ISO 27001:2022 Complete Implementation Guide for US Companies Going International

#The certification every European customer expects

When a mid-market US SaaS company closes their first major European enterprise deal, the procurement packet has something new. "Please provide your current ISO/IEC 27001 certificate." SOC 2 Type II, which got them through every American procurement process, might not be enough. European buyers default to ISO 27001. Some will accept SOC 2 as equivalent evidence. Many will not.

This is the ISO 27001 problem. It's an international standard, not an American one. It's more rigorous than SOC 2 in some dimensions, less in others. It's certifiable (not just attestable). And getting certified takes 12-18 months minimum from cold start to initial certificate issued.

This post is the complete ISO 27001:2022 implementation guide. What the standard actually requires. The difference from ISO 27001:2013 (which many older companies are still certified against). How the Annex A controls changed. Budget ranges. Certification body selection. And the 18-month implementation path.

#Who this is for

• US B2B companies expanding into Europe who need international compliance
• Companies whose customers are pushing beyond SOC 2
• Organizations pursuing ISO 27001 for the first time
• Organizations transitioning from ISO 27001:2013 to 27001:2022
• Security leads comparing ISO 27001 vs. SOC 2 for program direction

#What ISO 27001 is

ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). Published jointly by ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission). Certifiable by accredited certification bodies.

Two structural parts:

#The ISMS requirements

Clauses 4-10 cover what the management system itself must do:

• Clause 4: Context of the organization
• Clause 5: Leadership
• Clause 6: Planning
• Clause 7: Support
• Clause 8: Operation
• Clause 9: Performance evaluation
• Clause 10: Improvement

This is the "management system" part. It's how your organization governs cybersecurity, not specific controls.

#Annex A controls

93 controls organized into 4 categories:

• Organizational controls (37 controls) — policies, procedures, responsibilities
• People controls (8 controls) — workforce security
• Physical controls (14 controls) — facility security
• Technological controls (34 controls) — technical safeguards

These are the actual security controls. Organizations pick which ones apply to them via a Statement of Applicability (SoA) justifying inclusion or exclusion of each.

#What changed in 2022

ISO 27001:2013 was the prior version. Companies certified against 2013 had to transition to 2022 by October 31, 2025. Key changes:

#Annex A restructured

2013 had 114 controls in 14 categories. 2022 has 93 controls in 4 categories.

Not a reduction. Consolidation + modernization. Some controls combined, some new ones added.

#New controls added

11 entirely new controls:

• A.5.7 Threat intelligence
• A.5.23 Information security for use of cloud services
• A.5.30 ICT readiness for business continuity
• A.7.4 Physical security monitoring
• A.8.9 Configuration management
• A.8.10 Information deletion
• A.8.11 Data masking
• A.8.12 Data leakage prevention
• A.8.16 Monitoring activities
• A.8.23 Web filtering
• A.8.28 Secure coding

These reflect a decade of evolving practice.

#Annex A simplified

Categories consolidated from 14 to 4. Easier to understand and organize around.

#Stronger alignment with other frameworks

2022 aligns more explicitly with:

• NIST CSF
• GDPR privacy requirements
• Cloud-specific guidance (ISO 27017, ISO 27018)

#ISO 27001 vs. SOC 2

The comparison that every B2B company needs to understand.

| | ISO 27001 | SOC 2 |

|---|---|---|

| Type | Certification | Attestation |

| Geographic preference | International (Europe/Asia/Australia) | United States |

| Scope | ISMS + controls | Trust Services Criteria |

| Who issues | Accredited certification body | CPA firm |

| Deliverable | Certificate | Report |

| Validity | 3 years (with annual surveillance audits) | 12 months typical |

| Cost (first year, mid-market) | $40K-$150K | $25K-$80K |

| Timeline | 12-18 months | 10-14 months |

| Depth of ISMS requirements | Deep (clauses 4-10) | Lighter |

| Depth of controls | 93 Annex A controls | Trust Services Criteria |

| Flexibility | Statement of Applicability | Scope of criteria (Security required, others optional) |

| Public-facing format | Certificate can be shared publicly | Report shared under NDA |

When to pick which:

• SOC 2 only: Selling primarily to US customers, SaaS model, venture-funded
• ISO 27001 only: International from day one, heavier regulated industries
• Both: Selling globally at enterprise scale

Many companies do SOC 2 first (lower friction, faster time to initial certification), then add ISO 27001 when European expansion requires it.

#The Statement of Applicability (SoA)

The most important ISO 27001 artifact.

For each of the 93 Annex A controls:

• Is it applicable? (almost always yes, but specific exclusions are possible)
• If applicable, how is it implemented?
• If excluded, why? (justification required)

The SoA is the bridge between the abstract control set and your specific implementation. Auditors assess against the SoA, not generic standard interpretation.

Common exclusion examples:

• A.7.x (Physical controls) excluded for fully-remote companies
• A.5.19 (Information security in supplier relationships) narrowed if vendor base is small
• Specific cloud controls excluded if company is on-premises only

#The 18-month implementation plan

For a mid-market organization from zero.

#Months 1-3. Foundation + Gap Analysis

• Executive sponsorship secured
• Scope definition (what parts of the org, what services, what data)
• Context analysis (clauses 4.1-4.4)
• Gap analysis against ISMS requirements + Annex A controls
• Certification body preliminary selection

#Months 4-6. ISMS Framework

• Information security policy
• Roles, responsibilities, authorities
• Risk assessment methodology
• Initial risk assessment
• Risk treatment plan
• Statement of Applicability (draft)

#Months 7-12. Control Implementation

• Prioritized Annex A control implementation
• Workforce security (screening, training, disciplinary)
• Asset management (inventory, classification, handling)
• Access control
• Cryptography
• Physical + environmental security
• Operations security
• Communications security
• Systems acquisition + development
• Supplier relationships
• Incident management
• Business continuity
• Compliance

#Months 13-15. Internal Audit + Management Review

• Internal audit of the ISMS
• Nonconformities identified and corrected
• Management review meeting
• Continuous improvement input

#Months 16-18. Certification Audit

Two stages:

• Stage 1 audit (document review, readiness assessment)
• Stage 2 audit (full ISMS audit including evidence gathering)
• Response to findings
• Certificate issued (or additional work required if major nonconformities)

#Year 2 and beyond

• Annual surveillance audit (simpler scope)
• Year 3 recertification audit (full scope again)
• Continuous ISMS operation and improvement

#Certification body selection

Unlike SOC 2 where the CPA issuing the report is chosen freely, ISO 27001 requires an accredited certification body. Not all are equal.

#Tier 1 certification bodies

Big Four adjacent or equivalent:

• BSI (British Standards Institution)
• DNV (Norwegian origin, global)
• TÜV Rheinland / TÜV SÜD / TÜV NORD (German origin)
• Lloyd's Register
• Intertek
• SGS

These have the broadest international recognition. Premium pricing.

#Tier 2 certification bodies

Well-respected mid-market focused:

• A-LIGN
• Schellman
• Insight Assurance
• NQA
• CertPro

Often better pricing. Strong US presence.

#Accreditation matters

The certification body itself must be accredited by a national accreditation body (UKAS, ANAB in the US, etc.). Accreditation chains up through IAF (International Accreditation Forum) for mutual recognition.

If you're certified by a non-accredited body, your certificate may not be recognized by customers. Verify accreditation before signing.

#Cost framework

Honest ranges for a mid-market company (50-500 employees).

#First-year costs

• Consulting / implementation support: $40K-$150K
• Certification body audit: $20K-$60K
• Tools (compliance automation, SIEM, etc. if gaps exist): $30K-$200K
• Internal staff time: 0.5-1 FTE for 12-18 months = $75K-$200K equivalent
• Training (ISMS roles, internal auditor, etc.): $10K-$30K

Total: $175K-$640K depending on starting state.

#Ongoing costs

• Annual surveillance audit: $10K-$25K
• Consulting retainer (optional): $30K-$120K
• Continued tooling: $30K-$200K
• Staff time (0.25-0.5 FTE ongoing): $40K-$100K equivalent

Total: $110K-$445K annually.

#The compliance automation platforms

Vanta, Drata, Secureframe, Sprinto, Thoropass all support ISO 27001.

#How they help

• Evidence collection automation via integrations
• Policy templates
• Gap assessment tools
• Audit readiness dashboards
• Multi-framework (SOC 2 + ISO 27001 + others) in one platform

#Limits

• They collect evidence but can't replace the management system work
• Policy templates need customization
• Audit firm relationships + the actual audit still cost money
• The ISMS itself is your team's responsibility

Most mid-market companies pursuing ISO 27001 use one of these platforms. The work they save is real. The work they don't replace is also real.

#Common implementation pitfalls

From engagements where we've helped clients:

#1. Underestimating the ISMS requirements

Clauses 4-10 get neglected in favor of Annex A controls. The audit fails on ISMS management weaknesses, not technical controls.

#2. Over-scoping initial certification

Certifying the entire company when you could have certified just the product or business unit. Increases cost, timeline, and failure risk.

#3. Wrong Statement of Applicability detail level

Too thin (auditor rejects). Too detailed (maintenance burden). The right level is specific control descriptions with evidence references.

#4. Risk assessment that doesn't drive decisions

Risk assessment done as a checkbox exercise. Risk treatment plan generic. Auditor sees it's not operationally relevant.

#5. Management review meeting as a formality

Management review is required by the standard. Doing it as a rubber-stamp signing misses the improvement loop the standard demands.

#6. Internal audit skipped or weak

Internal audit is required. Using the same person who implemented to audit is a conflict. Auditor will flag.

#7. Certification body chosen without due diligence

Cheapest certification body that nobody's heard of. Customer won't accept the certificate. Start over.

#Maintaining certification year over year

Year 1: Initial certification audit (Stage 1 + Stage 2)

Year 2: Surveillance audit (simpler, 1-3 days typically)

Year 3: Surveillance audit OR recertification audit (if 3-year cycle)

Non-conformities surfaced during surveillance have to be closed within specific timelines or the certificate can be suspended/withdrawn.

Ongoing operational requirements:

• Risk assessment updated at least annually
• Management review at least annually
• Internal audit at least annually
• Controls maintained continuously
• Metrics and measurement ongoing

#Integration with other frameworks

#With SOC 2

Many controls map between ISO 27001 and SOC 2. Most compliance automation platforms handle cross-framework evidence.

Dual implementation (ISO 27001 + SOC 2) adds ~20-30% to the cost of the first framework, not 100%. Leverage is real.

#With GDPR

ISO 27701 is the privacy extension to ISO 27001. Specifically covers GDPR alignment. Many European customers prefer ISO 27701 for GDPR-adjacent requirements.

#With NIS2

EU NIS2 directive doesn't explicitly require ISO 27001 but frequently cites it as a reference standard. Mature ISO 27001 organizations are well-positioned for NIS2 compliance.

#With industry frameworks

ISO 27017 (cloud-specific), ISO 27018 (PII in cloud), ISO 27799 (healthcare) extend ISO 27001 for specific contexts.

#Working with us

We run ISO 27001 readiness and implementation engagements. Our typical work:

• Gap analysis against 27001:2022 requirements
• SoA development
• Risk assessment methodology
• Policy library (adapted from proven templates)
• Control implementation advisory
• Internal audit prep
• Certification body selection
• Stage 1 + Stage 2 audit preparation

For organizations already certified against 2013, we handle the transition assessment to 2022 (the October 2025 deadline is past but post-deadline transition work continues for specific cases).

For dual-track SOC 2 + ISO 27001 clients, we coordinate both engagements for maximum leverage.

Valtik Studios, valtikstudios.com.