the ultimate ISO 27001 guide
By the time you reach the bottom of this page, you’ll understand what ISO 27001 is, why you need it, how to implement it quickly and affordably.
Whether you’re a complete novice or just need clarity in certain areas, it’s all here.
Want to know everything there is to know about ISO 27001 (including the stuff the industry doesn’t want you to know)?
Let’s get into it…
What is ISO 27001?
ISO 27001 is an internationally recognised standard for information security that provides guidelines for creating and maintaining an effective information security management system (ISMS).
An ISMS is a framework of policies, procedures and controls designed to monitor and protect your business’s sensitive data – basically, a big, hairy bodyguard for information.
By implementing an ISMS, you can better protect your information and assets from cyber threats, data breaches, and other security risks.
What is ISO 27001:2022?
In October 2022 the ISO 27001 standard changed. ISO 27001:2022 is the updated version of the internationally recognised ISMS standard.
From security changes to new clauses, if you want the full lowdown on what changed for the 2022 update, we’ve listed each change along with a full comparison of each version of the standard.
DO IT YOURSELF ISO 27001
STOP SPANKING £10,000s on CONSULTANTS and ISMS ONLINE PLATFORMS
Who Needs ISO 27001?
Any organisation that handles personal information, financial data or intellectual property should implement ISO 27001. The bottom line is, if you handle any kind of confidential information (and let’s be real, who doesn’t these days?) getting your ISO 27001 certificate is a must.
What does ISO 27001 certification mean for your business?
ISO 27001 certification offers an impartial, external validation that a company’s ISMS fulfils the ISO 27001 standard criteria.
Put simply, ISO 27001 is your badge of honour.
ISO 27001 Benefits
- It shows your clients that you’re fully compliant, serious about meeting information security standards and follow best practices to keep their confidential data secure. They want to know that you give a sh*t about protecting their business.
- ISO 27001 certification could save you millions in the long run. Data breeches are expensive and don’t just cause financial damage – they can cost you your reputation.
- It gives you a competitive edge. A company is more likely to choose a provider who is ISO 27001 certified over one that isn’t. It’s a no brainer!
- Many of the ISO 27001 conditions also satisfy GDPR and data protection requirements, showing regulatory bodies that you mean business when it comes to risk management. Happy days.
- If you’re a small business and want to bid for those bigger tenders and win meatier clients (and who doesn’t!?), ISO 27001 is your route to success.
These days, many companies expect their providers to be ISO 27001 certified, so we’re going to break the ISO 27001 certification process down step-by-step. Then, we’re going to let you in on you how to nail your certification, without breaking the bank.
How to get ISO 27001 certified quickly and easily
The easiest and fastest way to achieve ISO 27001 accreditation is to download the ISO 27001 toolkit and follow the How to Implement ISO 27001: A Step-By-Step Guide.
Another option is to bring in a trusted ISO 27001 expert (like the ISO 27001 Ninja) who will coach you through the process, without dragging it out or overcharging. Why not book a free call?
ISO 27001 secrets uncovered
This is the part where we told you we’d dish the dirt on the industry. Greedy consultants will tell you that you need to hire them to get certified, which will cost you a fortune and take much longer than it should. (Because they want you to part with as much of your hard-earned cash as possible!)
Why do we know this? Full disclosure: we’ve been those consultants (hey, it was our job!).
High Table have transformed the ISO 27001 process. We decided to do things differently and combine 20 years’ experience, knowledge and wisdom and offer something unheard of in the ISO 27001 space: value.
Why? Because we’re the ISO 27001 people, and we’re done with other providers alienating smaller businesses like yours by charging daft money for something that can be done on a budget.
Can you implement ISO 27001 yourself?
Hell to the YES you can DIY your ISO 27001 certification. Don’t listen to anyone who tells you otherwise. Granted, it’s a slog, but the great news is: there is a shortcut. You can get certified yourself, with a little help from High Table. All you need is the ISO 27001 Toolkit. This toolkit is designed to save businesses like yourstime, money and stress. We’ve perfected the certification process to empower you to do it yourself – genius, isn’t it? Goodbye money-grabbing consultants. Hello new business!
What is the ISO 27001 certification process?
To get certified you must follow these steps:
- Identify the information assets that need protection and the processes that need to be included in the Information Security Management System (ISMS).
- Identify the risks to the information assets and evaluate their impact. This helps to prioritise which risks to address first and what controls to implement.
- Once the controls have been identified, the organisation needs to implement them.
- Conduct internal audits to make sure that the ISMS is operating properly and meets the ISO 27001 standard.
- Conduct a management review of the ISMS to make sure it’s meeting the organisation’s goals and objectives.
- An external certification body will perform an audit to determine whether the ISMS meets the ISO 27001 standard. If it does, ISO 27001 certificate granted. Done and dusted.
Have we lost you? It’s dull, we know. Of course, by downloading and following this ISO 27001 Toolkit, or bringing in the ISO 27001 Ninja, you can dodge the hard work, because we’ve already done it for you. Hey, don’t mention it!
How much does ISO 27001 certification cost?
The cost of getting ISO 27001 certified completely depends on how you want to play it.
You’ll need to cover two sets of costs in the certification process:
- The cost to implement and run the ISO 27001 ISMS
- The cost to take the certification audit
What you end up paying depends on these factors:
- How big your business is
- How risky you are seen to be
- The UKAS accredited certification body you decide to go with
Do you want to do it yourself? Employ someone full-time? Hire a contractor? Or instruct a consultant?
The problem is, most of the time, people don’t know what their options are and end up getting stung.
A Comparison of ISO 27001 Implementation Options and Costs
Considering the approaches of doing it yourself, getting a contractor or employing High Table let us compare typical expected costs side by side.
Do It Yourself
£500
30 to 90 days duration
Comes with all templates, policies, guides
Track record of delivery and certification
Consultant
£5k to £15k
5 to 15 days duration
Comes with all policies
Track record of delivery and certification
Employee
£40k+ per year
6 to 12 months duration
Needs to write all policies
Contractor
£39k to £160k
3 to 12 months duration
Will write all policies
Let’s be upfront about this.
If you have time on your side, the cheapest and easiest way for a small business like yours to get ISO 27001 certification is by choosing the High Table ISO 27001 Toolkit route.
DO IT YOURSELF ISO 27001
STOP SPANKING £10,000s on CONSULTANTS and ISMS ONLINE PLATFORMS
But, if you’re time-poor and need someone to take it completely off your hands, or coach you through the process – MAKE SURE YOU DO YOUR RESEARCH! Consultants don’t have to cost the earth. (If they do, you’re not choosing wisely!)
How long does it take to get ISO 27001 certified?
How long’s a piece of string? The ISO 27001 certification process is different for every business and takes as long as it takes. As a rough guide, factor in around 3 months: 30 days to implement the information security management system and ISO 27001 itself, plus a further 60 days to implement and evidence the required controls.
Here are some stumbling blocks that can impact the process:
- Your ability to book a certification audit based on their availability
- Your ability to implement and evidence the required ISO 27001 controls
Does ISO 27001 expire?
Unfortunately, nothing lasts forever. Sorry to burst your ISO 27001 bubble! Once you’ve been accredited, your certification will last three years. But next time around, you should be much more familiar with the process.
ISO 27001 certification: a complete breakdown
We said we’d tell you everything you need to know about ISO 27001, but we also told you we’d keep it simple and talk to you like a human – so here goes.
You’re probably wondering where to begin…
First up… let’s start with policies!
ISO 27001 Policies
ISO 27001 policies are used to explain to people what is expected of them.
Here are the most important elements of creating winning ISO 27001 policies:
Quality
Once upon a time, re-using policies from your previous job or cobbling together some rubbish you found on the internet was acceptable. Not anymore. That’s a sure-fire way to fail your certification.
Quality is king. Creating decent policy content isn’t easy, but luckily, there’s no longer a need to create your own policies from scratch. At High Table, we’ve created a policy toolkit brimming with ready-to-edit policies that will save you up to 240 hours of work. Genius, we know.
Intent
ISO 27001 puts a lot of emphasis on intent. It wants the reader of policies to understand exactly what is required of them when they read the policy.
As the policy writer, you need to know your sh*t. For example, you cannot create a policy about acceptable use and then include network cryptography. It doesn’t make sense as network cryptography doesn’t apply to normal people using systems.
ISO 27001 Controls
To get certified, you will need to implement ISO 27001 Controls.
First, you will need to create a Statement of Applicability (SOA). The SOA is the list of ISO 27001 controls that apply to your business.
There are many things to include and consider in ISO 27001 controls, but here are some you should prioritise:
Documentation
ISO 27001 relies heavily on documentation. If it isn’t written down, it does not exist.
Across the entire management system and in particular with controls, you must document what you do and your documents need to follow a predefined mark-up structure.
As a process writer, you need to understand that documents will evolve. They will have version control to track the changes and they will have mark-up. Documents will be reviewed, approved and signed off. They will be communicated to those that need to understand them.
Meet your individual needs
It can be confusing to work out how strong a particular control should be. For example, should our password be 18 characters with a mix of upper and lower case and with at least one special character?
The answer is it depends on your need.
You will have to have to work out what the needs of the business are and what the risks are. The controls that you implement that are a direct result of that business need and those risks.
As a control owner, you are responsible for working out what is reasonable and proportionate, and then documenting, implementing and running that control.
If your controls are deemed too weak and you don’t have an adequate justification and risk management in place – you will fail your certification.
ISO 27001 document markup
Your documents are an important piece of the ISO 27001 puzzle. Without the correct documents, policies, processes and procedures you will not get ISO 27001 certified.
It is not enough to just have the documents, they must also have the correct markup.
Once you know what is needed, it is simply a case of either creating a template that you can reuse or cutting and pasting between documents.
Let’s take a look at the common elements of documents:
Version Control
A document for ISO 27001 is a living document and is always evolving. In the ISO 27001 certification process, the auditor will want to see that it is an active document along with the changes that have been made.
Done properly, this forms part of an effective management system.
As the version control writer, you need to capture the version number, the date of the change, who did the change and detail what the change was.
It is good practice to include document approval as part of your version control to clearly evidence when the document was last reviewed and approved – even if that step did not include any actual changes.
Classification
Classification is the process of saying how important a document is to us. The more important a document is, the more protection we are going to put around it.
Would we want our wage slips and payroll information publishing on the internet? Probably not.
So, for important information we classify it as confidential.
An Owner
Keeping documents up to date is going to require some work.
When it comes to the audit, someone is going to be interviewed and audited.
The question is who?
The answer is the document owner.
As a document owner you are responsible for keeping all documents up to date.
Last Reviewed Date
ISO 27001 sets out the specification for an Information Security Management System (ISMS). It IS a management system. A way to manage information security. It includes an annex, called Annex A which is a list of technical controls that you must consider and implement.
The standard has very specific requirements when it comes to document markup. This means is that the documents that you produce should have version control, a classification, an owner, and a last reviewed date as a minimum. The standard lays out clearly what is required.
ISO 27001 Risk Management
ISO 27001 is a risk-based management system. The controls that you have and the level of control that you put in place is down to you, and the risk you are trying to mitigate.
Compare this to a rule-based system such as PCI DSS that tells you exactly what controls you MUST have in place and the exact level of that control.
You have much more flexibility in a risk-based system. Applying controls that you don’t need, or implementing to a level that exceeds the risk can cost you some serious money. You do not want to screw this part up.
ISO 27001 Continual Improvement
Continual improvement is the process by which your organisation continues to improve its approach to information security. It is baked into the standard. It understands that you won’t get everything right at the beginning, but that as time goes on, you’ll work out a system of doing things better.
You can spot these opportunities for continual improvement as part of the standard by identifying them during internal audits, when incidents occur, or just by brainstorming them.
ISO 27001 Internal Audit
When you embark on your ISO 27001 journey, you make a commitment to being audited… a HELL of a lot.
You will need to appoint an independent, internal auditor who will constantly check that what you are doing meets the requirements of the standard. The output of this is continual improvement. For example, at any stage in the certification process, It may be flagged by the auditor that changes must be made in order to meet the standard, but because it’s an internal appointment, it won’t put your ISO 27001 certification at risk.
Many companies outsource internal auditors, and this could potentially be one of the biggest costs. You must internally audit everything at least once every year and the usual approach is to break it down into chunks that you tackle each month over 12 months.
Compare this with the external audit which is the certification audit. This does the same thing but is much more formal, and getting it wrong can put your hard-earned ISO 27001 certification at risk.
Everything you need to know to get started with ISO 27001: the video
Watch this video before you start your ISO 27001 certification journey. The ISO 27001 Ninja will guide you through the whole process and save you thousands in costly mistakes!
ISO 27001 Clauses
Every ISO 27001 clause is covered, by clause in this ultimate ISO 27001 Reference Guide Clause by Clause.
Every ISO 27001 Annex A control is covered, by control in this Ultimate ISO 27001 Annex A Reference Guide.
Your ISO 27001 certification solution awaits
Are you still breathing?
We told you this was a dry subject. It’s a complicated process that can cost you a fortune and take months of your time.
Now that we’ve told you everything there is to know about ISO 27001, we know what you’re thinking. WTF!?
That’ll take me years!
Where do I even begin?
Don’t sweat it. We’ve got you and we’re here to take the stress away. We can help you get certified 10x faster and 30x cheaper than anyone else.
If you want to know more about the ISO toolkit that will change the game for your business, or want to be coached through the process (without getting ripped off) book your free strategy call.
ISO 27001 FAQ
ISO 27001 is the name and designation given to the international standard for information security. It is an information security management system. It is a series of information security policies, information security documents, information security controls and processes for the management of information security. As a standard you can be assessed against it and a certificate can be issued to demonstrate that you meet the requirements of the standard.
There are two goals for the ISO 27001 standard. The first goal is to provide a bench mark and frame work against which businesses can operate for best practice of information security protection. The second goal is to be able to demonstrate through independent ISO 27001 certification that business meets the requirements of the international standard for information security and there by provide assurance that the business is operating to a certain level.
ISO 27001 can provide a framework to satisfy aspects of GDPR, especially around principle 6 maintain adequate security. It does not make you GDPR compliant and it does not satisfy all of the requirements of the GDPR. Consider it as a complimentary standard and complimentary framework.
At the time of writing ISO/IEC 27001:2022 is the most current version of the standard and incorporates changes made in 2022.
The easiest way is to request a copy of their most up to date certificate and scope statement. You can check the date of the certificate to ensure that it is valid. The certificate will tell you the name of the certification body. You can then search the certification body website for a register of companies that they have certified.
In general no. It can be a requirement of a regulatory body or of a contract but it is not a legal requirement in the widest sense of law. Unlike the GDPR which is a law.
ISO 27001 is only mandatory if an industry regulator mandates it or a contract between you and a customer or supplier mandates it. It is a framework based on risk and as such even the controls within the standard are not mandatory.
The ISO 27001 standard and ISO 27001 certification apply to any business that wants to operate to it and demonstrate best practice for information security management. The number one reason we see a business adopt the ISO 27001 certification is for commercial gain and as a result of being asked for it by a customer on which a commercial contract rests.
Yes. ISO 27001 is a framework made up of policies, documents, controls and processes. It is a risk based framework with continual improvement at it’s heart. It requires top level, leadership commitment.
ISO 27001 certifications costs start at £3,600 and increase based on your company risk and company size.
You can find an ISO 27001 consultant at High Table – The ISO 27001 Company
ISO 27001 certification takes 3 months from start to finish.
Yes, it can be. It is all relative. What is expensive for you may not be expensive for someone else. Expect the total cost of everything to come in at around £20,0000 to £25,0000.
ISO 27001 Annex A changed in 2022. For a list of the changes see the Ultimate Guide to the ISO 27001 Changes
ISO 27001 is a management system and you can certify to ISO 270001.
ISO 27002 is a control set to be considered as part of your implementation and you cannot certify to ISO 27002.
There is an annex to the ISO 27001 called Annex A. Annex A is actually a standard in it’s own right called ISO 27002. ISO 27002 is a list of the technical controls that your organisation has implemented. You record this list of controls in your Statement of Applicability.
The Statement of Applicability is a mandatory document of the ISO 27001 standard. It lists out the controls of ISO 27001 Annex A / ISO 27002 and it records whether the control is applicable to you or not. If not it includes a reason why it does not apply to you.
The ISO 27001 Mandatory Documents are the documents that are required by the ISO 27001 standard. ISO 27001 works on the premise that if it is not written down, it does not exist. It is documentation heavy.
You will need to document all of the processes that are going to be audited for your ISO 27001 certification. The list of controls is Annex is a great starting point for the required processes on top of which the processes for your product or service will also require documenting.
