ISO 27001 Buyer’s Guide 


ISO/IEC 27001 is often cited as the gold standard for information security management across industries. The framework gives organizations a structured way to protect the information customers entrust to them and to demonstrate that commitment to others. But what makes it so special? Read on to learn why this framework is so popular and how your organization can get started on its ISO 27001 certification. Follow along and download the guide here. In this guide, we will: 

  • Break down ISO 27001 and understand who needs it 
  • Explain the certification process 
  • Share best practices for choosing an assessor 
  • Spotlight stories from real-life organizations 
  • Give you a checklist of questions to ask potential assessors

Understanding ISO 27001 

ISO 27001 is an international standard for information security management systems. It provides a systematic approach to managing sensitive company information, protecting its confidentiality, integrity, and availability. The standard specifies requirements for establishing, implementing, maintaining, and continually improving an organization’s information security management system, commonly referred to as an ISMS. The current edition of the standard is ISO/IEC 27001:2022.  

Who needs ISO 27001? 

This framework is widely adopted, and adoption is growing. A-LIGN’s 2025 Compliance Benchmark Report found that 81% of surveyed organizations had adopted ISO 27001, up from 67% in the 2024 survey. ISO 27001 is increasingly treated as the baseline that customer security questionnaires, global standards, and regulations reference. 

ISO 27001 is used by companies spanning industries. Some of the more popular users include organizations working in: 

  • Information technology  
  • Healthcare  
  • Finance  
  • Consulting  
  • Telecommunications 

Who can certify my company? 

An organization earns its ISO 27001 certification from a certification body, an organization that audits against a particular standard and issues certificates. A certification body can be accredited or unaccredited: accreditation means the body has itself been evaluated by an accreditation body (such as ANAB in the United States) against the requirements for bodies that certify management systems, ISO/IEC 17021-1. An unaccredited body can still issue a certificate, but many customers only accept ISO 27001 certificates from accredited certification bodies, so confirm a body’s accreditation before you engage it. 

The certification process 

The ISO 27001 certification process is well-established, but is still a multi-pronged process that requires attention to detail and a generous time commitment. The five steps to ISO 27001 certification include:

  1. Optional pre-assessment     
  2. Stage 1 audit     
  3. Stage 2 audit     
  4. Surveillance audit     
  5. Recertification    

Step 1: Pre-assessment 

The pre-assessment is designed for companies undergoing the certification process for the first time. It is optional, but highly recommended before the formal audit begins.    

The pre-assessment reviews an organization’s scope, policies, procedures, and processes to identify gaps in conformance that should be remediated before the certification audit starts.    

Step 2: Stage 1 audit    

During a Stage 1 audit, an auditor reviews the organization’s ISMS documentation, focusing on the higher-risk clauses and Annex A controls, to confirm that the ISMS has been established and implemented in conformance with the ISO 27001 standard. The auditor also checks that the activities the standard requires have been completed before Stage 2 begins, such as defining the ISMS scope, producing the Statement of Applicability, performing a risk assessment, and carrying out an internal audit and management review.    

Upon completion, the Stage 1 audit will reveal if an organization is ready to move forward to Stage 2 or if there are any areas of concern regarding policies, procedures, and supporting documentation that may need to be remediated before proceeding.    

Step 3: Stage 2 audit    

The Stage 2 audit examines whether the organization’s ISMS is implemented and operating effectively against the ISO 27001 standard, using evidence such as records, interviews, and observed practice. Upon completion of Stage 2, the auditor determines whether the organization is ready for certification.    

Any major nonconformities identified during the audit must be remediated, and the remediation verified by the auditor, before a certificate can be issued. Minor nonconformities typically require an accepted corrective action plan.     

Step 4: Surveillance audit   

The ISO 27001 certification process doesn’t simply end after a certificate has been issued. For the two years following certification, the certification body conducts annual surveillance audits to confirm that the ISMS continues to operate and conform to the ISO 27001 standard. Surveillance audits sample the management system rather than re-auditing all of it, so keeping the ISMS running between audits (risk reviews, internal audits, management reviews) is what makes them pass.    

Step 5: Recertification    

An ISO 27001 certificate is valid for three years from its issue date. Organizations must complete a recertification audit before the certificate expires, or else begin the initial certification process again. Recertification audits review the entire management system, similar to the Stage 2 audit. For more about these steps, download our ISO 27001 Buyer’s Guide.

Selecting the right ISO 27001 certification body 

Choosing the right partner for your ISO 27001 certification is essential. You’ll be working with this auditor throughout the process and spending a lot of time together, so expertise and quality are important considerations when choosing a certification body. Beyond this, efficiency and budget are key elements to choosing an auditor. 

Audit expertise 

As mentioned before, a certification body is an organization that provides certifications around a chosen standard. These organizations come in two forms: accredited and unaccredited.  While unaccredited certifications are allowed, they don’t hold the same value and prestige as an accredited certification. 

There are three major accreditation bodies for management system certification in the United States: the ANSI National Accreditation Board (ANAB), the International Accreditation Service (IAS), and the United Accreditation Foundation (UAF). ANAB and IAS are the two most prominent for ISO management system certification, and ANAB is widely considered the industry leader: it has a long track record of upholding standards internationally across industries, its accreditation process is rigorous, and many enterprises, governments, and other bodies explicitly require ANAB-accredited ISO certification from their vendors and partners. Whichever accreditation body your certification body holds, confirm that the accreditation covers ISO/IEC 27001 specifically and that the certificate will carry the accreditation mark, since that is what customers check. 

Quality audit process 

Beyond accreditation, choosing a quality auditor is crucial. A-LIGN’s 2025 Compliance Benchmark Report found that report and auditor quality remain top of mind for compliance teams. Our survey revealed that the most important factors for companies when choosing an auditor are:  

  • Experienced audit team  
  • Report quality  
  • Tech-enabled audit   

This means that you’ll want to choose an audit partner that has a wide range of experience in ISO 27001 and in your organization’s industry. You’ll also want to ask any potential auditor about their reports. Any quality auditor should be providing thorough, actionable insights when sharing a final report. 

Efficiency 

Efficiency is vital when it comes to choosing the right audit partner. It demonstrates a commitment to detail and customer experience that helps lead to successful audits. Efficiency is often driven by audit management technology, which can create a seamless certification process, streamline communication, and reduce manual work. 

An efficient auditor may also use practices like audit harmonization to streamline the audit process, especially if you are seeking out multiple frameworks. This process streamlines requirements by cutting redundant file retrieval and identifying overlaps between the frameworks your organization is pursuing. By coordinating and harmonizing your audit efforts with a single provider, organizations can work smarter throughout the audit journey. 

Budget 

Budget is an important factor to weigh alongside the other elements of choosing an assessor. Think about your timeline and the quality and reputation of an assessor, and whether your organization is willing to pay more for them. With budget assessors that offer certifications well below market value, you will likely get what you pay for. If you are already committed to earning the certification, you want an audit whose result your customers will trust. 

Case study: Butterfly Network 

Butterfly Network Inc. develops, manufactures, and commercializes ultrasound imaging solutions with a mission to democratize healthcare around the globe. 

With the appointment of a new Chief Information Security Officer, Mike Tiemeyer, a seasoned technology executive, Butterfly revamped its information security program and took on the challenge of planning and preparing for four assessments scheduled for 2025 at the same time. 

This tall task to strengthen Butterfly’s security posture involved pulling together all elements into a coherent plan that could be executed on time so the company could provide assurance to their global clients that their data was in good hands. 

CISO Mike Tiemeyer initially chose A-LIGN as his previous company’s audit provider based on numerous recommendations from professionals in his network. 

The Butterfly security team finds its experience with A-LIGN vastly different from past experiences with other auditors in the cybersecurity certification space, which were marked by ambiguity and reactive practices. 

Butterfly looks forward to a bright future with a continuously expanding compliance program, supported by the expertise and efficiency of working with A-LIGN. 

“We don’t want to be in a constant state of audit. Having an assessment firm like A-LIGN, which has conducted an independent assessment across hundreds of requirements and artifacts to obtain multiple high-quality audit reports, is truly a badge of honor.” 
-Mike Tiemeyer, CISO 

Checklist: Questions to ask an assessor 

As you well know by now, choosing an assessor is one of the most important steps to earning ISO 27001 certification for your organization. This decision will impact every other step – from start to finish, your assessor will be with you through it all. This checklist details questions that we recommend you ask any potential assessor. 

  • What is your experience with ISO 27001 audits? 
  • Is your company an accredited certification body? If so, which accreditation body accredits you, and does that accreditation cover ISO/IEC 27001? 
  • How many ISO certifications have you completed? 
  • How many ISO auditors does your team have? 
  • Do you have experience conducting ISO 27001 audits in my industry? 
  • Does your team have experience with other ISO standards like ISO 42001 or ISO 27701? 
  • Have your auditors completed ISO-specific training, such as ISO 27001 lead auditor courses? 
  • Does your organization conduct other audits? 
  • Are we able to pursue multiple frameworks at the same time with your organization? How does your team handle this? 
  • Do you have experience identifying overlaps among multiple frameworks? 
  • What can I expect during the audit process? 
  • Does your organization use technology to enhance the audit process? 
  • What is your response time to questions from our team? 
  • How do you ensure the quality of your audits? 
  • How do you define quality? 
  • What sets your audit process apart from other audit firms? 
  • How much will my ISO 27001 audit cost? 
  • What are your rates and what do they include? 
  • How long does an ISO 27001 audit take with your organization? 
  • How long will each step of the process take? 
  • Do you have references and case studies from satisfied customers? 

Ready to take the next step? Reach out today to get started on your compliance journey. Plus, you can download the ISO 27001 Buyer’s Guide to share with your team.