ISO 27001 for Croatian and US-bound B2B companies — a practical guide
A typical Tuesday email: your largest client, the one carrying 40% of revenue, asks for an ISO 27001 certificate before signing next year's contract. You have 6 months. This scenario keeps repeating in the Croatian B2B market, especially in fintech, SaaS, and any company selling into US or EU enterprise procurement processes.
An ISO 27001 certificate demonstrates that your company runs a working Information Security Management System (ISMS) recognized globally. Preparation typically takes 4 to 9 months with an external consultant, covers 93 Annex A controls (2022 version), and overlaps with most NIS2 requirements if both are on your plate.
The difference between companies that pass and companies that burn revenue is not expertise. It is planning. ISO 27001 preparation is not a stack of policies you print and frame on a wall. It is a working system you design, implement, document, and learn to self-audit before someone external comes to verify whether it runs.
Below: the 2013 vs 2022 difference, all 93 Annex A controls, a 6-month roadmap, the internal audit that often decides whether you pass, qualitative cost drivers, and the seven most common reasons first audits fail.
Key takeaways
- ISO 27001:2022 has 93 Annex A controls in 4 groups (Organizational 37, People 8, Physical 14, Technological 34). The 2013 version (114 controls) is no longer certifiable after October 2025.
- Preparation typically takes 4 to 9 months. Past 9 months usually means scope is not realistic or internal resources are not engaged.
- The Statement of Applicability (SoA) is the document that decides whether you pass. Generic "not applicable" labels without justifications equal automatic non-conformity.
- You must run at least one internal audit before the external audit. Your certification body cannot run it; that is a conflict prohibited by ISO/IEC 17021-1.
- ISO 27001 overlaps with SOC 2 by roughly 50-80% depending on which Trust Services Criteria you scope, making it a strong starting point for US-bound SaaS.
What is ISO 27001 and why it matters now
ISO 27001 is the international standard for an Information Security Management System (ISMS). The current version is ISO/IEC 27001:2022, published October 2022. In Croatia it is available through national transposition via the Croatian Standards Institute (HZN).
What makes ISO 27001 different from other security frameworks: it is not a shopping list of tools, and it is not a one-day certificate. It is a documented system describing how your organization identifies, evaluates, and treats information security risks. An external auditor shows up and verifies whether that system actually works in practice, not whether you only wrote it down.
Who is who in the process (a common point of confusion): certification bodies (TÜV NORD, DNV, Bureau Veritas, others) issue the certificate. Consultants prepare the ISMS and guide you through the process. You need both, but they cannot be the same firm. ISO/IEC 17021-1 explicitly prohibits the combination.
Who actually needs ISO 27001
Not everyone. Contrary to what certification body sales reps tend to say, ISO 27001 is not universally required. Three types of companies for whom the cost and effort are legitimately justified:
B2B companies selling to enterprise. If you sell to Fortune 500, EU banks, telco operators, or US-listed companies, their procurement process will ask for either ISO 27001 or SOC 2 before signing. Not negotiable. This is by far the most common reason Croatian companies start the process.
Regulated sectors. Fintech (Croatian National Bank plus DORA), healthcare (HIPAA for the US market plus GDPR), public administration (NIS2 obligatory for essential entities). ISO 27001 makes compliance demonstration to regulators significantly easier.
B2B SaaS companies. If you sell software to other businesses and hold their data, ISO 27001 is a deal-breaker for enterprise sales. It also accelerates SOC 2 preparation for the US market: overlap is estimated at 50-80% depending on which Trust Services Criteria you scope.
Who does not need ISO 27001: D2C webshops without a B2B segment. Local services without sensitive data. Companies with fewer than 5 employees and no B2B sales. For them, lighter frameworks like CIS Controls, or simply consistent basic security hygiene, are sufficient.
A scenario that repeats in the Croatian SMB market: a 14-person fintech, EU bank client in procurement asks for ISO 27001 by end of Q3. First instinct is to put the entire company in scope. Wrong.
What is actually needed is the customer-facing fintech platform plus production environment. Scope limited to one-third of the office means cost halved, timeline cut from 8 to 5 months. The scope conversation before gap analysis is one of the biggest leverage points in the entire project. It shapes cost, duration, and the realism of the timeline.
Similar situation? Get in touch → We talk through your scope before you commit.
ISO 27001:2013 vs 2022 — the practical difference
The 2013 version (ISO/IEC 27001:2013) was the standard for a decade. It had 114 controls across 14 domains in Annex A. The 2022 version reduced the control count to 93, regrouped them into 4 logical categories, and added 11 entirely new controls covering cloud, threat intelligence, secure development, and data masking.
| Characteristic | 2013 | 2022 |
|---|---|---|
| Annex A controls | 114 | 93 |
| Grouping | 14 domains | 4 groups (Organizational, People, Physical, Technological) |
| Cloud-specific controls | No | Yes (A.5.23) |
| Threat intelligence | Implicit | Explicit (A.5.7) |
| Transition deadline | n/a | October 2025 — after which 2013 certificates are no longer issued or renewed |
Some consulting content you find online still describes the 2013 version as current. Check the publication date before using anything for planning. After October 2025, 2013 certificates are no longer issued or renewed.
ISO 27001 and the EU regulatory layer (NIS2, DORA)
From a Croatian perspective, ISO 27001 was historically not a legal requirement, only a competitive differentiator for B2B sales. NIS2 changes that.
The Croatian Cybersecurity Act (Zakon o kibernetičkoj sigurnosti, ZKS) came into force on 15 February 2024, with implementing regulation on 22 November 2024. The act transposes the NIS2 Directive (EU 2022/2555) into Croatian law and obligates essential and important entities to implement the 10 security measures from Article 21 of NIS2.
An ISO 27001 ISMS covers most NIS2 requirements (industry estimates run 60-80% depending on interpretation; no official 1:1 mapping has been published). In practice, a functional ISMS gives you governance, risk management, incident handling, supply chain security, and most technical measures. What remains are NIS2-specific obligations: incident reporting to CERT.hr and registration with the regulator. Detailed mapping is covered in our NIS2 guide for Croatia (Croatian-language).
For EU finance, DORA (Digital Operational Resilience Act) applies from January 17, 2025 and overlaps significantly with ISO 27001 in ICT risk management and third-party risk. If you are an EU regulated financial entity, DORA and ISO 27001 ship together, in the same project.
All 93 Annex A controls (2022) at a glance
ISO/IEC 27001:2022 has 93 controls in Annex A, grouped into 4 logical categories. This is the structure you will see in every document, Statement of Applicability, and internal audit.
| Group | Controls | What it covers | Example controls |
|---|---|---|---|
| A.5 Organizational | 37 | Policies, organizational structure, vendor management, information classification, incident management | A.5.1 Information security policies, A.5.7 Threat intelligence, A.5.23 Information security for use of cloud services |
| A.6 People | 8 | Employee screening, awareness training, disciplinary processes, remote work | A.6.1 Screening (pre-employment background checks), A.6.3 Information security awareness, A.6.7 Remote working |
| A.7 Physical | 14 | Physical office security, equipment, cabling, clean desk | A.7.1 Physical security perimeters, A.7.10 Storage media, A.7.14 Secure disposal |
| A.8 Technological | 34 | Technical controls, monitoring, secure development, backup, cryptography | A.8.16 Monitoring activities, A.8.25 Secure development life cycle, A.8.28 Secure coding |
The 11 entirely new controls in the 2022 version, worth flagging if you are transitioning from 2013:
- A.5.7 Threat intelligence — collecting and using current threat information
- A.5.23 Information security for use of cloud services — explicit cloud controls
- A.5.30 ICT readiness for business continuity — IT continuity as a subset of BCM
- A.7.4 Physical security monitoring — access surveillance systems
- A.8.9 Configuration management — secure baseline configurations
- A.8.10 Information deletion — secure deletion
- A.8.11 Data masking — anonymization and pseudonymization
- A.8.12 Data leakage prevention — DLP controls
- A.8.16 Monitoring activities — security monitoring and log analysis
- A.8.23 Web filtering — web access controls
- A.8.28 Secure coding — secure software development standards
You do not have to implement all 93 controls. The Statement of Applicability (SoA) is the document where you justify why a particular control does not apply to your scope. The SoA is the document most deeply scrutinized during the external audit. Generic "not applicable" without justification equals automatic non-conformity.
Preparation — a 6-month roadmap
This is the typical timeline for an SMB with 20-50 employees, scope limited to one service line or production environment, and an external consultant leading the process. Outside this size range, add or subtract roughly 2 months.
Month 1: Scoping and leadership commitment
The most important step most people skip. Scope is the boundary of your ISMS — what is in, what is out, and why. A poorly defined scope means one of two things: either you are trying to certify the entire company (expensive, slow, often unnecessary) or scope does not cover what the client is actually asking about (incomplete signal, lost business).
Leadership commitment is not a ceremonial CEO signature on the document cover. It is a formally defined Top Management role in the ISMS (using ISO 27001 terminology), with authority, resources, and an annual obligation to review how the system functions. If management does not understand its role, the audit fails on Clause 5 before you even get to Annex A.
Months 1-2: Gap analysis
An external consultant or internal team maps the current state against the 93 controls. Output: a clear list of what you already have implemented, what is partially covered, and what needs to be built from scratch. In practice, most SMBs already have some controls partially implemented (password policy, backups, basic access control) but not documented in ISMS format. You learn the real baseline only after gap analysis.
Months 2-3: Risk assessment
You identify all information assets in scope (servers, applications, documents, people), threats acting on them, and quantify the risk. The methodology has to be consistent. Most teams use the ISO 27005 framework or a qualitative 5×5 matrix (impact × probability). What the auditor looks for: methodology documented, applied consistently, and the results feeding into a risk treatment plan.
Months 3-5: Control implementation
The longest phase. You write policies, configure technical controls, train people. Typically 15-25 documents: information security policy, access control policy, acceptable use policy, incident response procedure, change management, supplier security, business continuity, and others.
Months 4-5: Documentation and SoA
The Statement of Applicability is the document where, for each Annex A control, you record: whether it is included in the ISMS, the justification for inclusion, implementation status (implemented / in progress / not implemented), and the justification for any excluded control. These are the requirements of ISO 27001:2022 clause 6.1.3 d). In practice you also add a link to evidence. The SoA is built in parallel with implementation, not at the end.
Months 5-6: Internal audit
Dedicated section below. Do not skip — this is what decides whether you pass or fail.
Month 6: External audit (Stage 1 + Stage 2)
The certification body comes in two phases. Stage 1 is the readiness review — documentation plus interview with management, typically 1-2 days. Stage 2 is the operational audit, 3-5+ days depending on scope. Between them you usually have 2-12 weeks to fix Stage 1 findings.
Internal audit — what, who, when, and how not to fail
The internal audit is the part most guides cover worst. Nobody explains who can run it, what to check, and which mistakes to avoid. In practice, the internal audit is one of the two or three factors that separate "passed first time" from "failed Stage 1".
What the internal audit is
ISO 27001:2022 clause 9.2 requires the organization to conduct internal audits at planned intervals to verify whether the ISMS conforms to the standard and to internal policies. In practice: at least once a year, plus every time there is a major change in scope or controls.
Difference from the external audit: the external one is performed by an independent certification body (TÜV NORD, DNV, Bureau Veritas, others). The internal one you run yourself, or have someone you engage run it. The external one issues the certificate. The internal one prepares you to actually receive it.
Who can run it
Three options:
1. Internal resources. An employee of your company with auditor authority. The person must be independent from the audited area — the person who implemented the controls cannot audit their own work. Practically, this only works in medium and larger companies with multiple independent departments.
2. An external consultant as auditor. A consultant who was not involved in preparation (or only in a part they are not auditing). The most common option for SMBs. If I have run your preparation, I engage an independent ISO 27001 lead auditor from a partner network for the internal audit — someone who had no input into the prep — which satisfies the 9.2 independence requirement.
3. The certification body as auditor. No. This is a conflict of interest. The certification body that will do your external audit cannot do your internal audit. Any "all-in-one" offering from a certification body suggesting otherwise is a red flag — ISO/IEC 17021-1 prohibits combining consulting (including internal audit) and certification for the same client within 2 years.
When to run it
At least 4-6 weeks before the external Stage 1 audit. Reason: you need time to fix findings before the external auditor arrives. If the internal audit finds 8 non-conformities and you enter the external next week, failure is almost guaranteed.
After the first certification, annually. That is a hard requirement, not a recommendation.
Audit checklist table
This checklist covers the most commonly problematic controls that trigger findings in SMB ISMSs. Other Croatian and EU consultants do not publish this publicly.
| Annex A group | Controls to focus on | Evidence type | Frequent fail signal |
|---|---|---|---|
| A.5 Organizational | A.5.7 Threat intelligence, A.5.23 Cloud security, A.5.34 PII protection | Documented threat feed sources, cloud vendor due diligence, PII registry | "We use cloud, we know it is secure" without vendor SOC 2 or ISO certificate evidence |
| A.5 Organizational | A.5.30 ICT readiness for business continuity | BCP test report, RTO/RPO definitions | BCP test not conducted in the last 12 months |
| A.6 People | A.6.1 Screening, A.6.3 Awareness training | Pre-employment background check, training attendance log, training quiz results | Training was delivered but no evidence of attendance or comprehension |
| A.7 Physical | A.7.10 Storage media, A.7.14 Secure disposal | Media inventory, disposal certificate, asset destruction log | Hard disks "thrown out" without secure wipe or shred certificate |
| A.8 Technological | A.8.16 Monitoring activities | SIEM logs, monitoring playbooks, alert thresholds | Logs are collected but nobody acts on alerts, or thresholds are not defined |
| A.8 Technological | A.8.9 Configuration management | Baseline configurations, drift detection report | "Server is set up, it works" without a baseline document or periodic check |
5 typical SMB mistakes in internal audits
- Audit window too small. The entire scope covered in one day. Audit has the depth of a centimeter and the width of a kilometer. The auditor should be able to write 15-30 specific findings, not 3 generic ones.
- The auditor reviews their own work. The person who wrote the incident response policy cannot audit how the policy is implemented.
- No evidence trail. The auditor reports "I checked the access logs, everything is fine" without documentation of which logs they examined and on which dates. That is an assertion, not evidence.
- Does not cover all controls in SoA. If a control is marked "applicable" in SoA, the internal audit must cover it at least once per cycle (annually for most organizations).
- No action plan with ownership and deadline. A finding without "who fixes, by when" is just a list of complaints. The external auditor will look for corrective action records.
Need an independent internal audit before Stage 1? 30-minute call. No obligations, no PowerPoint.
Bonus checklist. The table above is an excerpt. The extended internal audit checklist with 40+ additional controls across all 4 Annex A groups (including config baselines, threat-intel feed validation, BCP test artifacts, supplier security review, cryptography key management, secure SDLC, and others) is available as a PDF →.
What drives the cost — anatomy of pricing
Concrete numbers depend on scope. The factors that most influence the final cost:
Scope size. A single service line with 20 employees is a different project from the entire company with 200. Larger scope means more documents, more controls to implement, longer audit. The biggest lever you can pull.
Number of physical locations. Multi-location organizations require either including all locations in scope (expensive) or explicitly excluding them with justification in SoA. The certification body may require visits to additional locations, increasing the external audit cost.
Existing documentation. If you already have basic security policies, incident response procedure, asset inventory, the saving in preparation is significant. Greenfield ISMS construction from scratch takes 50-100% longer.
Number of employees. Awareness training, screening processes, access management and offboarding — everything scales with people. 200 people is not 10× 20 people in complexity, but it is roughly 3-4× in effort.
Sector. Fintech, healthcare, public administration come with additional regulatory requirements that must be mapped into the ISMS. Cost is meaningfully higher compared to a generic SaaS scenario — additional framework mapping, more documentation, more frequent touch-points with the regulator.
Structure of external cost (public market)
What is publicly known about certification body pricing:
- Stage 1 + Stage 2 audit is charged by auditor day, typically 3-6 days total for an SMB scope
- Surveillance audits annually (years 1 and 2 post-certification), typically 2-3 days per visit
- Recertification is performed every 3 years and is roughly comparable to the original Stage 2
Concrete EUR figures vary across certification bodies. From experience, budget mid four-figure euro costs for the Stage 1 + Stage 2 combination as an orientation signal, plus smaller annual surveillance.
Consultant fees for preparation are not publicly listed because they depend directly on scope. Get in touch for a concrete quote based on your situation.
The 7 most common reasons first audits fail
From experience with the ISMS I built as CISO at a Croatian bank (annual audits passed plus a Croatian central bank supervision passed without sanctions) and current CISO work where we passed SOC 2 Type 1 and HIPAA audits on first attempt, the seven most common reasons for first audit failure:
- Inconsistent Statement of Applicability. SoA with 30 controls marked "not applicable" without justification, or with justifications like "we don't think we need this". The auditor expects clear rationale based on risk assessment output.
- Risk register too small. 5-10 generic risks ("data breach", "ransomware") for an organization with 50 services, 200 employees, 3 locations. The depth of the risk assessment directly signals how serious the ISMS is.
- Controls written but not implemented. Policy says "we conduct background checks", actual evidence: zero background checks in the last 12 months. The auditor tests samples, not policies.
- Internal audit too late or too shallow. Covered above. Internal audit done 2 weeks before Stage 1, with 3 findings, signals insufficient seriousness.
- Leadership commitment only on paper. Top management review not actually held, or held as a formal email with no agenda or actions. Clause 5 fail.
- Document control chaos. Document versions are not tracked, ownership unclear, updates ad hoc. The auditor will check the document register and verify that the current version of a policy matches what people actually use in practice.
- Awareness training not practiced. "We sent an email to employees" without evidence of attendance, quiz scores, or recordings.
A classic post-fail pattern that repeats with SaaS startups: the CISO calls three weeks after a Stage 1 failure. The risk register had 8 risks for a 35-person engineering team. The internal audit was a "verbal sign-off" with no document. Awareness training: "lunch-and-learn last year, we don't have recordings."
Three months until Stage 2. Fixable, but at significant additional cost and stress for the team. All of the above should have been caught during the internal audit in Month 5, not at Stage 1.
ISO 27001 versus other frameworks
Which framework do you actually need?
| Framework | Market | Type | Preparation time | Audit cycle |
|---|---|---|---|---|
| ISO 27001:2022 | Global B2B | Voluntary (until regulator requires) | 4-9 months | 3-year cycle + 2 surveillance |
| SOC 2 Type II | US enterprise | Voluntary, US-dominant | 6-12 months (Type II) | Annual |
| NIS2 / Croatian ZKS | EU / Croatia | Mandatory for essential and important entities | 3-6 months (preparation), ongoing maintenance | n/a (regulator audits) |
| HIPAA | US healthcare | Mandatory for PHI handling | 3-6 months | n/a (regulator audits) |
| DORA | EU finance | Mandatory from 17 January 2025 for financial sector | 6-12 months | n/a (regulator audits) |
For Croatian SaaS selling to the US: ISO 27001 first, then SOC 2 Type II layered on top. A good ISO 27001 ISMS gives you most of the SOC 2 Common Criteria, but Trust Services for availability, confidentiality, processing integrity, and privacy require additional work. The reverse order (SOC 2 first then ISO) does not work nearly as well.
For NIS2 specifics, our NIS2 Croatia guide covers the 10 Article 21 measures, penalties, and DORA + HIPAA mapping (Croatian-language).
How to pick a consultant for preparation
What to actually ask when shortlisting:
Practical experience, not just certificates. A consultant who only has a "Lead Implementer" certificate, with no real ISMS implementation that passed an external audit, is not enough. Ask: "How many ISMSs have you taken to certification? Which certification bodies? Which sectors?"
Industry fit. A fintech ISMS is different from a SaaS ISMS. A consultant who has never worked with your industry will recognize problems only at Stage 1, not before.
Communication with leadership. ISO 27001 is not just an IT project. Management must be an active participant. A consultant who "only works with the IT team" does not finish the project at the level the auditor expects.
The job does not end at the certificate. Surveillance audits require ISMS maintenance. A consultant who helps you get certified and disappears is half the story.
Transparency about limits. Stage 2 cannot be guaranteed by anyone except the certification body that conducts it. A consultant who promises that without a detailed gap analysis either creates false expectations or does not understand how external audits work. Either way, a signal of weak process understanding. A consultant can guarantee their own work, not the audit outcome.
Big 4 versus boutique consultant
The most common alternatives are a Big 4 firm (Deloitte, KPMG, PwC, EY) or an established Croatian consultancy with 10+ ISMS implementations. Each comes with different trade-offs.
Big 4 has brand recognition that helps a CFO approve in procurement. Cost is typically 2-3× higher than a boutique consultant; the project is usually taken by a senior plus a team of juniors doing most of the operational work. A boutique consultant is cheaper, but the risk is "a one-person firm that disappears mid-project". A founder-led shop running CISO-as-a-Service is in between: senior-only engagement, formal company with contracts, focused.
Fifteen years in security and IT across three roles: Head of DevOps at a telecom (security-driven infrastructure, not in a CISO capacity), then CISO at a Croatian bank where I built an ISMS per the Croatian National Bank's framework for IT governance. Annual external audits passed plus a Croatian National Bank supervision passed without sanctions or measures. Currently CISO at a US SaaS startup where we passed SOC 2 Type 1 and HIPAA audits on first attempt. Ctrl Alt Grow is a consultancy applying the same methodology. Founder-led, I run every engagement; for internal audits I engage independent partners with ISO 27001 lead auditor certifications. If that fits, let's talk.
FAQ
How many controls are in ISO 27001:2022?
ISO 27001:2022 has 93 Annex A controls grouped into 4 categories: Organizational (37), People (8), Physical (14), Technological (34). The 2013 version had 114 controls in 14 domains. Transition to the 2022 version ends in October 2025, after which 2013 certificates are no longer renewed.
How long does ISO 27001 preparation take?
Typically 4 to 9 months depending on scope and company size. A smaller SMB with a single service line and existing security practices can finish in 4-5 months. Larger organizations or greenfield ISMS construction take 8-12 months. Past 12 months, seriously reconsider scope or internal engagement.
Does a small company really need ISO 27001?
Not legally (in Croatia). But if you sell to B2B enterprise clients, if you are in a regulated sector, or if the US market is relevant, ISO 27001 (or SOC 2) is probably a deal-breaker for sales. For a D2C webshop without sensitive data, probably not.
Can I run the internal audit myself?
Technically yes, if the person is independent from the audited function. Practically, most SMBs lack the time and experience to do it efficiently 4-6 weeks before Stage 1. An internal audit run by an external consultant gives you two or three days of focused gap detection with an evidence trail the external auditor accepts more easily.
What if the audit fails?
A Stage 1 failure means findings to fix before Stage 2, typically 4-8 weeks of extra work. A Stage 2 failure is rarer and more serious, meaning major non-conformities. Typically 3-6 months of additional work plus an extra audit fee. The best way to avoid this is a thorough internal audit before Stage 1.
Is ISO 27001 worth it if we already have SOC 2?
Yes, but for different purposes. SOC 2 is a US-centric trust framework; ISO 27001 is a globally recognized compliance standard. EU enterprise clients and regulators tend to ask for ISO 27001; US enterprise tends to ask for SOC 2. If you sell to both markets, it is worth having both.
What is the difference between a consultant and a certification body?
A consultant prepares the ISMS and runs preparation for the external audit. The certification body conducts the external audit and issues the certificate. The certification body cannot do your preparation, nor your internal audit. This is a hard rule from ISO/IEC 17021-1 which prohibits the same certification body from combining consulting and certification within 2 years.
Conclusion
ISO 27001 in Croatia in 2026 is not what it was 5 years ago. NIS2 and ZKS have made compliance a top-level business concern; the market no longer distinguishes between "we have security policies" and "we have a certified ISMS". You either have a certificate or you do not.
Preparation is achievable in 4-9 months with the right structure. The biggest risks are not technical complexity (controls are defined) but planning: scope, leadership commitment, internal audit timing. The mistakes that cause failure are predictable and well-known.
If you sell to B2B enterprise clients, if you are in a regulated sector, or if the US market matters to you, ISO 27001 is an investment that returns through smoother sales processes.
Already have the trigger (a client is asking, a regulator is pinging)? → 30-minute scope call. We talk specifics, no PowerPoint.
Thinking about ISO 27001 but not sure now is the time? → Send an enquiry with 2-3 sentences about your situation. You'll get a written "go / not yet / wait" recommendation within 24 hours.