GUIDE

ISO 27001, without the consultant.

The world's most recognised security certification, explained in plain language and built into a tool your team can actually run.

What ISO 27001 actually is.

ISO 27001 is the international standard for managing information security. It does not hand you a checklist of tools to buy. It asks you to run an information security management system, an ISMS: you decide what needs protecting, assess the risks, choose controls to manage them, and prove you keep doing it. An accredited certification body then audits the system and certifies that it works.

Why it matters

More tenders and enterprise customers now treat ISO 27001 as the price of entry. The certificate is often what gets you onto the shortlist. No certificate, no conversation.

Who it is for.

  • Businesses bidding for contracts. Government and enterprise procurement increasingly require it before you can even submit.
  • SaaS and tech companies. Your customers push their security obligations down to you. The certificate answers most of their security questionnaire in one line.
  • Anyone handling sensitive data. If a breach would hurt your customers or your reputation, the standard gives you a defensible way to manage that risk.
  • Companies that want to grow up. It turns ad-hoc security habits into a system that survives staff changes and scales with you.

What the standard asks for.

  • A defined scope. Decide which parts of the business, systems and data the ISMS covers. Everything else follows from this.
  • A risk assessment. Identify what could go wrong with your information, how likely it is, and how bad it would be.
  • Controls and a Statement of Applicability. Pick which of the 93 Annex A controls you apply, justify what you leave out, and write it down.
  • Policies and procedures. Access control, incident response, supplier management, backups and the rest. Documented, not improvised.
  • Management commitment. Leadership has to own the ISMS, set objectives and review it. Auditors check this directly.
  • Monitoring and improvement. Internal audits, corrective actions and management reviews that show the system keeps getting better.

The road to certification.

  • Set the scope. Define what the ISMS covers and get leadership behind it.
  • Run the risk assessment. Map your information assets and the risks to them.
  • Select controls and write the SoA. Choose your Annex A controls and produce the Statement of Applicability.
  • Implement and document. Put the policies, procedures and technical measures in place and gather the evidence.
  • Run an internal audit. Check your own ISMS against the standard and fix the gaps before the auditor sees them.
  • Pass the certification audit. An accredited body reviews your documents in stage 1, then tests them in practice in stage 2.
  • Keep it alive. Annual surveillance audits and continual improvement keep the certificate valid.

How AIR-Tools gets you there faster.

  • Scope and asset discovery. Clair scans your stack and drafts the asset inventory and a starting scope. The blank-page problem, solved.
  • Risk assessment, guided. Each asset gets a suggested risk and a recommended control. You confirm; we record the rationale.
  • Statement of Applicability, drafted. The 93 controls are pre-mapped to your environment, with reasons for what you include and exclude.
  • Policy drafting. Access control, incident response, supplier management and more, drafted for your business, ready to approve.
  • Audit-ready evidence. Everything the auditor asks for lives in one place, linked to the control it proves.
  • Stays current. Drift, lapsed reviews and new risks are flagged before a surveillance audit finds them.

Work in Dutch healthcare?

NEN 7510 is the healthcare-specific version of ISO 27001 for the Netherlands. If you handle patient or client health data, that is the standard you are usually asked for.

Read the NEN 7510 guide

The short version.

ISO 27001 is a system, not a purchase. The slow part is the paperwork and the proof, not the security itself. That is exactly the part Clair does with you.

FAQ

How long does ISO 27001 certification take?

For most SMBs, three to six months of preparation before the certification audit, depending on how much you already have in place. The audit itself is then split into two stages a few weeks apart. The platform shortens the preparation, which is where almost all the time goes.

Do we need a consultant?

No. Consultants exist because the documentation and evidence are tedious, not because the work is hard to understand. AIR-Tools drafts the documents and organises the evidence, so most SMBs can reach certification without one. You bring the decisions about your own business; we handle the structure.

What are the 93 controls?

Annex A of the 2022 version lists 93 controls grouped into four themes: organisational, people, physical and technological. You do not apply all of them blindly. You justify which ones fit your risks in the Statement of Applicability.

What does certification cost?

The audit itself is paid to an accredited certification body and depends on your size. The expensive part has traditionally been the months of consulting to get ready, which is what this platform replaces.

What is the difference between ISO 27001 and NEN 7510?

NEN 7510 is the Dutch standard for information security in healthcare. It is built on ISO 27001 and adds requirements specific to handling health data. If you work in Dutch healthcare, NEN 7510 is usually what is asked of you.

What is the fastest way to start?

Request a demo and run the scan on your real stack. You will see your starting scope, an asset inventory and a first set of gaps within the first session, instead of a blank template.

Skip the consultant. Start the system.

See your road to ISO 27001 mapped against your actual stack, in a short demo.