Get ISO 27001. Get on European vendor lists
European enterprises ask for ISO 27001 the way US buyers ask for SOC 2. We coach you through seven phases, from standards training to the final audit.
ISO 27001 certifies a management system. You have to build it, run it, and pass a two-stage audit, and teams that go it alone tend to wander. Our process has seven phases with a concrete deliverable at each one, so you always know where you stand and what remains.



Automation built on Vanta and Drata · Trusted by nearly 100 companies going global
What are ISO 27001 and 27701?
ISO/IEC 27001 is the international standard for how a company manages information security. It certifies a management system (an ISMS), not a list of tools: how you assess risk, choose controls, assign owners, and keep improving. Unlike SOC 2, it ends in a real certificate, issued by an accredited certification body and recognized worldwide. ISO/IEC 27701 extends the same system to privacy management.
The ISMS
What the standard actually certifies: your system for assessing risk, selecting controls, assigning owners, and improving over time.
Annex A
The catalog of 93 controls in the 2022 edition. Which ones you picked, and why, lives in your Statement of Applicability, and the audit revolves around that document.
The two-stage audit
Stage 1 reviews your documentation. Stage 2 verifies the system actually operates. Pass both and the certificate is yours for three years.
ISO 27701
The privacy extension, built on top of 27001. It establishes a privacy information management system (PIMS) and doubles as strong GDPR evidence.
ISO 27001 vs. ISO 27701
| ISO 27001 | ISO 27701 | |
|---|---|---|
| What it certifies | How you manage information security (ISMS) | How you manage privacy (PIMS), built on the same system |
| Who asks for it | European and global enterprises; standard in RFPs | Privacy-sensitive customers; GDPR evidence |
| When to do it | First | Together with 27001, or after |
Why ISO 27001 matters
SOC 2 answers US buyers. ISO 27001 answers Europe and much of the enterprise world, where it is often literally a checkbox in the RFP.
The ticket into tenders
Across the EU and UK, ISO 27001 is a standard requirement in vendor onboarding. Without the certificate you don't make the shortlist.
One certificate, recognized everywhere
It is the most widely recognized security standard in the world. One certification gives every market's buyers the same answer.
Add 27701 and privacy is covered too
Extend the same system to privacy, and when customers ask about GDPR you have certified evidence in hand.
Seven phases, a deliverable at every step
ISO 27001 certifies a running system, not a binder. Our coaching runs in seven phases, and progress is visible in the deliverables.
- 01
Kickoff and standards training
We hold the kickoff, set resources and the plan, and train your team on the 27001 and 27701 requirements so later conversations start from shared ground.
- 02
Survey and gap analysis
Questionnaires, interviews, site checks, and a review of existing policies produce a gap analysis report. The distance between today and the standard is on paper.
- 03
Asset identification and risk assessment
We identify your important information assets, assess the risks, and set the treatment plan, delivering a risk report and a high-risk register.
- 04
Personal data mapping and impact assessment
Added for 27701: we map the personal information your company handles and complete the impact assessment and risk treatment.
- 05
System design and documentation
We design the ISMS framework from the survey and risk results, then draft, review batch by batch, and formally publish the full document set.
- 06
Trial run and internal audit
The system runs and collects records. The internal audit and management review catch nonconformities before the external auditor does.
- 07
External audit, by your side
We accompany both audit stages, help fix whatever the auditor raises, and track the certificate until it is in your hands.
Why Kaamel
An ISMS takes real work to design and run. We do that work, and we keep doing it after the certificate arrives.
Coaching you can audit
Seven phases, each with named deliverables: gap report, risk register, the document set, internal audit report. Where the project stands is never a mystery.
Automation that fits the standard
We configure Vanta or Drata against Annex A so evidence flows automatically, with no new tool for your team to learn.
Two teams, no time-zone gap
Delivery teams in Silicon Valley and Asia hand off around the clock, and the friction of dealing with European certification bodies is ours to absorb.
Stack your frameworks
ISO shares most of its controls with SOC 2 and GDPR. Build the system once, certify several times.
Customer stories
We manage the company's full certification sequence: SOC 2, HIPAA, GDPR, ISO 27001 and 27701. Double the pace, at a fraction of the previous budget.
A fast-growing smart device company
We coordinated security, legal, and engineering to qualify the company for a European GDPR sandbox program in four months.
A leading autonomous driving company
We hardened the company's security posture and delivered full GDPR compliance, which helped win three major contracts.
A leading global payment company
What's included
- Kickoff and 27001/27701 standards training
- Survey and gap analysis report
- Asset identification, risk assessment, and treatment plan
- Personal data mapping and impact assessment (27701)
- The full document set: drafted, reviewed, published
- Internal auditor training, internal audit, management review
- Certification body coordination and two-stage audit accompaniment
- Surveillance-audit support for the life of the certificate
ISO 27001 and 27701 FAQ
How long does ISO 27001 take?
Usually 3 to 6 months end to end. The fixed parts are the internal audit, the management review, and the two-stage certification audit; we compress everything around them with automation and hands-on coaching.
What determines the price?
A few factors: how many legal entities are in scope (affiliates included), the number and location of your offices, headcount across roles, and which key products the certification covers. After an assessment we quote against your actual footprint.
What's the difference between 27001 and 27701?
27001 certifies how you manage information security. 27701 extends the same system to privacy and aligns closely with the GDPR. You can't do 27701 alone; it always builds on a 27001 ISMS.
ISO 27001 or SOC 2 first?
Follow your pipeline: US buyers ask for SOC 2, European and global enterprises ask for ISO 27001. They share most controls, so the second one costs far less than the first. We'll help you sequence them.
Does the certification body matter?
Yes. Only an accredited body can issue a certificate that buyers accept. We bring in a reputable, accredited body and accompany both audit stages.

