ISO, ISO Baby: What’s changed over the last years?

Cristina's Compliance Corner

ISO 27001 has long reigned as a compliance champion in the world of information security. As a widely recognized framework, some 33,000 companies hold ISO 27001 certifications. But what’s it take to pursue this highly sought-after certification? How does one best prepare? And who is it even applicable to? 

I sat down with Collin Clifford, Thoropass’s resident ISO expert, certified lead implementer, and auditor. Collin has spent the last 12+ years learning, implementing, and refining the process at Thoropass and working closely with the framework (and others) for years before that at BDO and PwC. We had an opportunity to discuss the target markets for ISO, obtaining ISO certification, and key updates to the framework over the last year. 

Check out our whole discussion here:

ISO for all!

Collin fields two primary questions from prospects:

  • Who is ISO 27001 applicable to?
  • Is it only appropriate for SaaS companies? 

Who is ISO 27001 applicable to?

Collin explains that  “Generally, ISO standards are internationally known throughout most of the world except for the US. So, it’s meant for organizations primarily operating in international locations.” 

ISO 27001 is most often sought after by companies in the EU because it has a privacy component that closely aligns with GDPR (General Data Protection Regulation). 

However, this framework is not limited to companies operating within the EU. There is growing interest in ISO 27001 for US-based companies, especially as they look to expand geographically. Achieving ISO can help companies gain traction with international businesses and build credibility by being more closely aligned to requirements those companies are familiar with. 

Is ISO 27001 only appropriate for SaaS companies?

In short, No. Collin debunked the myth that ISO 27001 only applies to SaaS organizations. “​​That’s not necessarily the case,” he says. “The standard works for any organization, big or small, in any industry—and the standard has plenty of controls, not just for on-premises customers but also cloud or hybrid. They allow for different circumstances for any organization, making it a very flexible standard that any of our customers can achieve.” 

Flexibility means the playing field is now leveled; who you are, what you do, or what type of customers you service, ISO 27001 could apply to you and provide a competitive advantage. 

Stylized image of a life preserver on the side of a boat
Continued reading
Your guide to implementing an ISO 27001 backup policy template

Obtaining ISO 27001 compliance

Where does one even begin when considering pursuing ISO 27001? With so many components to consider, one must attack it in three phases:

  1. Implementation
  2. Readiness
  3. Audit


“​​The first thing is understanding the scope of the certification,” says Collin. “Some organizations want to include every single location and department because they handle sensitive data from their customers.” 

When it comes to scoping, it’s best to work with an expert. At the same time, there should be some level of understanding that comes from internal management alignment. Collaboration between external and internal expertise will govern the creation and iteration of the ISMS (information security management system) and ultimately drive the remainder of your implementation activities. 

“You can think of it as the glue that holds all of your policies and procedures together, including your statement applicability, all your entity-level controls, leadership, your interested parties, who would be interested in the security practices that you implement, what your risk assessment process look like, etc. What about continuous improvement in internal audits? Those types of things must be included within your ISMS itself. And that is something that the auditors will go through straight first to understand your overall environment to show your commitment to information security.”


Regarding readiness, the internal audit will evaluate your readiness for the audit. During an internal audit, an auditor will evaluate the controls you implemented over the last few weeks or months. “Think of the internal audit as a lighter scale mock audit before you get to your certification audit to make sure you have everything that you need from a higher level to get yourself in a good spot with your certification auditors.” 

During an internal audit, you’ll identify gaps and remediate them so that when you’re in front of the auditors during, there aren’t any significant landmines that could ultimately affect the audit outcome. 

It is crucial to note that an independent, certified lead ISO auditor must perform the internal audit. Reach out to the Thoropass team for additional information regarding this service offering. 


The audit is the culmination of all the effort from the implementation and readiness phases ISO 27001 has a three-year audit cycle, with the first year being the most intensive, deep dive style audit, and years two and three serving as surveillance (keep on keepin’ on!). 

The ISO 27001 audit itself occurs in two stages:  

  • Stage 1, where the auditors will review your policies, ISMS, Statement of Applicability, etc. This stage is more about of the governance oversight component of the audit.
  • Stage 2, where the auditors will get into the meat of your controls and review evidence as proof of design and implementation. 

If any major or minor nonconformities aduring the audit stages, you will have an opportunity to remediate them. Once all is otherwise reviewed and approved by the auditors and you’re comfortable with the scope of the ISMS, certification is issued. 

Changes and impact

Like many security and compliance frameworks, ISO 27001 has multiple iterations. It was updated from ISO 27001:2013 to the most recent version, ISO 27001:2022.

There are many reasons why iterations and updates such as these occur. The intention of the most recent update is to ensure ISO keeps up with changing technology and industry trends to ensure the greatest coverage of controls. 

They also tried to reduce the overall number of controls, going from 114 in 2013 to 90 in 2022. 

As Collin points out, “​​They took away a lot of the old school type of controls that aren’t applicable anymore with the technological environment that many of our customers and organizations see these days.” Overall, the updates modernize the ISO 27001 framework and keep it on par with what other frameworks and regulations require, such as SOC 2 and GDPR, require.

Updating your ISO 27001 certification

But what happens if someone has pursued ISO 27001 with the 2013 standard? Don’t sweat it! 

Collin says, “If you are an organization that has already been certified under the 2013 version, you have until October of 2023 to cut over to the 2022 version…You can change at any point during any surveillance year or any surveillance audit to transition to 2022 and then restart your audit cycle [with the 2022 standard]. So that is a nice benefit of the transition period that ISO gives.”

As always, if you have any questions regarding what makes the most sense for your organization, contact Thoropass to talk to an expert. 

Curious to learn more about ISO 27001?

ISO 27001 is an undertaking we don’t encourage customers and prospects to approach lightly. It involves alignment, commitment, and ultimately a fair bit of guidance coming for the first time. 

Don’t go at it alone—talk to our experts to learn more about the resources and support we provide when pursuing ISO 27001 with Thoropass.

Share this post with your network: