The one security standard recognized at every border you cross.
When a SOC 2 report isn't enough for your EU or global customers, B4Q builds and certifies an ISMS against ISO/IEC 27001:2022 — the internationally recognized standard for information security management.
- Accredited certification body coordination
- Recognized in 150+ countries
- 2022 Annex A controls, done right
SOC 2 opens US doors. ISO 27001 opens the rest.
Many EU and international procurement teams ask for ISO/IEC 27001 certification specifically, and won't accept a SOC 2 report as a substitute — it's a globally recognized, certifiable management system standard rather than a US-centric attestation.
Certification means an accredited third-party body has verified you operate a functioning Information Security Management System (ISMS) — not just a set of point-in-time controls, but an ongoing program of risk assessment, treatment, and continual improvement.
- 01 Unlocks EU and international enterprise deals that require certification, not attestation.
- 02 Builds a management system that keeps improving year over year, not just a report that expires.
- 03 Shares real control overlap with SOC 2, so holding both is far cheaper than building each from scratch.
93 controls, organized into four themes.
The 2022 revision of ISO/IEC 27001 restructured Annex A into four practical themes. We help you scope which controls genuinely apply to your business.
Organizational
Policies, roles, supplier relationships, and how security decisions get made.
People
Screening, training, remote working, and disciplinary processes for staff.
Physical
Secure areas, equipment, and physical entry controls for facilities.
Technological
Access control, cryptography, malware defense, logging, and secure development.
Two audit stages, one certification body.
Unlike SOC 2's Type I/II split, ISO 27001 certification runs through a two-stage external audit performed by an accredited certification body.
Stage 1: Readiness Review
The certification body reviews your ISMS documentation — scope, risk assessment, Statement of Applicability — to confirm you're ready for the operational audit.
- Confirms ISMS scope and boundaries are correctly defined
- Flags documentation gaps before Stage 2 begins
- Sets the timeline for the Stage 2 audit
Stage 2: Certification Audit
Auditors test whether your ISMS controls are actually implemented and operating as documented — interviews, evidence sampling, and site checks.
- Tests real operating evidence, not just policy documents
- Minor nonconformities get a corrective action window
- A pass results in a 3-year certificate with annual surveillance
From gap analysis to a 3-year certificate.
Certification isn't a one-time event — it's a management system that gets audited annually to stay valid.
Gap Analysis
We assess your current security practices against ISO/IEC 27001:2022's Annex A and define the ISMS scope and boundaries.
Build the ISMS
Risk assessment methodology, treatment plan, policies, and the Statement of Applicability get documented and implemented.
Internal Audit & Management Review
We run the internal audit and management review ISO 27001 requires before you're ready for external certification.
Stage 1 & Stage 2 Audits
We coordinate both audit stages with an accredited certification body and support you through any corrective actions.
Certification Issued
Your ISO/IEC 27001:2022 certificate is issued, valid for three years, and listed on the certification body's public registrar.
Annual Surveillance
Surveillance audits run in years one and two to keep the certificate active, with recertification at year three.
ISO 27001 is a continual-improvement cycle, not a one-and-done audit — your ISMS keeps evolving through every surveillance year.
An ISMS built to hold up under any auditor.
We coordinate the certification body relationship, so your team deals with one point of contact throughout.
Accredited Body Coordination
We manage scheduling and communication with your certification body across both audit stages.
SOC 2 Overlap, Reused
Already have SOC 2? We map existing evidence directly onto Annex A to cut duplicate work.
Documentation That Holds Up
Policies and evidence built to survive Stage 2 scrutiny, not just look complete on paper.
4–9 Month Realistic Timelines
Clear milestones from gap analysis to certificate, with faster paths for SOC 2-certified teams.
Surveillance-Year Support
We stay on for annual surveillance audits, not just the initial certification push.
50+ Businesses Served
Across SaaS, fintech, healthcare, and manufacturing, at every certification stage.
How this plays out for companies like yours.
Common paths we help clients through — from a stalled EU deal to running SOC 2 and ISO 27001 as one coordinated program.
ISO 27001 for EU Expansion
A US SaaS company signs its first major EU customer, whose procurement team asks for ISO 27001 specifically — SOC 2 alone won't satisfy them.
A gap analysis against Annex A, building the Statement of Applicability, and coordinating the two-stage audit with an accredited body.
Certification in four to nine months — faster for companies that already hold SOC 2.
One Audit Program, Two Certifications
A SOC 2-certified company is told ISO 27001 is now a hard requirement, and dreads what looks like a second full audit process.
We map Trust Services Criteria directly against Annex A and coordinate interviews and evidence so control owners answer once, not twice.
A fraction of the original effort for the second certification, run as one coordinated program.
ISO 27701 on Top of ISO 27001
An ISO 27001-certified company gets asked about privacy information management specifically — a gap 27001 alone doesn't close.
We extend the existing ISMS with ISO 27701's privacy-specific controls instead of duplicating the underlying management system.
A meaningfully faster path to privacy certification than starting from zero.
ISO 27001, answered.
Ready to take your ISMS to certification?
Book a free strategy call and we'll map out a realistic ISO 27001 timeline for your business.