Fortinetics

ISO 27001:2022 certification for a global SaaS company: meeting European enterprise buyers

A SaaS company with European and global enterprise buyers requiring ISO 27001 certification (name withheld per engagement confidentiality)

Duration
8 months
Frameworks
ISO/IEC 27001:2022 · ISO/IEC 27017 · SOC 2 (parallel program)
Outcome
The ISMS was operational and the risk assessment, Statement of Applicability, and internal audit program were in place ahead of certification. Stage 1 was passed with a short list of documented observations; the Stage 2 certification audit was completed and the certification recommendation issued, pending the certification body's standard issuance process. The program ran in parallel with the company's SOC 2 work and shared most of its control evidence.
ISO 27001:2022 ISMS: the management-system cycle, the 93 Annex A controls in four themes, the certification path, and the SOC 2 evidence overlap, for an ISO 27001:2022 certification of a global SaaS company. The Information Security Management System runs a continual-improvement cycle: scope, risk assessment, risk treatment, Statement of Applicability, internal audit and management review. The 2022 Annex A restructure organizes 93 controls into four themes: Organizational (37), People (8), Physical (14), Technological (34). A Stage 1 readiness review precedes a Stage 2 operating audit and the certification recommendation, then annual surveillance. The program ran in parallel with SOC 2, sharing roughly 70 to 80 percent of control evidence through one pipeline mapped to both Annex A and the Trust Services Criteria.

[Plate CS-07, panels: ISMS managed system (a system for managing information-security risk over time, not a point-in-time control set; scope, risk assessment, risk treatment, SoA, internal audit and management review, continual improvement); Annex A 2022 restructure (4 themes, 93 controls; 2022 added threat intelligence, security for cloud services, and data masking; SoA reasoned per control to the four-theme structure; ISO 27017 cloud extension deferred to a later cycle); certification path (Stage 1 documentation and readiness, passed with short observations; Stage 2 system in operation, sampled, tested, interviewed; certification recommendation issued pending body issuance; annual surveillance on the same ISMS and evidence); run in parallel with SOC 2, one evidence pipeline and two audits, shared control evidence ≈70–80%, parallel cost ≈1.3× a single framework rather than 2×. 8 months, Stage 1 → Stage 2 complete, certification recommendation issued. Fortinetics, ISMS and dual-framework lead.]
Fig. · ISO 27001:2022 ISMS. The management-system cycle a certification body audits, the 93 Annex A controls across the four 2022 themes, the Stage 1 → Stage 2 path, and the ~70–80% control-evidence overlap with the parallel SOC 2 program. All references anonymized per engagement confidentiality.

The situation

A SaaS company selling into European and global enterprise accounts kept meeting the same gate. Where its North American buyers asked for SOC 2, its European and international buyers asked for ISO 27001. For a number of those accounts, ISO 27001 was not a preference in a questionnaire — it was a stated requirement in the procurement process, and the absence of a certificate was enough to stall the conversation.

The company had a real security posture and, as it happened, an active SOC 2 effort already underway. What it did not have was an Information Security Management System in the sense ISO means it: a defined scope, a risk assessment methodology, a Statement of Applicability reasoned against the Annex A controls, an internal audit program, and a management review cadence — the management-system machinery that an ISO certification audit examines as much as it examines any individual control. ISO 27001 certifies that an organization runs a system for managing information security risk over time, not merely that a set of controls exists on a given day.

The engagement was scoped to design and operate that management system, build the documentation an external certification body would audit, and carry the company through Stage 1 and Stage 2 — while taking deliberate advantage of the SOC 2 work happening alongside it rather than duplicating effort across the two.

The approach

The engagement ran eight months to the Stage 2 certification audit, structured to stand up the ISMS, accumulate the operating record a certification audit requires, and run the two stages in sequence. From the outset, the program was designed to share control evidence with the company’s SOC 2 effort wherever the two frameworks asked for the same thing.

Months 1–2 — ISMS scope and risk methodology. We defined the ISMS scope — the parts of the organization, the systems, and the information the management system would cover — because an over-broad scope inflates the audit and the operating burden, while a too-narrow scope produces a certificate that buyers discount. We then established the risk assessment and treatment methodology: how the company would identify information security risks, assess them on a consistent scale, decide treatment, and track the result. An asset register and a risk register were built as living documents, not one-time deliverables, because the certification audit and every surveillance audit after it will ask to see them maintained.

Months 2–4 — Statement of Applicability and documentation. Against the 93 Annex A controls of the 2022 revision, we produced the Statement of Applicability — for each control, whether it applied, the justification, and how it was implemented. The 2022 revision restructured Annex A into four themes (organizational, people, physical, and technological) and introduced controls — threat intelligence, information security for cloud services, and data masking among them — that a 2013-era SoA would not have addressed; we authored the SoA to the current structure throughout. In parallel, we built the policy framework and the ISMS documentation set: the information security policy, the supporting topic-specific policies, and the records the management system generates as it runs.

Months 4–6 — Operating the ISMS and internal audit. A certification body needs to see the management system operating, not just designed. We ran the ISMS through this period — risk treatment progressing, controls operating and producing records, corrective actions raised and closed — and stood up the internal audit program. An internal audit against the company’s own ISMS, conducted before the certification body arrived, surfaced the gaps that Stage 1 would otherwise have raised, and those were corrected while there was time. A management review brought leadership into the system on the cadence ISO expects, producing the records that demonstrate the management system is genuinely managed.

Months 6–7 — Stage 1 audit. The certification body’s Stage 1 audit is largely a documentation and readiness review — does the ISMS exist, is the documentation coherent, is the organization ready for Stage 2. Stage 1 was passed with a short list of documented observations rather than any blocking nonconformity, and we worked those observations before Stage 2.

Months 7–8 — Stage 2 audit. Stage 2 examines the management system in operation — sampling controls, testing records, interviewing control owners. The Stage 2 certification audit was completed and the certification recommendation issued, pending the certification body’s standard issuance process. The ISO 27017 cloud controls extension was scoped and deliberately deferred to a later cycle, so the first certification stayed focused rather than carrying an extension the company did not yet need to satisfy a buyer.

What made this engagement fit

The work was the management system and its documentation, not missing technology. The company had functional security controls. What it lacked was the ISMS — the scope, the risk methodology, the Statement of Applicability, the internal audit and management review machinery, and the documentation a certification body audits. That gap is the center of how we work: building and operating the management system is the majority of the effort; net-new controls are the minority.

Running ISO and SOC 2 together captured the overlap instead of paying for it twice. ISO 27001 and SOC 2 share a large fraction of their underlying controls — access management, change management, logging and monitoring, vendor risk, incident response, and the rest. In our experience the two programs overlap in the range of seventy to eighty percent at the control level, which means running them in parallel costs on the order of one-and-a-third times what a single framework alone would cost, rather than two times. We designed one set of controls and one evidence pipeline, then mapped that single body of evidence to both the Trust Services Criteria and Annex A. The company paid once to operate each control and presented the result to both audits. Sequencing them apart would have meant rebuilding much of the same evidence twice.

Scope discipline kept the certificate credible and the audit proportionate. Defining a clear ISMS scope, authoring the SoA to the 2022 structure, and deferring ISO 27017 to a later cycle kept the first certification focused. A certificate with an inflated scope the organization cannot actually sustain is a liability at the first surveillance audit, not an asset in a sales conversation.

The outcome

By the certification audit, the ISMS was operational and the risk assessment, Statement of Applicability, internal audit program, and management review cadence were all in place and producing records. Stage 1 was passed with a short list of documented observations and no blocking nonconformity. The Stage 2 certification audit was completed and the certification recommendation issued, pending the certification body’s standard issuance process — the normal final step before the certificate is in hand.

Because the program ran alongside the company’s SOC 2 effort and shared most of its control evidence, the company built toward two attestations on close to the cost of one. The ISMS is a standing system rather than a one-time push: the same risk register, control set, and internal audit cadence carry into the annual surveillance audits, and the shared evidence pipeline continues to feed both the ISO surveillance cycle and the SOC 2 program.

This is a young firm and a recent engagement, and the honest framing is that the company reached a completed Stage 2 with a certification recommendation issued and put a durable, dual-framework program in place — not that a certificate alone rewrote its European pipeline overnight.

Commercial structure

The engagement combined a firm fixed-price scope for ISMS design, risk methodology, and the documentation set with a time-and-materials period covering the operating window, the internal audit, and certification-audit support — phases whose effort depends on how the ISMS runs in practice and on the certification body’s findings. The Stage 1 and Stage 2 audits were contracted directly between the client and an accredited certification body; we prepared and supported but did not mark up the certification body’s work. Where this engagement ran alongside a SOC 2 program, the shared scope was priced to reflect the overlap rather than charging twice for the same controls. Engagement pricing is scope-dependent and is defined during a scoping call; we do not publish price lists.


If your European and global deals require ISO 27001, especially if you already have SOC 2 in motion, book a thirty-minute scoping call. We’ll give you an honest read on the runway and on how much the two programs share.

Similar engagement?

Start a scoping conversation.

If you're building a classified facility, pursuing a certification, or scoping an accreditation — we'll walk through your situation honestly in a thirty-minute call.

Book a scoping call →