Framework Guide · ISO 27001
ISO/IEC 27001
The international standard for information security management.
Who needs it: Companies selling globally — especially in Europe, the UK, and APAC — or working with enterprises that mandate ISO certification.
Overview
ISO 27001 requires an Information Security Management System (ISMS) built on risk assessment, Annex A controls, and continual improvement. Certification is issued by accredited third-party bodies.
Timeline
6–12 months to certification, plus surveillance audits annually.
Typical cost
$30k–$100k including certification body fees and prep.
What it covers
How Scarlet Risk helps
ISMS scaffolding
Scope, statement of applicability, and Annex A control mapping.
Risk register
Continuous risk assessment with owner accountability.
Audit evidence
Structured evidence collection for internal and certification audits.
Frequently asked
SOC 2 or ISO 27001 — which first?
US-heavy customers → SOC 2 first. International or European customers → ISO 27001. Selling to both? Do them in parallel — 80% of the work overlaps.
How often do I recertify?
Certification lasts three years with annual surveillance audits. Recertification audit at year three.
What is Annex A?
The 93 controls (in the 2022 revision) organized under Organizational, People, Physical, and Technological themes. You pick applicable ones based on your risk assessment.
Ready to shortcut ISO 27001?
Scarlet Comply and our on-demand reports collapse months of prep into hours.
