The certificate proves your data is protected and your risks are under control. That's what's expected in tenders, when exporting services, and during audits by foreign partners. Built on Annex SL — the shared structure of ISO standards — so it integrates with ISO 27701 (personal data), ISO 22301 (business continuity) and ISO 9001.
Who it's for
Software development, SaaS products, outsourcing & BPO, data analytics, AI services
Banks, payment services, insurers, microfinance, processing, fintech startups
Universities, research centers, R&D labs, EdTech platforms
Machinery, mining & metals, oil & gas, energy, ICS/SCADA and OT infrastructure
Telecom operators, data centers, billing systems, cloud and hosting providers
Four common situations when a business needs ISO 27001. We tailor the plan to your goal.
When you need international recognition, we help you obtain the certificate through IAF-accredited bodies. They're listed in the IAF MLA register, which spans the EU, the US, the UAE, China and the EAEU — status can be verified online in 2 minutes.
Countries recognizing the certificate via IAF MLA: 97
Partner certification bodies: 15
Certificate validity period: 3 years
1. We call, identify your need, lock in the deadline and calculate an exact price
2. We sign an NDA before kickoff and the contract, then assign an expert to your project (50 or 25% at kickoff)
3. Information security policy, risk assessment and Annex A controls tailored to your processes
4. We train two in-house ISMS auditors and clear nonconformities before the certification body steps in
5. The certification body auditor: Stage 1 (documents) + Stage 2 (processes)
6. Your certificate is in hand, with the apostille and English translation done (50 or 25% on issuance)

The same six steps in more detail:

1. A 15-minute intro call. We pin down the task, deadline and industry. Then we send a quote with a price range and timeline.
2. We sign an NDA before kickoff and a fixed-price contract. We assign a dedicated expert and agree on a roadmap with milestone dates. Payment: 50 or 25% at kickoff.
3. We prepare the document package: information security policy, risk assessment and treatment, a Statement of Applicability (SoA) and Annex A controls. We tailor it to your processes — no boilerplate templates.
4. We train two of your in-house ISMS auditors — the people who will maintain the system after issuance. We run a preliminary check and close out nonconformities before the certification body's auditor arrives.
5. The certification body auditor reviews in 2 stages: Stage 1 — documentation remotely, Stage 2 — processes on site or via Zoom. We support you through both stages.
6. You receive the certificate in Russian and English. The apostille and translation into the destination country's language are done. You can submit a tender bid right away or show it to a partner. Payment: 50 or 25% on issuance.

Answer 5 questions — see the approximate cost of consulting and certification in dollars and tenge. It's a guide: the final amount depends on your organization. We'll give you the exact price after a short call.
Your estimate is ready. Our manager will get in touch and send a step-by-step breakdown.
Consulting — preparation for certification: ≈ $1 600 (~890 000 ₸)
Certification — audit and issuance: ≈ $3 000 (~1 670 000 ₸)
Certificate issuance time: 45–60 days
This is an approximate cost at the current EUR rate. The final amount may differ for your organization — it depends on headcount, industry, the number of sites and other factors. We'll give you the exact price and timeline after a short call.
An IAF-accredited certificate — for exports and international tenders, recognized in 97 countries. Without IAF — for local needs, faster and more affordable.
The cost and timeline are spelled out in the contract. Billing in KZT, USD or EUR — your choice.
You start with a partial prepayment; the final payment is due after you receive the certificate. Not a full prepayment, and not an annual subscription.
We take on the ISMS documentation, risk work and audit prep — we lift that burden off you. And we train your team with two internal auditors: after the project it maintains the system on its own. NDA before kickoff.
We run Stage 1 and Stage 2 remotely, in Russian and English. No auditor travel and no logistical delays — a bridge between your team in the CIS and a client in the EU or US.
On average a standard project runs 50–75 business days and includes: developing the ISMS document package (information security policy, risk assessment, statement of applicability and Annex A controls), implementation, submission to the body, a two-stage certification audit and receiving the certificate. For large companies (over 1000 staff, multiple sites) timelines are calculated individually. For a tight deadline there are options to fast-track the project.
With IAF accreditation — yes, in all IAF MLA countries: the EU, USA, UAE, China, the EAEU — that's 97 countries. The body's accreditation status can be verified online in 2 minutes.
Without IAF — for other purposes and internal corporate requirements. Such a certificate has no international recognition, but it's cheaper and faster. We match the body to your goal.
For a foreign client we run documentation and the audit in Russian and English.
These are three different standards. ISO/IEC 27001 was created by the international organization ISO and the IEC technical committee — today it's the core standard for managing information security in organizations. Government bodies take the international standard as a basis and issue national versions: ST RK — the Kazakhstani one, GOST R ISO/IEC — the Russian one. They're 95% identical, differing only in certain terms.
So if you operate in more than one country, it's more advantageous to get an internationally recognized certificate with IAF accreditation — in most cases it covers your needs in the available markets. The exceptions are national-security projects or work with information assets critical to the state.
The certificate itself is voluntary — the law doesn't require it. Kazakhstan's personal data law obliges the operator to ensure data security: localization in Kazakhstan, incident notification, access control, encryption.
ISO 27001 and its extension ISO 27701 are a recognized way to show clients and the regulator that controls are in place and that you exercise due diligence.
ISO 27001 is the information security management system (ISMS) as a whole. ISO 27701 is an extension on top of 27001 specifically for personal data protection (privacy). They're often implemented together.
SOC 2 is a separate report, more often requested by US clients. It's a different framework: SOC 2 is an attestation report on your controls, while ISO 27001 is an internationally recognized certificate. We'll tell you exactly what your client requires and won't substitute one for the other.
No. The transition period from ISO/IEC 27001:2013 to the 2022 edition ended on 31 October 2025 — certificates to the 2013 version are invalid after that date.
If you still hold one, we'll move you to the current 2022 edition: we'll update the documentation to the new Annex A (93 controls) and pass a transition audit.
The certificate is issued for 3 years and includes 3 audits: the initial certification audit (after which you receive the certificate), the first surveillance audit (months 9–12) and the second surveillance audit (months 21–24). Costs fall into two parts: obtaining the certificate and maintaining it over three years.
1. Obtaining the certificate (if you don't have an ISMS yet):
Developing the documentation. Two paths.
— In-house: hiring a specialist (≈€200), a workspace (≈€500), salary (€500–1 000/mo), buying standards and regulations (up to €200), training (≈€500). Timeline ≥ 6 months. Total €4 400–7 000 over six months, before taxes.
— Bring in expertise: the price depends on the certification scope, company size and the consultant's experience. From €500 (usually templates) to €7 000 (a full project). Timeline 3–4 months.
The certification audit. The cost depends on the organization's size, geography, certification scope and the body's fee, plus auditor expenses (audit days, transport, per diem). From €2 000 to €12 000 for an internationally accredited body.
If you wish, you can run a preliminary documentation review or a trial audit on site to minimize risks and check readiness with no consequences.
If nonconformities are found during the audit, extra costs depend on severity: ≈€200 for a minor one, up to €2 000 for a major one + a possible re-audit.
2. Maintaining the certificate (per year):
— Surveillance audit: ≈70% of the initial audit cost (€1 400–8 400) + auditor expenses.
— Maintaining the ISMS: the salary of the responsible specialist — €6 000–12 000 for 12 months, before taxes.
— Staff training: about €500 per employee per year.
— Risk reassessment and security testing: varies widely with the infrastructure.
From experience: if the documents aren't maintained during the year, many nonconformities pile up at the surveillance audit — and if they aren't resolved, the certificate is suspended. It's also worth acting on the areas for improvement the auditor points out — this significantly improves the auditor's opinion of the organization.
Estimate it for your own company in the calculator on this page in 45 seconds. We send the exact quote within 24 hours after a short call — the price is fixed in tenge in the contract, part at the start, the rest after you receive the certificate.
Every certificate has a unique number and is verified in the certification body's register — most often a public database available without registration.
For IAF-accredited ones there's an additional check in the international IAF CertSearch database and confirmation of the body's own status on iaf.nu. That's enough for foreign partners and qualifying for tenders abroad.
Some bodies issue certificates on unique numbered letterheads, which also helps build confidence in the certificate's authenticity.
It depends on the tender spec. On goszakup.gov.kz and samruk.kz, IT procurement often requires ISO/IEC 27001 specifically, sometimes also ISO 27701 (personal data) or ISO 22301 (business continuity).
They all integrate with 27001 through Annex SL — one audit for several standards, a shared documentation package. Send us the spec — within an hour we'll tell you which set covers the requirements.
For a tight deadline we issue a preliminary letter on the certification status — it's attached to the tender application to pass qualification.
The full certificate is issued in parallel, usually by the time the contract is signed. This hybrid scenario is standard for tenders with a tight deadline; we've done it many times.
Most clients don't keep a dedicated information security specialist on staff; instead they spread ISMS responsibility across several employees. We prepare all the ISMS documentation (information security policy, risk assessment, statement of applicability, procedures) and train two of your internal auditors. There's no need to hire a separate employee — it saves on payroll.
Over three years the certification body runs 2 surveillance audits — in months 9–12 and 21–24 from the issue date.
Between audits the company maintains the ISMS on its own: updating documents, reassessing risks, resolving nonconformities, training staff. If the documents aren't maintained, the surveillance audit reveals issues — and if they aren't resolved, the certificate is suspended.
In the 3rd year — recertification under the full program. You can switch certification bodies without losing your track record — that's normal practice.
A quote within 24 hours after a short call — free and with no obligation. We tailor information security certification to your goal: client requirements, IT tenders in Kazakhstan and the CIS, exports and due diligence. We work in Russian and English and sign an NDA.
A manager will get in touch within one business day and confirm the scope.