ISO 27001
Certification · $15K–$120K · 3–12 months
- Controls: 93 Annex A controls (2022 revision)
- Recertification: 3-year certificate with annual surveillance audits
- Oversight: accredited certification body
- Common gaps: risk treatment plan, Statement of Applicability, internal audit
- Related: SOC 2 Type 2, NIST CSF
- Public registry: IAF CertSearch
What is ISO 27001?
ISO 27001 is the international standard for an Information Security Management System (ISMS). Certification proves you run a documented, risk-based program — not just point controls.
Is ISO 27001 a certification or an attestation?
It is a certification issued by an accredited certification body, valid for three years with annual surveillance audits. That is distinct from SOC 2, which is an auditor's attestation report covering either a point in time (Type 1) or a defined period (Type 2).
Who needs ISO 27001?
Companies selling internationally, especially in Europe and APAC, where ISO 27001 is often the expected security credential.
What does it cost and how long does it take?
Costs vary with scope and company size; expect a multi-month effort covering risk assessment, the Statement of Applicability, and an internal audit before the certification audit.