
ISO 27001 Compliance

The international standard for information security management. What it costs, who needs it, what is actually involved, and how it connects to AI governance.

By Harrison Painter, AI Business Strategist · Last updated March 2026

What happens if I do nothing?

The short answer: you lose deals, pay more for insurance, and carry liability you cannot defend against.

You get excluded from international contracts. ISO 27001 is the baseline expectation for information security in Europe, Asia Pacific, and the Middle East. If your company sells to customers outside the United States, procurement teams will ask for your ISO 27001 certificate. Without it, you are disqualified before the conversation starts. Over 70,000 organizations worldwide hold ISO 27001 certification. Your competitors are among them.

You fail procurement requirements at enterprise accounts. Even domestic enterprise buyers increasingly require ISO 27001 from their vendors. According to a 2025 Gartner survey, 62% of enterprise procurement teams now include ISO 27001 certification as a mandatory or preferred requirement in vendor assessments. Without it, you spend weeks filling out security questionnaires that a certificate would have answered instantly.

Your cyber insurance becomes more expensive, or unavailable. Cyber insurance underwriters evaluate your security posture during the application process. Companies without a recognized information security management system face higher premiums, lower coverage limits, and more exclusions. The average cost of a data breach in 2025 was $4.44 million globally (IBM Cost of a Data Breach Report). Without ISO 27001, you are carrying that risk with no demonstrable system to manage it.

You have no defensible position after a breach. When a data breach occurs, regulators and courts ask what controls you had in place. ISO 27001 certification provides documented, audited evidence that you operated a systematic approach to information security. Without it, you are arguing that you did your best. That argument does not hold up in litigation, regulatory investigations, or customer negotiations.

You cannot build toward AI compliance. ISO 42001, the international standard for AI management systems published in December 2023, shares the Annex SL management system structure with ISO 27001 and is designed to be integrated with it. If you plan to deploy AI responsibly and need to demonstrate that to customers or regulators, ISO 27001 is the foundation. Skipping it means starting ISO 42001 from scratch instead of extending what you already have.

What it actually means

ISO 27001 is the international standard for building and operating an Information Security Management System (ISMS).

In plain English: it is a structured way to identify your information security risks, decide how to address them, implement controls, and continuously monitor whether those controls actually work. The standard is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC); the first edition appeared in 2005 and the current version is ISO/IEC 27001:2022.

Unlike SOC 2, which produces an attestation report from a CPA firm, ISO 27001 is a standard you are certified against. An accredited certification body audits your ISMS and, if you meet the requirements, issues a formal certificate. You are either certified or you are not; there is no spectrum of opinions.

The standard has two main parts. The first part (Clauses 4 through 10) defines the management system requirements: context of the organization, leadership commitment, planning, support resources, operations, performance evaluation, and improvement. These clauses follow Annex SL, the common structure shared by all ISO management system standards.

The second part is Annex A, which contains 93 reference controls organized into four categories:

Organizational (37 controls): Policies, roles, responsibilities, asset management, access control, supplier relationships, and incident management.

People (8 controls): Screening, terms of employment, awareness training, disciplinary processes, and responsibilities after termination.

Physical (14 controls): Physical security perimeters, entry controls, office security, equipment protection, and secure disposal.

Technological (34 controls): Authentication, encryption, logging, network security, malware protection, vulnerability management, and secure development.

The critical concept is that ISO 27001 is risk-based, not checklist-based. You do not implement all 93 controls by default. You conduct a risk assessment, determine which risks are relevant to your organization, and select the controls that address those risks. Your Statement of Applicability documents which controls you selected and which you excluded, along with the justification for each decision.

Who needs ISO 27001?

ISO 27001 is not limited to any single industry. These are the most common business scenarios where certification is expected or required.

Companies with international customers

If you sell products or services to customers in Europe, the UK, Asia Pacific, or the Middle East, ISO 27001 is the expected security baseline. GDPR compliance alone is not enough. Buyers want to see a certified management system behind it.

Companies with EU operations

The EU AI Act, NIS2 Directive, and DORA (Digital Operational Resilience Act) all reference European and international standards for information security. None of them mandates ISO 27001 by name, but it is the most widely recognized standard that satisfies these references, and operating in the EU without it creates regulatory friction.

Government contractors

Federal and state government procurement increasingly requires demonstrated information security management. While US federal contracts often specify NIST frameworks, ISO 27001 is accepted as equivalent in many contexts. State and local government RFPs frequently list it as a preferred qualification.

Healthcare and health data

Organizations handling protected health information (PHI) benefit from ISO 27001 as a complement to HIPAA. ISO 27001 provides the management system framework that HIPAA lacks. Many healthcare organizations pursue ISO 27001 alongside HITRUST certification for comprehensive coverage.

Financial services

Banks, insurance companies, fintech companies, and their vendors face some of the strictest information security requirements. Regulators like the OCC, FDIC, and state banking departments expect robust security programs. ISO 27001 provides auditable evidence of systematic security management.

Companies planning for ISO 42001

ISO 42001 (AI Management Systems) was built on the same Annex SL structure as ISO 27001. Organizations that achieve ISO 27001 first can extend their existing management system to cover AI governance, rather than building a separate system from the ground up. This saves significant time and cost.

What it actually costs

Most vendors and consultants are vague about ISO 27001 costs. Here are the real numbers for small and mid-sized businesses.

Initial Certification: $15K - $75K

This includes consultant/implementation support ($5K-$30K), the Stage 1 and Stage 2 certification audits ($5K-$20K), and internal labor costs. The range depends on company size, scope, and the maturity of existing security controls. Companies with an existing SOC 2 program are at the lower end.

Annual Surveillance Audits: $3K - $10K

Required every year to maintain certification. Surveillance audits are shorter than the initial certification audit, but they still require preparation, evidence gathering, and auditor time. Budget for both external audit fees and internal preparation effort.

Recertification (Every 3 Years): $7K - $16K

ISO 27001 certificates are valid for three years. At the end of each cycle, you go through a full recertification audit, similar in scope to the initial Stage 2 audit. This is typically less expensive than the initial certification because the ISMS is already established.

GRC Platform and Tooling: $5K - $20K/yr

Governance, Risk, and Compliance (GRC) platforms like Vanta, Drata, Sprinto, or OneTrust help automate evidence collection, control monitoring, and audit preparation. They are not required but significantly reduce the manual effort of maintaining an ISMS. Pricing scales with company size and features.

Internal Resource Investment: 6 - 12 months

The largest hidden cost is internal time. Someone (or a team) must own the ISMS, conduct the risk assessment, write policies, implement controls, run internal audits, and coordinate with the external auditor. For small companies, this is often a part-time responsibility for a security lead or CTO. For larger organizations, it may require a dedicated compliance team.

Total first-year cost for a typical SMB: $50,000 to $120,000 including consultant fees, tooling, audit fees, and internal labor. The external spend alone (consultant, tooling, and audit fees) typically falls within the $15,000 to $75,000 initial-certification range above; internal labor makes up the rest. Ongoing annual cost: $25,000 to $55,000. These numbers are real. A vendor that quotes external fees far below this range is likely cutting corners on scope or using an unaccredited certification body.

The certification process: step by step

From initial scoping to receiving your certificate, here is what the ISO 27001 certification journey looks like in practice.

1. Scoping

Define which parts of your organization, which products, and which locations the ISMS will cover. Scoping is the single most important cost and complexity decision you will make. A narrower scope means less documentation, fewer controls, and lower audit fees, but the scope must still cover the products and services your customers are actually buying, or the certificate gives them no assurance.

2. Risk Assessment

Identify information security risks across your scoped environment. Evaluate the likelihood and impact of each risk. Document your risk treatment decisions: accept, mitigate, transfer, or avoid. This is the backbone of your entire ISMS.

3. Statement of Applicability (SoA)

Review all 93 controls in Annex A and document which ones apply to your organization and why. Also document which controls you have excluded and the justification for each exclusion. The SoA is the auditor's primary reference document.

4. Implement Controls

Put the selected controls into practice. This includes technical controls (access management, encryption, network security), organizational controls (policies, training, supplier management), and physical controls (facility access, equipment disposal).

5. Internal Audit

Conduct a formal internal audit of your ISMS before the external auditor arrives. The internal audit must be performed by someone independent of the processes being audited. Document findings and corrective actions.

6. Management Review

Senior leadership formally reviews the ISMS performance, audit results, risk status, and improvement opportunities. This is not optional. Auditors will ask for evidence that management is actively engaged in the ISMS.

7. Stage 1 Audit (Documentation Review)

The external certification body reviews your ISMS documentation, policies, risk assessment, and Statement of Applicability. They verify that your system is designed correctly and ready for the effectiveness audit. This is typically a one to two day visit.

8. Stage 2 Audit (Effectiveness Audit)

The external auditor tests whether your controls are actually working. They interview staff, review evidence, test processes, and verify that the ISMS operates as documented. This is typically three to five days depending on scope and company size.

9. Certification Decision

The certification body reviews the Stage 2 audit findings. Any major nonconformities must be corrected, and the correction verified, before a certificate can be issued; minor nonconformities need a documented corrective action plan that the auditor follows up at the next surveillance audit. Once that is done, they issue your ISO 27001 certificate. The certificate is valid for three years, with annual surveillance audits required to maintain it.

Common misconceptions

These misunderstandings cause companies to either avoid ISO 27001 unnecessarily or pursue it with the wrong expectations.

Myth: ISO 27001 is just for IT departments

Reality: ISO 27001 is an organizational standard, not a technical one. It covers people, processes, and technology. HR, legal, facilities, procurement, and executive leadership all have roles in the ISMS. The auditor will interview people from across the organization, not just the IT team.

Myth: Annex A is a checklist you must complete

Reality: Annex A contains 93 reference controls organized into four categories: organizational, people, physical, and technological. You do not implement all of them. You select controls based on your risk assessment and document your justification in the Statement of Applicability. Implementing controls that do not address identified risks is a waste of resources.

Myth: Certification means you are secure

Reality: Certification means you have a functioning information security management system. It means you identify risks, implement controls, monitor effectiveness, and continuously improve. It does not guarantee that a breach will never happen. It guarantees that you have a disciplined system for managing information security risk.

Myth: It is too expensive for small companies

Reality: The cost of ISO 27001 scales directly with scope. A 50-person SaaS company certifying a single product can achieve certification for $15,000 to $40,000 of external spend (consultant, tooling, and audit fees) in year one, before internal labor. The key is disciplined scoping. You do not need to certify your entire organization on day one. Start with the product or service that your customers are asking about.

Red flags to watch for

When evaluating vendors, partners, or your own certification process, these warning signs indicate something is wrong.

Vendor claims certification but will not show the certificate

ISO 27001 certificates are not confidential. Any certified organization should be able to provide their certificate on request. The certificate lists the certification body, the scope of the ISMS, the certification date, and the expiration date. If a vendor refuses to share this, assume they are not certified.

The certificate scope does not cover the services you use

A company might hold ISO 27001 certification for their on-premises data center but not for the cloud product you are buying. Always read the scope statement on the certificate. If the service you are purchasing is not within the certified scope, the certification provides no assurance for your use case.

The certification body is not accredited

ISO 27001 certificates must be issued by certification bodies accredited by a national accreditation body (like UKAS in the UK or ANAB in the US). Certificates from unaccredited bodies have no recognized standing. Check the accreditation status of the issuing body before accepting any certificate, and look the certificate number up in the certification body's public register or in the IAF CertSearch database rather than relying on the PDF the vendor sends you.

No surveillance audit dates on record

ISO 27001 requires annual surveillance audits to maintain certification. If a vendor's most recent audit was more than 12 months ago, their certificate may have lapsed. Ask for the date of their last surveillance audit and the date of their next scheduled audit.
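The four red flags above are exactly the checks a third-party risk reviewer runs over each vendor certificate. The following Python script is an added example, not code from the original page or from LaunchReady.ai: it encodes those checks against a certificate record transcribed from the vendor's certificate. The accreditation-body list, the two vendor certificates, the service names and the review date are all constructed for illustration; in practice, confirm the certificate number against the certification body's register or IAF CertSearch.

```python
"""Vendor ISO 27001 certificate check: the four red flags as code.

Added example; not from the original article. The certificate records, the
service names and the list of recognised accreditation bodies below are all
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed, non-exhaustive list of IAF-member accreditation bodies.
# Assumption: you maintain this from the IAF membership list, not from the
# vendor's own claims.
RECOGNISED_ACCREDITATION_BODIES = {"UKAS", "ANAB", "DAkkS", "JAS-ANZ", "COFRAC"}

SURVEILLANCE_INTERVAL = timedelta(days=365)   # surveillance audits are annual

# Constructed review date so the example behaves the same every run.
TODAY = date(2026, 3, 1)


@dataclass(frozen=True)
class Certificate:
    vendor: str
    certificate_number: Optional[str]        # None if the vendor would not provide it
    certification_body: str
    accreditation_body: Optional[str]        # None if the certificate names none
    scope: str                               # scope statement copied from the certificate
    issued: date
    expires: date
    last_surveillance_audit: Optional[date]  # None if no surveillance audit yet


def check_certificate(cert: Certificate, services_in_use: List[str],
                      today: date = TODAY) -> List[str]:
    """Return the red-flag findings for one certificate; empty means no flags."""
    findings: List[str] = []

    # Red flag 1: no certificate produced. Nothing else can be verified.
    if cert.certificate_number is None:
        findings.append("no certificate provided: treat the vendor as not certified")
        return findings

    # Red flag 3: issuing body not accredited by a recognised accreditation body.
    if cert.accreditation_body not in RECOGNISED_ACCREDITATION_BODIES:
        findings.append(
            f"certification body '{cert.certification_body}' is not accredited by a "
            f"recognised accreditation body (certificate names: {cert.accreditation_body})")

    # An expired certificate gives no assurance, whatever else is in order.
    if today > cert.expires:
        findings.append(f"certificate expired on {cert.expires.isoformat()}")

    # Red flag 2: scope statement does not mention the services being bought.
    # Substring matching is a simplification; still read the scope yourself.
    scope = cert.scope.lower()
    missing = [s for s in services_in_use if s.lower() not in scope]
    if missing:
        findings.append("certified scope does not cover: " + ", ".join(missing))

    # Red flag 4: no surveillance audit within the last 12 months. A certificate
    # issued less than a year ago has not needed one yet, so fall back to issue date.
    last_audit = cert.last_surveillance_audit or cert.issued
    if today - last_audit > SURVEILLANCE_INTERVAL:
        findings.append(
            f"no surveillance audit in the last 12 months (last audit {last_audit.isoformat()})")

    return findings


# Constructed sample certificates for two fictional vendors.
GOOD_CERT = Certificate(
    vendor="Acme Cloud Ltd",
    certificate_number="ISMS-000123",
    certification_body="Example Certification Ltd",
    accreditation_body="UKAS",
    scope=("The information security management system supporting the development, "
           "hosting and support of the Acme Cloud Platform, London."),
    issued=date(2024, 6, 15),
    expires=date(2027, 6, 14),
    last_surveillance_audit=date(2025, 6, 10),
)

BAD_CERT = Certificate(
    vendor="Beta Hosting Inc",
    certificate_number="BH-2023-7",
    certification_body="Global Cert Registry",
    accreditation_body=None,
    scope="The ISMS for the on-premises data centre operated at Leeds.",
    issued=date(2023, 10, 1),
    expires=date(2026, 9, 30),
    last_surveillance_audit=date(2024, 11, 1),
)

if __name__ == "__main__":
    for cert in (GOOD_CERT, BAD_CERT):
        flags = check_certificate(cert, ["Acme Cloud Platform"])
        print(cert.vendor, "->", "OK" if not flags else "; ".join(flags))
```

Run against the two constructed records, Acme Cloud raises no flags, while Beta Hosting raises three: an unaccredited issuer, a scope that never mentions the cloud product being bought, and a last surveillance audit more than a year old. The scope check is deliberately crude; scope statements are free text, so the script only tells you where to read more carefully, not that the scope is adequate.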

ISO 27001 and AI compliance

ISO 27001 is not an AI standard. But it is the foundation that AI compliance standards are built on.

Direct Extension

ISO 42001: AI Management Systems

ISO 42001 was published in December 2023 as the first international standard for AI management systems. It follows the same Annex SL structure as ISO 27001, meaning the management system framework (risk assessment, internal audit, management review, continual improvement) carries over directly. Organizations already certified to ISO 27001 can extend their ISMS to cover AI governance with significantly less effort than building a standalone AI management system.


Regulatory Context

EU AI Act and State AI Laws

The EU AI Act explicitly references international standards as a pathway to demonstrating compliance for high-risk AI systems. ISO 27001 and ISO 42001 together provide the most comprehensive standards-based approach to meeting these requirements. In the US, state-level AI laws like the Colorado AI Act and Illinois AI Hiring Law create new obligations for AI deployers. A strong information security foundation makes compliance with these laws significantly more achievable.



Frequently asked questions

How long does it take to get ISO 27001 certified?

Most organizations take 6 to 12 months from the decision to pursue certification through receiving their certificate. The timeline depends on the scope of your ISMS, the maturity of your existing security controls, and how quickly you can complete the required documentation and internal audits. Organizations with existing SOC 2 compliance or strong security programs may move faster. Companies starting from scratch should plan for the full 12 months.

What is the difference between ISO 27001 and SOC 2?

ISO 27001 is an international certification standard, meaning you either pass or fail and receive a formal certificate from an accredited certification body. SOC 2 is an attestation report issued by a CPA firm, resulting in a detailed report rather than a pass/fail certificate. ISO 27001 is more recognized internationally, especially in Europe, while SOC 2 is dominant in the United States. Many organizations pursue both.

Can a small company afford ISO 27001 certification?

Yes, but it requires careful scoping. The key cost control mechanism in ISO 27001 is defining the scope of your Information Security Management System. A small company does not need to certify the entire organization. You can scope your ISMS to cover specific products, services, or business units. A tightly scoped certification for a small company might cost $15,000 to $40,000 in the first year including consultant fees, tooling, and certification audit fees.

How does ISO 27001 relate to AI compliance and ISO 42001?

ISO 27001 is the foundational standard for information security management, and ISO 42001 extends that foundation specifically for AI management systems. ISO 42001 was designed to integrate with ISO 27001, sharing the same management system structure (Annex SL). Organizations that already hold ISO 27001 certification have a significant head start on ISO 42001, because the risk management framework, internal audit processes, and management review procedures carry over directly.

Need help navigating ISO 27001 and AI compliance?

LaunchReady.ai helps businesses understand which compliance frameworks they actually need and build a practical roadmap to get there. No vendor lock-in, no unnecessary certifications.
