ISO 27001 certification
The gold standard of information security for SaaS and Information Technology companies.
Reassure your clients you can be trusted.
What is ISO 27001?
ISO 27001 is the gold standard for information security. It is a recognised framework for managing information security and requires organisations to implement an Information Security Management System (ISMS) to protect client data.
To achieve ISO 27001 certification, a company must be audited by an accredited certification body. This is where Tempo Audits comes in - a boutique information security certification body dedicated to ISO 27001.
Who needs ISO 27001?
More and more companies are pursuing ISO 27001!
Industries commonly pursuing ISO 27001 include:
SaaS, IT, finance, fintech, law firms, legal tech, insurtech, insurance, healthtech, education, and edtech.
We live in a world of frequent data breaches and cyberattacks, making information security increasingly important. While many organisations choose to build and operate an effective Information Security Management System (ISMS) to protect themselves, the push to become ISO 27001 certified is often driven by external stakeholders.
Common drivers include customer requirements, procurement and tender processes, grant conditions, and insurance expectations.
Customer demand is the most common trigger we see. For example, a SaaS company may provisionally win a new client, only to find that ISO 27001 certification is required to pass procurement before the contract can proceed. This often creates urgency to certify within a short timeframe so the client can be activated.
This scenario is becoming increasingly common and is driving rapid growth in ISO 27001 adoption. According to the ISO Survey, the number of valid ISO/IEC 27001 certificates worldwide increased from 48,671 in 2023 to 96,709 in 2024, almost doubling in a single year.
How much does ISO 27001 cost?
The cost of an ISO 27001 audit is driven mainly by the headcount of the company, combined with other relevant risk factors (e.g. number of sites, sensitivity of information, dependencies, level of software development). The certification body uses these to determine the required audit duration in days, which in turn determines the cost. ISO 27006 sets out how certification bodies must calculate audit duration.
For a full breakdown by headcount and audit days, see our detailed ISO 27001 certification cost page.
Tempo Audits offers:
Fast quotations
Competitive pricing
A low-overhead audit model
ISO 27001 Stage 1 vs ISO 27001 Stage 2
ISO 27001 certification audits are completed in two stages.
Stage 1 is a short readiness review, often 1 day, where the certification body checks your policies and ISMS design to confirm you are ready for the main audit.
Stage 2 is the core certification audit. It is more detailed and typically longer, ranging from 2 days to significantly more, depending on company size, and focuses on evidence that controls are operating effectively.
Benefits of ISO 27001 compliance
Build your reputation
Being ISO 27001 certified is a badge of the maturity of your organisation and its processes. Displaying it proudly builds trust in what you do.
Strengthen data security
Implement a broad range of controls that strengthen your data security, spanning Organisational, People, Technological, and Physical controls.
Get a competitive edge
If you’re competing against an uncertified provider, your ISO 27001 certification will give you a competitive edge by showing the maturity of your processes and the manner in which you protect your clients’ information.
Secure your assets and IP
Reduce the risk of valuable IP or code being lost or shared with competitors by implementing information security controls that protect them.
Impress existing clients
ISO 27001 certification builds trust with existing clients and partners, allowing you to deepen and build on those relationships.
Win more customers
More and more companies now require ISO 27001 certification from their vendors. Getting certified early helps you stay ahead of these requirements and unlock new opportunities across your client base.
Reduce risk of data leaks
ISO 27001 reduces the risk of data leaks and breaches by creating a framework of controls to prevent them. By avoiding data leaks, you can avoid potentially hefty fines and also limit the risk of substantial reputational damage.
Why Tempo Audits?
High standards
Built by a former lawyer turned tech founder, Tempo Audits delivers high-quality ISO 27001 certification in a fast, practical, and tech-centric way. We are UKAS-accredited, demonstrating the highest audit standards and giving your customers confidence they can trust your certification.
Helpful
Being audited may not be your idea of fun, but we make sure you feel supported at every step. Our auditors focus on helping you strengthen your security systems so you’re confident sharing them with customers. When we find issues, we explain them clearly and help you fix them. We speak plain English, not compliance jargon — because a high-quality audit should give you more than a certificate. It should give you a partner.
Tech-centric
Our founding team has built tech companies like yours. That’s why we don’t audit in a traditional way. Our approach is virtual, collaborative, and innovative - bringing the same agility and mindset you’d expect from a tech company.
Collaborative auditors
Our auditors take a collaborative, tech-first approach. We work alongside your team, explain requirements in plain English, and are supportive so that you can resolve issues quickly, making the audit faster, clearer, and far less stressful than traditional compliance audits.
Fast-moving
When your business is moving fast, compliance shouldn’t slow you down. We accelerate the path from preparation to certification, respond quickly, start audits within days of enquiry, and take a proactive approach — turning compliance into a launchpad, not a speed bump.
Our Packages
*These packages show indicative pricing. Audit length is determined by headcount and other risk factors, using the audit-duration guidelines set out in ISO 27006. We are typically towards the lower end of the range, but this depends on your risk profile and business complexity. The packages above are based on Tempo Audits’ typical SaaS clients.
Our ISO 27001 certification process
1. Develop your management system
The first step is to build your Information Security Management System (ISMS) — the connected set of policies, processes, and procedures required to meet ISO 27001. This typically takes 3-12 months, though very fast-moving teams may complete it in 1-2 months.
For impartiality reasons, Tempo Audits cannot help you implement your ISMS. However, we’re happy to help you find a suitable platform or consultant. Book a chat with us and, once we understand your needs, we’ll make an introduction.
2. Audit application & planning
Once you’re ready - or even while you’re still preparing - share your company details, and we’ll put together a proposal. This will outline the audit timeline, based on your organisation’s size and ISMS complexity, along with clear pricing.
Once approved, we’ll schedule one of our tech-expert auditors to get started.
3. Stage 1 audit
Now we’re into the audit! The first step is the Stage 1 audit. At this stage, our Lead Auditor reviews your documentation and verifies your readiness to move on to Stage 2.
As a fast-moving firm, Tempo Audits typically shares the Stage 1 report within a day of completion, clearly outlining anything that needs to be addressed before progressing.
4. Stage 2 audit
Stage 2 is the final part of the audit. We usually run it 2-3 weeks after Stage 1, rather than the 1-3 months typical of more traditional certification bodies. We move quickly when our clients want to move quickly.
During Stage 2, we validate that your processes are operating effectively and conform to the standard. To issue a certificate, Tempo Audits needs evidence of conformity against every applicable clause and control, and we work closely with you during the audit to gather this.
If any gaps are identified, we raise non-conformities for you to close after the audit. We make this remediation process as clear and fast-moving as possible so certification isn’t delayed.
5. Certification
Once we’re finished, we’ll provide you with a final report which, once you’ve closed out any non-conformities raised in the audit, will result in certification for 3 years!
In most instances, we’re in a position to share the certificate and report with you about 3 to 7 days after the Stage 2 audit finishes.
At this stage, you can pop the ISO 27001 badge on your website and start using it to win new clients!
6. Annual audits – Surveillance and recertification
After certification, we support you in maintaining it through annual audits, as required by the standard. At 12 and 24 months, we carry out surveillance audits, and at 36 months, we complete a recertification audit. Once passed, we issue a new three-year certificate, keeping your certification continuous.
Testimonials
“Is it weird to say I had a good time? We worked with a more traditional auditor for the last two years, but they didn't understand the needs of our start-up. Tempo Audits were much better – they understood our business and used that understanding to explain and audit the standard in a way that made sense to us.”
— Jonny Arnold
Head of Engineer, Nomio
“An awesome founding team that is open to ideas and wants to properly understand your situation in order to give you a suitable offer that helps you take your first steps into security or accelerates you even further in this field.”
— Tim Pouw
COO, Turf
“We couldn’t have asked for a better auditor or company. The process was smooth, professional, and genuinely enjoyable from start to finish. We really appreciated their clear communication and supportive, down-to-earth approach throughout the process.”
— Martin Kayser
CTO, Seenons
Get a Quote
Book a call below, and we’ll provide a quote without any forms being filled out.
Alternatively, if you have all the details, fill out this form here.
FAQs
-
It’s a standard published by ISO (the International Organization for Standardization) together with the IEC, which is why its full name is ISO/IEC 27001. At its core are seven mandatory clauses (Clauses 4-10) that define a structured process for identifying risks and selecting appropriate controls to manage and reduce them. The controls themselves are listed in Annex A of ISO 27001, with implementation guidance for each provided in ISO 27002.
ISO 27001 certification is overseen by national accreditation bodies that are members of the IAF (in the UK, UKAS). These bodies accredit certification bodies, which in turn audit organisations and issue certificates. Increasingly, SaaS companies are required to evidence ISO 27001 certification to demonstrate strong information security standards.
-
Companies must implement and operate an Information Security Management System that meets the requirements of the standard. Once in place, they can be audited by a certification body to evidence compliance and, if successful, receive an ISO 27001 certificate.
-
Some companies pursue ISO 27001 voluntarily to strengthen security, reduce the risk of data breaches, and increase credibility with customers. Where it becomes a requirement, it is usually driven by customer demand, as buyers increasingly expect vendors to evidence strong information security. Other common drivers include tender processes, partnerships, and grant requirements.
-
An ISO 27001 audit is carried out to validate compliance with the ISO 27001 standard. An external audit is conducted by a certification body and is required before an ISO 27001 certificate can be issued. Organisations can also perform an internal audit, which they arrange themselves as part of maintaining their Information Security Management System.
For external audits, there are several audit types: Stage 1 and Stage 2 audits, which together form the initial certification and result in a 3-year certificate. Over the following two years, organisations complete annual surveillance audits. At the end of the cycle, a recertification audit allows the organisation to renew its three-year certificate.
-
To be compliant, a company must operate an effective Information Security Management System and then undergo a certification audit to evidence compliance.
During the audit, the company must demonstrate conformity with every applicable clause and control of the standard. If successful, the certification body issues an ISO 27001 certificate. Where auditors identify non-conformities, the company must close them acceptably before certification can be granted.
-
An ISO 27001 certificate is valid for 3 years, provided the company completes the required annual surveillance audits. In the third year, the company can extend certification for a further 3 years by successfully completing a recertification audit before the certificate expires.
-
The longest phase is implementing the management system, which typically takes 3-12 months depending on maturity, though fast-moving teams may complete it in 1-2 months. Once a client reaches audit, the overall audit process can span a few weeks to a few months. The audit time itself is usually 3-10 days; most delays come from gaps between stages.
Tempo Audits prefers to move fast. A typical fast-track schedule is a prompt Stage 1, Stage 2 within a few weeks, and certificate issuance within a week of Stage 2 - around three weeks from Stage 1 to certificate.
Some clients choose a slower pace, such as a 1-2 month gap between stages, and we’re happy to accommodate that.
-
The International Accreditation Forum (IAF) operates the IAF CertSearch database, which lets you verify certificates issued by certification bodies that are accredited by an IAF-member accreditation body.
Tempo Audits is accredited by UKAS, the UK’s national accreditation body, and UKAS runs its own CertCheck service for verifying certificates issued by the bodies it accredits.
Some providers offer unaccredited certification, meaning they lack approval from an IAF-recognised accreditation body. These certifications are harder to verify, and the quality of the underlying audit is less clear. That’s why most companies insist on accredited certification that they can trust and validate easily.
-
ISO 27001 is the standard that organisations certify against; it sets the requirements for an ISMS and lists the reference controls in its Annex A. ISO 27002 sits alongside it, providing implementation guidance for those controls, which companies typically follow as part of ISO 27001 compliance.
There is also a wider ISO 27000 family of related standards. For example, ISO 27006 sets the requirements for certification bodies that audit and certify ISMSs, including how audit duration is determined.
However, in practice, ISO 27001 is the standard in the family that organisations routinely certify against.
-
GDPR is a law and, therefore, a legal requirement for companies operating in the EU or processing the personal data of people in the EU. ISO 27001, by contrast, is an elective certification. It is not legally required, but many organisations choose to meet the standard voluntarily or because stakeholders demand it.
GDPR focuses on data privacy, while ISO 27001 focuses on information security, putting controls in place to prevent data breaches, leaks, and cyberattacks.