What you actually get, and what it takes to keep it.
Not every framework here is a certificate you hang on a wall - some are ongoing regulatory obligations. We say which is which up front, because that changes how you should scope and budget for it.
| Framework | What it is | Typical timeline | Issued by | Renewal |
|---|---|---|---|---|
| ISO 27001 | ISMS certification | 3-4 months to Stage 1, longer for a first-time ISMS | Accredited certification body | Annual surveillance audit, full recertification every 3 years |
| ISO 27017 | Cloud security controls (27001 extension) | Add-on scope to an existing or parallel 27001 engagement | Same certification body as 27001 | Same cycle as the underlying 27001 certificate |
| ISO 27018 | PII protection in public cloud (27001 extension) | Add-on scope to an existing or parallel 27001 engagement | Same certification body as 27001 | Same cycle as the underlying 27001 certificate |
| SOC 2 Type I | Point-in-time control design attestation | 4-6 weeks readiness, then a single audit date | Licensed CPA firm | One report; most buyers expect Type II to follow within a year |
| SOC 2 Type II | Control operating-effectiveness attestation | 3, 6, or 12-month observation window, plus reporting | Licensed CPA firm | New report each observation period, typically annual |
| PCI-DSS v4.0 | Payment card data security standard | Scope-dependent - CDE reduction usually shortens it the most | QSA (Report on Compliance) or self-assessment (SAQ) | Annual RoC/SAQ, quarterly ASV scans |
| GDPR | EU data protection regulation - not a certificate | Ongoing program, not a one-time engagement | Self-attested, enforced by national Data Protection Authorities | Continuous - DPIAs and RoPA reviewed as processing changes |
| HIPAA | US healthcare data protection rule - not a certificate | Ongoing program | Self-attested, enforced by HHS OCR | Continuous - annual risk analysis expected |
| DPDPA | India's Digital Personal Data Protection Act - not a certificate | Ongoing program | Self-attested, enforced by the Data Protection Board of India | Continuous |
# exit 0 - full scope and pricing discussed on a call, not published as a rate card
How we run a certification engagement.
Scope, implement, pentest before the auditor does, then certify - the same four-phase model regardless of which framework you're after.
See the full approach-
One team, every framework
The same engineers who scope your ISMS also run the pentest and sit on the audit call. No handoff to a separate vendor mid-engagement.
-
Evidence as code
Control evidence is generated from your actual Terraform, CI, and IdP state where possible - not hand-typed into a spreadsheet the week before the audit.
Ask us which framework you actually need first.
Most companies over-scope their first certification. A 30-minute call usually saves months of unnecessary work.