10 steps to ISO 27001 certification that work

ISO 27001 10 Steps
  • Company Buy In: Secure leadership and staff support by communicating the strategic benefits of certification, such as increased sales and improved bonus opportunities.
  • Create Policies: Develop specific information security policies based on industry best practices that define what your organisation does rather than how it does it.
  • Build the Information Security Management System: Establish a robust ISMS by addressing the standard’s requirements through documented processes or pre-built template toolkits to save time and training costs.
  • Write Down Business Processes: Document your existing security workflows and compare them against Annex A controls to identify gaps and record necessary exceptions.
  • Implement the Controls: Review the ISO 27001 Annex A controls to record your current compliance activities and improve any areas where protections are insufficient.
  • Audit Yourself: Conduct a comprehensive internal audit using a dedicated spreadsheet to verify that your policies, systems, and controls are functioning as intended.
  • Choose a Certification Body: Select an accredited and independent certification body to perform your audit, ensuring they have no conflict of interest in your implementation.
  • Take the Stage 1 Audit: Complete the initial certification phase focused on your management system documentation, version control, and internal audit readiness.
  • Take the Stage 2 Audit: Undergo the operational ‘show me’ phase where auditors observe your processes and controls in live action to confirm full compliance.
  • Celebrate and Market Your Success: Receive your formal certification and update your marketing materials to demonstrate your commitment to information security to clients and partners.

1. Company Buy In

If you do not have buy in from the owners of the company and your colleagues, you won’t have a good starting point for ISO 27001 certification.

This sounds simple enough, but where do you start? By talking to people, understanding their concerns and creating a shared vision based on the benefits.

For instance you could ask them for their

  • Vision
  • Concerns
  • Pain points

If the goal is to increase sales and win contracts, share that goal and show how an increase in sales directly benefits both the employee, in terms of wages and bonus opportunities, and the company, in terms of share price and dividend returns.

2. Create Policies

Information security policies are the foundation of the management system, but they must be specific to your organisation to be of any use.

They should reflect what you actually do, and they should be based on best practice and industry standards.

You can research the information security standards that are out there and compile your own set of information security policies, or you can purchase a trusted, proven pack of ISO 27001 Policy Templates that are pre-written and ready to go.

Whichever route you take, you want policies that set out what you do, not how you do it, and you want to agree them and share them throughout the business.

You can learn how to implement ISO 27001 Policies in this easy to follow guide: How to implement ISO 27001 Clause 5.2 Policy and Pass the Audit

3. Build the Information Security Management System

ISO 27001 is the standard for an information security management system (ISMS). The standard is clear on what needs to be addressed, but the art is in how you go about addressing it.

You can get a copy of the standard and work through the management system requirements in clauses 4 to 10 and the Annex A controls, creating documents and processes that satisfy each requirement. The benefit of this is that you will learn a lot about the standard; the downside is that it is going to take you a long time, and most likely you or your staff will want to take expensive training as well.

You could purchase a trusted Information Security Management System with the Ultimate ISO 27001 Toolkit and save yourself over a month of time and those expensive training costs to fast track this step.

You can learn how to implement an ISO 27001 Information Security Management System (ISMS) in this easy to follow guide: ISO 27001 The Information Security Management System (ISMS)

4. Write down the Business Processes

We can be a little more specific with this step. You want to write down the processes around information security that are required by the standard.

You will already be doing most of what is required in one shape or form. You just need to write down what you do.

Then you need to compare it with the Annex A controls to see if there are any gaps or enhancements needed.

For small companies it is highly recommended to have one document, call it the Information Security Operations Manual and have all your processes recorded in here for ease and convenience.

Don’t forget, when writing down a business process, to include the exceptions step. The exceptions step is the step in the process for when things do not go to plan. What happens if the process throws out an unexpected result? Write that down.

You can learn more about how to implement documented information for ISO 27001 in this easy to follow guide: ISO 27001 Documented Information

5. Implement the Controls

The ISO 27001 controls are contained in ISO 27001 Annex A. You can read a detailed reference guide on the ISO 27001:2022 Annex A controls that shows you exactly what you need to do and how to do it. Annex A is a list of common ISO 27001 controls that companies are expected to have considered and implemented where appropriate.

There is nothing scary or hard in here.

Go through the ISO 27001 Annex A and record what you do to meet each control. If you do nothing, implement something. If you do something but you could do it better, improve it. If you decide a control does not apply to you, record that decision and the reason for it in your Statement of Applicability, because the auditor will ask for the justification.

6. Audit Yourself

Audit is the act of checking that something is as it should be.

By this step you have your policies and your information security management system, your controls are in place and your processes are documented.

You have achieved a lot so far. Now it is time to check that it is all as it should be.

Using an ISO 27001 audit spreadsheet you now want to do the audit. You can read the guide on – How to Conduct an Internal Audit for the steps on how to do it.

7. Choose who will certify you

Certification cannot be performed by any Tom, Dick or Harry. Companies that certify you have to follow some basic rules:

  • They cannot implement, or help you to build or run, your ISO 27001 ISMS, as that would be a conflict of interest
  • They have to be accredited (in the UK, by UKAS)

They are all regulated in how they certify you and, whilst costs will differ, the end result is the same. Choose your certification body wisely. We know the good, the bad and the ugly. You can always ask us if you need a little help.

Most certification bodies use independent contractors to conduct the certification audits.

Once you have chosen your certification body they will give you a quote and set the dates for the certification audit.

8. Take the ISO 27001 Stage 1 Certification Audit

The certification audit is split over 2 audits, called Stage 1 and Stage 2.

The Stage 1 audit focuses heavily on the information security management system itself. Make sure all your document versions and version control are correct, all review comments have been removed from documents, documents carry the correct classification and that you have conducted at least one internal audit and one management review.

Having people available for the audit will make things go a lot more smoothly. This part is more about planning and logistics than anything else.

Relax, you have worked hard to get to this point. The auditor is not out to fail you. They are on your side.

9. Take the ISO 27001 Stage 2 Certification Audit

The Stage 2 audit is all about you and how you operate. This part of the process is the ‘Show Me’ step.

The Show Me Step is where the auditor wants to see your processes and controls in action.

They are going to ask you to log into systems, walk them through steps, ask questions – all with the intent of seeing that things are working as they should be.

These are things you do day in day out. There is nothing to worry about. Have the people that do the work available and you will breeze through.

10. You are Certified – Celebrate

You have successfully reached the end of the process. The auditor will issue a report and, assuming you passed, will recommend that you are certified. You will receive your certificate in 6 to 8 weeks depending on how good their admin is. The certificate runs on a three year cycle: expect an annual surveillance audit in each of the following two years and a full recertification audit in the third.

What if you didn’t pass?

If you didn’t pass, don’t worry. The auditor will record the findings as nonconformities, and most certification bodies will give you a few weeks to fix them. When you show evidence that they are fixed they will recommend you for certification.

It is now time to update your marketing and sales to show you are certified and tell the world, your clients and your potential new clients.

Well done. You did a great job.

What are the 10 steps to ISO 27001 certification?

The 10 steps to ISO 27001 certification described in this article are a structured cycle of preparation, implementation and audit: 1. Company buy in, 2. Create policies, 3. Build the information security management system, 4. Write down the business processes, 5. Implement the Annex A controls, 6. Audit yourself, 7. Choose a certification body, 8. Take the Stage 1 audit, 9. Take the Stage 2 audit, and 10. Celebrate and market your success.

How long does it take to get ISO 27001 certified?

ISO 27001 certification typically takes 6 to 12 months for most SMEs. Organisations using pre-built toolkits or automated compliance platforms can shorten this, whereas complex global enterprises may require 18 months or more to achieve full implementation across all business units and jurisdictions.

How much does ISO 27001 certification cost in the UK?

As a guide, the cost of the initial certification audit in the UK typically ranges from £5,000 to £15,000. Total investment, including internal resource allocation and remedial security controls, often exceeds £25,000. Larger organisations should budget £40,000 or more to account for increased complexity and a larger number of audit days.

What are the mandatory documents for ISO 27001 compliance?

ISO 27001:2022 requires a number of documents to satisfy the management system clauses, including:

  • The ISMS Scope Statement (Clause 4.3)
  • Information Security Policy and Objectives (Clause 5.2 & 6.2)
  • Risk Assessment and Treatment Methodology (Clause 6.1.2)
  • The Statement of Applicability (SoA) (Clause 6.1.3)
  • Evidence of Internal Audits and Management Reviews (Clause 9)

Is ISO 27001 worth it for small businesses?

Yes, ISO 27001 is highly valuable for small businesses, as enterprise procurement departments increasingly require it as a prerequisite for vendors. Beyond market access, certification can reduce the impact and cost of a data breach through more effective incident response and preventative risk management controls.
