TL;DR: ISO 27001:2022 is the global gold standard for information security management. The 2022 revision restructured controls from 114 to 93, added 11 new ones (including cloud security and threat intelligence), and the transition deadline from the 2013 version passed in October 2025. If you are a SaaS company selling to enterprise customers, this certification opens doors – and according to industry data, companies with ISO 27001 certification close enterprise deals up to 30% faster. Here is how to get it done properly.
Why ISO 27001 Matters for SaaS Companies
Every B2B SaaS company hits the same wall eventually: a prospective customer sends over a security questionnaire, and buried in page four is the question, "Are you ISO 27001 certified?"
For companies with fewer than 50 employees, the instinct is to view this as a burden – another heavyweight compliance framework that will consume engineering cycles and deliver nothing but a certificate for the wall. That instinct is wrong.
ISO 27001 certification is a competitive advantage that directly translates to revenue. It shortens sales cycles, reduces the friction of security questionnaires, and signals to enterprise buyers that your organisation takes information security seriously at a structural level – not just as an afterthought.
The certification proves three things to your customers:
- You have a systematic approach to managing sensitive information, backed by documented processes and regular review
- You have identified and mitigated risks specific to your business, your technology stack, and your data flows
- You continuously improve your security posture through regular internal audits, management reviews, and corrective actions
If you are also pursuing SOC 2 compliance, there is significant overlap – roughly 60% of controls map across both frameworks, which means the marginal effort of achieving the second certification is substantially lower than the first.
What Changed in the 2022 Revision
The 2013 version had 114 controls spread across 14 domains. The 2022 revision – formally published as ISO/IEC 27001:2022 – consolidated these into 93 controls across four thematic categories. This restructuring is more than cosmetic; it reflects how modern organisations actually think about security.
| Theme | Controls | Examples |
|---|---|---|
| Organisational | 37 | Threat intelligence, cloud security, ICT readiness for business continuity |
| People | 8 | Screening, awareness training, remote working |
| Physical | 14 | Security monitoring, clean desk, equipment maintenance |
| Technological | 34 | Data masking, DLP, secure coding, monitoring activities |
The 11 New Controls
These additions reflect the realities of cloud-native, remote-first organisations – precisely the profile of most growing SaaS companies:
- Threat intelligence (5.7) – actively gathering and analysing threat data relevant to your organisation, not just reacting to incidents
- Cloud services security (5.23) – specific requirements for managing cloud environments, including shared responsibility models with providers like AWS, Azure, and GCP
- ICT readiness for business continuity (5.30) – going beyond a disaster recovery document to demonstrate tested, validated recovery capabilities
- Physical security monitoring (7.4) – surveillance and intrusion detection for physical premises
- Configuration management (8.9) – maintaining baseline configurations and detecting drift across your infrastructure
- Information deletion (8.10) – proper data disposal when retention periods expire or customers request deletion
- Data masking (8.11) – anonymisation and pseudonymisation techniques for protecting sensitive data in non-production environments
- Data leakage prevention (8.12) – DLP tooling and processes to prevent unauthorised data exfiltration
- Monitoring activities (8.16) – comprehensive network and system monitoring with defined alerting thresholds
- Web filtering (8.23) – controlling access to external websites that pose security risks
- Secure coding (8.28) – formal secure development practices including code review, SAST, and dependency management
For SaaS companies, controls 5.23 (cloud services), 8.9 (configuration management), and 8.28 (secure coding) are particularly relevant – and if you are following modern engineering practices, you are likely already doing much of this informally.
The 8-Step Implementation Path
Step 1: Define Your Scope
- Define scope around your core product and the data it processes
- Include CI/CD pipelines and third-party SaaS tools that access customer data
- Document every exclusion with clear, defensible justification
Step 2: Run a Gap Analysis
- Mark each of the 93 controls as: Implemented, Partially implemented, Not implemented, or Not applicable
- Most SaaS companies find 40-60% of controls informally in place already
- Spend 2–3 days on it with your engineering lead, a senior developer, and someone from operations
Step 3: Build Your Risk Assessment
- Identify information assets: databases, code repos, API keys, documentation
- Map threats to each asset and assess likelihood and impact
- Determine treatment for each risk: mitigate, accept, transfer, or avoid
Step 4: Write Your Statement of Applicability (SoA)
- List all 93 Annex A controls with justification for inclusion or exclusion
- Provide clear, defensible reasons for any excluded controls
- This document is the auditor's primary roadmap for the certification audit
Step 5: Implement Controls
- Access management: RBAC, quarterly access reviews, JIT privilege elevation
- Incident management: documented response plan with severity levels and SLAs
- Supplier management: third-party risk assessments and contractual data protection
- Business continuity: tested backup and recovery with documented RTO and RPO
- Secure development: code review standards, SAST/DAST in CI/CD, dependency scanning
Step 6: Train Your People
- Short and practical training covering phishing, incident reporting, and data handling
- Role-specific training: secure coding for developers, data classification for managers
- Run quarterly phishing simulations and track results over time
- New joiners must complete training within their first week
Step 7: Internal Audit
- Formal requirement – cannot be skipped before the certification audit
- Auditor must be independent of ISMS management and the certification body
- Identifies non-conformities to address before the Stage 2 audit
Step 8: Certification Audit (Stage 1 and Stage 2)
- Stage 1 (1-2 days): documentation review verifying ISMS design and readiness
- Stage 2 (3-5 days): implementation audit verifying controls are actually working
- Annual surveillance audits and full recertification every three years
Realistic Timeline and Budget
For a SaaS company of 20–100 people:
| Item | Timeline | Cost (GBP) |
|---|---|---|
| Gap analysis | 2–4 weeks | £2,000–5,000 |
| Implementation | 3–6 months | £15,000–40,000 |
| Compliance platform (Vanta/Drata/Secureframe) | Ongoing | £8,000–15,000/year |
| Internal audit | 1–2 weeks | £3,000–6,000 |
| Certification audit (Stage 1 + Stage 2) | 2–3 weeks | £8,000–15,000 |
| Total first year | 4–8 months | £36,000–81,000 |
If you are bootstrapped or budget-constrained, you can reduce costs significantly by doing the gap analysis and much of the implementation yourself. The compliance platform is optional but saves enormous time on evidence collection – without it, expect your team to spend hundreds of hours taking screenshots, exporting logs, and organising evidence folders.
Where to save money:
- Do the gap analysis internally (free, but allocate two to three days of senior time)
- Write policies yourself using the standard's requirements as a checklist rather than buying template packs
- Use open-source tooling for SAST, SCA, and IaC scanning where commercial tools are not justified
Where not to cut corners:
- The certification audit itself (cheap auditors often lack SaaS experience)
- The internal audit (a thorough internal audit prevents expensive surprises in Stage 2)
- Staff training (auditors verify this rigorously)
Maintaining Certification
Certification is not a one-off achievement. The ongoing commitment includes:
- Surveillance audits annually – smaller than the initial audit but still thorough enough to catch drift
- Recertification every three years – a full audit that re-examines the entire ISMS
- Continuous improvement – you need to demonstrate that the ISMS is evolving, not static
Build compliance into your operational rhythm. A dedicated compliance channel in Slack for flagging issues, monthly reviews of open risks, quarterly access reviews, and annual management reviews – these small habits prevent the annual panic that derails engineering sprints.
A sustainable compliance calendar:
| Frequency | Activity |
|---|---|
| Weekly | Review security alerts and incident tickets |
| Monthly | Update risk register, review open corrective actions |
| Quarterly | Access reviews, phishing simulations, champion meetings |
| Every six months | Test disaster recovery and business continuity plans |
| Annually | Management review, internal audit, surveillance audit, training refresh |
ISO 27001 vs SOC 2: Understanding the Overlap
Many SaaS companies need both – ISO 27001 certification for European and international customers, and a SOC 2 report for North American buyers. The good news is that approximately 60% of controls overlap.
| Factor | ISO 27001 | SOC 2 |
|---|---|---|
| Geography | Global, especially UK and EU | Primarily North America |
| Type | Certification (pass or fail) | Attestation report (auditor's opinion) |
| Validity | 3 years with annual surveillance | 12 months |
| Framework | 93 Annex A controls | Trust Services Criteria |
| Prescriptiveness | Risk-based (you choose proportionate controls) | Criteria-based (you demonstrate you meet criteria) |
| Cost (first year) | £36,000–81,000 | £26,000–75,000 |
| Ongoing cost | £15,000–30,000/year | £20,000–50,000/year |
If you plan to pursue both, start with whichever your current pipeline demands most urgently, then use the overlap to achieve the second within six months.
Common Mistakes to Avoid
- Scope creep – do not try to certify everything at once. Start with your core product and expand later if needed.
- Copy-paste policies – auditors spot generic template policies instantly. Make every policy specific to your business, your technology, and your actual processes.
- Treating it as IT-only – ISO 27001 is a business-wide management system. HR, legal, finance, and leadership all have roles to play.
- Ignoring supplier risk – your SaaS depends on dozens of third parties. Each one that touches customer data needs assessment and documented due diligence.
- No management buy-in – the standard requires active management involvement, including formal management reviews. If leadership is not genuinely engaged, you will fail the audit.
- Over-engineering the risk assessment – a sophisticated GRC platform is not necessary for a 50-person company. A well-structured spreadsheet with clear methodology is sufficient and far easier to maintain.
- Neglecting the human element – controls are only as effective as the people operating them. Invest in building a security culture alongside the formal management system.
- Forgetting about evidence retention – controls that work perfectly but have no evidence trail will be flagged as non-conformities. Automate evidence collection wherever possible.
What This Means for Your Organisation
ISO 27001 certification is achievable for any SaaS company that takes security seriously. The standard formalises good practices – it does not invent artificial ones. If you are already doing sensible things with your infrastructure, your code, and your data, you are closer than you think.
The key is approaching implementation pragmatically. Start with a thorough gap analysis to understand where you actually stand. Define a scope that is credible but manageable. Build controls into your existing engineering workflows rather than creating parallel compliance processes. And invest in people – train your team, establish security champions, and ensure leadership is visibly committed.
The certification itself is valuable, but the real payoff is the management system you build along the way. A well-implemented ISMS gives you a structured framework for identifying risks, responding to incidents, and continuously improving your security posture. That framework serves you whether you are responding to a customer security questionnaire, handling a security incident, or scaling your engineering team.
Start this week: download the standard, run your gap analysis, and get leadership sign-off on the timeline. The enterprise deals are waiting.