What ISO 27001 is, and why you lose tenders without it

Buyers increasingly require ISO 27001 certification to even let you bid, so missing it quietly drops you from shortlists you would have won.

You are losing tenders you should have won, and you may never see why. More buyers now set ISO 27001 certification as a gate: no certificate, no bid. The questionnaire arrives, your sales team flags the missing line, and the deal goes quiet. The cost is not a fine. It is the contract that goes to a certified competitor.

Across compliance projects this quarter I keep meeting the same firm. Strong product, good references, no certificate. A larger customer or a public tender asks for proof of an information security management system, and there is nothing to hand over. The deal stalls at procurement, not at the demo.

What ISO 27001 is

ISO 27001 is the international standard for running information security as a managed system, not a one-off project. The current version is ISO/IEC 27001:2022, the third edition, published in October 2022. It sets out how to build and keep an information security management system, an ISMS for short. An ISMS is simply the set of policies, roles, and routines that decide how your company protects its data and proves it does so.

The standard has two halves. The first is the management system: leadership owns the risk, you assess your security risks, you treat them, and you keep improving. The second is Annex A, a checklist of 93 security controls grouped into four themes (organizational, people, physical, and technological). You do not have to apply all 93. You pick the ones your risk assessment justifies and write down why, in a document called the Statement of Applicability.

The point of the standard is repeatability. It asks you to do the security work, write down that you do it, and prove it keeps happening. That is what a buyer wants to see.

What certification proves to a buyer

Certification is an outside auditor confirming your ISMS works, and that is what turns it into a sales asset. Anyone can claim they take security seriously. A certificate from an accredited body is third-party evidence, so a procurement officer can tick the box without taking your word for it.

The audit runs on a fixed cycle, which is worth knowing before you commit. A Stage 1 audit reviews your documentation to see if you are ready. A Stage 2 audit checks that the system runs in practice, with evidence. Pass both and you get a certificate valid for three years. Each year an auditor returns for a shorter surveillance audit to confirm the system is still alive, and at year three a recertification audit renews the cycle. So the certificate is not a one-time stamp. It signals an ongoing commitment, which is exactly why buyers trust it.

For buyers, that trust shortens their own work. A certified supplier passes security due diligence faster, because the certificate answers most of the questionnaire up front. In IT-related tenders and vendor onboarding, ISO 27001 is increasingly the prerequisite that decides who gets to bid at all.

Why this hits Norwegian firms now

The pressure reaches you through your customers’ contracts, whether or not any law names you. Norwegian buyers, public bodies, and enterprise customers selling into regulated sectors are pushing security requirements down to their suppliers. When a covered customer has to manage supplier risk, the simplest way to satisfy their own auditors is to require a recognised certificate from you.

This compounds with other rules already in motion. The same management system that earns ISO 27001 also covers most of the security groundwork that NIS2 and DORA expect. So the work is not single-use. A certificate built for tenders this year supports your regulatory position next year.

If your buyers are American rather than European, the question may arrive as SOC 2 instead of ISO 27001. We cover that in our explainer on what SOC 2 Type 2 is and why US customers ask for it. The two standards overlap heavily, and one ISMS can feed both.

The decision your board has to make

The one question for the board is whether ISO 27001 certification becomes a funded objective this year, with a named owner and a date. This is a yes or no, and it controls real money: certification has a cost in time and audit fees, but the alternative is exclusion from the tenders that require it.

To decide it well, ask for one short memo before you commit budget: which of your live and target customers already require ISO 27001 or are likely to, what revenue sits behind those accounts, and how far your current security routines already meet the standard. Most firms are closer than they fear, because they already do much of the work informally. The gap is usually documentation and proof, not capability.

If the answer is yes, the operational route is laid out in our ISO 27001 checklist for Norwegian SMBs, which walks through what to do first and what can wait. And if you want the wider case for treating this as growth rather than overhead, see our piece "From compliance burden to competitive advantage".

Next step

See FM CyberSecurity’s credentials and partner certifications at our partners page. Or book a 30-minute board-level conversation with our compliance practice on whether ISO 27001 is blocking deals you should be winning.

FAQ

What is ISO 27001 in plain terms?

ISO 27001 is the international standard for managing information security as an ongoing system rather than a one-time fix. The current version is ISO/IEC 27001:2022. It asks you to assess your security risks, decide how to treat them, write the decisions down, and keep improving. Certification means an outside auditor has confirmed the system works.

Is ISO 27001 certification legally required?

In most cases it is not a legal requirement, but it is increasingly a commercial one. Buyers, public tenders, and enterprise customers set ISO 27001 certification as a condition to bid or to be onboarded as a supplier. The practical effect is the same as a requirement: without it, you can be excluded from the deal.

How long does ISO 27001 certification last?

A certificate is valid for three years. During that time an auditor returns each year for a shorter surveillance audit to confirm the system is still running, and at the end of year three a recertification audit renews the three-year cycle. The certificate signals an ongoing commitment, not a single pass.

What is the difference between ISO 27001 and SOC 2?

Both prove to a buyer that you manage information security, but they come from different worlds. ISO 27001 is the international standard most European and global buyers ask for. SOC 2 is the report many US customers request instead. The two overlap heavily, so a single information security management system can support both.

Do we already have most of what ISO 27001 needs?

Often yes. Most firms already do much of the underlying security work, such as access control, backups, and incident handling. The usual gap is documentation and proof, not capability. A readiness review compares what you do against the standard and shows how far you have to go.
