If you've been asked to get ISO 27001 certified — by a client, by your leadership, or by a procurement team that won't move forward without it — you already know that the standard is real and the process isn't simple. What you may not know is what it actually takes to pass on the first try, and why most organizations that run into trouble didn't fail on documentation. They failed on evidence.
I've worked with organizations across healthcare, SaaS, financial services, and manufacturing to earn ISO 27001 certification, and the pattern I see most often is this: teams spend six months building policies, then spend audit week realizing that documentation and implementation are two completely different things. The auditor isn't checking your binders. They're checking whether your people live by what's in them.
This guide is the practical version — what the standard actually requires, what changed in the 2022 revision, how long certification realistically takes, and what separates a first-time pass from an expensive repeat engagement.
What ISO 27001 Actually Requires
ISO/IEC 27001 is an international standard for Information Security Management Systems. The core of the standard isn't a checklist — it's a management framework. Clauses 4 through 10 of ISO 27001:2022 define how your organization should establish, implement, maintain, and continually improve an ISMS. Annex A then provides a reference set of 93 controls you can select based on your risk assessment.
That phrase — "based on your risk assessment" — is where most organizations underestimate the work. ISO 27001:2022 clause 6.1.2 requires organizations to identify information security risks against criteria established by the organization itself, which means there is no universal right answer for which risks to document and no template that replaces genuine judgment. The standard is intentionally flexible, and auditors are trained to tell the difference between an organization that understood its actual risk environment and one that filled out a downloaded template.
The Annex A controls cover four categories in the 2022 revision: organizational controls, people controls, physical controls, and technological controls. That's a structural simplification from the 2013 version's 14 domains — but the underlying security expectations are more demanding in several areas, particularly around supply chain risk management, cloud services, and threat intelligence.
What Changed in ISO 27001:2022 (and Why It Matters Now)
The 2022 revision is not a cosmetic update. The International Accreditation Forum mandated a transition deadline of October 31, 2025, which means any certificate issued under the 2013 version is now expired. If your organization holds an old certificate and hasn't transitioned, you're operating with a lapsed certification — a fact that surfaces quickly in enterprise due diligence.
The most consequential changes:
Annex A restructured. Down from 114 controls in 14 domains to 93 controls in 4 themes. Eleven controls are entirely new, concentrated in areas most organizations have historically underinvested in: threat intelligence (control 5.7), information security for cloud services (5.23), data leakage prevention (8.12), and data masking (8.11).
Context and scope are harder to game. Auditors in 2025–2026 are more sophisticated about the requirements of clauses 4.1 and 4.2. A vague scope statement that quietly excludes your most sensitive systems without documented justification will generate a nonconformity. I've seen this exact issue close what should have been a clean Stage 1.
Attribute taxonomy. The 2022 revision introduced optional attributes — preventive, detective, corrective, and others — to each Annex A control. It's not mandatory, but auditors have started noticing whether organizations have thought about it, and it signals the difference between an ISMS built to pass and one built to function.
Organizations that pursued the 2022 certification rather than delaying came out ahead, both because the auditor pool is now fully calibrated to the new standard and because the revised Annex A maps considerably better to modern cloud and SaaS environments than the 2013 version ever did.
ISO 27001 vs. Other Cybersecurity Frameworks
One of the most common questions I get is whether ISO 27001 is the right framework, or whether SOC 2 or NIST would be a better fit. The honest answer is that it depends on your customer base and regulatory context — and in many cases, the answer is more than one.
| Framework | Geographic Reach | Who Requires It | Certification vs. Assessment | Renewal Cadence |
|---|---|---|---|---|
| ISO/IEC 27001:2022 | Global (EU, APAC, enterprise B2B) | Enterprise procurement, EU tenders, regulated industries | Formal third-party certification | 3-year cert + annual surveillance |
| SOC 2 Type II | Primarily North America | U.S. SaaS customers, financial services partners | Auditor attestation report | Annual report |
| NIST CSF 2.0 | U.S.-centric, increasing globally | Federal contractors, critical infrastructure | Self-assessment or third-party | No fixed cadence |
| NIST SP 800-171 / CMMC | U.S. federal supply chain | DoD contractors handling CUI | Self-attestation + Level 2/3 audit | Annual affirmation |
| ISO 42001:2023 | Global, early-stage adoption | AI governance (emerging procurement req.) | Formal third-party certification | 3-year cert + annual surveillance |
ISO 27001 is the right choice when your customers are outside North America, when you're entering regulated markets, or when you need a certification — not just an attestation — that carries third-party accreditation. SOC 2 serves a different market. I've seen organizations spend 18 months on SOC 2 only to discover their target enterprise clients in Europe require ISO 27001. The two aren't interchangeable even though they cover overlapping ground.
The Certification Path: What the Process Actually Looks Like
ISO 27001 certification happens through a third-party accredited certification body — DEKRA, BSI, SGS, Bureau Veritas, and others. The process has two main stages and a continuing surveillance obligation after you earn the certificate.
Stage 1: Documentation Review
Stage 1 is a desk review. The auditor examines your ISMS documentation — your scope statement, information security policy, risk assessment methodology, Statement of Applicability, and key procedures. For a mid-size organization, this typically takes one to two days.
Stage 1 isn't a formality. A well-run Stage 1 surfaces gaps before you get to the more expensive Stage 2, and it's your last real opportunity to course-correct without a formal nonconformity on the record. Organizations that rush to Stage 1 before their documentation is genuinely ready are burning time and money.
Stage 2: Implementation Audit
This is the main event. The Stage 2 auditor spends time with your team — interviewing employees, reviewing evidence, testing whether your documented controls are actually operating. They're looking for objective evidence that your ISMS is implemented, not just written down.
The most common Stage 2 findings I see in practice:
- Controls listed in the Statement of Applicability with no corresponding evidence of operation
- Risk treatments marked "accepted" without documented justification
- Asset inventories that haven't been maintained since the initial build
- Supplier agreements that don't include security requirements (control 5.19 requires them)
- Incident response procedures that exist on paper but haven't been tested
Surveillance Audits
After certification, you'll have annual surveillance audits in years one and two of the three-year certificate cycle, followed by a recertification audit in year three. These are not easier than the initial certification. Auditors use them to verify continual improvement, and organizations that treat the ISMS as a one-time project rather than an ongoing management system routinely generate nonconformities in year two.
How Long Does ISO 27001 Certification Take?
A mid-size organization starting from scratch should plan for 9 to 14 months from kickoff to certificate. That timeline breaks down roughly as:
- Months 1–3: Gap assessment, project scoping, ISMS policy and procedure development
- Months 3–7: Risk assessment, Annex A control implementation, internal training
- Months 7–9: Internal audit and management review (both required by the standard before Stage 1)
- Months 9–12: Stage 1 and Stage 2 audits, corrective action if needed
Organizations that already have significant security infrastructure — existing access control programs, vendor management processes, incident response plans — can compress that timeline. Organizations with no baseline cannot. The most reliable predictor of timeline isn't company size. It's whether leadership treats information security as a genuine management priority or as a compliance checkbox.
I'll say this plainly: if your executive team isn't visibly involved in the ISMS, you will struggle in the Stage 2 audit. Clause 5.1 of ISO 27001:2022 requires demonstrable leadership commitment, and auditors who've been doing this for years can tell the difference between a CEO who understands the scope of the ISMS and one who signed a policy without reading it.
What the Data Says About ISO 27001 and Cybersecurity Risk
A few statistics worth knowing before your next leadership conversation about certification:
The IBM Cost of a Data Breach Report 2024 puts the average cost of a data breach at $4.88 million, a 10% increase over the prior year. Organizations with mature security compliance programs consistently show lower breach costs than those without — and the gap has been widening, not closing.
As of the most recent ISO Survey, 70,969 ISO/IEC 27001 certificates had been issued across 150+ countries, a number that has grown by double digits year-over-year as enterprise procurement teams add certification requirements to vendor qualification checklists. The North American growth rate is accelerating faster than any other region.
The 2022 revision's 11 new controls are concentrated in exactly the areas where most organizations have the largest gaps: threat intelligence, cloud security, data leakage prevention, and secure coding. The October 2025 IAF transition deadline means any ISO/IEC 27001:2013 certificate is now expired; organizations seeking first-time certification must pursue the 2022 standard. There is no path to a valid certificate through the old version.
Supply chain compromise has become the attack vector of choice for sophisticated threat actors, which is a direct driver of why ISO 27001 control 5.19 — information security in supplier relationships — has become one of the most scrutinized areas in recent certification audits. The organizations that treat supplier security as a paperwork exercise rather than a real assessment process are the ones generating nonconformities here.
What to Look for in an ISO 27001 Cybersecurity Consultant
If you're considering external help — and most mid-size organizations benefit from it — here's what I'd actually evaluate.
First, ask whether they've led organizations through Stage 2 audits, not just built documentation. Documentation is the straightforward part. The harder work is preparing your team for auditor interviews, ensuring controls are genuinely operating, and running a credible internal audit before the external auditor arrives. A consultant who has only ever built paper programs will leave you exposed at the moment it matters most.
Second, ask about their familiarity with your industry. ISO 27001 is an industry-agnostic standard, but the risk landscape varies considerably between a SaaS company handling customer PII and a medical device manufacturer subject to FDA 21 CFR Part 11. The controls you select and justify should reflect your actual environment, not a generic Annex A template pulled from the internet.
Third — and this is the one most people skip — ask how they handle nonconformities. A consultant who guarantees a clean audit is telling you what you want to hear, not what you need to know. The realistic expectation is that your Stage 1 will generate observations and possibly minor findings, and a good consultant has a clear process for resolving them before Stage 2.
At Certify Consulting, we've maintained a 100% first-time audit pass rate across more than 200 client engagements over eight-plus years. That number holds because we don't advance clients to Stage 1 until we'd stake our own reputation on the readiness of their documentation — and we don't advance to Stage 2 until the internal audit has been genuinely stress-tested, not just checked off. If you're trying to figure out what ISO 27001 certification would actually require for your organization, I'm happy to talk through it before you commit to a path. Reach out at certify.consulting.
How Much Does ISO 27001 Certification Cost?
For a mid-size organization (50–500 employees), expect $40,000–$120,000 all-in across the first year, depending on organizational complexity, your baseline security maturity, and whether you're pursuing a focused scope or enterprise-wide certification. That range includes consultant fees, certification body fees, and internal staff time.
Annual surveillance audits typically run $5,000–$15,000 through your certification body. Organizations that maintain an active ISMS throughout the year — rather than scrambling before each audit — spend less on surveillance over time because there's less corrective work to do.
The real cost driver isn't the consultant fee. It's the internal staff time required to implement controls that actually operate and to produce the objective evidence auditors will ask for. Organizations that underestimate this consistently run over budget and over schedule.
Jared Clark is Principal Consultant at Certify Consulting, where he leads information security and quality management certification engagements for organizations across the U.S. and internationally. He holds credentials including JD, MBA, PMP, CMQ-OE, CQA, CPGP, and RAC, and has served 200+ clients with a 100% first-time audit pass rate over eight-plus years of practice.
Last updated: 2026-06-14
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.