Frameworks · ISO/IEC 27001:2022
Your ticket to the
global market.
In the EU, UK, and APAC, ISO 27001 isn't a nice-to-have — it's a pass/fail gate on the tender. Certificates worldwide have roughly doubled in a year, and your competitors are in the queue. Lionfish builds your ISMS in the Cyber Tackle Box™: the 93 Annex A controls, the risk treatment plan, the internal audit, and the training clause 7.2 demands — a certificate that survives surveillance year after year.
Why ISO 27001 is becoming the global baseline
Sources: ISO Survey 2024 (methodology-change caveat applies to the doubling); StrongDM and Konfirmity certification-cost data. The 2013→2022 transition deadline passed October 31, 2025.
Who this is for
For companies whose next market speaks ISO
SOC 2 answers American procurement. The rest of the world asks for the certificate.
- ✓Companies expanding into EU, UK, or APAC deals where an ISO 27001 certificate is a hard tender requirement — no cert, no bid.
- ✓Teams that already hold SOC 2 and can reuse most of that control set — multi-framework mapping makes the second certification dramatically cheaper than the first.
- ✓Organizations with a lapsed 2013 certificate — the October 2025 transition deadline was a cliff, and getting back means a full initial audit. We run the rescue.
Sound familiar?
The pain we hear on every first call
- !The documentation mountain. ISMS scope, Statement of Applicability across 93 controls, risk treatment plan, management review — heavier paperwork than any US framework.
- !The internal audit you can't do yourself. The standard requires an independent internal audit before the certification body arrives. Someone qualified has to run it — that's us.
- !Surveillance never sleeps. Years 2 and 3 bring annual surveillance audits; a nonconformity risks suspension — and suspension breaches every contract that required the certificate.
The platform
How the Cyber Tackle Box™ runs your ISO 27001 program
Build the control set once — the Tackle Box maps it across ISO 27001, SOC 2, NIST, and HIPAA, so every new framework starts 70% done.
ISMS Document Templates
Scope statement, Statement of Applicability, risk methodology, and the policy library — proven structure across all 93 Annex A controls.
Objectives & Risk Treatment
Risks scored, treatments chosen, owners assigned — a living risk treatment plan your certification body can follow, not a spreadsheet snapshot.
Nonconformity & POA&M Tracking
Findings from internal audit and surveillance driven to documented closure — the difference between a minor finding and a suspension.
Evidence & the Intel Hub
Control evidence timestamped in one system of record, with threat intelligence on tap — Annex A 5.7 asks for it by name.
Audit Playbooks
Stage 1, Stage 2, and surveillance runbooks — plus the independent internal audit clause 9.2 requires, run by our practitioners.
Clause 7.2 Training
Competence and awareness training the standard mandates, delivered from a state-accredited school and tracked per person for the auditor.
Why Lionfish
A platform with humans attached
Practitioners, not just software
Checkbox tools leave you alone with the checklist. Our compliance advisors — the same team that trains certified CMMC assessors — work your program by, with, and through your people.
One system of record
Controls, policies, tasks, evidence, POA&Ms, and your workforce training in one platform — mapped across frameworks so one piece of evidence satisfies many requirements at once.
Veteran-owned & battle-tested
SDVOSB founded by a Green Beret, 4 IEEE-published papers, Purdue CERIAS partner, and multi-tenant for MSPs — trusted where security actually matters.
Straight answers
ISO 27001 questions we answer every week
How much does ISO 27001 certification cost?
Certification-body fees typically run $4.5K–$25K for the initial Stage 1 + Stage 2 audit, plus $3K–$12K per year in surveillance audits. Total programs for small and mid-sized organizations commonly land between $15K and $75K over the three-year cycle once readiness and internal time are counted. Reusing an existing SOC 2 control set cuts that substantially.
How long does ISO 27001 take?
Very small organizations can reach certification in about 3 months; 21–200 employee companies typically need 5–8 months. The long poles are the risk assessment, the Statement of Applicability, and scheduling the certification body — start the scheduling early, slots book out.
Our ISO 27001:2013 certificate lapsed — what now?
The transition deadline was October 31, 2025; all 2013 certificates are now expired or withdrawn, and organizations that missed it must go through a full initial certification as a new client. The silver lining: your old ISMS is a head start, and the 2022 revision actually consolidated controls from 114 to 93. We rebuild and re-certify on an accelerated track.
Should we do SOC 2 or ISO 27001 first?
Follow the revenue: US enterprise customers usually ask for SOC 2; international tenders demand ISO 27001. The control sets overlap heavily, so the honest answer is often "first the one your biggest deal needs, then the other at a steep discount" — the Cyber Tackle Box maps one evidence set across both.
Get in touch
Start your ISO 27001 program
Tell us which market is asking for the certificate and whether you hold SOC 2 today. You'll get a scoped path to certification within one business day.
- 1We reply within one business day — usually faster.
- 2A 30-minute call with someone who can actually answer your questions.
- 3A straight recommendation — even if it's that you don't need us yet.
Prefer to skip the form? Book a time directly or call 1-877-732-6772.