ISO 27001 · Implementation

ISO 27001 implementation

Most companies reach for ISO 27001 because a European or global buyer asked for it. This is a plain-language guide to what the standard actually is, the steps to get certified, a realistic timeline, and what it costs. We are a Toronto prep partner: we get you ready and coordinate the certification body, so you walk into the audit prepared.

Book a discovery call

What ISO 27001 actually is

ISO 27001 is an international standard for running an information security management system, usually shortened to ISMS. An ISMS is not a document or a tool. It is the ongoing set of policies, processes, and controls you use to keep information secure, plus the habit of measuring and improving them. The standard describes what that system has to include, and an accredited registrar, also called a certification body, audits you against it and issues the certificate if you pass.

The word certificate matters. Unlike SOC 2, which produces an attestation report signed by a CPA firm, ISO 27001 produces a certificate granted by a registrar. Both prove you take security seriously, but they come from different worlds. If you want the full comparison, read our guides on SOC 2 and ISO 27001 for startups and SOC 2 versus ISO 27001. The short version: SOC 2 is the North American default, ISO 27001 is what the rest of the world tends to ask for, and the controls underneath them overlap a great deal.

How ISO 27001 implementation works, step by step

Certification is a defined sequence. You build the management system, prove to yourself that it works, and then the registrar checks it in two stages. Here is the whole path.

  1. Scope the ISMS

    Decide what the management system covers: which products, teams, locations, and systems are in and out. Scope drives everything after it, including cost, so getting this right early keeps the project honest.

  2. Risk assessment and risk treatment plan

    Identify the risks to the information in scope, judge how likely and how damaging each one is, then decide what to do about each: reduce it, accept it, transfer it, or avoid it. That set of decisions becomes your risk treatment plan, which is the backbone of an ISO 27001 program.

  3. Statement of Applicability (SoA)

    Work through the Annex A controls and record which ones apply to you, which do not, and why. The SoA is the document a registrar reads first, because it maps your risks to the controls you have chosen to put in place.

  4. Implement the controls

    Put the Annex A control themes into practice across organizational, people, physical, and technological areas: access control, change management, logging and monitoring, supplier and vendor management, secure development, and incident response. This is where readiness turns into real, working security rather than paperwork.

  5. Internal audit and management review

    Before the registrar shows up, you audit yourself. An internal audit checks that the ISMS is actually operating, and a management review puts the results in front of leadership so decisions and improvements are on record. Both are required by the standard, not optional extras.

  6. Stage 1 audit (documentation)

    The registrar reviews your ISMS documentation, scope, SoA, and risk work to confirm you are ready. Think of it as a readiness check that surfaces gaps before the real thing.

  7. Stage 2 audit (certification)

    The registrar tests whether your controls are working in practice, gathering evidence and interviewing your team. Pass it and the certificate is issued. After that, expect yearly surveillance audits to keep it valid.

How long it takes

For a startup running on modern cloud infrastructure, plan for roughly 16 weeks of readiness work before you sit the Stage 1 and Stage 2 audits. The audits are then scheduled with your registrar and add a few more weeks on top. Older or more complex environments, or a wide scope, push that number up.

In terms of effort, ISO 27001 is comparable to a first SOC 2, but it leans more heavily on documentation. SOC 2 is largely about showing evidence against a set of trust criteria. ISO 27001 asks you to stand up a formal ISMS, produce a risk treatment plan, write the Statement of Applicability, and run an internal audit before the registrar ever arrives. None of that is hard on its own, but it is more process, so building it with someone who has done it before saves weeks.

What it costs

There are two clearly separate costs, and it helps to keep them apart in your head. The first is the registrar, or certification body, which runs the Stage 1 and Stage 2 audits and the yearly surveillance audits after that. Registrar fees are usually priced in USD and scale with the size and complexity of your scope, so a small, focused scope costs meaningfully less than a broad one. We do not quote the registrar; they are independent from us by design.

The second cost is readiness, which is our part. We price it as a fixed scope so you know the number before you start, rather than an open hourly meter. On top of those two, some teams add compliance tooling to automate evidence collection, which is a smaller, optional line item. For a broader way to think about compliance budgets, our guide to SOC 2 cost uses the same logic that applies here.

Honest note: we do not publish a single sticker price for ISO 27001, because it depends almost entirely on your scope. Anyone quoting a firm number before they understand your scope is guessing.

If you already have SOC 2 (or want both)

ISO 27001 and SOC 2 share a large amount of underlying work. Access control, change management, risk assessment, vendor management, and logging and monitoring show up in both. If you have done one, you are not starting the other from zero. The evidence, policies, and control implementations you built the first time carry over, so the second framework is mostly about reframing what you have and filling the gaps that are genuinely specific to it.

That is why teams who expect to need both often plan for it up front and build the evidence once. We walk through exactly how the two line up in our guide on SOC 2 and ISO 27001 for startups.

How traztech helps

We are a prep partner, not the registrar. We build the ISMS with you, run the risk assessment and risk treatment plan, draft the Statement of Applicability, implement the Annex A controls, run your internal audit and management review, and coordinate the certification body so the Stage 1 and Stage 2 audits go smoothly. What we do not do is issue the certificate, because keeping readiness and certification separate is how ISO 27001 is meant to work.

What makes us different is that we are unusually technical about it. Our founder is a published security researcher with six CVEs, including CVE-2024-45163, a CVSS 9.1 kill-switch for a variant of the Mirai botnet, so the controls we build hold up when a buyer or an auditor starts poking at them. We quote fixed scope, and because we are Canadian, we handle the PIPEDA and Quebec Law 25 overlap so you do not build the same evidence twice.

Get ISO 27001 ready with a partner who has done it

Tell us your scope, your deadline, and which buyer is asking. We will map the path, quote a fixed scope, and coordinate the registrar so certification is a formality, not a scramble.

Start your ISO 27001 prep

Frequently asked questions

Do we need ISO 27001 or SOC 2?

It usually comes down to who is asking. North American buyers tend to ask for a SOC 2 report, while European and global buyers tend to ask for an ISO 27001 certificate. If your customers are naming ISO 27001 in security questionnaires or contracts, that is your answer. Many companies eventually do both, because the underlying controls overlap heavily and evidence you build for one carries into the other.

How long does ISO 27001 take?

For a startup on modern cloud infrastructure, plan for roughly 16 weeks of readiness work before you sit the Stage 1 and Stage 2 audits. The audits themselves are scheduled with your registrar and add a few more weeks. The effort is comparable to a first SOC 2, but ISO 27001 is more documentation-heavy because you have to stand up a formal ISMS, a risk treatment plan, and an internal audit.

How much does ISO 27001 certification cost?

There are two separate costs. The registrar, or certification body, charges its own fee for the Stage 1 and Stage 2 audits and the yearly surveillance audits after that. Those fees are usually priced in USD and scale with the size and complexity of your scope. Separately, readiness work is a fixed-scope fee that we quote up front. Optional compliance tooling is a third, smaller line item. We do not publish a single number because it depends entirely on your scope.

Do you issue the certificate?

No. The ISO 27001 certificate is issued by an accredited registrar, also called a certification body, and only they can grant it. We are your prep partner. We build the ISMS, close the gaps, run the internal audit, and coordinate the registrar so the Stage 1 and Stage 2 audits go smoothly. Keeping readiness and certification separate is how the standard is meant to work.

Is ISO 27001 harder than SOC 2?

It is not harder so much as more formal. SOC 2 is a set of trust criteria you show evidence against. ISO 27001 asks you to run an actual management system: define scope, assess risk, write a risk treatment plan, produce a Statement of Applicability, and audit yourself before the registrar audits you. The technical controls overlap a lot, but the paperwork and process discipline are heavier.