ISO 27001 Certification: What is it, why you need it and what's involved
ISO 27001 is especially useful because there is currently no independent and universally accepted GDPR certification scheme. Certification also demonstrates to your external stakeholders that you take information security seriously and can be trusted with their information assets as well as your own.
What is ISO 27001 Certification?
ISO 27001:2013 is the internationally recognised best practice framework for an Information Security Management System (ISMS).
For organisations in the UK, ISO 27001 recognition is at its most valuable when certified by a UKAS accredited certification body who will independently audit your organisation and provide you with ISO 27001 certification. Other organisations comparable to UKAS exist internationally too which helps maintain the standard wherever an organisation is being certified.
ISO 27001 is not only about what technical measures you put in place. It’s about ensuring the business controls and management processes you have in place are adequate and proportionate for the information security threats and opportunities you have identified and evaluated in your risk assessment. And that should all be done with a business-led approach to information security.
An explicit confidentiality, integrity and availability (CIA) approach to risk also meets the requirements of the General Data Protection Regulation (GDPR), whose Article 32 on ‘Security of processing’ refers to exactly these properties, and of the UK Data Protection Act 2018 which implements it. That is one of the reasons many organisations look to ISO 27001 certification to help demonstrate some of the GDPR requirements at the same time.
ISO 27001 is the only internationally recognised and trusted information security management standard that can be independently certified and covers people, process and technology. It also addresses many of the requirements of other regulations and frameworks, such as GDPR, the Network and Information Systems (NIS) Regulations 2018, and the NHS Data Security and Protection (DSP) Toolkit (which grants exemptions to organisations holding a UKAS-accredited ISO 27001 certificate). Other frameworks such as the NIST Cybersecurity Framework and PCI DSS, to name just two, also map closely to many of the requirements and Annex A controls of ISO 27001, which is why it is a good basis for an overarching approach to an ISMS.
ISO 27001 Compliance vs Certification
Is a certificate worth the paper it’s written on?
Organisations that are new to information security management systems often ask about the difference between compliance and certification, especially when following recognised standards like ISO 27001:2013/17.
In simple terms, compliance might mean that the organisation is following the ISO 27001 standard (or parts of it.)
Trust, however, is low nowadays, so switched-on stakeholders don’t automatically accept a claim of compliance. They want to see a certificate!
However, not all certificates are the same. A consultant, software service provider or your own information security officer could neatly present their own certificate! Some consultants and software providers still do this today, simply certifying their own work, but it’s really not worth the paper it is written on. Customers that understand this subject will want to see some form of independent certification.
The most recognised and accepted independent certificates are issued by UKAS-accredited certification bodies (and their equivalents internationally). These are organisations that UKAS has assessed as competent to deliver an independent external audit to an agreed standard, and they are authorised to issue ISO certificates that can be trusted.
Why You Need ISO 27001 Certification
ISO 27001 applies to any organisation that wishes, or is required, to formalise and improve its business processes around securing its information assets.
This is not dictated by the size or turnover of an organisation as even the smallest of organisations may have powerful customers or other stakeholders, such as investors, who look for the assurances a UKAS ISO 27001 certification will offer.
It really is about trust and demonstrating that your organisation has put in place the people, processes, tools and systems to a recognised standard. Imagine financial reporting or health and safety without standards. Information security is a bit behind those areas from a certification and independent audit perspective, but with the pace of change accelerating for almost everything, smarter organisations are getting ahead, internally and in particular with their supply chain too. So you can look at certification through two lenses:
1 – as a customer, you’d want the confidence that your relevant suppliers are certified, not least to help mitigate your business risks, but also to exploit the opportunities, e.g. more consistent, higher standards along with lower total cost and risk in the work you receive from them.
2 – your customers are getting smarter; like you, they need to know that the supply chain is adequately protected. Powerful customers are simply mandating ISO 27001 certification now and transferring all the risk they can down the supply chain. There are other spin-off benefits too, beyond the extra business you’ll win from being certified versus laggards who are not. For example, well-informed staff will want to work for trusted brands, and as insurers catch up with better ways of working it should also mean lower premiums for organisations with an independently certified ISO 27001 ISMS.
What are the benefits of ISO 27001 certification?
For all stakeholders, the key message is one of trust and assurance gained from an externally audited information security management system. This offers multiple benefits – for example:
Benefits to your customers
- Trust and assurance in you and your
- Less likelihood of a costly breach
- Reduced cost of supplier onboarding
Benefits to you
- Protect IP, brand & reputation
- Win more business from new & existing customers
- Reduce cost of sale
- Retain more business
- Improved processes leading to cost & time savings
- Avoid fines from regulatory non-compliance (such as GDPR)
- Avoid civil suits resulting from a data breach
- Avoid costs of remedial action resulting from incidents and/or breaches
- Attract better staff
Benefits to your staff
- Trust in the organisation’s sustainability
- Training for work (and home security)
- Clarity through policies & procedures
- Pride in the organisation and their role in protecting it
ISO 27001 Certification: Is it worth it?
Doing nothing is probably not an option if you are accessing and managing valuable information assets owned by others. For some organisations their whole business is built on developing or managing information assets. So in that case, losing some or all of that business, or not winning more in future probably means it’s worth investing in certification, especially if customers or other stakeholders like investors perceive a risk.
Achieving ISO 27001 certification is not as hard or as expensive as it used to be because of innovative solutions like ISMS.online. And, despite many of the strategic and financial benefits, some leaders still consider it a ‘grudge’ purchase and another bureaucratic tick box exercise. Whilst ISO 27001 certification traditionally represents a time and cost, like most strategic investments it is worth considering the return and broader benefits.
The return on investment (ROI) from an ISMS can be more fully explored in a recently published whitepaper, by Alliantist CEO Mark Darby, on Planning the business case for an ISMS
The whitepaper further explores the opportunities and threats, benefits and consequences, and also offers a range of tools and exercises to help:
- consider the RoI
- discover how to manage your ISMS in the future
Ready to fast-track your implementation using ISMS.online?
What is Involved in an ISO 27001 Implementation?
There is a lot to an ISO 27001 implementation if you are starting from zero. In fact, to have a chance of receiving that coveted certification, there are about 136 activities to consider when planning the implementation, developing the core requirements and addressing all the Annex A control objectives. Some activities might take a few minutes, others might take weeks or months depending on your starting point and goals.
There are options on how to achieve certification but whatever you do, we strongly suggest you purchase the standards from ISO for both ISO 27001:2013/17 and the Annex A controls guidance for ISO 27002 which gives more insight into the large number of controls you need to consider.
Going out and simply buying an ISO 27001 document set from a provider is also not going to help much and could waste money, confuse staff and delay your ability to run the business the way you want to, securely. Independent auditors from a certification body would quickly halt a Stage 1 audit if that is all you had done, so you’d also put yourself on the back foot with the auditor thereafter and need to redo the Stage 1 audit.
You need to develop a ‘management system’, which is generally made up of people, processes and technology.
For the people part you need leadership to guide the implementation to meet the business goals, cultural norms, regular reviews and show the organisation is taking it seriously. Auditors will want to see ‘the spirit of the standard’ being applied as well as the documents at this senior level, so a director waltzing into an audit and pretending to understand the ISMS is also a recipe for disaster.
You’ll also need people who understand your business with the capability, capacity and confidence to address the requirements. The people investment is very much also determined by the technology used to implement and maintain the ISMS too. For example, you’ll need:
- A digital or paper-based solution to describe and demonstrate how you meet the core requirements of ISO 27001 and can show how that is managed as changes happen over time (you get audited at least annually too – see further below).
- A similar environment to document and manage all the Annex A controls and policies that are developed – then ensure they are made available to the people they apply to, and that you can prove those people are aware of them and engaged (remember these people might be staff and suppliers). Don’t just write controls and policies for the sake of it either. They should all be based on the issues facing your organisation, your interested parties’ expectations, your scope and boundaries (e.g. products, locations etc.) and the assets you want to protect. You have to ‘show your working’ here too and document all of that. It gets hard to do that well and maintain it over time with just Word documents, spreadsheets and a shared drive.
- These activities all get risk assessed (with your risk tool) to help you determine which of the Annex A control objectives you need to implement, which, without getting too technical at this stage, leads to your Statement of Applicability. Did I already say you need to demonstrate this to an auditor to get certified?!
- Your management system will have all the tools underpinning that work, documented and easily followed by the auditor.
- A document set might be of help if it’s actionable i.e. you can practically use it and it is easy to adopt, adapt and add to. It should integrate within that technology solution too.
- If you rely on the supply chain, then you need to show how you are in control of those suppliers and in particular their contracts (it’s also a key requirement of GDPR!).
- The control objectives and requirements expect the description of the approach (e.g. a policy on how to address security incidents) and its demonstration (i.e. the security incident tracker with all its incidents, events and weaknesses detail and evidence easily accessible too).
Recognised approaches to implementing a system include the PDCA (Plan, Do, Check, Act) cycle. It is a standard quality management approach, but perhaps a bit passé in its literal, sequential form.
The 2013/17 version of ISO 27001 allows a more agile and dynamic approach that supports continual evaluation and improvement of the management system: more of a real-time PDCA, with the order of the steps mixed up where that is pragmatic.
Organisations commonly already run this sort of dynamic, real-time approach for their operational security systems, e.g. firewalls, network scanners etc. It is more suitable to the ever-changing modern risk landscape, and a well-managed ISMS will be much more agile, dynamic and continuously monitored.
Services like ISMS.online make life much easier and faster to achieve certification with almost everything you need in one place.
The only other things you need are:
- some leadership time to align the implementation to the business objectives, and to maintain it thereafter;
- people that understand how you work and can define that in policies, controls and processes to meet the standard; and
- a certification body that understands your organisation’s sector, size and way of working.
1. Plan for ISO 27001
Adding more context and structure to your implementation plan, the following aspects should be considered:
- Be clear on the goals, the compelling reasons to act and any deadlines you want to hit – as well as the consequences if that drifts.
- Identify the headline RoI so you can apply the right people and leadership – it will also help budget development if that is required.
- If the team are new to ISO 27001, buy the standards and guidance, and read them – comparing your current internal environment to what is required for success (a light gap analysis). Many of the requirements, processes and controls may already be in place and simply need formalising. You may not need external training or lead auditor or lead implementer programmes – these can be wasteful and negatively affect how you want your ISMS to work.
- Consider preconfigured technology solutions and tools to compare whether they are better than what you have internally already and a better use of your valuable resources. Some of these solutions, like ISMS.online, already have all the tools you need and include actionable documentation you can adopt, adapt and add to for a massive head start, and offer virtual coaching and training on how to achieve certification too.
- Get started, and break all the work down into bite-size chunks and celebrate the power of small wins. Seeing frequent progress towards 100% completeness is infectious, so remember to find a solution that is visible, transparent and collaborative to share those little successes!
2. Address the key elements of ISO 27001
- Look at the issues facing your organisation and understand the needs of interested parties (stakeholders), in particular, identify the information assets as early as possible too (you’ll get more detailed with those later).
- Set the boundaries and scope of the ISMS.
- Define your organisation’s security objectives from its ISMS.
- Put in place the capability for regular implementation reviews, audits, and evaluations to show you are in control and document (briefly) from day 1 of the implementation to share that journey with the auditor and for lessons learned too.
- Identify the risks to those assets and conduct risk assessments – if short of resources we recommend you prioritise around the higher-risk assets and bigger threats to confidentiality, integrity and availability, scored on likelihood and impact.
- Create a risk treatment plan for each risk and where appropriate choose Annex A control objectives and controls that are to be implemented to help address those risks – ideally link that up so you know your assets, risks, and controls fit together and that if you change or review one part you see the impact on the related parts.
- Prepare your Statement of Applicability – this catches out a lot of people, but it’s a mandatory requirement and can waste lots of time if left until the end.
Remember to document everything and show the whole system is working with that regular evaluation.
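As an added example (not part of this page or of ISMS.online’s product), here is a small Python script that carries the steps above through end to end: score each risk by likelihood and impact, prioritise those above an assumed risk appetite, flag high risks that have no treatment, and derive a Statement of Applicability in which every Annex A control is marked applicable only where a recorded risk justifies it. The assets, threats, scores and risk appetite are constructed sample data; the Annex A references and titles are those of ISO/IEC 27001:2013.

```python
"""Risk register to Statement of Applicability (SoA): an added example.

Written for this article to illustrate the clause 6.1.2 / 6.1.3 chain
(assess, treat, record applicability); it is not ISMS.online code and
not part of the standard. All assets, threats, scores and the risk
appetite are constructed sample data. The Annex A references and titles
are from ISO/IEC 27001:2013.
"""
from dataclasses import dataclass, field

# Constructed subset of Annex A; a real SoA lists every control.
ANNEX_A = {
    "A.8.1.1": "Inventory of assets",
    "A.9.1.1": "Access control policy",
    "A.11.1.5": "Working in secure areas",
    "A.12.3.1": "Information backup",
    "A.12.4.1": "Event logging",
    "A.13.2.1": "Information transfer policies and procedures",
    "A.15.1.1": "Information security policy for supplier relationships",
    "A.17.1.2": "Implementing information security continuity",
}

# Assumption: any risk scoring above this must be treated (risk appetite).
RISK_APPETITE = 8


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                  # 1 (rare) .. 5 (almost certain)
    impact: int                      # 1 (negligible) .. 5 (severe) to CIA
    controls: list = field(default_factory=list)  # Annex A refs chosen to treat it

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def prioritise(risks):
    """Risks above appetite, highest score first: where scarce effort goes."""
    over = [r for r in risks if r.score > RISK_APPETITE]
    return sorted(over, key=lambda r: r.score, reverse=True)


def untreated(risks):
    """Risks above appetite with no control selected: gaps an auditor will find."""
    return [r for r in prioritise(risks) if not r.controls]


def unknown_controls(risks):
    """Control references used in the register that do not exist in Annex A."""
    used = {ref for r in risks for ref in r.controls}
    return sorted(used - set(ANNEX_A))


def statement_of_applicability(risks):
    """Every Annex A control, applicable only where a risk justifies it."""
    soa = {}
    for ref, title in ANNEX_A.items():
        justified_by = [f"{r.asset}: {r.threat}" for r in risks if ref in r.controls]
        soa[ref] = {
            "title": title,
            "applicable": bool(justified_by),
            "justification": "; ".join(justified_by)
            or "excluded: no identified risk requires this control",
        }
    return soa


# Constructed sample register.
SAMPLE_RISKS = [
    Risk("Customer database", "access by leaver whose account was not revoked",
         3, 5, ["A.9.1.1", "A.12.4.1"]),
    Risk("Customer database", "ransomware renders data unavailable",
         3, 4, ["A.12.3.1", "A.17.1.2"]),
    Risk("Source code", "disclosure by an outsourced developer",
         2, 4, ["A.15.1.1"]),
    Risk("Staff laptops", "theft from the office", 2, 2),
    Risk("Payroll spreadsheet", "emailed to the wrong recipient", 4, 3),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_RISKS):
        print(f"{r.score:>2}  {r.asset}: {r.threat} -> {r.controls or 'UNTREATED'}")
    for ref, row in statement_of_applicability(SAMPLE_RISKS).items():
        flag = "applicable" if row["applicable"] else "not applicable"
        print(f"{ref:<9} {row['title']:<55} {flag:<15} {row['justification']}")
```

Running it prints the prioritised register (the payroll spreadsheet risk shows as untreated despite scoring above appetite) and an SoA in which controls such as A.8.1.1 are recorded as excluded with a reason rather than silently omitted. That traceability from asset to risk to control is what the bullet above means by linking it all up, and it is what makes the SoA defensible in front of an auditor.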
3. Evaluate your ISMS
Internal evaluation – monitoring and measurement, internal audits and management reviews (clause 9). These are mandatory, and the auditor will want to see results, not just a plan.
External audits – where appropriate this could be from an ISO 27001 certification body, customers or consultants.
4. Improve your ISMS
It is critical that you can demonstrate your commitment to taking corrective actions and making improvements to your ISMS.
Done properly, your ISMS will be a business enabler rather than restricting the way you want to run your business. If it becomes the ‘ISO 27001 tail’ wagging the ‘business-as-usual’ dog you are doing it all wrong.
How to Get Certified to ISO/IEC 27001
Having implemented your ISMS and conducted the first management reviews, and starting to live the approach in practice, you’ll be well on the path to get certified.
Initial certification by a UKAS-accredited certification body is a two-stage process:
- Stage 1 audit – in simple terms the certification body auditor will want to see the ISMS documentation and that you’ve got the requirements met, at least in theory! It’s more of a desktop review with the auditor at this stage, covering the mandatory areas and ensuring that the spirit of the standard is being applied. Forward-thinking certification bodies are starting to do those remotely which drives down cost and can speed up the process too.
- The outcome from this exercise is a recommendation for Stage 2 audit readiness (perhaps with observations to reassess during the Stage 2 audit) or a need to address any non-conformities identified before further progress can happen.
Many organisations fail at Stage 1 and it’s for a very common set of reasons that are generally easily addressed with a good ISMS solution (unless your leadership really is not engaged then nothing will help!)
Depending on your status of internal audits, you may be required to complete a full internal audit before a stage 2 as well, but we suggest you agree that with your auditors as some look for slightly different things – it’s a bit like football rules where there are laid down rules, but referees interpret them differently. A good auditor will want you to succeed and should help you understand what they expect to see for a Stage 2 audit session. Make sure you ask them!
- Stage 2 audit – This is where the auditors will start to look for the evidence that the documented ISMS is being lived and breathed in practice. If your policies are off the shelf from a dodgy document toolkit and not fit for your practical purpose this is really where the wheels fall off. Your staff will be engaged, interviewed, your scope will be assessed around the physical location, systems, processes, and procedures. Like most audits, it will be a sample size and if you are able to lead the auditor with a joined-up system they will take great confidence from that.
The outcome from this exercise is either a pass or fail. Pass and you have that highly valued certificate, fail and you will have work left to do around non-conformities before you can re-submit for another audit or a specific review of the nonconformity.
Certification is done over a 3-year cycle so it generally operates as follows:
- Stage 1 and 2 then award of certificate
- Surveillance audit 1 (usually annually or may be more frequent based on scope, risk, and size)
- Surveillance audit 2
- Third-year recertification and more detailed evaluation
It can take 4-6 weeks to book a certification body, so bear that lead time in mind, and we recommend finding an auditor that is well versed in your sector and size of business. Otherwise they may be more or less expensive, but crucially, if they don’t understand your ISMS challenges from a business perspective it might be a painful process. Remember, the auditor has the final say (although with a well-managed ISMS you can far more easily demonstrate why you have done something, your risk appetite, your control selection and so on).
Mandatory Requirements for Certification
Sometimes we get asked about the mandatory requirements that need to be in place before an external ISO 27001 certification audit should take place. This question is raised either because firms want to:
- Complete the minimum amount of work and treat it like a tick box exercise. When we see this happen we typically see that the organisation has not got leadership buy-in, is unwilling to devote the time to the exercise and either needs an external driver (e.g. powerful customer) to focus its efforts or should not really bother starting.
- Prioritise focus on the must-have areas first and evolve the ISMS over time. A sensible approach.
ISO 27001 is made up of two parts; the main requirements, and the Annex A controls.
Everyone must meet the main requirements, which cover clauses 4.1 – 10.2. These include 18 key activities that drive the broader investment in the Annex A controls. There are also some Annex A controls that an auditor will expect to see in practice in almost every organisation (some want more or less, so be sure to check with your auditor in advance).
It is worth noting that no two organisations are the same and neither will their ISMS’s be. The Annex A controls are only required where there are risks which require their implementation. The below, therefore, should be used as a set of guidelines only.
Here is an overview of the minimum evidence you need to produce if you want to be compliant with ISO 27001 and have a chance of getting certified:
- Documented internal and external issues, interested parties (4.1 and 4.2)
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clauses 6.1.2 and 6.1.3)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Procedure for document control (clause 7.5)
- Controls for managing records (clause 7.5)
- Risk assessment report (clause 8.2)
- Definition of security roles and responsibilities (clauses A.6.1.1, A.7.1.2 and A.13.2.4)
- Inventory of assets (clause A.8.1.1)
- Acceptable use of assets (clause A.8.1.3)
- Access control policy (clause A.9.1.1)
- Operating procedures for IT management (clause A.12.1.1)
- Secure system engineering principles (clause A.14.2.5)
- Supplier security policy (clause A.15.1)
- Incident management (clause A.16)
- Business continuity (clause A.17.1.2)
- Statutory, regulatory, and contractual requirements (clause A.18.1.1)
- Procedure for internal audit (clause 9.2)
- Procedure for corrective action (clause 10.1)
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
- Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
Other documentation that is common and most likely to be needed for organisations based on the risks and issues facing them
- Bring your own device (BYOD) policy (clause A.6.2.1)
- Mobile device and teleworking policy (clauses A.6.2.1 and A.6.2.2)
- Information classification policy (clauses A.8.2.1, A.8.2.2, and A.8.2.3)
- Password policy (clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, and A.9.4.3)
- Disposal and destruction policy (clauses A.8.3.2 and A.11.2.7)
- Procedures for working in secure areas (clause A.11.1.5)
- Clear desk and clear screen policy (clause A.11.2.9)
- Change management policy (clauses A.12.1.2, A.14.2.2 and A.14.2.4)
- Backup policy (clause A.12.3.1)
- Information transfer policy (clauses A.13.2.1, A.13.2.2, and A.13.2.3)
- Business impact analysis (clause A.17.1.1)
- Exercising and testing plan (clause A.17.1.3)
- Maintenance and review plan (clause A.17.1.3)
- Business continuity strategy (clause A.17.2.1)
ISMS.online is one secure, online environment for describing and demonstrating your complete ISMS and comes with pre-configured frameworks, tools, and content to accelerate your ISO 27001 certification.
How Much Does Certification Cost
Certification auditing is not actually the headline cost you need to consider. The biggest cost is the time and effort for achieving certification from the people involved in building your ISMS initially, then maintaining it year on year thereafter. It could have opportunity costs of income loss from senior resources, core competencies distraction for the business and higher costs of consulting if you bring in outside help without a strong technology starting point.
Certification costs are still worth considering, however, and are based on your organisation’s size, scope, and processes etc. Most certification bodies will give either a quick quote online or follow-up.
Actual certification costs should be considered over a 3-year certification cycle:
- Initial audit and certification audit – stage 1 and 2
- Surveillance audits for Year 1 & 2
- Then the cycle continues again, with recertification every three years.
Audit fees are typically around £1,000 per day (excl. VAT), and the number of days needed varies by size of organisation and the scope of the management system. For example, a small business with a simple scope (e.g. one product, few processes, one head office) might need 1 day for a Stage 1 audit, 2 days for a Stage 2 audit, and then 1 day per annum for surveillance.
It’s also worth looking out for more innovative audit bodies who are prepared to look at remote stage 1 audits. This is likely to be considered only where the management system is held completely digitally, as it is with ISMS.online. This means it is easier for them as auditors to see the implementation working. This will save costs on the inevitable travel expenses and time.
How Long Does Certification Take?
How long it takes depends mainly on two factors:
- Executive / management buy-in
- Starting point
We also know that the likelihood of achieving the standard diminishes sharply the longer the implementation drags on. There is a high failure rate at the Stage 1 audit, although failure can occur at other stages. Failure is normally indicative that one or more of the factors above is missing. If you don’t have the commitment to get started, then don’t. You will likely suffer from a lack of investment in the tools and resources needed to succeed, and you will get caught out sooner or later as the ISMS objectives will be at odds with the wider strategic objectives of the organisation.
ISMS.online is the solution. We’ll help with the starting point, giving you a massive head start including actionable policies and controls you can adopt, adapt and add to, together with pre-configured workspaces and all the tools you will need to reduce the administrative burden and keep you focused.
You will also have a risk management policy, methodology, tool, and even a risk bank from which to draw down risks and their common controls to save you weeks of work. And the dreaded Statement of Applicability? That’s dynamically produced and updated from directly within each control, with links that will lead your auditor right through all the evidence they need that your ISMS is being managed well.
Add on our unique ISO 27001 Virtual Coach for saving your resource time, pointing them in the right direction, and giving them that all-important confidence, capability, and capacity to succeed quickly at every stage.