ISO 27001 is the world's most widely adopted standard for managing information security risks. Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it provides a systematic framework — called an Information Security Management System (ISMS) — for identifying, treating, and continuously monitoring security risks across an entire organization.
How ISO 27001 Works
Achieving ISO 27001 certification is not a checkbox exercise. It follows a structured sequence of activities rooted in the Plan-Do-Check-Act (PDCA) management cycle, culminating in an independent audit by an accredited certification body.
Define Scope and Context
Identify which business units, systems, data types, and locations fall under your ISMS. A payment company might scope its certification to include its core transaction processing environment, customer data stores, and supporting cloud infrastructure. A tight, well-justified scope speeds up the audit and reduces certification costs.
Conduct a Risk Assessment
Systematically identify information assets, the threats and vulnerabilities that could affect them, and the likelihood and impact of each risk scenario. ISO 27001 does not prescribe a specific risk methodology, but clause 6.1.2 requires the process to be documented and to produce consistent, valid and comparable results each time it is run. Common approaches include asset-based and scenario-based risk registers; either works as long as the same method, criteria and risk owners are used at every review.
Produce a Statement of Applicability (SoA)
Map your risk treatment decisions to the 93 controls in Annex A of the standard. For each control, state whether it is applicable, implemented, and why — or formally justify its exclusion. The SoA is a core audit artifact and demonstrates that your control selection is risk-driven, not arbitrary.
Implement Controls and Policies
Build or update the technical and organizational measures your SoA requires. This typically includes access control policies, incident response plans, supplier security assessments, cryptographic key management, and business continuity procedures. Evidence of implementation — logs, configurations, signed policies — must be retained for auditors.
Run Internal Audits and Management Reviews
Before the external audit, conduct at least one internal audit against the standard and a formal management review. These surface gaps and demonstrate that leadership is actively engaged in the ISMS — a requirement, not a formality.
Complete the External Audit (Stage 1 and Stage 2)
An accredited certification body reviews your ISMS documentation and readiness (Stage 1) and then tests whether controls are operating effectively in practice (Stage 2). Major nonconformities must be closed before the certificate is issued; minor ones normally require an accepted corrective action plan that is checked at the next surveillance visit. Certification is then valid for three years, with annual surveillance audits and a full recertification audit at the end of the cycle.
Why ISO 27001 Matters
Information security failures carry severe financial and reputational consequences, and buyers increasingly use ISO 27001 certification as a proxy for vendor trustworthiness. Understanding the commercial and regulatory stakes makes a compelling case for pursuing certification.
The global average cost of a data breach reached $4.88 million USD in 2024, according to IBM's annual Cost of a Data Breach Report — a 10% increase year-over-year and the highest figure recorded. For payment companies handling cardholder data, that figure climbs further when regulatory fines, card-scheme penalties, and churn costs are included.
ISO 27001 certification is now a common procurement requirement in enterprise and financial services markets. A 2023 survey by IT Governance found that over 70% of large enterprise buyers now require evidence of ISO 27001 certification or equivalent during vendor onboarding, up from around 45% five years earlier.
A mature ISMS also improves detection and response. Logging (Annex A control 8.15) and monitoring activities (8.16) are standing requirements of the framework, so the telemetry needed to spot an incident is built in rather than bolted on after a breach. Whether that translates into a shorter mean-time-to-detect (MTTD) depends on how those controls are actually operated, which is exactly what the Stage 2 and surveillance audits test.
2022 Update
ISO/IEC 27001:2022 reorganized Annex A from 114 controls across 14 categories into 93 controls across four themes (organizational, people, physical, and technological). It added 11 new controls, including threat intelligence (5.7), information security for use of cloud services (5.23), data masking (8.11), and secure coding (8.28). Organizations certified under the 2013 version had until 31 October 2025 to transition.
ISO 27001 vs. SOC 2
Both frameworks address information security, but they serve different audiences and produce different outputs. Payment companies with global customers often need both.
| Dimension | ISO 27001 | SOC 2 |
|---|---|---|
| Origin | International (ISO/IEC) | United States (AICPA) |
| Output | Certificate | Attestation report |
| Scope | Full ISMS, boundaries defined by the organization | Security criterion mandatory; availability, processing integrity, confidentiality and privacy optional |
| Audit frequency | Annual surveillance + recertification every 3 years | Type I (point in time) or Type II (over a review period, typically 12 months), usually renewed annually |
| Global recognition | 160+ countries | Primarily North America |
| Controls | 93 Annex A controls | Criteria-based, flexible |
| Mandatory risk assessment | Yes (clause 6.1.2) | Yes, via the COSO-based common criteria (CC3), but less prescriptive about method |
| Common use case | Enterprise/government procurement | SaaS vendor due diligence |
For companies subject to PCI compliance, neither ISO 27001 nor SOC 2 replaces PCI DSS — all three address different risk surfaces and are increasingly expected in parallel by acquiring banks and card networks.
Types of ISO 27001
ISO 27001 itself is a single standard, but several variants and companion standards shape how organizations implement and extend it.
ISO/IEC 27001:2022 is the current version, superseding the 2013 edition. It aligns with the ISO Harmonized Structure used across management system standards, making it easier to integrate with ISO 9001 (quality) or ISO 22301 (business continuity).
Sector-specific extensions exist for industries with elevated requirements. ISO/IEC 27017 adds cloud security controls. ISO/IEC 27018 addresses protection of personally identifiable information (PII) in public clouds — directly relevant to companies handling customer payment data subject to GDPR.
Multi-site and group certifications allow large organizations to certify a parent entity and its subsidiaries under a single ISMS scope, reducing duplicated audit effort while maintaining consistent controls.
Best Practices
For Merchants
Treat ISO 27001 as a business enablement tool, not just a compliance cost. Enterprise and public-sector buyers increasingly filter vendors by certification status before shortlisting, so certification can directly expand your addressable market.
- Start with a gap analysis against the standard before committing to a timeline. Most merchants underestimate how many undocumented processes exist in their environment.
- Integrate your ISMS with PCI DSS and GDPR obligations from the start. Overlap in controls (access management, logging, incident response) means shared evidence reduces total audit burden.
- Involve your payment processor and key SaaS vendors early. Supplier security is a formal ISO 27001 requirement, and your auditors will review how you assess third-party risk.
- Document everything with audit trails in mind. Policies without evidence of enforcement are nonconformities waiting to happen.
For Developers
Security controls in ISO 27001 are not just policy documents — they translate directly into engineering requirements that developers own day-to-day.
- Implement secure development lifecycle (SDL) practices formally. The 2022 update added a dedicated secure coding control (8.28), meaning auditors will look for code review processes, static analysis, and vulnerability scanning in your CI/CD pipeline.
- Automate evidence collection. Log aggregation, access reviews, and configuration compliance checks are far easier to sustain — and audit — when driven by tooling rather than manual exports.
- Treat cryptographic key management seriously. Annex A control 8.24 (use of cryptography) requires rules for the use of cryptography, including key management, to be defined and implemented. Hardcoded secrets, weak or absent key rotation schedules, and ad-hoc algorithm choices are common audit findings.
- Map your cloud configurations to Annex A controls using infrastructure-as-code. This makes scope changes and annual surveillance audits significantly less painful.
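The evidence-automation and control-mapping points above are easiest to see in code. The following is an added example, not code from the original page or from Tagada: a small access-review job that runs over an account export, tags each finding with the Annex A (2022) control it evidences, and writes an integrity-hashed evidence record that can be filed against the Statement of Applicability. The account export, the 90-day inactivity threshold, and the choice of which controls apply are constructed assumptions for illustration; in a real ISMS the applicable controls come from your SoA.

```python
"""Automated access-review evidence for an ISO 27001 surveillance audit.

Added example, not from the original page or from Tagada. The account export
below is constructed sample data, and the thresholds and control mapping are
assumptions for illustration; a real ISMS takes both from its own SoA.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data), shaped like an IAM user listing.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "privileged": True, "mfa": True, "shared": False,
     "last_login": "2024-09-28T10:00:00Z"},
    {"user": "bob", "privileged": True, "mfa": False, "shared": False,
     "last_login": "2024-09-30T08:15:00Z"},
    {"user": "deploy-shared", "privileged": False, "mfa": False, "shared": True,
     "last_login": "2024-09-29T01:00:00Z"},
    {"user": "carol", "privileged": False, "mfa": True, "shared": False,
     "last_login": "2024-05-01T12:00:00Z"},
]

# Each check names the Annex A (2022) control it produces evidence for.
CONTROL_REFS = {
    "inactive_account": ("5.18", "Access rights: unused accounts removed or disabled"),
    "privileged_without_mfa": ("8.5", "Secure authentication: MFA for privileged access"),
    "shared_identity": ("5.16", "Identity management: shared identities need explicit approval"),
}

# Fixed review time so the record is reproducible; a real job would use now().
REVIEW_TIME = datetime(2024, 10, 1, tzinfo=timezone.utc)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_accounts(accounts, now=REVIEW_TIME, max_inactive_days=90):
    """Apply the access-review checks and return one finding per violation."""
    cutoff = now - timedelta(days=max_inactive_days)
    findings = []
    for acct in accounts:
        if _parse(acct["last_login"]) < cutoff:
            findings.append({"user": acct["user"], "check": "inactive_account"})
        if acct["privileged"] and not acct["mfa"]:
            findings.append({"user": acct["user"], "check": "privileged_without_mfa"})
        if acct["shared"]:
            findings.append({"user": acct["user"], "check": "shared_identity"})
    for finding in findings:
        finding["control"], finding["description"] = CONTROL_REFS[finding["check"]]
    return findings


def build_evidence(accounts, now=REVIEW_TIME):
    """Run the review and wrap the result in an integrity-hashed evidence record."""
    body = {
        "evidence_type": "access_review",
        "generated_at": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "accounts_reviewed": len(accounts),
        "controls_covered": sorted({ref for ref, _ in CONTROL_REFS.values()}),
        "findings": review_accounts(accounts, now),
    }
    # Hash the canonical JSON so later edits to the stored record are detectable.
    # This gives integrity only; authenticity needs a signature or a WORM store.
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return {"body": body, "sha256": digest}


def verify_evidence(record):
    """Recompute the hash over the body and compare it in constant time."""
    expected = hashlib.sha256(
        json.dumps(record["body"], sort_keys=True).encode()).hexdigest()
    return hmac.compare_digest(expected, record["sha256"])


if __name__ == "__main__":
    record = build_evidence(SAMPLE_ACCOUNTS)
    print(json.dumps(record, indent=2))
    print("integrity ok:", verify_evidence(record))
```

Run on the constructed export, the job flags bob (privileged without MFA, 8.5), deploy-shared (shared identity, 5.16) and carol (inactive beyond 90 days, 5.18), and the evidence record carries the control references an auditor will ask for. Scheduling this from CI or a cron job and committing the output to a write-once evidence store is the difference between "we have an access review policy" and "here is the access review for every month of the surveillance period".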
Common Mistakes
Organizations frequently stumble on the same pitfalls during their first ISO 27001 certification journey.
1. Scoping too broadly. Including every system and location in your ISMS scope dramatically increases audit complexity and cost. Define a tight, defensible scope first and expand it in later cycles once the ISMS is mature.
2. Treating risk assessment as a one-time exercise. ISO 27001 requires ongoing risk management. Organizations that complete a risk register during implementation and never revisit it will fail surveillance audits when new assets, threats, or vendors aren't reflected.
3. Confusing policy existence with control implementation. Auditors look for evidence that controls are operational — access logs, training records, patch histories, supplier assessment results. A well-written policy with no implementation artifacts is a nonconformity.
4. Underestimating supplier assessment requirements. Annex A control 5.19 requires a formal supplier security policy, and 5.20 requires addressing security in supplier agreements. Payment companies often rely on dozens of SaaS tools and cloud providers that must be assessed and documented.
5. Failing to close the loop on internal audit findings. Internal audits are only valuable if nonconformities are tracked, remediated, and verified. Leaving findings open is itself a major nonconformity in the external audit.
ISO 27001 and Tagada
Payment orchestration platforms like Tagada sit at the center of a merchant's data flow — routing transactions, managing provider credentials, and handling sensitive cardholder data on behalf of clients. That position makes ISO 27001 certification directly relevant.
ISO 27001 and Payment Orchestration
When evaluating a payment orchestration partner, ISO 27001 certification is a meaningful signal that the platform has a documented ISMS, formal risk management processes, and independently verified security controls. For merchants in regulated industries or selling to enterprise buyers, using a certified orchestration provider can strengthen your own compliance posture and simplify vendor due diligence questionnaires. Tagada's security posture is designed to support merchants pursuing their own ISO 27001 certification by providing transparent audit documentation and control evidence on request.