Definition
ISO/IEC 27001 is published jointly by ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission). It specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). The current edition is ISO/IEC 27001:2022.
The 2022 revision restructured Annex A from the 2013 edition's 14 control domains (114 controls) to 4 themes (Organisational, People, Physical, Technological) and 93 controls, 11 of which are new. ISO/IEC 27002:2022 is the implementation guidance for the Annex A controls; Annex A itself only lists them. Certificates issued against the 2013 edition must transition to the 2022 edition by 31 October 2025.
Certification requires an audit by an accredited certification body, conducted in two stages: a Stage 1 documentation review and a Stage 2 implementation audit. The certificate is typically valid for three years, with annual surveillance audits and a recertification audit at the end of each cycle.
Core components
- Clauses 4–10 (Management-system requirements). Context, leadership, planning, support, operation, performance evaluation, improvement — the management-system core. None of these clauses can be excluded from the scope of certification.
- Annex A 2022 controls (93 controls). Organised into Organisational (37), People (8), Physical (14), and Technological (34) themes. Annex A controls can be excluded, but only with a documented justification.
- Statement of Applicability (SoA). Document listing every Annex A control with its applicability, the justification for including or excluding it, and its implementation status. Required for certification.
- Risk assessment and risk treatment. A documented risk assessment process and a risk treatment plan are required; risk owners must approve the plan and accept the residual risk.
- Internal audit. The ISMS must be internally audited at planned intervals — typically annually, covering the whole ISMS over each certification cycle.
- Management review. Top-management review of the ISMS at planned intervals, with documented outputs.
Why it matters
ISO 27001 has become the international trust signal for information security. Many international procurement processes, particularly outside North America, require ISO 27001 before a vendor is considered.
For MSPs, ISO 27001 plays two roles: the MSP's own certification as a credibility signal for serving ISO-conscious clients, and ISO 27001 readiness delivered as a service to client tenants.
ISO 27001 and SOC 2 overlap substantially in control content, though they differ in form: ISO 27001 certifies a management system against a fixed control set, while a SOC 2 report attests to controls the organisation defines against the Trust Services Criteria. Many organisations pursue both, since SOC 2 is more accepted by North American technology buyers and ISO 27001 is more accepted internationally.
How Lavawall® helps with ISO/IEC 27001
Lavawall® treats ISO 27001 as a first-class framework. The 93 Annex A 2022 controls map to live evidence Lavawall® already collects from Windows / macOS / Linux endpoints and M365 / Entra / Azure / Google Workspace tenants. Controls that are organisational, people or physical in nature (policies, supplier contracts, training records, site access) still need documentary evidence alongside that telemetry.
Multi-tenant by design lets an MSP deliver ISO 27001 readiness across multiple client tenants from one console. The Statement of Applicability is generated from the live control implementation rather than from a generic template; decisions to exclude controls, and their justification, remain with the client's risk owners.
For organisations pursuing both ISO 27001 and SOC 2, the same evidence base satisfies both audits where the controls overlap.
Frequently asked
- ISO 27001 or SOC 2?
- Many enterprise procurement processes accept either. ISO 27001 is generally more accepted internationally; SOC 2 is more common among North American technology buyers.
- What is the difference between ISO 27001 and ISO 27002?
- ISO 27001 is the certifiable management-system standard. ISO 27002 is the implementation guide for the controls referenced in ISO 27001's Annex A; an organisation cannot be certified against ISO 27002 itself.
- How long does ISO 27001 certification take?
- Initial certification typically takes 6–12 months from the initial gap assessment to certificate issue, depending on starting maturity. Auditors expect to see the ISMS operating, including an internal audit and a management review, before the Stage 2 audit; continuous evidence collection shortens that timeline.