ISO 27001
[ on roadmap ] ISMS certification — not earned yet
[ what it actually means ]
ISO 27001 certifies an information security management system (ISMS) — the organizational machinery around security: risk assessment and treatment, a statement of applicability across the Annex A controls, management review, internal audit, and a three-year certification cycle with annual surveillance audits followed by recertification. It overlaps heavily with SOC 2 but is more prescriptive about the management system itself, and it is the certificate large enterprises and non-US buyers most often require. We do not hold it, and there is no badge on this page because the audit has not happened.
[ our posture ]
On the roadmap, honestly sequenced
ISO 27001 certification is planned, sequenced behind the work it depends on. We will not announce a target quarter we cannot defend; when an audit is scheduled, this page will say so.
The control overlap is already running
A large share of Annex A controls — access control, cryptography, operations security, incident management — are the same controls in our SOC 2 scope and already operate. The gap is the management-system formalism, not the security substance.
Gap assessment before auditor selection
The first concrete step is a formal gap assessment against the current edition of the standard, performed before we select a certification body, so the certification project starts from evidence rather than optimism.
No 'ISO-ready' claims in the meantime
Until an accredited auditor issues a certificate, we will not describe ourselves as ISO 27001 'ready', 'compliant', or 'aligned' in sales material. The status is on-roadmap, and that is the only phrase we will use.
[ request documentation ]
We can share our SOC 2 report under NDA and a control-mapping summary showing Annex A overlap, plus the current certification timeline once one exists.