ISO 27001 Resources
Practical Guides from ISO 27001 Practitioners
No fluff, no upselling. Just the information you need to get certified, stay compliant, and understand what auditors actually check.
Do I Need ISO 27001? How to Decide in 5 Minutes
Not sure if ISO 27001 is right for your business? Use these 5 decision questions to determine whether certification will open doors or just add overhead.
ISO 27001 Certification Cost: What You'll Pay in 2026
Honest cost breakdown covering certification body fees, consultant costs, tooling, and staff time — with real ranges by company size.
ISO 27001 for SaaS Startups: A Practical 90-Day Roadmap
How lean SaaS teams can achieve ISO 27001 certification without hiring a full-time compliance person or missing sprint deadlines.
How to Write a Statement of Applicability That Passes Audit
The SoA is one of the most misunderstood ISO 27001 deliverables. Here's exactly what auditors look for — and the mistakes that create findings.
The ISO 27001 Certification Process: Stage 1, Stage 2, and Beyond
A clear walkthrough of what happens in Stage 1 and Stage 2 audits, how to choose a certification body, and what to expect during surveillance audits.
ISO 27001 Risk Assessment: A Step-by-Step Guide for Non-Security Experts
Clauses 6.1 and 8.2 require a formal risk assessment. Here is how to complete it correctly — even without a deep information security background.
ISO 27001 Annex A Controls Explained: All 93 Controls in Plain English
Every ISO 27001:2022 Annex A control explained clearly — what it means, what evidence auditors look for, and which ones are most commonly failed.
How to Run Your ISO 27001 Internal Audit (Without Hiring a Specialist)
Clause 9.2 requires internal audits. Here is a practical guide to planning, executing, and reporting an internal audit your certification body will accept.
ISO 27001 vs SOC 2: Which Should You Pursue First?
A side-by-side comparison for founders deciding between the two dominant frameworks, with decision criteria based on customer geography and market.
ISO 27001 for Small Businesses: Is It Worth It (and How to Do It)?
ISO 27001 is not just for large enterprises. This guide explains how companies with 10–50 people can achieve certification efficiently and affordably.
10 ISO 27001 Myths That Are Costing Companies Time and Money
From "you need perfect security to certify" to "it takes two years", these myths stop businesses from starting. Here is the truth behind each one.
Maintaining ISO 27001 After Certification: What You Must Do Each Year
Getting certified is the beginning, not the end. Here is exactly what your annual surveillance audit requires — and how to stay compliant between audits.
ISO 27001 Document List: Every Mandatory Policy and Record Required
A complete reference of every mandatory policy, procedure, and record ISO 27001:2022 requires — with clause numbers and guidance on what auditors check.
How Long Does ISO 27001 Take? Realistic Timelines by Company Size
The honest answer: 3 to 18 months, depending on scope, team size, and approach. A phase-by-phase breakdown so you can build a realistic plan.
ISO 27001 Evidence: What Auditors Actually Look For in Stage 2
Policies describe your ISMS. Evidence proves it operates. A guide to the 5 evidence types auditors accept and the gaps that cause non-conformities.
ISO 27001 Scope Statement: How to Define It Correctly (With Examples)
The scope sets the boundary for your entire certification. Get it wrong and your certificate may not satisfy customers. Real examples and common mistakes explained.
How to Write an ISO 27001 Information Security Policy
Clause 5.2 requires a top-level policy approved by management. Here is exactly what it must include, what it does not need, and how to structure it for audit.
How to Conduct an ISO 27001 Gap Assessment
A gap assessment tells you exactly how far you are from certification before you spend a penny on implementation. Here is how to run one in a day.
ISO 27001 Risk Treatment Plan: How to Build One That Passes Audit
The risk treatment plan turns your risk assessment into action. Here is exactly what it must contain, how it links to your SoA, and what auditors check.
ISO 27001 Supplier Management: Controlling Third-Party Security Risk
Every supplier with access to your systems or data is a risk you are responsible for. Here is how to manage them under Annex A.5.19–5.22.
ISO 27001 Incident Management: Building a Process That Satisfies Auditors
ISO 27001 requires you to detect, respond to, and learn from every security incident. Here is what your process must cover and what records to keep.
ISO 27001 Access Control: What Annex A.5.15 Actually Requires
Access control is one of the most-sampled controls in Stage 2. Here is what your policy, provisioning process, and access reviews must look like to pass audit.
ISO 27001 Business Continuity: What You Actually Need to Implement
ISO 27001 requires you to plan for disruption — but not in the way most guides suggest. Here is what Annex A.5.29–5.30 actually requires and what auditors look for.
ISO 27001 HR Security: What Annex A.6 Requires at Every Employment Stage
HR security controls apply before someone joins, while they work for you, and after they leave. Here is what ISO 27001 Annex A.6 requires at each stage.
ISO 27001 Cryptography Policy: What Annex A.8.24 Requires
A cryptography policy is required by ISO 27001 — but most organisations get the scope wrong. Here is what it must cover and what evidence auditors request.
ISO 27001 Cloud Security: What the 2022 Version Added and What Auditors Check
ISO 27001:2022 added cloud security as a dedicated control. Here is what A.5.23 requires, how it differs from your cloud provider's compliance, and what evidence you need.
ISO 27001 Management Review: What Clause 9.3 Requires and How to Run One
Management review is one of the most evidence-checked clauses in Stage 2. Here is what your review must cover, who must attend, and what the minutes need to contain.
ISO 27001 Certification Checklist: Everything You Need
A complete ISO 27001 certification checklist covering documentation, controls, evidence, and audit readiness. Use this to track your implementation from gap to certified.
ISO 27001 vs GDPR: How They Overlap and Differ
ISO 27001 and GDPR both address information security but serve different purposes. Learn how they overlap, where they differ, and whether achieving one helps with the other.
ISO 27001:2022 Changes: What's New vs the 2013 Version
ISO 27001 was revised in 2022. Here's exactly what changed: the new Annex A structure, 11 new controls, and what organisations certifying or recertifying need to know.
Ready to start your certification?
Download free templates, browse complete packs, or book a free 30-min scoping call.