International standard. Strong adoption in EU, UK, Asia-Pacific, and global enterprise.

ISO 27001

ISO/IEC 27001 (Information Security Management Systems)

Applies to

Any organisation selling into international enterprise, especially EU/UK and APAC. Often a procurement prerequisite outside the US.

Creates urgency when

European or APAC enterprise prospect makes ISO 27001 a hard requirement, or when expanding outside the US for the first time.

Evidence burden

Documented ISMS plus 93 Annex A controls. Three-year certification cycle with annual surveillance audits. Heavier paperwork burden than SOC 2.

Buying-committee effect

Brings in international procurement, legal, and the global head of security. Often requires regional certification body engagement.

GTM angle

The international companion to SOC 2. Sold as "the same audit pain, but for the deals that pay in euros and yen." Buyers who already have SOC 2 evaluate add-on-cost vs separate-program-cost; greenfield ISO buyers evaluate full programs.