In Morocco, demand for ISO 27001 certification almost never comes from the inside. It comes from a large client that requires proof before signing, a European partner extending its own obligations — GDPR, NIS 2, DORA — to its Moroccan suppliers, a tender that calls for a certified management system, or a board that wants assurance that security is actually governed. The standard has become a commercial passport as much as a security framework.
This guide explains what ISO 27001 really is, what the 2022 version contains, how certification works in Morocco, what it costs and how long it takes — from the point of view of a firm that prepares Moroccan organizations for the audit, not a body that sells the certificate.
What is the ISO 27001 standard?
In one sentence: ISO/IEC 27001 is the international standard that certifies an information security management system (ISMS) — the organized set of processes, responsibilities and evidence through which an organization manages its security risks over time.
The point most projects miss: the standard does not ask for a binder of policies. It asks for a system that runs. A scope that reflects what you actually do, a risk assessment whose treatment someone has decided, controls with named owners, evidence that accumulates as a by-product of normal work, and a management cadence — internal audit, management review, continual improvement — that runs whether or not an audit is scheduled. That is exactly what an auditor samples, and exactly what a document set assembled the week before cannot fake.
The standard has two parts. Clauses 4 to 10 set out the requirements of the management system itself — context, leadership, planning, support, operation, performance evaluation, improvement. They are mandatory and non-negotiable. Annex A is the catalogue of security controls from which you select, and justify, those that apply to your real risk.
What is the difference between ISO 27001 and ISO 27002?
Direct answer: you get certified to ISO 27001; you draw on ISO 27002. ISO 27001 is the certifiable standard — the one an accredited body audits you against. ISO 27002 is a companion guide describing in detail how to implement each control listed in Annex A. No organization is certified to “ISO 27002”: it is an implementation manual, not an audit framework. Both were republished in 2022 and are read together.
What is in Annex A? The 93 controls of the 2022 version
Direct answer: Annex A of ISO 27001:2022 has 93 controls, down from 114 in the previous version, reorganized into four themes instead of the former fourteen domains.
- Organizational controls — 37 controls: policies, roles, supplier management, incident management, continuity, compliance.
- People controls — 8 controls: recruitment, awareness, remote work, handling departures.
- Physical controls — 14 controls: premises access, equipment security, physical monitoring.
- Technological controls — 34 controls: hardening, logging, cryptography, development security, cloud security.
The consolidation did more than reduce the count: the 2022 version introduced eleven new controls that reflect the modern attack surface — threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering and secure coding.
You do not implement all 93 controls blindly. You decide, control by control, which apply to your risk, and you record those decisions — inclusions and exclusions alike — in the Statement of Applicability (SoA). That is the document the auditor reads to understand the logic of your scope.
What changed with ISO 27001:2022 — and can you still certify to 2013?
Direct answer: no, the 2013 version is no longer certifiable. The transition period ended on 31 October 2025; since then, every first certification and every recertification is exclusively against ISO 27001:2022, and any 2013 certificates still in circulation are no longer valid.
In practice, for a Moroccan organization starting today, the “2013 or 2022?” question no longer arises: it is 2022. Be wary of policy templates, guides and providers still talking about the “114 controls” and the fourteen domains — they describe a withdrawn standard. If you hold a 2013 certificate that was not transitioned, you are no longer certified, and that is the first gap to address.
How does ISO 27001 certification work? The steps
Direct answer: certification always follows the same sequence — internal preparation, then a two-stage external audit by an accredited body, then a three-year certification cycle with annual surveillance audits.
- Gap assessment. We measure your real state against clauses 4 to 10 and the 2022 Annex A, and produce a prioritized picture of the distance to certifiability — with an honest estimate of timeline and effort before you commit to a date.
- Building the ISMS. Scope, risk assessment, Statement of Applicability, policies and controls — designed around your real operations so your team can actually run them.
- Evidence preparation. We set up the records, logs and artefacts an auditor will ask for, produced by normal work rather than reconstructed under deadline.
- Internal audit and management review. The standard requires both before the certification audit. They surface non-conformities while they are still cheap to fix.
- Certification audit — Stage 1 (documentation review). The certification body checks that the ISMS exists and that the documentation holds together.
- Certification audit — Stage 2 (implementation audit). The auditor samples evidence to verify the controls actually work. The certificate is issued at the end — it is valid for three years.
- Surveillance audits and recertification. A surveillance audit takes place each year (year 1 and year 2); a full recertification happens in year 3, which renews the certificate for a further three-year cycle.
One structural point: the certificate is issued by an accredited certification body, independent of whoever prepares you. A consultant cannot audit themselves. Staying outside the audit is precisely what lets a preparer be candid about your real situation.
How much does ISO 27001 certification cost in Morocco?
Direct answer: the cost splits into two distinct budgets, and any single figure quoted without knowing your scope is a guess.
- The certification body’s fees — the Stage 1 + Stage 2 audit, then the annual surveillance audits. They are billed by the accredited body, usually per audit day, and depend mainly on your headcount and number of sites.
- The preparation cost — building the ISMS, the controls and the evidence up to an auditable state. That is where a consultant comes in.
The factors that actually move the bill: the size of the scope (one product and one team, or the whole company), your starting maturity (a non-existent ISMS costs more than a drifted one that needs tightening), the number of sites and headcount, and how much tooling is already in place.
At HackingByte, preparation is scoped as a fixed fee, in a range communicated during the scoping call — no day rate, no quote before we understand your scope. That is also the honest answer to anyone asking what ISO 27001 costs: the range is set after the gap assessment, not before.
How long does it take to get certified?
Direct answer: expect between 3 and 12 months from kickoff to the Stage 2 audit, depending on two variables — your starting maturity and the size of the scope.
An organization that already logs, manages access cleanly and documents its processes moves fast. One starting from a blank page spends most of the time building the evidence routines, not writing policies. The gap assessment is what turns that range into a realistic timeline for your case — that is precisely its job.
Is ISO 27001 mandatory in Morocco?
Direct answer: no, not in general — but two pressures often make it unavoidable in practice.
First, sectoral regulation: Law 05-20 on cybersecurity and the DGSSI reference frameworks impose security obligations on administrations, vital infrastructure and the operators in scope. ISO 27001 is not the law, but it is the management framework that makes those obligations demonstrable. Second, market pressure, often the most immediate: large clients, banks, insurers and European partners that require a certified system before referencing a supplier.
Not to be confused: ISO 27001 addresses information security; personal data protection falls under Law 09-08, supervised by the CNDP, and under the GDPR for your EU-facing activities. The two overlap but do not replace each other. We do not provide legal advice — interpreting Law 05-20 or Law 09-08 is for your counsel — but we make your security demonstrable against these frameworks.
Do you need an ISO 27001 consultant?
Direct answer: an ISO 27001 consultant is not mandatory, but it shortens the path and avoids the most common pitfall — a template ISMS that describes a company nobody recognizes and does not survive an auditor’s sampling.
A good consultant does four things: an honest gap assessment, the construction of an ISMS fitted to the way you work, the setup of evidence that produces itself, and the preparation of your leadership for the internal audit and management review they must personally own. Because HackingByte is first an offensive security firm, this is preparation seen through the lens of attack: each Annex A control is assessed not as “does a policy exist?” but as “would this control hold against someone actively trying to bypass it?” A system aligned with real risk is harder to topple — and it is the one an auditor accepts.
A useful distinction for your searches: PECB certifications (Lead Implementer, Lead Auditor) are certifications of people — they attest that a practitioner has mastered the standard. The certification of the organization is issued by the accredited body at the end of the audit. You need the latter; a consultant who holds the former gets you there.
Where to start
If a client, a tender or a board has set the ISO 27001 requirement, the proportionate first step is a gap assessment: it locates your real distance to certifiability and sets a timeline and a range before any commitment. In Morocco, we run ISO 27001 preparation as part of our GRC advisory, where ISO 27001 overlaps with your SOC 2, NIS 2 or GDPR work and the evidence is reused rather than rebuilt. Where the Statement of Applicability needs real evidence behind it, a security assessment or a penetration test backs the technical controls of Annex A.
Frequently asked questions
Is ISO 27001 mandatory in Morocco?
No, not in general. Law 05-20 and the DGSSI frameworks impose security obligations on certain entities (vital infrastructure, operators in scope), and large clients as well as European partners frequently require it by contract. ISO 27001 is the framework that makes those obligations demonstrable, without being a law itself.
How much does ISO 27001 certification cost in Morocco?
The cost splits in two: the certification body’s fees (initial audit then annual surveillance, a function of headcount and sites) and the cost of preparing the ISMS. It depends on scope and your starting maturity; the range is set after the gap assessment, not before.
How long does ISO 27001 certification take?
Generally 3 to 12 months to the Stage 2 audit, depending on your starting maturity and the size of the scope. The gap assessment turns that range into a realistic timeline for your situation.
What is the difference between ISO 27001 and ISO 27002?
You certify to ISO 27001, the auditable standard. ISO 27002 is the guide explaining how to implement the Annex A controls: an implementation manual, not a certification framework.
How many controls are in the 2022 Annex A?
93 controls, in four themes — Organizational (37), People (8), Physical (14) and Technological (34) — down from 114 in the 2013 version, with eleven new controls.
Can you still certify to ISO 27001:2013?
No. The transition ended on 31 October 2025; since then, only certifications against ISO 27001:2022 are valid.
Does HackingByte issue the ISO 27001 certificate?
No. The certificate is issued by an independent accredited certification body. We prepare you, can point you to accredited bodies, and stay outside the audit so we can be candid about your real situation.
Related services
- GRC advisory — ISO 27001, SOC 2, NIS 2, DORA and GDPR preparation, senior-led.
- Security assessments — to back the technical controls of Annex A with evidence.
- Penetration testing — the attack proof behind the Statement of Applicability.