ISO 27001 · Canada-wide

ISO 27001 readiness for Canadian SMBs — scope, ISMS, Stage 1 & 2

ISO 27001 is a certification with a lifecycle — an ISMS to build, a two-stage audit, then surveillance visits every year. We prepare Canadian SMBs for all of it: scoping, risk treatment, the Statement of Applicability, and support through Stage 1 and Stage 2. The certificate itself comes from an accredited certification body — we get you ready for them.

A certification, with a lifecycle

ISO/IEC 27001 is the international standard for an information security management system (ISMS) — the governance machinery that decides what you protect, how, and who checks. Unlike SOC 2, it ends in a certificate, and that certificate comes from an accredited certification body, never from a consultant. Our role is to make you ready for that body, and to stay beside you while it does its work.

Certification is a cycle, not an event. The certificate is typically valid for three years, with a defined path in and scheduled audits along the way:

  • Readiness. Scope the ISMS, treat the risks, build the documentation — the part we deliver with you.
  • Stage 1. The certification body reviews your documentation and confirms you’re ready for the real audit.
  • Stage 2. The implementation audit — auditors verify the ISMS actually operates, not just that it’s written down.
  • Surveillance audits. Shorter annual visits in years one and two confirm the system keeps running.
  • Recertification. A fuller audit near year three renews the certificate for another cycle.
The ISMS

Scope, risk treatment and the Statement of Applicability

Scoping is where certifications are won or lost. The certificate only speaks for what sits inside the ISMS scope, so we draw that boundary deliberately — the systems, sites and teams your buyers care about, and nothing that adds audit surface without adding trust.

From there, risk drives everything: we run the assessment, decide with you what gets treated, accepted or transferred, and turn those decisions into a treatment plan the auditors can follow.

The Statement of Applicability is the document auditors reach for first. It walks through every Annex A control and says whether it applies to you, and why — or why not. We draft it from your real environment, so each justification survives questioning.

  • Scope definition. The boundary your certificate will speak for.
  • Risk assessment & treatment plan. Documented decisions, not spreadsheets for their own sake.
  • Statement of Applicability. Every Annex A control, justified.
  • Internal audit & management review. Required before Stage 2 — we run them with you.

Coming from SOC 2? You’re closer than you think

If you already hold a SOC 2 report, most of your controls have an Annex A counterpart — access management, change control, logging, vendor risk and incident response all carry over. What ISO 27001 adds is the management system around them: the scope, the risk methodology, the internal audit, the management review and the Statement of Applicability. We map what you have before proposing anything, so the readiness fee covers the genuine remainder.

Starting from the attestation side instead? See our SOC 2 readiness service. Weighing the two? Read SOC 2 or ISO 27001 for SMBs.

Delivery

Automation, language and reach

Drata, mapped to Annex A

The same evidence automation we use for SOC 2 maps to ISO 27001 controls: continuous collection, drift alerts, and a dashboard that keeps you surveillance-ready between annual visits.

Bilingual delivery

ISMS documentation, training and certification-body liaison in French, English or both — whichever your team and your auditor work in.

Across Canada

Remote anywhere in Canada, in person in Gatineau and Ottawa. Founded in 2023, backed by 20+ years of security experience and Microsoft expert certifications (SC-100).

FAQ

Frequently asked questions

Who actually issues the ISO 27001 certificate?

An accredited certification body — an independent auditor accredited to certify against the standard. We can’t certify you, and no consultant can; anyone who implies otherwise is overselling. Our role ends where the certification body’s begins: we build the ISMS with you, get the documentation and evidence ready, help you choose a body, then support your team through the Stage 1 and Stage 2 audits and the surveillance visits that follow.

We already have SOC 2 — is ISO 27001 worth adding?

Only if a buyer says so. SOC 2 satisfies most North American clients, and adding a certificate nobody has asked for is an expensive way to feel thorough. ISO 27001 earns its keep when a contract names it, when a European or enterprise prospect treats it as table stakes, or when you’re entering markets where the certificate is the recognized currency. When that happens, your SOC 2 controls already map onto much of Annex A, so the readiness work is a top-up rather than a restart.

How long does ISO 27001 certification take?

Longer than most first estimates, because the ISMS has to operate before it can be certified — auditors want to see a completed risk cycle, an internal audit and a management review, not just documents. The realistic driver is your starting point: an organization with existing policies and evidence habits moves much faster than one building from nothing. We scope the readiness work after a short gap review and build the schedule around a certification body’s actual availability.

Is ISO 27001 legally required in Canada?

No law requires it. The pressure comes from contracts: enterprise procurement teams, international buyers — especially in Europe — and some supply-chain security clauses treat the certificate as a condition of doing business. If none of your buyers are asking, a SOC 2 report, or simply stronger controls measured against a baseline, may serve you better. We’ll tell you which applies before you spend anything.

How much does ISO 27001 readiness cost?

We quote a fixed fee once the scoping conversation is done — the size of your ISMS scope, the state of your existing controls and how much of the documentation you want us to draft all move the number, so a price before scoping would be a guess. Two things to budget separately: the certification body’s own audit fees (Stage 1, Stage 2 and the annual surveillance visits), which they set and invoice directly, and a platform subscription such as Drata if you choose to automate evidence.

Certification showing up in a contract?

Let’s scope your ISMS and map the path to Stage 2 — with a fixed readiness fee once scoping is done.

Get in touch