We Just Got Asked for ISO 27001 in a Security Questionnaire. What Now?
If you are reading this, the email has already arrived. A buyer, whether a bank, an insurer, an NHS trust, or a global SaaS company, has sent you a vendor security questionnaire. Within the first few questions, there is one line that matters: "Do you hold ISO/IEC 27001 certification?" You do not. The deal is real, the procurement team is waiting, and every consultant you have spoken to today has told you it takes six to nine months. This is where most companies lose the deal. This guide shows you exactly what to do next, and how to stay in the deal without ISO 27001 today.
First, do not lie on the questionnaire, and do not hedge either. The most common and most damaging mistake is a vague answer: founders write phrases like "ISO 27001 in progress" or "aligned with ISO 27001 principles." Procurement teams see this every day and it raises an immediate red flag, because it is unverifiable. It triggers follow-up questions you cannot answer, it becomes a contractual risk if it turns out to be inaccurate, and any claim to actually hold a certificate can be checked externally against the IAF CertSearch database, so never answer "Yes" to a question you cannot answer "Yes" to. The correct response is precise and checkable: "We have appointed an ISO 27001 implementation partner and our certification project has commenced. Stage 2 audit is scheduled within the next 10 weeks. Supporting documentation (risk register and Statement of Applicability) can be provided under NDA." Every element of that answer is something the buyer can verify, which is what keeps you in the deal. Be clear in your own mind, and in the answer, that a scheduled Stage 2 audit is not a certificate: the certificate is issued by the certification body only after the Stage 1 and Stage 2 audits are passed and its decision is made.
Contrary to popular belief, buyers do not need the certificate immediately. They need confidence that it is coming. What procurement teams actually want is a named implementation partner, a defined project timeline, and a realistic audit date. If your timeline is within 90 days, most buyers will proceed. Beyond that, risk increases and the deal starts to slip.
The 72-hour action plan is where deals are won or lost. On Day 1, acknowledge and control the timeline by replying within 24 hours confirming you are initiating ISO 27001 certification and that a partner will be appointed immediately. On Day 2, get a real gap analysis: book a call that produces a written gap report, a fixed cost, and a target audit date. Avoid generic consultancy conversations. On Day 3, commit and start: sign the engagement, lock the project start date, and secure the audit window. Until this is done, you do not have a credible answer for the buyer.
The "six to nine months" timeline that most consultancies quote reflects slow consultancy models with weekly check-ins and delayed audit booking. It is not a requirement of ISO 27001; the standard sets no minimum duration. A structured model delivers certification in 8 to 10 weeks for most technology companies. The difference is execution: pre-built frameworks, parallel workflows, and early audit booking rather than sequential waterfall delivery. The one thing no timeline can compress away is evidence that the ISMS is actually operating. Before Stage 2 the certification body will expect a completed risk assessment, a Statement of Applicability, at least one internal audit and a management review, and records showing the selected controls are in place, and the auditor will sample those records. A short timeline works only if those artefacts are genuine.
Let us be direct about what this decision is really about. You are not deciding whether to spend ten to twenty thousand pounds. You are deciding whether to lose one hundred thousand to one million pounds or more in contracts. ISO 27001 is not compliance. It is a revenue unlock mechanism. If you have a live deal, a questionnaire on your desk, and procurement pressure, there is only one decision: start now or lose the deal.