ISO/IEC 27001:2022
Your ISO 27001 report, 8–12 weeks from now.
ISO 27001 is what international and EU customers ask for instead of (or in addition to) SOC 2. We build out your full Information Security Management System — Statement of Applicability, risk treatment plan, all 93 Annex A controls, internal audit, management review — and walk you through Stage 1 and Stage 2 with an accredited certification body.
What you get
Everything in your ISO 27001 program
Built specifically for global SaaS and enterprise.
- Full ISMS scope definition + Statement of Applicability (SoA) covering all 93 Annex A controls
- Information security risk assessment + risk treatment plan, refreshed quarterly
- All ISO 27001 mandatory documents (clauses 4.3, 5.2, 6.1, 6.2, 7.5, 8.1, 8.2, 8.3, 9.1, 9.2, 9.3, 10.1, 10.2)
- Internal audit program + management review meetings (we run them with you)
- Continuous monitoring of all Annex A technical controls (A.5–A.8)
- Direct intros to UKAS / ANAB / ANSI accredited certification bodies
- Stage 1 readiness review + Stage 2 audit support — our consultant joins your audit calls
- 3-year recertification cycle managed end-to-end (annual surveillance audits + recert in year 3)
Pricing
Fixed price. No annual contract.
Setup gets you to the report. The retainer keeps you compliant. Cancel any time.
One-time, fixed-fee
- Full ISO 27001 program build
- Auditor introductions and prep
- 8–12 weeks to Stage 1 audit
Cancel any time
- Continuous control monitoring
- Quarterly access reviews + risk refresh
- Drift remediation by our team
- Annual re-audit support included
Audit fees paid directly to your auditor (not marked up). We negotiate fixed-fee quotes from our auditor network.
Stack frameworks, save money
Reuse your ISO 27001 work across other frameworks
Most controls overlap. Your second framework costs a fraction of the first.
ISO 27001 questions, answered
If your customers are mostly US-based: SOC 2 first. If mostly EU/UK/APAC: ISO 27001 first. If you sell globally, do both — the controls overlap ~80% so the incremental cost is small.
Plan on 6 months end-to-end. We need 8–12 weeks of buildout (ISMS scope, SoA, policies, controls), then a Stage 1 readiness audit, then a 1–3 month wait for Stage 2. Total from kickoff to certificate is typically 5–7 months.
ISO/IEC 27001:2022 (current version). The 2013 version is being phased out — all new certifications are issued against 2022. If you have a 2013 certificate, we handle the transition.
The audit is paid directly to the certification body (we don't mark it up). Expect $15K–$30K for Stage 1 + Stage 2 from a reputable accredited body. We negotiate fixed-fee quotes from our network so you know the number up front.
These are extensions to ISO 27001 — 27017 (cloud), 27018 (cloud privacy), 27701 (privacy management). We offer them as add-ons to a base ISO 27001 program. Most companies don't need them on day one.
Ready to ship your ISO 27001?
Tell us your timeline. We'll scope the work, give you a fixed price, and start this week.