Missed the ISO 27001:2022 transition? Certificates on the 2013 version expired October 31, 2025 — recertification is a fresh start. We'll get you back

Frameworks · ISO/IEC 27001:2022

Your ticket to the
global market.

In the EU, UK, and APAC, ISO 27001 isn't a nice-to-have — it's a pass/fail gate on the tender. Certificates worldwide have roughly doubled in a year, and your competitors are in the queue. Lionfish builds your ISMS in the Cyber Tackle Box™: the 93 Annex A controls, the risk treatment plan, the internal audit, and the training clause 7.2 demands — a certificate that survives surveillance year after year.

ISO 27001:202293 Annex A controlsPairs with SOC 2International tenders

Why ISO 27001 is becoming the global baseline

0
valid ISO 27001 certificates worldwide in 2024 — roughly double the prior year
0
Annex A controls in the 2022 revision — including threat intel, cloud security, and secure coding
0 yr
certification cycle: initial audit, two annual surveillance audits, then recertification — forever
$0K
typical ceiling for initial certification-body fees alone — before consultants and internal time

Sources: ISO Survey 2024 (methodology-change caveat applies to the doubling); StrongDM and Konfirmity certification-cost data. The 2013→2022 transition deadline passed October 31, 2025.

Who this is for

For companies whose next market speaks ISO

SOC 2 answers American procurement. The rest of the world asks for the certificate.

  • Companies expanding into EU, UK, or APAC deals where an ISO 27001 certificate is a hard tender requirement — no cert, no bid.
  • Teams that already hold SOC 2 and can reuse most of that control set — multi-framework mapping makes the second certification dramatically cheaper than the first.
  • Organizations with a lapsed 2013 certificate — the October 2025 transition deadline was a cliff, and getting back means a full initial audit. We run the rescue.

Sound familiar?

The pain we hear on every first call

  • !The documentation mountain. ISMS scope, Statement of Applicability across 93 controls, risk treatment plan, management review — heavier paperwork than any US framework.
  • !The internal audit you can't do yourself. The standard requires an independent internal audit before the certification body arrives. Someone qualified has to run it — that's us.
  • !Surveillance never sleeps. Years 2 and 3 bring annual surveillance audits; a nonconformity risks suspension — and suspension breaches every contract that required the certificate.

The platform

How the Cyber Tackle Box™ runs your ISO 27001 program

Build the control set once — the Tackle Box maps it across ISO 27001, SOC 2, NIST, and HIPAA, so every new framework starts 70% done.

ISMS Document Templates

Scope statement, Statement of Applicability, risk methodology, and the policy library — proven structure across all 93 Annex A controls.

Objectives & Risk Treatment

Risks scored, treatments chosen, owners assigned — a living risk treatment plan your certification body can follow, not a spreadsheet snapshot.

Nonconformity & POA&M Tracking

Findings from internal audit and surveillance driven to documented closure — the difference between a minor finding and a suspension.

Evidence & the Intel Hub

Control evidence timestamped in one system of record, with threat intelligence on tap — Annex A 5.7 asks for it by name.

Audit Playbooks

Stage 1, Stage 2, and surveillance runbooks — plus the independent internal audit clause 9.2 requires, run by our practitioners.

Clause 7.2 Training

Competence and awareness training the standard mandates, delivered from a state-accredited school and tracked per person for the auditor.

Why Lionfish

A platform with humans attached

Practitioners, not just software

Checkbox tools leave you alone with the checklist. Our compliance advisors — the same team that trains certified CMMC assessors — work your program by, with, and through your people.

One system of record

Controls, policies, tasks, evidence, POA&Ms, and your workforce training in one platform — mapped across frameworks so one piece of evidence satisfies many requirements at once.

Veteran-owned & battle-tested

SDVOSB founded by a Green Beret, 4 IEEE-published papers, Purdue CERIAS partner, and multi-tenant for MSPs — trusted where security actually matters.

Straight answers

ISO 27001 questions we answer every week

How much does ISO 27001 certification cost?

Certification-body fees typically run $4.5K–$25K for the initial Stage 1 + Stage 2 audit, plus $3K–$12K per year in surveillance audits. Total programs for small and mid-sized organizations commonly land between $15K and $75K over the three-year cycle once readiness and internal time are counted. Reusing an existing SOC 2 control set cuts that substantially.

How long does ISO 27001 take?

Very small organizations can reach certification in about 3 months; 21–200 employee companies typically need 5–8 months. The long poles are the risk assessment, the Statement of Applicability, and scheduling the certification body — start the scheduling early, slots book out.

Our ISO 27001:2013 certificate lapsed — what now?

The transition deadline was October 31, 2025; all 2013 certificates are now expired or withdrawn, and organizations that missed it must go through a full initial certification as a new client. The silver lining: your old ISMS is a head start, and the 2022 revision actually consolidated controls from 114 to 93. We rebuild and re-certify on an accelerated track.

Should we do SOC 2 or ISO 27001 first?

Follow the revenue: US enterprise customers usually ask for SOC 2; international tenders demand ISO 27001. The control sets overlap heavily, so the honest answer is often "first the one your biggest deal needs, then the other at a steep discount" — the Cyber Tackle Box maps one evidence set across both.

Get in touch

Start your ISO 27001 program

Tell us which market is asking for the certificate and whether you hold SOC 2 today. You'll get a scoped path to certification within one business day.

  • 1We reply within one business day — usually faster.
  • 2A 30-minute call with someone who can actually answer your questions.
  • 3A straight recommendation — even if it's that you don't need us yet.

Prefer to skip the form? Book a time directly or call 1-877-732-6772.

Book a Free Call