SaaSFort Why ISO 27001 Has Become a Sales Requirement
ISO 27001 used to be a nice-to-have. In 2026, it’s a gate.
Enterprise procurement teams — particularly in financial services, healthcare, and the public sector — now routinely reject SaaS vendors who cannot show an active ISO 27001 certificate. Where a SOC 2 Type II report satisfies North American buyers, ISO 27001 is the standard of record for EMEA enterprise deals. For a detailed framework comparison including NIS2, see our SOC 2 vs NIS2 guide.
For SaaS vendors selling into CAC 40 companies, German Mittelstand, or UK financial institutions, the question isn’t whether to pursue certification — it’s how to do it efficiently without derailing your engineering roadmap. German companies in NIS2 scope face additional pressure: Geschäftsführer haften persönlich for security failures — ISO 27001 is one of the strongest defenses.
This guide covers what changed in the 2022 update, how to scope and build your ISMS, realistic timelines and costs, and how SaaSFort maps to the standard’s technical controls.
ISO 27001:2022 — What Changed from 2013
The 2022 revision restructured Annex A from 14 sections and 114 controls to 4 themes and 93 controls, with 11 new controls added specifically for cloud and digital-native organizations.
| Theme | Controls | Focus |
|---|---|---|
| Organizational (A.5) | 37 | Policies, roles, supplier management |
| People (A.6) | 8 | Screening, training, remote work |
| Physical (A.7) | 14 | Physical access, equipment security |
| Technological (A.8) | 34 | Endpoint, network, identity, monitoring |
The 11 New Controls That Matter for SaaS
| Control | ID | Why It Matters for SaaS |
|---|---|---|
| Threat intelligence | A.5.7 | Required feed of relevant threat data |
| Information security for cloud services | A.5.23 | Scopes cloud provider responsibilities |
| ICT readiness for business continuity | A.5.30 | DR/BCP alignment with DORA |
| Physical security monitoring | A.7.4 | Applies to co-lo or office servers |
| Configuration management | A.8.9 | IaC and baseline configs |
| Information deletion | A.8.10 | GDPR data lifecycle alignment |
| Data masking | A.8.11 | PII handling in dev/test environments |
| Data leakage prevention | A.8.12 | DLP tooling requirement |
| Web filtering | A.8.23 | Outbound traffic controls |
| Secure coding | A.8.28 | OWASP-aligned development practices |
| Monitoring activities | A.8.16 | SIEM/alerting for anomaly detection |
Key change for SaaS vendors: The 2022 revision explicitly addresses cloud service agreements (A.5.23). You must now document which security controls are your responsibility versus your cloud provider’s (AWS/GCP/Azure shared responsibility model). This is non-negotiable for auditors.
Scoping Your ISMS for a SaaS Product
The Information Security Management System (ISMS) scope definition is the most consequential decision in your certification journey. A poorly scoped ISMS either fails audit or requires rebuilding.
Scope Definition Principles
For a SaaS vendor, a typical ISMS scope covers:
- The SaaS application and its production infrastructure
- The development and CI/CD pipeline (if handling customer data)
- The data centers / cloud regions where customer data resides
- Personnel with access to production systems or customer data
- Third-party suppliers with access to in-scope systems
Common Scoping Mistakes
| Mistake | Consequence |
|---|---|
| Including all company systems | Tripling the control surface area and audit time |
| Excluding CI/CD from scope | Auditors will flag this — it’s where code ships from |
| Not defining asset inventory | Cannot demonstrate control of what you don’t list |
| Vague scope statement | Auditor discretion = unpredictable audit scope expansion |
| Forgetting contractors | Third parties with prod access must be in scope |
Certification Timeline: 4–8 Months for SaaS
A realistic timeline for a 20–100 person SaaS vendor from zero to certificate:
| Phase | Duration | Key Deliverables |
|---|---|---|
| Gap assessment | 2–4 weeks | Baseline against 93 controls, risk register |
| ISMS design | 4–6 weeks | Policies, procedures, Statement of Applicability |
| Control implementation | 6–10 weeks | Technical and organizational controls live |
| Internal audit | 2–3 weeks | Pre-audit dry run, non-conformities logged |
| Stage 1 audit (document review) | 1–2 weeks | Auditor reviews ISMS documentation |
| Stage 2 audit (on-site/remote) | 1–2 weeks | Evidence review, interviews, testing |
| Certificate issuance | 2–4 weeks | After zero major non-conformities |
Total: 4–8 months depending on your starting baseline and internal bandwidth.
SaaSFort Tip: Companies with SOC 2 Type II already completed cut 30–40% off their ISO 27001 timeline. The control overlap between the two frameworks is substantial — particularly in access control, incident response, and availability monitoring.
Cost Breakdown: €25K–€80K for First Certification
Certification costs vary by company size, scope complexity, and whether you use a consultant.
| Cost Item | Low Estimate | High Estimate | Notes |
|---|---|---|---|
| Certification body fees (Stage 1+2) | €6,000 | €18,000 | BSI, Bureau Veritas, DNV, TÜV |
| External consultant / vCISO | €8,000 | €30,000 | Optional but accelerates timeline |
| GRC tooling (Drata, Vanta, Sprinto) | €4,000 | €12,000/yr | Automates evidence collection |
| Internal engineering hours | €8,000 | €20,000 | Estimate: 80–200 hours at €100/hr |
| Total (Year 1) | €26,000 | €80,000 | |
| Annual surveillance audit (Year 2–3) | €4,000 | €10,000 | Lighter-touch annual check |
| Recertification (Year 3) | €6,000 | €18,000 | Full re-audit every 3 years |
Common Audit Failures — and How to Prevent Them
Based on audit patterns across SaaS vendors, these are the non-conformities most frequently cited by ISO 27001 auditors:
| Failure | Root Cause | Prevention |
|---|---|---|
| Incomplete risk assessment | Generic risk register, not tied to assets | Map each risk to a specific asset and owner |
| Undocumented supplier assessments | Vendors assessed informally or not at all | Quarterly supplier review process with records |
| Missing access review logs | No evidence of periodic access reviews | Quarterly IAM audit with sign-off |
| Untested incident response | IR plan exists on paper only | Tabletop exercise at least annually |
| No internal audit | Teams skip the pre-audit dry run | Schedule internal audit 6 weeks before Stage 2 |
| Configuration drift | Infrastructure diverges from documented baseline | IaC enforces baseline; drift detected by monitoring |
| Training records missing | Employees trained but no records kept | LMS with completion tracking per employee |
ISO 27001 vs SOC 2 vs CAIQ vs SIG
For SaaS vendors active in multiple geographies, you will face a combination of these frameworks. Understanding overlap avoids duplicate effort.
| Framework | Primary Market | Assessment Type | Recurrence | Overlap with ISO 27001 |
|---|---|---|---|---|
| ISO 27001 | EMEA (primary) | Third-party certification | 3-year cycle + annual surveillance | — |
| SOC 2 Type II | North America | CPA audit report | Annual | ~60% control overlap |
| CAIQ v4 | Cloud procurement | Self-assessment | On-request | ~45% |
| SIG Core | Financial services | Self-assessment + evidence | Per-relationship | ~55% |
| DORA (ICT) | EU financial sector | Contractual + regulatory | Ongoing | ~30% (A.5.30, resilience) |
The Dual-Track Strategy (ISO 27001 + SOC 2)
For SaaS vendors targeting both EMEA and North American enterprise:
- Start with ISO 27001 — broader control set, EMEA gate requirement
- Map to SOC 2 — use your existing ISMS policies + evidence for SOC 2 Trust Service Criteria
- Use CAIQ/SIG as derivative outputs — your ISMS documentation answers 60–70% of both questionnaires automatically
This approach reduces total compliance cost by 35–50% versus pursuing each framework independently.
SaaSFort Control Mapping: Technical Controls
SaaSFort’s automated scans address the following ISO 27001:2022 Annex A technical controls:
| Control ID | Control Name | SaaSFort Coverage |
|---|---|---|
| A.8.2 | Privileged access rights | OWASP broken access checks |
| A.8.5 | Secure authentication | Auth header analysis, HTTPS enforcement |
| A.8.7 | Protection against malware | Dependency exposure checks |
| A.8.9 | Configuration management | Security header baseline |
| A.8.16 | Monitoring activities | Exposed endpoint detection |
| A.8.20 | Network security | TLS/SSL configuration |
| A.8.21 | Security of network services | HTTP methods, exposed services |
| A.8.23 | Web filtering | Outbound link analysis |
| A.8.25 | Secure development lifecycle | SRI check, CSP implementation |
| A.8.28 | Secure coding | OWASP Top 10 mapping per finding |
Each SaaSFort Deal Report includes an explicit A.8 control coverage table — directly referenceable in audit evidence packages. For NIS2-scoped customers, you can generate a NIS2 compliance PDF that maps scan results to Article 21(2) controls alongside your ISO 27001 evidence.
Your 30-Day ISO 27001 Quick Start Plan
If you’re 0% into ISO 27001 and need to show progress to a prospective buyer:
Week 1 — Scope + asset inventory
- Define ISMS scope (production systems + in-scope staff)
- Build asset inventory: servers, repos, databases, SaaS tools with customer data
- Assign an ISMS owner (CTO, CISO, or senior engineer)
Week 2 — Risk assessment baseline
- List top 20 risks against your asset inventory
- Score likelihood × impact (1–5 scale)
- Document existing controls and gaps
Week 3 — Priority control implementation
- Enforce MFA on all admin accounts and cloud consoles
- Document access review process and run first review
- Create incident response procedure (even one page is a start)
Week 4 — Documentation + evidence package
- Write Information Security Policy (1–2 pages, board-signed)
- Run SaaSFort scan → generate Deal Report as technical evidence baseline (free scan here)
- For NIS2-scoped customers, also generate the NIS2 PDF export as supplemental evidence
- Create Statement of Applicability draft (list applicable controls)
At end of Week 4, you have a credible ISMS foundation to present to a prospective buyer — and a documented path to full certification.
Related Resources
- SOC 2 vs OWASP Compliance — how SOC 2 complements ISO 27001 for North American buyers
- CAIQ v4 Cloud Security Self-Assessment — CAIQ maps to ~45% of ISO 27001 controls
- DORA Compliance for SaaS Vendors — ISO 27001 covers ~30% of DORA requirements
- NIS2 SaaS Vendor Compliance Checklist — ISO 27001 aligns with NIS2 Article 21 measures
- NIS2 Technical Security Requirements for SaaS CTOs — detailed implementation guide for each Article 21 measure
- NIS2 Supply Chain Compliance for SaaS Vendors — supply chain evidence your enterprise customers expect
- How to Build Security Evidence That Closes Enterprise Deals — package your ISO 27001 evidence
- DevSecOps Guide for SaaS Vendors — CI/CD security integrations that auditors look for
Frequently Asked Questions
How long does ISO 27001 certification take for a SaaS vendor?
For a 20-100 person SaaS vendor starting from zero, expect 4-8 months from gap assessment to certificate issuance. Companies with existing SOC 2 Type II cut 30-40% off this timeline due to substantial control overlap. The biggest time investment is control implementation (6-10 weeks) and ISMS documentation.
How much does ISO 27001 certification cost?
First-year certification costs range from €25,000 to €80,000 including certification body fees (€6,000-€18,000), optional consultant/vCISO (€8,000-€30,000), GRC tooling (€4,000-€12,000/year), and internal engineering hours (€8,000-€20,000). Annual surveillance audits cost €4,000-€10,000. Recertification every 3 years costs €6,000-€18,000.
What changed in ISO 27001:2022 compared to the 2013 version?
The 2022 revision restructured Annex A from 14 sections and 114 controls to 4 themes and 93 controls, adding 11 new controls specifically for cloud and digital-native organizations. Key additions include: information security for cloud services (A.5.23), configuration management (A.8.9), data masking (A.8.11), secure coding (A.8.28), and monitoring activities (A.8.16).
Can SaaS vendors pursue both ISO 27001 and SOC 2 efficiently?
Yes. ISO 27001 and SOC 2 share approximately 60% control overlap — particularly in access control, incident response, and availability monitoring. The recommended approach: start with ISO 27001 (broader control set, EMEA gate requirement), then map existing ISMS policies and evidence to SOC 2 Trust Service Criteria. This reduces total compliance cost by 35-50%.
What are the most common ISO 27001 audit failures for SaaS vendors?
According to SaaSFort’s analysis, the top failures are: (1) incomplete risk assessment not tied to specific assets, (2) undocumented supplier/vendor assessments, (3) missing access review logs, (4) incident response plan never tested (no tabletop exercise), (5) no internal audit conducted before Stage 2, and (6) configuration drift where infrastructure diverges from documented baseline.
Run a free security scan to see your security grade in under 60 seconds. For a complete compliance framework, download our free SaaS Security Playbook 2026.
Von der Theorie zur Praxis
Scannen Sie Ihre Domain kostenlos. Erste Ergebnisse in unter 10 Sekunden — ohne Registrierung.