ISO 27001 CertificationWhat is it, why you need it and what's involved
The security of information should be a top priority for any organisation, not least because of growing cyber and other crime. New regulations such as the GDPR make it a legal requirement to protect personal data too. Becoming ISO 27001 certified will give you a great framework for building your Information Security Management System (ISMS) and help you address the relevant compliance requirements too*.
ISO 27001 certification will also demonstrate to your powerful external stakeholders that you take information security seriously and can be trusted with their valuable information assets as well as your own.
What is ISO 27001 Certification?
ISO 27001:2013 standard is the internationally recognised best practice framework for an Information Security Management System (ISMS).
For organisations in the UK, ISO 27001 recognition is at its most valuable when certified by a UKAS accredited certification body who will independently audit your organisation and provide you with ISO 27001 certification. Other certification bodies comparable to UKAS exist internationally too which helps maintain the ISO 27001 standard consistently wherever an organisation is aiming to achieve certification.
ISO 27001 certification is not only about what technical measures you put in place. ISO 27001 is about ensuring the business controls and management processes you have in place are adequate and proportionate for the information security threats and opportunities you have identified and evaluated in your risk assessment. And that should all be done with a business-led approach to information security management.
The method of evaluating risk for ISO 27001:2013/17 is to consider the impact on Confidentiality, Integrity, and Availability (CIA) of the information asset. Understanding that risks are not just about the potential theft of data (confidentiality) but also how information could be wrongly manipulated (integrity), or even rendered inaccessible (availability), will help you build the necessary controls in your organisation.
An explicit CIA approach to information risk also meets the requirements of The General Data Protection Regulations (GDPR compliance) and the Data Protection Act 2018 which refers to this method in Article 32 on ‘Security’. It is just one of the reasons that many organisations are looking at becoming ISO 27001 certified to help them demonstrate some of the GDPR compliance requirements at the same time.
ISO 27001 certification is the only internationally recognised and trusted information security management standard that can be independently certified to cover People, Process and Technology.
ISO 27001 and ISO 27002 also creates the foundations of a more holistic and integrated approach to many other information security and privacy standards. For example other frameworks such as the NIST Cyber Security and PCI DSS, to name just two, also closely map to many of the requirements and Annex A controls of ISO 27001.
The Network and Information Systems (NIS) Regulations 2018, and the NHS Data Security and Protection (DSP) Toolkit requirements are other examples where holding UKAS ISO 27001 certification and ICO GDPR checklist compliance would make sense too.
In summary ISO 27001 is a great method for an overarching approach to an Information Security Management System that can be built on easily as future compliance demands emerge and business practices change.
ISO 27001 Compliance vs Certification
Is a certificate worth the paper it’s written on?
Organisations that are new to information security management systems often ask about the difference between compliance and certification, especially when following recognised standards like ISO 27001:2013/17.
In simple terms, compliance might mean that the organisation is following the ISO 27001 standard (or parts of it.)
Trust, however, is low nowadays so switched on powerful stakeholders don’t automatically believe compliance is enough. They want to see a certificate!
However, not all certificates are the same. A consultant, software service provider or your own information security officer could neatly present their own certificate! Some consultants and software providers still do this today, simply certifying their own work, but it’s really not worth the paper it is written on. Customers that understand this subject will want to see some form of independent certification.
The most recognised and acceptable independent certificates are issued by UKAS* certified auditors known as Certification Bodies (and their equivalent internationally). They are organisations that have been evaluated by UKAS to be competent in delivering an independent external audit to an agreed standard and are authorised to issue ISO certificates that can be trusted.
Why You Need ISO 27001 Certification
ISO 27001 certification applies to any organisation that wishes or is required to, formalise and improve business processes around the securing of its information assets.
This is not dictated by the size or turnover of an organisation as even the smallest of organisations may have powerful customers or other stakeholders, such as investors, who look for the assurances from being UKAS ISO 27001 certified offer.
It really is about trust and demonstrating your organisation has put in place the people, processes, tools, and systems to a recognised standard. Imagine a world of financial reporting or health and safety without standards. Information security is a bit behind those areas from a certification and independent audit perspective but with the pace of change accelerating for almost everything, smarter organisations are getting ahead, internally and in particular with their supply chain too. So you can look at certification through two lenses;
1 – as a customer you’d want to take confidence that your relevant suppliers are certified, not least to help mitigate your business risks let alone exploit some of the opportunities e.g. from more consistent, higher standards along with lower total cost and risk of work you encounter from them.
2 – your customers are getting smarter; they like you need to know that the supply chain is protected adequately. Powerful customers are simply mandating ISO 27001 certification now and transferring all the risk they can down the supply chain. There are other spinoff benefits too let alone all the extra business you’ll win from being certified versus laggards who are not. For example, well-informed staff will want to work for trusted brands, and as insurers catch up with better ways of working it should also mean lower premiums for organisations with independently certified ISO 27001.
What are the benefits of ISO 27001 certification?
For all stakeholders, the key message is one of trust and assurance gained from an externally audited information security management. This offers multiple benefits – for example:
Benefits to your customers
- Trust and assurance in you and your
- Less likelihood of a costly breach
- Reduced cost of supplier onboarding
- Trust and assurance in you and your
Benefits to you
- Protect IP, brand & reputation
- Win more business from new & existing customers
- Reduce cost of sale
- Retain more business
- Improved processes leading to cost & time savings
- Avoid fines from regulatory non-compliance (such as GDPR)
- Avoid civil suits resulting from a data breach
- Avoid costs of remedial action resulting from incidents and/or breaches
- Attract better staff
Benefits to your staff
- Trust in the organisation’s sustainability
- Training for work (and home security)
- Clarity through policies & procedures
- Pride in the organisation and their role in protecting it
ISO 27001 Certification: Is it worth it?
Doing nothing is probably not an option if you are accessing and managing valuable information assets owned by others. For some organisations their whole business is built on developing or managing information assets. So in that case, losing some or all of that business, or not winning more in future probably means it’s worth investing in becoming certified, especially if customers or other stakeholders like investors perceive a risk.
Achieving ISO 27001 certification is not as hard or as expensive as it used to be because of innovative solutions like ISMS.online. And, despite many of the strategic and financial benefits, some leaders still consider it a ‘grudge’ purchase and another bureaucratic tick box exercise. Whilst ISO 27001 certification traditionally represents a time and cost, like most strategic investments it is worth considering the return and broader benefits.
The return on investment (ROI) from an ISMS can be more fully explored in a recently published whitepaper, by Alliantist CEO Mark Darby, on Planning the business case for an ISMS
The whitepaper further explores the opportunities and threats, benefits and consequences, and also offers up up a range of tools and exercises to help:
- consider the RoI
- discover how to manage your Information Security Management System in the future
Ready to fast-track your implementation using ISMS.online?
What is Involved in an ISO 27001 Implementation?
There is a lot to an ISO 27001 implementation if you are starting from zero. In fact, to have a chance of receiving that coveted certification, there are about 136 activities to consider when planning the implementation, developing the core requirements and addressing all the Annex A control objectives. Some activities might take a few minutes, others might take weeks or months depending on your starting point and goals.
There are options on how to achieve certification but whatever you do, we strongly suggest you purchase the standards from ISO for both ISO 27001:2013/17 and the Annex A controls guidance for ISO 27002 which gives more insight into the large number of controls you need to consider.
Going out and simply buying an ISO 27001 document set from a provider is also not going to help much and could waste money, confuse staff and delay your ability to run the business the way you want to, securely. Independent auditors in a certification body would stop their audit inside 5 minutes if that is all you did too, so you’d also put yourself on the back foot with the auditor thereafter and need to redo the first (Stage 1) audit.
You need to develop a ‘management system’, which is generally made up of people and technology.
For the people part you need leadership to guide the implementation to meet the business goals, cultural norms, regular reviews and show the organisation is taking it seriously. Auditors will want to see ‘the spirit of the standard’ being applied as well as the documents at this senior level, so a director waltzing into an audit and pretending to understand the Information Security Management System is also a recipe for disaster.
You’ll also need people who understand your business with the capability, capacity and confidence to address the requirements. The people investment is very much also determined by the technology used to implement and maintain the ISMS too. For example, you’ll need:
- A digital or paper-based solution to describe and demonstrate how you meet the core requirements of ISO 27001 standard and can show how that is managed as changes happen over time (you get audited at least annually too – see further below).
- A similar environment to document and manage all the Annex A controls & policies that are developed – then ensure they are made available to the people they apply to, and you can prove that they are aware of them and engaged (remember these people might be staff and suppliers). Don’t just write controls and policies for the sake of it either. They should all be based on the issues facing your organisation, your interested parties expectations, your scope and boundaries (e.g. products, locations etc) and the assets you want to protect. You have to ‘show your working’ here too and document all that. It gets hard to do that well and maintain it over time with just word documents, spreadsheets, and a shared drive.
- These activities all get risk assessed (with your risk tool) to then help you determine what of the Annex A control objectives you need to implement, which without getting too technical at this stage, leads to your Statement of Applicability. Did I already say you need to demonstrate this to an auditor to get certified?!
- Your management system will have all the tools underpinning that work, documented and easily followed by the auditor.
- A document set might be of help if it’s actionable i.e. you can practically use it and it is easy to adopt, adapt and add to. It should integrate within that technology solution too.
- If you rely on the supply chain, then you need to show how you are in control of those suppliers and in particular their contracts (it’s also a key requirement of GDPR compliance!).
- The control objectives and requirements expect the description of the approach (e.g. a policy on how to address security incidents) and its demonstration (i.e. the security incident tracker with all its incidents, events and weaknesses detail and evidence easily accessible too).
Recognised approaches to implementing a system include the PDCA (Plan, Do, Check, Act) approach. It was a standard quality management approach but perhaps is a bit passe in its literal form.
The 2013/17 version of ISO 27001 facilitated a more agile and dynamic approach that supports continuous evaluation and improvement of the management system so more of a real-time PDCA and mixing up of the PDCA order too for a pragmatic agile approach.
Organisations commonly have this sort of dynamic approach for their operational security systems e.g. firewalls, network scanners etc. It is more suitable to the ever-changing modern risk landscape and a well managed Information Security Management System will be a much more agile, dynamic and continuously monitored ISMS in the future.
Services like ISMS.online make life much easier and faster to achieve certification with almost everything you need in one place.
The only other things you need are:
- some leadership time to align the implementation to the business objectives, and maintain it thereafter, and
- people that understand how you work and can define that in policies, controls and processes to meet the standard
- a certification body that understands your organisation sector, size, and way of working.
1. Plan for ISO 27001 implementation
Adding more context and structure to your implementation plan, the following aspects should be considered:
Be clear on the goals, compelling reasons to act and any deadlines you want to hit – as well as the consequences if that drifts
Identify the headline RoI so you can apply the right people and leadership – it will also help budget development too if that is required
If the team are new to ISO 27001, buy the ISO standards and ISO 27002 guidance, and read it – comparing your internal current environment to what is required for success (a light gap analysis). Many of the requirements, processes, and controls may already be in place and simply need formalising. You may not need external training or lead auditor implementer programmes – these can be wasteful and negatively affect how you want your Information Security Management System to work as a practical ISMS.
Consider preconfigured technology solutions and tools to compare whether that is better than what you have internally already and a better use of your valuable resources. Some of these solutions, like ISMS.online, already have all the tools you need and include actionable documentation you can adopt, adapt and add to for a massive head start, and offer virtual coaching and training on how to achieve certification too.
Get started……and break all the work down into bite-size chunks and celebrate the power of small wins. Seeing frequent progress towards 100% completeness is infectious so remember to find a solution that is visible, transparent and collaborative to share those little successes!
2. Address the key elements of the ISO 27001 standard
ISO 27001 can be done bottom up by taking a policy led approach, simply creating documentation for all the Annex A controls. However, the more strategic and business-led approach broadly follows the way the standard is written and is logical too. We’ve summarised it simply as follows:
- Look at the issues facing your organisation and understand the needs of interested parties (stakeholders), in particular, identify the information assets as early as possible too (you’ll get more detailed with those later).
- Set the boundaries and scope of the ISMS.
- Define your organisation’s security objectives from its ISMS.
- Put in place the capability for regular implementation reviews, audits, and evaluations to show you are in control and document (briefly) from day 1 of the implementation to share that journey with the auditor and for lessons learned too.
- Identify the risks to those assets and conduct risk assessments – if short of resources we recommend you prioritise around the higher risk assets and bigger threats to CIA based on likelihood and impact.
- Create a risk treatment plan for each risk and where appropriate choose Annex A control objectives and controls that are to be implemented to help address those risks – ideally link that up so you know your assets, risks, and controls fit together and that if you change or review one part you see the impact on the related parts.
- Prepare your Statement of Applicability – this catches out a lot of people but its a mandatory requirement and can waste lots of time.
Remember to document everything and show the whole system is working with that regular evaluation.
3. Evaluate your ISO 27001 in accordance with the standard and its readiness for certification
To ensure your ISMS is meeting its objectives it crucial to have measurement and reviews in place. ISO 27001 includes requirements for planned evaluation to take place in the form of:
External audits – where appropriate this could be from an ISO 27001 certification body or customers, or consultants.
4. Improve your ISMS as necessary and organise the stage 1 audit by the external certification body
The process of continual improvement is key to ISO 27001 success and is something that auditors will look to see evidenced. Security threats and vulnerabilities change rapidly as, in many cases, do an organisations growth or goals. It is critical that you can demonstrate your commitment to taking corrective actions and making improvements to your ISMS. Done properly, your ISMS will be a business enabler rather than restricting the way you want to run your business. If it becomes the ‘ISO 27001 tail’ wagging the ‘business-as-usual’ dog you are doing it all wrong.
Ready to fast-track your implementation using ISMS.online?
How to Get Certified to ISO/IEC 27001 Standards
Having implemented your Information Security Management System and conducted the first management reviews of the ISMS, and starting to live the approach in practice, you’ll be well on the path to get certified.
There is a two-stage process for getting certified to UKAS accredited standards:
- Stage 1 audit – in simple terms the certification body auditor will want to see the Information Security Management System documentation and that you’ve got the requirements met, at least in theory! It’s more of a desktop review of the ISMS with the auditor at this stage, covering the mandatory areas and ensuring that the spirit of the standard is being applied. Forward-thinking certification bodies are starting to do those remotely which drives down cost and can speed up the process too.
- The outcome from this exercise is a recommendation for Stage 2 audit readiness (perhaps with observations to reassess during the Stage 2 audit) or a need to address any non-conformities identified before further progress can happen.
Many organisations fail at Stage 1 and it’s for a very common set of reasons that are generally easily addressed with a good Information Security Management System solution (unless your leadership really is not engaged then nothing will help with the ISMS!)
Depending on your status of internal audits, you may be required to complete a full internal audit before a stage 2 as well, but we suggest you agree that with your auditors as some look for slightly different things – it’s a bit like football rules where there are laid down rules, but referees interpret them differently. A good auditor will want you to succeed and should help you understand what they expect to see for a Stage 2 audit session. Make sure you ask them!
- Stage 2 audit – This is where the auditors will start to look for the evidence that the documented Information Security Management System is being lived and breathed in practice. If your policies are off the shelf from a dodgy document toolkit and not fit for your practical purpose this is really where the wheels fall off. Your staff will be engaged, interviewed, your scope will be assessed around the physical location, systems, processes, and procedures. Like most audits, it will be a sample size and if you are able to lead the auditor with a joined-up system they will take great confidence from that.
The outcome from this exercise is either a pass or fail. Pass and you have that highly valued certificate, fail and you will have work left to do around non-conformities before you can re-submit for another audit or a specific review of the nonconformity.
Certification is done over a 3-year cycle so it generally operates as follows:
- Stage 1 and 2 then award of certificate
- Surveillance audit 1 (usually annually or may be more frequent based on scope, risk, and size)
- Surveillance audit 2
- Third-year recertification and more detailed evaluation
It can take 4-6 weeks to book up with an audit body so bear that lead time in mind and we recommend finding an auditor that is well versed in your sector and size of business. Otherwise they may be more or less expensive, but crucially if they don’t understand your Information Security Management System challenges from a business perspective it might be a painful process. Remember, the auditor is generally always right (although you can more easily demonstrate why you have done something and explained your risk appetite, control selection etc if you have a well managed Information Security Management System.)
Mandatory Requirements for Certification
Sometimes we get asked about the mandatory requirements that need to be in place before an external ISO 27001 certification audit should take place. This question is raised either because firms want to:
- Complete the minimum amount of work and treat it like a tick box exercise. When we see this happen we typically see that the organisation has not got leadership buy-in, is unwilling to devote the time to the exercise and either needs an external driver (e.g. powerful customer) to focus its efforts or should not really bother starting.
- Prioritise focus on the must-have areas first and evolve the Information Security Management System over time. A sensible approach.
The ISO 27001 Standard is made up of two parts; the main requirements, and the Annex A controls.
Everyone must meet the main requirements which cover 4.1 – 10.2. Included are18 key activities that drive the broader investment in the Annex A controls. There are also some mandatory controls from Annex A that an auditor will expect to see too (some want more or less so be sure to check with your auditor in advance).
It is worth noting that no two organisations are the same and neither will their ISMS’s be. The Annex A controls are only required where there are risks which require their implementation. The below, therefore, should be used as a set of guidelines only.
Here is an overview of the minimum evidence you need to produce if you want to be compliant with the ISO 27001 standard and have a chance of getting certified:
- Documented internal and external issues, interested parties (clauses 4.1 and 4.2)
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Procedure for document control (clause 7.5)
- Controls for managing records (clause 7.5)
- Risk assessment report (clause 8.2)
- Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
- Inventory of assets (clause A.8.1.1)
- Acceptable use of assets (clause A.8.1.3)
- Access control policy (clause A.9.1.1)
- Operating procedures for IT management (clause A.12.1.1)
- Secure system engineering principles (clause A.14.2.5)
- Supplier security policy (clause A.15.1)
- Incident management (clause A.16.)
- Business continuity (clause A.17.1.2)
- Statutory, regulatory, and contractual requirements (clause A.18.1.1)
- Procedure for internal audit (clause 9.2)
- Procedure for corrective action (clause 10.1)
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
- Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
Other documentation that is common and most likely to be needed for organisations based on the risks and issues facing them
- Bring your own device (BYOD) policy (clause A.6.2.1)
- Mobile device and teleworking policy (clause A.6.2.1)
- Information classification policy (clauses A.8.2.1, A.8.2.2, and A.8.2.3)
- Password policy (clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, and A.9.4.3)
- Disposal and destruction policy (clauses A.8.3.2 and A.11.2.7)
- Procedures for working in secure areas (clause A.11.1.5)
- Clear desk and clear screen policy (clause A.11.2.9)
- Change management policy (clauses A.12.1.2 and A.14.2.4)
- Backup policy (clause A.12.3.1)
- Information transfer policy (clauses A.13.2.1, A.13.2.2, and A.13.2.3)
- Business impact analysis (clause A.17.1.1)
- Exercising and testing plan (clause A.17.1.3)
- Maintenance and review plan (clause A.17.1.3)
- Business continuity strategy (clause A.17.2.1)
ISMS.online is one secure, online environment for describing and demonstrating your complete ISMS and comes with pre-configured frameworks, tools, and content to accelerate your ISO 27001 certification.
How Much Does Certification Cost
Certification auditing is not actually the headline cost you need to consider. The biggest cost is the time and effort for achieving certification from the people involved in building your Information Security Management System initially, then maintaining the ISMS year on year thereafter. It could have opportunity costs of income loss from senior resources, core competencies distraction for the business and higher costs of consulting if you bring in outside help without a strong technology starting point.
Certification costs are still worth considering, however, and are based on your organisation’s size, scope, and processes etc. Most certification bodies will give either a quick quote online or follow-up.
Actual certification costs should be considered over a 3-year certification cycle:
- Initial audit and certification audit – stage 1 and 2
- Surveillance audits for Year 1 & 2
- Then the cycle continues again, with recertification every three years.
Audit fees are typically around £1,000 per day (excl Vat) and the number of days needed varies by size of organisation and the scope of the management system. For example, a small business with a simple scope (eg one product, few processes, one Head Office etc.) might need 1 day for a Stage 1 audit, 2 days for a Stage 2 audit, and then 1 day per annum surveillance.
It’s also worth looking out for more innovative audit bodies who are prepared to look at remote stage 1 audits. This is likely to be considered only where the management system is held completely digitally, as it is with ISMS.online. This means it is easier for them as auditors to see the implementation working. This will save costs on the inevitable travel expenses and time.
How Long Does Certification Take?
It depends on your starting point of course. If starting from ‘zero’ then ISO 27001 certification certainly isn’t going to be an overnight achievement. For some organisations, it can be just weeks but for others, it can take twelve months plus, especially if not a priority for resource focus. A recent Case Study revealed how an SME achieved ISO 27001 certification, whilst still doing the day job, in less than eight weeks elapsed time using ISMS.online. How long your organisation takes will depend on a number of factors:
- Executive / management buy-in
- Starting point
We also know that the likelihood of achieving the standard diminishes exponentially the longer the implementation takes. There is a high failure rate at the Stage 1 audit, although failure can occur at different stages. Failure is normally indicative that one or more of the factors above is missing. If you don’t have the commitment to get started then don’t. You will likely suffer from lack of investment in the tools and resources to succeed, and you will get caught out sooner or later as the ISMS objectives will be opposed to the wider strategic objectives of the organisation.
If your organisation takes information security seriously then you will be looking for a faster, better and easier way to achieve ISO 27001 certification and maintain it!
ISMS.online is the solution. We’ll help with the starting point, giving you a massive head start including actionable policies and controls you can adopt, adapt and add to, together with pre-configured workspaces and all the tools you will need to reduce the administrative burden and keep you focused.
You will also have a risk management policy, methodology, tool, and even a risk bank to draw down risks and their common controls to save you weeks of work. And the dreaded Statement of Applicability? That’s dynamically produced and updated from directly within each control, with links that will lead your auditor right through all the evidence that they will need to see that your ISMS is being managed well.
Add on our unique ISO 27001 standard Virtual Coach for saving your resource time, pointing them in the right direction, and giving them that all-important confidence, capability, and capacity to succeed quickly at every stage.
ISMS online is allowing us to build an ISO 27001 compliance framework quickly and with minimal resources. Its structure, the tools and templates it contains are proving critical in our mission to provide top-tier Confidentiality, Integrity and Availability to our clients. It works in a logical and uncomplicated way meaning even people without ISO 27001 training can be using the system immediately.J. Worsfold
Discover the simplest and fastest route to ISO 27001 certification
*ISO 27001 certification is especially useful for GDPR because there is currently no independent and universally accepted certification for that. Compliance around GDPR is therefore subjective. Until recognised and independent certification schemes are implemented we recommend organisations comply with the information commissioner’s office checklists for GDPR. Read more about that here.