ISO 27001 is the international standard for information security, and for a growing number of European tech companies it has quietly become the price of entry to serious deals. If a prospect's procurement team has ever asked for your security certification before signing, you already know the feeling. The good news: ISO 27001 is far more achievable than its reputation suggests, especially once you understand what auditors are really looking for. This guide walks through the standard, the certification path, the real costs, and the mistakes that trip teams up.
We will keep it practical. By the end you will know what an Information Security Management System actually is, which 93 controls you need to consider, and where most first-time projects lose months they did not need to lose.
What is ISO 27001?
ISO 27001 is the globally recognized standard for building and running an Information Security Management System, or ISMS. Published by the International Organization for Standardization, it sets out requirements for how an organization identifies information security risks and manages them in a structured, repeatable way.
The key word is system. ISO 27001 does not hand you a checklist of firewalls to install. It asks you to prove that you have a living process for protecting information: you assess risks, you decide on controls, you implement them, and you keep checking that they work. That process-first philosophy is why a certificate carries weight. It tells a customer that security is built into how you operate, not bolted on the week before an audit.
The current version is ISO/IEC 27001:2022. Organizations that held the older 2013 certificate had until October 31, 2025 to transition, a deadline that has now passed, so any valid certificate today reflects the 2022 requirements. If you are starting fresh in 2026, you start on the current version by default. For a deeper primer on the moving parts, the ISO 27001 certification overview from Kertos breaks the standard down into plain language.
How ISO 27001 is structured
The standard splits into two parts: the main clauses that define the management system, and Annex A, which lists the security controls you choose from. Understanding this split is the single most useful thing you can do before you start.
Clauses 4 through 10 are the mandatory backbone. They are not optional, and an auditor will examine every one of them. They cover the context of your organization, leadership commitment, planning and risk assessment, support and resources, operation, performance evaluation, and continual improvement. This is the famous Plan-Do-Check-Act cycle in standard form, and European guidance from agencies like ENISA consistently points to this kind of structured management approach as the foundation of mature security.
Annex A is where the 2022 revision changed things. The control set was consolidated from 114 down to 93 controls and reorganized into four clear themes. Eleven entirely new controls were added to reflect cloud computing, threat intelligence, and secure development. You do not implement all 93 by default; you select the ones your risk assessment justifies and document why in a Statement of Applicability. If you want to go control by control, the Kertos guide to ISO 27001 controls is a useful companion.
Who needs ISO 27001 certification?
Anyone who handles other people's data and wants to sell to organizations that take security seriously. That now includes a very large slice of the European tech market, and increasingly it is regulation, not just sales pressure, that forces the question.
Certification is voluntary in the strict legal sense, but several frameworks make an ISMS effectively unavoidable. The EU's NIS2 directive expands cybersecurity obligations to thousands of mid-sized companies across critical and important sectors, and the management practices it demands map closely onto ISO 27001. We explore that overlap in detail in the Kertos breakdown of interpreting NIS2 through ISO 27001.
Financial firms face DORA, automotive suppliers face TISAX, and many enterprise buyers simply will not onboard a vendor without a recognized security certificate. The official European Commission guidance on NIS2 is worth reading if you are unsure whether your sector is in scope. For early-stage teams trying to figure out where to begin, the Kertos guide to building an ISMS for startups shows how to scope a system that grows with you rather than crushing you on day one.
The road to certification: the four phases
Certification follows a predictable arc, and knowing the phases up front prevents nasty surprises. Most projects move through preparation, implementation, internal audit, and the external certification audit itself.
Phase one is scoping and gap analysis. You define which parts of the business the ISMS covers, run a risk assessment, and compare where you are against what the standard requires. Phase two is implementation: writing policies, deploying controls, and collecting the evidence that proves each one works. Phase three is the internal audit and management review, your own dress rehearsal before the real thing. Phase four is the two-stage external audit conducted by an accredited certification body. The certificate it issues is valid for three years, with annual surveillance audits in between.
The timeline depends heavily on your starting maturity and how much of the evidence work is automated. Teams that try to manage everything in spreadsheets routinely take nine to twelve months. Teams using a dedicated platform compress that significantly; the Kertos guide on how to get ISO 27001 certified quickly shows where the time actually goes.
What ISO 27001 certification costs
Total cost falls into two buckets: the certification body's audit fees, which you cannot avoid, and the internal effort to get ready, which is where the real money goes. For most mid-sized companies the implementation effort dwarfs the audit invoice.
Audit fees scale with headcount and complexity, and they recur because the certificate requires annual surveillance. The hidden cost is the months of staff time spent writing documentation and chasing evidence, which is exactly the work that good automation removes. The Kertos rundown of the best ISO 27001 compliance tools compares how different approaches change that math.
Treat these as planning ranges, not quotes. The variable you control most directly is internal effort, and that is where reducing manual work pays for itself fastest.
Where teams stumble: common audit findings
Most first-time failures are not exotic. They are the same handful of gaps auditors see again and again, and almost all of them come down to evidence that does not match reality.
The top recurring finding is documentation that describes a process nobody actually follows. Your access control policy says reviews happen quarterly, but there is no record of the last three. Auditors check the trail, not the intention. A close second is a Statement of Applicability that excludes controls without a defensible reason, which signals that the risk assessment was rushed. Risk assessments that exist as a one-time spreadsheet rather than a maintained, dated process are another frequent flag, and the NIST risk management resources are a solid reference for getting that methodology right.
The pattern is clear: ISO 27001 rewards living systems and punishes paperwork theater. The Kertos ISO 27001 automation playbook goes deep on how to keep evidence continuously fresh so a surveillance audit never catches you scrambling.
Certification is the start, not the finish
A common misconception is that the certificate is the destination. It is the opening of a three-year relationship with your certification body, punctuated by annual surveillance audits that confirm the ISMS is still alive and improving.
This is where spreadsheet-based compliance quietly falls apart. The project team disperses after the celebration, evidence collection lapses, and the next surveillance audit becomes a fire drill. Continuous compliance solves this by making evidence collection an ongoing background process rather than an annual event, an approach the Kertos compliance platform is built around. The teams that stay calm at renewal are the ones who never stopped collecting.
How Kertos helps you get certified, faster
ISO 27001 does not have to consume a year of your team's life. Kertos pairs an agentic compliance platform with accredited experts who work alongside you, so you get both the automation and the human judgment an audit demands. The platform automates evidence collection and maps your controls, while real specialists guide scoping, risk assessment, and audit preparation.
That combination is why a customer like AskUI reached ISO 27001 certification in roughly 2.5 months rather than the usual year, with teams typically cutting manual compliance effort by around 80 percent. Because Kertos is built in Europe and hosted on European infrastructure, it also fits the data residency expectations that NIS2 and GDPR put on you. If ISO 27001 is on your roadmap and you want it done properly without the spreadsheet marathon, the fastest next step is to book a Kertos demo and map your specific path to certification.
Frequently asked questions
How long does ISO 27001 certification take?
Anywhere from three to twelve months. Maturity and automation are the deciding factors. Teams using a dedicated platform and expert support routinely finish in a fraction of the time spreadsheet-driven projects take.
Is ISO 27001 mandatory?
Not by law on its own, but frameworks like NIS2, DORA, and TISAX, plus enterprise procurement requirements, make it effectively required for many European tech companies that want to sell upmarket.
What is the difference between ISO 27001 and ISO 27002?
ISO 27001 is the certifiable standard that defines the management system requirements. ISO 27002 is a supporting guideline that explains how to implement the Annex A controls in practice. You get certified against 27001, and you consult 27002 for detail.
How many controls are in ISO 27001:2022?
Annex A contains 93 controls grouped into four themes: organizational, people, physical, and technological. You select the controls relevant to your risk profile and justify them in your Statement of Applicability.
How often is recertification required?
The certificate is valid for three years, with annual surveillance audits in between and a full recertification audit at the end of the cycle. Maintaining evidence continuously is what keeps each of those audits painless. You can browse all supported compliance frameworks to see how ISO 27001 fits alongside SOC 2, GDPR, and NIS2.