ISO 27001 can be confusing. Before you embark on your journey, read this ISO 27001 definitive guide to the 25 things that you must know before you spend a single coin of your hard-earned money. It is a minefield out there, designed, mostly, to part you from your hard-earned cash.
#1 What is ISO 27001?
ISO 27001 is the international standard for information security. It is a management system that is aligned with the other ISO standards and their approach to management systems. It is comprised of the ISO 27001 standard, which you can certify against, and Annex A, also known as ISO 27002, which is a list of common controls that the standard wants you to implement based on need. In this article you can read about the difference between ISO 27001 and ISO 27002. It provides a valuable comparison of the two standards. If you already have standards such as ISO 9001 then you will be familiar with the management system approach, as they share many commonalities.
It has been around a long time. An ISO 27001 certification is usually a requirement of your clients and / or customers. It may be that they want you to have it before they will do business with you.
#2 What is ISO 27001 Certification?
ISO 27001 certification is the process of being audited and assessed by a qualified third party against the standard. If you meet the requirements of the standard based on their certification audit process then you will be issued with an ISO 27001 certificate.
#3 Can anyone certify you to ISO 27001?
The shocking truth is yes. It doesn’t play to the narrative of the behemoth organisations that have built up around this to literally farm cash, but in theory, yes, anyone can certify you to ISO 27001 as long as they are independent of you. The requirement for a UKAS or accredited certificate is driven only by what your customers are asking you for. But all of the following are valid in certain circumstances:
- Anyone verifying you
- An accredited company verifying you
- A UKAS or accredited body verifying you
#4 Why do I need a UKAS / accredited body to certify me?
You don’t. Unless you are being asked specifically for it. The reason that you need this is that the people asking you for a certificate have asked you for it.
The bigger the player / client / potential client, the more likely it is that they will specify that only a UKAS or accredited certificate for ISO 27001 certification will be accepted. But check.
#5 How long does ISO 27001 certification take?
The process of ISO 27001 certification takes as long as it takes. As a guide you can work to 30 days to implement the information security management system and ISO 27001 itself and 60 days to implement and evidence the required controls. A 3 month time frame from starting to taking the audit is not uncommon. The things that influence your timelines are:
- Your ability to book a certification audit based on their availability
- Your ability to implement and evidence the required Annex A / ISO 27001 controls
#6 How long does ISO 27001 certification last?
Technically, ISO 27001 certification lasts for 3 years. The caveat is that it is an ongoing process: each year you will be audited on a subset of the standard to ensure that it wasn’t just a one and done for you and that you are still operating the Information Security Management System effectively and as intended. In theory, if you are not, then your certificate can be revoked.
#7 How to get ISO 27001 Certification
The best way to go about getting ISO 27001 certification is to either purchase an ISO 27001 toolkit and follow the How to Implement ISO 27001 a step by step guide or to bring in external help such as ourselves here at High Table.
#8 The ISO 27001 Certification Process
The process of ISO 27001 certification is simple. You implement the information security management system. You implement and evidence the Annex A / ISO 27002 controls. You book and take your ISO 27001 certification with a UKAS or equivalent ISO 27001 certification body.
#9 How much does ISO 27001 certification cost?
There are two types of costs that you will incur: the cost to implement and run the ISO 27001 Information Security Management System, and the cost to take the certification audit, which is the actual ISO 27001 certification cost. You can read more about how much ISO 27001 certification costs in the blog. The actual ISO 27001 certification cost is dependent on many factors such as:
- How big you are
- How risky you are seen to be
- The UKAS accredited certification body that you choose
For a small business you can estimate typical ISO 27001 certification costs of around £5,000 and for a medium size business you can estimate ISO 27001 certification costs of around £10,000.
#10 Can you do ISO 27001 certification yourself?
People often consider doing the ISO 27001 certification themselves without help, without consultants, just going it alone.
It is possible and you can. You are going to trade your time for your money. It is a seesaw and balance. What do you have more of – time? or money?
#11 A free step by step ISO 27001 Implementation Guide
If you are going to implement ISO 27001 yourself then you won’t go wrong with this free, step by step guide.
Practical real world videos from a real life implementation walk you through exactly what needs to be done.
#12 Should you employ someone full time to do ISO 27001?
People often consider employing someone full time to do ISO 27001 and take them through ISO 27001 certification. It is an option, but in reality this is not a full time job. It is an expensive option, but it is an option.
Unless you are a multinational or have over 250 employees or are particularly complex then employing someone full time is very likely going to be overkill.
There are other, better options, such as bringing in a consultant.
#13 Should I hire a contractor to get us ISO 27001 certified?
A contractor has the same pitfalls as a full time employee but at about 5x the cost. This is the most expensive and least effective way to get ISO 27001 certification.
As with considering a full time employee, unless you are cash rich, complex or a very large organisation then this is going to be overkill and very expensive.
The better option would be bringing in a qualified, experienced consultant. It is going to be cheaper, faster and more effective.
#14 What are the ISO 27001 Certification Stages?
ISO 27001 Stage 1 Audit
The ISO 27001 Stage 1 audit is primarily a documentation audit. It checks that you have the policies, processes and documents in place. It focuses on the information security management system. It may seek some initial evidence that the information security management system is implemented.
ISO 27001 Stage 2 Audit
The ISO 27001 Stage 2 audit is primarily an evidence audit. It checks that what you say you do, you actually do. It will look for evidence of meetings, risk management, continual improvement and the effective working of processes. It is mainly focussed on ISO 27002, often referred to as Annex A.
#15 What is the total cost of ISO 27001 certification?
Taking both the implementation cost and the certification cost into account, the actual cost to implement ISO 27001 and to certify is going to be in the region of £15,000 – £20,000 for a small business and £20,000 – £40,000 for a medium sized business. In addition you have the lost opportunity costs of the staff that will be involved in the process. It is not cheap, and most of the costs will be hidden in labour and time.
#16 What are the benefits of ISO 27001 certification?
There are many benefits of an ISO 27001 certification, but the main ones are financial. It is a cost of doing business, and without it you will lose, or not win, clients. No one does it for the sake of doing it. Weigh up what the commercial return is for you versus the cost of doing it. If it doesn’t make you money, consider working towards it rather than going for ISO 27001 certification.
#17 What happens once you are ISO 27001 certified?
Once you have achieved the ISO 27001 certification you will be issued with a certificate that you can share widely with clients and prospective clients. You can update your marketing materials and website to show that you have it. It is not the end of the process and in 9 to 12 months the auditors will be back again to check that things are still working. The certificate will last you for 3 years if you evidence in the yearly audits that things are still working as intended. At that point you will go through the whole process again from the beginning with all the same associated costs.
#18 Who can certify you to ISO 27001?
The requirement is for a UKAS accredited certificate, but all of the following are valid in certain circumstances:
- Anyone verifying you
- An accredited company verifying you
- A UKAS accredited body verifying you
#19 Why is ISO 27001 certification required?
It can be argued that it is required to make your business more secure and protect your most valuable assets. Many of the controls are requirements of laws and regulations. The reality is that the reason that ISO 27001 certification is required is because your clients and / or potential clients are asking you for it and there is a commercial benefit in having it.
#20 What does ISO 27001 certification mean?
ISO 27001 certification means the process of third party, independent audit and assessment of your ability to meet the requirements of the ISO 27001 standard and the associated Annex A / ISO 27002 controls.
#21 What does ISO 27001 certified mean?
ISO 27001 certified means that you have been through the process of ISO 27001 certification and can evidence it.
#22 How do you maintain ISO 27001 certification?
To maintain the ISO 27001 certification you are going to have to operate the required and mandatory processes of ISO 27001 on an ongoing basis and collect evidence that you have done so. Each year you are going to be audited to show that you are doing so and that the process of continual improvement is operating and effective.
#23 How many companies have ISO 27001 certification?
There is no central register of ISO 27001 certifications so it is not clear how many companies have ISO 27001 certification. You can be assured that the list is those that need it and gain commercial benefits by having it.
#24 What is the scope of ISO 27001 certification?
The scope of ISO 27001 certification is determined by you. It should ideally cover the things that the client or customer is buying from you and as a minimum it should cover what you have been asked by clients and potential clients for it to cover. Spend time to get the scope right.
#25 ISO 27001 Certification – Everything You Need to Know to get Started
This is everything you need to know to get started with ISO 27001. These are all the questions that we get asked when starting an engagement, and the answers cover everything that you need to know. Taken from a real world training session to give you the deep, detailed, real world insights.
What mandatory ISO 27001 documents do I need?
ISO 27001 Policies
Information security management policies are a foundation of the information security management system and of achieving ISO 27001 certification. You are going to need the following ISO 27001 policies:
- Data protection Policy
- Data Retention Policy
- Information Security Policy
- Access Control Policy
- Asset Management Policy
- Risk Management Policy
- Information Classification and Handling Policy
- Information Security Awareness and Training Policy
- Acceptable Use Policy
- Clear Desk and Clear Screen Policy
- Mobile and Teleworking Policy
- Business Continuity Policy
- Backup Policy
- Malware and Antivirus Policy
- Change Management Policy
- Third Party Supplier Security Policy
- Continual Improvement Policy
- Logging and Monitoring Policy
- Network Security Management Policy
- Information Transfer Policy
- Secure Development Policy
- Physical and Environmental Security Policy
- Cryptographic Key Management Policy
- Cryptographic Control and Encryption Policy
- Document and Record Policy
The information security management system documentation is all the administrative documentation that demonstrates you are operating to the standard to meet the certification requirements. Based on your business it is likely that you will need:
- Statement of Applicability
- Risk Management
- Context Of Organisation
- Information Security Management System
- Legal Register
- Asset Register
- Audit Management
- Supplier Management
- Plans and Logs
- Business Continuity
- Roles and Responsibilities
- Competency Matrix
- Information Classification
- Management Review Team Meeting
- Incident and Corrective Action Log
- Training and Awareness
- How to Guides
- And more
ISO 27001 FAQ
ISO 27001 is the international standard for information security. It has been around a long time. An ISO 27001 certification is usually a requirement of your clients and / or customers. It may be that they want you to have it before they will do business with you. That’s ok. We have your back. We have been doing this for over 20 years with hundreds of clients. Let us take care of it for you whilst you concentrate on running and building your awesome business.
Once you have chosen and engaged your accredited certification company they will operate a 2 stage process. They refer to this as Stage 1 and Stage 2. If all goes well then after Stage 2 they will issue you your certificate.
Stage 1 – is the information security management system in place? Typically this audit looks for the documentation, the policies and the processes, and is looking at the administration. They will expect some operation, but not all evidence of implementation will be covered.
Stage 2 – is it operating, and operating effectively? Typically this audit looks for evidence that what you said in Stage 1 you are doing, you are actually doing. It is a more in depth audit that will review the 114 controls from the Statement of Applicability and whether they are effective or not.
The certification process is dependent on the availability of the certification body, and these are in high demand. Book sooner rather than later to secure a date. If you are lucky you may get a date for your Stage 1 audit within 30 days, but this can range from 3 to 12 months out. Your Stage 2 audit will then be between 30 and 90 days after the Stage 1 audit completes. Typically your audit dates will span 6 months from contact to certificate. This assumes that you have built your ISO 27001 implementation and are operating it effectively, of course. You can explore more on what is involved on our ISO 27001 page.
In theory, yes. The requirement is for a UKAS accredited certificate, but all of the following are valid in certain circumstances:
- Anyone verifying you
- An accredited company verifying you
- A UKAS accredited body verifying you
The reason that you need this is that the people asking you for a certificate will expect it. The other options might work for your marketing team and website, but to win work and tenders, and to anyone that works in the industry, only a UKAS certificate for ISO 27001 certification will be accepted.
20+ Years Experience
Hundreds of audits
Hundreds of Implementations
ISO 27001 Lead Implementor
ISO 27001 Lead Auditor
PCI DSS QSA
The costs vary by certification body. Take a look at the ISO 27001 costs overview.
8 Steps to ISO 27001 Certification
Time needed: 90 days.
How to get ISO 27001 certified
- Implement ISO 27001 policies
Information security policies are required that set out what the business does when it comes to information security. The information security policies can be downloaded here: https://hightable.io/product/iso-27001-policy-template-bundle/
- Implement an Information Security Management System
ISO 27001 is an information security management system. Implement an information security management system that meets the requirements of the ISO 27001 standard. The Information Security Management System can be downloaded here: https://hightable.io/product/iso-27001-templates-toolkit/
- Implement the required controls of Annex A/ ISO 27002
- Perform an internal audit to ensure it is working effectively
- Book your UKAS accredited ISO 27001 certification audit
Choose your preferred UKAS accredited or similar audit company and book your ISO 27001 certification as early as you can to give yourself the best chance of securing the dates and timeframes that you need.
- Take your ISO 27001 stage 1 audit
Take the stage 1 audit which is primarily a documentation audit against the ISO 27001 standard.
- Take your ISO 27001 stage 2 audit
Take the stage 2 audit, which is primarily an evidence-based audit against ISO 27001 and the controls of Annex A / ISO 27002.
- Display your ISO 27001 certificate with pride
Once issued with your ISO 27001 certificate, display it with pride and share it with clients and potential clients as a mark of your solid approach to information security.
A Trusted Partner, A Safe Pair of Hands
We are with you every step of the way. As a safe pair of hands, we have been through this many, many times. We know what is expected. Our process is simple, streamlined and cost effective.
To date we have never had a client fail ISO 27001 certification when fully managed.