ISO 27001 Certification for SaaS Vendors: The 2026 Guide
Complete guide to ISO 27001:2022 certification for SaaS vendors. Covers the 93 Annex A controls, ISMS scoping, certification timeline (4-8 months), cost breakdown, common audit failures, and how to pair ISO 27001 with SOC 2 and CAIQ.
Why ISO 27001 Has Become a Sales Requirement
ISO 27001 used to be a nice-to-have. In 2026, it’s a gate.
Enterprise procurement teams — particularly in financial services, healthcare, and the public sector — now routinely reject SaaS vendors who cannot show an active ISO 27001 certificate. Where a SOC 2 Type II report satisfies North American buyers, ISO 27001 is the standard of record for EMEA enterprise deals.
For SaaS vendors selling into CAC 40 companies, German Mittelstand, or UK financial institutions, the question isn’t whether to pursue certification — it’s how to do it efficiently without derailing your engineering roadmap.
This guide covers what changed in the 2022 update, how to scope and build your ISMS, realistic timelines and costs, and how SaaSFort maps to the standard’s technical controls.
ISO 27001:2022 — What Changed from 2013
The 2022 revision restructured Annex A from 14 sections and 114 controls to 4 themes and 93 controls, with 11 new controls added specifically for cloud and digital-native organizations.
| Theme | Controls | Focus |
|---|---|---|
| Organizational (A.5) | 37 | Policies, roles, supplier management |
| People (A.6) | 8 | Screening, training, remote work |
| Physical (A.7) | 14 | Physical access, equipment security |
| Technological (A.8) | 34 | Endpoint, network, identity, monitoring |
The 11 New Controls That Matter for SaaS
| Control | ID | Why It Matters for SaaS |
|---|---|---|
| Threat intelligence | A.5.7 | Required feed of relevant threat data |
| Information security for cloud services | A.5.23 | Scopes cloud provider responsibilities |
| ICT readiness for business continuity | A.5.30 | DR/BCP alignment with DORA |
| Physical security monitoring | A.7.4 | Applies to co-lo or office servers |
| Configuration management | A.8.9 | IaC and baseline configs |
| Information deletion | A.8.10 | GDPR data lifecycle alignment |
| Data masking | A.8.11 | PII handling in dev/test environments |
| Data leakage prevention | A.8.12 | DLP tooling requirement |
| Monitoring activities | A.8.16 | SIEM/alerting for anomaly detection |
| Web filtering | A.8.23 | Outbound traffic controls |
| Secure coding | A.8.28 | OWASP-aligned development practices |
Key change for SaaS vendors: The 2022 revision explicitly addresses cloud service agreements (A.5.23). You must now document which security controls are your responsibility versus your cloud provider’s (AWS/GCP/Azure shared responsibility model). This is non-negotiable for auditors.
Scoping Your ISMS for a SaaS Product
The Information Security Management System (ISMS) scope definition is the most consequential decision in your certification journey. A poorly scoped ISMS either fails audit or requires rebuilding.
Scope Definition Principles
For a SaaS vendor, a typical ISMS scope covers:
- The SaaS application and its production infrastructure
- The development and CI/CD pipeline (if handling customer data)
- The data centers / cloud regions where customer data resides
- Personnel with access to production systems or customer data
- Third-party suppliers with access to in-scope systems
Common Scoping Mistakes
| Mistake | Consequence |
|---|---|
| Including all company systems | Tripling the control surface area and audit time |
| Excluding CI/CD from scope | Auditors will flag this — it’s where code ships from |
| Not defining asset inventory | Cannot demonstrate control of what you don’t list |
| Vague scope statement | Auditor discretion = unpredictable audit scope expansion |
| Forgetting contractors | Third parties with prod access must be in scope |
Certification Timeline: 4–8 Months for SaaS
A realistic timeline for a 20–100 person SaaS vendor from zero to certificate:
| Phase | Duration | Key Deliverables |
|---|---|---|
| Gap assessment | 2–4 weeks | Baseline against 93 controls, risk register |
| ISMS design | 4–6 weeks | Policies, procedures, Statement of Applicability |
| Control implementation | 6–10 weeks | Technical and organizational controls live |
| Internal audit | 2–3 weeks | Pre-audit dry run, non-conformities logged |
| Stage 1 audit (document review) | 1–2 weeks | Auditor reviews ISMS documentation |
| Stage 2 audit (on-site/remote) | 1–2 weeks | Evidence review, interviews, testing |
| Certificate issuance | 2–4 weeks | After zero major non-conformities |
Total: 4–8 months depending on your starting baseline and internal bandwidth.
SaaSFort Tip: Companies that have already completed SOC 2 Type II cut 30–40% off their ISO 27001 timeline. The control overlap between the two frameworks is substantial — particularly in access control, incident response, and availability monitoring.
Cost Breakdown: €25K–€80K for First Certification
Certification costs vary by company size, scope complexity, and whether you use a consultant.
| Cost Item | Low Estimate | High Estimate | Notes |
|---|---|---|---|
| Certification body fees (Stage 1+2) | €6,000 | €18,000 | BSI, Bureau Veritas, DNV, TÜV |
| External consultant / vCISO | €8,000 | €30,000 | Optional but accelerates timeline |
| GRC tooling (Drata, Vanta, Sprinto) | €4,000 | €12,000/yr | Automates evidence collection |
| Internal engineering hours | €8,000 | €20,000 | Estimate: 80–200 hours at €100/hr |
| Total (Year 1) | €26,000 | €80,000 | |
| Annual surveillance audit (Year 2–3) | €4,000 | €10,000 | Lighter-touch annual check |
| Recertification (Year 3) | €6,000 | €18,000 | Full re-audit every 3 years |
Common Audit Failures — and How to Prevent Them
Based on audit patterns across SaaS vendors, these are the non-conformities most frequently cited by ISO 27001 auditors:
| Failure | Root Cause | Prevention |
|---|---|---|
| Incomplete risk assessment | Generic risk register, not tied to assets | Map each risk to a specific asset and owner |
| Undocumented supplier assessments | Vendors assessed informally or not at all | Quarterly supplier review process with records |
| Missing access review logs | No evidence of periodic access reviews | Quarterly IAM audit with sign-off |
| Untested incident response | IR plan exists on paper only | Tabletop exercise at least annually |
| No internal audit | Teams skip the pre-audit dry run | Schedule internal audit 6 weeks before Stage 2 |
| Configuration drift | Infrastructure diverges from documented baseline | IaC enforces baseline; drift detected by monitoring |
| Training records missing | Employees trained but no records kept | LMS with completion tracking per employee |
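The "missing access review logs" row above is the one most easily closed with a small amount of automation: the review itself is cheap, the missing piece is usually a dated record with findings and a named reviewer. The script below is an added example (not SaaSFort's or any cloud provider's code) that runs a quarterly review over a constructed IAM user export. The export layout and the field names (user, roles, mfa_enabled, last_activity) are assumptions; adapt them to whatever your identity provider actually exports. It flags privileged accounts without MFA and any account inactive for longer than a set window, then packages the result as a review record with a sign-off field, which is the evidence shape an auditor asks for.

```python
"""Quarterly access review over a constructed IAM user export.

Added example, not the page's or SaaSFort's code. The export format and
field names are assumptions; the accounts below are constructed samples.
"""
from datetime import date, timedelta

# Constructed sample export: one row per identity (no real accounts).
ACCOUNTS = [
    {"user": "alice", "roles": ["admin"], "mfa_enabled": True, "last_activity": "2026-03-01"},
    {"user": "bob", "roles": ["admin"], "mfa_enabled": False, "last_activity": "2026-02-20"},
    {"user": "carol", "roles": ["developer"], "mfa_enabled": True, "last_activity": "2025-10-05"},
    {"user": "ci-deploy", "roles": ["deployer"], "mfa_enabled": False, "last_activity": "2026-03-02"},
    {"user": "dave", "roles": ["billing-admin"], "mfa_enabled": True, "last_activity": "2025-11-30"},
]

# Roles treated as privileged for the MFA check (assumed names).
PRIVILEGED_ROLES = {"admin", "billing-admin"}
# Accounts idle longer than this are candidates for removal.
INACTIVITY_DAYS = 90


def is_privileged(account, privileged=PRIVILEGED_ROLES):
    """True if any of the account's roles is in the privileged set."""
    return bool(set(account["roles"]) & privileged)


def review_accounts(accounts, today_iso, privileged=PRIVILEGED_ROLES, inactivity_days=INACTIVITY_DAYS):
    """Return a list of findings, each {"user": ..., "issue": ...}.

    Two checks: privileged accounts must have MFA, and no account may be
    idle for longer than inactivity_days as of today_iso (YYYY-MM-DD).
    """
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=inactivity_days)
    findings = []
    for acct in accounts:
        if is_privileged(acct, privileged) and not acct["mfa_enabled"]:
            findings.append({"user": acct["user"], "issue": "privileged account without MFA"})
        if date.fromisoformat(acct["last_activity"]) < cutoff:
            findings.append({"user": acct["user"], "issue": f"no activity for more than {inactivity_days} days"})
    return findings


def review_record(accounts, today_iso, reviewer):
    """Build the dated, attributable record that serves as audit evidence.

    sign_off stays False until the accountable owner confirms that every
    finding has a remediation ticket; that confirmation is the evidence.
    """
    return {
        "review_date": today_iso,
        "reviewer": reviewer,
        "accounts_reviewed": len(accounts),
        "privileged_accounts": sorted(a["user"] for a in accounts if is_privileged(a)),
        "findings": review_accounts(accounts, today_iso),
        "sign_off": False,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review_record(ACCOUNTS, "2026-03-15", "cto"), indent=2))
```

Store each quarter's record (as JSON, a ticket, or a row in your GRC tool) rather than overwriting it; the auditor wants to see the series of reviews, not only the latest one.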
ISO 27001 vs SOC 2 vs CAIQ vs SIG
For SaaS vendors active in multiple geographies, you will face a combination of these frameworks. Understanding overlap avoids duplicate effort.
| Framework | Primary Market | Assessment Type | Recurrence | Overlap with ISO 27001 |
|---|---|---|---|---|
| ISO 27001 | EMEA (primary) | Third-party certification | 3-year cycle + annual surveillance | — |
| SOC 2 Type II | North America | CPA audit report | Annual | ~60% control overlap |
| CAIQ v4 | Cloud procurement | Self-assessment | On-request | ~45% |
| SIG Core | Financial services | Self-assessment + evidence | Per-relationship | ~55% |
| DORA (ICT) | EU financial sector | Contractual + regulatory | Ongoing | ~30% (A.5.30, resilience) |
The Dual-Track Strategy (ISO 27001 + SOC 2)
For SaaS vendors targeting both EMEA and North American enterprise:
- Start with ISO 27001 — broader control set, EMEA gate requirement
- Map to SOC 2 — use your existing ISMS policies + evidence for SOC 2 Trust Service Criteria
- Use CAIQ/SIG as derivative outputs — your ISMS documentation answers 60–70% of both questionnaires automatically
This approach reduces total compliance cost by 35–50% versus pursuing each framework independently.
SaaSFort Control Mapping: Technical Controls
SaaSFort’s automated scans address the following ISO 27001:2022 Annex A technical controls:
| Control ID | Control Name | SaaSFort Coverage |
|---|---|---|
| A.8.2 | Privileged access rights | OWASP broken access checks |
| A.8.5 | Secure authentication | Auth header analysis, HTTPS enforcement |
| A.8.7 | Protection against malware | Dependency exposure checks |
| A.8.9 | Configuration management | Security header baseline |
| A.8.16 | Monitoring activities | Exposed endpoint detection |
| A.8.20 | Network security | TLS/SSL configuration |
| A.8.21 | Security of network services | HTTP methods, exposed services |
| A.8.23 | Web filtering | Outbound link analysis |
| A.8.25 | Secure development lifecycle | SRI check, CSP implementation |
| A.8.28 | Secure coding | OWASP Top 10 mapping per finding |
Each SaaSFort Deal Report includes an explicit A.8 control coverage table — directly referenceable in audit evidence packages.
Your 30-Day ISO 27001 Quick Start Plan
If you’re 0% into ISO 27001 and need to show progress to a prospective buyer:
Week 1 — Scope + asset inventory
- Define ISMS scope (production systems + in-scope staff)
- Build asset inventory: servers, repos, databases, SaaS tools with customer data
- Assign an ISMS owner (CTO, CISO, or senior engineer)
Week 2 — Risk assessment baseline
- List top 20 risks against your asset inventory
- Score likelihood × impact (1–5 scale)
- Document existing controls and gaps
Week 3 — Priority control implementation
- Enforce MFA on all admin accounts and cloud consoles
- Document access review process and run first review
- Create incident response procedure (even one page is a start)
Week 4 — Documentation + evidence package
- Write Information Security Policy (1–2 pages, board-signed)
- Run SaaSFort scan → generate Deal Report as technical evidence baseline
- Create Statement of Applicability draft (list applicable controls)
By the end of Week 4, you have a credible ISMS foundation to present to a prospective buyer — and a documented path to full certification.
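The Week 2 risk baseline is where the "incomplete risk assessment" finding from the audit-failures section is either avoided or baked in. The script below is an added example (not the page's or SaaSFort's code) showing the shape a register should have: every risk references an asset from the Week 1 inventory, names an owner, and carries a 1–5 likelihood and impact score. Entries that break those rules are reported as non-conformities instead of being silently scored, and the valid ones are ranked by likelihood × impact with a flag for open gaps that need treatment. The asset inventory, the risk entries and the field names are all constructed for the example.

```python
"""Risk register baseline: risks tied to inventoried assets and owners,
scored likelihood x impact on a 1-5 scale.

Added example, not the page's or SaaSFort's code. Inventory, risk entries
and field names are constructed for illustration.
"""

SCALE = range(1, 6)  # valid likelihood and impact values: 1-5

# Constructed Week 1 asset inventory (asset name -> metadata).
ASSET_INVENTORY = {
    "prod-db": {"type": "database", "owner": "platform-lead"},
    "api-gateway": {"type": "service", "owner": "platform-lead"},
    "github-org": {"type": "repo", "owner": "cto"},
    "helpdesk-saas": {"type": "saas-tool", "owner": "support-lead"},
}

# Constructed risk entries; R3 and R4 deliberately violate the rules.
RISKS = [
    {"id": "R1", "asset": "prod-db", "owner": "platform-lead", "likelihood": 3, "impact": 5,
     "description": "Backup restore has never been exercised",
     "controls": ["nightly snapshots"], "gaps": ["quarterly restore drill"]},
    {"id": "R2", "asset": "github-org", "owner": "cto", "likelihood": 2, "impact": 4,
     "description": "Unreviewed code merged to main",
     "controls": ["branch protection", "required review"], "gaps": []},
    {"id": "R3", "asset": "legacy-ftp", "owner": "", "likelihood": 4, "impact": 3,
     "description": "Unlisted host with customer exports",
     "controls": [], "gaps": ["decommission"]},
    {"id": "R4", "asset": "helpdesk-saas", "owner": "support-lead", "likelihood": 6, "impact": 2,
     "description": "Support agents can export all tickets",
     "controls": ["role-based access"], "gaps": ["export logging"]},
]


def validate_risk(risk, inventory):
    """Return the list of rule violations for one entry (empty if it is sound)."""
    problems = []
    if risk["asset"] not in inventory:
        problems.append(f"asset '{risk['asset']}' not in inventory")
    if not risk.get("owner"):
        problems.append("no owner assigned")
    for field in ("likelihood", "impact"):
        if risk[field] not in SCALE:
            problems.append(f"{field} {risk[field]} outside 1-5 scale")
    return problems


def score(risk):
    """Inherent risk score: likelihood x impact (max 25 on a 1-5 scale)."""
    return risk["likelihood"] * risk["impact"]


def build_register(risks, inventory, top_n=20):
    """Split entries into a ranked register and a non-conformity list.

    ranked: valid risks, highest score first (ties broken by id), each with
            its score and whether open gaps require a treatment decision.
    nonconformities: risk id -> list of violations, to fix before audit.
    """
    ranked, nonconformities = [], {}
    for risk in risks:
        problems = validate_risk(risk, inventory)
        if problems:
            nonconformities[risk["id"]] = problems
            continue
        ranked.append({**risk, "score": score(risk), "needs_treatment": bool(risk["gaps"])})
    ranked.sort(key=lambda r: (-r["score"], r["id"]))
    return {"ranked": ranked[:top_n], "nonconformities": nonconformities}


if __name__ == "__main__":
    register = build_register(RISKS, ASSET_INVENTORY)
    for r in register["ranked"]:
        flag = "TREAT" if r["needs_treatment"] else "accept"
        print(f"{r['id']} score={r['score']:2d} asset={r['asset']} owner={r['owner']} {flag}")
    for rid, problems in register["nonconformities"].items():
        print(f"{rid}: NON-CONFORMING: {'; '.join(problems)}")
```

The ranked output is the "top 20 risks" list for Week 2; the non-conformity list tells you which entries an auditor would have rejected, which is the point of validating against the inventory rather than free-typing asset names.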