ISO 27001 Certification in 10 Simple Steps



Need to achieve ISO 27001 certification? This article outlines 10 proven steps to help your business meet this growing industry standard. As a business owner, you know the importance of strong information security. While you may have implemented some measures, this guide will show you how to take your security to the next level.

1. Secure executive support

Gaining board approval is crucial for ISO 27001 certification. In your next leadership meeting, secure their support by outlining the benefits and securing a budget allocation. Remember, ISO 27001 certification requires the full backing of your board of directors and senior management team.

2. Create your policies

Strong information security policies are essential for protecting your data. These policies should be tailored to your specific organisation and based on industry best practices. Consider researching existing security standards or purchasing pre-written ISO 27001 policy templates. Your policies should define what you do, not how you do it. Once created, ensure they are agreed upon and shared throughout your company.

To learn how to effectively implement ISO 27001 policies, check out our guide: How to Implement ISO 27001 Clause 5.2 Policy and Pass the Audit.

3. Build your ISMS

ISO 27001 is a comprehensive information security management system (ISMS). While the standard outlines the requirements, implementing it effectively is the key. You can either purchase a copy of the standard and build your ISMS from scratch, which can be time-consuming and expensive, or you can speed up the process with a trusted ISO 27001 toolkit. Our guide, ISO 27001: The Information Security Management System (ISMS), provides step-by-step instructions to help you implement the standard efficiently.


4. Document your processes

You’ll need to document the information security processes required by ISO 27001. Chances are, you’re already doing most of what’s necessary. Simply write down your existing processes and compare them to the Annex A controls to identify any gaps or areas for improvement.

For smaller companies, creating a comprehensive Information Security Operations Manual can streamline this process. This single document will house all your documented processes.

Remember to include an ‘exceptions’ step in each process. This outlines what happens when things don’t go as planned. By documenting exceptions, you’ll ensure a robust and resilient security system.

To learn more about documenting information for ISO 27001, check out our guide: ISO 27001 Documented Information.

5. Put controls in place

The ISO 27001 controls are outlined in ISO 27001 Annex A. Our detailed reference guide explains each control, providing step-by-step guidance on implementation. Annex A lists common security controls that most companies should consider. There’s no need to be intimidated. Simply review Annex A and assess your current practices. If you’re already doing something, document it. If not, implement a suitable control. And if you can improve your existing measures, do so.

6. Conduct an internal audit

An audit is a verification process to ensure everything is in place and functioning as it should. At this stage, you’ve established your policies, ISMS, controls, and documented processes. That’s a significant achievement.

Now, it’s time to audit your system. Use an ISO 27001 audit spreadsheet and follow our guide, How to Conduct an Internal Audit, for detailed steps on conducting a thorough evaluation.

7. Choose a certification body

ISO 27001 certification is a rigorous process that requires a qualified certification body. These organisations are subject to strict regulations and cannot provide implementation assistance. While costs may vary, the end result is the same. Choose your certification body carefully and consider the list of Top 10 ISO 27001 Companies and Top 10 ISO 27001 Certification Bodies.

Once you’ve selected a body, they’ll provide a quote and schedule the certification audit.

8. Take the Stage 1 audit

The certification audit is split over 2 audits, called Stage 1 and Stage 2.

The Stage 1 audit focuses heavily on the information security management system itself. Make sure all your document versions and version control are correct, all comments have been removed from documents, documents carry the correct classification, and that you have conducted at least one internal audit.

Having people available for the audit will make things go a lot more smoothly. This part is more about planning and logistics than anything else.

Relax, you have worked hard to get to this point. The auditor is not out to fail you. They are on your side.

9. Take the Stage 2 audit

The Stage 2 audit is all about you and how you operate. This part of the process is the ‘Show Me’ step: the auditor wants to see your processes and controls in action.

They are going to ask you to log into systems, walk them through steps, ask questions – all with the intent of seeing that things are working as they should be.

These are things you do day in day out. There is nothing to worry about. Have the people that do the work available and you will breeze through.

10. Certification

Congratulations! You’ve successfully completed the ISO 27001 certification process. The auditor will issue a report, and if you’ve passed, they’ll recommend certification. Your certificate should arrive within 6-8 weeks, depending on the certification body’s efficiency.

Now that you’re certified, it’s time to update your marketing and sales materials to showcase your achievement. Let the world know that you’ve implemented a robust information security management system. Well done!

FAQ

What if you didn’t pass?

If you didn’t pass, don’t worry. Most certification bodies will give you a few weeks to fix the things that didn’t work, and when you show you have fixed them, they will recommend you for certification.

Does ISO 27001 Certification Work?

The short answer is a resounding “Yes”. The reason it works is that more and more potential clients will not sign a deal with you unless you have it. You wouldn’t be here if someone hadn’t asked you to have it.

ISO 27001 certification, or the fact of being certified, can increase sales. It offers multiple other benefits, too, such as:

- Significantly less time spent on security questionnaires
- Higher customer satisfaction and confidence
- A differentiator from your competitors

72 percent of businesses say they only engage with companies that are ISO 27001 certified, and most customers expect companies to understand their information security needs.
