What is ISO compliance?
A practical guide to ISO 27001 for software companies: what the standard requires, how certification works, and why it matters for enterprise sales.
ISO compliance means meeting the requirements of a standard published by the International Organization for Standardization (ISO), an independent body that develops voluntary standards for nearly every industry. For software companies, the ISO standards that matter most live in the 27000 family, which covers information security. The flagship of that family is ISO/IEC 27001, the standard that customers, regulators, and procurement teams ask about by name.
This guide explains what ISO 27001 is, what achieving certification actually involves, how it compares to other security frameworks, and why software companies invest the time and money to pursue it.
What ISO is, and what "ISO compliance" actually means
The International Organization for Standardization is a non-governmental body headquartered in Geneva that publishes thousands of standards across industries: manufacturing, food safety, environmental management, quality control, medical devices, and information security, among others. Many of its information security standards are published jointly with the International Electrotechnical Commission (IEC), which is why you see them written as "ISO/IEC 27001."
Two terms get used loosely in this space, and they are not the same thing:
- ISO compliance means an organization has implemented the practices the standard requires, but has not necessarily had a third party verify that.
- ISO certification means an accredited certification body has audited the organization and issued a certificate confirming the standard's requirements are met.
When a customer asks "are you ISO 27001 compliant?" they almost always mean certified. A self-attested compliance claim has limited value in enterprise procurement.
The ISO 27000 family
The 27000 series is built around a core standard and a set of supporting standards that go deeper on specific domains:
- ISO/IEC 27001 sets the requirements for an information security management system (ISMS). This is the certifiable standard.
- ISO/IEC 27002 is the companion guide that explains how to implement the controls listed in 27001's Annex A.
- ISO/IEC 27017 adds guidance specific to cloud services.
- ISO/IEC 27018 covers protection of personally identifiable information in public clouds.
- ISO/IEC 27701 extends 27001 into a privacy information management system, useful for GDPR alignment.
- ISO/IEC 42001 is the newer standard for AI management systems, increasingly relevant for companies building AI products.
You get certified to 27001. You read 27002 to figure out how. The others extend the program for specific use cases.
ISO 27001 in detail
The current version is ISO/IEC 27001:2022, published in October 2022. The previous 2013 edition was retired at the end of October 2025, so any valid certificate today is against the 2022 standard.
ISO 27001 is structured in two halves. Clauses 4 through 10 lay out the management system requirements: how the organization defines the scope of its security program, how leadership commits to it, how risks are assessed and treated, how performance is measured, and how the program improves over time. Annex A then lists the security controls themselves.
The 2022 update reorganized Annex A into 93 controls grouped under four themes:
- Organizational controls (37)
- People controls (8)
- Physical controls (14)
- Technological controls (34)
Eleven controls are new in the 2022 edition, including controls for threat intelligence, information security for use of cloud services, ICT readiness for business continuity, data masking, data leakage prevention, web filtering, and secure coding. The total count came down from 114 in the 2013 version, but only because related controls were merged, not because anything was removed.
The ISMS
The most important concept in ISO 27001 is the ISMS, the information security management system. The ISMS is not a piece of software or a document. It is the set of policies, processes, roles, and ongoing activities by which an organization manages information security as a discipline.
A working ISMS includes:
- A defined scope (which systems, locations, and business units it covers)
- Risk assessment and risk treatment processes
- A statement of applicability listing which Annex A controls are in scope and why
- Documented policies and procedures
- Defined roles and responsibilities
- Internal audits and management reviews
- A continuous improvement loop
The certification audit examines whether the ISMS exists, functions, and is being used.
What achieving compliance involves
Pursuing ISO 27001 certification typically follows a recognizable arc. The exact steps and timelines vary by company size and starting maturity, but most programs look something like this.
- Define the scope: Decide what is being certified. Most software companies scope the certification to the production environment, the people who build and operate it, and the corporate infrastructure that supports them. Narrow scopes are easier to certify but provide less assurance to customers. Customers will read the scope statement on your certificate carefully, so it is worth setting it deliberately.
- Run a gap analysis: Compare your current security program against the 27001 clauses and the Annex A controls. The output is a list of gaps to close before audit. Companies with mature engineering practices often find they meet more controls than they expected, but documentation is almost always behind.
- Build the ISMS and remediate gaps: Write the policies, define the processes, assign owners, and implement any missing controls. This is the longest phase. Most controls are not technical: they are about establishing repeatable processes for things like access reviews, vendor risk, change management, incident response, and security awareness training.
- Operate the ISMS: The auditor needs to see the ISMS in action, not just on paper. That means running an actual risk assessment, conducting an internal audit, holding a management review, and generating real records of the program working. Most companies need at least three months of operating evidence before they can pass audit.
- Stage 1 audit: The certification body reviews the ISMS documentation and confirms readiness for the full audit. This is sometimes called the documentation review.
- Stage 2 audit: The full certification audit. The auditor interviews staff, reviews evidence, and tests whether the controls work as documented. If the audit passes, with or without minor non-conformities to address, the certification body issues the ISO 27001 certificate.
- Surveillance and recertification: ISO 27001 certificates are valid for three years, but the program does not go quiet in between. Surveillance audits in years one and two confirm the ISMS is still operating. A full recertification audit happens at the end of year three.
How long it takes
A first-time certification typically takes six to twelve months for a mid-size software company that already has reasonable security hygiene. Companies starting from scratch can take longer. Costs vary widely, but the audit itself is usually the smaller line item; internal effort and tooling are larger.
Why software companies pursue ISO 27001
Software companies invest in ISO 27001 for a mix of commercial and operational reasons.
- Enterprise sales. Large enterprises and regulated industries routinely require ISO 27001, or SOC 2, or both, before they will sign a contract. A certificate shortcuts long security questionnaires and gets deals through procurement faster. For companies selling internationally, ISO 27001 is the more universally recognized of the two.
- International and European deals. SOC 2 is dominant in the United States but less recognized elsewhere. ISO 27001 is the global default. Companies expanding into Europe, the Middle East, Asia, or Australia will encounter ISO 27001 requirements far more often than SOC 2.
- Regulatory alignment. ISO 27001 maps cleanly onto requirements in regulations like GDPR, DORA, NIS2, and HIPAA. The certification does not by itself make a company compliant with those regulations, but the underlying ISMS makes the compliance work substantially easier.
- Internal discipline. Beyond the certificate, the process of building an ISMS forces a company to write down how it actually handles security. That documentation is valuable on its own when onboarding new engineers, responding to incidents, or scaling the security team.
- Customer trust signal. A current ISO 27001 certificate, displayed on a trust page or shared under NDA, signals operational maturity to prospective customers in a way that marketing copy cannot.
ISO 27001 vs SOC 2
The two frameworks overlap significantly, and many software companies pursue both. The differences worth understanding:
- Origin. ISO 27001 is an international standard. SOC 2 is a US auditing framework defined by the AICPA.
- Output. ISO 27001 produces a certificate. SOC 2 produces an attestation report (Type 1 or Type 2) prepared by a CPA firm.
- Structure. ISO 27001 is prescriptive about the management system but flexible on which controls apply. SOC 2 is built around five Trust Services Criteria, of which only Security is mandatory.
- Audience. SOC 2 is recognized primarily in North America. ISO 27001 is recognized globally.
- Sharing. ISO certificates are generally public. SOC 2 reports are confidential and shared under NDA.
For US-only software companies selling to other US companies, SOC 2 alone often suffices. For companies with international ambitions, ISO 27001 is usually the right next step.
Getting started
If you are at the beginning of an ISO 27001 program, three steps are worth taking before anything else.
First, decide who owns the program. Successful ISO 27001 efforts have a single accountable lead, usually a head of security, head of compliance, or experienced operator reporting to engineering or legal.
Second, choose your tooling and audit partner early. Compliance automation platforms handle a meaningful portion of evidence collection. Certification bodies need to be selected and booked months in advance.
Third, pick the scope honestly. A narrow but credible scope that you can fully defend is better than a broad scope you cannot operate.
ISO 27001 is not a security shortcut. The certificate matters because the work behind it is real. For software companies serving enterprise or international customers, the question is rarely whether to pursue it but when.