ISO 27001 for SaaS: What Australian Software Companies Need to Know

ISO 27001 is the certificate most SaaS buyers ask for. For a software company it certifies the management system behind the platform, not just the code: clauses 4 to 10 plus the 93 Annex A controls, with the cloud and secure development controls carrying the most weight. It is commercial, not government mandated.

Why do SaaS buyers ask for ISO 27001?

Because it lets them skip their own due diligence. A SaaS vendor selling into enterprise or government meets the same security questionnaire on every deal. An ISO 27001 certificate answers most of it before the question is asked, which is why it appears as a line in tenders, vendor onboarding and procurement contracts. The certificate does not prove your product is secure. It proves an accredited body checked that you run a managed system for keeping it secure, and will check again every year. For an Australian SaaS company the demand is commercial, not regulatory: customers, partners and tenders drive it, the way SOC 2 does for United States buyers. No Australian law requires it.

What does ISO 27001 certify for a SaaS company?

The management system, not the platform. ISO 27001:2022 certifies an information security management system built from clauses 4 to 10 (context, leadership, planning, support, operation, performance evaluation and improvement), supported by the 93 Annex A controls. None of that audits your source code line by line. The auditor confirms you have identified your risks, chosen controls to treat them, written them into the Statement of Applicability, and can show records that the system runs. A clean penetration test is evidence for a control; it is not the certificate. This is the point most engineering teams get wrong. They expect a product audit and get a management system audit.

Which Annex A controls matter most for SaaS?

A handful do the heavy lifting. Annex A is a reference set of 93 controls across four themes; you select the ones your risk treatment needs and justify excluding the rest in the Statement of Applicability. For a SaaS platform, the controls auditors and customers focus on cluster around the cloud and the way you build software.

| Control | What it covers | Why it matters for SaaS |
|---|---|---|
| A.5.23 Information security for use of cloud services | Acquiring, using, managing and exiting cloud services securely | Your platform runs on a hyperscaler; this is where you show you manage that dependency |
| A.8.25 Secure development life cycle | Security built into every stage of development | The standard expects security in your SDLC, not bolted on after release |
| A.8.28 Secure coding | Secure coding rules and standards | A customer reviewing a software vendor looks for this directly |
| A.8.29 Security testing in development and acceptance | Testing security before release and acceptance | Maps to your test gates and penetration testing |
| A.8.9 Configuration management | Hardened, controlled configurations | Multi tenant platforms live or die on configuration |

These sit inside the technological theme. The organisational, people and physical themes still apply, so a SaaS company cannot certify the codebase and ignore access management, supplier security or staff screening.

How do you scope ISO 27001 for a SaaS platform?

Scope is the decision that shapes the whole project. Clause 4.3 requires you to define the boundary of the management system. Most SaaS companies scope it to the platform, the teams that build and run it, and the cloud environment it sits in, then decide whether corporate functions such as HR and finance fall in or out. Draw it too wide and audit time, and with it audit fees, grow with every person in scope, because ISO/IEC 27006-1:2024 sizes the audit by headcount. Draw it too narrow and a customer's security team notices the gap. Shared responsibility matters here. Your hyperscaler holds its own ISO 27001 certificate for the infrastructure, but that covers their layer only. Your configuration, your application and your handling of customer data are yours to certify.

ISO 27001 or SOC 2 for a SaaS company?

It depends on who is buying. Sell mostly to United States customers and they will usually ask for SOC 2, an AICPA attestation report. Sell into Australia, Europe, Asia or to government adjacent buyers and ISO 27001 is the more common ask. Plenty of SaaS companies end up doing both, and the work overlaps: AICPA publishes an official mapping between the Trust Services Criteria and ISO 27001, so evidence gathered for one feeds the other. If you do one first, let your sales pipeline decide which.

How long does ISO 27001 take, and what does it cost?

Plan for the better part of a year. Building the management system, running it long enough to generate records, and passing the two stage audit usually takes 6 to 12 months; the figure is indicative and depends on how much you already have in place. There is no fixed minimum operating period in the standard, but Stage 2 tests that the system runs, so you need at least one internal audit and one management review before it. Cost has three centres: building and running the ISMS, the accredited body’s audit fees across the three year cycle, and ongoing maintenance. Audit fees scale with the number of people in scope, not your revenue. A focused readiness checklist is the cheapest way to find the gaps before the auditor does.

Does ISO 27001 certify my product or my company?

Your management system, which sits across the company and the platform. It is not a product certification. The audit checks that you identify risks and run controls to manage them, then repeats every year.

Do we still need SOC 2 if we have ISO 27001?

If your customers ask for SOC 2, yes. They are different instruments. The controls overlap heavily, so most of the evidence carries across.

Our cloud provider is ISO 27001 certified. Are we covered?

No. Their certificate covers their infrastructure. Your configuration, application and handling of customer data are a separate scope that you certify yourself.

How small can a SaaS company be and still certify?

There is no minimum size. Audit time and fees scale with the number of people in scope, so a small team scopes a smaller, cheaper audit. Early stage startups certify regularly.


Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Sources:

  1. ISO/IEC 27001:2022, Information security management systems, 2022
  2. ISO/IEC 27002:2022, Information security controls (Annex A guidance, including A.5.23, A.8.25, A.8.28), 2022
  3. ISO/IEC 27006-1:2024, Requirements for bodies providing audit and certification of information security management systems, 2024
  4. AICPA, Mapping of the 2017 Trust Services Criteria to ISO/IEC 27001, 2022

Last updated: 21 June, 2026