Let's get certified
ISO 27001 Certification
We look at what is ISO 27001 certification, how much does ISO 27001 certification cost, how long will it take you and what are your options for getting ISO 27001 certified.
What is ISO 27001 certification
ISO 27001 certification is the process of an independent third party verifying that you meet the requirements of the standard.
Can anyone verify you meet the requirements?
In theory yes. The requirement is for a UKAS accredited certificate but all of the following are valid in certain circumstances
- Anyone verifying you
- An accredited company verifying you
- A UKAS accredited body verifying you
You need a UKAS accredited body verifying you
The reason that you need this is that the people asking you for a certificate will expect it. The other options might work for your marketing team and website but to win work and tenders and to anyone that works in the industry then only a UKAS certificate for ISO 27001 certification will be accepted.
How much does ISO 27001 certification cost
For the certification itself you are looking at Year 1 costs from the certification company of around £8000 plus VAT. We covered a breakdown of cost in our post How much does ISO 27001 cost.
What is the ISO 27001 certification process
Once you have chosen and engaged your accredited certification company they will operate a 2 stage process. They refer to this as Stage 1 and Stage 2. If all goes well then after Stage 2 they will issue you your certificate.
Stage 1 – is the information security management system in place. Typically this audit looks for the documentation, the policies and the processes and is looking at the administration. They will expect some operation but not all evidence of implementation will be covered.
Stage 2- is it operating and operating effectively. Typically this audit looks for evidence that what you said in stage 1 you are doing, you are actually doing. A more in depth audit that will review the 114 controls from the statement of applicability and wether they are effective or not.
How long does ISO 27001 certification take
The certification process is dependant on the availability of the certification body and these are in high demand. Book sooner rather than later to secure a date. If you are lucky you may get a date for your Stage 1 audit within 30 days but this can range from 3 to 12 months out. Your Stage 2 audit will then be between 30 and 90 days after the Stage 1 audit completes. Typically your audit dates will span 6 months from contact to certificate.
This assumes that you have built your ISO 27001 implementation and are operating it effectively of course. You can explore more on what is involved on our ISO 27001 page.