Fortinetics

ISO/IEC 27001:2022 — the international ISMS standard.

ISO 27001 is process-oriented. It certifies that an organization has an Information Security Management System in place and is operating it. The 2022 revision reorganizes Annex A into four themes and adds eleven controls around supply-chain, cloud, threat intelligence, and data leakage. We design the ISMS, draft the Statement of Applicability, and prepare the organization for Stage 1 and Stage 2 certification audits — with optional ISO 27017 (cloud) and 27018 (PII) extensions.

At a glance: 93 Annex A controls · 2022 current revision · +27017/27018 cloud & PII extensions

ISO 27001 in one paragraph

ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). Unlike prescriptive frameworks (NIST 800-171, FedRAMP), ISO 27001 is process-oriented — it certifies that an organization has a documented, operating ISMS rather than a specific control implementation. The standard's Annex A contains 93 controls organized into four themes: organizational, people, physical, and technological. Control selection is driven by the organization's risk assessment and documented in the Statement of Applicability. Certification is issued by accredited certification bodies following a two-stage audit and is valid for three years, with annual surveillance audits.

Who needs ISO 27001?

Global enterprise SaaS. European and international buyers often prefer or require ISO 27001. Companies expanding beyond North America encounter the ISO 27001 requirement in procurement far more often than they do in the US market.

Regulated industries. Financial services, healthcare, and critical infrastructure companies frequently hold ISO 27001 as a demonstration of ISMS discipline above the control-set bar of SOC 2.

Federal and defense ecosystem. ISO 27001 is increasingly adopted by DoD contractors as a parallel track alongside CMMC, particularly for operations serving allied nations that trust ISO more than US-specific frameworks.

Cloud service providers. With ISO 27017 (cloud-specific controls) and 27018 (PII in cloud) extensions, ISO 27001 is often the baseline for CSPs with international customers.

ISO 27001 vs SOC 2 — the short answer

They overlap substantially but are not substitutable in procurement.

SOC 2 is the North American preference — an AICPA attestation, single-report format, procurement-friendly, widely understood by US enterprise security teams.

ISO 27001 is the global preference — a certification rather than an attestation, a documented ISMS rather than point-in-time controls, a three-year certification cycle with annual surveillance audits, procurement-friendly in Europe and Asia.

Companies with global buyer bases typically hold both. The control overlap is 70-80%; running them in parallel is roughly 1.3x the cost of running one alone, far less than 2x. The sequencing depends on where your early enterprise deals are — if North American SaaS, SOC 2 first; if global or European enterprise, ISO 27001 first. Our [SOC 2 vs ISO 27001 deep-dive](/insights/soc2-vs-iso-27001-which-first/) walks through the decision tree in more detail, and the [framework overlap explorer](/framework-overlap/) shows the control-by-control reuse.

What a first-time ISO 27001 engagement looks like

Months 0–2 — ISMS scoping. Define the scope boundary, stand up the ISMS policy foundation, conduct the initial risk assessment. Draft the Statement of Applicability against the 93 Annex A controls with inclusion/exclusion justifications.

Months 2–5 — control implementation and evidence. Implement any controls not already in place. Stand up the evidence pipeline. Complete the internal audit (required before Stage 1).

Month 5 — Stage 1 certification audit (document review). The certification body evaluates the ISMS documentation for adequacy.

Months 6–7 — remediation of Stage 1 findings.

Months 7–8 — Stage 2 certification audit (operational review). Two to five days on-site (or remote) depending on organization size and scope.

Months 8–9 — certificate issued. Surveillance audit cycle begins (year 2 and year 3 are lighter-touch surveillance audits; recertification in year 3).

Why Fortinetics for ISO 27001

2022 revision fluency. The ISO 27001:2013 → 2022 transition reorganized Annex A and added eleven controls. We've run transitions for organizations holding older certifications and design new ISMSs against the 2022 baseline from the start. The IAF October 31, 2025 transition deadline has passed — see our [2013→2022 transition guide](/insights/iso-27001-2013-to-2022-transition/) for the recovery path if you missed it.

Parallel framework economies. ISO 27001 shares substantial control overlap with SOC 2, NIST 800-171, and FedRAMP. When clients need multiple certifications, we map controls once, implement once, and evidence once — across all frameworks simultaneously.

ISO 27017 / 27018 extensions. For cloud service providers, ISO 27017 (cloud controls) and ISO 27018 (PII in cloud) are commonly certified alongside ISO 27001. We add these when the client's buyers demand them. Our [ISO 27001 for cloud-native SaaS](/insights/iso-27001-for-cloud-saas/) piece covers the cloud-specific design considerations.

Frequently asked

Questions we get about ISO 27001.

How long does ISO 27001 certification take for a first-time org?

Six to nine months from ISMS kickoff to Stage 2 audit for a prepared organization. A lot depends on the scope — a small SaaS with one production environment moves faster than an organization with multiple business units, multiple sites, and multiple production environments. Recertification is a single surveillance audit in year 3, much lighter than the initial cycle.

What's the difference between ISO 27001 and ISO 27002?

ISO 27001 is the certifiable standard — it specifies the ISMS requirements and is what your certificate is issued against. ISO 27002 is the implementation guidance for the Annex A controls — it's not certifiable on its own, but it's referenced constantly during implementation. Think of 27001 as 'what' and 27002 as 'how'.

Do we need ISO 27017 and ISO 27018?

If you're a cloud service provider whose buyers ask for cloud-specific security posture beyond base ISO 27001, yes. ISO 27017 adds 35 cloud-specific controls; ISO 27018 adds controls specific to PII processing in cloud. Both are usually certified together with a single audit cycle on top of your ISO 27001. For non-cloud organizations, these extensions are not applicable.

What's in the 2022 revision that wasn't in 2013?

The 2022 revision reorganizes the 114 Annex A controls into 93 controls across four themes (organizational, people, physical, technological) and adds eleven new controls around threat intelligence, cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. Existing certificate holders transitioned on a published schedule ending in 2025.

Can we pursue ISO 27001 and SOC 2 simultaneously?

Yes, and we recommend it when both are needed. Control overlap is 70-80%; the evidence pipeline serves both. Running them in parallel is roughly 1.3x the cost of running one alone rather than 2x. The timing: SOC 2 Type I can issue before ISO 27001 certification since Type I is point-in-time; ISO 27001 certification and SOC 2 Type II can issue in the same window.

Next step

Book a scoping call.

Thirty minutes. We'll walk through your specific ISO 27001 target, current posture, and what a realistic engagement shape looks like. NDA-first when the scoping needs sensitive detail.
