
ISO 27001 in 2026 — comprehensive guide for SaaS B2B.

12-month roadmap, Annex A 2022 (93 controls), certification audit, articulation with SOC 2, NIS2, DORA and EU AI Act. The operational guide for European SaaS B2B.

TL;DR — the essentials in 5 points

  • ISO/IEC 27001:2022: the international ISMS standard, 93 controls in Annex A, certification valid for 3 years.
  • Total cost of the initial cycle: €80-150K over 9-12 months for a 30-person SaaS.
  • Annex A 2022: 4 themes (Organizational 37, People 8, Physical 14, Technological 34) — 11 new controls vs 2013.
  • Mandatory migration: the 2013 version is no longer recognized in 2026. Transition cost: €15-30K.
  • Synergy with SOC 2 / NIS2 / EU AI Act: 60-80% of controls reused. A pooled approach is both cheaper and easier to operate.

Why ISO 27001 in 2026?

ISO 27001 has become the de facto standard for B2B SaaS demonstrating cybersecurity maturity to enterprise clients in Europe. Three drivers:

Client requirement. Enterprise security due-diligence questionnaires (DDQs) list ISO 27001 (or SOC 2 Type II for US clients) as a mandatory criterion from the deal-qualification phase onward.

Cyber-insurance. Insurers grant preferential rates to ISO 27001-certified clients (premiums 20-40% lower depending on coverage).

Regulatory leverage. ISO 27001 facilitates 60-80% of NIS2 compliance, 30-40% of CRA, ~20% of EU AI Act. The investment serves multiple frameworks.

The 93 controls of Annex A 2022

The 4 themes:

  • A.5 Organizational controls: 37 controls. Policies, governance, risk management, supplier management.
  • A.6 People controls: 8 controls. Awareness, training, screening, end-of-employment.
  • A.7 Physical controls: 14 controls. Physical access, equipment, environment.
  • A.8 Technological controls: 34 controls. Authentication, cryptography, secure development, monitoring.

The 11 new controls introduced in 2022: threat intelligence, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, secure coding, use of cloud services.

The 12-month roadmap (typical SaaS B2B 30-50 people)

Months 1-2 — Gap analysis & ISMS foundation. Scope definition, current state assessment, risk analysis, Statement of Applicability (SoA), risk treatment plan, security policy.

Months 3-7 — Implementation. Documentation of policies and procedures, technical control deployment (MFA, EDR, vault, SIEM, scanner), awareness training, vendor reviews, incident management.

Month 8 — Internal audit. Mock audit by external consultant, gap remediation, management review.

Months 9-12 — Certifier audit. Stage 1 (1-2 days, documentation review), then 30-60 days of observation, then Stage 2 (3-5 days, field audit). Findings remediation. Certificate delivery.

ISO 27001 vs SOC 2 Type II

Complementary rather than competing:

  • ISO 27001: international certification, 3-year validity, valued in Europe.
  • SOC 2 Type II: American audit report (AICPA), 6-12 months observation, valued in US.

Recommended sequence for B2B SaaS targeting both markets: ISO 27001 first (9-12 months), then SOC 2 Type II in 6-9 additional months (reusing 70-80% of ISO 27001 controls). Cost saving: 30-40% vs two separate efforts.

ISO 27001 → NIS2 → DORA → EU AI Act

The ISO 27001 ISMS is the structuring base for:

  • NIS2: covers ~70% of Article 21 requirements. Add: 24h incident notification, supply chain security, board responsibility.
  • DORA: covers ~60% for financial services SaaS. Add: TLPT, ICT contractual obligations, threat intel.
  • EU AI Act: covers ~30% via ISO 42001 alignment. Add: AI-specific risk management, technical documentation per Annex IV.
  • CRA: covers ~30-40%. Add: SBOM, signing, VDP, support duration.

The pooled approach allows treating multiple frameworks simultaneously instead of stacking certifications.

Total cost and ROI

For a 30-50 person B2B SaaS:

  • Initial cycle: €80-150K over 12 months (consulting €40-80K, certifier audit €15-25K; tooling is often already in place).
  • Annual recurring cost: €25-40K (annual surveillance audit + tool maintenance + 0.1-0.2 internal FTE).
  • Internal time: 0.3-0.5 FTE during implementation.

ROI is typically positive in less than 18 months for B2B SaaS targeting enterprise clients (1-2 saved deals cover the investment).

Dedicated services on this topic

Beyond the guide above, here are the WeeSec engagements that directly address this perimeter.

  • Dedicated service — Fractional CISO / vCISO: drive your ISO 27001 certification.
  • Dedicated service — EU AI Act Compliance: pooled with ISO 42001.

Want to discuss?

A 20-minute scope call to frame your situation. No commitment.
