Will Clients Require ISO 27001 From You?

ISO 27001 asks come from a different buyer than SOC 2. Here are the signals that predict one is coming, and what to do the day it arrives mid-deal.


A client's procurement team just asked whether you are ISO 27001 certified, and you are not. Unlike a SOC 2 request, which tends to show up out of nowhere in a US enterprise deal, an ISO 27001 ask is usually predictable in advance if you know what to watch for: who you are selling to, what kind of tender you are responding to, and what certifications your own customers already hold. What you do in the next few days matters, but the bigger opportunity is seeing this coming before it lands mid-deal.

This is the international counterpart to a scenario Scadable sees constantly on the SOC 2 side, covered in what happens if a customer requires SOC 2. The shape of the problem is the same: a deal is moving, then a requirement lands that nobody scoped for. But the buyer signal is different, and that difference changes both how predictable the ask is and what a credible interim answer looks like.

What predicts an eventual ISO 27001 ask?

Three signals show up again and again. First, selling into Europe or working with international customers generally. ISO 27001 is the certification EU and broader international enterprise buyers reach for by default, the way SOC 2 is the default in US enterprise software. If your pipeline includes European logos, an ISO 27001 ask is not a matter of if, it is a matter of when.

Second, responding to public-sector or government tenders. Procurement processes in the public sector, in the EU especially, frequently list ISO 27001 as a formal requirement or a heavily weighted evaluation criterion, not a soft preference. If you are bidding on government work anywhere outside the US, check the tender document for ISO 27001 before you invest time in the bid.

Third, and easy to miss, working with clients who already hold ISO 27001 themselves. Companies that have gone through certification tend to expect their vendors to meet the same bar, because their own ISMS risk assessment often requires them to evaluate vendor security posture formally. If a prospect mentions their own ISO 27001 certificate on a call, treat that as a strong signal the question is coming, even if it has not been asked yet.

None of this is guaranteed. A US-only company selling exclusively to venture-backed startups may never see an ISO 27001 request. But the pattern is legible enough in advance that most companies do not need to be caught flat-footed by it, unlike a SOC 2 ask that can appear with no warning inside a single enterprise questionnaire.

What do you do when the ask arrives mid-deal?

The instinct to buy time honestly is the same as with any framework request. Offer what you actually have: existing security documentation, current policies, any risk assessment work already done, and a specific, dated plan for what an ISO 27001 process would look like. Be direct that you are not certified today, and explain why that is normal for a company at your stage.

If an ISMS effort is already underway, a completed Stage 1 audit, the documentation review stage, is a genuinely credible in-progress signal, more credible than a vague promise of certification "soon." A buyer's security or procurement reviewer can independently verify that a Stage 1 review happened and what it found, which makes it a much stronger interim answer than an unverifiable claim.

What kills deals here is the same thing that kills SOC 2 deals: silence, or a promise with no specifics behind it. What keeps them alive is a plan a reviewer can check, sequenced honestly, with the caveat that full certification takes real time.

What is the honest timeline, and where does it actually move fast?

Certification runs in two stages, and they behave very differently under deal pressure. Stage 1 is a documentation review: the auditor checks your ISMS scope, your risk assessment, and your Statement of Applicability for readiness. If the underlying ISMS groundwork is already real, meaning the risk assessment genuinely happened and the Statement of Applicability genuinely reflects which of the 93 Annex A controls apply and why, Stage 1 can move faster than most founders expect.

Stage 2 cannot be rushed the same way. It is an audit of whether the controls are actually operating, not whether they are documented. There is no way to compress that into a sprint, because the auditor is examining evidence of operation over time, not reviewing a policy binder. Certification, once issued, is valid for three years with annual surveillance audits confirming the ISMS is still running, not archived. Our ISO 27001 framework page covers the full certification cycle and what the Statement of Applicability actually requires if you want the mechanics before that first scoping call.

What is the mistake to avoid under deal pressure?

The same trap that catches SOC 2 deals catches ISO 27001 deals, with an ISO-specific version: signing with a vendor that hands over a policy template and calls it an ISMS. A Statement of Applicability copied from a template with no real risk assessment behind it will not survive Stage 2, because Stage 2 is specifically designed to catch documentation that does not reflect what is actually operating. A vendor promising a fast certificate without a real scoping conversation about your actual environment, risk profile, and existing controls is selling a template, not a management system.

The way to avoid this is the same discipline that applies to any compliance vendor decision under deal pressure: insist on a real scoping conversation before signing anything, and be skeptical of any timeline that skips straight past Stage 2's operational reality. Our ISO 27001 compliance checklist walks through the actual steps, from scope definition through the external audit, if you want to see what a real process looks like before evaluating a vendor's pitch.

Frequently asked questions

How do I know if my clients will eventually require ISO 27001? Watch the buyer profile, not the calendar. Selling into Europe, responding to a public-sector or government tender, or working with clients who already hold ISO 27001 themselves are the three strongest signals. ISO 27001 is the default procurement bar in those worlds the way SOC 2 is the default in US enterprise software.

A client just asked for our ISO 27001 certificate and we do not have one. What do we do first? Do not promise a certificate you cannot produce. Offer what you actually have, such as existing security documentation, policies, and risk assessments, plus a specific, dated plan for when a certification process would start. If an ISMS effort is already underway, a completed Stage 1 review is a credible in-progress signal a buyer can check.

Can we get ISO 27001 certified fast enough to close a deal this quarter? Rarely as full certification. Stage 1, the documentation review, can move faster than people expect if the ISMS groundwork, meaning a real risk assessment and a genuine Statement of Applicability, already exists. Stage 2, the audit of whether the controls are actually operating, cannot be rushed, because there has to be something operating for the auditor to examine.

Is ISO 27001 the same ask as SOC 2? No. They cover overlapping ground but come from different buyer profiles and different mechanisms. SOC 2 is an AICPA attestation report, more common with US enterprise buyers. ISO 27001 is a certification issued by an accredited third party after an audit, and it is the default in Europe, in public-sector tenders, and among buyers who expect their vendors to run the same kind of management system they run themselves.

Is it a mistake to hire an ISO 27001 vendor right after a client asks for it? It is a mistake to hire one under deal pressure without a real scoping conversation first. A vendor that hands over a policy template and calls it an ISMS will not survive Stage 2, because Stage 2 checks whether the controls are actually operating, not whether the paperwork exists.

Last reviewed: July 12, 2026.

Where Scadable fits

The ISO 27001 version of this problem is structurally the same one Scadable solves for SOC 2, just with a different buyer and a heavier operational bar. Scadable maps what is actually achievable in the timeline a real deal or tender allows, is honest about where Stage 1 can move fast and where Stage 2 genuinely cannot, and does the work of building and running the ISMS instead of handing over a template and leaving the risk assessment to you. Book a call and bring the actual deal or tender timeline; that is what the plan gets built around.