Certification Roadmap
Document ID: ISO-004
Classification: Confidential
Target: ISO/IEC 27001:2022 Certification by September 2026
SOC 2 Type I: Target Q4 2026
Phase Overview
| Date | Phase | Milestones |
|---|---|---|
| April 2026 | Phase 1 | ISMS adopted; IRP complete |
| May 2026 | Phase 2 | Stage 1 audit; gap remediation |
| July 2026 | Phase 3 | Stage 2 audit; evidence pack |
| September 2026 | 🎯 ISO | Certificate issued |
| Q4 2026 | SOC 2 | Type I report |
ISO 27001 Roadmap
| Phase | Activity | Output | Timeline | Status |
|---|---|---|---|---|
| 1 | Adopt ISMS documentation package v1.0 | Signed & dated ISMS | April 2026 | 🔄 In Progress |
| 1 | Complete & test Incident Response Plan | IRP approved + tabletop done | April 2026 | 📋 Planned |
| 1 | Formalise configuration management (Terraform IaC baseline) | Config baseline doc | May 2026 | ✅ Done |
| 1 | Implement background check process for new hires | HR process doc | May 2026 | 📋 Planned |
| 2 | Book Stage 1 Audit with certifier | Confirmed audit date | April 2026 | 📋 Planned |
| 2 | Stage 1 Audit — document review | Audit report + gap list | May 2026 | 📋 Planned |
| 2 | Remediate Stage 1 findings | Evidence pack updated | June 2026 | 📋 Planned |
| 2 | Quarterly RBAC access review | Access review record | June 2026 | 📋 Planned |
| 3 | Stage 2 Audit — on-site/remote evidence audit | Certification decision | July-Aug 2026 | 📋 Planned |
| 3 | ISO 27001 Certificate issued | Certificate + scope statement | Sep 2026 | 🎯 Target |
| 4 | Surveillance Audit 1 | Continued certification | Sep 2027 | 📋 Planned |
SOC 2 Roadmap
| Phase | Activity | Output | Timeline | Status |
|---|---|---|---|---|
| 1 | Map existing controls to SOC 2 TSC | Control Mapping | March 2026 | ✅ Done |
| 1 | Identify SOC 2 gaps beyond ISO 27001 | Gap analysis | Q2 2026 | 📋 Planned |
| 2 | Implement additional SOC 2 controls | Updated policies and evidence | Q3 2026 | 📋 Planned |
| 2 | Engage CPA firm for SOC 2 audit | Engagement letter | Q3 2026 | 📋 Planned |
| 3 | SOC 2 Type I audit (point-in-time) | Type I report | Q4 2026 | 📋 Planned |
| 4 | SOC 2 observation period (6-12 months) | Continuous monitoring | Q4 2026-Q2 2027 | 📋 Planned |
| 5 | SOC 2 Type II audit | Type II report | Q2-Q3 2027 | 📋 Planned |
Post-Certification: Next Steps
After ISO 27001 and SOC 2, the recommended next certifications are:
- HIPAA (Q1 2027) — required for healthcare vertical
- eIDAS / QTSP (2027-2028) — for EU digital identity market expansion
Recommended Certifiers
ISO 27001 (Germany)
| Certifier | Website | Notes |
|---|---|---|
| TUV Rheinland | tuv.com | Well-known; strong enterprise recognition |
| DQS GmbH | dqs.de | German-origin; ISMS specialists |
| BSI Group | bsigroup.com | Strong international recognition |
| Bureau Veritas | bureauveritas.com | Good for global market recognition |
SOC 2 (CPA Firms)
| Firm | Notes |
|---|---|
| Coalfire | Established SOC 2 auditor; works with SaaS companies |
| A-LIGN | Strong SOC 2 focus; efficient for startups |
| Schellman | Specialist in SOC 2 for technology companies |
| Local CPA with AICPA accreditation | Consider for cost efficiency |