New: Autonomous AI risk intelligence is live — your compliance program in 12 minutes. Get started →

Framework Guide · ISO 27001

ISO/IEC 27001

The international standard for information security management.

Who needs it: Companies selling globally — especially in Europe, the UK, and APAC — or working with enterprises that mandate ISO certification.

Overview

ISO 27001 requires an Information Security Management System (ISMS) built on risk assessment, Annex A controls, and continual improvement. Certification is issued by accredited third-party bodies.

Timeline

6–12 months to certification, plus surveillance audits annually.

Typical cost

$30k–$100k including certification body fees and prep.

What it covers

ISMS scope & policyRisk assessmentAnnex A controlsInternal auditManagement reviewCorrective action

How Scarlet Risk helps

  • ISMS scaffolding

    Scope, statement of applicability, and Annex A control mapping.

  • Risk register

    Continuous risk assessment with owner accountability.

  • Audit evidence

    Structured evidence collection for internal and certification audits.

Frequently asked

SOC 2 or ISO 27001 — which first?

US-heavy customers → SOC 2 first. International or European customers → ISO 27001. Selling to both? Do them in parallel — 80% of the work overlaps.

How often do I recertify?

Certification lasts three years with annual surveillance audits. Recertification audit at year three.

What is Annex A?

The 93 controls (in the 2022 revision) organized under Organizational, People, Physical, and Technological themes. You pick applicable ones based on your risk assessment.

Ready to shortcut ISO 27001?

Scarlet Comply and our on-demand reports collapse months of prep into hours.

Other frameworks