ISO 27001 — Information Security Management Systems

ISO 27001 consulting that unlocks enterprise sales — without slowing engineering down.

We build ISMS designs for US SaaS, fintech, healthtech, and service businesses that satisfy ISO 27001:2022, leverage your existing cloud-native security tooling, and map directly to SOC 2 evidence when you need both. Audit-defensible, engineering-realistic.

Why this matters

ISO 27001 has shifted from an enterprise-only certification to a foundational compliance requirement for any US software or services company selling into the mid-market and up. International customers ask for it routinely. US enterprise customers increasingly require it (or SOC 2, or both) in their vendor risk programs. The 2022 update modernized Annex A to reflect cloud, threat intelligence, and data leakage realities, making it more relevant than ever.

Done well, ISO 27001 is the security management system that grows with you. Policies, evidence collection, and risk register all become routine artifacts rather than annual scrambles. New customer security questionnaires answer themselves from the SoA and risk register. SOC 2, NIST CSF, HIPAA, and customer-specific frameworks layer on with marginal effort because the underlying ISMS is sound.

Done poorly, ISO 27001 becomes a binder of policies nobody reads and a quarterly scramble of evidence collection that competes with engineering priorities. The difference is whether the ISMS is designed for how a modern cloud-native company actually operates — leveraging native cloud controls, automating evidence where it can be automated, and keeping policy density low enough that engineers can actually find what they need. That's what we build.

What's included

A full ISO 27001 engagement covers scope, risk, policy, controls, audit, and certification through to the certificate itself. Most clients also add ongoing surveillance support, because the ISMS needs continuous attention to stay valid year over year. Components are available standalone: gap analysis, risk assessment refresh, internal audit, SOC 2 crossover mapping.

  • Scope definition & ISMS boundary

    Crisp definition of what's in and out of scope: which products, which infrastructure, which people, which locations, which data classifications. Scope clarity is the single biggest determinant of audit cost and ongoing maintenance effort.

  • Risk assessment & treatment plan

    Asset-based or scenario-based risk assessment calibrated to your business. Risk treatment decisions documented with rationale. Statement of Applicability mapping every Annex A 2022 control to your environment. The artifact your certification body audits hardest.

  • ISMS policies, procedures & evidence framework

    Information security policy, supporting policies (access control, cryptography, supplier security, secure development, incident response, business continuity, etc.), and the evidence-collection framework that proves the policies are being followed in practice.

  • Annex A 2022 controls implementation

    Operational implementation of every applicable Annex A control across organizational, people, physical, and technological domains. We map controls to your existing tooling (cloud provider native controls, EDR, IAM, SAML, MDM) rather than introducing parallel infrastructure.

  • Internal audit & management review

    First internal audit conducted by us, with auditor-grade findings documentation. Management review with senior leadership covering KPIs, risk register, incidents, audit results, and improvement decisions. Both produce the action register the certification body expects to see.

  • Stage 1 & Stage 2 audit support

    Stage 1 (documentation readiness review). Stage 2 (operational evidence review). We prepare interviewees, attend audits, and address findings. Our clients pass Stage 2 the first time as a matter of routine because we don't take them to the audit until the system can defend itself.

  • Ongoing surveillance & SOC 2 crossover support

    Annual internal audits, surveillance audit prep, evidence collection automation, control updates as your business evolves. If you also need SOC 2 Type 2, we map evidence across both audits so you collect once and report twice.

How we work

Engagement length scales with your starting baseline. Cloud-native SaaS companies with modern IAM and existing security policies move fastest. Companies starting from minimal baseline take longer. Existing SOC 2 Type 2 holders can often add ISO 27001 in three to four months.

  1. Scope & gap analysis (3–5 weeks)

    Define ISMS boundary, classify information assets, run initial risk assessment against Annex A 2022, identify which controls already exist (most cloud-native companies have 40–60% of controls in place already), produce gap roadmap with effort estimates per control.

  2. Build & implement (3–5 months)

    Policies authored and approved. Annex A controls implemented or evidenced. Statement of Applicability finalized. Risk register operational and reviewed. Awareness training delivered. Incident response and BCM exercises run. Internal audit and management review close out implementation.

  3. Certify (1–2 months)

    Stage 1 audit (documentation and readiness). Address findings — usually minor and process-oriented. Stage 2 audit (operational evidence across the full ISMS scope, typically 3–5 audit days for SMBs). Address any non-conformities. Receive ISO 27001:2022 certificate.

  4. Sustain & extend (ongoing)

    Annual internal audits, surveillance audits at year one and two, recertification at year three. Evidence collection automation matures. If SOC 2 enters scope, we map and reuse evidence. Cyber threat landscape changes drive policy and control updates on a defined cadence.

Where this fits in the US compliance landscape

ISO 27001 is the foundation. Most clients also need one or more adjacent frameworks for their specific buyer or regulatory context. We design the ISMS so adjacent frameworks layer on with shared evidence and shared audit cycles.

SOC 2 Type 2

The dominant US enterprise security framework — required by virtually every Fortune 1000 customer of a SaaS or service company. ISO 27001 and SOC 2 share roughly 60% of controls and evidence. Most clients pursue both. We scope integrated engagements so you collect evidence once and report against both frameworks.

NIST Cybersecurity Framework (CSF) 2.0

The US government's voluntary cybersecurity framework, increasingly required by federal contracts and state regulations. NIST CSF subcategories map cleanly to ISO 27001 Annex A controls. If you pursue ISO 27001 first, NIST CSF alignment is largely complete by the end.

HIPAA Security Rule

For healthcare and health-tech companies, HIPAA Security Rule compliance is a legal requirement. ISO 27001 covers most HIPAA technical safeguards and a substantial portion of administrative safeguards. We design ISMS scope to satisfy HIPAA as part of the same evidence base.

FedRAMP / StateRAMP

For SaaS companies selling to federal or state government, FedRAMP (or StateRAMP) is the gating compliance hurdle. FedRAMP Moderate is built on NIST 800-53 controls. ISO 27001 establishes the management-system foundation that FedRAMP authorization requires.

CMMC 2.0

For defense industrial base companies handling Controlled Unclassified Information, CMMC 2.0 Level 2 is the path to DoD contract eligibility. CMMC Level 2 maps to NIST 800-171 and significantly overlaps with ISO 27001 Annex A. Integrated implementation reduces total effort.

PCI DSS, GDPR, state privacy laws

PCI DSS for payment card environments, GDPR for EU customer data, and US state privacy laws (CCPA/CPRA, Colorado, Virginia, others) layer specific obligations on top of an ISMS. ISO 27001 provides the management-system foundation; we add the specific controls and documentation each regime requires.

ISO 27017 / 27018 / 27701 extensions

Once you hold ISO 27001, the cloud-specific (27017), cloud-PII (27018), and privacy-information (27701) extensions are incremental — useful for cloud service providers and companies subject to GDPR. We add them when they're commercially worth pursuing.

Who we serve

ISO 27001 fits any organization processing meaningful information assets. Our active engagements span:

  • SaaS, B2B software, and platform companies
  • Fintech, payments, and insurtech
  • Healthtech, digital health, and connected medical devices (combined with ISO 13485 when applicable)
  • Defense contractors and federal SaaS (alongside CMMC and FedRAMP)
  • Managed service providers (MSPs) and managed security service providers (MSSPs)
  • AI and ML companies handling customer data at training time
  • Professional services firms handling sensitive client data (legal, financial, advisory)
  • Critical infrastructure and OT-adjacent operations

Frequently asked

Common questions about ISO 27001

What's the real difference between ISO 27001 and SOC 2 — which should we do first?

SOC 2 is a US-centric attestation report describing your security controls and an auditor's opinion on them. ISO 27001 is a globally recognized certification that you operate an information security management system meeting an international standard. They overlap heavily (roughly 60% of controls and evidence) but differ in framing, audit format, and audience. The decision usually comes down to your buyer pool: US enterprise customers default to asking for SOC 2; international customers and security-mature buyers prefer ISO 27001; many enterprise customers now want both. If you need only one and your buyers are primarily US-domestic, SOC 2 is faster. If you need both, do them together from day one — we'll integrate the evidence base.

We're a 20-person SaaS startup. Is ISO 27001 even achievable for us?

Yes, and it is increasingly required. Most of the companies we take through first certification are 15- to 75-person SaaS and platform companies, often pursuing certification to unlock an enterprise sales motion. The standard scales: a 25-person startup runs roughly 30 pages of policy documentation and 30 to 50 controls actively evidenced. Cloud-native architecture actually makes implementation easier, because most technical controls are inherited from the cloud provider's own ISO 27001-certified infrastructure.

How long does ISO 27001 certification take, realistically?

Five to eight months from kickoff to Stage 2 is typical for a US SaaS or services company starting from a partial baseline (cloud-native infrastructure, modern IAM/SSO, some existing security policies). Companies starting from a near-zero baseline take longer — eight to twelve months. Companies that already hold SOC 2 Type 2 can often add ISO 27001 in three to four months because most evidence already exists. The Stage 2 audit itself is typically scheduled three to four weeks after Stage 1.

Annex A 2022 has 93 controls. Do we need to implement all of them?

You implement the ones applicable to your scope and skip the ones that aren't, with documented rationale in the Statement of Applicability. Most SMB SaaS companies end up applying 70 to 85 of the 93 controls. The 'we don't have physical media so we exclude these physical controls' arguments are perfectly acceptable when documented honestly. Auditors look for clear, defensible scoping — not maximalism.

What about ISO 27001:2022 vs the older 2013 version — does it matter?

Yes, you must certify against ISO 27001:2022 now. The 2013 version reached its transition deadline in October 2025; any active certificate is now on 2022. The 2022 update reorganized Annex A into four control themes (organizational, people, physical, technological) and added 11 new controls covering threat intelligence, cloud services, ICT readiness for business continuity, data leakage prevention, and others. All our engagements are 2022-current.

Do you handle the technical implementation (deploying tools, configuring SSO, etc.) or only the policy and audit work?

We handle the management-system work end to end: scope, risk, policy, Annex A control design, SoA, internal audit, management review, and certification body liaison. We advise on technical implementation and review your team's work, but we don't replace your engineering team for actual configuration work (deploying EDR, configuring IAM, hardening cloud infrastructure). When deeper technical implementation help is needed, we coordinate with technical partners we trust rather than expanding scope.

What does ISO 27001 consulting typically cost?

Engagement scope dominates: gap analysis alone runs low five figures; full implementation from scratch ranges considerably higher and depends on your existing security maturity, scope complexity, and how much you want us to do directly. Certification body fees add roughly $8,000 to $20,000 for initial certification depending on size and audit days, plus surveillance audits in years one and two. We don't publish rate cards; we publish honest scope conversations.

We're using AWS / GCP / Azure native security tooling. Can our ISMS rely on that?

Yes — and should. Modern ISMS design treats cloud-provider native controls as inherited evidence. AWS, GCP, and Azure are themselves ISO 27001 certified, and their shared-responsibility model means many physical, environmental, and infrastructure controls flow down to you automatically. We design the ISMS to leverage native controls (CloudTrail, GuardDuty, IAM, Config; equivalent on GCP/Azure) rather than bolt parallel security tooling onto a cloud-native architecture. This is the difference between a 30-control and a 90-control implementation effort.

Ready to scope your ISO 27001 engagement?

Send a short note describing your current state, your target, and your timeline. We respond within one business day with clarifying questions and a path to a no-pressure scope call.

Last reviewed May 2026