The moment you land your first enterprise client, you'll receive a security questionnaire. If you can't answer it — if you have no information security policy, no risk register, no documented access controls — the deal stalls. Or worse, it goes to a competitor who has their governance in order.

ISO 27001 is the international standard for information security management. It doesn't just protect your systems — it proves to enterprise buyers, investors and partners that you take security seriously and have the documentation to back it up.

Why ISO 27001 Matters for SaaS Companies Under 50 People

Ten years ago, ISO 27001 was considered a large enterprise concern. That has changed significantly. Today:

  • Financial services firms routinely require ISO 27001 from all SaaS vendors in their supply chain
  • Public sector procurement in Ireland and the UK increasingly mandates it
  • Enterprise sales cycles commonly include a security review that stalls without it
  • Investors conducting due diligence expect evidence of security governance

For a 20-person SaaS company, ISO 27001 is not bureaucracy — it is a commercial unlock.

What ISO 27001 Actually Requires

ISO 27001 requires you to establish, implement, maintain and continually improve an Information Security Management System (ISMS). At its core this means:

1. Scope Definition

Defining exactly what systems, processes, data and people are within the boundary of your ISMS. For a SaaS company this typically includes your cloud infrastructure, software development process, customer data handling and employee access management.

2. Risk Assessment and Risk Register

Identifying and documenting the risks to your information assets — and deciding how to treat each one (accept, mitigate, transfer or avoid). This is the foundation of the entire standard.

3. Policies and Procedures

Documented policies covering: information security, acceptable use, access control, data classification, incident response, business continuity, change management and vendor management. These must be tailored to your business — not generic templates.

4. Controls Implementation (Annex A)

ISO 27001's Annex A lists 93 controls across four categories: organisational, people, physical and technological. You don't need all 93 — you need the ones relevant to your risk profile. A Statement of Applicability (SoA) documents which controls you've selected and why.

5. Evidence and Audit Trails

The certification auditor needs to see that your policies are actually followed — not just written. This means access logs, training records, incident logs, review meeting minutes and change approval records.

The most common gap we find in SaaS companies is this: they have some policies written but zero evidence that those policies are followed. Auditors don't just read your policy documents — they ask for proof.

The ISO 27001 Certification Process

Step 1 — Readiness (your preparation phase)

This is where you build everything: ISMS scope, risk register, policies, controls, SoA and evidence. This is what Plotwise Digital helps with. The goal is to reach a state where you are genuinely ready before paying for a formal audit.

Step 2 — Stage 1 Audit (documentation review)

The accredited certification body reviews your documentation to check it meets the standard's requirements. Issues raised here delay the Stage 2 audit. Good preparation eliminates most Stage 1 findings.

Step 3 — Stage 2 Audit (implementation audit)

The auditor tests whether your controls are actually working. They will interview staff, review logs and access records, and test whether people in your organisation actually know and follow the documented procedures.

Step 4 — Certification

If the audit is successful, you receive ISO 27001 certification, valid for three years with annual surveillance audits.

How Long Does It Take?

For a 20-person SaaS company starting from scratch, realistic timelines are:

  • With specialist help: 3–6 months from kickoff to audit-ready
  • DIY approach: 9–18 months (if it gets done at all)
  • Stage 1 + Stage 2 audit: 4–8 weeks after submitting for certification

The difference is not just speed — it's quality. Companies that try to build their ISMS internally often produce documentation that looks complete but fails Stage 2 because it's not actually embedded in how the business operates.

How Much Does ISO 27001 Certification Cost?

Total cost typically breaks down into:

  • Preparation/consulting: From €12,000 (depending on scope and starting point)
  • Certification body audit fees: From €5,000 (depending on company size)
  • Annual surveillance audits: From €2,000/year

These numbers look significant — but compare them to a single enterprise deal worth €50,000+ ARR that stalled because you couldn't pass their security review. For most SaaS companies, certification pays for itself with the first contract it unlocks.

Where to Start

The most practical first step is a governance gap assessment — a structured review of your current state against the ISO 27001 requirements. This tells you exactly where you are, what you're missing and how long it will realistically take to get ready. It prevents you from spending money on certification before you're prepared to pass.

Start With a Free Governance Review

Book a 30-minute call with a Plotwise Digital governance specialist. We'll assess your current security posture and give you an honest view of what ISO 27001 readiness would take for your business.
