ISO 27001 is the international standard for building and running an information security management system (ISMS), published jointly by ISO and IEC. The current version, ISO/IEC 27001:2022, replaced the 2013 edition and organizes its requirements into 93 Annex A controls grouped under four themes: organizational (37 controls), people (8), physical (14), and technological (34). Companies pursue certification — issued by an accredited body after a two-stage audit — to prove to customers, regulators, and insurers that they manage security risk systematically rather than ad hoc. As of the 2022 ISO Survey, more than 71,000 organizations worldwide held valid ISO 27001 certificates, with the largest concentrations in China, Japan, the UK, and India. For software vendors selling into enterprises, healthcare, or government, an ISO 27001 certificate has become table stakes in vendor security questionnaires — right alongside SOC 2 and, increasingly, evidence of software supply chain controls like SBOMs and dependency risk management.
What exactly does ISO 27001 require an organization to do?
ISO 27001 requires an organization to run a continuous risk management cycle: identify information assets, assess risks to their confidentiality, integrity, and availability, select controls to mitigate those risks, and prove the controls operate effectively over time. Clauses 4 through 10 of the standard set the management-system requirements — things like defining the ISMS scope (Clause 4), securing top management commitment (Clause 5), planning risk treatment (Clause 6), and running internal audits and management reviews (Clauses 9-10). Annex A then supplies the control catalog itself. A company doesn't have to implement all 93 controls; it produces a Statement of Applicability (SOA) that documents which controls apply to its risk profile and why others are excluded. Auditors check the SOA against actual evidence — access logs, vendor contracts, incident tickets, patch records — during certification audits, not just against policy documents.
What are the 93 Annex A controls, concretely?
The 93 Annex A controls in ISO/IEC 27001:2022 cover everything from access control (A.8.2, A.8.3) to cryptography (A.8.24) to supplier relationships (A.5.19-A.5.23). This is down from 114 controls in the 2013 version — the 2022 revision consolidated overlapping controls and added 11 new ones, including A.5.7 (threat intelligence), A.8.9 (configuration management), and A.8.16 (monitoring activities). The control most relevant to software vendors is A.5.21, "Managing information security in the ICT supply chain," which requires organizations to assess and manage security risk introduced by suppliers, open-source components, and third-party code — the exact territory covered by SBOMs, dependency scanning, and vulnerability management. Controls A.8.25 through A.8.29 cover secure development lifecycle practices, including secure coding, security testing, and separation of development/test/production environments — directly applicable to CI/CD pipelines.
Who actually needs ISO 27001 certification?
Any organization that stores, processes, or transmits sensitive data for customers can pursue ISO 27001, but it's effectively mandatory for B2B software vendors selling into the EU, UK, Japan, or any regulated industry. Financial services firms often require it contractually before onboarding a SaaS vendor; the EU's NIS2 Directive, which took effect in October 2024, pushes critical-infrastructure operators toward ISO 27001-aligned risk management as a baseline. Government contractors in the UK routinely list ISO 27001 as a bid requirement. Unlike SOC 2, which is largely a US/North America expectation, ISO 27001 is the default ask in European and Asia-Pacific procurement. A company selling identical software in San Francisco and Frankfurt will typically be asked for SOC 2 by the first customer and ISO 27001 by the second.
How long does ISO 27001 certification take and what does it cost?
ISO 27001 certification typically takes 6 to 12 months from a standing start and costs between $15,000 and $60,000 in direct audit fees, not counting internal labor or tooling. The timeline breaks down roughly as: 2-3 months for gap assessment and ISMS documentation, 2-4 months to operate the controls long enough to generate audit evidence, then a Stage 1 audit (documentation review, 1-2 days) followed 4-8 weeks later by a Stage 2 audit (evidence review and interviews, 2-5 days depending on headcount). Certificates are valid for three years, with mandatory surveillance audits in years one and two and a full recertification audit in year three. Audit fees scale with employee count and site count — a 50-person, single-site SaaS company might pay $12,000-$18,000 for the initial audit cycle through a body like BSI, DNV, or Schellman, while a 500-person multi-site company can pay $40,000 or more.
How is ISO 27001 different from SOC 2?
ISO 27001 is a certifiable management-system standard with a fixed control catalog, while SOC 2 is an attestation report scoped to whatever Trust Services Criteria a company selects (Security, Availability, Confidentiality, Processing Integrity, Privacy). ISO 27001 auditors issue a certificate valid for three years against the same 93 controls for every certified company, which makes cross-company comparison easier. SOC 2 auditors issue a report — Type I is a point-in-time design review, Type II covers control operation over an observation window, typically 3, 6, or 12 months — and the scope varies by company, so a SOC 2 report from one vendor isn't directly comparable to another's. Many software vendors selling globally end up maintaining both: SOC 2 Type II satisfies US enterprise buyers, ISO 27001 satisfies European and APAC buyers, and the underlying control evidence (access reviews, vulnerability scans, incident logs) overlaps enough that a shared GRC and security tooling stack can serve both audits without duplicating work.
Does ISO 27001 cover software supply chain and open-source risk?
Yes — ISO/IEC 27001:2022 added explicit supply chain requirements that weren't as clearly stated in the 2013 version. Control A.5.21 requires organizations to define security requirements for ICT products and services acquired from suppliers, which auditors now interpret to include open-source components and third-party libraries embedded in a company's own software. Control A.8.28 requires secure coding practices, and A.8.29 requires security testing during development, both of which auditors expect to see evidence of through SAST/DAST scan results and remediation records, not just policy statements. In practice, this means an ISO 27001 auditor reviewing a software company in 2026 will ask for a current inventory of open-source dependencies, evidence that known-vulnerable versions were remediated within a defined SLA, and proof that the SDLC controls in Annex A section 8.25-8.34 were actually followed on recent releases — turning what used to be a paperwork exercise into one that requires real SBOM and vulnerability management data.
How Safeguard Helps
Safeguard maps directly onto the A.5.21 and A.8.25-A.8.34 evidence auditors ask for during ISO 27001 audits. Our platform generates and ingests SBOMs across your codebase and containers, giving you the supplier and component inventory A.5.21 requires without manual spreadsheet tracking. Griffin AI triages incoming CVEs against your actual dependency tree, and our reachability analysis determines whether a vulnerable function is ever called in your compiled code path — cutting the noise auditors and engineers both have to wade through and letting you document risk-based prioritization rather than patch-everything policies. When a real, reachable vulnerability is confirmed, Safeguard opens an auto-fix pull request with the minimal version bump needed to resolve it, creating the remediation timestamp and audit trail that A.8.28 and A.8.29 evidence requests expect. Teams preparing for a Stage 2 audit use this evidence directly to answer supplier-risk and secure-development control questions without building a separate reporting process from scratch.