ISO/IEC 27001:2022 IS THE GLOBAL TRUST SIGNAL B2B BUYERS NOW VERIFY
ISO 27001 Compliance: Pass the Stage 2 Audit Without the Surprise.
ISO/IEC 27001:2022 is the international information security management standard. Multinational customers, EU buyers, and increasingly US enterprise procurement demand it. The Stage 2 certification audit is structural — months of evidence collection compressed into a four-week assessment. We translate the requirement in a 30-minute call. If your current IT can already pass the gap analysis, you don’t need us.
Updated May 3, 2026
What changed in ISO/IEC 27001:2022?
The 2022 revision restructured Annex A controls from the prior 114 controls in 14 domains to 93 controls in 4 themes (Organizational, People, Physical, Technological). The clause structure (4-10) remained largely the same, but the Statement of Applicability now uses the 2022 control catalog. Firms certified under 27001:2013 had a transition period that closed October 31, 2025 — recertification under 2013 controls is no longer accepted.
The 2022 revision added 11 new controls reflecting the 2018-2022 threat environment: threat intelligence (5.7), information security for cloud services (5.23), ICT readiness for business continuity (5.30), physical security monitoring (7.4), configuration management (8.9), information deletion (8.10), data masking (8.11), data leakage prevention (8.12), monitoring activities (8.16), web filtering (8.23), and secure coding (8.28).
The Information Security Management System (ISMS) is the core deliverable. ISO 27001 Clauses 4-10 require a documented management system with defined scope, leadership commitment, planning for risks and opportunities, support and resources, operation, performance evaluation, and continual improvement. Annex A is the control catalog the ISMS implements; it is not the certification target itself.
The Statement of Applicability (SoA) is the artifact certification bodies inspect first. It documents which Annex A controls the firm applies, which it excludes, and the justification for each decision. A SoA that excludes controls without business-justified reasoning fails Stage 1. A SoA without revision history showing annual review fails Stage 2.
What does the certification body actually inspect?
The Stage 1 audit (typically 1-2 weeks before Stage 2) inspects the ISMS documentation: scope statement, information security policy, risk assessment methodology, risk treatment plan, Statement of Applicability, and the documented procedures supporting the management system clauses. Stage 1 either confirms readiness for Stage 2 or identifies gaps that must close before Stage 2 begins.
The Stage 2 audit (typically 4-8 weeks after Stage 1) inspects operating effectiveness across the Annex A controls in scope. The auditor samples evidence per control: access reviews, vulnerability scans, training records, incident response evidence, change management records, vendor assessments. Each control either has documented evidence operating across the audit period or it does not.
Internal audit and management review are the two clauses (9.2 and 9.3) that catch firms that have implemented controls but not built the management system around them. The certification body expects documented internal audits covering the ISMS scope, with findings tracked to closure. It expects documented management review meetings with agenda, attendees, decisions, and action items. A control framework without these management-system elements fails certification.
Certification is a continuing cycle, not a destination. ISO 27001 certification is a three-year cycle with annual surveillance audits. Recertification at year three is not a fresh start — the certification body reviews the prior cycle’s findings and expects continuous improvement evidence. Firms that treat certification as a one-time project rebuild the entire evidence file each surveillance audit and pay for the rebuild.
What happens if you fail Stage 2?
Stage 2 findings are categorized: Major Nonconformity, Minor Nonconformity, or Observation. A Major Nonconformity blocks certification — the firm must remediate and demonstrate effectiveness before the certification body issues the certificate. The certification timeline extends by the remediation period; a target ship date for the certificate slides accordingly.
Minor Nonconformities require corrective action plans documented in writing, with remediation evidence due before the next surveillance audit. The certificate is issued but with documented findings. The findings appear in the public certificate registry and are visible to customer due-diligence reviews.
For B2B firms targeting EU customers under GDPR Article 28 vendor obligations, an absent or late ISO 27001 certificate stalls customer contracts. EU enterprise procurement increasingly requires the certificate before vendor approval. The opportunity cost of a 6-month certification delay is typically 6-12 months of EU pipeline.
For multinational firms, ISO 27001 certification interlocks with regional compliance programs — SOC 2 in the US, GDPR in the EU, customer-specific frameworks elsewhere. A certification gap exposes the entire commercial position; firms that maintain continuous certification compound their B2B credibility quarter over quarter.
How does Triton get your firm ISO 27001-ready?
We deploy Sophos Endpoint XDR, Microsoft Defender for Endpoint, Sophos Firewall, AWS-backed infrastructure with documented control inheritance, and continuous monitoring tooling. We then author the ISMS documentation suite — scope, policy, risk methodology, risk treatment plan, Statement of Applicability covering all 93 Annex A controls — and establish the management system clauses (internal audit, management review, continuous improvement).
The stack matters because each component produces evidence mapped to specific Annex A controls. Sophos XDR satisfies 8.7 (protection against malware) and 8.16 (monitoring activities), and contributes to 8.8 (management of technical vulnerabilities). Microsoft Defender covers 8.3 (information access restriction) and 5.15-5.18 (access control family). Sophos Firewall handles 8.20-8.22 (network security family). AWS produces inheritance documentation for 8.30-8.33 (development and acquisition family) when managed services are used.
We deploy on AWS because downtime is not an option. ISO 27001 Annex A 5.30 specifically addresses ICT readiness for business continuity. AWS-backed infrastructure with documented RTO/RPO and tested restoration produces the evidence the auditor expects for that control.
Our typical ISO 27001 readiness engagement runs 4-6 months from engagement start to Stage 1 audit-ready. Stage 2 follows 4-8 weeks after Stage 1. The end-to-end window from “decided to certify” to “certificate in hand” is typically 8-10 months. We do not function as the certification body — that creates an independence conflict — but the readiness file we deliver is the bulk of the work the auditor validates against.
What evidence does the certification body actually want on file?
The certification body inspects six artifact categories across Stage 1 and Stage 2. The Statement of Applicability is the master index; the underlying evidence file backs every applied control.
Why start now? Because the certification body queue is months out.
ISO 27001 certification body availability is constrained — Stage 1 + Stage 2 typically requires 8-12 weeks of audit calendar across two visits. ISMS implementation and evidence accumulation requires 4-6 months. The end-to-end window from decision to certificate is 8-10 months. Firms targeting an EU enterprise customer’s next procurement cycle need to start now, not when the customer asks.
Northeast B2B SaaS, MSP, and professional services firms we have helped through ISO 27001 certification started 9-12 months before targeted customer pipelines opened. The firms that compressed into 4-6 months either failed Stage 2 or accepted scope reductions that limited the certificate’s commercial value.
Frequently Asked Questions
Is ISO 27001 the same as SOC 2?
Both are information security frameworks but with different structures and audiences. SOC 2 is AICPA-defined, US-focused, attestation-based, with Trust Services Criteria. ISO 27001 is ISO/IEC defined, internationally recognized, certification-based, with Annex A controls. Many firms hold both — SOC 2 for US enterprise customers, ISO 27001 for EU and multinational customers. The underlying control work overlaps substantially; the audit and reporting structures are different.
How long does ISO 27001 certification take?
Total elapsed time from engagement start to certificate is typically 8-10 months. Readiness work runs 4-6 months. Stage 1 audit follows. Stage 2 audit is 4-8 weeks after Stage 1. Certificate issuance is 2-4 weeks after Stage 2 closure. The certification body queue typically adds 4-8 weeks at the start.
How much does ISO 27001 certification cost?
Total first-year investment for a 25-100 employee firm typically runs $80,000 to $180,000. The split: readiness work and ISMS authoring ($30-60K), Stage 1 + Stage 2 audit fees ($25-55K), continuous monitoring tooling ($10-25K annual), and surveillance audit fees in years 2 and 3 ($15-30K each). Recertification at year 3 runs comparable to the first audit cycle.
Can we use Vanta or Drata for ISO 27001?
Yes — both vendors support ISO 27001 alongside SOC 2. The control mapping differs but the underlying evidence collection is largely the same. Continuous monitoring tooling is operationally necessary at scale; ISO 27001 surveillance audits sample across the prior year, and manual evidence collection across that window is fragile.
Should we transition from SOC 2 to ISO 27001 or maintain both?
For most US-based firms with international customer pipelines, the answer is both. SOC 2 satisfies US enterprise procurement; ISO 27001 satisfies EU and multinational requirements. The incremental cost of adding ISO 27001 to an existing SOC 2 program is substantially less than implementing either from scratch — the underlying evidence largely overlaps.
What is the difference between ISO 27001 and ISO 27002?
ISO 27001 is the certifiable management standard with mandatory clauses (4-10) and Annex A controls. ISO 27002 is the implementation guidance for the Annex A controls — it provides best practices but is not separately certifiable. Firms certify against 27001 and use 27002 as the operational guide.
Do we need to migrate from 27001:2013 to 27001:2022?
Yes if you held a 2013-based certificate. The transition period closed October 31, 2025; recertification audits now require the 2022 control catalog. Firms with active 2013 certificates were required to transition by their next surveillance or recertification audit.
Do we need dark web monitoring for ISO 27001?
No. Dark web monitoring is a notification service, not an Annex A control. Annex A 8.16 (monitoring activities) requires monitoring of systems and information processing — operational telemetry, not external alerting. We do not bundle dark web monitoring and it does not appear in any ISO 27001 evidence list.
Triton Technologies delivers managed IT services, cybersecurity, and IT support for businesses across Connecticut, Massachusetts, New York, Rhode Island, and beyond. Contact our team today to start a conversation about your technology environment.