WATCHUR6 // ISO 27001 // AUDIT READINESS

ISO 27001 for the markets
your SOC 2 report doesn't open.

ISO 27001 is the international floor for procurement. European customers, UK financial regulators, APAC enterprise buyers, government partnerships abroad, and globally-headquartered parent companies all expect a recognized international standard — and SOC 2 alone is treated as supplementary, not sufficient.

The current standard is ISO/IEC 27001:2022. The October 31, 2025 transition deadline has passed — every 2013 certificate is now invalid. New certifications require Stage 1 plus Stage 2 audits against the restructured Annex A: 93 controls across 4 themes, with 11 controls that didn't exist in the 2013 version.

If you already run a SOC 2 program, you're approximately 80% of the way there. The remaining 20% is the work that makes the credential.

Book an ISO 27001 Strategy Call
ISO/IEC 27001:2022 93 ANNEX A CONTROLS ACCREDITED CB-COORDINATED VETERAN-LED

// THE INTERNATIONAL PROCUREMENT WALL

Our SOC 2 report covers us internationally.
It doesn't. European procurement reviewers ask for ISO 27001 by name.

A pattern that shows up consistently in mid-market expansion: a US company with a strong SOC 2 Type II report wins a European customer's technical review, gets through legal, and stalls at procurement. The reviewer comes back with one question — "Do you have an ISO 27001 certificate?" — and the deal goes cold while the company spends 6 to 8 months on a certification it didn't think it needed.

The same pattern shows up in UK financial services partnerships, APAC enterprise procurement, government partnerships abroad (especially NATO and EU member states), and any sales motion that touches a globally-headquartered parent company. Whoever is gating the contract — a procurement office in Frankfurt, a CISO in Singapore, or a group risk committee in London — the answer is the same: show us the ISO 27001 certificate or wait.

The current standard is ISO/IEC 27001:2022. The 2013 version transitioned out on October 31, 2025. Organizations that were still holding 2013 certificates on that date cannot renew or transition them; they start over with an initial certification audit (Stage 1 plus Stage 2) against the restructured Annex A.

The arithmetic from a cold start: 6 to 8 months for first-time certification (Gap → ISMS Buildout → Stage 1 → Stage 2). With an existing SOC 2 program, 3 to 4 months on the strength of the ~80% control overlap. Deciding to "start ISO 27001 this quarter" because a European deal slipped leaves you at least one quarter, and from a cold start two or three, away from a usable certificate.

// ANNEX A // THE FOUR CONTROL THEMES

93 controls. Four themes. One Statement of Applicability.

The 2022 revision restructured Annex A from 114 controls across 14 domains into 93 controls across 4 themes — organizational, people, physical, and technological. Eleven controls are entirely new, reflecting cloud services, threat intelligence, ICT continuity, data leakage prevention, and modern secure development practices.

Every certification audit reads the Statement of Applicability first — the document that declares which controls apply to your ISMS and how they're implemented. Most failed Stage 1 audits trace back to a weak or stale SoA.

// A.5 // 37 CONTROLS

Organizational

The governance backbone of the ISMS. Information security policies, roles and responsibilities, supplier relationships, threat intelligence (A.5.7), and security for the use of cloud services (A.5.23) — both new in 2022.

Failure mode: policies on paper but no operating evidence. Auditors test whether the policy is followed, not whether it's written.

// A.6 // 8 CONTROLS

People

The human factor — typically the weakest layer in any ISMS. Screening, employment terms, awareness training, disciplinary processes, post-employment responsibilities, remote working (A.6.7, which replaces the 2013 teleworking control rather than being one of the 11 new controls), and confidentiality agreements.

Failure mode: training completed but not documented per role; offboarding processes that leave former staff and contractors with live access.

// A.7 // 14 CONTROLS

Physical

Protection of physical assets and facilities. Security perimeters, entry controls, secure areas, equipment maintenance, clear desk policies, and physical security monitoring (A.7.4) — new in 2022.

Failure mode: remote-first organizations under-scoping physical controls. The scope still includes home offices for staff handling sensitive data.

// A.8 // 34 CONTROLS

Technological

The largest theme by control count. Access management, authentication, encryption, secure development (A.8.25-A.8.31), data masking, data leakage prevention, web filtering, and configuration management — most carrying significant 2022 updates.

Failure mode: tooling deployed but evidence not captured. Logs without a retention policy, and a retention period that outlasts the audit window, don't survive a surveillance audit.

// THE ISO 27001 CERTIFICATION LIFECYCLE

Six stages, three years. From gap to renewable certification.

ISO 27001 certifications are valid for three years, contingent on annual surveillance audits in years 1 and 2 and a full recertification audit at year 3. The lifecycle is fundamentally different from SOC 2's annual renewal cycle — and operating discipline across the three years is what keeps the certificate in good standing.

GAP

Gap Assessment

MONTH 0–2

Current state assessed against all 93 Annex A controls. Findings prioritized. SoA outline drafted.

ISMS BUILDOUT

ISMS Buildout

MONTH 2–5

Scope defined. Risk assessment + treatment plan authored. Policies, procedures, and internal audit program established.

STAGE 1

Stage 1 Audit

MONTH 5–6

Documentation review. SoA, risk treatment plan, and ISMS scope assessed. Findings addressed before Stage 2.

STAGE 2

Stage 2 Audit

MONTH 6–7

Evidence audit. Controls tested in operation. Certificate issued. Valid 3 years contingent on surveillance.

SURVEILLANCE

Surveillance Year 1 & 2

MONTH 12, 24

Shorter audits (30–50% scope of Stage 2). Subset of controls sampled. Corrective actions from prior audit verified.

RECERT

Recertification Audit

MONTH 36

Full audit. Similar scope to Stage 2. New 3-year certificate issued. Cycle resets.

BLUE NODES = readiness and ISMS buildout (WatchUr6-led)  ·  AMBER NODES = audit milestones (accredited certification body-led, WatchUr6-coordinated). The three-year cycle includes five audit touchpoints: Stage 1, Stage 2, two annual surveillance audits, and recertification.

// THE ISO 27001 ENGAGEMENT MODEL

Six services. Three phases. One three-year certification cycle.

ISO 27001 isn't a one-shot certification — it's an ISMS that operates continuously, validated by an accredited certification body every twelve months. Engagements are structured around the lifecycle: get the ISMS built, get the certificate issued, sustain it across the three-year cycle. Each phase produces the artifacts the next phase depends on.

// PHASE 01

Readiness

BEFORE THE CERTIFICATION BODY WALKS IN

// 01 // GAP ASSESSMENT

93-Control Gap Assessment

Full assessment against all 93 controls in Annex A of ISO 27001:2022 — Organizational, People, Physical, and Technological themes.

Scored against the methodology accredited certification bodies apply during Stage 1 and Stage 2 fieldwork. SoA outline drafted at this stage so the rest of the buildout flows naturally from it.

If you already have a SOC 2 program, this is the engagement where we map your existing evidence to the corresponding Annex A controls — typically capturing ~80% reuse.

// INCLUDES

93-CONTROL ASSESSMENT SOA OUTLINE SOC 2 CROSSWALK RISK INVENTORY REMEDIATION PLAN

// 02 // ISMS BUILDOUT

ISMS Scope & Buildout

The Information Security Management System itself — scoped, documented, and operating. ISMS scope defined against organizational boundaries, locations, products, and data classes.

Risk assessment + risk treatment plan authored. Statement of Applicability completed against all 93 controls. Internal audit program established. Management review cadence defined.

The artifacts the auditor reads first in Stage 1: SoA, risk treatment plan, ISMS scope statement, internal audit reports, and management review minutes.

// INCLUDES

ISMS SCOPE RISK TREATMENT SOA AUTHORING INTERNAL AUDIT MGMT REVIEW

// PHASE 02

Certification

STAGE 1 & STAGE 2 AUDITS

// 03 // STAGE 1

Stage 1 Audit Coordination

Selection of a certification body accredited by a national accreditation body (ANAB in the US, UKAS in the UK, DAkkS in Germany) and engagement scoping. Documentation review preparation. Stage 1 is the documentation audit — the certification body reads your SoA, risk treatment plan, ISMS scope, and supporting evidence to determine whether the ISMS is ready for Stage 2.

Pre-audit readiness review captures and resolves Stage 1 findings before fieldwork. Operator-led representation during the audit itself.

// INCLUDES

CB SELECTION SCOPE NEGOTIATION DOC REVIEW PRE-AUDIT RUN FIELDWORK SUPPORT

// 04 // STAGE 2

Stage 2 Audit Coordination

The evidence audit. Controls tested in operation across the ISMS. Sample-based testing of access reviews, change management, training records, vendor assessments, incident response, and operating procedures.

Walkthrough rehearsals before fieldwork. Operator-led representation during the audit. Nonconformity response if minor or major findings arise.

On successful Stage 2: certificate issued, valid for three years contingent on surveillance.

// INCLUDES

EVIDENCE PREP MOCK WALKTHROUGHS FIELDWORK SUPPORT NONCONFORMITY RESPONSE CERTIFICATE ISSUED

// PHASE 03

Sustainment

THE THREE-YEAR CYCLE

// 05 // SURVEILLANCE

Surveillance Year 1 & 2 Operations

The annual operating cadence that keeps the certificate in good standing.

Internal audits run on schedule. Management reviews held and documented. Risk treatment plan updated as the environment changes. Corrective actions from prior audits tracked to closure.

Surveillance audits are shorter (30–50% scope of Stage 2) but sample across all four Annex A themes over the two-year window. Evidence captured at the time, not reconstructed.

// INCLUDES

INTERNAL AUDIT MGMT REVIEW RISK REFRESH CORRECTIVE ACTIONS EVIDENCE CAPTURE

// 06 // RECERTIFICATION

Recertification Prep & Year 3 Audit

The full recertification audit at month 36. Similar scope and depth to Stage 2 of the original certification.

Pre-recertification readiness review identifies and closes gaps that accumulated over the cycle. SoA refreshed to reflect any control set changes. Annex A revisions tracked (the 2022 standard is current; future revisions will require recertification updates).

New three-year certificate issued. Cycle resets.

// INCLUDES

FULL AUDIT PREP SOA REFRESH GAP CLOSURE EVIDENCE CONSOLIDATION NEW 3-YR CERT

// THE NUMBERS

ISO 27001 by the numbers.

6–8 MO

Cold-Start Certification

Gap assessment, ISMS buildout, Stage 1, and Stage 2 audit fieldwork.

Faster (3–4 months) if SOC 2 already exists. Slower without documented controls or risk methodology.

3 YR

Certification Validity

Issued after Stage 2, contingent on annual surveillance audits and recertification at year 3.

Surveillance audits are shorter (30–50% of Stage 2 scope) but sample across the full Annex A.

100%

Audit-Ready

Every WatchUr6 audit-readiness engagement has gone into its first audit audit-ready.

The framework changes. The methodology is consistent — operator-led, evidence-backed, pre-rehearsed.

// THE OPERATOR TEAM

Fortune 500 senior CISO leads ISMS program strategy, scope definition, and management review cadence. CISSP-credentialed cloud architect engineers the technological controls across AWS, Azure, and GCP environments.

Army Special Forces communications sergeant (Green Beret, 18B/18C) leads accredited certification body coordination and Stage 1 / Stage 2 representation. Naval Special Warfare veteran runs surveillance-audit cadence and corrective-action management across the three-year cycle.

SDVOSB · DVBE · SBE · CMAS #3-25-06-1018 · CAGE 9CQZ9 · SAM-registered · veteran-led.

// SELF-QUALIFICATION CHECK

Does ISO 27001 actually apply to you?

Three quick questions to help you orient: whether ISO 27001 fits your market roadmap, when you'd need certification by, and how much of the work reuses from a SOC 2 program you already have.

// 01 // APPLICABILITY

Do you need ISO 27001?

ISO 27001 is the international floor. It applies if your sales motion, partnerships, or parent-company structure crosses national borders.

  • You're pursuing European or UK customers who treat SOC 2 as supplementary, not sufficient.
  • You have APAC enterprise procurement in your pipeline (Japan, Singapore, Australia, South Korea).
  • You handle EU personal data and need GDPR-aligned "appropriate technical and organizational measures."
  • Your parent company is internationally headquartered and mandates ISO 27001 group-wide.
  • You're pursuing government partnerships abroad (NATO, EU member states, Commonwealth nations).

// 02 // TIMING

When do you need certification by?

There's no government deadline. The deadline is whichever comes first from the list below.

  • An international customer currently in their security review explicitly asking for it.
  • A GDPR alignment milestone tied to a product launch or data processing expansion.
  • A parent-company audit deadline requiring group-wide ISO 27001 compliance.
  • An RFP or partnership contract that explicitly requires the certificate.
  • Your existing 2013 certificate lapsed October 31, 2025 — full recertification required.

// 03 // SOC 2 LEVERAGE

What if you already have SOC 2?

~80% of your SOC 2 control library reuses into ISO 27001's Annex A. The remaining 20% is what makes the certification.

  • Reuses cleanly: security policies, access controls, encryption, change management, incident response, vendor risk, training records.
  • Net-new work: formal ISMS scope statement, risk treatment plan, Statement of Applicability (all 93 controls), internal audit program, management review cadence.
  • New 2022 controls: threat intelligence, cloud services governance, data masking, secure coding, web filtering — most need attention regardless of SOC 2 maturity.
  • Timeline impact: 3–4 months to Stage 2 audit vs. 6–8 months cold-start.

// FREQUENTLY ASKED

The ISO 27001 questions teams keep asking.

Does ISO 27001:2013 still apply, or do we need to certify under the 2022 version?

Only the 2022 version. The International Accreditation Forum (IAF) established a three-year transition window after ISO 27001:2022 was published in October 2022, with a hard deadline of October 31, 2025.

After that date, all ISO 27001:2013 certificates are treated as expired by accreditation bodies, certification bodies, and the international procurement community. If your organization missed the transition deadline, you cannot pursue a transition audit; you need a new initial certification (full Stage 1 plus Stage 2) under ISO/IEC 27001:2022.

The 2022 version restructured Annex A from 114 controls across 14 domains down to 93 controls across 4 themes (Organizational, People, Physical, Technological) and introduced 11 entirely new controls — threat intelligence, cloud services governance, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.

We already have SOC 2. How much of that work translates to ISO 27001?

Approximately 80% of SOC 2's Common Criteria (Security category) overlaps with ISO 27001:2022's Annex A controls — particularly the Organizational and Technological themes.

Organizations with a mature SOC 2 program can typically reach ISO 27001 certification readiness in 3 to 4 months rather than the 6 to 8 months required for a cold start, because the underlying control library, policy framework, evidence trails, and risk register already exist.

What does not transfer directly: ISO 27001 requires a formal Information Security Management System (ISMS) with documented scope, an internal audit program separate from your external audit, a management review cadence with documented minutes and outcomes, a formal risk treatment plan distinct from a risk register, and a Statement of Applicability (SoA) that lists all 93 Annex A controls with justification for inclusion or exclusion.

The SoA is the single most important document in your ISMS from an audit perspective — certification bodies review it before any other artifact during Stage 1. We build a crosswalk document at engagement start that maps your existing SOC 2 evidence to the corresponding Annex A controls.

How do we choose an accredited certification body, and does it matter which one we use?

It matters significantly. ISO 27001 certifications must be issued by a certification body accredited by a national accreditation body that is itself a signatory to the International Accreditation Forum (IAF) Multilateral Recognition Arrangement.

In the United States the relevant accreditation body is ANAB (ANSI National Accreditation Board). In the UK, UKAS. In Germany, DAkkS. Accredited certification bodies appear on the directory maintained by their accreditation body, and your customers and procurement reviewers can verify accreditation status.

Non-accredited certification bodies issue certificates that are not recognized internationally and may not satisfy procurement requirements. Beyond accreditation status, selection matters for three additional reasons: industry specialization (some bodies focus on tech, others on healthcare or manufacturing), cost and audit cycle length, and flexibility on remote versus on-site audits.

WatchUr6 does not perform the audit itself — we coordinate certification body selection, scope negotiation, audit preparation, and walkthrough rehearsals so Stage 1 and Stage 2 fieldwork runs cleanly.

What is the Statement of Applicability, and why is it so important?

The Statement of Applicability (SoA) is a single document that lists all 93 Annex A controls from ISO 27001:2022, declares whether each control is applicable or not applicable to your organization, justifies the inclusion or exclusion of each control, and describes how each applicable control is implemented.

It is the most important document in your ISMS from an audit perspective. During Stage 1, the certification body's auditor reads your SoA before reading anything else — your policies, your risk treatment plan, your evidence repository, and your internal audit reports are all evaluated against what your SoA says is in place.

The most common SoA failure modes: controls marked applicable with no implementation description, controls marked not applicable with weak or absent justification (especially for the 11 new 2022 controls around cloud services and threat intelligence, which are difficult to defend as not applicable for most modern organizations), and control descriptions out of date with how the organization actually operates.

A well-authored SoA shortens audit time substantially. A poorly authored one extends fieldwork and increases the risk of major nonconformities.
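The structural failure modes above can be checked before the certification body sees the document. The following is an added example, not code from the original page or from WatchUr6: a small lint over a Statement of Applicability that verifies all 93 Annex A (2022) identifiers are present exactly once, flags applicable controls with no implementation description, flags exclusions with no real justification (and separately any of the 11 new 2022 controls marked not applicable, which auditors rarely accept), and flags rows whose last review is stale. The row format, the 20-character text threshold, the 365-day review age, and the sample SoA are all assumptions constructed for the example.

```python
"""Lint a Statement of Applicability (SoA) against ISO/IEC 27001:2022 Annex A.
Added example (not the page's or WatchUr6's code). Row layout, text-length
threshold and review-age threshold are assumptions; the sample SoA is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Annex A (2022) themes and control counts: A.5.1..A.5.37, A.6.1..A.6.8, etc. (93 total)
THEME_SIZES = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}

# The 11 controls introduced in the 2022 revision. Marking one of these
# "not applicable" invites an auditor challenge, so it is flagged separately.
NEW_2022 = {
    "A.5.7", "A.5.23", "A.5.30", "A.7.4", "A.8.9", "A.8.10",
    "A.8.11", "A.8.12", "A.8.16", "A.8.23", "A.8.28",
}


def annex_a_ids() -> list[str]:
    """All 93 control identifiers in Annex A order."""
    return [f"{theme}.{n}" for theme, size in THEME_SIZES.items()
            for n in range(1, size + 1)]


@dataclass
class SoaRow:
    control: str
    applicable: bool
    justification: str = ""    # why the control is included or excluded
    implementation: str = ""   # how an applicable control operates
    last_reviewed: Optional[date] = None


@dataclass
class Finding:
    control: str
    severity: str  # "major": likely nonconformity; "minor": expect a challenge
    message: str


def lint_soa(rows, today: date, max_review_age_days: int = 365,
             min_text_len: int = 20) -> list[Finding]:
    """Return findings for missing, duplicate, unknown, undocumented, weakly
    excluded or stale rows. An empty list means the SoA passes these checks."""
    findings: list[Finding] = []
    expected = annex_a_ids()
    seen: set[str] = set()
    for r in rows:
        if r.control in seen:
            findings.append(Finding(r.control, "minor", "duplicate row"))
            continue
        seen.add(r.control)
        if r.control not in expected:
            findings.append(Finding(r.control, "minor", "not an Annex A 2022 control identifier"))
            continue
        if r.applicable and len(r.implementation.strip()) < min_text_len:
            findings.append(Finding(r.control, "major", "applicable but no implementation description"))
        if not r.applicable:
            if len(r.justification.strip()) < min_text_len:
                findings.append(Finding(r.control, "major", "excluded without a defensible justification"))
            if r.control in NEW_2022:
                findings.append(Finding(r.control, "minor", "2022 control excluded; expect the auditor to challenge this"))
        if r.last_reviewed is None or (today - r.last_reviewed).days > max_review_age_days:
            findings.append(Finding(r.control, "minor", f"not reviewed in the last {max_review_age_days} days"))
    for cid in expected:
        if cid not in seen:
            findings.append(Finding(cid, "major", "missing: the SoA must list every Annex A control"))
    return findings


def sample_soa(today: date) -> list[SoaRow]:
    """Constructed sample: a complete-looking SoA with four deliberate defects."""
    rows = [SoaRow(c, True, "Required by risk treatment plan RTP-2025 (hypothetical).",
                   "Implemented per policy; evidence held in the control register.",
                   today - timedelta(days=30)) for c in annex_a_ids()]
    by_id = {r.control: r for r in rows}
    by_id["A.5.23"].applicable = False                        # cloud-services control excluded ...
    by_id["A.5.23"].justification = "n/a"                     # ... with a one-word justification
    by_id["A.8.11"].implementation = ""                       # data masking: applicable, nothing describing it
    by_id["A.7.4"].last_reviewed = today - timedelta(days=400)  # physical monitoring: stale review
    rows.remove(by_id["A.8.34"])                              # one control silently dropped
    return rows


def summarize(findings) -> dict[str, int]:
    counts = {"major": 0, "minor": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


SAMPLE_DATE = date(2026, 1, 15)


def sample_findings() -> list[Finding]:
    return lint_soa(sample_soa(SAMPLE_DATE), SAMPLE_DATE)


def sample_report() -> dict[str, int]:
    return summarize(sample_findings())


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.severity.upper():5} {f.control:7} {f.message}")
    print(sample_report())
```

Run against the constructed sample, the lint reports three majors (the unjustified exclusion of A.5.23, the undescribed A.8.11, and the missing A.8.34) and two minors (A.5.23 as an excluded 2022 control, A.7.4 as stale). Feeding it the real SoA export before Stage 1 catches exactly the rows the auditor would otherwise write up.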

What does the three-year certification cycle actually require, and what's the failure mode?

ISO 27001 certificates are valid for three years, contingent on annual surveillance audits in years 1 and 2 and a full recertification audit in year 3.

Surveillance audits are not full audits — they are shorter audits (typically 30 to 50 percent of the certification audit's scope) that verify the ISMS is still operating effectively and that all corrective actions from prior audits have been completed. Surveillance audits sample a subset of Annex A controls each year, with the expectation that across the three-year cycle every control will be audited at least once. The recertification audit at year 3 is similar in scope and depth to the original Stage 2 certification audit.

Common failure modes: missed surveillance audit dates (certification can be suspended or withdrawn), unaddressed minor nonconformities from prior audits accumulating into major nonconformities, internal audit program lapses (the standard requires internal audits at a frequency you set, typically annual, and skipping them is itself a finding), and management review meetings held but not documented to the standard's requirements.

The work between audits is operational discipline more than technical engineering. We run the sustainment cadence to keep the certification in good standing across the full three-year cycle.

We sell exclusively in the US. Do we still need ISO 27001 if we already have SOC 2?

Probably not today — but the question is whether your customer base will stay exclusively US over the next 2 to 3 years.

ISO 27001 is the international floor for procurement; SOC 2 is the US enterprise B2B floor. They serve different gatekeepers. If your sales pipeline includes any European or UK customers, any APAC customers in regulated industries, any government or quasi-government partnerships outside the US, any subsidiaries of internationally-headquartered parent companies, or any global enterprise procurement processes — ISO 27001 is the credential that opens those doors.

SOC 2 reports are recognized in international procurement but are typically treated as supplementary rather than sufficient. European procurement reviewers, in particular, will often request ISO 27001 by name.

The other consideration is GDPR alignment. ISO 27001 is the most widely accepted demonstration of "appropriate technical and organisational measures" under GDPR Article 32. If your data processing footprint includes EU residents — even through US-based customers serving EU users — ISO 27001 carries demonstrable weight in GDPR enforcement matters that SOC 2 does not. Note the limit: ISO 27001 certification is evidence that Article 32 measures exist and operate; it is not an approved GDPR certification under Article 42, so it supports a compliance position rather than settling it.

For a US-only company with no international roadmap and no EU data subjects, SOC 2 alone may be sufficient. For everyone else, ISO 27001 is the next logical step.

// THE NEXT MOVE

The international door is closed. Open it.

Book a 30-minute ISO 27001 strategy call with a WatchUr6 advisor. Bring the customer, partner, or parent-company requirement that triggered this — and your existing SOC 2 report if you have one.

You'll walk away with a tactical read on your realistic certification timeline, the Annex A scope your ISMS needs to cover, how much of the work reuses from SOC 2, and which accredited certification bodies fit your industry — whether you hire us or not.

Book an ISO 27001 Strategy Call