ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS). For a B2B SaaS in Europe, certification has become the de facto signal of cybersecurity maturity.
This article provides a realistic roadmap for a 30-100 person SaaS aiming for first certification within 12 months.
What ISO 27001 actually changes for a SaaS
Three concrete operational impacts:
Commercial. Enterprise security due-diligence questionnaires (DDQs) list ISO 27001 as a mandatory criterion from deal qualification onward. SaaS vendors without ISO 27001 are filtered out at the RFP stage by 60-80% of European enterprise procurement teams in 2026.
Insurance. Cyber-insurers grant 20-40% preferential rates for ISO 27001-certified clients. Renewal risk is dramatically reduced.
Regulatory. ISO 27001 covers ~70% of NIS2 Article 21 requirements, ~30-40% of the CRA, and ~20% of the EU AI Act. The investment is therefore leveraged across multiple frameworks.
The 4 phases of the roadmap
Phase 1 — Gap analysis (months 1-2)
Scoping work: define the ISMS scope (which products, which entities, which sites — typically the SaaS production environment + supporting functions). Risk analysis: assets, threats, vulnerabilities, impact, likelihood. Statement of Applicability (SoA): which of the 93 Annex A controls apply, justifications, status.
Deliverables: ISMS scope document, risk register, SoA, risk treatment plan, security policy.
Effort: 25-40 consulting days + 0.3 internal FTE.
Phase 2 — Implementation (months 3-7)
Documentation: 25-40 procedures and policies (access management, incident management, change management, supplier management, business continuity, cryptography, secure development, etc.).
Technical controls: MFA on all accounts (passkeys for admins), EDR on endpoints, vault for secrets, SIEM/log management, vulnerability scanner, immutable backups, monitoring and alerting.
Awareness: training of all personnel, simulated phishing campaign, security onboarding for new hires.
Vendor reviews: contracts with security clauses for all critical providers, due diligence questionnaires.
Effort: 40-60 consulting days + 0.4-0.5 internal FTE.
Phase 3 — Internal audit (month 8)
Mock audit by external consultant: trace all 93 controls, identify gaps, document remediations. Management review: formal review by executive committee, decisions on residual risks.
Effort: 8-12 consulting days.
Phase 4 — Certifier audit (months 9-12)
Stage 1 (1-2 days): documentation review by the certifier (UKAS, BSI, AFNOR, or equivalent). Identifies any deal-breakers.
30-60 day observation window: implementation of any pending controls, evidence accumulation.
Stage 2 (3-5 days): field audit. Interviews, observations, evidence sampling. Findings: observations (no impact), minor non-conformities (90 days to fix), major non-conformities (blocking — rare).
Findings remediation: 30-90 days. Certificate delivery.
Effort: 5-8 consulting days for audit support.
Total cost envelope
For a 30-50 person B2B SaaS (typical scale-up):
- Consulting: €40-80K depending on initial maturity and scope.
- Certifier audit: €15-25K (Stage 1 + Stage 2 + first surveillance).
- Tooling: €5-15K/year if not already in place (GRC like Drata/Vanta/Secureframe, vault, SIEM).
- Internal time: 0.3-0.5 FTE during 12 months.
Initial cycle total: €80-150K over 12 months.
Annual recurring: €25-40K (annual surveillance audit + tools + 0.1-0.2 internal FTE).
The 11 new controls of Annex A 2022
Annex A 2022 introduces 11 new controls vs 2013, reflecting modern risks:
- Threat intelligence (5.7): organized intake of CTI relevant to your context.
- ICT readiness for business continuity (5.30): ICT plan within BCP.
- Physical security monitoring (7.4): controls on physical access detection.
- Configuration management (8.9): hardened baselines, drift detection.
- Information deletion (8.10): secure deletion procedures.
- Data masking (8.11): pseudonymization, anonymization, redaction in non-prod.
- Data leakage prevention (8.12): DLP at endpoints, network, cloud.
- Monitoring activities (8.16): logging and SIEM aligned with risks.
- Web filtering (8.23): protection against malicious URLs.
- Secure coding (8.28): SAST, code review, secure SDLC.
- Information security for use of cloud services (5.23): supplier security, configuration, exit strategy.
ISO 27001 → SOC 2 Type II
For B2B SaaS targeting both European and US markets, the recommended sequence is ISO 27001 first (9-12 months), then SOC 2 Type II in 6-9 additional months. SOC 2 reuses 70-80% of ISO 27001 controls. Cost saving: 30-40% vs two separate efforts.
SOC 2 has a 6-12 month observation period for Type II — start the SOC 2 Type II "observation" while finalizing ISO 27001 stage 2 to compress the timeline.
Critical objections to anticipate
"We're too small for ISO 27001"
Below 20 people, ISO 27001 may indeed be premature. The investment is heavy and the certification value is conditioned on having actual operations to certify. From 30+ people with active enterprise sales, ROI is typically positive in 12-18 months.
"Our security is good enough — we don't need a certificate"
The certificate value is not technical (your security exists or doesn't, regardless of certification). The value is signaling: enterprise procurement teams use ISO 27001 as a screening filter. Without the certificate, you don't get to the security DDQ phase.
"We'll do it without external consulting"
Possible but rare. Internal-only ISO 27001 typically extends timeline to 18-24 months and increases the risk of major findings at certifier audit. The cost saving (€40-80K consulting) is often eaten by extended timeline cost (lost commercial opportunities) and rework cost.
Frequently asked questions
How long does an ISO 27001 certification take?
For a B2B SaaS of 10 to 50 people starting from scratch, expect 9 to 12 months end-to-end: gap analysis (1 month), documentation and deployment (4-6 months), internal audit (1 month), control observation period (3 months), stage 1 then stage 2 audits by the certifier (1-2 months).
What is the difference between ISO 27001 and SOC 2?
ISO 27001 is an international certification valid for 3 years with annual audits, centered on the management system. SOC 2 is an American (AICPA) audit report covering a 6-12 month period, based on Trust Services Criteria. ISO 27001 is valued in Europe, SOC 2 in the United States. Many B2B SaaS obtain both.
How much does ISO 27001 certification cost for a 30-person SaaS?
Expect €80-150K over 12 months: consulting (€40-80K), tooling (GRC, SIEM, MFA, scanner — often already in place), certifier audit (€15-25K for the initial cycle), internal time (equivalent 0.3-0.5 FTE over 12 months). Annual recurring costs then represent €25-40K.
What are the 93 controls of Annex A 2022?
Annex A 2022 groups 93 controls into 4 themes: Organizational (37), People (8), Physical (14), Technological (34). Eleven controls are new in 2022: threat intelligence, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, secure coding, cloud services.
Do I need to use a consultant for ISO 27001?
For a first cycle, yes in 90% of cases. An experienced consultant brings gap mapping, document templates, scope expertise, and pre-audit management. In-house, a dedicated internal owner (CISO or delegate) at 30-50% of their time is required. Full outsourcing is risky: compliance must be operationalized within the organization.