
ISO 27001

eye-ess-oh twenty-seven-oh-one

An international standard for information security management systems that provides a framework for managing and protecting sensitive data.

ISO 27001 is the international standard for information security management systems (ISMS). Published by the International Organization for Standardization, it provides a systematic approach to managing sensitive information through risk assessment, security controls, and continuous improvement.

Unlike SOC 2, which is primarily a US standard, ISO 27001 is recognized globally. European and Asian enterprise customers often require it. The standard covers 93 controls organized into four categories: organizational, people, physical, and technological. Companies implement the controls relevant to their risk profile and get certified by an accredited auditor.

Certification lasts three years with annual surveillance audits. The process typically takes 6-12 months and requires significant documentation: risk assessments, policies, procedures, and evidence of implementation. Many companies pursue both ISO 27001 and SOC 2 because different customers require different certifications. Companies selling to the US government may also need FedRAMP authorization.

Examples

A SaaS company expands into the European market.

Enterprise prospects in Germany and France ask for ISO 27001 certification. The company already has SOC 2, but European buyers prefer the internationally recognized standard. They begin the certification process.

An auditor conducts the ISO 27001 certification audit.

The auditor reviews the ISMS documentation, interviews staff, and checks that controls are implemented. They verify that risk assessments are current, incident response plans are tested, and access controls are enforced.

A company maintains its ISO 27001 certification.

Each year, an external auditor conducts a surveillance audit to verify ongoing compliance. The company must demonstrate continuous improvement: new risks identified, controls updated, incidents handled per procedure.

Frequently asked questions

What is the difference between ISO 27001 and SOC 2?

ISO 27001 is an international certification based on implementing an ISMS. SOC 2 is a US audit report based on trust service criteria. ISO 27001 results in a certificate; SOC 2 results in an audit report. Many companies get both.

How much does ISO 27001 certification cost?

Costs vary widely. Small companies might spend $20,000-$50,000 on implementation and the initial audit. Larger companies can spend $100,000 or more. Ongoing costs include annual surveillance audits and maintaining the ISMS.
