
What is FedRAMP 20x? 

by: A-LIGN, 16 Jun 2025, 3 mins

FedRAMP

The federal cloud landscape is changing with FedRAMP 20x. Announced in March 2025, this pilot initiative aims to accelerate the path to FedRAMP authorization, cutting timelines from years to weeks. By simplifying the process and relying on automation and machine-readable evidence, FedRAMP 20x offers a streamlined, cloud-native approach to federal security compliance.

FedRAMP 20x

FedRAMP 20x addresses long-standing problems with the FedRAMP authorization process. Traditionally, authorization took years and required extensive documentation and multiple layers of review. FedRAMP 20x aims to simplify that process so that cloud services can be authorized in weeks.

Key improvements include: 

  • Automation of compliance: Using machine-readable evidence and processes to reduce manual documentation and review.
  • Adoption of industry standards: Aligning with frameworks such as SOC 2 and ISO 27001 so that CSPs can reuse existing security investments and assessment evidence.
  • Continuous monitoring: Validating security posture through ongoing, near-real-time data rather than periodic point-in-time audits.
  • Direct collaboration: Encouraging more agile working relationships between Cloud Service Providers (CSPs) and federal agencies.
  • Rapid innovation: Removing delays so that agencies can adopt secure cloud services faster.

This initiative prioritizes flexibility, empowering CSPs and agencies to work more directly and limit bureaucratic bottlenecks. 

Phase 1 pilot program overview

Phase 1 represents a crucial testing ground for FedRAMP 20x, showcasing how streamlined processes and automation can revolutionize cloud compliance for the federal space. 

Quick milestones

The first phase of FedRAMP 20x focuses on low-impact cloud systems. Open to any CSP, it replaces the traditional 325-item control baseline with a shorter list of Key Security Indicators (KSIs). Participants submit machine-readable security documentation, which is assessed by a Third Party Assessment Organization (3PAO). Systems that pass can achieve provisional authorization in weeks.

  • Timeline: Formal submissions started May 30, 2025.  
  • Fast-track approvals: CSPs earning low-impact authorization may gain priority for FedRAMP Moderate authorizations in the next phase. 

Participation criteria 

Providers suited for Phase 1 typically: 

  • Host their solution on an already FedRAMP-authorized cloud platform.
  • Offer relatively simple, internet-facing services.
  • Already maintain a strong security posture, demonstrated through frameworks such as SOC 2 or a recent federal Authority to Operate (ATO).
  • Work with a FedRAMP-accredited 3PAO to perform the assessment.

The removal of the federal sponsorship requirement for low-impact systems widens access, making compliance achievable for emerging providers and small businesses. 

Benefits of FedRAMP 20x

For CSPs targeting the federal market, FedRAMP 20x offers major benefits:

  • Faster approvals: Reduce authorization timelines from years to weeks. 
  • Easier processes: Minimized paperwork and increased automation lower costs and effort. 
  • Self-initiation: No agency sponsor needed for low-impact systems, opening opportunities for smaller providers. 
  • Cloud-native alignment: Requirements are more developer-friendly, focusing on agility and outcomes. 
  • Encouraged innovation: Continuous monitoring ensures new features can roll out quickly without delaying compliance. 

By lowering barriers and fostering competition, FedRAMP 20x brings more providers into the federal sector, supporting rapid technological advancement. 

Getting ready for FedRAMP 20x

To get ready for FedRAMP 20x, CSPs should take these steps: 

  • Learn the new standards: Study the draft KSIs to understand the security outcomes that will be assessed.
  • Assess readiness: Compare your current compliance posture against the pilot's criteria and identify gaps.
  • Engage with stakeholders: Join the FedRAMP community working groups for updates and insight into how the pilot is evolving.
  • Prepare evidence: Plan how you will produce machine-readable security evidence, and work with a 3PAO early to streamline the assessment.
  • Maintain the basics: Continue following the FedRAMP Rev. 5 baseline, as the traditional authorization route remains valid and higher-impact systems are not yet covered by the pilot.

Organizations meeting Phase 1 criteria should consider joining the pilot to gain early access and a competitive edge. Even if you delay participation, investing in automation and compliance improvements now will prepare you for FedRAMP 20x expansion to higher-impact systems. 

How A-LIGN can support your FedRAMP journey

Navigating FedRAMP alone can be challenging. A-LIGN, as a trusted FedRAMP-accredited 3PAO, offers expert guidance for traditional FedRAMP and the 20x pilot. 

  • Readiness assessment: We help identify gaps, align security controls, and prepare your team for FedRAMP requirements. 
  • Assessment and documentation: Our expertise ensures seamless evaluations, minimizing surprises during the submission process. 
  • Continuous monitoring: A-LIGN supports post-authorization security through ongoing assessments and adaptable strategies. 

With FedRAMP 20x reshaping compliance standards, having a knowledgeable partner can make all the difference. We’re committed to supporting you at every stage, from preparation to long-term success. 

Red Teaming Explained 

by: A-LIGN, 11 Jun 2025, 3 mins

Pen Test

Cyber threats are becoming more sophisticated by the day. For organizations serious about fortifying their defenses, “red teaming” has become an indispensable practice. But what exactly is red teaming, and why does it hold such an important place in modern cybersecurity strategies? 

In this guide, we’ll break down the concept of red teaming, walk you through its process, explain how it differs from penetration testing, and outline its benefits.  

What is red teaming? 

Red teaming is a process used to simulate an adversary's attack on a system, organization, or network in order to test its security, resilience, and response capabilities. The "Red Team" is a group of experts who take on the role of an attacker, attempting to exploit vulnerabilities and identify weaknesses across an organization's people, processes, and technology.

Unlike routine security checks, red teaming is a holistic exercise. It evaluates not just technological vulnerabilities but also human and procedural gaps, offering a more comprehensive view of an organization’s readiness. It mimics real-world scenarios, forcing organizations to test their detection, response, and prevention mechanisms under controlled conditions. 

When should you use red teaming? 

Red teaming is especially valuable for organizations that: 

  1. Handle sensitive customer data or intellectual property. 
  2. Operate in highly regulated industries, like finance or healthcare. 
  3. Desire to conduct an advanced security assessment beyond standard penetration testing. 

What is the process of a Red Team exercise?

Red Team exercises are methodical, typically following these six key steps to simulate an attack and assess an organization’s weaknesses: 

1. Define objectives & scope 

Before launching an exercise, the Red Team and the organization establish clear goals (for example, reaching a specific system or data set) and agree on boundaries and rules of engagement: which systems, people, and processes are in scope, and which are off limits. The Red Team then conducts extensive reconnaissance to gather information about the target systems, organization, and personnel.

2. Planning & strategy 

The Red Team then develops a detailed plan outlining the methods, tools, and tactics it will use during the exercise. This step ensures the engagement stays aligned with the agreed scope and objectives.

3. Attack simulation 

Once potential weaknesses are identified, the Red Team attempts to exploit them using the tactics, techniques, and procedures (TTPs) of real-world adversaries. After gaining initial access, the team establishes persistence and moves laterally through the environment to achieve the defined objectives, such as reaching sensitive data or critical systems, while observing whether the organization detects and responds to the activity.

4. Reporting & documentation 

Following the exercise, a comprehensive report is produced detailing the TTPs used, how vulnerabilities were identified and exploited, what was and was not detected, and actionable recommendations for improving security controls.

5. Recommendations 

The Red Team will then provide actionable recommendations to mitigate identified risks and strengthen the organization’s defenses. 

6. Post-engagement debrief 

The last step in the process is to conduct a thorough review of the exercise with stakeholders, highlighting lessons learned and discussing the implementation of mitigation strategies. 

How is red teaming different from penetration testing?

Although both help ensure organizations are protected against cybersecurity threats, the two services play different roles.

Penetration testing focuses on identifying and exploiting specific vulnerabilities within a defined scope. It simulates attacks to evaluate the security of particular systems, networks, or applications, and defenders are typically aware that the test is taking place.

Red teaming takes a broader, objective-based approach. It simulates a realistic end-to-end attack to assess an organization's overall security posture, chaining multiple TTPs to replicate the methods of advanced adversaries. Because the defending team is often not told when the exercise begins, red teaming also measures how well detection and response actually work, not just which vulnerabilities exist.

What are the benefits of red teaming? 

Red teaming offers significant benefits for organizations serious about cybersecurity: 

  1. Proactively identify and resolve risk
    Red teaming goes beyond basic assessments to uncover critical vulnerabilities and provide deeper insight into your organization's unique systems, culture, and weaknesses. This proactive approach helps identify and resolve risks before an attacker can exploit them, protecting your organization from costly breaches and disruptions.
  2. Deeper security alignment with industry standards
    Effective red team exercises aren't just about fixing vulnerabilities. They also provide evidence that your security program meets the testing expectations of industry standards and regulatory frameworks such as FedRAMP and ISO 27001, and can support an organization's path to FedRAMP Rev. 5 compliance.
  3. Enhanced incident response
    Conducting regular red team exercises sharpens incident response capabilities. They create realistic, high-pressure scenarios in which teams practice detecting and mitigating threats, building stronger and more agile response capabilities over time.
  4. Comprehensive security evaluation
    Unlike traditional vulnerability scans, red teaming evaluates your organization holistically. It goes beyond technical defenses to assess workflows, people, and overall readiness to handle sophisticated threats.

Red teaming is the future of proactive cyber defense

As cyber threats grow more sophisticated, so must an organization’s defenses. Red teaming helps security professionals and IT managers go beyond checkbox compliance to truly assess and improve their resilience to attacks. By simulating real-world scenarios, red teaming provides a 360-degree view of security posture. 

Want to take your cybersecurity to the next level? Our certified Red Teamers bring deep technical knowledge and the relevant credentials. With a track record of zero rejections and seamless acceptance, we ensure your red teaming exercise is compliant, efficient, and delivered without delays. Contact us today to get started.

ISO 27001 as a Strategic Foundation for EMEA Compliance

by: Patrick Sullivan, 04 Jun 2025, 4 mins

EMEA, ISO 27001

Across the EU and the broader EMEA region, regulations such as the EU AI Act, DORA, and NIS2 are redefining what security, privacy, and operational resilience require. According to our 2025 Compliance Benchmark Report, 85% of UK and Ireland (UKI) businesses anticipate changes to their compliance strategy as these regulations come into force. These frameworks do not only mandate controls; they also require traceability, oversight, and measurable performance. Organizations that treat compliance as a checklist will find themselves reacting to audits, buyer concerns, and enforcement notices. Conversely, organizations that adopt a system-based approach have an opportunity to align security and privacy with business resilience, buyer trust, and growth.

Instead of responding to each demand separately, organizations should use ISO/IEC 27001:2022 to build a structured system that addresses many needs at once. ISO 27001 establishes a management system that enables businesses to systematically govern, operate, and improve their information security programs. When extended with ISO/IEC 27701, the system also supports global privacy obligations. 

For an overview of ISO 27001 and how it structures security governance, see our dedicated primer, ISO 27001: Everything You Need to Know. 

As a brief summary, ISO 27001 is the international standard for building an Information Security Management System (ISMS). It defines a structured approach to: 

  • Identify and treat information security risks 
  • Define leadership roles and responsibilities 
  • Set measurable security objectives 
  • Document policies and operational controls 
  • Continuously monitor, evaluate, and improve 

ISO 27001 is not a checklist of technical tools, but a full management system focused on how security is governed and maintained across your organization. 

How ISO 27001 supports internal stakeholders 

Internal leadership needs confidence that security and privacy risks are being properly managed. An ISO 27001-aligned ISMS creates that confidence by: 

  • Assigning clear ownership for information security 
  • Aligning security objectives with business goals 
  • Ensuring risk assessments are conducted regularly 
  • Requiring internal audits and leadership reviews 
  • Driving continual improvement over time 

The ISMS creates a predictable and verifiable framework that leadership can rely on for reporting, decision-making, and accountability. 

How ISO 27001 addresses customer requirements 

Many customer contracts now require evidence of strong information security and privacy practices. An ISO 27001-certified ISMS helps meet these requirements by: 

  • Providing globally recognized certification to reference during contract negotiations 
  • Supplying standardized evidence such as a Statement of Applicability and audit results 
  • Documenting incident response, access control, and supplier management processes 
  • Reducing the time and complexity of customer security reviews 

When organizations add ISO 27701 to the ISMS, they are also better placed to meet privacy-related contractual obligations such as data subject rights management, consent tracking, and lawful processing requirements.

How ISO 27001 helps meet regulatory obligations 

New regulations are setting higher standards for security and resilience. ISO 27001, combined with ISO 27701, provides a strong operational foundation for compliance with: 

DORA (Digital Operational Resilience Act) 

For financial entities and their critical ICT third-party providers in the EU, DORA requires organizations to manage ICT risk, test resilience, oversee third parties, and report incidents. ISO 27001 supports these activities by:

  • Establishing governance for ICT risk 
  • Requiring ongoing risk assessments and treatment plans 
  • Building formalized incident response and monitoring processes 
  • Supporting third-party risk management through supplier controls 

NIS2 (Network and Information Security Directive) 

NIS2 expands cybersecurity obligations across essential and important sectors. ISO 27001 aligns with NIS2 by:

  • Documenting organizational risk management practices 
  • Formalizing business continuity and incident response 
  • Enforcing supply chain risk management measures 
  • Requiring evidence of security testing and audits 

DSA (Digital Services Act) 

While DSA is primarily focused on content moderation and systemic risk in digital platforms, ISO 27001 supports operational resilience and user data protection requirements. 

Adding ISO 27701 strengthens the organization’s ability to manage lawful data processing, user consent, and data subject rights under DSA privacy obligations. 

Why privacy management should be included 

Security is only part of the equation. Privacy laws like GDPR, CCPA, and others require organizations to prove that personal data is collected, processed, and protected properly. ISO 27701 extends ISO 27001 by adding: 

  • Lawful basis documentation for personal data processing
  • Procedures for managing consent and data subject rights 
  • Controls for data minimization and purpose limitation 
  • Oversight of third-party data processors  

By implementing ISO 27701 together with ISO 27001, organizations can build a single, integrated system that supports both security and privacy compliance. 

Building a sustainable system 

ISO 27001 is built around continual improvement. Organizations must regularly review risks, measure performance, conduct internal audits, and update controls. This approach ensures that the ISMS is not a static project: it adapts to new threats, new regulations, and new business priorities without needing to be rebuilt each time external expectations change. A sustainable ISMS gives organizations the operational flexibility needed to stay ahead of customer demands and regulatory shifts, leaving room to innovate while keeping organizational risk within accepted limits.

ISO 27001, supported by ISO 27701 for privacy and ISO/IEC 27036-1 for supplier relationships, provides a practical foundation for organizations operating in the EMEA region. It enables clients to address diverse regulatory obligations through a single, scalable system. It also allows them to extend risk management across the supply chain and demonstrate maturity in third-party risk management (TPRM). Organizations that invest in certification now are better positioned to meet buyer expectations, reduce compliance uncertainty, and move confidently into additional regulated markets.

By building an ISMS, organizations create a single, scalable system that strengthens resilience, reduces compliance costs, and increases trust across stakeholders.  With one “operating system” you can consistently create desired outcomes for your organization while optimizing both risk and costs. 

Understanding ISO 42001: The World’s First AI Management System Standard

by: A-LIGN, 02 Jun 2025, 6 mins

ISO 42001

Artificial intelligence has revolutionized many industries, but its rapid growth has also brought ethical, privacy, and security concerns. To address these challenges, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) published a new standard, ISO/IEC 42001, in December 2023. Rather than a guidance document, it is a certifiable management system standard: it specifies requirements for establishing, implementing, maintaining, and continually improving an AI management system within an organization that designs, develops, or deploys AI systems, addressing factors such as transparency, accountability, bias identification and mitigation, safety, and privacy. This article will explore:

  • Key elements of ISO 42001 
  • The benefits of implementing this standard 
  • Stories from organizations successfully instituting ISO 42001 
  • Next steps for businesses 

Structure of ISO 42001 

Like other ISO/IEC management system standards, ISO 42001 follows the harmonized structure of clauses 4 through 10 (context, leadership, planning, support, operation, performance evaluation, and improvement), and it has several annexes that provide much of the detailed guidance organizations need. Here's a quick breakdown of those annexes:

  • Annex A: Reference control objectives and controls for the AI management system
  • Annex B: Implementation guidance for the Annex A controls, including data management processes
  • Annex C: Potential AI-related organizational objectives and risk sources
  • Annex D: Use of the AI management system across domains or sectors, with pointers to sector-specific standards

Key themes of ISO 42001 

ISO 42001 covers issues throughout the AI system lifecycle, from the initial concept phase to the deployment and operation of the system. It is designed to help organizations manage the risks associated with AI and ensure that their AI systems are developed and used responsibly. These themes may look familiar if you already operate an ISO 27001 ISMS, since both standards share the same management system structure.

Some of the key requirements covered in the published standard, corresponding to clauses 5 through 10, include:

  • Leadership: Top management should demonstrate leadership and commitment to the AI management system (AIMS) and establish policies and objectives that are consistent with the organization’s strategic direction. 
  • Planning: Identify and assess risks and opportunities associated with AI and develop a plan to address them. 
  • Support: Provide resources and support for the AIMS, including training, awareness, and communication. 
  • Operation: Establish processes and procedures for the development, deployment, and maintenance of AI systems. 
  • Performance evaluation: Monitor, measure, analyze, and evaluate the performance of AI systems and take corrective actions when necessary. 
  • Continual improvement: Continually improve the AIMS, and ensure that it remains relevant and effective. 

Learn more about these requirements and how to start your organization’s compliance journey in our ISO 42001 buyer’s guide. 

Is ISO 42001 mandatory? 

If your organization produces, develops, or uses AI, you may be wondering how urgently you should pursue ISO 42001 certification. In short, ISO 42001 is a voluntary standard and is not legally binding. However, given its significance and emerging recognition, it is likely to become the benchmark for AI management systems. Organizations should anticipate regulatory developments and consider adopting the framework proactively.

Get the ultimate guide to ISO 42001 in our two-part webinar series. 

Organizational roles and responsibilities 

Effectively implementing ISO 42001 starts with identifying your organization’s role in your current AI ecosystem:

  • AI provider: An organization or entity that provides products or services that use one or more AI systems. AI providers include AI platform providers and AI product or service providers.
  • AI producer: An organization or entity that designs, develops, tests, and deploys products or services that use one or more AI systems. This includes AI developers concerned with building AI services and products; examples of AI developer roles include model designers, implementers, computation verifiers, and model verifiers.
  • AI user: An organization or entity that uses an AI product or service, either directly or by making it available to its own users.

Benefits of implementing ISO 42001 

Though few organizations relish the idea of more audits, there are good reasons to move forward with certification sooner rather than later. (Plus, if you practice strategic compliance and consolidate your audits, adding this standard to your compliance program may be easier than you think.) 

Learn more about the benefits of early adoption of ISO 42001 in our guide. 

Managing AI risks and opportunities  

ISO 42001 provides organizations with a systematic approach to identify, evaluate, and address the risks associated with AI. This can help organizations mitigate the risks of AI and protect themselves from potential harm. 

Competitive advantage 

Implementing this standard enables organizations to showcase their early adopter status, demonstrating their commitment to responsible AI use. This can enhance stakeholders’ trust and distinguish the organization from competitors. 

Streamlined process

By incorporating ISO 42001’s best practices, organizations can streamline their AI processes, identify and rectify vulnerabilities earlier, and reduce the potential financial and reputational costs associated with AI failures. 

Preparing for EU AI Act Compliance with ISO 42001 

The EU AI Act mandates an ongoing governance framework for AI risk management, transparency, and compliance. Unlike one-time risk assessments or ad hoc governance policies, ISO 42001 establishes a systematic, repeatable process for AI compliance, ensuring organizations:  

  • Proactively manage AI risks rather than responding to enforcement actions.  
  • Align AI governance with business operations using structured risk-management frameworks.  
  • Demonstrate compliance through audit-ready documentation and performance evaluation.  

This standard provides an adaptable compliance framework that evolves alongside regulatory requirements, making it a strong foundation for AI governance. Although ISO 42001 is not an approved harmonized standard for EU AI Act conformity, it provides the groundwork you will need when the final quality management system (QMS) conformity standard for the AI Act is released.

Learn more: How to prepare for the EU AI Act with ISO 42001 

Case study: Synthesia  

London-based Synthesia is a leading AI video platform that enables the creation of studio-quality videos with AI avatars and voiceovers in over 140 languages.

With an innovative product used by 65,000 clients worldwide, including 70% of Fortune 100 companies, Synthesia aimed to showcase their dedication to responsible AI use and high-quality security practices. To do this, Synthesia partnered with A-LIGN to achieve ISO/IEC 42001 certification and become trailblazers in AI compliance. 

The challenge 

As AI technology progresses, global regulations evolve to address emerging challenges. The EU AI Act sets transparency, fairness, and accountability standards for AI systems, prompting Synthesia to adapt proactively and lead on compliance, setting itself apart from companies slower to react.

“It was challenging to find the right audit partner, as no firms were yet accredited. We saw A-LIGN as a market leader ready to take on the challenge with us.” 
-Nicolás Barberis, Security Manager 

With robust governance and a strong ethical foundation, Synthesia prioritized data protection, responsible use, and abuse prevention to build customer trust. The EU AI Act became a catalyst for strengthening security measures and meeting the rising expectations for compliance. 

Why A-LIGN 

Synthesia identified A-LIGN as a market leader and trusted collaborator, partnering with them to overcome challenges and achieve certification as a team. 

Moreover, Synthesia recognized that certificates issued by an established certification body such as A-LIGN carry more weight with customers. This credibility shaped how Synthesia's customers perceived the certification, highlighting the advantage of working with a reputable and experienced firm.

Results 

After a successful assessment, Synthesia became the first AI video generation company to become ISO 42001 certified. 

Earning ISO 42001 certification validated Synthesia’s already stringent security practices, which included robust AI governance, supply chain accountability, and adherence to strict obligations. This milestone showcased to the world that Synthesia meets the highest standards for security and compliance. 

The achievement had a positive reputational impact, drawing media coverage and significant interest from customers, vendors, and other stakeholders who were eager to learn about their journey, motivations, and approach. Learn more about Synthesia’s work with A-LIGN. 

ISO 42001: Next steps for businesses 

To navigate the complex landscape of AI governance and compliance, compliance managers should consider the following steps: 

  • Purchase and understand the standard: Obtain a copy of ISO/IEC 42001 and familiarize yourself with its provisions. It is crucial to understand its requirements and recommendations, as well as the related standards it draws on, such as ISO/IEC 22989 (AI concepts and terminology) and ISO/IEC 23894 (AI risk management guidance), to implement the standard effectively.
  • Start internal talks about certification: Initiating conversations about the certification audit process within your organization is essential. Understanding the steps involved and allocating necessary resources will ensure a smooth transition toward ISO 42001 compliance. 
  • Get a readiness assessment: Consider engaging a trusted compliance partner like A-LIGN to conduct a readiness assessment tailored to your organization’s specific needs. This assessment will help identify any potential findings when pursuing this certification. Download our ISO 42001 checklist to ensure your organization is ready to take the next step.

As the AI landscape continues to evolve, embracing ISO 42001 will position businesses as leaders in the field, fostering trust and ensuring the long-term success of AI initiatives. Stay ahead in the AI era by leveraging ISO 42001 and building a solid foundation for your AI management system. Contact us today to get started.

ISO 27001 Implementation: How to Get Started

by: A-LIGN, 29 May 2025, 5 mins

ISO 27001

New ways to attack an organization's information systems emerge every day, making ISO/IEC 27001 certification all the more important. But where do you begin? Check out our guide to ISO 27001 implementation for your organization.

What is ISO 27001 and why does it matter?

ISO 27001 is a standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) that specifies the requirements for establishing, operating, and improving an Information Security Management System (ISMS) within an organization.

It is an internationally used security framework that focuses on data confidentiality, integrity, and availability. ISO 27001 prepares organizations to create a stronger, more holistic approach to data security. 

Step-by-step guide to ISO 27001 implementation

Now that you’ve learned why ISO 27001 is important, you can dive in.

ISO 27001 implementation is a long process, but the result will bring your organization customer trust and protection for your most sensitive data. Here’s how we recommend you get started:

Understand the standard

Go deeper. Understanding the ISO 27001 requirements is key to a successful ISO 27001 implementation. Read up on (or hire an expert to teach you about) the clauses and annexes in this standard and consider which controls apply to your ISMS. This understanding will help you gain buy-in across the business to the importance of this certification. Your organization’s compliance, executive, and IT teams should all be on board to execute changes to meet the standard and complete your ISO 27001 implementation.

Turn to the professionals

After you’ve learned about ISO 27001 and earned buy-in from relevant stakeholders, it’s time to work with the professionals: certification bodies, also called audit firms or audit partners.

Certification bodies come in two forms: accredited and unaccredited.

Accredited certification bodies have completed a rigorous certification process themselves to appropriately issue ISO 27001 certificates while unaccredited certification bodies have not.

This difference can determine which certification body your organization completes its audit with. It’s important to learn whether any of your clients require a certificate from an accredited certification body. Plus, it’s good to know what your audit partner brings to the table: their processes, certifications, and more, before choosing to work with them on your ISO 27001 implementation.

Beyond these certifications, there are a number of considerations to keep in mind when choosing an audit partner. From experience on the team to the number of certifications the auditor has issued for your chosen framework, there’s a lot to consider. Check out this ISO 27001 buyer’s guide to learn more about what to look for in an assessor.

Select your auditor

After evaluating all your options, it’s time to make a decision. Ensure you’ve picked an audit partner that shares your organization’s values and has experience auditing companies in your field. Plus, choosing a quality partner is key.

After notifying your chosen partner, you can expect a series of steps to take place:

  • Signing the contract: During this step, you can expect to receive a contract that defines the scope of work you can expect from your auditor. This will detail the systems they plan to test and for what purposes along with legal elements like terms and conditions of the audit.
  • Project kickoff: Kicking off your audit and aligning on timeline is essential. This step ensures every party on either side is in the know about when you can expect certain parts of the audit cycle to take place. Plus, it gets your project moving.
  • Meeting your audit team: Like any successful organization, the most important part of your audit cycle is the people. These relationships are going to carry your organization through your audit and beyond as your auditor becomes a trusted member of your team.
  • Acquaint yourself with the tech: Whether you’ve implemented a GRC platform or your auditor uses in-house technology, it’s beneficial to familiarize yourself with the platforms you’ll be using during the audit cycle to streamline the process.

Begin your audit cycle

Now it’s time to begin your audit cycle for ISO 27001 certification. Your audit partner should walk you through the steps it takes to complete ISO 27001 certification. This is a multi-pronged process, but the general steps include:

  • Optional Pre-Assessment  
  • The Stage 1 Audit  
  • The Stage 2 Audit  
  • A Surveillance Audit  
  • Recertification 

Step 1: Pre-assessment    

The pre-assessment is designed for companies that are undergoing the certification process for the first time. This assessment is only performed on an as-needed basis but is highly recommended prior to the actual audit.   

The pre-assessment involves a review of an organization’s scope, policies, procedures, and processes to identify any gaps in conformance that may need remediation before the actual certification process begins.   

Step 2: Stage 1 audit   

During a Stage 1 audit, an auditor reviews the high-risk clauses and annex controls of an organization’s ISMS to confirm that it has been established and implemented in conformance with the ISO 27001 standard. This audit also checks whether the mandatory activities of an ISMS have been completed prior to starting Stage 2.   

Upon completion, the Stage 1 audit will reveal if an organization is ready to move forward to Stage 2 or if there are any areas of concern regarding policies, procedures, and supporting documentation that may need to be remediated before proceeding.   

Step 3: Stage 2 audit   

The Stage 2 audit tests the conformance of an organization’s ISMS against the ISO 27001 standard. Upon completion of Stage 2, the auditor will determine if an organization is ready for certification.   

If any major nonconformities were identified during the audit, they will need to be remediated by the organization before a certificate can be issued.    

Step 4: Surveillance audit   

The ISO 27001 certification process doesn’t simply end after a certificate has been issued. For the two years following certification, the auditor will conduct annual surveillance audits to ensure an organization’s ongoing compliance with the ISO 27001 standards. This step ensures your cybersecurity practices are operating at the highest possible level.   

Step 5: Recertification   

An ISO 27001 certification is valid for three years after the certificate’s issue date. Organizations need to recertify before the certificate’s expiration date or be required to begin the certification process again. Recertification audits review the entire management system, similar to the Stage 2 audit.

This process may require that you make changes to your ISMS and your processes to earn full ISO 27001 certification. This process will not take place overnight, and you will need to keep in close contact with your audit partner to learn how your team handles client information going forward.

After ISO 27001 certification

After your ISO 27001 certification, it’s time for continual improvement. This model is a part of the ISO 27001 standard and ensures that as you add new products or services, these additions are accounted for in your ISMS and the controls you have in place to stay compliant with ISO 27001.

The other follow-up step for ISO 27001 implementation is recertification. An ISO 27001 certificate is valid for three years after the issue date and organizations must recertify before the expiration date or begin the certification process again. Recertification is similar to a Stage 2 audit and reviews the entire management system.

Ready to get started on your ISO 27001 implementation?

As an accredited ISO 27001 certification body, A-LIGN can provide your organization with the experience and guidance needed to achieve certification.  Contact us to get started today.

ISO Certified Companies: Real Success Stories & Insights 

by: A-LIGN 22 May,2025 3 mins

ISO 27001, ISO 42001

ISO certified companies have achieved a major accomplishment. Customers and other stakeholders value an organization’s commitment to a high level of security that protects sensitive information from bad actors. But where do you start? 

ISO 42001 and ISO 27001 requirements are complex and rigorous. This intricacy is what makes the framework so valuable. ISO certified companies go through a meticulous process to become certified, which is why picking the correct auditor is an essential first step in the process. 

Keep reading to learn why these ISO certified companies chose A-LIGN as their trusted audit partner. 

ISO certified companies 


Butterfly Network embraces audit harmonization to strengthen global compliance program 

Butterfly Network shows their dedication to international security by partnering with A-LIGN to achieve ISO/IEC 27001, C5, StateRAMP, and NHS DSPT England Security compliance.    

Partnering with A-LIGN, they streamlined compliance efforts and reinforced security, ensuring a proactive approach to audits and future growth. 


Menlo Security reduces evidence collection time by 60% with consolidated audit approach 

Menlo Security chose A-LIGN as their audit partner to accomplish ISO/IEC 27001, ISO 27017, ISO 27018, and SOC 2 compliance. 

By combining their ISO 27001 and SOC 2 engagements together, the Menlo team achieved impressive efficiency—cutting evidence collection time by 60% while delivering fast, impactful results. 

“I am very proud that Menlo Security and A-LIGN worked together to consolidate our SOC 2 and ISO 27001 assessments at the same time to reduce time, resources, and costs. This process has been carefully planned, communicated, and executed with a high degree of success.”

Rashpal Singh


Why ISO certified companies choose A-LIGN 

As the leading accredited ISO certification body, A-LIGN can provide your organization with the experience and guidance needed to become ISO certified. By the numbers, A-LIGN is proud to have:  

  • Completed 4k+ ISO assessments 
  • 5.7k+ global clients 
  • 96% client satisfaction rating 
  • 20+ years of experience 

Ready to get started on your organization’s path to ISO certification? Contact us today to get started on your compliance journey and learn why these companies choose A-LIGN as their trusted audit partner.


2025 Compliance Trends in the UK & Ireland: What You Need to Know

by: A-LIGN 3 mins

Compliance, Compliance Benchmark Report, EMEA

Businesses in the United Kingdom and Ireland (UKI) face increasing pressure to meet rigorous compliance standards as cybersecurity threats grow more complex and regulations tighten across these countries. That’s why A-LIGN created a dedicated UKI edition of our global 2025 Compliance Benchmark Report — to provide regional insights, benchmarks, and practical recommendations tailored to the distinct challenges and opportunities that companies in this part of the world are navigating. 

Our footprint in the UK and Ireland is expanding rapidly, and so are the needs of our clients. With the implementation of EU-specific regulations like the Digital Operational Resilience Act (DORA), the EU AI Act and the NIS2 Directive, it’s clear that companies operating in and with the EU must stay ahead of evolving compliance demands. A localised version of this benchmark report gives businesses in those countries a clearer picture of where they stand and what they should prioritise to stay compliant and competitive in 2025 and beyond. 

So, what are the biggest takeaways for the UK and Ireland this year? 

1. Audit quality isn’t optional — it’s the standard. 

In a regulatory environment where small gaps can lead to big consequences, the UKI market has made it clear: audit quality is paramount. 95% of respondents said the quality of their audit report is “important” or “extremely important,” and 68% have observed clear differences in report quality across auditors. 

What defines a high-quality audit? According to respondents, it comes down to two things: the number of controls tested and the length of the audit report. Notably, businesses weren’t impressed by additions like generic best practices or glossy formatting. They’re demanding detailed, technically sound audits that thoroughly evaluate their controls — because that’s what uncovers the real risks for their companies. 

When choosing an auditor, businesses in this region ranked the experience of the audit team as the top factor, followed closely by report quality. That means organisations are no longer willing to trade depth for speed or affordability. Compliance is now a strategic investment, not a check-the-box exercise. 

2. AI compliance is moving from idea to action.

Artificial intelligence is reshaping how businesses manage risk and meet compliance obligations. In the UK and Ireland, 89% of surveyed companies already have or are developing an AI compliance policy, with 71% planning to pursue an AI audit or certification within the next 24 months. 

This momentum is largely driven by uncertainty. 60% of businesses expressed concern about AI’s impact on future regulations, and many are proactively seeking ways to formalise their approach. Software companies are leading the charge, with 84% of firms in that sector expecting to adopt an AI compliance framework within two years. 

The bottom line? The companies that act early on AI compliance will be better equipped to handle the future wave of AI-related regulations and gain trust with customers, partners, and regulators in the process. 

3. New cybersecurity laws are reshaping compliance. 

The convergence of data protection, cyber risk, and digital infrastructure laws is redefining how businesses in the UK and Ireland approach compliance — especially those working across EU borders. In 2025, 85% of UK respondents said they expect their compliance strategy to change in response to laws like the EU AI Act, DORA and the NIS2 Directive. 

ISO 27001, the international standard for information security management systems, is emerging as the tool of choice to address these regulatory shifts. Already the most common audit pursued by businesses in these regions, ISO 27001 provides a structured framework for managing cybersecurity risks and aligning with new EU requirements. 

By mapping existing controls to the requirements of NIS2 and DORA, companies can streamline their compliance efforts and avoid costly gaps. And with 85% of UKI businesses planning an ISO 27001 audit in 2025, it’s clear that proactive compliance is becoming the new normal. 

Get all the details in our UKI Compliance Benchmark Report 

The UKI edition of A-LIGN’s 2025 Compliance Benchmark Report is packed with data and expert analysis to help your company plan for the future. Whether you’re building a compliance program from the ground up or refining an established strategy, this report is a must-read. Download the full report to learn more about: 

  • Why the number of controls tested matters in compliance audits 
  • The most popular AI compliance frameworks in the UK and Ireland 
  • Which cybersecurity regulations compliance leaders are most concerned about 
  • Our recommendations for how to shift your compliance strategy in 2025 and beyond 

Get the free report now to see how your organisation stacks up and what you should do next to be prepared for the changing compliance environment in the UK and Ireland. 

ISO/IEC 27001 is often cited as the gold standard for cybersecurity across industries. This complex framework ensures security for customers’ valuable information and demonstrates a commitment to a high level of security. But what makes it so special? Read on to learn why this framework is so popular and how your organization can get started on its ISO 27001 certification. Follow along and download the guide here. In this guide, we will: 

  • Break down ISO 27001 and understand who needs it 
  • Explain the certification process 
  • Share best practices for choosing an assessor 
  • Spotlight stories from real-life organizations 
  • Give you a checklist of questions to ask potential assessors

Understanding ISO 27001 

ISO 27001 is an international standard for information security management systems. It provides a systematic approach to managing sensitive company information, ensuring its confidentiality, integrity, and availability. The standard outlines requirements for establishing, implementing, maintaining, and continuously improving an organization’s information security management system, commonly referred to as ISMS.  

Who needs ISO 27001? 

This framework is incredibly popular and growing. In fact, the 2025 Compliance Benchmark Report found that 81% of organizations have adopted ISO 27001 compared to 67% in 2024. ISO 27001 is becoming the baseline for many global cybersecurity standards and regulations. 

ISO 27001 is used by companies spanning industries. Some of the more popular users include organizations working in: 

  • Information technology  
  • Healthcare  
  • Finance  
  • Consulting  
  • Telecommunications 

Who can certify my company? 

An organization can earn its ISO 27001 certification from a certification body, which is an organization that provides certification of a particular standard. These bodies can be accredited or unaccredited, which describes whether the certification body has completed rigorous evaluation by a standard’s accreditation body. While both certifications are allowed, many customers only accept ISO 27001 certificates from accredited certification bodies. 

The certification process 

The ISO 27001 certification process is well-established, but is still a multi-pronged process that requires attention to detail and a generous time commitment. The five steps to ISO 27001 certification include:

  1. Optional pre-assessment     
  2. Stage 1 audit     
  3. Stage 2 audit     
  4. Surveillance audit     
  5. Recertification    

Step 1: Pre-assessment 

The pre-assessment is designed for companies that are undergoing the certification process for the first time. This assessment is only performed on an as-needed basis but is highly recommended prior to the actual audit.    

The pre-assessment involves a review of an organization’s scope, policies, procedures, and processes to identify any gaps in conformance that may need remediation before the actual certification process begins.    

Step 2: Stage 1 audit    

During a Stage 1 audit, an auditor reviews the high-risk clauses and annex controls of an organization’s ISMS to confirm that it has been established and implemented in conformance with the ISO 27001 standard. This audit also checks whether the mandatory activities of an ISMS have been completed prior to starting Stage 2.    

Upon completion, the Stage 1 audit will reveal if an organization is ready to move forward to Stage 2 or if there are any areas of concern regarding policies, procedures, and supporting documentation that may need to be remediated before proceeding.    

Step 3: Stage 2 audit    

The Stage 2 audit tests the conformance of an organization’s ISMS against the ISO 27001 standard. Upon completion of Stage 2, the auditor will determine if an organization is ready for certification.    

If any major nonconformities were identified during the audit, they will need to be remediated by the organization before a certificate can be issued.     

Step 4: Surveillance audit    

The ISO 27001 certification process doesn’t simply end after a certificate has been issued. For the two years following certification, the auditor will conduct annual surveillance audits to ensure an organization’s ongoing compliance with the ISO 27001 standards. This step ensures your cybersecurity practices are operating at the highest possible level.    

Step 5: Recertification    

An ISO 27001 certification is valid for three years after the certificate’s issue date. Organizations need to recertify before the certificate’s expiration date or be required to begin the certification process again. Recertification audits review the entire management system, similar to the Stage 2 audit. For more about these steps, download our ISO 27001 Buyer’s Guide.

Selecting the right ISO 27001 certification body 

Choosing the right partner for your ISO 27001 certification is essential. You’ll be working with this auditor throughout the process and spending a lot of time together, so expertise and quality are important considerations when choosing a certification body. Beyond this, efficiency and budget are key elements to choosing an auditor. 

Audit expertise 

As mentioned before, a certification body is an organization that provides certifications around a chosen standard. These organizations come in two forms: accredited and unaccredited.  While unaccredited certifications are allowed, they don’t hold the same value and prestige as an accredited certification. 

There are three major accreditation bodies in the United States: ANAB, IAS and UAF. The two most prominent bodies for ISO management system certification are the ANSI National Accreditation Board (ANAB) and the International Accreditation Service (IAS). Among these, ANAB is considered the industry leader. Why? It has a long track record of success in upholding standards internationally across industries, its accreditation process is the most rigorous, and many enterprises, governments, and other bodies explicitly require ANAB-accredited ISO certification from their vendors and partners because of its high standards and reputation. 

Quality audit process 

Beyond accreditation, choosing a quality auditor is crucial. A-LIGN’s 2025 Compliance Benchmark Report found that report and auditor quality remain top of mind for compliance teams. Our survey revealed that the most important factors for companies when choosing an auditor are:  

  • Experienced audit team  
  • Report quality  
  • Tech-enabled audit   

This means that you’ll want to choose an audit partner that has a wide range of experience in ISO 27001 and in your organization’s industry. You’ll also want to ask any potential auditor about their reports. Any quality auditor should be providing thorough, actionable insights when sharing a final report. 

Efficiency 

Efficiency is vital when it comes to choosing the right audit partner. It demonstrates a commitment to detail and customer experience that helps lead to successful audits. Efficiency is often driven by audit management technology, which can create a seamless certification process, streamline communication, and reduce manual work. 

An efficient auditor may also use practices like audit harmonization to streamline the audit process, especially if you are seeking out multiple frameworks. This process streamlines requirements by cutting redundant file retrieval and identifying overlaps between the frameworks your organization is pursuing. By coordinating and harmonizing your audit efforts with a single provider, organizations can work smarter throughout the audit journey. 

Budget 

Budget is an important factor to consider alongside other elements of choosing the right assessor. Think about your timeline, the quality and reputation of an assessor, and whether your organization is willing to pay more for these elements. Budget assessors that offer certifications for well below market value are likely going to get what you pay for. Besides, if you’re already committed to earning the certification, don’t you want the highest-quality audit available? 

Case study: Butterfly Network 

Butterfly Network Inc. develops, manufactures, and commercializes ultrasound imaging solutions with a mission to democratize healthcare around the globe. 

With the appointment of a new Chief Information Security Officer, Mike Tiemeyer, a seasoned technology executive, Butterfly revamped its information security program and took on the challenge of simultaneously planning and readying four assessments slated for 2025. 

This tall task to strengthen Butterfly’s security posture involved pulling together all elements into a coherent plan that could be executed on time so the company could provide assurance to their global clients that their data was in good hands. 

CISO Mike Tiemeyer initially chose A-LIGN as his previous company’s audit provider based on numerous recommendations from professionals in his network. 

The Butterfly Security team finds the experience with A-LIGN to be vastly different from past experiences with other auditors in the cybersecurity certification space, which were marked by ambiguity and reactive practices. 

Butterfly looks forward to a bright future with a continuously expanding compliance program, supported by the expertise and efficiency of working with A-LIGN. 

“We don’t want to be in a constant state of audit. Having an assessment firm like A-LIGN, which has conducted an independent assessment across hundreds of requirements and artifacts to obtain multiple high-quality audit reports, is truly a badge of honor.” 
-Mike Tiemeyer, CISO 

Checklist: Questions to ask an assessor 

As you well know by now, choosing an assessor is one of the most important steps to earning ISO 27001 certification for your organization. This decision will impact every other step – from start to finish, your assessor will be with you through it all. This checklist details questions that we recommend you ask any potential assessor. 

  • What is your experience with ISO 27001 audits? 
  • Is your company accredited by a certification body? If so, which one? 
  • How many ISO certifications have you completed? 
  • How many ISO auditors does your team have? 
  • Do you have experience conducting ISO 27001 audits in my industry? 
  • Does your team have experience with other ISO standards like ISO 42001 or ISO 27701? 
  • Do you have any ISO-specific training with any of the ISO standards? 
  • Does your organization conduct other audits? 
  • Are we able to pursue multiple frameworks at the same time with your organization? How does your team handle this? 
  • Do you have experience identifying overlaps among multiple frameworks? 
  • What can I expect during the audit process? 
  • Does your organization use technology to enhance the audit process? 
  • What is your response time to questions from our team? 
  • How do you ensure the quality of your audits? 
  • How do you define quality? 
  • What sets your audit process apart from other audit firms? 
  • How much will my ISO 27001 audit cost? 
  • What are your rates and what do they include? 
  • How long does an ISO 27001 audit take with your organization? 
  • How long will each step of the process take? 
  • Do you have references and case studies from satisfied customers? 

Ready to take the next step? Reach out today to get started on your compliance journey. Plus, you can download the ISO 27001 Buyer’s Guide to share with your team.

Debunking Myths About Pen Testing with Your Audit Firm 

by: A-LIGN 14 May,2025 2 mins

Pen Test

True or false? Your organization should conduct penetration testing with your current audit partner. 

If you ask us, true. 

Penetration testing has never been more important: bad actors are emerging every day with new strategies to access your organization’s sensitive information. 

As compliance teams gear up to add additional testing to their overall compliance strategy, evaluating all possible options is essential. But many organizations have misconceptions about conducting these tests with their existing IT audit partner. 

Read on to uncover myths about penetration testing with an audit firm so you can choose the right partner for your organization. 

Myth #1: There is no separation between audit and pen test teams 

Many organizations resist pen testing with their audit firm because they think there’s no separation between the firm’s audit and pen test teams, making their penetration tests less effective. 

Like any professional service organization, audit firms are organized by specialty: SOC, ISO, HITRUST, etc. One of those specialties may be penetration testing. That means there is a dedicated team of experts whose sole job is to identify weak spots in a system’s defenses that attackers could take advantage of.  This specialty is run like its own business. Information isn’t shared from one lane to another, meaning the systems and information of customers earning certifications on the ISO or SOC side aren’t shared with experts conducting pen tests. 

Myth #2: Auditors can’t give the same level of dedication as a pen test shop 

Specialized pen testing teams at audit firms are using the same tools, tactics, and methodologies as teams working at boutique pen testing firms. Plus, these experts hold the same certifications and levels of experience as their counterparts.  

High-quality audit firms hold themselves to the same standards across the board that they would for an IT audit cycle for a framework such as SOC 2, ISO 27001 or HITRUST. A dedicated customer focus on your compliance audit from a high-quality IT auditor indicates the same level of dedication and specialty on the pen testing side. 

Myth #3: There is a lack of quality in pen tests from audit firms 

If you’ve selected a high-quality auditor to conduct your IT audits, you should expect the same high-caliber rigor in conducting your penetration test. 

At A-LIGN, our pen testing teams perform 80% manual and 20% automated processes. Our team is made up of highly certified, highly specialized experts who perform tests that are very manual in nature. This means that our customers can expect the high-quality final report and testing experience they’re accustomed to on the audit side of the house.  

A-LIGN holds its teams to the highest possible standard to ensure the success of its customers along their compliance journey. Are you ready to get started? Contact A-LIGN today. 


Price and Associates CPAs, LLC dba A-LIGN ASSURANCE is a licensed certified public accounting firm registered with the Public Company Accounting Oversight Board (PCAOB). A-LIGN Compliance and Security, Inc. dba A-LIGN is a leading cybersecurity and compliance professional services firm.

A-LIGN 2025. All rights reserved.
