ISO/IEC 27001:2022 Certification

The one security standard recognized at every border you cross.

When a SOC 2 report isn't enough for your EU or global customers, B4Q builds and certifies an ISMS against ISO/IEC 27001:2022 — the internationally recognized standard for information security management.

  • Accredited certification body coordination
  • Recognized in 150+ countries
  • 2022 Annex A controls, done right
Organizational People Physical Technological
ISO 27001
2022 · Certified ISMS
0Years of Experience
0Satisfied Clients
0Annex A Controls Covered
0Control Themes
Why It Matters

SOC 2 opens US doors. ISO 27001 opens the rest.

Many EU and international procurement teams ask for ISO/IEC 27001 certification specifically, and won't accept a SOC 2 report as a substitute — it's a globally recognized, certifiable management system standard rather than a US-centric attestation.

Certification means an accredited third-party body has verified you operate a functioning Information Security Management System (ISMS) — not just a set of point-in-time controls, but an ongoing program of risk assessment, treatment, and continual improvement.

  • 01 Unlocks EU and international enterprise deals that require certification, not attestation.
  • 02 Builds a management system that keeps improving year over year, not just a report that expires.
  • 03 Shares real control overlap with SOC 2, so holding both is far cheaper than building each from scratch.
 ISO 27001SOC 2
Format CertificationAttestation report
Global recognition 150+ countriesPrimarily North America
Validity3-yr cycle + surveillance12-month report
Public listing On registrar Restricted use
Best paired withRun together for one coordinated audit program
The Framework

93 controls, organized into four themes.

The 2022 revision of ISO/IEC 27001 restructured Annex A into four practical themes. We help you scope which controls genuinely apply to your business.

A.5

Organizational

Policies, roles, supplier relationships, and how security decisions get made.

37controls
A.6

People

Screening, training, remote working, and disciplinary processes for staff.

8controls
A.7

Physical

Secure areas, equipment, and physical entry controls for facilities.

14controls
A.8

Technological

Access control, cryptography, malware defense, logging, and secure development.

34controls
The Certification Audit

Two audit stages, one certification body.

Unlike SOC 2's Type I/II split, ISO 27001 certification runs through a two-stage external audit performed by an accredited certification body.

Documentation review

Stage 1: Readiness Review

The certification body reviews your ISMS documentation — scope, risk assessment, Statement of Applicability — to confirm you're ready for the operational audit.

1–2 daysOn-site or remote
DocsPrimary focus
Gap listTypical output
  • Confirms ISMS scope and boundaries are correctly defined
  • Flags documentation gaps before Stage 2 begins
  • Sets the timeline for the Stage 2 audit
ISMS scope & boundaries defined
Risk assessment methodology documented
Statement of Applicability finalized
Controls operating & evidenced
Operational audit

Stage 2: Certification Audit

Auditors test whether your ISMS controls are actually implemented and operating as documented — interviews, evidence sampling, and site checks.

2–4 daysTypical duration
EvidencePrimary focus
CertificateTypical output
  • Tests real operating evidence, not just policy documents
  • Minor nonconformities get a corrective action window
  • A pass results in a 3-year certificate with annual surveillance
ISMS scope & boundaries defined
Risk assessment methodology documented
Statement of Applicability finalized
Controls operating & evidenced
How We Work

From gap analysis to a 3-year certificate.

Certification isn't a one-time event — it's a management system that gets audited annually to stay valid.

01

Gap Analysis

We assess your current security practices against ISO/IEC 27001:2022's Annex A and define the ISMS scope and boundaries.

02

Build the ISMS

Risk assessment methodology, treatment plan, policies, and the Statement of Applicability get documented and implemented.

03

Internal Audit & Management Review

We run the internal audit and management review ISO 27001 requires before you're ready for external certification.

04

Stage 1 & Stage 2 Audits

We coordinate both audit stages with an accredited certification body and support you through any corrective actions.

05

Certification Issued

Your ISO/IEC 27001:2022 certificate is issued, valid for three years, and listed on the certification body's public registrar.

06

Annual Surveillance

Surveillance audits run in years one and two to keep the certificate active, with recertification at year three.

ISO 27001 is a continual-improvement cycle, not a one-and-done audit — your ISMS keeps evolving through every surveillance year.

Why B4Q

An ISMS built to hold up under any auditor.

We coordinate the certification body relationship, so your team deals with one point of contact throughout.

Accredited Body Coordination

We manage scheduling and communication with your certification body across both audit stages.

SOC 2 Overlap, Reused

Already have SOC 2? We map existing evidence directly onto Annex A to cut duplicate work.

Documentation That Holds Up

Policies and evidence built to survive Stage 2 scrutiny, not just look complete on paper.

4–9 Month Realistic Timelines

Clear milestones from gap analysis to certificate, with faster paths for SOC 2-certified teams.

Surveillance-Year Support

We stay on for annual surveillance audits, not just the initial certification push.

50+ Businesses Served

Across SaaS, fintech, healthcare, and manufacturing, at every certification stage.

In Practice

How this plays out for companies like yours.

Common paths we help clients through — from a stalled EU deal to running SOC 2 and ISO 27001 as one coordinated program.

These scenarios are illustrative, based on patterns we see across engagements — not a specific named client. See verified client case studies →
Scenario · EU Expansion

ISO 27001 for EU Expansion

The situation

A US SaaS company signs its first major EU customer, whose procurement team asks for ISO 27001 specifically — SOC 2 alone won't satisfy them.

How B4Q approaches it

A gap analysis against Annex A, building the Statement of Applicability, and coordinating the two-stage audit with an accredited body.

Certification in four to nine months — faster for companies that already hold SOC 2.

Scenario · Multi-Framework

One Audit Program, Two Certifications

The situation

A SOC 2-certified company is told ISO 27001 is now a hard requirement, and dreads what looks like a second full audit process.

How B4Q approaches it

We map Trust Services Criteria directly against Annex A and coordinate interviews and evidence so control owners answer once, not twice.

A fraction of the original effort for the second certification, run as one coordinated program.

Scenario · Privacy Extension

ISO 27701 on Top of ISO 27001

The situation

An ISO 27001-certified company gets asked about privacy information management specifically — a gap 27001 alone doesn't close.

How B4Q approaches it

We extend the existing ISMS with ISO 27701's privacy-specific controls instead of duplicating the underlying management system.

A meaningfully faster path to privacy certification than starting from zero.

Questions

ISO 27001, answered.

How is ISO 27001 different from SOC 2?
ISO 27001 is a certifiable management system standard recognized internationally, while SOC 2 is a US-centric attestation report. Many companies pursue both — international customers often specifically require ISO 27001, while US enterprise buyers more commonly ask for SOC 2.
How long does certification take?
For a company with no prior ISO experience, four to nine months is typical from gap analysis through Stage 2 certification. Companies that already hold SOC 2 often move faster, since access management, incident response, and vendor risk evidence transfers directly.
Does the certificate expire?
Certificates are valid for three years, with annual surveillance audits in years one and two to confirm the ISMS is still operating as certified, and a recertification audit at year three.
Do we need to apply all 93 Annex A controls?
No. Your Statement of Applicability documents which controls apply to your business and why, based on your risk assessment — not every organization needs every control.
Can we run SOC 2 and ISO 27001 together?
Yes. Because the two frameworks overlap substantially, we coordinate evidence requests and interviews across both audits so your team isn't answering the same questions twice for two separate audit teams.

Ready to take your ISMS to certification?

Book a free strategy call and we'll map out a realistic ISO 27001 timeline for your business.