:
- Pre-built policy templates
- Automated evidence collection
- Control monitoring dashboards
- Auditor-ready evidence packages
Cost: roughly $10,000-$30,000/year depending on company size and modules. Worth it for most companies.
Workshop: ISO 27001 planning
Part 1: Business case (1 hour)
- List customer/market requirements for ISO 27001
- Estimate deals lost or delayed due to lack of certification
- Calculate potential revenue impact
- Compare to certification cost
- Draft executive summary
Deliverable: Business case document
Part 2: Scope definition (1 hour)
- List all business processes
- Identify which handle sensitive data
- Determine minimum viable scope
- Document scope statement
Deliverable: Draft ISMS scope
Part 3: Gap assessment (2-3 hours)
- Review each ISO 27001 clause (4-10)
- For each Annex A control, rate: Implemented / Partial / Not implemented
- Estimate remediation effort
- Identify quick wins vs. major projects
Deliverable: Gap analysis spreadsheet
Part 4: Roadmap and budget (1 hour)
- Sequence remediation activities
- Assign owners and timelines
- Estimate costs by category
- Present plan to leadership
Deliverable: Project roadmap and budget proposal
How to explain this to leadership
The pitch:
"ISO 27001 is the international standard for information security. Our enterprise customers in Europe and globally increasingly require it. Getting certified will open new markets, reduce sales cycles, and demonstrate our security maturity. It's a 9-12 month effort costing approximately $X."
The business case:
"In the past year, we've encountered 15 prospects who required ISO 27001. We lost 8 of them outright, and the other 7 required extensive security reviews. If we were certified, we'd have won at least 4 of those 8 deals (worth $Y) and saved Z hours in security reviews."
The ask:
"I need approval for $[budget] over 12 months, including consultant support, compliance tooling, and certification fees. I'll need [X hours/week] dedicated to this project, plus involvement from IT, HR, and department heads for risk assessments and policy reviews."
The timeline:
"We can achieve certification in 10-12 months. First 3 months are planning and documentation. Months 4-7 are implementation. Months 8-9 are internal audit and fixes. Months 10-12 are certification audits."
Conclusion
ISO 27001 is a multi-year investment, not a quick win. The value isn't the certificate — it's the documented ISMS that forces you to think through every aspect of how you manage information security, and the evidence that you actually follow your own processes.
Start building the foundation before you commit to the audit.
What's next
Next: SOC 2 certification guide — the B2B trust credential for companies selling to enterprise customers.