Ask Astra

How do I prep for ISO 27001 certification?

From zero to audit-ready in 4 months. Astra runs the controls and tracks every gap.

Operations · Strategy · 16-week prep cycle. Weekly progress reports. Quarterly re-audit prep after certification.
Free to start · No credit card required · Updated Apr 2026

You'd think this needs a $40K compliance consultant and 9 months — Astra runs the prep playbook in chat with Vanta or Drata as the system of record.

The short answer

Astra walks you through ISO 27001 prep in 4 months using a structured 6-phase playbook. Phase 1 (weeks 1-2) is scope definition: which products, teams, and data are in scope. She drafts the Statement of Applicability (SoA) mapping the 93 Annex A controls of ISO/IEC 27001:2022 to your environment, with a written justification for every exclusion. Phase 2 (weeks 3-6) is policies: she generates the 14 policies in her baseline document set (information security, access control, incident response, BCP, etc.), tailored to your stack and team size and reviewed against ISO/IEC 27001:2022. Phase 3 (weeks 7-10) is controls implementation: she runs the gap analysis via Vanta or Drata, prioritizes remediation by audit risk, opens a Linear ticket for each gap, and tracks completion weekly. Phase 4 (weeks 11-12) is the risk assessment and risk treatment plan; because the standard requires the SoA to be justified by the treatment plan, the Phase 1 draft is finalized here. Phase 5 (weeks 13-14) is the internal audit dry-run. Phase 6 (weeks 15-16) is the external Stage 1 audit. The weekly Lark report shows the % of applicable controls passing, the top 5 gaps, and the ETA to audit-ready. Target before Stage 1: 100% of applicable controls passing.

How Astra actually does it

  1. Define scope + Statement of Applicability

    Map the 93 Annex A controls to your stack. Identify which apply and which are excluded, with a written justification for each exclusion. Draft the SoA in Notion for legal review.

    Tools: Notion
  2. Draft 14 required policies

    Information security, access control, change management, incident response, BCP/DR, supplier security, asset management, etc. Tailored to your team size and tech stack.

    Tools: Notion
  3. Run gap analysis via Vanta/Drata

    Connect Vanta or Drata to AWS/GCP, GitHub, Okta, HRIS, etc. Auto-detect failing controls. Open a Linear ticket per gap with an auditor-grade description.

    Tools: Vanta, Drata, Linear
  4. Prioritize and remediate weekly

    Risk-weighted prioritization (high-impact gaps first). Weekly Lark report on % of applicable controls passing, top 5 gaps, ETA to audit-ready. She nudges owners on stuck tickets.

    Tools: Linear, Lark
  5. Internal audit + Stage 1 prep

    Run a mock audit covering every applicable Annex A control. Generate the evidence package (logs, screenshots, signed policies). Brief the team on auditor interview prep. Schedule the Stage 1 audit.

    Tools: Vanta, Drata, Notion
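Step 1 asks for all 93 Annex A controls to be mapped with justified exclusions, and step 4 reports the percentage of controls passing. The script below is an added example, not Astra's, Vanta's or Drata's code, of a check a practitioner can run over an SoA export before it goes to legal review. It assumes a CSV with the columns control_id, applicable, justification, owner, status (a layout chosen for this example), uses the ISO/IEC 27001:2022 Annex A numbering (5.1-5.37, 6.1-6.8, 7.1-7.14, 8.1-8.34), and the sample rows are constructed to trigger one of each problem.

```python
# Added example (not Astra's code): coverage and consistency check for a draft
# ISO/IEC 27001:2022 Statement of Applicability exported as CSV. The column
# layout (control_id, applicable, justification, owner, status) is an
# assumption made for this example; SAMPLE_SOA is constructed test data.
import csv
import io

# Annex A:2022 themes: organizational (5), people (6), physical (7),
# technological (8), with the number of controls in each theme (93 total).
ANNEX_A_THEMES = {5: 37, 6: 8, 7: 14, 8: 34}

# Statuses an auditor can evidence for an applicable control.
ACCEPTED_STATUS = {"implemented", "in_progress"}


def annex_a_control_ids():
    """Return the set of all 93 Annex A control identifiers, e.g. '5.1', '8.34'."""
    return {f"{theme}.{n}"
            for theme, count in ANNEX_A_THEMES.items()
            for n in range(1, count + 1)}


def _control_sort_key(cid):
    theme, number = cid.split(".")
    return int(theme), int(number)


def parse_soa(csv_text):
    """Parse an SoA CSV. Returns (rows_by_control_id, problems).

    rows_by_control_id keeps the first valid row per known control; problems
    groups every rule violation by kind so a reviewer can triage them.
    """
    expected = annex_a_control_ids()
    rows = {}
    problems = {
        "unknown_ids": [],                      # not an Annex A:2022 control
        "duplicates": [],                       # control listed twice
        "missing": [],                          # control not listed at all
        "exclusion_without_justification": [],  # excluded but no reason given
        "applicable_without_owner": [],         # nobody accountable
        "bad_status": [],                       # status the auditor cannot evidence
    }
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["control_id"].strip()
        if cid not in expected:
            problems["unknown_ids"].append(cid)
            continue
        if cid in rows:
            problems["duplicates"].append(cid)
            continue
        rows[cid] = row
        if row["applicable"].strip().lower() == "yes":
            if not row["owner"].strip():
                problems["applicable_without_owner"].append(cid)
            if row["status"].strip().lower() not in ACCEPTED_STATUS:
                problems["bad_status"].append(cid)
        elif not row["justification"].strip():
            problems["exclusion_without_justification"].append(cid)
    problems["missing"] = sorted(expected - set(rows), key=_control_sort_key)
    return rows, problems


def check_soa(csv_text):
    """Return only the problem lists; all lists empty means the SoA is complete."""
    return parse_soa(csv_text)[1]


def soa_progress(csv_text):
    """Numbers for the weekly report: applicable, excluded, implemented, % passing."""
    rows, _ = parse_soa(csv_text)
    applicable = [r for r in rows.values() if r["applicable"].strip().lower() == "yes"]
    implemented = [r for r in applicable if r["status"].strip().lower() == "implemented"]
    pct = round(100.0 * len(implemented) / len(applicable), 1) if applicable else 0.0
    return {"applicable": len(applicable), "excluded": len(rows) - len(applicable),
            "implemented": len(implemented), "pct_passing": pct}


# Constructed sample: one clean row plus one instance of each problem kind.
SAMPLE_SOA = """control_id,applicable,justification,owner,status
5.1,yes,,CISO,implemented
7.4,no,Fully remote team with no physical office,,
8.12,yes,,,in_progress
8.1,no,,,
8.2,yes,,Eng lead,planned
6.9,yes,,CISO,implemented
5.1,yes,,CISO,implemented
"""

if __name__ == "__main__":
    for kind, ids in check_soa(SAMPLE_SOA).items():
        print(f"{kind}: {len(ids)} {ids[:5]}")
    print(soa_progress(SAMPLE_SOA))
```

Run it against a real export and treat any non-empty list as a blocker for Stage 1: an auditor will ask for the justification behind every excluded control and an accountable owner for every applicable one, and an SoA that silently omits a control is the most common reason a Stage 1 documentation review comes back with findings.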

What it looks like in chat

We need ISO 27001 for a big enterprise deal. Where do we start?
Astra
16-week plan. First 3 decisions:
**1. Scope.** Are we certifying just the production product or the whole company? Recommendation: just product (faster, cheaper, satisfies most enterprise buyers). Locks in 60% smaller audit scope.
**2. Platform.** Vanta ($16K/yr) or Drata ($14K/yr) for control automation. Both connect to AWS, GitHub, Okta. I recommend Vanta if you have 50+ employees, Drata if smaller. They cut prep time from 9 months to 4.
**3. Auditor.** Schedule with Schellman, A-LIGN, or BSI. Stage 1 audit at week 15. They book 8-12 weeks out so we'd start procurement Week 6.
**This week I'll:**
- Draft the SoA mapping all 93 controls to your stack (you review Friday)
- Set up Vanta connectors to GitHub, AWS, Google Workspace
- Generate the 14 required policies, tailored to your 22-person team
**Next 4 weeks:** policies signed, Vanta gap analysis live, ~30-50 Linear tickets opened. By week 8 we should be at 80% controls passing. Go?
What you get back

Audit-ready stack: SoA, 14 signed policies, 100% of applicable controls passing in Vanta/Drata, internal audit complete, Stage 1 audit scheduled. Weekly Lark report on progress.

Cadence

16-week prep cycle. Weekly progress reports. Quarterly re-audit prep after certification.

Ask Astra this right now

We'll spin up your workspace, hand the prompt to Astra, and you see the answer in 60 seconds. Free.


Frequently asked questions

Can I do ISO 27001 without Vanta or Drata?

Yes, but it adds 4-6 weeks. Without automation she has to collect evidence for each applicable Annex A control by hand (up to 93 of them) and refresh it every quarter. With Vanta or Drata, evidence collection is automated and continuous. The $14-16K platform cost typically pays for itself in saved audit prep and ongoing compliance staff hours within 6 months.

What's the difference between ISO 27001 and SOC 2?

SOC 2 is a US-focused AICPA attestation report (Type I = control design at a point in time, Type II = operating effectiveness observed over a window, typically 6-12 months); ISO 27001 is an international certification that requires a formal information security management system (ISMS), renews every 3 years, and has annual surveillance audits in between. Most enterprise buyers want SOC 2 Type II + ISO 27001. Astra can prep both in parallel; roughly 70% of the controls overlap.

What if we fail Stage 1 audit?

Stage 1 is the auditor's readiness and documentation review, not the certification decision. The auditor returns a findings list (typically 5-15 items, mostly minor) that must be cleared before Stage 2. Astra opens a Linear ticket for each finding, runs remediation in 2-4 weeks, and prepares for Stage 2 (the implementation audit that decides certification). 95%+ of teams that complete Stage 1 prep pass Stage 2 on the first try.

How much does the whole certification cost?

Typical breakdown: Vanta/Drata platform $14-16K/yr, external auditor $15-25K Stage 1+2, Astra's prep work runs in chat (no separate cost). Year 1 total: ~$30-45K. Year 2-3: ~$20K (just platform + surveillance audit). Compare to consultant-led prep: $80-120K year 1.

Run your one-person company.

Hire your AI team in 30 seconds. Start for free.
