Where the requirement actually comes from
Almost never from statute; almost always from customers. Enterprise vendor security reviews, procurement questionnaires, and tender criteria ask for independent proof that a supplier manages information security systematically, and ISO 27001 is the globally recognized answer. The pattern is self-reinforcing: once your competitors present certificates, the questionnaire stops being optional for you.
Profiles where certification is the entry ticket
- B2B SaaS and cloud services. The classic case: you hold customer data, their security team must justify trusting you, and the certificate plus your SoA scope is how they do it internally.
- IT managed services, hosting, development agencies. Privileged access to client systems makes you part of their attack surface; certification is how they govern that.
- Fintech and payment-adjacent suppliers. Banks flow security requirements down aggressively; ISO 27001 is the common denominator beneath their bespoke questionnaires.
- Health technology and life sciences suppliers. Sensitive data plus regulated customers equals certified-ISMS expectations.
- BPO, legal tech, HR tech, and any data processor at scale. Controllers under GDPR and similar laws must verify processor security (Article 28); your certificate shortens their due diligence.
- Public sector suppliers in many countries, where tenders score or require it.
Who can reasonably skip it
Businesses that hold little third-party sensitive data and sell to buyers who never ask: local services, most consumer-only products, early prototypes without enterprise ambitions. Even then, the underlying discipline (asset inventory, risk assessment, access control, incident readiness) is just competent operations; you can run it without the audit fees and certify when the first serious questionnaire lands.
The timing signal to watch
The moment ISO 27001 appears in a live deal, you are 4 to 8 months from being able to satisfy it. The companies that suffer are the ones that discover this inside a procurement deadline. If your pipeline is trending toward enterprise, start before the questionnaire arrives; the certificate is slow to mint and instant to verify.