GlossaryPlain definitions for non-technical founders

ISO 27001.

ISO 27001 is an international standard for an information security management system, a documented and audited way of managing risk to the data your business holds. An accredited body certifies you against it, and the certificate is what an enterprise customer or partner often asks to see before they will sign. It is a commercial signal that you take data protection seriously, not a legal requirement.

01 / What ISO 27001 really is

It is a certification that an independent auditor grants when your way of managing information security meets a recognized international standard.

The heart of it is an information security management system, or ISMS. That is a plain way of saying you have written down what data you hold, what could go wrong, who is responsible, and what controls are in place, and that you keep it current instead of letting it rot. An accredited certification body reviews all of that, and if it holds up, you get a certificate that is valid for a set period with checks along the way.

For a founder who cannot read the code, the value is direct. When a large customer, an insurer, or an acquirer asks how you protect their data, ISO 27001 is a third party vouching that you have a real system rather than a shrug. That is why it comes up in sales cycles far more than in any law book. If you are weighing it against the North American equivalent, read our note on SOC 2 readiness alongside this one.

02 / ISO 27001 versus SOC 2

They cover similar ground, but ISO 27001 is a certification you pass, while SOC 2 is a report an auditor writes about you.

Buyers often ask for one or the other depending on where they are. ISO 27001 is the international standard, common when your customers are outside North America. SOC 2 is the report most US enterprise buyers request. If a customer has already told you which one they need, that decides it. If you are guessing, start with the one your biggest prospect is asking about.

SOC 2ISO 27001
What you getA report an auditor writes describing your controls.A certificate granted against an international standard.
Who tends to askUS enterprise customers and their security teams.International customers, partners, and some acquirers.
Shape of the workProve your controls operate over a window of time.Stand up and run a documented management system.
What triggers itA customer or deal asks for it.A customer or deal asks for it.

03 / When it is worth doing

The moment to act is when a customer, insurer, or acquirer asks, never because a headline told you to rush.

Certification takes real time and money to set up and keep running, so chasing it before anyone needs it is money spent early. The honest trigger is commercial. A deal stalls until you can show it, an insurer wants it on the policy, or a buyer wants it in diligence. When that happens, the fastest path is an audit that maps where you stand today against what the certificate expects, so you fix the real gaps instead of guessing.

  • + A named prospect or renewal is blocked on a security certificate
  • + An insurer or partner wants it written into the contract
  • + An acquirer or investor is asking about it in diligence
  • + You sell into markets where ISO 27001 is the default ask

Not sure which one your buyer means? Read what to do when a customer asks for SOC 2, or have our embedded team build the controls into the product. Start a conversation.

04 / How we help you get there

We build the software so the controls a certificate expects are already in place, then support the work to get certified.

Certification is easier when security was designed in from the start rather than retrofitted. That matters more as AI writes more of the code: research from Veracode in 2025 found that 45% of AI-generated code shipped with at least one OWASP Top-10 vulnerability. We build to the standard the certificate expects, following the practice we describe in secure by design, so the access rules, data handling, and evidence trail an auditor looks for are part of the system rather than a scramble the week before the review.

01

Audit first

We check where your software and process stand against the standard and hand you a plain list of gaps, in the order that matters.

credited to a build
02

Build to standard

We put the missing controls into the product itself, with the documentation and evidence an auditor expects to see.

you own every line
03

Stay accountable

We stay on to support the certification work and keep the system current, so the certificate does not lapse the day we leave.

audit-ready, not abandoned

Weighing ISO 27001 against SOC 2? Compare SOC 2 readiness before you commit. Start a conversation.

05 / Common questions

Do I legally have to be ISO 27001 certified?

No. ISO 27001 is a voluntary international standard, not a law. It comes up because a customer, insurer, or acquirer asks to see it before they will do business, not because a regulator requires it. Treat it as a commercial signal that unlocks deals and passes diligence, and pursue it when a real buyer is asking rather than on a rumor that it is now mandatory.

What is the difference between ISO 27001 and SOC 2?

ISO 27001 is a certification an accredited body grants you against an international standard, while SOC 2 is a report an auditor writes describing how your controls operate. US enterprise buyers usually ask for SOC 2, and international customers and partners more often ask for ISO 27001. If a customer has told you which one they need, that decides it. If not, start with the one your biggest prospect is requesting.

How long does ISO 27001 take to get?

It depends on how far your current setup already is from the standard, which is exactly what a software audit tells you. A build that was designed to standard from the start has far less to close than one where the controls were bolted on late. We map the gaps, build the missing controls into the product, and support the certification work so the timeline is driven by real findings rather than guesswork.

Can you get us certified, or just help?

The certificate itself is issued by an accredited certification body, not by us, and that independence is the point of it. What we do is make certification reachable. We audit where you stand, build the controls and evidence the standard expects into the software, and stay on to support the process. You end up audit-ready and built to the standard we describe in secure by design, owning every line, instead of scrambling before the review.

Do I need ISO 27001 if I already build to a high standard?

Building to a high standard and holding the certificate are different things. Good engineering lowers your risk, but ISO 27001 is a third party vouching for it in writing, which is what a cautious customer or acquirer wants to see. If nobody is asking, you may not need the certificate yet. When a deal, insurer, or buyer does ask, the certificate turns your good practice into something they can trust without taking your word for it.

Last updated June 2026 · Talk with Felipe

Your build

Taking on new builds

Have something in mind?

Tell us what you're making. We reply within a day with a fixed price and a date.