ISO 27001

Audit-ready in 90 days, not 9 months.

Free, no signup required for assessment.

Are you in scope?

Not sure? The 5-minute assessment gives you a definitive answer.

  1. B2B SaaS and tech companies selling into mid-market or enterprise. Security questionnaires are now gating deals rather than nice-to-haves.
  2. Companies whose customers contractually require ISO 27001 or SOC 2, usually the moment you cross 50 employees or land your first enterprise prospect.
  3. Regulated industries (fintech, healthtech, govtech, edtech) where ISO 27001 is a baseline expectation, not a differentiator.
  4. Organisations preparing for NIS2. ISO 27001 covers most of Article 21's risk-management requirements, so the work translates directly.
  5. Any business that wants a credible, internationally recognised security baseline with named controls and external verification.

What's required

Plain language, not legal jargon. Citations link to the source regulation.

Information Security Management System (ISMS)

Documented scope, security policy, objectives, and risk methodology covering people, processes, and technology. The ISMS is the spine the rest of the standard hangs from.

ISO/IEC 27001:2022

Risk assessment and treatment

Identify, analyse, and treat information security risks. Maintain a Statement of Applicability against Annex A; this is the document auditors will spend the most time on.

Annex A controls (93 controls across 4 themes)

Organisational, people, physical, and technological controls, selected and justified based on your risk assessment. The 2022 revision reduced the count from 114 and reorganised the themes.

Internal audits

Conduct internal audits at planned intervals to verify the ISMS conforms to ISO 27001 and is effectively implemented. Auditors must be independent of what they audit.

Management review

Top management reviews the ISMS at planned intervals (typically annually) to ensure suitability, adequacy, and effectiveness. The minutes of these reviews are themselves audit evidence.

Continual improvement

Identify and act on nonconformities. Drive corrective action with documented root-cause analysis and effectiveness checks. The ISMS is expected to mature year over year.

Deadlines

  1. Customer-driven
    Most companies start ISO 27001 because a major customer requires it, usually with 60–90 days' notice
  2. Month 0–2
    Gap assessment, policy development, control implementation, evidence collection
  3. Month 3
    Stage 1 audit: documentation review by the certification body
  4. Month 4–6
    Stage 2 audit: implementation review on-site or remote, certificate issuance
  5. Annually
    Surveillance audits in years 1 and 2; full recertification audit every 3 years

Consequences

Maximum fines

None. ISO 27001 is a standard, not a regulation, but missing it blocks enterprise sales contracts.

Beyond that, non-compliance can block enterprise sales contracts, expose directors personally, and trigger reportable incidents under adjacent regulations.

How Skarpix helps

Gap assessment

Score your current state against the 93 Annex A controls in under 10 minutes, and get a prioritised remediation list.

Policy library

Pre-built, customisable policies covering all 14 mandatory ISMS documents. Tailor once, maintain over time.

Risk register

Track risks, treatment plans, owners, residual risk, and review cadence in exactly the shape auditors expect.

Evidence collection

Map evidence to controls. Auto-collect from connected systems where possible (HRIS, identity provider, cloud).

Audit-ready report pack

Generate the documentation pack auditors expect with one click: Statement of Applicability, ISMS scope, risk register, evidence index.

Continuous monitoring

Track control effectiveness between audits with scheduled re-checks, so the certification doesn't drift after the auditor leaves.


Frequently asked

ISO 27001 vs SOC 2: which do we need?

European customers usually expect ISO 27001; US customers usually expect SOC 2. Many companies pursue both since the underlying controls overlap heavily (~80%). Skarpix maps controls across both frameworks so most evidence collected for one applies to the other.

How long does certification take?

Realistic timeline: 3–6 months for a small SMB with reasonable existing security, 6–12 months if starting from scratch. The audit itself is fast (1–2 weeks elapsed); the bulk of time is gap closure and evidence collection. Skarpix compresses both phases significantly.

Do we need a consultant?

Not necessarily. Many small companies certify successfully using a platform like Skarpix plus the audit engagement itself. Larger or regulated organisations often choose a consultant for the first cycle, then handle subsequent ones in-house once the ISMS is mature.

What does certification cost?

Excluding internal labour: roughly EUR 5,000–15,000 for a small-company audit (depending on scope and certification body), plus the Skarpix subscription. Significantly less than consultant-led programmes, which typically run 5–10× higher.

How does ISO 27001 relate to NIS2?

ISO 27001 controls cover most of NIS2 Article 21's risk-management requirements: risk management, incident handling, business continuity, supply chain, access control, cryptography, asset management. You'll still need NIS2-specific work for incident reporting timelines, management accountability training, and registration with your national authority, but the security backbone is shared.

Can we certify only part of our company?

Yes. The ISMS scope is what you define it to be, as long as it's clearly bounded. Many companies start with a single product, customer-facing systems, or one business unit, then expand the scope at recertification. Auditors will validate the boundary is sensible and that excluded systems don't undermine in-scope controls.
