ISO/IEC 27001:2022 · checked July 2026

ISO 27001, without the horror stories.

ISO 27001 is the international information-security management standard, recognised in 180+ countries. It is the one MNC procurement teams and export customers name directly in a vendor questionnaire. The horror stories you have heard are almost always scoping failures, not the standard itself: a project sized wrong at the start, not a document that was too hard to write.

Readiness record · private issue

Status AUDIT-READY AS AT JUL 2026
CSA mark area · issued separately
Scheme
ISO 27001
Scope
S$35,000 · 4 TO 6 MONTHS
Consultant
NAMED ON EVERY JOB
Reviewed
JUL 2026
A readiness record, not a certificate. Certification is issued by the scheme's appointed bodies.

ISO 27001 implementation for an SME: S$35,000, about thirty-five days of work over four to six months. That's the whole sentence.

The international standard for information-security management. Certification shows global clients you manage data risk to a recognised benchmark.

Who actually needs it.

ISO 27001 is not for every SME. It earns its cost for three groups in particular.

Selling to MNCs or financial institutions

Vendor risk teams name ISO 27001 by name in the questionnaire, not "an equivalent standard".

Exporting, or serving overseas enterprise customers

It is the one mark recognised the same way in 180+ countries, so it travels with the deal.

SaaS vendors whose customers audit them annually

The security questionnaire treadmill usually ends the day you can point to a certificate instead of answering it again.

The staircase discount is real.

If you have already done the homework for Cyber Essentials or Cyber Trust, mainly the asset lists, the policies, the evidence packs, that work carries directly into the ISMS at the centre of ISO 27001. We do not throw it away and start again. Starting from a mark we built together shortens the ISO road materially. We will not promise you a number for that shortcut before we have seen your existing evidence, but the direction is always the same: less rework, not more. (say real: got CE already? then ISO much faster.)

The money, counted out.

Three separate costs, all named here. Nobody should discover a surprise invoice partway through an ISMS build.

  • Our readiness fee: S$35,000. About 35 days of consultant work, spread over four to six months.
  • EDG funding, up to 50%, for first-time adoption. You must apply to Enterprise Singapore before work starts. EDG is being merged into the EDGE scheme in 2H 2026; current rules apply until launch
  • The certification body's audit fee, billed by them. It sits on a 3-year certification cycle with annual surveillance audits keeping it current in between.
Work out your number

ISO 27001 engagements

From 2027.

We sequence our own practice the way we sequence clients: one mark built properly before the next one opens. Cyber Essentials and Cyber Trust are running now; ISO 27001 engagements open from 2027. We say that plainly rather than promise a start date we cannot keep.

Join the list via contact

Scoped once, properly, before anyone starts writing policy.

Most ISO 27001 horror stories trace back to a scope drawn too wide on day one. We agree the ISMS boundary with you in writing before any document gets written, so the four-to-six-month timeline holds.

Plain answers

How long does ISO 27001 really take?

Within the scope we prepare, about 35 consulting days spread across four to six months for an SME. The calendar time is mostly evidence gathering and the management review cycle, not our hours on site.

What does certification cost on top of your fee?

The certification body runs its own audit and bills separately; we do not mark that fee up or resell it. The Enterprise Development Grant can support qualifying costs for a first-time adoption, up to 50%, if you apply before work starts.

ISO 27001 or Cyber Trust: which do we need?

ISO 27001 is the international standard, recognised in 180+ countries; Cyber Trust is CSA's national, tiered mark for Singapore. Many mid-market firms end up holding both, because they answer different questions: one for global procurement, one for local regulatory and tender requirements.

Can we do ISO 27001 without consultants?

Yes, some organisations do, usually when they already have a dedicated information-security lead with ISMS experience and time to run the project internally. If that is you, we will say so plainly in the first chat rather than sell you work you do not need.

Planning a 2027 start?

Get on the list now and we plan the staircase backwards from your target date.