Information Security Standard

Your enterprise customers require ISO 27001. Here is what certification actually takes.

If your sales pipeline includes enterprise accounts or government procurement, ISO 27001:2022 certification is likely required before you close. Use Carbide's free readiness assessment to see exactly where your ISMS stands today.

Controls: 93 Annex A controls. ISO 27001:2022 organizes all Annex A controls across 4 themes.
Assessment: Stage 1 + Stage 2 audit. Conducted by an accredited Certification Body, not self-attestation.
Certification cycle: 3-year certificate. Annual surveillance audits are required to maintain the certificate.

Know your gaps before you engage anyone

Both tools are free and take 5 minutes each. Complete one and you will have a gap report you can act on before any other conversation.

ISO 27001:2022 Readiness Assessment (free tool, 5 min)
Maps your posture against ISO 27001:2022 Annex A control domains and flags exactly where your gaps are. Results appear on-screen the moment you complete it.

SOC 2 Readiness Assessment (free tool, 5 min; relevant if enterprise customers are also requesting SOC 2)
Maps your posture against the Trust Services Criteria. Use alongside the ISO 27001 assessment if your customers include North American enterprises requesting a SOC 2 Type II report.
Note: ISO 27001 and SOC 2 are separate programs with no mutual recognition. An ISO 27001 certificate does not satisfy a customer requesting a SOC 2 Type II report. If both apply, each assessment above maps the gap picture independently.

Three things that every ISO 27001:2022 certification covers

ISO 27001:2022 is the certifiable standard developed by ISO and IEC. Certification means your ISMS has been independently assessed against three interlocking requirements by an accredited Certification Body.

Part 1: The ISMS management framework
Mandatory clauses 4 through 10 define how your organization governs information security. They cover organizational context, leadership commitment, risk planning, resource allocation, operational execution, performance evaluation, and continual improvement. Every clause must be implemented before a certification audit begins — they cannot be excluded via your Statement of Applicability.
Part 2: 93 Annex A controls
Annex A provides 93 security controls organized across 4 themes: Organizational (37 controls), People (8), Physical (14), and Technological (34). Not every control applies to every organization. Which controls apply to your scope is determined by your risk assessment. Your selection, and any exclusions, are documented in the Statement of Applicability.
Part 3: Statement of Applicability
The SoA is a mandatory document that lists all 93 Annex A controls, states whether each applies to your organization, and justifies any exclusions with documented reasoning. Your certification auditor reviews the SoA at Stage 1. An incomplete SoA or exclusions lacking documented justification are among the most common reasons a Stage 2 audit is delayed.
Note: ISO 27001:2022 includes 11 controls that were introduced in this version of the standard. These address areas such as threat intelligence (A.5.7) and cloud service security (A.5.23). Your Statement of Applicability must address all 93 Annex A controls, including these additions, even if your organization excludes specific ones with documented justification.

Four scenarios where ISO 27001 certification is already in play

ISO 27001:2022 applies any time your enterprise customers, contracts, or regulated industry partners require a certified ISMS. These are the scenarios where the requirement is active and the timeline is shorter than most companies expect.

Enterprise market entry: ISO 27001 required in your enterprise sales pipeline
Your sales team is fielding security questionnaires that require an ISO 27001 certificate. Enterprise deals in financial services and regulated procurement have made it a gating requirement. You do not have a certificate and your ISMS documentation is incomplete.
By the time ISO 27001 appears in a formal RFP, it is too late to start the process and close the deal in the same quarter. The typical path from gap assessment to certification takes four to nine months, depending on scope and existing controls.
Scaling company: security maturity needed before your next phase of growth
Your company is growing and enterprise customers, investors, or prospective acquirers are asking for evidence of your security governance. You have security practices in place but no documented ISMS, no formal risk treatment process, and no independent evidence that your controls meet a recognized standard.
ISO 27001:2022 gives you a recognized framework to formalize what you already do and build what you do not yet have. A certified ISMS answers security questionnaires more efficiently and opens doors to enterprise markets that require demonstrable security governance.
Contractual requirement: a customer or partner has set ISO 27001 as a condition with a deadline
A key customer or strategic partner has specified that ISO 27001 certification is required before the relationship can proceed or renew. You have a fixed timeline. You need to understand how long certification takes from your current posture and what the critical path looks like.
Certification timelines depend on your starting posture. A gap assessment in the first week tells you whether your target date is achievable and which gaps need to close first to stay on track.
In-house security team: managing ISO 27001 evidence manually across disconnected tools
Your team tracks Annex A control status in spreadsheets, stores evidence in shared drives without a structured mapping to specific controls, and rebuilds the evidence package from scratch before each surveillance audit. Gaps accumulate between audits and there is no continuous audit trail linking your evidence to ISO 27001:2022 requirements.
The Carbide platform maps evidence directly to each Annex A control and keeps it current between audits. Your advisor works inside the same system, so control gaps are identified continuously rather than at the audit prep stage.

Not sure which situation applies to you? The free assessment takes 5 minutes and tells you exactly where you stand.

ISO 27001 and SOC 2 address different requirements. Both may apply to your company.

If your enterprise customers include North American businesses or U.S.-regulated organizations, a SOC 2 Type II report is often requested alongside an ISO 27001 certificate. The two programs overlap in control coverage, but neither satisfies the other.

ISO 27001 + SOC 2: where the work overlaps and where each stands alone

Where they align

Both require documented information security controls and independent evidence of implementation
Both involve third-party assessment — a Certification Body for ISO 27001, a licensed CPA firm for SOC 2
ISO 27001 Annex A controls overlap substantially with the Security Trust Services Criterion in SOC 2
Evidence collected for ISO 27001 can support SOC 2 in overlapping control areas when structured correctly

Where they diverge

ISO 27001:2022 certification results in a certificate: a binary pass or fail issued by an accredited Certification Body. SOC 2 produces an attestation report prepared by a licensed CPA firm. There is no SOC 2 certificate.
ISO 27001 requires a full ISMS management framework under mandatory clauses 4 through 10. SOC 2 focuses on the Trust Services Criteria relevant to your specific service commitments.
ISO 27001 certificates are globally recognized. SOC 2 reports carry more weight in North American markets, particularly for U.S.-based enterprise customers.
No mutual recognition. An ISO 27001 certificate does not satisfy a customer requesting a SOC 2 Type II report, and vice versa. Both require separate assessment engagements with different assessment bodies.
If your customers require both an ISO 27001 certificate and a SOC 2 Type II report: Carbide handles both programs in one engagement. The platform maps controls across both standards simultaneously, so evidence structured for one supports the other where they align. You do not need two vendors or two separate compliance programs.

One engagement covers ISO 27001 end-to-end

Carbide pairs a compliance platform with a credentialed advisory team. The platform handles evidence collection and control mapping. Your advisor handles interpretation and document review, from initial gap assessment through Certification Body audit.

01. Gap assessment before remediation begins
A Carbide advisor maps your current posture against ISO 27001:2022's mandatory clauses and all applicable Annex A controls. The review covers your existing policies and risk treatment approach. It also checks whether your intended scope is clearly defined. The result is a gap report that tells you exactly what your ISMS needs before a Stage 1 audit.
02. Remediation with clear priorities
The platform generates a remediation plan ranked by audit risk and time to close. Your advisor works through each gap with your team, identifies which controls require technical implementation versus documentation, and flags anything likely to draw scrutiny during the Stage 1 document review.
03. Evidence collection and organization
The Carbide platform collects and organizes evidence against each Annex A control in your program. Your Statement of Applicability is built and maintained in the platform. Every policy, procedure, and control artifact is reviewed by your advisor.
04. Certification audit preparation
Your advisor manages the relationship with the Certification Body and prepares your team for both the Stage 1 document review and Stage 2 implementation audit. After certification, Carbide keeps your ISMS current through annual surveillance cycles.

Tools and reading on ISO 27001 compliance

Start with the free assessment. It gives you a gap report before any conversation with Carbide. The articles below address the questions that come up most often.

Start with the free assessment. Talk to an advisor when you're ready.

The free assessment gives you a clear gap report in 5 minutes. When you book a readiness call, your advisor uses those results to build a realistic roadmap to certification, with Carbide doing the heavy lifting from gap assessment through Certification Body audit.
