Is ISO 27001 a certification?
Yes. Unlike SOC 2, which is an attestation report, ISO/IEC 27001 is a formal certification issued by an accredited certification body. After a successful Stage 1 and Stage 2 audit, you receive a certificate that is valid for three years, subject to annual surveillance audits. The certificate verifies that your Information Security Management System (ISMS) conforms to the ISO 27001 standard.
What is an ISMS?
An Information Security Management System (ISMS) is the documented set of policies, processes, roles, and controls you use to manage information security risk. ISO 27001 is built around the ISMS: you define scope, assess risk, select controls, and continually improve them through a Plan-Do-Check-Act cycle. Agency builds and operates your ISMS end-to-end rather than handing you templates to maintain yourself.
What is the difference between a Stage 1 and Stage 2 audit?
ISO 27001 certification happens in two stages. The Stage 1 audit is a documentation and readiness review: the auditor checks that your ISMS, risk assessment, Statement of Applicability, and core policies exist and are sound. The Stage 2 audit is the main certification audit, where the auditor tests that your controls are actually implemented and operating effectively. Agency prepares you for both and coordinates with the certification body through fieldwork.
What are Annex A controls?
Annex A of ISO 27001:2022 is a catalog of 93 security controls grouped into four themes: organizational, people, physical, and technological. You assess which controls apply to your risks and document your decisions in a Statement of Applicability (SoA). You do not have to implement every control — you justify inclusions and exclusions based on your risk assessment. Agency maps Annex A to your environment and implements the applicable controls across your stack.
What is the Statement of Applicability (SoA)?
The Statement of Applicability is the central ISO 27001 document that lists every Annex A control, states whether it applies to your organization, and explains the justification and implementation status. Auditors use the SoA as the backbone of the Stage 2 audit. Agency produces and maintains your SoA so it always reflects how your controls actually operate.
How long does ISO 27001 certification take?
Most companies reach Stage 2 readiness in roughly 3 to 6 months depending on their starting security posture and the scope of the ISMS, followed by the certification audit itself. Agency's forward-deployed engineers compress that timeline by building the ISMS, running the risk assessment, implementing Annex A controls, and collecting evidence directly instead of handing you a checklist.
How much does ISO 27001 cost?
The all-in cost of ISO 27001 is more than the certification-body fee. It includes the GRC platform (Vanta, Drata, or similar), the accredited certification body, penetration testing, and — usually the largest line item — the internal engineering and compliance time spent building the ISMS, implementing controls, and running surveillance. Agency lowers that total cost of ownership: we operate your GRC platform for you, and our clients save an average of 200+ hours and well over $100K in engineering and compliance time each year.
Do we have to replace Vanta or Drata to work with Agency?
No. Agency is GRC-platform-agnostic and operates on top of Vanta, Drata, and the rest of your existing stack, with no rip-and-replace and no migration. Both platforms support ISO 27001 control mapping and Annex A evidence; we run whichever one you own, or help you choose and stand one up.
How is ISO 27001 different from SOC 2?
SOC 2 is a US-centric attestation report against the AICPA's Trust Services Criteria, while ISO 27001 is an internationally recognized certification of a formal ISMS. SOC 2 is often preferred by US buyers; ISO 27001 is frequently required for European and global enterprise deals. The control sets overlap heavily, so once Agency has built one program, adding the other reuses much of the same evidence and effort.
What are surveillance audits?
An ISO 27001 certificate is valid for three years, but the certification body conducts surveillance audits in years one and two to confirm your ISMS is still operating effectively, followed by a full recertification audit in year three. This makes ISO 27001 an ongoing program, not a one-time project — which is why Agency runs continuous monitoring and evidence collection year-round rather than only at audit time.
Can an early-stage startup get ISO 27001 certified?
Yes. Startups regularly pursue ISO 27001 to unlock European and global enterprise deals. The key is scoping the ISMS to what you actually do and implementing right-sized controls rather than enterprise overhead. Agency runs ISO 27001 for companies from seed stage through scale and operates the ISMS so a small team can stay certified without hiring a dedicated security function.