ISO 27001 Certification at a glance
ISO 27001 Certification is a two stage process and takes on average 3 months. You get a bespoke information security management system tailored to your exact needs, built on over 20 proven ISO 27001 policies and 30 industry best practice ISO 27001 documents.
Stage 1 is primarily a documentation audit. It checks that you have the policies, processes and documents in place and focuses on the management system itself (the mandatory clauses 4 to 10 of ISO 27001). It may seek some initial evidence that the information security management system is implemented.
Stage 2 is primarily an evidence audit. It checks that what you say you do, you actually do. It will look for evidence of meetings, risk management, continual improvement and the effective working of processes. It is mainly focused on the Annex A controls, for which ISO 27002 provides the implementation guidance.
ISO 27001 Policies
Information security policies are the foundation of the information security management system and of achieving ISO 27001 certification. We have a complete set, crafted over two decades and in the crucible of hundreds of audits. Depending on your business you will need all or a combination of the following policies.
- Data protection Policy
- Data Retention Policy
- Information Security Policy
- Access Control Policy
- Asset Management Policy
- Risk Management Policy
- Information Classification and Handling Policy
- Information Security Awareness and Training Policy
- Acceptable Use Policy
- Clear Desk and Clear Screen Policy
- Mobile and Teleworking Policy
- Business Continuity Policy
- Backup Policy
- Malware and Antivirus Policy
- Change Management Policy
- Third Party Supplier Security Policy
- Continual Improvement Policy
- Logging and Monitoring Policy
- Network Security Management Policy
- Information Transfer Policy
- Secure Development Policy
- Physical and Environmental Security Policy
- Cryptographic Key Management Policy
- Cryptographic Control and Encryption Policy
- Document and Record Policy
The information security management system documentation is all the administrative documentation that demonstrates you are operating to the standard and meeting the certification requirements. Depending on your business it is likely that you will need:
- Statement of Applicability
- Risk Management
- Context Of Organisation
- Information Security Management System
- Legal Register
- Asset Register
- Audit Management
- Supplier Management
- Plans and Logs
- Business Continuity
- Roles and Responsibilities
- Competency Matrix
- Information Classification
- Management Review Team Meeting
- Incident and Corrective Action Log
- Training and Awareness
- How to Guides
- And more
Frequently Asked Questions – FAQ
ISO 27001 is the international standard for information security management, first published in 2005. An ISO 27001 certificate is usually a requirement of your clients and / or customers; it may be that they want you to have it before they will do business with you. That's ok. We have your back. We have been doing this for over 20 years with hundreds of clients. Let us take care of it for you whilst you concentrate on running and building your awesome business.
Once you have chosen and engaged your accredited certification body they will operate a 2 stage process, referred to as Stage 1 and Stage 2. If all goes well then after Stage 2 they will issue your certificate.
Stage 1 – is the information security management system in place? Typically this audit looks for the documentation, the policies and the processes, and is focused on the administration. The auditor will expect to see some operation, but not all evidence of implementation will be covered.
Stage 2 – is it operating, and operating effectively? Typically this audit looks for evidence that what you said in Stage 1 you are doing, you are actually doing. It is a more in depth audit that reviews the Annex A controls from the Statement of Applicability (114 controls in ISO 27001:2013) and whether they are effective or not.
The certification process is dependent on the availability of the certification body, and these are in high demand. Book sooner rather than later to secure a date. If you are lucky you may get a date for your Stage 1 audit within 30 days, but this can range from 3 to 12 months out. Your Stage 2 audit will then be between 30 and 90 days after the Stage 1 audit completes. Typically your audit dates will span 6 months from contact to certificate. This assumes, of course, that you have built your ISO 27001 implementation and are operating it effectively. You can explore more on what is involved on our ISO 27001 page.
Do I need a UKAS accredited certificate?
In theory yes. The requirement is for a UKAS accredited certificate, but all of the following are valid in certain circumstances:
- Anyone verifying you
- An accredited company verifying you
- A UKAS accredited body verifying you
The reason you need the UKAS accredited certificate is that the people asking you for a certificate will expect it. The other options might work for your marketing team and website, but to win work and tenders, and with anyone who works in the industry, only a certificate issued by a UKAS accredited body (or, outside the UK, by a body accredited by the equivalent national accreditation body) will be accepted as ISO 27001 certification.
20+ Years Experience
Hundreds of audits
Hundreds of Implementations
ISO 27001 Lead Implementer
ISO 27001 Lead Auditor
PCI DSS QSA
The costs vary by certification body. Take a look at the ISO 27001 costs overview.