Securance logo

How to get and maintain ISO 27001 certification

A practical guide for SaaS teams

Azwedo l lc 7 g5kp Bbqm I unsplash

If you're a compliance officer or CISO at a SaaS company, chances are ISO 27001 has been on your radar for a while. A customer security questionnaire arrives, a prospect asks for your certificate, or your legal team flags an upcoming NIS2 obligation. Suddenly "we should look into ISO 27001" becomes "we need ISO 27001 by Q3."

The good news: it's entirely achievable. The honest news: it takes more than a folder of policies. This guide walks you through the full ISO 27001 certification process, from scoping to Stage 2, and then the year-round maintenance routine that keeps your certificate valid and your controls actually working.

 

What getting ISO 27001 certified actually involves

ISO/IEC 27001:2022 requires you to build an Information Security Management System (ISMS) and then prove, through an external audit, that it operates effectively. The audit happens in two stages:

  • Stage 1 (documentation review): your auditor checks that your ISMS is designed correctly, your scope is coherent, and your documentation is in order.
  • Stage 2 (operational evidence): the auditor samples real evidence to confirm controls are running as documented.

Once certified, your certificate is valid for three years. During that cycle, you'll face annual surveillance audits and a full recertification before expiry.

One important note for teams still on the older standard: all ISO/IEC 27001:2013 certifications expired or were required to be withdrawn by 31 October 2025 (SGS SA, May 2024). If you're starting fresh, you're working to ISO 27001:2022 from day one.

 

Define your scope before anything else

Scope is where most SaaS teams either make or lose time. Your ISMS scope statement defines which services, systems, teams, and locations are covered. Get it right and your evidence collection becomes manageable. Drift into scope creep and you'll be preparing evidence for things that don't matter to your customers or your risk profile.

Practical approach for SaaS:

  • Anchor scope to the product or service your customers actually rely on, not your entire corporate entity.
  • Identify interested parties: customers, regulators, cloud providers, sub-processors.
  • Document the boundary clearly: what's inside (e.g., your production environment, your engineering team) and what's explicitly excluded (e.g., a separate HR payroll system).

Common traps include treating scope as a formality, listing cloud infrastructure without naming specific services, and forgetting that a key sub-processor probably needs a place in your risk register.

 

Plan your ISMS: governance, risk, and objectives

Before you build a control set, you need the foundations. That means:

  1. A signed Information Security Policy with named ownership at leadership level.
  2. A documented risk assessment methodology (how you identify, analyse, and evaluate risks).
  3. A risk treatment plan that maps each accepted risk to a specific Annex A control or a justified exclusion.
  4. Measurable security objectives tied to your risk priorities.

The link between risk and control is what auditors follow in Stage 2. If your risk register identifies "unauthorised access to production database" as a high risk, your auditor will expect to see the relevant access control evidence. A cybersecurity risk assessment aligned with ISO 27001 and NIS2 gives you the structured method to build this traceably.

 

Build a Statement of Applicability that survives Stage 2

The Statement of Applicability (SoA) is the document that lists all 93 controls from Annex A of ISO 27001:2022 (confirmed by both DataGuard and Vanta). For each control, your SoA must show:

  • Whether the control is included or excluded
  • The justification for that decision (rooted in your risk assessment)
  • Implementation status
  • A pointer to where the evidence lives

ISO 27001:2022 groups these 93 controls across four categories: organisational, people, physical, and technological. The most common SoA failure is unjustified exclusions. "We're a cloud company so physical security doesn't apply" rarely satisfies an auditor when your staff work from offices or use endpoint devices.

 

Implement controls and build your evidence pack

This is where compliance moves from documents to operations. Each control needs an owner, a frequency, and a record. For SaaS teams, the highest-scrutiny areas in Stage 2 typically include:

  • Identity and access management (IAM/MFA): access provisioning logs, joiners/movers/leavers records, quarterly access reviews
  • Asset inventory: up-to-date register of systems, data stores, and cloud services within scope
  • Incident management: incident log with dates, classification, response actions, and lessons learned
  • Vulnerability management: scan results with remediation timelines, patch records
  • Backup and recovery: scheduled backup logs, restore test results with dates
  • Configuration and monitoring: SIEM/log configuration, alerting rules, and monitoring review records
  • Vendor/supplier security: due diligence records, contracts with security clauses, periodic supplier reviews

Organise all of this into an evidence "data room" structured by Annex A control or ISO clause number. Consistent naming conventions and clear retention periods save enormous time at audit.

 

Typical certification timeline: 6 to 12+ months

The honest range is six months for a small SaaS team with strong existing controls, to 12 months or more for a multi-product organisation starting from a low maturity baseline.

A workable phased plan looks like this:

ISO 27001 table 1

Role ownership matters throughout. Assign the CISO or compliance lead to own the ISMS and SoA. IT/SecOps own operational evidence (logs, scans, access reviews). HR owns onboarding/offboarding security records. Procurement owns supplier due diligence files.

 

Stage 1 vs Stage 2: what to expect

Stage 1 is a readiness check. Your auditor reviews your ISMS documentation: scope statement, information security policy, risk assessment and treatment plan, SoA, objectives, and internal audit results. The outcome is either a green light for Stage 2 or a list of issues to address first. Treat it as a structured dress rehearsal, not a rubber stamp.

Stage 2 is where auditors test whether your controls are actually running. They'll interview staff ("walk me through what happens when a new employee joins"), request samples ("show me the last three access review records"), and probe for evidence depth. This is why evidence collection needs to start the moment you begin implementing, not the week before the audit.

Nonconformities come in two types. Minor nonconformities are isolated gaps that don't invalidate your system; you'll typically have 30–90 days to close them with documented corrective actions. Major nonconformities indicate a systematic failure; these must be resolved before certification can be granted.

 

How to maintain ISO 27001 certification year-round

This is where most teams underestimate the ongoing work. Your certificate is valid for three years, but annual surveillance audits mean the auditor returns each year to check your ISMS is still running. Skipping your internal audit or letting your risk register gather dust will surface quickly.

A practical 12-month maintenance cadence:

  • Month 1: Review risk register, update for any new services, threats, or changes since last review
  • Month 2–3: Conduct supplier/vendor security reviews; update due diligence records
  • Month 4: Run security awareness training; update records
  • Month 5–6: Internal audit (Clause 9.2): schedule, conduct, and document findings
  • Month 7: Corrective action follow-up; close any open findings
  • Month 8: Review and update SoA for any control changes
  • Month 9: Prepare management review inputs (Clause 9.3 requires top management to conduct evidence-based ISMS performance reviews)
  • Month 10: Management review meeting: review objectives, incidents, audit results, and improvement actions
  • Month 11: Address improvement actions (Clause 10.1 requires a continual improvement process for your ISMS)
  • Month 12: Surveillance audit readiness check; confirm evidence data room is current

Keeping this cadence requires ownership. Someone has to own the calendar and chase evidence owners. Continuous improvement (Clause 10.1) isn't just a clause to satisfy; it's the mechanism that stops your certification becoming a one-time event that erodes over three years.

 

Templates and evidence checklist: what to prepare before your first external audit

Here's what you need to produce before Stage 1:

ISO 27001 table 2

Common reasons ISO 27001 certification stalls

Four patterns account for most delays and failed audits:

  1. Superficial risk assessments. If auditors can't trace a risk to a control decision, the SoA collapses. Every inclusion and exclusion needs a risk story behind it.
  2. Weak evidence collection. Evidence without dates, owners, or context doesn't count. "We do it" isn't evidence. "Here's the record of when we did it, who did it, and what the outcome was" is.
  3. Stage 1 complacency. Teams that sail through Stage 1 sometimes assume Stage 2 is similar. It's not. Stage 1 checks design; Stage 2 tests reality. Use the time between stages to run your operational activities and gather fresh evidence.
  4. Neglecting continual improvement. Missing a management review or skipping an internal audit cycle isn't just a procedural gap; it's a finding. The discipline of Clauses 9.2, 9.3, and 10.1 needs to be calendar-blocking, not optional.

 

How Securance simplifies the whole process

For SaaS and tech teams managing multiple compliance obligations at once, the overhead of separate audit processes adds up fast. Securance's Single Audit, Multiple Standards approach is built specifically for this. One streamlined workflow covers ISO 27001 alongside SOC 1, SOC 2, ISAE 3402, NIS2, and DORA, so you're not repeating evidence collection for each standard separately.

Beyond the audit process, Securance runs monthly cyber scanning to detect risks early, which feeds directly into your continual improvement cycle and keeps your risk register from becoming stale between annual reviews. That's the kind of connection between assurance and cybersecurity that turns a compliance programme from a point-in-time exercise into something genuinely useful.

Trusted by 800+ professional firms and SMEs across Europe, Securance combines governance advisory, independent assurance, and technical cybersecurity in one place. If you're thinking about scope, timeline, or which standards to pursue alongside ISO 27001, a consultation is a good place to start.

 

Frequently asked questions

How long does it take to get ISO 27001 certified? Typically 6 to 12 months, depending on the size of your scope, your existing control maturity, and how quickly you can collect operational evidence. Teams starting from a strong security baseline often move faster.

How long is ISO 27001 certification valid? Three years from the certificate issue date. You'll have annual surveillance audits in years one and two, and a full recertification audit before expiry.

What's the difference between Stage 1 and Stage 2? Stage 1 is a documentation and readiness review; the auditor checks your ISMS design. Stage 2 is an operational evidence audit; the auditor tests whether controls are actually running. Both are required before you receive your certificate.

What evidence do auditors expect for common SaaS areas? For IAM/MFA: access provisioning records, MFA configuration screenshots, access review logs. For logging: SIEM configuration, log retention settings, review records. For incidents: incident log with response timeline. For backups: scheduled backup logs and restore test results. For vendor access: supplier register, due diligence records, contracts with security requirements.

How do we maintain ISO 27001 compliance after certification? Through annual surveillance audits, regular internal audits (Clause 9.2), management reviews (Clause 9.3), and a continual improvement process (Clause 10.1). Monthly cyber scanning and an up-to-date risk register help you stay ahead of findings rather than reacting to them at audit time. You can also explore how ISO 27001 compares to SOC 2, ISAE 3000, and NIS2 if you're managing multiple standards simultaneously.