Question 1

What is ISO 27001?

Accepted Answer

ISO 27001 is an international standard that defines how organisations should manage information security. Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it sets out the requirements for an Information Security Management System (ISMS) — a documented framework of policies, risk assessments, and controls that protect company and customer data. The current version is ISO/IEC 27001:2022.

Question 2

How long does it take a startup to get ISO 27001 certified?

Accepted Answer

Most startups get ISO 27001 certified in 3 to 6 months when using a compliance automation platform. Manual implementation with a consultant typically takes 6 to 12 months. The timeline depends on three factors: the scope of your ISMS, how many of the 93 Annex A controls you already have in place, and how quickly your team can review policies and collect evidence. Startups with fewer than 50 employees and a well-defined cloud stack often hit the faster end of that range.

Question 3

How much does ISO 27001 certification cost for a startup?

Accepted Answer

For a startup, total ISO 27001 costs typically fall between €10,000 and €25,000 for the first year. That covers three things: a compliance platform (€5,000–€15,000/year), the external certification auditor (€4,000–€10,000 for Stage 1 + Stage 2), and internal time. Hiring a consultant instead of using automation software pushes the total to €20,000–€40,000+. Surveillance audits in years 2 and 3 are cheaper — roughly 40–60% of the initial audit fee.

Question 4

Do startups really need ISO 27001?

Accepted Answer

ISO 27001 is not legally required, but it is effectively required to sell to enterprise customers in Europe, the Middle East, and APAC. Procurement teams at mid-market and enterprise buyers increasingly treat the certificate as a baseline — without it, your startup is often filtered out before a sales conversation begins. If your buyers are mostly US-based, SOC 2 may be a faster first step; if you sell internationally or into regulated industries, ISO 27001 is the stronger foundation.

Question 5

What is an ISMS?

Accepted Answer

An Information Security Management System (ISMS) is the set of policies, processes, people, and technology a company uses to protect its information. ISO 27001 certification is essentially proof that your ISMS meets an internationally recognised standard. An ISMS is not a software tool — it is the operating model around your data, covering risk management, access control, incident response, vendor oversight, and continuous improvement.

Question 6

How many controls are there in ISO 27001?

Accepted Answer

ISO 27001:2022 includes 93 controls listed in Annex A, grouped into four themes: organisational (37), people (8), physical (14), and technological (34). You do not need to implement every control — you apply the ones that address your risks and document why others are excluded in a Statement of Applicability (SoA).

Question 7

What's the difference between ISO 27001 and SOC 2?

Accepted Answer

ISO 27001 is a globally recognised certification against a formal standard, issued by accredited certification bodies. SOC 2 is a US-focused attestation produced by an audit firm. ISO 27001 is built around a management system (the ISMS) and is renewed every 3 years; SOC 2 reports are issued annually and focus on operational controls over a specific period. Most European buyers prefer ISO 27001; most US buyers prefer SOC 2. Many startups eventually need both.

Question 8

Can a startup get ISO 27001 without a CISO?

Accepted Answer

Yes. Most early-stage startups get ISO 27001 certified without a full-time CISO. What you need is clear ownership — usually a founder, CTO, or head of engineering acting as the ISMS owner — plus a compliance platform or fractional CISO to guide the process. Secfix customers typically complete certification with a founder plus one or two engineers contributing a few hours per week.

Question 9

How do I get ISO 27001 certified?

Accepted Answer

ISO 27001 certification follows six steps: (1) define the ISMS scope, (2) run a risk assessment, (3) select and implement controls from Annex A, (4) document policies and procedures, (5) complete an internal audit, and (6) pass a two-stage external audit (Stage 1 document review, Stage 2 on-site or remote audit) with an accredited certification body. The certificate is valid for 3 years with annual surveillance audits.

Question 10

How long is an ISO 27001 certificate valid?

Accepted Answer

An ISO 27001 certificate is valid for 3 years. During those 3 years, the certification body performs annual surveillance audits to confirm your ISMS is still operating. At the end of year 3, a full recertification audit is required to renew the certificate for another 3-year cycle.

The ultimate TISAX® Guide

The practical TISAX® guide for automotive suppliers

Everything you need to get the TISAX® label

Enter your details to download

FAQs

What is TISAX®?

How long does it take to get TISAX® certified?

How much does TISAX® certification cost for an SMB?

Is TISAX® mandatory?

What are the three TISAX® assessment levels?

How long is a TISAX® label valid?

Do I need ISO 27001 before getting TISAX®?

What customers say about Secfix

Get the TISAX guide