ReadSafety.com
Home/Questions/ISO 27001
Questions Answered · IT & Cybersecurity

ISO 27001: your questions,
answered in plain language.

The questions founders, IT managers, and compliance leads actually search about ISO 27001 — including the SOC 2 decision — answered in plain language and reviewed by certified auditors at USQC.

What is ISO 27001 in simple terms?

In one sentence: ISO 27001 is the international standard for proving you manage information security systematically — risks assessed, controls chosen deliberately, evidence kept.

ISO 27001 defines the requirements for an information security management system (ISMS). The core logic: identify what information you hold and what could go wrong (risk assessment), decide how to treat each risk (risk treatment), select controls from a reference catalog (Annex A) or elsewhere, and run the whole thing as a managed, audited, improving system.

It is deliberately not a technical checklist — it doesn't mandate a firewall brand or an encryption algorithm. It mandates that your security choices trace back to an honest risk assessment, and that leadership owns the results.

The current edition is ISO 27001:2022. Our free clause-by-clause ISO 27001 guide demystifies every requirement and all 93 Annex A controls.

ISO 27001 vs SOC 2 — which one do I need?

Shortcut: selling to US customers? SOC 2 is usually asked first. Selling internationally or to enterprises and governments? ISO 27001. Scale-ups routinely end up with both.

They answer the same customer question — “can we trust you with our data?” — through different machinery. ISO 27001 is a certifiable international standard: an accredited body audits your ISMS and issues a certificate on a three-year cycle. SOC 2 is an attestation framework from the AICPA: a CPA firm examines your controls against the Trust Services Criteria and writes a report (Type I = design at a point in time; Type II = operating effectiveness over a period).

Practical differences: ISO 27001 gives you a certificate you can show anyone; SOC 2 produces a confidential report shared under NDA. ISO 27001 is recognized globally; SOC 2 dominates US SaaS procurement. Effort overlaps heavily — a solid ISMS gets you most of the way to both, and many audit firms offer combined programs.

Decision rule: look at your actual sales pipeline's security questionnaires. Build for what your buyers ask for, and design your control set once so the second framework becomes an increment, not a second project.

How much does ISO 27001 certification cost?

For a small company (under ~50 people, one product, cloud-hosted), realistic totals: certification body fees of $5,000–$12,000 for the initial cycle plus $3,000–$6,000 per surveillance year; tooling (compliance automation platforms) commonly $5,000–$20,000/year if you choose one; consulting from $5,000 to $30,000+ if you outsource implementation. Internal time remains the biggest unquoted cost — someone must own the ISMS.

Compliance automation platforms genuinely reduce evidence-collection pain for cloud-native companies, but they don't replace the thinking: the risk assessment, the Statement of Applicability, and management commitment are yours to produce regardless of tooling.

As with every standard: only accredited certification matters. An unaccredited certificate fails enterprise vendor review, which defeats the entire purpose. USQC operates in accordance with ISO/IEC 17021 and quotes full three-year cycles.

How long does it take to get ISO 27001 certified?

Typical: 4–9 months. Cloud-native startups with modern tooling and a dedicated owner have done it in 3–4 months; organizations with legacy infrastructure, multiple products, or no security baseline should plan for 9–12.

The sequence that consumes the time: scope the ISMS, inventory information assets, run the risk assessment, write the Statement of Applicability, implement the controls you committed to, then operate long enough to produce evidence — logs reviewed, access recertified, an internal audit, a management review. Auditors certify operating systems, not intentions.

Then the standard two-stage certification audit (see Stage 1 vs Stage 2), with certificates typically issued weeks after a clean Stage 2.

What are the Annex A controls?

Annex A is ISO 27001's reference catalog of information security controls — 93 of them in the 2022 edition, organized into four themes: organizational (37), people (8), physical (14), and technological (34). They range from access control and cryptography to supplier management, secure development, and threat intelligence.

The crucial misunderstanding to avoid: Annex A is not a mandatory checklist. You must consider every control and justify inclusion or exclusion in your Statement of Applicability, but the driver is your risk assessment. A company with no physical office legitimately excludes several physical controls — with a documented reason.

Companion standard ISO 27002 provides implementation guidance for each control — it's the “how” to Annex A's “what.”

What changed in ISO 27001:2022?

The headline change was Annex A: 114 controls in 14 categories became 93 controls in 4 themes — merged, modernized, and extended with 11 genuinely new controls including cloud security, threat intelligence, data leakage prevention, secure coding, and configuration management. The management clauses (4–10) received only light edits.

The transition deadline for organizations certified against the 2013 edition was October 31, 2025 — it has passed. All valid certificates are now against the 2022 edition; if yours somehow still says 2013, contact your certification body urgently.

New implementers: build against 2022 only, and treat any template or consultant still selling 14 control categories as out of date.

Is ISO 27001 required by law or by GDPR?

No law mandates ISO 27001 by name for businesses in general, and GDPR does not require certification. But GDPR's Article 32 requires “appropriate technical and organisational measures” for personal data — and a certified ISMS is one of the strongest available demonstrations that your measures are systematic and appropriate. Regulators and courts treat it as strong evidence of diligence, not as automatic compliance.

Sector rules increasingly point the same direction: EU NIS2, DORA for financial services, and national critical-infrastructure regimes all demand systematic security risk management that an ISO 27001 ISMS maps onto naturally.

The commercial reality is blunter: enterprise procurement has made 27001 (or SOC 2) a de facto entry ticket for B2B software and services. The law asks for appropriateness; the market asks for the certificate.

What is a Statement of Applicability?

The Statement of Applicability (SoA) is the single most examined document in an ISO 27001 audit: a table listing every Annex A control with, for each one, whether it applies to you, why, and its implementation status. It is the bridge between your risk assessment (why controls are needed) and your actual security program (what you did about it).

A good SoA is honest and specific: exclusions carry real justifications (“no physical data center — all infrastructure is AWS, covered by controls X and supplier management”), and inclusions reference where the control lives (policy, system, owner).

Full anatomy with examples in the glossary: Statement of Applicability.

Can a startup get ISO 27001 certified?

Yes — startups are now the fastest-growing certification demographic, because enterprise deals stall in vendor security review without it. A 15-person SaaS company has a genuinely small scope: one product, one cloud provider, a handful of SaaS vendors, no physical infrastructure. That's a compact ISMS.

The startup advantages: modern stack (SSO, MDM, infrastructure-as-code make many controls near-automatic), no legacy debt, and short decision paths. The startup risks: treating it as a tooling purchase rather than a management system, and scoping so narrowly that the certificate doesn't cover what customers actually buy — enterprise reviewers read the scope statement first.

Realistic budget for a funded startup: one internal owner at ~25% time for a quarter, a compliance platform, and accredited audit fees. Many close their first enterprise deal on the strength of it.

What happens during an ISO 27001 certification audit?

Stage 1: the auditor reviews your ISMS documentation — scope, risk assessment, SoA, policies — and confirms you're ready. Stage 2: the real examination. Expect the auditor to sample controls from your SoA and demand operating evidence: show me the access reviews, the offboarding tickets, the backup restore test, the incident from March and how it was handled, the supplier assessment for your hosting provider.

Interviews go beyond the security team — engineers get asked how code reaches production, HR gets asked about screening and offboarding, leadership gets asked how they steer the ISMS. Inconsistency between what documents say and what people describe is where findings come from.

Findings are graded as elsewhere (nonconformity, major/minor); minors with a corrective plan don't block the certificate.

Does ISO 27001 cover cloud services and remote work?

Yes — the 2022 edition modernized precisely for this. Annex A now includes an explicit cloud services control (acquisition, use, management, and exit), and remote working, mobile devices, and data leakage prevention are all addressed. If your company is fully remote and fully cloud, the standard fits — your “physical security” story becomes largely your provider's, verified through supplier management and their own certifications.

The shared-responsibility trap is the thing auditors probe: AWS's ISO 27001 certificate covers their infrastructure, not your misconfigured S3 bucket. Your ISMS must cover your side of the line — identity, configuration, data classification, and monitoring.

For AI systems specifically, see ISO 42001 questions — it's designed to bolt onto an existing 27001 ISMS.

What are the benefits of ISO 27001 — is it worth it?

Revenue: the most direct return of any ISO standard — 27001 unblocks enterprise sales, shortens vendor security reviews from months to days, and is increasingly a bid requirement in government and finance. Risk: the discipline of an honest risk assessment plus incident readiness measurably reduces both breach likelihood and breach cost. Structure: security stops being one heroic engineer's tribal knowledge and becomes a system that survives personnel changes.

For B2B companies the calculation is usually simple: one enterprise deal that would otherwise stall covers the entire program cost.

When you're ready, USQC provides accredited ISMS certification with transparent three-year pricing — and ReadSafety.com's free 27001 guide gets you audit-ready without a paywall.

Ready to certify?

ReadSafety.com gives you the knowledge free. When you're ready for third-party certification or accredited training, USQC — United Safety Quality Council — provides certification audits and professional courses.

Certify with USQCRead the full ISO 27001 guide