ISO 27001 Certification: What is it, why you need it and what's involved
ISO 27001 certification will also demonstrate to your influential external stakeholders that you take information security seriously and can be trusted with their valuable information assets as well as your own.
The ISO 27001:2013 standard is the internationally recognised best practice framework for an Information Security Management System (ISMS).
For organisations in the United Kingdom, ISO 27001 recognition is at its most valuable when you get certified by a UKAS (United Kingdom Accreditation Service) accredited certification body, which will independently audit your organisation and provide you with ISO 27001 certification. Other accreditation bodies comparable to UKAS exist internationally too, which helps keep the ISO/IEC 27001 Information Security Management standard consistent wherever an organisation is aiming to achieve ISO 27001 certification.
The method of evaluating risk for ISO 27001:2013/17 is to consider the impact on Confidentiality, Integrity, and Availability (CIA) of the information asset. Understanding that risks are not just about the potential theft of data (confidentiality) but also how information could be wrongfully manipulated (integrity), or even rendered inaccessible (availability), will help you build the necessary controls in your organisation.
An explicit CIA approach to the information risk management process also meets the requirements of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, where Article 32 on ‘Security’ refers to this method. It is just one of the reasons that many organisations look to get certified to ISO 27001: it helps them demonstrate some of the GDPR compliance requirements at the same time.
ISO 27001 certification is the only internationally recognised and trusted information security management standard that can be independently certified to cover People, Process and Technology.
ISO/IEC 27001 and ISO/IEC 27002 also create the foundations of a more holistic and integrated approach to many other information security and privacy standards. For example, other frameworks such as the NIST Cybersecurity Framework and PCI DSS, to name just two, also map closely to many of the requirements and Annex A controls of ISO 27001.
The Network and Information Systems (NIS) Regulations 2018, and the NHS Data Security and Protection (DSP) Toolkit requirements are other examples where holding UKAS ISO 27001 certification and ICO GDPR checklist compliance would make sense too.
In summary, ISO 27001 is an excellent method for an overarching approach to an Information Security Management System that can be built on easily as future compliance demands emerge and business practices change.
ISO 27001 Certification vs Compliance
In simple terms, compliance might mean that the organisation is following the ISO 27001 standard (or parts of it).
ISO 27001 certification, on the other hand, means that the organisation’s ISO 27001 Information Security Management System has been certified as compliant with the standard by certified auditors known as Certification Bodies.
Why You Need ISO 27001 Certification
ISO 27001 certification applies to any organisation that wishes, or is required, to formalise and improve its business processes around securing its information assets.
ISO 27001 certification is not dictated by the size or turnover of an organisation, as even the smallest of organisations may have influential customers or other stakeholders, such as investors, who look for the assurances that holding UKAS ISO 27001 certification offers.
It is about trust and demonstrating that your organisation has put in place the people, processes, tools, and systems to a recognised standard. Imagine a world of financial reporting or health and safety without standards. Information security is a bit behind those areas from a certification and independent audit perspective, but with the pace of change accelerating for almost everything, smarter organisations are getting ahead, internally and in particular with their supply chain too. So you can look at ISO 27001 certification through two lenses:
1. As a customer you’d want the confidence that your relevant suppliers are certified, not least to help mitigate your business risks, and also to exploit some of the opportunities, e.g. more consistent, higher standards along with lower total cost and risk in the work you receive from them.
2. Your customers are getting smarter; like you, they need to know that the supply chain is adequately protected. Influential customers are simply mandating ISO 27001 certification now and transferring the risk management process down the supply chain. There are other spin-off benefits too, let alone all the extra business you’ll win from being certified to ISO 27001 versus laggards who are not. For example, well-informed staff will want to work for trusted brands, and as insurers catch up with better ways of working it should also mean lower premiums for organisations with an independently certified ISO 27001 Information Security Management System.
What are the benefits of ISO 27001 certification?
For all stakeholders, the key message is one of trust and assurance gained from an externally audited information security management system. This offers multiple benefits – for example:
Benefits to you
- Protect IP, brand & reputation
- Win more business from new & existing customers
- Reduce the cost of sale
- Retain more business
- Improved processes leading to cost & time savings
- Avoid fines from regulatory non-compliance (such as GDPR)
- Avoid civil suits resulting from a data breach
- Avoid costs of remedial action resulting from incidents and/or breaches
- Attract better staff
Benefits to your staff
- Trust in the organisation’s sustainability
- Training for work (and home security)
- Clarity through policies & procedures
- Pride in the organisation and their role in protecting it
Benefits to your customers
- Trust and assurance in you and your supply chain
- Less likelihood of a costly breach
- Reduced cost of supplier onboarding
ISO 27001 Certification: Is it worth it?
Achieving ISO 27001 certification is not as hard or as expensive as it used to be, because of innovative solutions like ISMS.online. And yet, despite the many strategic and financial benefits, some leaders still consider it a ‘grudge’ purchase and another bureaucratic tick-box exercise. Achieving certification typically means a time and cost investment; like most strategic investments, it is worth considering the return and broader benefits.
The return on investment (ROI) from an ISO 27001 Information Security Management System (ISMS) can be more fully explored in a recently published whitepaper, by Alliantist CEO Mark Darby, on Planning the business case for an ISMS.
The whitepaper further explores the opportunities and threats, benefits and consequences, and also offers up a range of tools and exercises to help:
- Consider the RoI
- Discover how to manage your Information Security Management System in the future
What is Involved in an ISO 27001 Implementation?
You need to develop a ‘management system’, which is generally made up of people and technology.
For the people part, you need leadership to guide the implementation so that it meets the business goals and cultural norms, to carry out regular reviews, and to show that the organisation is taking it seriously. Auditors will want to see ‘the spirit of ISO 27001’ being applied at this senior level as well as the documents, so a director waltzing into an audit and pretending to understand the ISO 27001 Information Security Management System is a recipe for disaster.
You’ll also need people who understand your business and have the capability, capacity and confidence to address the requirements. The ‘people’ investment is also very much determined by the technology used to implement and maintain the ISO 27001 Information Security Management System (ISMS). For example, you’ll need:
- A digital or paper-based solution to describe and demonstrate how you meet the core requirements of ISO 27001 standard and can show how that is managed as changes happen over time (you get audited at least annually too – see further below).
- A similar environment to document and manage all the Annex A controls & policies that are developed – then ensure they are made available to the people they apply to, and that you can prove they are aware of them and engaged (remember these people might be staff and suppliers). Don’t just write controls and policies for the sake of it either. They should all be based on the issues facing your organisation, your interested parties’ expectations, your scope and boundaries (e.g. products, locations, etc.) and the information assets you want to protect. You have to ‘show your working’ here too and document all of that. It gets hard to do that well and maintain it over time with just Word documents, spreadsheets, and a shared drive.
- These activities all get risk assessed (with your risk management tool) to help you then determine which of the Annex A control objectives you need to implement, which, without getting too technical at this stage, leads to your Statement of Applicability. Did I already say you need to demonstrate this to an auditor to get certified to ISO 27001?
- Your management system will have all the tools underpinning that work, documented and easily followed by the auditor.
- A document set might be of help if it’s actionable, i.e. you can practically use it, and it is easy to adopt, adapt and add to. It should integrate within that technology solution too.
- If you rely on the supply chain, then you need to show how you are in control of those suppliers and in particular their contracts (it’s also a fundamental requirement of GDPR compliance!).
- The control objectives and requirements expect the description of the approach (e.g. policy on how to address security incidents) and its demonstration (i.e. the security incident tracker with all its incidents, events and weaknesses detail and evidence easily accessible too).
The 2013/17 version of ISO 27001 facilitates a more agile and dynamic approach that supports continuous evaluation and improvement of the management system: a more real-time Plan-Do-Check-Act (PDCA) cycle, with the PDCA order mixed up where a pragmatic, agile approach calls for it.
Organisations commonly have this sort of dynamic approach for their operational security systems, e.g. firewalls, network scanners etc. It is better suited to the ever-changing modern risk landscape, and a well-managed Information Security Management System will be a much more agile, dynamic, and continuously monitored ISMS in the future.
Services like ISMS.online make it much easier and faster to achieve ISO 27001 certification, with almost everything you need in one place. Beyond the technology, you will need:
- Some leadership time to align the implementation to the business objectives, and maintain it thereafter
- People that understand how you work and can define that in policies, controls and processes to meet the ISO 27001 requirements
- A certification body that understands your organisation sector, size, and way of working.
1. Plan for ISO 27001 implementation
Adding more context and structure to your implementation plan, the following aspects should be considered:
- Be clear on the goals, compelling reasons to act and any deadlines you want to hit – as well as the consequences if that drifts
- Identify the headline RoI so you can apply the right people and leadership – it will also help budget development too if that is required
- If the team is new to ISO 27001, buy the ISO standard and the ISO 27002 guidance, and read them – comparing your current internal environment to what is required for success (a light gap analysis). Many of the requirements, processes, and controls may already be in place and simply need formalising. You may not need external training or lead auditor/implementer programmes – these can be wasteful and negatively affect how you want your Information Security Management System to work as a practical ISMS.
- Consider pre-configured technology solutions and tools to compare whether that is better than what you have internally already and better use of your valuable resources. Some of these solutions, like ISMS.online, already have all the tools you need and include actionable documentation you can adopt, adapt and add to for a massive head start, and offer virtual coaching and training on how to achieve certification too.
- Get started…and break all the work down into bite-size chunks and celebrate the power of small wins. Seeing frequent progress towards 100% completeness is infectious so remember to find a solution that is visible, transparent and collaborative to share those little successes!
2. Address the key elements of the ISO 27001 standard
ISO 27001 can be done bottom-up by taking a policy-led approach, simply creating documentation for all the Annex A controls. However, the more strategic and business-led approach broadly follows the way ISO 27001 is written and is logical too. We’ve summarised it simply as follows:
- Look at the issues facing your organisation and understand the needs of interested parties (stakeholders), in particular, identify the information assets as early as possible too (you’ll get more detailed with those later).
- Set the boundaries and scope of the ISMS.
- Define your organisation’s security objectives from its ISMS.
- Put in place the capability for regular implementation reviews, audits, and evaluations to show you are in control, and document (briefly) from day 1 of the implementation so you can share that journey with the auditor and capture lessons learned too.
- Identify the risks to those information assets and conduct risk assessments – if short of resources we recommend you prioritise around the higher risk information assets and bigger threats to CIA based on likelihood and impact.
- Create a risk treatment plan for each risk and where appropriate choose Annex A control objectives and controls that are to be implemented to help address those risks – ideally link that up so you know your assets, risks, and controls fit together and that if you change or review one part, you see the impact on the related parts.
- Prepare your Statement of Applicability – this catches out many people, but it’s a mandatory requirement and can waste lots of time.
Remember to document everything and show the whole system is working with that regular evaluation.
3. Evaluate your ISMS in accordance with the standard and its readiness to achieve certification
It is crucial to have measurement and reviews in place to ensure your ISMS is meeting its objectives. ISO 27001 includes requirements for planned evaluation to take place in the form of:
- Management reviews
- Internal audits
- External audits – where appropriate, this could be from an ISO 27001 certification body or customers, or consultants.
4. Improve your ISMS as necessary and organise the stage 1 audit by the external certification body
The process of continual improvement is key to ISO 27001 success and is something that auditors will look for evidence of. Security threats and vulnerabilities change rapidly as, in many cases, do organisations’ growth or goals. It is critical that you can demonstrate your commitment to taking corrective actions and making improvements to your ISMS. Done properly, your ISMS will be a business enabler rather than restricting the way you want to run your business. If it becomes the ‘ISO 27001 tail’ wagging the ‘business-as-usual’ dog, you are doing it all wrong.
How Do I Get Certified to ISO/IEC 27001 Standards?
It is a two-stage process to get certified by a United Kingdom Accreditation Service (UKAS) accredited certification body:
- Stage 1 audit – in simple terms the certification body auditor will want to see the Information Security Management System documentation and that you’ve got the requirements met, at least in theory! It’s more of a desktop review of the ISMS with the auditor at this stage, covering the mandatory areas and ensuring that the spirit of the standard is being applied. Forward-thinking certification bodies are starting to do those remotely, which drives down cost and can speed up the process too.
- The outcome from this exercise is a recommendation for Stage 2 audit readiness (perhaps with observations to reassess during the Stage 2 audit) or a need to address any non-conformities identified before further progress can happen.
- Many organisations fail at Stage 1, and it’s for a very common set of reasons that are generally easily addressed with a good Information Security Management System solution (unless your leadership really is not engaged, in which case nothing will help with the ISMS!).
- Depending on your status of internal audits, you may be required to complete a full internal audit before a stage 2 as well, but we suggest you agree that with your auditors as some look for slightly different things – it’s a bit like football rules where there are laid down rules, but referees interpret them differently. A good auditor will want you to succeed and should help you understand what they expect to see for a Stage 2 audit session. Make sure you ask them!
- Stage 2 audit – This is where the auditors will start to look for the evidence that the documented Information Security Management System is being lived and breathed in practice. If your policies are off the shelf from a dodgy document toolkit and not fit for your practical purpose, this is really where the wheels fall off. Your staff will be engaged, interviewed, your scope will be assessed around the physical location, systems, processes, and procedures. Like most audits, it will be a sample size, and if you are able to lead the auditor with a joined-up system, they will take great confidence from that.
- The outcome of this exercise is either a pass or fail. If you pass, you have that highly valued certificate, fail and you will have work left to do around non-conformities before you can re-submit for another audit or a specific review of the non-conformity.
- Stage 1 and Stage 2 audits, then award of the certificate
- Surveillance audit 1 (usually annually or may be more frequent based on scope, risk, and size)
- Surveillance audit 2
- Third-year re-certification and more detailed evaluation
It can take 4-6 weeks to book up with an audit body, so bear that lead time in mind, and we recommend finding an auditor that is well versed in your sector and size of business. Otherwise, they may be more or less expensive, but crucially, if they don’t understand your Information Security Management System challenges from a business perspective, it might be a painful process. Remember, the auditor is nearly always right (although you can more easily demonstrate why you have done something, and explain your risk appetite, control selection etc., if you have a well-managed Information Security Management System).
A Typical ISO/IEC 27001 Certification Journey
Our Assured Results Method (ARM), used with our Virtual Coach, gives you a better starting point because it takes a hybrid approach rather than a purely ‘top-down’ or ‘bottom-up’ one. This makes ARM the most efficient and effective way to achieve certification.
Mandatory Requirements for ISO 27001 Certification
Organisations tend to take one of two approaches to the mandatory requirements:
- Complete the minimum amount of work and treat it like a tick-box exercise. When we see this happen, we typically see that the organisation has not got leadership buy-in, is unwilling to devote the time to the task, and either needs an external driver (e.g. a powerful customer) to focus its efforts or should not really bother starting.
- Prioritise focus on the must-have areas first and evolve the Information Security Management System over time. A sensible approach.
The ISO 27001 Standard is made up of two parts: the main requirements, and the Annex A controls.
Everyone must meet the main requirements, which cover clauses 4.1 to 10.2. Included are 18 key activities that drive the broader investment in the Annex A controls. There are also some mandatory controls from Annex A that an auditor will expect to see too (some want more or less, so be sure to check with your auditor in advance).
It is worth noting that no two organisations are the same, and neither will their ISMSs be.
The Annex A controls are only required where there are risks which require their implementation. The below, therefore, should be used as a set of guidelines only.
Here is an overview of the minimum evidence you need to produce if you want to be compliant with the ISO/IEC 27001 Information Security Management standard and have a chance to get certified:
- Documented internal and external issues, interested parties (clauses 4.1 and 4.2)
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Procedure for document control (clause 7.5)
- Controls for managing records (clause 7.5)
- Risk assessment report (clause 8.2)
- Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
- Inventory of assets (clause A.8.1.1)
- Acceptable use of assets (clause A.8.1.3)
- Access control policy (clause A.9.1.1)
- Operating procedures for IT management (clause A.12.1.1)
- Secure system engineering principles (clause A.14.2.5)
- Supplier security policy (clause A.15.1)
- Incident management (clause A.16)
- Business continuity (clause A.17.1.2)
- Statutory, regulatory, and contractual requirements (clause A.18.1.1)
- Procedure for internal audit (clause 9.2)
- Procedure for corrective action (clause 10.1)
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
- Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
Other documentation that is common and most likely to be needed by organisations, based on the risks and issues facing them:
- Bring your own device (BYOD) policy (clause A.6.2.1)
- Mobile device and teleworking policy (clause A.6.2.1)
- Information classification policy (clauses A.8.2.1, A.8.2.2, and A.8.2.3)
- Password policy (clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, and A.9.4.3)
- Disposal and destruction policy (clauses A.8.3.2 and A.11.2.7)
- Procedures for working in secure areas (clause A.11.1.5)
- Clear desk and clear screen policy (clause A.11.2.9)
- Change management policy (clauses A.12.1.2 and A.14.2.4)
- Backup policy (clause A.12.3.1)
- Information transfer policy (clauses A.13.2.1, A.13.2.2, and A.13.2.3)
- Business impact analysis (clause A.17.1.1)
- Exercising and testing plan (clause A.17.1.3)
- Maintenance and review plan (clause A.17.1.3)
- Business continuity strategy (clause A.17.2.1)
How Much Does ISO 27001 Certification Cost?
Certification costs are still worth considering, however, and depend on your organisation’s size, scope, processes etc. Most certification bodies will give either a quick quote online or on follow-up. The costs cover:
- Initial audit and certification audit – stage 1 and 2
- Surveillance audits for Year 1 & 2
- Then the cycle continues again, with re-certification every three years.
Audit fees are typically around £1,000 per day (excl. VAT), and the number of days needed varies by the size of the organisation and the scope of the management system. For example, a small business with a simple scope (e.g. one product, few processes, one Head Office etc.) might need one day for a Stage 1 audit, two days for a Stage 2 audit, and then one day per annual surveillance.
It’s also worth looking out for more innovative audit bodies which are prepared to look at remote stage 1 audits. This is likely to be considered only where the management system is held completely digitally, as it is with ISMS.online. This means it is easier for them as auditors to see the implementation at work. This will save costs on the inevitable travel expenses and time.
ISMS.online is the solution. We’ll help with the starting point, giving you a massive head start including actionable policies and controls you can adopt, adapt and add to, together with pre-configured workspaces and all the tools you will need to reduce the administrative burden and keep you focused.
You will also have a risk management policy, methodology, tool, and even a risk bank to draw down risks and their common controls to save you weeks of work. And the dreaded Statement of Applicability? That’s dynamically produced and updated from directly within each control, with links that will lead your auditor right through all the evidence that they will need to see that your ISMS is being managed well.
Add on our unique ISO 27001 standard Virtual Coach for saving your resource time, pointing them in the right direction, and giving them that all-important confidence, capability, and capacity to succeed quickly at every stage. Our Assured Results Method will also assist in delivering the pragmatic approach to implementing your information security system.
*ISO 27001 certification is especially useful for GDPR because there is currently no independent and universally accepted certification for that. Compliance around GDPR is, therefore, subjective. Until recognised and independent certification schemes are implemented, we recommend that organisations comply with the Information Commissioner’s Office checklists for GDPR.
ISO 27001 is about ensuring that the business controls and management processes you have in place are adequately robust to address the risks to information security, and the opportunities, that you found in your risk assessment. To achieve ISO 27001 certification, you will take a business-led approach to the process of managing information security.
- Keeping customers and attracting new business,
- Mitigating reputation loss and fines,
- Optimising processes and strategies,
- Compliance with commercial, contractual and legal obligations.
- the size and complexity of the organisation,
- the capability, capacity and availability of resources.
Certification then usually lasts for three years. To achieve an accredited certification, you must be audited by an accredited Certification Body. Typically, to gain certification (e.g. under UKAS), this is done through a Stage 1 and Stage 2 audit and the awarding of the certificate.
After this, it is about maintaining the certification. For UKAS accredited ISO 27001 certificates, several periodic surveillance audits are required over the 3-year lifecycle followed by a re-certification audit before the expiry of a certificate. Surveillance audits for a UKAS certification are typically conducted annually. However, they can be more regular depending on the ISMS size, scope, risk and complexity.
You’ll get your certificate issued for one year after ISO 27001 certification before re-certification. Other accrediting bodies may vary how long certificates are valid for and what needs to be done to maintain & renew them.