Build or upgrade your ISMS on our platform

ISO 27001 Certification Simplified

What is it, why you need it and what’s involved

Introducing ISO 27001 Certification

Achieving ISO 27001 Certification acts as a business differentiator. Certification demonstrates an organisations commitment to continual improvement, development, and protection of information assets/sensitive data by implementing appropriate risk assessments, appropriate policies and controls. Here we will explain what it means to be ISO 27001 certified, the benefits, and what might be involved.

An ISO 27001 Certified organisation is advertising to the world they are trusted, have implemented an Information Security Management System (ISMS) in line with Clause 4.4 of the standard and have demonstrated compliance to an external auditor/independent ISO certification body, e.g. UKAS.

Certification affirms to suppliers, stakeholders and clients that your business takes information security management seriously. ISO 27001 Certification is a business differentiator and demonstrates to other business they can trust your organisation to manage valuable third party information assets/data and intellectual property; this fosters a wealth of new opportunities whilst protecting your business from exposure to risk.

ISO 27001 standard is the internationally recognised best practice framework for an ISMS

ISO 27001 recognition is most valuable for organisations in the United Kingdom when you get certified by a UKAS (United Kingdom Accreditation Service) accredited certification body that will independently audit your organisation and provide you with ISO 27001 certification. Other certification bodies comparable to UKAS exist internationally, which helps maintain the ISO/IEC 27001 Information Security Management standard wherever an organisation aims to achieve ISO 27001 certification.

ISO 27001 certification is not only about what technical measures you put in place. ISO 27001 is about ensuring the business controls and the management processes you have in place are adequate and proportionate for the information security threats and opportunities you have identified and evaluated in your risk assessment. And that should all be done with a business-led approach to the information security management process.

ISMS-CERTIFICATION-ISO-27001

ISO 27001 Certification vs Compliance

Organisations new to information security management systems often ask about the difference between ISO 27001 certification and compliance, especially when following recognised standards like ISO 27001.

In simple terms, compliance might mean that the organisation follows the ISO 27001 standard (or parts of it).

ISO 27001 certification means that the organisation’s ISO 27001 Information Security Management System has been certified in compliance with the standard by auditors known as Certification Bodies.

Why You Need ISO 27001 Certification

ISO 27001 certification applies to any organisation that wishes or is required to formalise and improve business processes around information security, privacy and securing its information assets.

The size/turnover of a business does not dictate the need for ISO 27001 of an organisation; even the smallest of companies may have influential customers or other stakeholders, such as investors, who look for the intrinsic assurances from having UKAS ISO 27001 certification offers.

As a result of ISO 27001 Certification, your organisation can demonstrate that its people, processes, tools, and systems adhere to a recognised framework. Imagine a world of financial reporting or health and safety without standards. Information security is a bit behind those areas from certification and independent audit perspectives. Still, with the pace of change accelerating for almost everything, more innovative organisations are getting ahead internally, particularly with their supply chain. So you can look at ISO 27001 certification through two lenses;

  1. As a customer, you need confidence that your suppliers are certified to help mitigate your business risks and exploit opportunities, e.g. from more consistent, higher standards and lower total cost and risk of work you encounter from them.
  2. 2. Your customers are getting smarter; they like you need to know that the supply chain is protected adequately. Influential customers are simply mandating ISO 27001 certification and transferring the risk management process down the supply chain. There are other spinoff benefits, too, let alone all the extra business you’ll win from being certified to ISO 27001 versus laggards who are not. For example, well-informed staff will want to work for trusted brands. As insurers catch up with better working practices, it should also mean lower premiums for organisations with independently certified ISO 27001 Information Management System.

What are the benefits of ISO 27001 certification?

For all stakeholders, the key message is trust and assurance gained from externally audited information security management. ISO 27001 Certification offers multiple benefits – for example:

Benefits to you

  • Protect IP, brand & reputation
  • Win more business from new & existing customers
  • Reduce the cost of sale
  • Retain more business
  • Improved processes leading to cost & time savings
  • Avoid fines from regulatory non-compliance (such as GDPR)
  • Avoid civil suits resulting from a data breach
  • Avoid costs of remedial action resulting from incidents and/or breaches
  • Attract better staff

Benefits to your staff

  • Trust in the organisation’s sustainability
  • Training for work (and home security)
  • Clarity through policies & procedures
  • Pride in the organisation and their role in protecting it

Benefits to your customers

  • Trust and assurance in you and your supply chain
  • Less likelihood of a costly breach
  • Reduced cost of supplier onboarding

ISO 27001 Certification: Is it worth it?

Doing nothing is probably not an option if you access and manage valuable information assets owned by others. For some organisations, their whole business is built on developing or managing information assets.

So, in that case, losing some or all of that business or not winning more in future probably means it’s worth investing in becoming certified to ISO 27001, especially if customers or other stakeholders like investors perceive a risk.

Achieving ISO 27001 certification is not as complicated or expensive as it used to be because of innovative solutions like ISMS.online. And, despite many of the strategic and financial benefits, some leaders still consider it a ‘grudge’ purchase and another bureaucratic tick box exercise. To achieve certification typically means a time and cost investment; like most strategic investments, it is worth considering the return and broader benefits.

office-workers-meeting-around-a-laptop

The return on investment (ROI) from an ISO 27001 Information Security Management System (ISMS) can be more fully explored in a recently published whitepaper, by Alliantist CEO Mark Darby, on Planning the business case for an ISMS.

The whitepaper further explores the opportunities and threats, benefits and consequences, and also offers up a range of tools and exercises to help:

  • Consider the ROI
  • Discover how to manage your Information Security Management System in the future

Ready to fast-track your implementation using ISMS.online?

Book your demo

What is Involved in an ISO 27001 Implementation?

You need to develop a ‘management system’, made up of people, processes and technology.

For the people part, you need leadership to guide the implementation to meet the business goals, cultural norms, regular reviews and show the organisation is taking it seriously. Auditors will want to see ‘the spirit of ISO 27001’ applied as well as the documents at this senior level, so a director waltzing into an audit and pretending to understand the ISO 27001 Information Security Management System is also a recipe for disaster.

You’ll also need people who understand your business with the capability, capacity and confidence to address the requirements. The ‘people’ investment is determined by the technology used to implement and maintain the ISO 27001 Information Security Management System (ISMS).

For example, you’ll need:

  • A digital or paper-based solution for describing how you meet the core requirements of ISO 27001 and how that is managed over time (you are audited at least annually – see further below).
  • It is a similar environment to document and manage all the Annex A controls & policies developed and then ensure they are made available to the people they apply to. You can prove that they are aware of them and engaged (remember, these people might be staff and suppliers). Don’t just write controls and policies for the sake of it, either. They should all be based on the issues facing your organisation, your interested parties expectations, your scope and boundaries (e.g. products, locations, etc.) and the information assets you want to protect. You have to ‘show your working’ here too and document all that. It gets hard to do that well and maintain it over time with just word documents, spreadsheets, and a shared drive.
  • Your management system will have all the tools underpinning that work, documented and easily followed by the auditor.
  • These activities all get risk assessed (with your risk management tool) to help you then determine which of the Annex A control objectives you need to implement, which without getting too technical at this stage, leads to your Statement of Applicability. Did I already say you need to demonstrate this to an auditor to get certified to ISO 27001?
  • A document set might help if it’s actionable, i.e. you can practically use it, and it is easy to adopt, adapt and add to. It should integrate within that technology solution too.
  • If you rely on the supply chain, you need to show how you control those suppliers and, in particular, their contracts (it’s also a fundamental requirement of GDPR compliance!)
  • The control objectives and requirements expect the description of the approach (e.g. policy on how to address security incidents) and its demonstration (i.e. the security incident tracker with all its incidents, events and weaknesses detail and evidence easily accessible too).

Plan, Do, Check, Act

Recognised approaches to implementing a system include the PDCA (Plan, Do, Check, Act) approach. It was a standard quality management approach but perhaps is a bit passe in its literal form. The 2013/17 version of ISO 27001 facilitated a more agile and dynamic process that supports continuous evaluation and improvement of the management system, so more of a real-time PDCA and mixing up the PDCA order too for a pragmatic agile approach. Organisations commonly have this sort of dynamic approach for their operational security systems, e.g. firewalls, network scanners etc. It is more suitable to the ever-changing modern risk landscape. A well-managed Information Security Management System will be a much more agile, dynamic, and continuously monitored ISMS in the future.

We make achieving ISO 27001 easy

Get a 77% headstart

Get a 77% headstart

Our ISMS comes pre-configured with tools, frameworks and documentation you can Adopt, Adapt or Add to. Simple.  
Your path to success

Your path to success

Our Assured Results Method is designed to get you certified on your first attempt. 100% success rate.  
Watch and learn

Watch and learn

Forget about time consuming and costly training. Our Virtual Coach video series is available 24/7 to guide you through.  

Services like ISMS.online make life much easier and faster to achieve ISO 27001 certification with almost everything you need in one place

1. Plan for ISO 27001 implementation

When adding more context and structure to your ISO 27001 implementation plan, The lead implementer should consider the following aspects:

  • Be clear on the goals, compelling reasons to act and any deadlines you want to hit – as well as the consequences if that drifts.
  • Identify the headline RoI so you can apply the right people and leadership – it will help budget development, too, if that is required.
  • If the team is new to ISO 27001, buy the ISO standards and ISO 27002 guidance, and read it – comparing your current internal environment to what is required for success (a light gap analysis). Many of the requirements, processes, and controls may already be in place and need formalising. You may not need external training or lead auditor implementer programmes – these can be wasteful and negatively affect how you want your Information Security Management System to work as a practical ISMS.
  • Consider pre-configured technology solutions and tools to compare whether that is better than what you have internally already and better use of your valuable resources. Some of these solutions, like ISMS.online, already have all the tools you need and include actionable documentation you can adopt, adapt and add to for a massive head start, and offer virtual coaching and training on achieving certification.
  • Get started…and break all the work down into bite-size chunks and celebrate the power of small wins. Seeing frequent progress towards 100% completeness is infectious, so remember to find a visible, transparent, and collaborative solution to share those little successes!

2. Address the key elements of the ISO 27001 standard

ISO 27001 can be done bottom-up by taking a policy-led approach, simply creating documentation for Annex A controls. However, the more strategic and business-led approach broadly follows the way ISO 27001 is written and logical. We’ve summarised it simply as follows:

  • Look at the issues facing your organisation and understand the needs of interested parties (stakeholders); in particular, identify the information assets as early as possible too (you’ll get more detailed with those later).
  • Set the boundaries and scope of the ISMS.
  • Define your organisation’s security objectives from its ISMS.
  • Put in place the capability for regular implementation reviews, audits, and evaluations to show you are in control and document (briefly) from day 1 of the implementation to share that journey with the auditor and for lessons learned.
  • Identify the risks to those information assets and conduct risk assessments – if short of resources, we recommend you prioritise the higher risk information assets and more significant threats to the CIA based on likelihood and impact.
  • Create a risk treatment plan for each risk. Where appropriate, choose Annex A control objectives and controls to be implemented and address those risks – ideally, link that up so you know your assets, risks, and controls fit together. If you change or review one part, you see the impact on the related parts.
  • Prepare your Statement of Applicability – this catches out many people, but it’s a mandatory requirement and can waste lots of time.

Remember to document everything and show the whole system is working with that regular evaluation.

3. Evaluate your ISO 27001 in accordance with the standard and its readiness to achieve certification

It is crucial to have measurements and reviews in place to ensure your ISMS is meeting its objectives. ISO 27001 includes requirements for planned evaluation to take place in the form of:

  • Management reviews
  • Internal audits
  • External audits – where appropriate, this could be from an ISO 27001 certification body or customers, or consultants

4. Improve your ISMS as necessary and organise the stage 1 audit by the external certification body

The continual improvement process is key to ISO 27001 success and is something that auditors will look to see evidence of this. Security threats and vulnerabilities change rapidly as, in many cases, do organisations growth or goals. A business must demonstrate its commitment to taking corrective actions and making improvements to its ISMS. Implemented correctly, your ISMS will be a business enabler rather than restricting how you want to run your business. If it becomes the ‘ISO 27001 tail’ wagging the ‘business-as-usual dog’, you are doing it all wrong.

Achieve ISO 27001 first time

Download our guide

How Do I Get Certified to ISO/IEC 27001 Standards?

Having implemented your Information Security Management System and conducted the first management reviews of the ISMS, and starting to live the approach in practice, you’ll be well on the path to get certified to ISO 27001.

It is a two-stage process to get certified with the United Kingdom Accreditation Service’s accredited standard:

  • Stage 1 audit – in simple terms, the certification body auditor will want to see the Information Security Management System documentation and that you’ve got the requirements met, at least in theory! It’s more a desktop review of the ISMS with the auditor at this stage, covering the mandatory areas and ensuring that the spirit of the standard is being applied. Forward-thinking certification bodies are starting to do those remotely, which drives down costs and speeds up the process.
  • The outcome from this exercise is a recommendation for Stage 2 audit readiness (perhaps with observations to reassess during the Stage 2 audit) or a need to address any non-conformities identified before further progress can happen.
  • Depending on your status of internal audits, you may be required to complete a full internal audit before stage 2. We suggest you agree on specifics with your auditors as some look for slightly different things – it’s a bit like football rules where referees interpret them differently. Make sure you ask them! A good auditor will want you to succeed and help you understand what they expect to see for a Stage 2 audit.
  • Many organisations fail at Stage 1, and it’s for a common set of reasons that are generally easily addressed with a good Information Security Management System solution (unless your leadership are not engaged, then nothing will help with the ISMS!)
  • Stage 2 audit – This is where the auditors will start to look for the evidence that the documented Information Security Management System is being lived and breathed in practice. If your policies are off the shelf from a dodgy document toolkit and not fit for your practical purpose, this is really where the wheels fall off. Your staff will be engaged, interviewed; the ISO 27001 auditor will assess your scope around the physical location, systems, processes, and procedures. Like most audits, it will be a sample size, and if you can lead the auditor with a joined-up system, they will take great confidence from that.
  • The outcome of this exercise is either a pass or a fail. If you pass, you have that highly valued certificate, fail, and you will have work left to do around non-conformities before you can re-submit for another audit or a specific review of the non-conformity.

Maintaining your ISO-27001 Certification

ISO 27001 Certification is done over a 3-year cycle:

  • Stage 1 and 2 then awards of the certificate
  • Surveillance audit 1 (usually annually or may be more frequent based on scope, risk, and size)
  • Surveillance audit 2
  • Third-year re-certification and more detailed evaluation

It can take 4-6 weeks to book up with an audit body, so bear that lead time in mind, and we recommend finding an auditor well-versed in your sector and size of business. Otherwise, they may be more or less expensive, but crucially if they don’t understand your Information Security Management System challenges from a business perspective, it might be a painful process. Remember, the auditor is generally always right (although you can more easily demonstrate why you have done something and explained your risk appetite, control selection etc., if you have a well managed Information Security Management System.)

ISMS-ISO_27001-2

Build your business case for an ISMS

Download our free white paper

A Typical ISO/IEC 27001 Certification Journey

Another path to achieving ISO 27001 certification success is adopting our Assured Results Methodology (ARM). ARM provides you with a proven path to success, focussing on pragmatism over perfection for implementing your ISMS.

ARM gives you a better starting point when using it with our Virtual Coach, as it uses a hybrid approach rather than a ‘top-down’ or ‘bottom-up’ approach, respectively. This makes ARM the most efficient and effective way to achieve certification.

Mandatory Requirements for ISO 27001 Certification

We’ve incorporated the Corrigendum items in ISMS.online, both responding to the guidance and creating tools to help you with it. They’ll help you fast track your ISO 27001 implementation and reduce the ongoing management time of your Information Security Management System.

Sometimes we get asked about the mandatory requirements that need to be in place before an external ISO 27001 certification audit. This question is raised either because firms want to::

  • Complete the minimum amount of work and treat it like a tick box exercise. When we see this happen, it suggests an organisation has not got leadership buy-in, is unwilling to devote the time to the task, and either needs an external driver (e.g. powerful customer) to focus its efforts or should not bother starting.
  • Prioritise focus on the must-have areas first and evolve the Information Security Management System over time. A sensible approach.

The ISO 27001 Standard is composed of two parts; the main requirements and the Annex A controls.

Everyone must meet the main requirements, which cover 4.1 – 10.2. Included are 18 key activities that drive the broader investment in the Annex A controls. There are also some mandatory controls from Annex A that an auditor will expect to see, too (some want more or less, so be sure to check with your auditor in advance).

It is worth noting that no two organisations are the same; the same will be true for each businesses ISMS. The Annex A controls are only required where there are risks that require their implementation. The below, therefore, should be used as a set of guidelines only.

The Annex A controls are only required where there are risks which require their implementation. The below, therefore, should be used as a set of guidelines only.

Here is an overview of the minimum evidence you need to produce if you want to be compliant with the ISO/IEC 27001 Information Security Management standard and have a chance to get certified:

How Much Does ISO 27001 Certification Cost?

Certification auditing is not the headline cost you need to consider. The highest cost is the time and effort for achieving certification from the people involved in initially building your Information Security Management System and maintaining the ISMS year on year after that. It could have opportunity costs of income loss from senior resources, core competencies distraction for the business and higher costs of consulting if you bring in outside help without a strong technology starting point.

However, certification costs are still worth considering and are based on your organisation’s size, scope, processes, etc. Most certification bodies will give either a quick quote online or a follow-up.

ISO 27001 certification costs should be considered over a 3-year certification cycle:

  • Initial audit and certification audit – stage 1 and 2
  • Surveillance audits for Year 1 & 2
  • Then the cycle continues again, with re-certification every three years.
ISMS-ISO_27001

Audit fees are typically around £1,000 per day (excl Vat), and the number of days needed varies by the size of the organisation and the scope of the management system. For example, a small business with a simple scope (e.g. one product, few processes, one Head Office etc.) might need one day for a Stage 1 audit, two days for a Stage 2 audit, and an additional day per annual surveillance.

It’s also worth looking out for more innovative audit bodies prepared to look at remote stage 1 audits. This is likely to be considered only where the management system is held entirely digital, as it is with ISMS.online. This means it is easier for them as auditors to see the implementation at work. This will save costs on the inevitable travel expenses and time.

Fast-track ISO 27001 Certification Simplified

If your organisation takes information security seriously, you will be looking for a faster, better and easier way to achieve ISO 27001 certification and maintain it!

ISMS.online is the solution. Starting from a position of strength, we’ll give you an advantage, such as actionable policies and controls. We provide you with pre-configured workspaces, a comprehensive set of tools and a variety of tools that will reduce your administrative burden and keep you focused.

You will also have a risk management policy, methodology, tool, and even a risk bank to draw down risks and their standard controls to save you weeks of work. And the dreaded Statement of Applicability? That’s dynamically produced and updated from directly within each control, with links that will lead your auditor right through all the evidence that they will need to see that your ISMS is being managed well.

Add on our unique ISO 27001 standard Virtual Coach for saving your resource time, pointing them in the right direction, and giving them that all-important confidence, capability, and capacity to succeed quickly at every stage. Our Assured Results Method will also assist in delivering the pragmatic approach to implementing your information security system.

*ISO 27001 certification is beneficial for GDPR compliance because there is currently no independent and universally accepted certification for the regulation. Compliance around GDPR is, therefore, subjective. Until recognised and independent certification schemes are implemented, we recommend that organisations comply with the information commissioner’s office checklists for GDPR. Read more about that here.

We make achieving ISO 27001 easy

Get a 77% headstart

Get a 77% headstart

Our ISMS comes pre-configured with tools, frameworks and documentation you can Adopt, Adapt or Add to. Simple.  
Your path to success

Your path to success

Our Assured Results Method is designed to get you certified on your first attempt. 100% success rate.  
Watch and learn

Watch and learn

Forget about time consuming and costly training. Our Virtual Coach video series is available 24/7 to guide you through.  

Frequently asked questions

What is ISO 27001 Certification?

ISO 27001 is an internationally recognised specification for an Information Security Management System, or ISMS. It’s the only auditable standard that deals with the overall management of information security, rather than just which technical controls to implement. Achieving ISO 27001 certification means that you’ve:
  • Created an ISO 27001 compliant information security management system
  • Had it certified by an accredited certification body
  • Are ready to maintain and continually improve it
To achieve certification, you need to choose an accredited certification body with knowledge of your size and type of organisation. They’ll take you through a two stage audit process. Stage 1 looks at your ISMS’ documentation. Stage 2 examines how it works in practice. We’ve helped a wide range of organisations find the right certification body for them. And every organisation that’s followed our Assured Results Method has passed their Stage 1 and 2 audits first time.

What Are the Benefits of ISO 27001 Compliance or Certification?

Being ISO 27001 compliant or certified helps you show your customers and stakeholders that you take information security seriously. They’ll see that they can trust you with their critical information assets. That’ll help you:
  • Give your customers and stakeholders infosec certainty
  • Win new business, enter new markets and grow your organisation
  • Safeguard your organisation’s brand, results and stakeholders
Working through ISO 2700 can also be an excellent way of fine tuning your organisational and supply chain processes. Although it’s an infosec standard, it’s about far more than just IT systems. That’s something we know very well. Our all-in-one, cloud-based platform will help you achieve all the benefits of ISO 27001 compliance or certification. We’ll help you boost your information security while also building the resilience and efficiency of your organisation.

How Long Does ISO 27001 Compliance or Certification Take?

The time you’ll need to achieve ISO 27001 compliance or certification depends on:
  • The size and complexity of your organisation
  • Your infosec resource capability, capacity and availability
Most of that time will go into creating your ISMS. Once it’s up and running, the audit process that will get you compliant or certified is quite speedy. Usually it only takes a month or so. ISO 27001 compliance is open-ended, though you’ll have to run regular internal audits of your organisation to maintain it. Full certification usually lasts for three years. That includes regular internal audits, two annual surveillance audits and a three-year recertification audit. Our all-in-one, cloud-based platform will guide you through all of those audits, so nothing takes you by surprise. We’ll also accelerate your ISMS creation. Clients have achieved an audit-ready ISMS in as little as two weeks of resource time.

Why Choose ISMS.online?

We’re the most practical, easy-to-use, comprehensive path to ISMS success. We offer an all-in-one-place, cloud-based platform that’ll help you achieve all your information security and other compliance goals, with certainty. Everything you need to design, build and implement your certification-ready ISMS will be ready and waiting when you first log in to ISMS.online. It’s a true all-in-one solution. We’ll help you achieve first time certification Our Assured Results Method lays out a clear, practical, tried-and-tested path to first-time ISO 27001 success. It’s also a firm foundation for sustainable recertification. We offer a 77% head start on your ISMS documentation Our built-in tools, templates and actionable documents give you a 77% head start on your certification documentation. And then they’ll guide you through the other 23%. We’re on hand to help whenever you need us Our Virtual Coach offers 24/7 context-specific support. And you can chat with us from within our platform. So you’ll never take the wrong step or lose your way. And that’s just for starters. Visit our Overview page to find out more about how we can help you.

ISMS.online features and capabilities