The international standard your global buyers expect
When you sell into Europe, financial services, or large global enterprises, they ask for ISO 27001 — not SOC 2. Arclight builds your Information Security Management System from the ground up and takes you through certification, led by one senior expert who's done it dozens of times.
The basics
What ISO 27001 is — and why it's different
ISO/IEC 27001 is the leading international standard for information security management. Unlike SOC 2's attestation report, ISO 27001 is a true certification issued by an accredited body — and it requires a formal, living Information Security Management System (ISMS) with management review, internal audit, and continual improvement built in. That rigor is exactly why global enterprises trust it.
SOC 2
US-centric attestation report from a CPA firm. Point-in-time or period-based. Common in North American B2B SaaS procurement.
ISO 27001
Internationally recognized certification from an accredited body. Requires an ongoing ISMS. Preferred across Europe, finance, and global enterprise.
Annex A · 2022 revision
93 controls across four themes
The 2022 revision reorganized Annex A into four control themes. Your Statement of Applicability documents which apply to you and why — Arclight builds this with you so nothing is over- or under-scoped.
Organizational
37 controls
Policies, roles, supplier and information-handling governance.
People
8 controls
Screening, awareness, responsibilities, and remote working.
Physical
14 controls
Secure areas, equipment, and physical media protection.
Technological
34 controls
Access control, cryptography, logging, and secure development.
The engagement
How Arclight gets you certified
One senior practitioner, start to finish. We build the ISMS, run the risk work, and manage the certification body through both audit stages.
Scope & risk assessment
We define your ISMS scope, run a full risk assessment and treatment plan, and produce your Statement of Applicability against all 93 Annex A controls.
Build & operate the ISMS
We write the mandatory policies and procedures, stand up controls, and run the internal audit and management review the standard requires.
Stage 1 & Stage 2 audits
We prep you for the documentation review and the main audit, manage the certification body, and resolve findings — through to your certificate.
Questions
ISO 27001 FAQ
What is ISO 27001?
ISO/IEC 27001 is the leading international standard for information security management. Certification requires establishing an Information Security Management System (ISMS) and passing an audit by an accredited certification body. The current version is ISO 27001:2022, whose Annex A defines 93 controls across four themes.
How is it different from SOC 2?
SOC 2 is a US-centric attestation report from a CPA firm. ISO 27001 is an internationally recognized certification from an accredited body and requires a formal ISMS with ongoing management review, internal audit, and continual improvement. Buyers in Europe, financial services, and many global enterprises prefer or require ISO 27001.
How long does certification take?
For most startups, implementation runs 3 to 6 months to build the ISMS, complete a risk assessment, and operate controls long enough to generate evidence — followed by the Stage 1 and Stage 2 certification audits. The certificate is then valid for three years with annual surveillance audits.
What are the Stage 1 and Stage 2 audits?
Stage 1 is a documentation review where the certification body checks that your ISMS is designed and documented. Stage 2 is the main audit, where they verify your controls are actually operating. Arclight prepares you for both and manages the relationship with the certification body.
How much does it cost?
Arclight runs ISO 27001 implementation under the Arc Model with flat pricing from $2,000/mo, and a standalone ISO 27001 internal audit is $3,500. The accredited certification body's audit fee is separate and paid directly to them. See the Services page for all pricing.
Other frameworks
Need more than ISO 27001?
Many clients pursue ISO 27001 alongside SOC 2, or add HIPAA for healthcare data. Arclight runs them together under one roof.
Win the global deal.
Book a free 30-minute call. We'll map your ISMS scope, timeline, and cost — and tell you honestly whether ISO 27001 or SOC 2 fits your market.
Book a Free ISO 27001 Call