
ISO 27001 Certification, Simplified

By Mark Sharron | Updated 12 March 2024

Achieving ISO 27001 Certification acts as a business differentiator, affirming to suppliers, stakeholders and clients that your business takes information security management seriously. Here we will explain what it means to be ISO 27001 certified, the benefits, and what might be involved.

ISO 27001 Certification

Certification demonstrates an organisation's commitment to the continual improvement, development and protection of its information assets and sensitive data, by implementing appropriate risk assessments and proportionate policies and controls.

An ISO 27001 certified organisation is advertising to the world that it can be trusted, has implemented an Information Security Management System (ISMS) in line with Clause 4.4 of the standard, and has demonstrated conformity to an external auditor from an independent certification body. In the UK that certification body will itself be accredited by UKAS (the United Kingdom Accreditation Service); note that UKAS accredits certification bodies rather than certifying organisations directly.

ISO 27001 certification is a business differentiator. It demonstrates to other businesses that they can trust your organisation to manage valuable third-party information assets, data and intellectual property, which opens up new opportunities while protecting your business from exposure to risk.

The ISO 27001 standard is the internationally recognised best-practice framework for an ISMS.

ISO 27001 recognition is most valuable for organisations in the United Kingdom when you get certified by a UKAS (United Kingdom Accreditation Service) accredited certification body that will independently audit your organisation and provide you with ISO 27001 certification.

Equivalent national accreditation bodies exist in other countries (for example ANAB in the United States and DAkkS in Germany), and they recognise each other's accredited certificates through the International Accreditation Forum (IAF), so an accredited ISO/IEC 27001 certificate carries weight wherever the organisation operates. ISO 27001 certification is not only about the technical measures you put in place. It is about ensuring that the business controls and management processes you have in place are adequate and proportionate to the information security threats and opportunities you have identified and evaluated in your risk assessment, all driven by a business-led approach to information security management.


ISO 27001 Certification vs Compliance

Organisations new to information security management systems often ask about the difference between ISO 27001 certification and ISO 27001 compliance.

In simple terms, compliance means that the organisation follows the ISO 27001 standard (or parts of it), on its own say-so. Certification means that the organisation's ISMS has been independently audited against the standard and certified as conforming by an accredited certification body.


Why do you need ISO 27001 certification?

ISO 27001 certification applies to any organisation that wishes or is required to formalise and improve business processes around information security, privacy and securing its information assets.

The size or turnover of a business does not dictate whether it needs ISO 27001; even the smallest company may have influential customers or other stakeholders, such as investors, who look for the intrinsic assurance that UKAS-accredited ISO 27001 certification offers.

As a result of ISO 27001 certification, your organisation can demonstrate that its people, processes, tools and systems adhere to a recognised framework. Imagine a world of financial reporting or health and safety without standards. Information security is a little behind those areas from a certification and independent audit perspective. Still, with the pace of change accelerating for almost everything, more innovative organisations are getting ahead internally and, in particular, with their supply chain. So you can look at ISO 27001 certification through two lenses:

Confidence in your suppliers

As a customer, you need confidence that your suppliers are certified, to help mitigate your business risks and exploit opportunities, e.g. more consistent, higher standards and a lower total cost and risk for the work you take from them.

Building trust in your business

Your customers are getting smarter; they, like you, need to know that the supply chain is adequately protected. Influential customers are simply mandating ISO 27001 certification and pushing the risk management process down the supply chain. There are other spin-off benefits too, quite apart from the extra business you will win by being certified to ISO 27001 versus laggards who are not. For example, well-informed staff want to work for trusted brands. As insurers catch up with better working practices, it should also mean lower premiums for organisations with an independently certified Information Security Management System.


The benefits of ISO 27001 Certification

For all stakeholders, the key message is trust and assurance gained from externally audited information security management. ISO 27001 Certification offers multiple benefits – for example:

Benefits to you

  • Protect IP, brand & reputation
  • Win more business from new & existing customers
  • Reduce the cost of sale
  • Retain more business
  • Improved processes leading to cost & time savings
  • Avoid fines from regulatory non-compliance (such as GDPR)
  • Avoid civil suits resulting from a data breach
  • Avoid costs of remedial action resulting from incidents and/or breaches
  • Attract better staff

Benefits to your staff

  • Trust in the organisation’s sustainability
  • Training for work (and home security)
  • Clarity through policies & procedures
  • Pride in the organisation and their role in protecting it

Benefits to your customers

  • Trust and assurance in you and your supply chain
  • Less likelihood of a costly breach
  • Reduced cost of supplier onboarding

Doing nothing is probably not an option if you access and manage valuable information assets owned by others. For some organisations, their whole business is built on developing or managing information assets.

So, in that case, losing some or all of that business or not winning more in future probably means it’s worth investing in becoming certified to ISO 27001, especially if customers or other stakeholders like investors perceive a risk.

Achieving ISO 27001 certification is not as complicated or expensive as it used to be, thanks to solutions like ISMS.online. Yet, despite the strategic and financial benefits, some leaders still consider it a ‘grudge’ purchase and another bureaucratic tick-box exercise. Achieving certification does mean a time and cost investment; like most strategic investments, it is worth weighing the return and the broader benefits.


What's involved in ISO 27001 Implementation?

To implement ISO 27001 you need to develop a ‘management system’, made up of people, processes and technology.

For the people part, you need leadership to guide the implementation so that it meets the business goals and cultural norms, to hold regular reviews, and to show the organisation is taking it seriously. Auditors will want to see ‘the spirit of ISO 27001’ applied at this senior level as well as the documents, so a director walking into an audit and pretending to understand the ISMS is a recipe for disaster.

You will also need people who understand your business and have the capability, capacity and confidence to address the requirements. The size of the ‘people’ investment is largely determined by the technology you use to implement and maintain the ISMS.

For example, you’ll need:

  • A digital or paper-based solution for describing how you meet the core requirements of ISO 27001 (Clauses 4 to 10) and how that is managed over time (you are audited at least annually – see further below).
  • A similar environment to document and manage the Annex A controls and policies you develop, and to make them available to the people they apply to, with evidence that those people are aware of them and engaged (remember, they might be staff and suppliers). Don’t just write controls and policies for the sake of it: they should all be based on the issues facing your organisation, the expectations of interested parties, your scope and boundaries (e.g. products, locations) and the information assets you want to protect. You have to ‘show your working’ here too and document all of that. It gets hard to do well, and to maintain over time, with just Word documents, spreadsheets and a shared drive.
  • The tools underpinning that work, documented and easy for the auditor to follow. The assets and issues get risk assessed (with your risk management tool), which determines which Annex A controls you need to implement and, without getting too technical at this stage, leads to your Statement of Applicability. All of this has to be demonstrated to an auditor to get certified to ISO 27001.
  • A document set helps if it is actionable, i.e. you can practically use it and it is easy to adopt, adapt and add to. It should integrate with that technology solution too.
  • If you rely on a supply chain, you need to show how you control those suppliers and, in particular, their contracts (also a fundamental requirement of GDPR compliance, under Article 28).
  • The requirements and controls expect both a description of the approach (e.g. a policy on how to address security incidents) and its demonstration (e.g. the security incident tracker with all its incidents, events and weaknesses, with evidence easily accessible).

Recognised approaches to implementing a management system include PDCA (Plan, Do, Check, Act). It was a standard quality management approach but is perhaps a bit passé in its literal, sequential form.

The 2013 version of ISO 27001 (adopted in the UK and EU as the 2017 edition, and carried forward in ISO 27001:2022) dropped the explicit PDCA structure in favour of a more agile and dynamic process that supports continuous evaluation and improvement of the management system: more of a real-time PDCA, with the order mixed up where a pragmatic, agile approach needs it. Organisations commonly already run their operational security systems this way, e.g. firewalls and network scanners, and it suits the ever-changing modern risk landscape. A well-managed ISMS will be a much more agile, dynamic and continuously monitored ISMS in future.

1. Plan for ISO 27001 implementation

When adding more context and structure to your ISO 27001 implementation plan, the lead implementer should consider the following aspects:

  • Be clear on the goals, compelling reasons to act and any deadlines you want to hit – as well as the consequences if that drifts.
  • Identify the headline RoI so you can apply the right people and leadership – it will help budget development, too, if that is required.
  • If the team is new to ISO 27001, buy the ISO 27001 standard and the ISO 27002 guidance and read them, comparing your current internal environment to what is required for success (a light gap analysis). Many of the requirements, processes and controls may already be in place and only need formalising. You may not need external training or lead auditor/lead implementer programmes; these can be wasteful and can skew how you want your ISMS to work in practice.
  • Consider pre-configured technology solutions and tools to compare whether that is better than what you have internally already and better use of your valuable resources. Some of these solutions, like ISMS.online, already have all the tools you need and include actionable documentation you can adopt, adapt and add to for a massive head start, and offer virtual coaching and training on achieving certification.
  • Get started… and break all the work down into bite-size chunks and celebrate the power of small wins. Seeing frequent progress towards 100% completeness is infectious, so remember to find a visible, transparent, and collaborative solution to share those little successes!

2. Address the key elements of the ISO 27001 standard

ISO 27001 can be done bottom-up with a policy-led approach, simply creating documentation for the Annex A controls. However, the more strategic and business-led approach broadly follows the order in which ISO 27001 is written, which is the logical one. We have summarised it as follows:

  • Look at the issues facing your organisation and understand the needs of interested parties (stakeholders); in particular, identify the information assets as early as possible too (you’ll get more detailed with those later).
  • Set the boundaries and scope of the ISMS.
  • Define your organisation’s security objectives from its ISMS.
  • Put in place the capability for regular implementation reviews, audits, and evaluations to show you are in control and document (briefly) from day 1 of the implementation to share that journey with the auditor and for lessons learned.
  • Identify the risks to those information assets and conduct risk assessments. If short of resources, prioritise the higher-risk information assets and the more significant threats to confidentiality, integrity and availability (CIA), based on likelihood and impact.
  • Create a risk treatment plan covering each risk. Where appropriate, choose Annex A controls to implement and address those risks. Ideally, link it all up so you know how your assets, risks and controls fit together: if you change or review one part, you see the impact on the related parts.
  • Prepare your Statement of Applicability (SoA), which lists every Annex A control with whether it applies and why, including the justification for any you exclude. This catches out many people, but it is a mandatory requirement (Clause 6.1.3) and can waste a lot of time if the links above are not in place.

Remember to document everything and show the whole system is working with that regular evaluation.
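The steps above (assets, risks scored by likelihood and impact, a treatment linked to Annex A controls, and the Statement of Applicability derived from those links) can be modelled as one joined-up register. The following is an added example written for this page; it is not code from ISMS.online or from the standard. The assets, risks, the 5x5 scoring scale, the threshold of 10 and the GDPR obligation are constructed sample data; only the control numbers and titles are taken from ISO/IEC 27001:2022 Annex A.

```python
"""Added example (not from the page or from ISMS.online): a small, linked risk
register that scores risks, prioritises them, derives a Statement of
Applicability (SoA) from the chosen treatments, and shows which risks a
control change would affect.

Assumptions: the assets, risks, 5x5 likelihood x impact scale, threshold and
treatment choices are constructed sample data; the control identifiers and
titles follow ISO/IEC 27001:2022 Annex A.
"""
from dataclasses import dataclass, field

# A subset of ISO/IEC 27001:2022 Annex A, keyed by control number.
ANNEX_A = {
    "5.19": "Information security in supplier relationships",
    "5.20": "Addressing information security within supplier agreements",
    "5.24": "Information security incident management planning and preparation",
    "6.3":  "Information security awareness, education and training",
    "7.2":  "Physical entry",
    "8.5":  "Secure authentication",
    "8.7":  "Protection against malware",
    "8.13": "Information backup",
}

@dataclass
class Risk:
    rid: str
    asset: str            # information asset the risk applies to
    threat: str
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (severe) across C, I and A
    treatment: str        # mitigate | accept | transfer | avoid
    controls: list = field(default_factory=list)  # Annex A ids used to treat it

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def validate(risks):
    """Catch the gaps an auditor would find: scores out of range, a risk
    marked 'mitigate' with no control, or a control that is not in Annex A."""
    problems = []
    for r in risks:
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            problems.append(f"{r.rid}: likelihood/impact outside 1..5")
        if r.treatment == "mitigate" and not r.controls:
            problems.append(f"{r.rid}: 'mitigate' chosen but no control selected")
        for c in r.controls:
            if c not in ANNEX_A:
                problems.append(f"{r.rid}: unknown control {c}")
    return problems

def prioritise(risks, threshold=10):
    """Risks at or above the threshold, highest score first (ties by id)."""
    hot = [r for r in risks if r.score >= threshold]
    return sorted(hot, key=lambda r: (-r.score, r.rid))

def statement_of_applicability(risks, required_by=None):
    """Every catalogued Annex A control with its applicability and a
    justification traceable to a risk or to an external obligation.
    `required_by` maps control id -> reason (e.g. a contractual or legal
    clause that makes a control mandatory regardless of risk score)."""
    required_by = required_by or {}
    soa = {}
    for cid, title in ANNEX_A.items():
        treating = sorted(r.rid for r in risks if cid in r.controls)
        reasons = []
        if treating:
            reasons.append("treats " + ", ".join(treating))
        if cid in required_by:
            reasons.append("required by " + required_by[cid])
        soa[cid] = {
            "title": title,
            "applicable": bool(reasons),
            "justification": "; ".join(reasons)
            or "no identified risk or obligation requires it (record why)",
        }
    return soa

def risks_affected_by(control_id, risks):
    """Which risks would lose treatment if this control changed or was
    dropped: the 'change one part, see the impact on related parts' link."""
    return sorted(r.rid for r in risks if control_id in r.controls)

# Constructed sample register for a small SaaS company (assumption).
REGISTER = [
    Risk("R1", "customer database", "credential stuffing against admin login",
         4, 5, "mitigate", ["8.5", "6.3"]),
    Risk("R2", "customer database", "ransomware on the production hosts",
         3, 5, "mitigate", ["8.7", "8.13", "5.24"]),
    Risk("R3", "source code", "outsourced developer leaks repository",
         2, 4, "mitigate", ["5.19", "5.20"]),
    Risk("R4", "office visitor log", "tailgating into reception",
         2, 2, "accept"),
]
LEGAL = {"5.20": "GDPR Article 28 processor contract terms"}

if __name__ == "__main__":
    assert not validate(REGISTER)
    for r in prioritise(REGISTER):
        print(f"{r.rid} score={r.score:2d} {r.threat}")
    for cid, row in statement_of_applicability(REGISTER, LEGAL).items():
        flag = "A" if row["applicable"] else "-"
        print(f"{flag} {cid:5} {row['title'][:45]:45} {row['justification']}")
    print("dropping 8.13 would expose:", risks_affected_by("8.13", REGISTER))
```

Running it lists R1 and R2 as the risks above the threshold, marks 7.2 as not applicable with a prompt to record the reason, and shows 5.20 justified both by risk R3 and by the GDPR obligation, which is the kind of traceable justification the SoA needs. The `validate` check is what stops a ‘mitigate’ decision with no control behind it reaching the auditor.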

3. Evaluate your ISMS against the standard and its readiness for certification

It is crucial to have measurements and reviews in place to ensure your ISMS is meeting its objectives. ISO 27001 includes requirements for planned evaluation to take place in the form of:

  • Management reviews
  • Internal audits
  • External audits – where appropriate, this could be from an ISO 27001 certification body or customers, or consultants

4. Improve your ISMS as necessary and organise the stage 1 audit by the external certification body

The continual improvement process is key to ISO 27001 success, and auditors will look for evidence of it.

Security threats and vulnerabilities change rapidly, as in many cases do an organisation's growth and goals. A business must demonstrate its commitment to taking corrective actions and making improvements to its ISMS. Implemented correctly, your ISMS will be a business enabler rather than a restriction on how you want to run your business.


How do I get ISO 27001 certified?

Having implemented your Information Security Management System and conducted the first management reviews of the ISMS, and starting to live the approach in practice, you’ll be well on the path to get certified to ISO 27001.

Certification by an accredited certification body is a two-stage audit process:

Stage 1 Audit

In simple terms, the certification body auditor will want to see the Information Security Management System documentation and that you’ve got the requirements met, at least in theory! It’s more a desktop review of the ISMS with the auditor at this stage, covering the mandatory areas and ensuring that the spirit of the standard is being applied. Forward-thinking certification bodies are starting to do those remotely, which drives down costs and speeds up the process.

The outcome from this exercise is a recommendation for Stage 2 audit readiness (perhaps with observations to reassess during the Stage 2 audit) or a need to address any non-conformities identified before further progress can happen.

Depending on your status of internal audits, you may be required to complete a full internal audit before stage 2. We suggest you agree on specifics with your auditors as some look for slightly different things – it’s a bit like football rules where referees interpret them differently. Make sure you ask them! A good auditor will want you to succeed and help you understand what they expect to see for a Stage 2 audit.

Many organisations fail at Stage 1, and it’s for a common set of reasons that are generally easily addressed with a good Information Security Management System solution (unless your leadership are not engaged, then nothing will help with the ISMS!)

Stage 2 Audit

This is where the auditors look for evidence that the documented Information Security Management System is being lived and breathed in practice. Your staff will be engaged and interviewed; the auditor will assess your scope across physical locations, systems, processes and procedures. Like most audits it is sample-based, and if you can lead the auditor through a joined-up system they will take great confidence from that.

The outcome is either a recommendation for certification or a need for further work. If you pass, you have that highly valued certificate. If not, you will have work to do on the non-conformities before you can resubmit for another audit or a specific review of the non-conformity. Typically a major non-conformity (for example, a mandatory requirement with no evidence of implementation) must be closed and verified before a certificate is issued, whereas a minor one can usually be accepted with an agreed corrective action plan and checked at the next surveillance visit.


How much does ISO 27001 certification cost?

Certification auditing is not the headline cost you need to consider. The largest cost is the time and effort of the people involved in initially building your Information Security Management System and then maintaining the ISMS year on year.

There are also opportunity costs: lost income from senior resources, distraction from the business's core competencies, and higher consulting costs if you bring in outside help without a strong technology starting point.

However, certification costs are still worth considering and are based on your organisation’s size, scope, processes, etc. Most certification bodies will give either a quick quote online or a follow-up.

ISO 27001 certification costs should be considered over a 3-year certification cycle:

  • Initial certification audit (Stages 1 and 2)
  • Surveillance audits in Years 1 and 2
  • Re-certification in Year 3, after which the cycle starts again

Audit fees are typically around £1,000 per day (excl. VAT), and the number of days needed varies with the size of the organisation and the scope of the management system. For example, a small business with a simple scope (e.g. one product, few processes, one head office) might need one day for the Stage 1 audit, two days for the Stage 2 audit, and an additional day for each annual surveillance visit: around £5,000 of audit fees over the first cycle at that day rate, before the re-certification audit.

It is also worth looking out for more innovative audit bodies prepared to carry out Stage 1 audits remotely. This is likely to be considered only where the management system is held entirely digitally, as it is with ISMS.online, because that makes it easier for the auditor to see the implementation at work. It saves the inevitable travel expenses and time.


Maintaining your ISO 27001 certification

ISO 27001 Certification is done over a 3-year cycle:

  • Stage 1 and Stage 2 audits, then award of the certificate
  • Surveillance audit 1 (usually annually or may be more frequent based on scope, risk, and size)
  • Surveillance audit 2
  • Third-year re-certification and more detailed evaluation

It can take four to six weeks to book an audit body, so bear that lead time in mind, and we recommend finding an auditor well-versed in your sector and size of business. Others may be cheaper or more expensive, but crucially, if they do not understand your ISMS challenges from a business perspective, it can be a painful process. Remember that the auditor generally has the final say, although with a well-managed ISMS you can far more easily demonstrate why you have done something and explain your risk appetite, control selection and so on.

