BastionSec
Certification · ISO/IEC 27001:2022

ISO 27001: the certification your EU clients ask for, earned for real.

We take you from ISMS to the certification audit. The certificate is issued by an accredited body, independent from us, and that's exactly what makes it hold up with clients, investors and auditors.

  • We support you, we don't certify: the accredited body assesses and issues it.
  • ISMS, risk assessment and SoA across the 93 Annex A controls.
  • Honest timelines: preparation typically takes 3-6 months depending on your readiness.

Who ISO 27001 is for

Quick self-qualification: do you recognise yourself in one of these?

B2B SaaS with a stuck deal

An enterprise buyer is holding the contract because they require a security certification. We tackle it first.


Startup heading into due diligence

You're preparing for a round or due diligence and need to look credible to investors and clients.


Non-EU company entering the EU

You sell or operate in Italy/the EU, where ISO 27001 is the common language of security.


What ISO 27001 certification is

ISO/IEC 27001:2022 is the international, certifiable standard for an ISMS: an Information Security Management System. It isn't a document: it's a set of processes, controls and evidence proving you manage risk systematically.

The certificate is valid for 3 years, with annual surveillance audits and recertification in year 3.

Want to understand the requirements and clauses first? Read the full guide to ISO 27001 on our standard page.

Who does what: us, you, and the certification body

Transparency on roles. We don't certify you, and we couldn't: whoever implements an ISMS cannot audit it (independence principle, ISO/IEC 17021). That separation is what gives your certificate its value.

Us (BastionSec)

Gap analysis, ISMS scoping, risk assessment, SoA, policies/procedures, controls implementation, internal audit, Stage 1/2 prep.

You (client)

Business decisions, access to systems and people, real adoption of policies and controls, operational evidence.

Accredited body

Conducts the certification audit (Stage 1 + Stage 2), assesses independently and issues the certificate.

What you get along the way

  • Gap analysis and ISMS scope (clauses 4-6).
  • Risk assessment with a documented methodology, risk register and risk treatment plan.
  • Statement of Applicability (SoA) across the 93 Annex A controls (4 themes: Organizational, People, Physical, Technological).
  • A set of policies and procedures (Information Security Policy, Access Control, Crypto, Supplier, Incident Management, Business Continuity…).
  • Technical controls implementation (access, MFA/SSO, logging, backups, vulnerability management).
  • Internal audit and management review before certification.
  • Stage 1 (documentation review) and Stage 2 (audit) support, and findings management.

How we get there

A staged method. AI speeds up the repetitive part (document production, evidence collection, first-pass analysis); people do the analysis and validate every deliverable. Your data stays protected: it's our day job.

  1. Gap analysis

     We photograph where you stand against the standard.

  2. Risk assessment & SoA

     Risks, treatment and Statement of Applicability.

  3. Policies and documentation

     Tailored policies and procedures, not template-and-go.

  4. Implementation

     We put the technical and organisational controls in place.

  5. Internal audit

     Internal review and management review before certification.

  6. The body's audit

     Stage 1 and Stage 2 by the accredited body.

  7. Certification and maintenance

     Certificate, surveillance and recertification.

How long it really takes

  1. Preparation: typically 3-6 months

     It depends on your starting point: an already-structured company moves faster, one starting from scratch needs more time.

  2. The body's audit: Stage 1 + Stage 2

     Documentation review (Stage 1) and certification audit (Stage 2).

  3. Certificate valid for 3 years, with annual surveillance

     Annual surveillance audits and recertification in year 3.

When you write to us we tell you where you stand right away. No sight-unseen promises.

What it costs

Tiered transparency: we give you a 'from' price and a range for the ISO 27001 path, pinned down after the gap analysis (scope drives price).

We're not the cheapest, we're the most efficient: AI lets us work faster, and that shows up in the price, without cutting quality. See the pricing page for the ranges.

Certification isn't an event: it's a state

ISO 27001 requires annual surveillance and recertification in year 3. With the continuous-security retainer we keep the ISMS alive, so you reach every surveillance audit ready.

Continuous security

Policy and evidence updates, periodic internal audits and a maintained Trust Center, to reach every surveillance audit ready.


Audit & Pentest

Periodic pentests as concrete evidence for ISO surveillance and for your enterprise clients.


Frequently asked

Are ISO 27001 and SOC 2 the same thing?

No. ISO 27001 is a certification issued by an accredited body and valid for 3 years; SOC 2 is an attestation signed by a US CPA. EU clients usually ask for ISO 27001; US clients for SOC 2. Write to us and we'll figure out what you need.

Who issues the certificate? Do you?

No, and we couldn't: whoever implements the ISMS cannot certify it (independence, ISO/IEC 17021). We prepare and support you; an accredited certification body runs the audit and issues the certificate.

How long does it really take?

Preparation typically takes 3-6 months depending on your readiness, then the body's audit. We don't promise fixed timelines before seeing your starting point: that's what the gap analysis is for.

What do I need to have ready to start?

Nothing formal. We need access to your systems and the right people, plus genuine willingness to adopt the controls. The gap analysis photographs where you are.

How long does the certificate last?

3 years, with annual surveillance audits and recertification in year 3. Security must be maintained over time: that's why we offer a continuous-security retainer.

Is ISO 27001 enough to sell across the EU?

It's the common language of security across the EU and covers most client requests. Depending on your sector you may also need GDPR, NIS2 or DORA: write to us and we'll figure out what you need.

Do you use AI to write the policies? Can I trust them?

AI speeds up document production and first-pass analysis, but every deliverable is reviewed and validated by an expert. No 'generate-and-ship' policies. And your data stays protected.

Do you guarantee the certification?

No, and be wary of anyone who guarantees it: the outcome depends on an independent body's audit. What we do is genuinely take you through the controls and maximise your chances of success.

Go deeper

What ISO 27001 is

The full guide to the standard: requirements, clauses, Annex A. Informational, before you decide.


SOC 2

Certification vs attestation: when you need SOC 2 instead of (or alongside) ISO 27001.


Our method

The steps of the path and the model we work with, from gap analysis to maintenance.


Find out where you stand.

Tell us your need: we tell you what you actually need and how long it takes, honestly.