
What Is ISO 27001?
ISO 27001 is the international standard for Information Security Management Systems (ISMS). Published by ISO and IEC, it provides a framework for establishing, implementing, maintaining, and improving information security within an organisation.
The standard requires organisations to assess information security risks systematically, implement controls to address those risks, and demonstrate ongoing management and improvement. Certification is awarded by accredited third-party auditors following a formal audit process.
The current version is ISO/IEC 27001:2022, which replaced the 2013 edition. The revision reorganised controls from 14 domains into four themes, reduced the total from 114 to 93, and introduced 11 new controls addressing threat intelligence, cloud security, data masking, and secure coding. Organisations certified to the 2013 edition must transition by 31 October 2025.
Who Needs ISO 27001?
ISO 27001 applies to any organisation that wants to demonstrate information security maturity. Certification is voluntary, but increasingly required by customers, regulators, and partners as a condition of doing business.

Technology and Service Providers
Organisations supplying software, connectivity, or platforms to enterprise customers. OEMs and large enterprises require certification before supplier onboarding, particularly when systems handle vehicle telemetry, driver data, or operational information.

Fleet and Logistics Operators
Organisations handling sensitive operational data at scale across ASEAN and the Middle East. A breach or access control failure can trigger regulatory penalties, contract terminations, and reputational damage. ISO 27001 certification demonstrates that data security is actively managed.

Connected Device Manufacturers
Producers of telematics units, sensors, or IoT hardware. Device manufacturers are part of supply chains that OEMs must secure under regulations like UN R155. Certification demonstrates that development and support processes meet recognised standards.
What Does ISO 27001 Require?
ISO 27001 has two parts: the management system clauses (4-10) and the control catalogue (Annex A). Certification requires conformity with both: every clause applies, and each Annex A control applies unless you have justified its exclusion in your Statement of Applicability.
Management System Requirements (Clauses 4-10)
Clauses 4-10 define what your ISMS must include. These are mandatory; you cannot exclude them.
- Clause 4 requires you to understand your organisation's context and define the scope of your ISMS.
- Clause 5 addresses leadership: top management commitment, information security policy, and assigned responsibilities.
- Clause 6 covers planning, including formal risk assessment and risk treatment.
- Clause 7 addresses support: resources, competence, awareness, communication, and documented information.
- Clause 8 requires you to implement the risk treatment plan and manage operational changes.
- Clause 9 covers performance evaluation: monitoring, internal audits, and management reviews.
- Clause 10 addresses improvement through corrective action.
Annex A Controls
Annex A provides 93 controls organised into four themes. You select controls based on your risk assessment and document your selections and exclusions in the Statement of Applicability.
Organisational (37 controls):
Policies, roles, threat intelligence, asset inventory, supplier security, incident management, business continuity.
People (8 controls):
Screening, employment terms, security awareness, disciplinary process, remote working.
Physical (14 controls):
Security perimeters, entry controls, equipment protection, clear desk, secure disposal.
Technological (34 controls):
Access control, authentication, malware protection, logging, monitoring, cryptography, secure development.
Note: ISO 27001:2022 contains 93 controls across four themes. You apply the controls relevant to your risk assessment and document which you have excluded and why.
Key Terms
TTMI maintains continuous alignment with international cybersecurity standards, updating platform controls as regulations evolve. Our architecture aligns with international requirements for cybersecurity engineering, software integrity, and information security management.
Control: A measure that modifies risk. Can be technical (encryption), procedural (access request process), or physical (locked server room).
Corrective Action: Action taken to eliminate the cause of a nonconformity and prevent recurrence.
Information Security Policy: Top-level document stating management's commitment to information security and the organisation's security objectives.
Internal Audit: Audits conducted by your organisation to verify ISMS compliance before the certification audit.
ISMS: Information Security Management System. The set of policies, procedures, processes, and controls that manage information security risks.
Management Review: Periodic review by top management to assess ISMS performance and alignment with business objectives. Required at least annually.
Nonconformity: A failure to meet a requirement. Major nonconformities prevent certification until resolved. Minor nonconformities must be addressed but do not block certification.
Risk Assessment: The process of identifying information assets, threats, vulnerabilities, likelihood, and impact. Determines which risks require treatment.
Risk Treatment Plan: The plan for addressing identified risks: apply controls, transfer risk, avoid the activity, or accept the risk with justification.
Scope: The boundaries of your ISMS: which locations, business units, systems, and processes are included. Must be clearly defined and documented.
Statement of Applicability (SoA): A document listing all 93 Annex A controls, stating which are applicable, which are excluded, and the justification for each decision. Core audit document.

The Certification Process
ISO 27001 certification involves implementing your ISMS, then undergoing a two-stage audit by an accredited certification body. The process typically takes 6-12 months from project start to certification.
Step 1
Gap Analysis (Optional). Assess your current state against ISO 27001 requirements, identify gaps, and plan remediation. Typically 2-4 weeks.
Step 2
ISMS Implementation. Define the ISMS scope, conduct a risk assessment, select and implement controls, write the supporting policies and procedures, train staff, and operate the system through at least one cycle of internal audit and management review. Typically 3-9 months depending on complexity.
Step 3
Stage 1 Audit (Documentation Review). Certification body reviews your ISMS documentation: scope, policies, Statement of Applicability, risk assessment, risk treatment plan. Auditor confirms you are ready for Stage 2. Typically 1-2 days on-site or remote.
Step 4
Stage 2 Audit (Implementation Audit). Certification body verifies your ISMS is implemented and effective by interviewing staff, reviewing evidence, observing processes, and recording any nonconformities. Typically 2-5 days on-site, depending on scope.
Step 5
Certification Decision. If no major nonconformities remain open, the certification body issues your ISO 27001 certificate. Valid for three years.
Step 6
Surveillance Audits (Years 1 and 2). Annual audits to verify continued compliance. Typically 1-2 days. Auditors sample different areas each year.
Step 7
Recertification Audit (Year 3). Full audit before certificate expires. Similar to Stage 2. If successful, certificate renewed for another three years.
How TTMI Helps
TTMI's platform architecture addresses the technical controls that typically consume the most implementation effort: access control, encryption, audit logging, monitoring, and anomaly detection. This gives you a foundation to build your ISO 27001 certification around, rather than starting from scratch.
Platform Controls: Role-based access, multi-tenant isolation, encrypted transmission, structured audit logging built into the architecture.
Extended Protection: PII detection, anomaly alerting, and threat intelligence through integrated monitoring capabilities.
Implementation Guidance: Support navigating the ISMS governance framework, risk register, policies, and internal audit cycle.
Related Standards and Official Sources
The official documentation for each standard is published by its governing body. We have linked directly to the source material for each one.