Glossary
ISO 27001
ISO 27001 (formally ISO/IEC 27001) is the international standard for information security management systems (ISMS). Certification signals that a company runs a risk-based security program that an accredited external auditor has verified against the standard and re-checks every year.
ISO 27001 is the leading international standard for information security management, published jointly by ISO (International Organization for Standardization) and IEC. It defines requirements for an information security management system — the policies, processes, risk assessment, and controls a company uses to manage information security risk. The standard certifies the management system, not any particular technical control: which controls apply is decided by the company's own risk assessment and recorded in its Statement of Applicability.
Certification process: a company implements the ISMS against the standard's clauses (context, leadership, planning, support, operation, performance evaluation, improvement) and selects controls from Annex A. The 2013 edition listed 114 controls across 14 domains (access control, cryptography, physical security, operations security, etc.); the 2022 edition reorganizes them into 93 controls across 4 themes (organizational, people, physical, technological). An auditor from an accredited certification body reviews the implementation, normally in two stages: a documentation review (stage 1) followed by an on-site or remote audit of whether the ISMS actually operates as documented (stage 2). If it meets the standard, the company is certified. Certification is valid for 3 years, with surveillance audits in years 1 and 2 and a full recertification audit in year 3. The certificate states a scope (the business units, systems, and locations covered); when evaluating a vendor, check that the scope actually includes the service you are buying.
ISO 27001 vs SOC 2: both signal mature security practices, but they are different instruments. ISO 27001 is a certification against a fixed standard. SOC 2 is an attestation report issued by a CPA firm under AICPA rules; a Type I report covers control design at a point in time, a Type II report covers operating effectiveness over a review period (typically 6-12 months). SOC 2 is more common in US tech (US-focused, easier to scope for SaaS); ISO 27001 is more common globally (recognized in the EU, Asia, and Latin America). Enterprise customers — especially in Europe — often require ISO 27001 in procurement; US enterprise often requires a SOC 2 Type II report. Companies serving both markets usually pursue both, and much of the control evidence can be shared between them.
Cost and timeline: a small SaaS getting ISO 27001 certified typically pays $40-150K for the initial certification (consultant, audit fees, and compliance tooling) and spends 6-12 months on implementation. Annual surveillance audits cost $15-40K. Recertification in year 3 costs roughly the initial audit fees without the consultant spend, since the team already knows the process. These figures are typical ranges, not quotes; audit fees scale with the number of sites, employees, and systems in scope.
Practical impact: customers in regulated industries (healthcare, finance, government, education) often won't sign a contract without ISO 27001 or SOC 2 evidence. Even non-regulated enterprise customers increasingly require it in procurement questionnaires. For startups, the question is when to invest — usually after the first $1M-5M ARR, or earlier if pursuing enterprise contracts.
Example
A SaaS pursuing EU enterprise deals invests $60K and 9 months to get ISO 27001 certified. Within 6 months of certification, deal cycle on EU deals shortens by 40% (procurement questionnaires require the certificate; without it, deals stall in legal review). The certification pays for itself within 3 closed deals.