Compliance & AI Governance

What is ISO 27001?

The international, certifiable standard for running a real information-security management system.

Talk to usFree to start - no card required.

ISO 27001: definition

Where SOC 2 is common in the US, ISO 27001 is the globally recognized standard, often required by international and enterprise buyers. It is certifiable: an accredited body audits your ISMS and issues a certificate valid for three years with surveillance audits. It is risk-based - you assess information-security risks and apply controls (from Annex A) to treat them - and emphasizes continual improvement.

  • Requires a documented, risk-based ISMS
  • Annex A provides a catalog of security controls to select from
  • Accredited certification (3-year cycle with surveillance audits)
  • Widely recognized internationally, often required by enterprise buyers

How Fintra handles it

Fintra supports an ISO 27001 program by maintaining the control set, mapping evidence to Annex A controls, and keeping a live risk register - and because it also maps the same evidence to SOC 2, you satisfy overlapping requirements once rather than twice. Continuous evidence collection keeps the ISMS audit-ready between surveillance audits.

Worked example

Frequently asked questions

What is the difference between ISO 27001 and SOC 2?

ISO 27001 is an international, certifiable standard for an information security management system; SOC 2 is a US-centric auditor’s report on controls against Trust Services Criteria. ISO issues a certificate; SOC 2 issues an attestation report. Many companies pursue both, and the controls largely overlap.

What is an ISMS?

An Information Security Management System is the documented set of policies, processes, risk assessments, and controls a company uses to manage information security systematically. ISO 27001 certifies that your ISMS meets the standard’s requirements.

How long is ISO 27001 certification valid?

A certificate is typically valid for three years, with annual surveillance audits to confirm the ISMS continues operating, and a recertification audit at the end of the cycle. Continuous evidence collection keeps you ready between audits.

Can Fintra support both ISO 27001 and SOC 2?

Yes. Fintra maps a single evidence set to both frameworks’ overlapping controls, maintains a live risk register, and collects evidence continuously - so you satisfy shared requirements once and stay audit-ready across both.

Stay in the loop

One practical finance briefing a week - new guides, checklists, and benchmarks.

 

See how Fintra handles the numbers behind this term

Fintra is the AI Finance Operating System for SMBs - accounting, planning, payroll, equity, and AI governance on one shared data model, with a named human approving anything consequential. Free to start, no card required.

Talk to us