ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS) — a certifiable, audited framework recognized worldwide.
Companies selling internationally or into enterprise and EU buyers who prefer a certification over a US attestation, and teams that want a durable security management system.
The core of what ISO 27001 asks you to put in place.
Building the ISMS and evidence typically takes several months. Certification is a two-stage external audit (Stage 1 documentation, Stage 2 effectiveness), followed by annual surveillance audits over a three-year cycle.
We stand up your ISMS, run the risk assessment, build the Statement of Applicability and Annex A controls, and prepare you for a Stage 1 and Stage 2 certification audit — reusing evidence you may already have from SOC 2.
See Security and Compliance, or compare estimated ISO 27001 cost in CAD. Based in Toronto and led by a published CVE researcher, we deliver across Canada and the US with our partner Lorikeet Security.
Yes. An accredited certification body audits your ISMS and issues a certificate valid for three years, with annual surveillance audits.
SOC 2 is a US attestation report on control effectiveness. ISO 27001 certifies a management system and is often preferred by international and EU buyers.
A document listing which Annex A controls apply to your ISMS, whether each is implemented, and the justification for inclusion or exclusion.
Largely yes. The underlying controls overlap heavily, so most of a SOC 2 evidence base carries into an ISMS.
Three years, with annual surveillance audits and a full recertification at the end of the cycle.
Book a free discovery call. We will tell you whether ISO 27001 fits, what it would take, and roughly what it would cost.