What is ISO 27001 (ISO/IEC 27001)?

An international standard for information security management systems (ISMS). Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving information security. ISO/IEC 27001:2022 is the current edition; the companion standards ISO/IEC 27017 (cloud service controls) and ISO/IEC 27018 (protection of PII in public clouds) extend its control set.

Full explanation

ISO 27001 certification means an accredited certification body has audited the organization's ISMS and found it conforms to the standard's requirements for the declared scope. The 2022 edition lists 93 Annex A controls grouped into four themes: organizational, people, physical, and technological; the organization records which of these apply, and why any are excluded, in its Statement of Applicability (SoA). Certification is process-heavy: define the ISMS scope, run a risk assessment and risk treatment plan, document policies, implement the selected controls, run an internal audit and management review, then pass a Stage 1 (documentation) and Stage 2 (implementation) external audit. Typical timeline is 6-12 months from kickoff; the certificate is valid for three years with annual surveillance audits. ISO 27001 is the international counterpart to SOC 2: many enterprise customers (especially in the EU and APAC) require ISO 27001 in lieu of SOC 2 or alongside it.

Example

An EU enterprise customer's procurement team requires ISO 27001 + SOC 2 Type II before signing a master services agreement. Most US-domiciled SaaS startups pursue SOC 2 first (cheaper, faster, US-recognized) and ISO 27001 second (expands EU + APAC market access).

FAQ

Is ISO 27001 the same as SOC 2?

No. SOC 2 is an attestation report (Type I or Type II) issued by a CPA firm under the US AICPA framework against the Trust Services Criteria (security is mandatory; availability, processing integrity, confidentiality, and privacy are optional). ISO 27001 is an international standard for an ISMS, and the output is a certificate from an accredited certification body rather than an attestation report. They overlap (both audit security controls) but differ in scope, audit format, output, and recognition geography. Most enterprise SaaS vendors pursue both.

How long does ISO 27001 take?

Typically 6-12 months from kickoff to certificate, depending on scope and how much of the ISMS already exists. The certificate then runs on a three-year cycle: surveillance audits in years one and two, and a recertification audit in year three. Compliance tooling (Vanta, Drata, Tugboat Logic) automates much of the evidence collection; the risk assessment, Statement of Applicability, and management review still require human judgment.