
ISO 27001 Certification Preparation Template

A structured ISO 27001 certification preparation checklist for product teams covering ISMS establishment, risk assessment, Annex A controls, internal...

Updated 2026-03-05

Frequently Asked Questions

How long does ISO 27001 certification take?
For most mid-size SaaS companies (100-500 employees), plan for 6-12 months from ISMS establishment to the Stage 2 audit. Companies with an existing security program (SOC 2, a strong security culture) can compress this to 4-6 months. The ISMS must be operational for at least 3 months before the Stage 1 audit, and you need at least one complete internal audit cycle and one management review before certification.
How much does ISO 27001 certification cost?
Total cost typically ranges from $50K-$300K depending on company size and maturity. Major components: certification body audit fees ($15K-$50K for initial certification), consulting support ($20K-$100K), security tooling ($10K-$50K), and internal staff time (often the largest cost). Annual surveillance audits cost roughly 30-40% of the initial audit fee. Recertification every 3 years costs about the same as the initial certification.
What is the difference between ISO 27001 and SOC 2?
ISO 27001 is an international standard with a pass/fail certification outcome. SOC 2 is a US-based attestation framework that produces a Type I (point-in-time) or Type II (period-of-time) report. ISO 27001 is more prescriptive (93 specific controls in Annex A), while the SOC 2 Trust Services Criteria are more flexible. Enterprise buyers outside the US typically require ISO 27001; US-based enterprise buyers often want SOC 2 Type II. Many B2B SaaS companies pursue both. For SOC 2 preparation, see the [SOC 2 readiness template](/templates). When considering how security certifications affect your [product roadmap](/guides/how-to-build-a-product-roadmap), treat them as a non-negotiable infrastructure investment.
What are the new controls in ISO 27001:2022?
The 2022 revision added 11 new controls: A.5.7 Threat intelligence, A.5.23 Information security for cloud services, A.5.30 ICT readiness for business continuity, A.7.4 Physical security monitoring, A.8.9 Configuration management, A.8.10 Information deletion, A.8.11 Data masking, A.8.12 Data leakage prevention, A.8.16 Monitoring activities, A.8.23 Web filtering, and A.8.28 Secure coding. These reflect modern threats and cloud-first architectures. If you are transitioning from the 2013 version, focus on these 11 controls plus the restructured control numbering.
Do we need to implement all 93 Annex A controls?
No. You implement the controls that are relevant to the risks identified in your risk assessment. The Statement of Applicability (SoA) documents which controls are applicable and which are excluded, with a justification for each exclusion. Auditors scrutinize exclusions carefully, however. Common justified exclusions include physical controls for fully remote companies, or specific controls that do not apply to your technology stack. Unjustified exclusions are a common audit finding.
