We build and implement your Information Security Management System — from gap assessment to Stage 2 certificate — without pulling your engineers off product.
ISO 27001 implementation means designing, building, and embedding an Information Security Management System (ISMS) that meets the requirements of ISO/IEC 27001:2022. It covers policy creation, risk assessment, Annex A control selection and deployment, internal audit, management review, and preparation for Stage 1 and Stage 2 certification audits conducted by an accredited certification body.
ISO 27001 has 93 controls across 4 themes in Annex A. The standard requires a documented Statement of Applicability explaining which controls you implement and why. It requires a formal risk assessment methodology, a risk register, and evidence that management reviews the ISMS at defined intervals.
None of this is intuitive if you have not done it before. Most startup teams download a policy template pack, rename the company name, and discover three months later that their auditor considers it inadequate — because the policies were not tailored to their actual systems, and there is no evidence the controls are actually operating.
ProtectifyAI implements the ISMS with you, not just for you. We wire controls into your existing tooling, build processes your team can actually run, and sit with you through both audit stages until the certificate lands.
Scope definition, context of the organisation, interested parties analysis, and ISMS boundary documentation.
Risk methodology, asset inventory, threat and vulnerability identification, risk scoring, and risk treatment plan.
Full suite of ISO 27001-aligned policies tailored to your stack — not renamed templates.
Statement of Applicability, control selection rationale, and implementation evidence for all applicable controls.
Internal audit programme, audit plan, and findings report — required before Stage 2 can proceed.
Management review agenda, inputs, and documented outputs — a mandatory ISO 27001 requirement.
Supplier inventory, risk classification, contractual security requirements, and annual review process.
Certification body selection, Stage 1 and Stage 2 facilitation, nonconformity response, and certificate procurement.
| Phase | Duration | What happens |
|---|---|---|
| 01 | Weeks 1–3 | Gap assessment, scope definition, ISMS design, certification body shortlisting and selection |
| 02 | Weeks 4–7 | Risk assessment and risk treatment plan, Statement of Applicability, policy library creation |
| 03 | Weeks 8–13 | Annex A control implementation — access control, cryptography, physical security, supplier management, incident management, and remaining controls |
| 04 | Weeks 14–16 | Internal audit, management review, nonconformity remediation, Stage 1 preparation |
| 05 | Week 17–18 | Stage 1 audit (documentation review by certification body). Any nonconformities addressed. |
| 06 | Weeks 19–21 | Stage 2 audit (on-site or remote controls testing). Certificate issued on successful completion. |
| Factor | ISO 27001 | SOC 2 |
|---|---|---|
| Standard body | ISO/IEC (international) | AICPA (US) |
| Dominant market | UK, Europe, Middle East, Asia | US |
| Output | Certification (pass/fail) | Attestation report (auditor opinion) |
| Observation period | Not required for certification | 3–12 months for Type 2 |
| Time to first certificate | 4–6 months | 8–18 months (Type 2) |
| Control overlap | ~70% overlap — the second standard is significantly faster once the first is complete | |
The 52-point checklist we use internally before every ISO 27001 engagement. Covers ISMS design, risk assessment, Annex A controls, internal audit, and Stage 1/2 preparation. Enter your email to receive it.
Outcome-based pricing — fixed fee agreed upfront, payable on certification. No hourly meters, no scope-creep change orders.
Certification body fees are separate and quoted independently. We are vendor-neutral.
ISO 27001 implementation for a startup typically takes 4–6 months from engagement start to Stage 2 certificate, assuming reasonable team availability. The main variable is how quickly controls can be embedded into your existing systems and how much remediation is required after Stage 1.
Stage 1 is a documentation review — the auditor confirms your ISMS is designed correctly and your policies are in place. Stage 2 is the main certification audit, where the auditor tests whether controls are actually operating as documented. You must pass Stage 1 before Stage 2 can proceed. Nonconformities from Stage 1 must be closed before Stage 2 begins.
ProtectifyAI charges a fixed outcome-based fee agreed upfront and payable on certification. Certification body fees are separate and typically range from £5,000–£18,000 depending on scope and organisation size. Our fee does not increase if remediation takes longer than expected — unlike hourly consultancies.
An ISMS is a documented framework of policies, processes, and controls for managing information security risk. ISO 27001 requires one. For a startup, an ISMS does not need to be complex — a well-designed lean ISMS for a 10–50 person company can be operated by the existing team without a dedicated security hire.
ISO 27001 is an internationally recognised certification (pass/fail) governed by ISO/IEC. SOC 2 is a US attestation standard governed by the AICPA. ISO 27001 is dominant in UK and European procurement; SOC 2 is dominant in US enterprise procurement. Both are worth pursuing for AI startups targeting global enterprise deals — the control overlap is ~70%, making the second certification much faster.
No. A compliance platform helps automate evidence collection but is not required for ISO 27001 certification. ProtectifyAI is entirely vendor-neutral. We will recommend whether a platform makes financial and operational sense for your team, and work with whichever you choose — or build a manual evidence process if that is the better fit.
45 minutes on your actual ISO 27001 situation. No follow-up sequences if we're not the right fit.
Book a working session →