
ISO 27001 · Guide

Who Needs ISO 27001?

ISO 27001 certification is voluntary — no law requires every organization to hold it. The pressure is commercial: enterprise customers, procurement teams, and sector regulators ask for it as independent proof that your information security management system actually works.

Rule of thumb: if other businesses trust you with their data and review your security before they sign, someone in your pipeline will eventually require ISO 27001, SOC 2, or both.

  • 0 laws mandating it universally
  • B2B is where demand actually comes from
  • 500+ audits delivered by TCSA

Plain-English guide · Vendor-neutral · Last reviewed July 2026

No law makes ISO 27001 universally mandatory. You need it when the organizations you sell to — or the regulators you answer to — require independent proof of a working information security management system. In practice, that means B2B companies handling customer data whose buyers ask, and sectors whose regulators reference it. The mechanics matter because they set your timeline and scope. Certification attests that an information security management system — the governed program described in the standard’s requirements — has been examined by an independent, accredited body and found to operate. Nobody legislates that every company must do this. Instead, the organizations that carry heavy security obligations — enterprises, regulators, governments — push proof requirements down their supply chains, and ISO 27001 is the proof format most of the world outside North America has standardized on. This guide maps where the demand comes from, who meets it most often, the events that turn it urgent, what buyers verify, and when waiting is the sensible call. For the full journey from nothing to certificate, see the ISO 27001 hub.

Demand

Where the Requirement Actually Comes From

ISO 27001 is voluntary the way a passport is voluntary: nothing forces you to hold one, but certain borders don’t open without it. Here the borders are commercial — written into contracts, tenders, and vendor-risk programs rather than statute books. Four channels generate almost all real-world demand:

  • Enterprise contracts and MSAs. Security schedules in enterprise master service agreements increasingly name ISO 27001 (or SOC 2) as a condition of doing business — sometimes as an ongoing warranty to maintain certification for the life of the contract.
  • RFPs and tenders. Public-sector and large-enterprise tenders — especially in UK, EU, Australian, and Gulf markets — list ISO 27001 as a pass/fail qualification criterion. Without it, a bid can be filtered out before anyone reads the technical proposal.
  • Vendor-risk programs. Enterprise security teams assess their suppliers annually. A current certificate collapses a several-hundred-question assessment into a scope check — which is why procurement prefers certified vendors even where policy doesn’t strictly require one.
  • Regulators and government supply chains. No global law mandates certification, but sector regulators and national frameworks reference ISO 27001 as an accepted baseline. Government and defence supply chains, cloud-hosting accreditation schemes, and telecom procurement are where it most often appears as a hard requirement.

When the requirement lands, it rarely says “be secure.” It says something like: supplier shall maintain certification to ISO/IEC 27001 issued by an accredited certification body, and shall provide the certificate and scope statement on request. Two words do the work: accredited — a certificate from an unrecognized issuer fails review — and scope, which must cover the specific service being bought. Both come up again below.

The practical consequence: “do we need ISO 27001?” really means “who in our pipeline will require it, and when?” For most B2B companies holding customer data, the honest answer is “the next serious enterprise deal.”

The profile

Who Typically Needs It

The organizations that certify share two traits: they hold or process other organizations’ data, and they sell to buyers large enough to run formal vendor-risk programs. That combination concentrates demand in seven profiles:

  • SaaS and cloud vendors. A multi-tenant platform concentrates many customers’ data behind one control environment — so every enterprise deal begins with a security review, and certification is the fastest way through it. The effort is spent once and reused across every prospect’s review, which is why it is often the first formal framework a growing platform adopts.
  • IT services firms and MSPs. Managed service providers hold privileged access to client networks and infrastructure. Clients increasingly require certified suppliers, because a compromised MSP is a compromise of everyone downstream.
  • BPOs and outsourced operations. Back-office processing, support desks, and document handling put client records into your systems and your staff’s hands. Outsourcing contracts routinely make certification a standing condition, and client auditors check that the certified scope covers the delivery locations doing their work.
  • Fintech and payment infrastructure. Banks and payment networks operate under their own regulatory obligations and flow security requirements down to every technology supplier they onboard. Due-diligence packs typically ask for the certificate before commercial terms are seriously discussed.
  • Healthtech and health-data platforms. Hospitals, insurers, and pharma partners demand independent proof of security before patient or trial data moves into a vendor’s systems. Certification doesn’t replace sector privacy obligations, but it is the security baseline those reviews start from.
  • Data processors and analytics providers. If you process personal data on another organization’s behalf, their privacy obligations become your contractual ones — and certification is the standard evidence that you can meet them.
  • Telecom suppliers. Operators run formal supplier-security frameworks that reference ISO 27001, and network-equipment and software vendors meet it as table stakes for procurement.

Recognize your company in more than one profile? Treat the question as “when,” not “if.” The pattern is strongest wherever services cross borders: an IT services or BPO firm serving overseas enterprise clients, for example, typically meets the requirement in its first serious UK, EU, or Australian procurement cycle, because the buyer’s vendor-risk program simply assumes certification. Wherever your buyers sit, the logic holds: the more of other organizations’ data you hold, the earlier the question arrives.

Timing

Five Moments That Turn “Someday” into “Now”

Almost nobody certifies on a quiet quarter. Demand arrives as an event — usually one of these five:

  • An enterprise deal stalls in security review. The most common trigger by far. Procurement asks for your certificate; you don’t have one; the deal waits. Many companies start building their ISMS the week this first happens.
  • A tender lists it as a qualification criterion. Government and large-enterprise RFPs often make certification a threshold requirement — you either hold it at submission (or can evidence a certification program underway) or you don’t bid.
  • Rebuilding trust after an incident. After a breach or a serious near-miss, certification is visible, independent evidence that the security program was rebuilt properly — something customers can verify rather than take on faith.
  • Investor or M&A diligence. Acquirers and late-stage investors read certification as operational maturity, and its absence as risk to be priced in. It now appears in diligence checklists alongside the financial audit.
  • Supply-chain flow-down. A certified customer is obliged to manage its own supplier risk — that’s part of their ISMS — so the requirement cascades: their certificate quietly creates demand for yours.

The uncomfortable arithmetic: certification means building and operating an ISMS and then passing a two-stage external audit — it cannot be conjured in the closing week of a deal. If any of these five events is plausibly on your horizon, the cheapest time to start is before the trigger fires. The certification guide walks through the full sequence, and the requirements overview shows what the standard actually asks of you. A useful discipline: count how many active deals, tenders, and diligence processes could plausibly ask for the certificate in the coming quarters. Once that count stops being zero, the business case has written itself.

Who can wait

Who May Not Need It Yet

Honest advisors will tell you when the answer is “not yet.” Certification is a real investment of management attention as much as money, and spending it before any buyer asks usually means re-scoping it under different assumptions later. Two situations reliably fall into the wait bucket:

  • Your sales are US-only. North American buyers usually ask for a SOC 2 report first — often instead of ISO 27001. If the pipeline is entirely US enterprise, SOC 2 is usually the better first spend.
  • You’re very early. Before enterprise deals enter the pipeline, a lightweight security baseline delivers more value per hour than a certifiable ISMS. Certify when the buyers who ask start appearing — not before. The controls you build early (access management, backups, endpoint hygiene) will count toward the eventual ISMS anyway.

Selling into both markets, or unsure which framework will be asked for first? The ISO 27001 vs SOC 2 comparison covers how far the two overlap, and the framework selector turns your buyer geography and data profile into a shortlist.

One factor that should not drive the decision is company size. ISO 27001 certifies a scoped management system, not a headcount: a 10-person company can certify a tightly scoped ISMS covering one platform and the people who operate it, applying only the Annex A controls its risk assessment makes relevant. Size doesn’t matter; scope does — provided the scope statement printed on the certificate covers the service your customers actually buy.

One structural point trips up first-time buyers: consultants don’t certify anyone. Certificates are issued by accredited certification bodies after a two-stage external audit — Stage 1 reviews your ISMS documentation and readiness, Stage 2 examines whether the system genuinely operates. Consulting firms — Tranquility Cybersecurity included — prepare you for that examination: gap assessment, risk assessment, documentation, internal audit. The certificate itself always comes from the body. Any vendor implying it can “issue” your ISO 27001 is describing a certificate that won’t survive procurement scrutiny.

The ask

What Buyers Actually Check

It helps to see what happens on the other side of the request. When a vendor-risk analyst receives your certificate, four things get verified:

  • The certificate itself — and who issued it. Vendor-risk teams check that the issuer is an accredited certification body; accreditation is what makes a certificate portable across buyers and borders. They also check the dates — certificates run on a three-year cycle with surveillance audits in between.
  • The scope statement. The certificate names exactly what was certified — products, locations, business units. Buyers read it to confirm the service they are purchasing sits inside the scope; a certificate that excludes the relevant platform fails the review.
  • The Statement of Applicability reference. ISO 27001 certificates reference the version of the Statement of Applicability the audit covered. Sophisticated reviewers ask for the SoA — or a summary — to see which controls were declared applicable and why.
  • What sits behind it. Some buyers stop at the certificate. Mature vendor-risk programs follow up with questionnaires, evidence requests, or contract clauses — and the operating ISMS behind the certificate is what lets you answer quickly.

This is why “get the cheapest certificate” backfires: the wrong scope, an unrecognized issuer, or an ISMS that can’t answer follow-ups costs a deal at exactly the moment certification was supposed to win one. If it is worth doing for your pipeline, it is worth doing in a form buyers will accept — the certification guide covers how to get there.

Who Needs ISO 27001 — Common Questions

Legal status, company size, industries, and the SOC 2 question.

Who needs ISO 27001 certification?

Any organization whose customers, regulators, or partners require independent proof of its information security management. In practice that concentrates in B2B companies holding or processing other organizations’ data: SaaS and cloud vendors, IT services firms and MSPs, BPOs, fintech and payment infrastructure, healthtech, data processors, and telecom suppliers. If enterprise buyers review your security before signing, you are in the population that eventually needs it.

Is ISO 27001 legally required?

No. ISO 27001 certification is voluntary — no law makes it universally mandatory in any country. What makes it feel mandatory is contract rather than statute: enterprise MSAs, public tenders, and vendor-risk programs increasingly name it as a condition of doing business, and some sector regulators and government supply-chain frameworks reference it as an accepted security baseline. A practical test: search your signed MSAs and active RFPs for “ISO 27001.” That — not legislation — is where your actual obligation will be written.

Do small companies need ISO 27001?

Size is not the deciding factor — buyer expectations are. A 10-person company selling into enterprise accounts faces the same security-review gates as a 500-person one, and the standard scales: you can certify a tightly scoped ISMS covering one product and the people who run it. If your customers are small businesses who never ask, certification can wait; if your next contract is with a bank or a government body, headcount won’t exempt you.

ISO 27001 or SOC 2 — which do buyers want?

It tracks your customers’ geography. North American buyers usually ask for a SOC 2 report first; buyers in the UK, EU, Australia, the Gulf, and much of Asia usually ask for ISO 27001. The two overlap heavily — much of the control effort transfers between them — so companies selling into both markets often pursue both, sequencing whichever their pipeline demands first. If one large prospect is driving the question, ask their procurement team which they accept — many take either.

Which industries most commonly certify?

SaaS and cloud services, IT services and managed service providers, BPO and outsourced operations, fintech and payment infrastructure, healthtech, data processing and analytics, and telecom suppliers. Beyond those, certification clusters wherever formal procurement rules apply: government and defence supply chains, cloud-hosting accreditation schemes, and large-enterprise vendor programs.

Can we get certified for just one product or team?

Yes. ISO 27001 is certified against a defined scope, and the scope statement — printed on the certificate — can cover a single product, platform, business unit, or location rather than the whole company. A tight scope is legitimate and common, with one caveat: it must cover the service your customer actually buys. Buyers and their auditors read scope statements, and a certificate that excludes the system they depend on won’t pass their review.

Related reading: the ISO 27001 hub, the step-by-step certification guide, ISO 27001 requirements, what an ISMS is, and ISO 27001 vs SOC 2. Choosing a first framework? Try the framework selector, and look up unfamiliar terms in the compliance glossary.

Written By Expert Auditors

Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISO · DPO · CISA · MCSE · ITIL · ISO 27001 Lead Auditor · ISO 27701 Lead Auditor · ISO 42001 Lead Auditor

Saundhi Chauhan
Lead Auditor
ISO 27001 Lead Auditor · ISO 27701 Lead Auditor

Last reviewed: July 2026. Content verified by certified lead auditors.
