10 Steps to ISO 27001 Certification

10 Steps to ISO 27001 Certification
10 Steps to ISO 27001 Certification

The 10 steps to ISO 27001 certification is a guide to how to go about it and what needs to be done.

Time needed: 90 days.

  1. Buy In

    In a meeting secure agreement from the leadership team and a budget to proceed. ISO 27001 certification needs the full backing and support of the board of directors and senior management team.

  2. Create Policies

    Using Microsoft Word create ISO 27001 policies. Policies are needed to define what needs to be done to secure information. There are 23 core policies that are needed. Create your policies.

  3. Build the Information Security Management System (ISMS)

    The information security management system needs building and writing and there are 27 core documents that are needed. Build the ISMS.

  4. Build the processes

    Business processes that document how you run your business are needed. If it isn’t written down it doesn’t exist. Document your business processes.

  5. Implement the controls

    ISO 27001 refers to Annex A / ISO 27002 which suggests 114 business wide controls that need to be implemented. Select which controls are relevant, record them in the Statement of Applicability and implement them.

  6. Conduct internal audit

    Internal audit is required on an on going basis and before you undertake the certification. Perform an audit of the ISO 27001 policies, the information security management system and the 114 controls of Annex A / ISO 27002.

  7. Choose your Certification body

    The certification is performed by a UKAS accredited Certification Body. There are several to choose from.

  8. Take the Stage 1 Audit

    The cerfitication body will perform a 2 stage audit visiting you on 2 occasions to check things are in place. Stage 1 mainly looks at the Information Security Management System including policies and documentation.

  9. Take the Stage 2 Audit

    Stage 2 is your second and final visit and audit by the certification body. Stage 2 mainly looks at the processes and the effective operation of the Annex A / ISO 27002 114 controls. Book your Stage 2 audit and make sure you can evidence the operation of processes and controls. Make people available as required.

  10. Certificaiton

    Congratulations! You followed the 10 steps to ISO 27001 certification and all that hard work has paid off and you are now UKAS Certified to ISO 27001. Print your certificate and display it with pride on your website and in your marketing materials. You will now have opened the door to new commercial opportunities and clients.

Scroll to Top