Compliance
ISO 27001
Quick definition
International standard for information security management systems (ISMS). Required by some European and Asian enterprise customers.
ISO 27001 is the international standard for Information Security Management Systems. More process-heavy than SOC 2 (requires documented ISMS, risk treatment plan, statement of applicability). Common in Europe, Asia-Pacific, and some US enterprise sales. Annual surveillance audits + 3-year recertification. Total first-year cost: $40K-$100K. US startups typically pursue SOC 2 first; add ISO 27001 if specific customers demand it.
Related compliance terms
SOC 2 Type I vs Type II
Type I attests controls are designed correctly at a point in time; Type II attests they operated effectively over 6–12 months.
SOC 1
Attestation report focused on internal controls over financial reporting (ICFR). Relevant for vendors whose services affect customers' financial statements.
HIPAA Compliance for Startups
Healthcare Information Privacy regulation governing protected health information (PHI). Required for any startup handling patient data.
GDPR (for US Startups)
EU General Data Protection Regulation governing how you handle personal data of EU residents — even if you're a US company.
Frequently asked questions
- What is ISO 27001?
- ISO 27001 is the international standard for Information Security Management Systems. More process-heavy than SOC 2 (requires documented ISMS, risk treatment plan, statement of applicability). Common in Europe, Asia-Pacific, and some US enterprise sales. Annual surveillance audits + 3-year recertification. Total first-year cost: $40K-$100K. US startups typically pursue SOC 2 first; add ISO 27001 if specific customers demand it.
- Why is ISO 27001 important for startups?
- ISO 27001 is a compliance concept that matters for startup founders because it directly affects fundraising readiness, financial decision-making, or operational discipline at the stage where mistakes are expensive to undo. Founders who understand it have a meaningfully easier time in diligence, board meetings, and investor conversations.
- What category does ISO 27001 belong to?
- ISO 27001 is a Compliance term in the StartupCFO finance glossary — alongside other compliance concepts that founders, CFOs, and accountants use in daily startup operations and reporting.
- Where can I learn more about ISO 27001?
- Beyond this definition, see the related compliance terms below, or explore StartupCFO's insights and tools that put ISO 27001 in context. For specific situations, talk to a fractional CFO who can walk through your numbers.
Got a finance question that needs more than a definition?
Talk to a real CFO. 30 minutes, no contract, free.
