How I Helped Armanino Become One of California’s Only ISO Certification Bodies

In 2021, ISO certifications like 27001, 27017, and 27701 were still largely considered European territory. U.S. firms, especially in the mid-tier market, were hesitant to embrace them—not because they lacked value, but because they lacked localized expertise. That’s the challenge I decided to tackle head-on.

At the time, I was leading cybersecurity and compliance efforts at Armanino LLP, one of the top 20 accounting and consulting firms in the United States. While Armanino had a robust SOC 2 program in place, it lacked any formal infrastructure to deliver ISO audits or certifications. Clients who asked about ISO were typically referred out to European firms. I believed we could change that—not only for Armanino, but for the broader U.S. market.

Turning a U.S. Firm into a Certification Body

Becoming an ISO certification body is no small task, especially in the United States. As of 2025, only 39 companies in the entire country have received ANAB accreditation to certify against ISO 27001. In California, where there are over 50,000 eligible firms, only seven hold that distinction. Armanino became one of them—and I was proud to lead that transformation.

The process involved more than passing an audit. It required building an entire internal ISO ecosystem from the ground up: audit methodologies, policy libraries, control testing tools, internal training, conflict-of-interest frameworks, and auditor assignment protocols.

I personally:

  • Developed Armanino’s ISO-aligned audit methodology and control matrix
  • Trained internal staff on ISO 27001, 27017, 27018, and 27701 standards
  • Built automation-ready audit checklists for AWS, Azure, and SaaS clients
  • Created client-facing education programs, including live webinars and implementation workshops

One of our earliest success stories was PrinterLogic. They publicly acknowledged our support in achieving ISO 27001, a milestone that helped prove our internal certification process could stand up to global scrutiny.

Why This Was a First in the Market

Most U.S.-based consulting firms—even those with compliance practices—do not serve as ISO certification bodies, a role that requires both deep technical credibility and rigorous third-party oversight. Instead, they act as readiness consultants and outsource final certification to overseas entities.

At Armanino, we flipped that script. By certifying in-house, we reduced audit timelines, lowered costs for startups, and created a new recurring revenue model based on certifications instead of just hourly consulting.

Within a year:

  • We certified 20+ clients
  • Generated over $1 million in ISO-specific revenue
  • Earned ANAB accreditation across ISO 27001 and 27701

Our model was repeatable, scalable, and purpose-built for startups needing lightweight but credible audits. The entire ISO program we built is now integrated into Armanino’s service portfolio and continues to grow.

Making ISO American

My larger vision was to make ISO standards not just “imported” frameworks, but deeply embedded in U.S. cybersecurity culture. I viewed this as more than technical enablement—it was regulatory translation.

For example:

  • ISO 27017 provided cloud-specific controls that mapped better to SaaS environments than legacy NIST frameworks
  • ISO 27701 became a privacy certification that startups could use to demonstrate CCPA and GDPR readiness
  • ISO 42001 (on AI governance) was on the horizon, and our practice was ready for it long before its release

By localizing these global frameworks—adapting their language, mapping them to DevSecOps workflows, and training internal and external stakeholders—we didn’t just implement ISO. We naturalized it.

Why It Matters

This story isn’t just about me or Armanino. It’s about what happens when you stop waiting for others to set the standard and start building it yourself.

Today, I continue to advocate for integrated compliance frameworks, especially as U.S. startups seek both SOC 2 and ISO certifications to win trust in global markets. The foundation we built at Armanino has already enabled that shift.

Becoming an ISO certification body is rare. But replicating the path we took shouldn’t be. I hope our success becomes a blueprint—not an anomaly.
