Kaamel offers Drata customers free one-month consultations to help build up your compliance baseline, jumpstart your compliance journey.Learn More

Get ISO 27001. Get on European vendor lists

European enterprises ask for ISO 27001 the way US buyers ask for SOC 2. We coach you through seven phases, from standards training to the final audit.

ISO 27001 certifies a management system. You have to build it, run it, and pass a two-stage audit, and teams that go it alone tend to wander. Our process has seven phases with a concrete deliverable at each one, so you always know where you stand and what remains.

AICPA SOCDrataVanta

Automation built on Vanta and Drata · Trusted by nearly 100 companies going global

3–6 mo
from kickoff to an accredited certificate
7 phases
of coaching, each with its own deliverable
3 years
of certificate validity; we handle the surveillance audits too

What are ISO 27001 and 27701?

ISO/IEC 27001 is the international standard for how a company manages information security. It certifies a management system (an ISMS), not a list of tools: how you assess risk, choose controls, assign owners, and keep improving. Unlike SOC 2, it ends in a real certificate, issued by an accredited certification body and recognized worldwide. ISO/IEC 27701 extends the same system to privacy management.

The ISMS

What the standard actually certifies: your system for assessing risk, selecting controls, assigning owners, and improving over time.

Annex A

The catalog of 93 controls in the 2022 edition. Which ones you picked, and why, lives in your Statement of Applicability, and the audit revolves around that document.

The two-stage audit

Stage 1 reviews your documentation. Stage 2 verifies the system actually operates. Pass both and the certificate is yours for three years.

ISO 27701

The privacy extension, built on top of 27001. It establishes a privacy information management system (PIMS) and doubles as strong GDPR evidence.

ISO 27001 vs. ISO 27701

ISO 27001ISO 27701
What it certifiesHow you manage information security (ISMS)How you manage privacy (PIMS), built on the same system
Who asks for itEuropean and global enterprises; standard in RFPsPrivacy-sensitive customers; GDPR evidence
When to do itFirstTogether with 27001, or after

Why ISO 27001 matters

SOC 2 answers US buyers. ISO 27001 answers Europe and much of the enterprise world, where it is often literally a checkbox in the RFP.

The ticket into tenders

Across the EU and UK, ISO 27001 is a standard requirement in vendor onboarding. Without the certificate you don't make the shortlist.

One certificate, recognized everywhere

It is the most widely recognized security standard in the world. One certification gives every market's buyers the same answer.

Add 27701 and privacy is covered too

Extend the same system to privacy, and when customers ask about GDPR you have certified evidence in hand.

Seven phases, a deliverable at every step

ISO 27001 certifies a running system, not a binder. Our coaching runs in seven phases, and progress is visible in the deliverables.

  1. 01

    Kickoff and standards training

    We hold the kickoff, set resources and the plan, and train your team on the 27001 and 27701 requirements so later conversations start from shared ground.

  2. 02

    Survey and gap analysis

    Questionnaires, interviews, site checks, and a review of existing policies produce a gap analysis report. The distance between today and the standard is on paper.

  3. 03

    Asset identification and risk assessment

    We identify your important information assets, assess the risks, and set the treatment plan, delivering a risk report and a high-risk register.

  4. 04

    Personal data mapping and impact assessment

    Added for 27701: we map the personal information your company handles and complete the impact assessment and risk treatment.

  5. 05

    System design and documentation

    We design the ISMS framework from the survey and risk results, then draft, review batch by batch, and formally publish the full document set.

  6. 06

    Trial run and internal audit

    The system runs and collects records. The internal audit and management review catch nonconformities before the external auditor does.

  7. 07

    External audit, by your side

    We accompany both audit stages, help fix whatever the auditor raises, and track the certificate until it is in your hands.

Want a timeline and a quote for your case?

Why Kaamel

An ISMS takes real work to design and run. We do that work, and we keep doing it after the certificate arrives.

Coaching you can audit

Seven phases, each with named deliverables: gap report, risk register, the document set, internal audit report. Where the project stands is never a mystery.

Automation that fits the standard

We configure Vanta or Drata against Annex A so evidence flows automatically, with no new tool for your team to learn.

Two teams, no time-zone gap

Delivery teams in Silicon Valley and Asia hand off around the clock, and the friction of dealing with European certification bodies is ours to absorb.

Stack your frameworks

ISO shares most of its controls with SOC 2 and GDPR. Build the system once, certify several times.

Customer stories

SOC 2 to ISO, one program

We manage the company's full certification sequence: SOC 2, HIPAA, GDPR, ISO 27001 and 27701. Double the pace, at a fraction of the previous budget.

A fast-growing smart device company

EU sandbox in 4 months

We coordinated security, legal, and engineering to qualify the company for a European GDPR sandbox program in four months.

A leading autonomous driving company

Patch rate up 75%

We hardened the company's security posture and delivered full GDPR compliance, which helped win three major contracts.

A leading global payment company

What's included

  • Kickoff and 27001/27701 standards training
  • Survey and gap analysis report
  • Asset identification, risk assessment, and treatment plan
  • Personal data mapping and impact assessment (27701)
  • The full document set: drafted, reviewed, published
  • Internal auditor training, internal audit, management review
  • Certification body coordination and two-stage audit accompaniment
  • Surveillance-audit support for the life of the certificate

ISO 27001 and 27701 FAQ

How long does ISO 27001 take?

Usually 3 to 6 months end to end. The fixed parts are the internal audit, the management review, and the two-stage certification audit; we compress everything around them with automation and hands-on coaching.

What determines the price?

A few factors: how many legal entities are in scope (affiliates included), the number and location of your offices, headcount across roles, and which key products the certification covers. After an assessment we quote against your actual footprint.

What's the difference between 27001 and 27701?

27001 certifies how you manage information security. 27701 extends the same system to privacy and aligns closely with the GDPR. You can't do 27701 alone; it always builds on a 27001 ISMS.

ISO 27001 or SOC 2 first?

Follow your pipeline: US buyers ask for SOC 2, European and global enterprises ask for ISO 27001. They share most controls, so the second one costs far less than the first. We'll help you sequence them.

Does the certification body matter?

Yes. Only an accredited body can issue a certificate that buyers accept. We bring in a reputable, accredited body and accompany both audit stages.

Is ISO 27001 sitting in an RFP in your pipeline?

Book a free assessment. We'll quote against your actual entities, offices, and headcount, and map the fastest sensible route to the certificate.