Having ISO 27001 compliance means your small or medium-sized business has built an information security management system (ISMS) that meets the framework set by the International Organization for Standardization. This is a certification earned through a formal audit conducted by an accredited third-party body. If you’re working with enterprise clients, selling into regulated industries, or responding to security questionnaires from prospects, you’ve probably already been asked if you have it.
Key Takeaways
- ISO 27001 is an internationally recognized certification that proves your information security program is documented and independently verified.
- Overall costs run between $6,000 and $40,000, depending on the business size and complexity.
- ISO 27001 and SOC 2 are distinct frameworks that answer different questions.
- Organizations that leverage managed IT services – with documented controls for access, endpoints, patching, and incident response – can compress their audit timeline and their preparation costs.
What is ISO 27001?
ISO 27001 is the international standard for information security management systems, published jointly by the International Organization for Standardization and the International Electrotechnical Commission. The current version (ISO/IEC 27001:2022) is the only valid edition; the 2013 version expired on October 31, 2025, so every new or renewing certification now uses the 2022 standard.
At its core, ISO 27001 defines how an organization should structure, operate, and continually improve its approach to managing sensitive information. “Information security” here covers three properties:
- Confidentiality (keeping data from unauthorized access)
- Integrity (keeping it accurate and unaltered)
- Availability (keeping it accessible when needed)
Certification is issued by accredited third-party certification bodies – not by ISO directly – so the certificate you earn carries the name of the body that audited you. Teal’s ISO 27001 certification, for example, carries the name of A-LIGN.
Who Needs ISO 27001 Certification?
Strictly speaking, no law requires ISO 27001 for most organizations, but the market often does. The moment a prospect, partner, or client sends you a security questionnaire with “Are you ISO 27001 certified?” at the top, the standard becomes practically mandatory.
The industries where this comes up most often include:
- Financial services and fintech
- Manufacturing
- Health-adjacent SaaS
- Legal and professional services
It’s also common for businesses expanding into European markets, where ISO 27001 is recognized as evidence of GDPR-aligned security controls.
If you’ve been asked for your “security posture” documentation by a prospective client and you don’t have a good answer, ISO 27001 is likely the framework you’ll want to adopt.
What the ISO 27001 Requirements Cover
The standard has two structural components: core clauses and Annex A.
Core Clauses
The first four clauses help your organization understand what ISO 27001 is for and how to prepare for an audit. They cover:
- Intro to ISO 27001 standards
- Normative references
- Relevant terms and definitions
Clauses 4 through 10 define the ISMS itself. They include:
- Defining the scope of your ISMS
- Conducting a risk assessment
- Assigning ownership
- Establishing a management review process
These clauses are mandatory; there’s no selecting which ones apply.
Annex A
Annex A is a reference catalog of 93 security controls organized into four broad themes.
Organizational (Theme A.5 – 37 Controls)
Anything dealing with company processes, such as high-level policies, cloud workflows, or vendor relationships.
Physical (Theme A.7 – 14 Controls)
Anything dealing with tangible items, such as office doors, alarms, server cages, or building keys.
People (Theme A.6 – 8 Controls)
Anything dealing directly with people, such as background screening, training, or remote work rules.
Technological (Theme A.8 – 34 Controls)
Anything dealing with digital data, such as software configurations, network firewalls, or coding practices.
You don’t implement all of them. Instead, you conduct a risk assessment, select the controls that address your identified risks, and document your reasoning for excluding any that don’t apply. That document is called a Statement of Applicability (SoA), and the audit will test whether your selected controls are in place and operating as intended.
There is a significant documentation burden involved in this audit process. You’ll need a written information security policy, a risk assessment process, a risk treatment plan, an asset inventory, evidence that controls are operating, and records of your management review.
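As an added illustration (not the article's or Teal's code), here is a small Python check for the internal consistency of a Statement of Applicability: every Annex A control is listed exactly once, excluded controls carry a written justification, and applicable controls point at evidence an auditor can inspect. It assumes the 2022 numbering (A.5.1 to A.5.37, A.6.1 to A.6.8, A.7.1 to A.7.14, A.8.1 to A.8.34) and uses a constructed sample SoA with three deliberate defects.

```python
"""Consistency check for an ISO/IEC 27001:2022 Statement of Applicability (SoA).
Hypothetical helper written for this article, not Teal's or any auditor's tool; it assumes
Annex A's 2022 numbering A.5.1-A.5.37, A.6.1-A.6.8, A.7.1-A.7.14, A.8.1-A.8.34."""
from dataclasses import dataclass

# Theme -> control count, the four themes the article lists (93 controls in total).
ANNEX_A_THEMES = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}

def annex_a_control_ids():
    """Every Annex A control identifier, 'A.5.1' ... 'A.8.34'."""
    return [f"{theme}.{n}" for theme, count in ANNEX_A_THEMES.items()
            for n in range(1, count + 1)]

@dataclass
class SoAEntry:
    control_id: str
    applicable: bool
    justification: str = ""  # why included or excluded; mandatory when excluded
    evidence: str = ""       # where an auditor can see the control operating

def check_soa(entries):
    """Return {finding: [control ids]}; an empty dict means the SoA is consistent."""
    expected = annex_a_control_ids()
    known, seen = set(expected), set()
    findings = {"unknown_id": [], "duplicate": [], "missing": [],
                "excluded_without_justification": [], "applicable_without_evidence": []}
    for e in entries:
        if e.control_id not in known:
            findings["unknown_id"].append(e.control_id)
            continue
        if e.control_id in seen:
            findings["duplicate"].append(e.control_id)
        seen.add(e.control_id)
        if not e.applicable and not e.justification.strip():
            findings["excluded_without_justification"].append(e.control_id)
        if e.applicable and not e.evidence.strip():
            findings["applicable_without_evidence"].append(e.control_id)
    findings["missing"] = [c for c in expected if c not in seen]  # never listed at all
    return {k: v for k, v in findings.items() if v}

def sample_soa():
    """Constructed SoA for a small SaaS team, with three deliberate defects to catch."""
    entries = [SoAEntry(c, True, "Addresses a risk in the register", "GRC ticket #EXAMPLE")
               for c in annex_a_control_ids()]
    entries[0] = SoAEntry("A.5.1", True, "Addresses a risk in the register", "")  # no evidence
    entries[-1] = SoAEntry("A.8.34", False)                        # excluded without a reason
    entries.append(SoAEntry("A.9.1", True, "mistyped id", "n/a"))  # no such Annex A theme
    return entries
```

Running `check_soa(sample_soa())` reports the three defects and nothing else; a clean SoA returns an empty dict.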
How Much Does ISO 27001 Certification Cost?
For a small to mid-size organization, plan for the audit to cost between $5,000 and $35,000. The range is wide because the biggest variable is how mature your existing security controls are when you start.
For organizations under 50 employees, expect 3–6 audit days at roughly $1,500 per day, putting fees closer to $5,000–$10,000.
Related ISO 27001 Costs
| Expense Item | Cost |
|---|---|
| Gap analysis | ~$7,000–$10,000 |
| Preparation and remediation | $10,000–$60,000 |
| Annual internal and surveillance audits (years 2 and 3) | $15,000 annually (~$7,500 per audit) |
ISO 27001 Certification Timeline
Most first-time certifications take 3–12 months. The main factors that impact your individual timeline include:
- Your organization’s size
- The state of your existing security maturity
- Your documentation readiness
- Whether you use compliance automation platforms or have managed IT services
ISO 27001 vs SOC 2: Understanding the Difference
Both ISO 27001 and SOC 2 frameworks address information security, but they answer different questions for different audiences.
ISO 27001 is an international standard that results in a formal certification. It’s process-based: the audit evaluates whether your organization has a functioning ISMS – the policies, risk management process, controls, and continual improvement cycle. It’s recognized globally, particularly in Europe, Asia-Pacific, and the Middle East. The certificate can be displayed publicly and referenced in contracts.
SOC 2 is a US-focused framework built around the AICPA Trust Services Criteria. It produces an attestation report (an auditor’s opinion on specific controls) rather than a certificate. It’s more flexible and customizable to your service model and customer base. In the US market, SOC 2 Type II is often the first thing enterprise procurement teams request.
Many organizations end up pursuing both – especially those selling globally. There’s control overlap between the two frameworks, so achieving one does simplify the path to the other.
ISO 27001 tends to come first for internationally oriented organizations; SOC 2 tends to come first for US-focused ones.
The Four-Step Process to Getting ISO 27001 Certified
The certification path follows a consistent sequence regardless of organization size:
1. Gap Assessment
An independent assessor, like Teal, evaluates your current environment against ISO 27001 requirements and produces a prioritized list of what needs to be built, documented, or evidenced before you can pass an audit.
2. Controls Implementation and Documentation
In this step, you address the gaps (including building missing controls, writing policies, training staff, and establishing evidence collection processes). This is where working with a managed IT services provider changes the economics for your organization.
A provider already managing your access controls, endpoint security, patch management, incident response, and backup isn’t building those things with you from scratch. They’re helping you document what already exists. That can be the difference between $60,000 in preparation costs and $10,000.
When selecting a managed IT provider for this process, it is worth choosing one that is itself ISO 27001 certified, because they have already been through the full assessment. They know what auditors look for, what documentation needs to say, and where organizations typically fail.
3. Stage 1 Audit
Your certification body reviews your documentation (your ISMS scope, risk assessment, Statement of Applicability, and core policies). This is a desk review; if significant gaps are found, you remediate them before moving on to Stage 2.
4. Stage 2 Audit
The auditor tests your controls in operation (reviewing evidence, interviewing staff, and verifying that what’s documented is actually happening). Pass Stage 2, and you’re certified.
Ready to Get ISO 27001 Certified?
ISO 27001 compliance is increasingly expected by enterprise clients and regulated industries. If your organization is ready to get serious about ISO 27001, the best first step to take is understanding what you already have.
Teal’s managed compliance services are built around the same controls ISO 27001 auditors look for, and as a certified provider, we’ve already been through the process ourselves. Contact Teal today to see if our services are right for your organization.