ISO 27001 Explained Simply

Home / ISO 27001 / ISO 27001 Explained Simply

the ultimate ISO 27001 guide

By the time you reach the bottom of this page, you’ll understand what ISO 27001 is, why you need it, how to implement it quickly and affordably.

Whether you’re a complete novice or just need clarity in certain areas, it’s all here.

Want to know everything there is to know about ISO 27001 (including the stuff the industry doesn’t want you to know)?

Let’s get into it…

What is ISO 27001?

ISO 27001 is an internationally recognised standard for information security that provides guidelines for creating and maintaining an effective information security management system (ISMS). 

An ISMS is a framework of policies, procedures and controls designed to monitor and protect your business’s sensitive data – basically, a big, hairy bodyguard for information.

By implementing an ISMS, you can better protect your information and assets from cyber threats, data breaches, and other security risks. 

What is ISO 27001:2022?

In October 2022 the ISO 27001 standard changed. ISO 27001:2022 is the updated version of the internationally recognised ISMS standard.

From security changes to new clauses, if you want the full lowdown on what changed for the 2022 update, we’ve listed each change along with a full comparison of each version of the standard


Stop Spanking £10,000’s on Consultants and Platforms

ISO 27001 Toolkit Business Edition

Who Needs ISO 27001?

Any organisation that handles personal information, financial data or intellectual property should implement ISO 27001. The bottom line is, if you handle any kind of confidential information (and let’s be real, who doesn’t these days?) getting your ISO 27001 certificate is a must.

What does ISO 27001 certification mean for your business?

ISO 27001 certification offers an impartial, external validation that a company’s ISMS fulfils the ISO 27001 standard criteria. 

Put simply, ISO 27001 is your badge of honour. 

ISO 27001 Benefits

  • It shows your clients that you’re fully compliant, serious about meeting information security standards and follow best practices to keep their confidential data secure. They want to know that you give a sh*t about protecting their business.
  • ISO 27001 certification could save you millions in the long run. Data breeches are expensive and don’t just cause financial damage – they can cost you your reputation.
  • It gives you a competitive edge. A company is more likely to choose a provider who is ISO 27001 certified over one that isn’t. It’s a no brainer!
  • Many of the ISO 27001 conditions also satisfy GDPR and data protection requirements, showing regulatory bodies that you mean business when it comes to risk management. Happy days.
  • If you’re a small business and want to bid for those bigger tenders and win meatier clients (and who doesn’t!?), ISO 27001 is your route to success. 

These days, many companies expect their providers to be ISO 27001 certified, so we’re going to break the ISO 27001 certification process down step-by-step. Then, we’re going to let you in on you how to nail your certification, without breaking the bank.

How to get ISO 27001 certified quickly and easily

The easiest and fastest way to achieve ISO 27001 accreditation is to download the ISO 27001 toolkit and follow the How to Implement ISO 27001: A Step-By-Step Guide

Another option is to bring in a trusted ISO 27001 expert (like the ISO 27001 Ninja) who will coach you through the process, without dragging it out or overcharging. Why not book a free call?

ISO 27001 secrets uncovered

This is the part where we told you we’d dish the dirt on the industry. Greedy consultants will tell you that you need to hire them to get certified, which will cost you a fortune and take much longer than it should. (Because they want you to part with as much of your hard-earned cash as possible!) 

Why do we know this? Full disclosure: we’ve been those consultants (hey, it was our job!).

High Table have transformed the ISO 27001 process. We decided to do things differently and combine 20 years’ experience, knowledge and wisdom and offer something unheard of in the ISO 27001 space: value.

Why? Because we’re the ISO 27001 people, and we’re done with other providers alienating smaller businesses like yours by charging daft money for something that can be done on a budget.

Can you implement ISO 27001 yourself?

Hell to the YES you can DIY your ISO 27001 certification. Don’t listen to anyone who tells you otherwise. Granted, it’s a slog, but the great news is: there is a shortcut. You can get certified yourself, with a little help from High Table. All you need is the ISO 27001 Toolkit. This toolkit is designed to save businesses like yours time, money and stress. We’ve perfected the certification process to empower you to do it yourself – genius, isn’t it? Goodbye money-grabbing consultants. Hello new business!

What is the ISO 27001 certification process?

To get certified you must follow these steps:

  1. Identify the information assets that need protection and the processes that need to be included in the Information Security Management System (ISMS).
  2. Identify the risks to the information assets and evaluate their impact. This helps to prioritise which risks to address first and what controls to implement.
  3. Once the controls have been identified, the organisation needs to implement them. 
  4. Conduct internal audits to make sure that the ISMS is operating properly and meets the ISO 27001 standard.
  5. Conduct a management review of the ISMS to make sure it’s meeting the organisation’s goals and objectives.
  6. An external certification body will perform an audit to determine whether the ISMS meets the ISO 27001 standard. If it does, ISO 27001 certificate granted. Done and dusted.

Have we lost you? It’s dull, we know. Of course, by downloading and following this ISO 27001 Toolkit, or bringing in the ISO 27001 Ninja, you can dodge the hard work, because we’ve already done it for you. Hey, don’t mention it!

Check out the ultimate list of Top 10 ISO 27001 Certification Companies / Bodies

How much does ISO 27001 certification cost?

The cost of getting ISO 27001 certified completely depends on how you want to play it. 

You’ll need to cover two sets of costs in the certification process:

  1. The cost to implement and run the ISO 27001 ISMS 
  2. The cost to take the certification audit 

What you end up paying depends on these factors:

  • How big your business is
  • How risky you are seen to be
  • The UKAS accredited certification body you decide to go with

Do you want to do it yourself? Employ someone full-time? Hire a contractor? Or instruct a consultant?

The problem is, most of the time, people don’t know what their options are and end up getting stung.

For a detailed breakdown on what you can expect read this ultimate guide to ISO 27001 Certification Cost.

A Comparison of ISO 27001 Implementation Options and Costs

Considering the approaches of doing it yourself, getting a contractor or employing High Table let us compare typical expected costs side by side.

Do It Yourself


30 to 90 days duration

Comes with all templates, policies, guides

Track record of delivery and certification


£5k to £15k

5 to 15 days duration

Comes with all policies

Track record of delivery and certification


£40k+ per year

6 to 12 months duration

Needs to write all policies


£39k to £160k

3 to 12 months duration

Will write all policies

Let’s be upfront about this.

If you have time on your side, the cheapest and easiest way for a small business like yours to get ISO 27001 certification is by choosing the High Table ISO 27001 Toolkit route.


Stop Spanking £10,000’s on Consultants and Platforms

ISO 27001 Toolkit Business Edition

But, if you’re time-poor and need someone to take it completely off your hands, or coach you through the process – MAKE SURE YOU DO YOUR RESEARCH! Consultants don’t have to cost the earth. (If they do, you’re not choosing wisely!)

This guide is ISO 27001 Certification Cost is invaluable.

How long does it take to get ISO 27001 certified?

How long’s a piece of string? The ISO 27001 certification process is different for every business and takes as long as it takes. As a rough guide, factor in around 3 months: 30 days to implement the information security management system and ISO 27001 itself, plus a further 60 days to implement and evidence the required controls.

Here are some stumbling blocks that can impact the process:

  • Your ability to book a certification audit based on their availability
  • Your ability to implement and evidence the required ISO 27001 controls

Does ISO 27001 expire?

Unfortunately, nothing lasts forever. Sorry to burst your ISO 27001 bubble! Once you’ve been accredited, your certification will last three years. But next time around, you should be much more familiar with the process.

ISO 27001 certification: a complete breakdown

We said we’d tell you everything you need to know about ISO 27001, but we also told you we’d keep it simple and talk to you like a human – so here goes. 

You’re probably wondering where to begin… 

First up… let’s start with policies!

ISO 27001 Policies

ISO 27001 policies are used to explain to people what is expected of them.

Here are the most important elements of creating winning ISO 27001 policies:


Once upon a time, re-using policies from your previous job or cobbling together some rubbish you found on the internet was acceptable. Not anymore. That’s a sure-fire way to fail your certification.

Quality is king. Creating decent policy content isn’t easy, but luckily, there’s no longer a need to create your own policies from scratch. At High Table, we’ve created a policy toolkit brimming with ready-to-edit policies that will save you up to 240 hours of work. Genius, we know.


ISO 27001 puts a lot of emphasis on intent. It wants the reader of policies to understand exactly what is required of them when they read the policy.

As the policy writer, you need to know your sh*t. For example, you cannot create a policy about acceptable use and then include network cryptography. It doesn’t make sense as network cryptography doesn’t apply to normal people using systems.

ISO 27001 Controls

To get certified, you will need to implement ISO 27001 Controls.

First, you will need to create a Statement of Applicability (SOA). The SOA is the list of ISO 27001 controls that apply to your business.

There are many things to include and consider in ISO 27001 controls, but here are some you should prioritise:


ISO 27001 relies heavily on documentation. If it isn’t written down, it does not exist.

Across the entire management system and in particular with controls, you must document what you do and your documents need to follow a predefined mark-up structure.

As a process writer, you need to understand that documents will evolve. They will have version control to track the changes and they will have mark-up. Documents will be reviewed, approved and signed off. They will be communicated to those that need to understand them.

Meet your individual needs

It can be confusing to work out how strong a particular control should be. For example, should our password be 18 characters with a mix of upper and lower case and with at least one special character?

The answer is it depends on your need.

You will have to have to work out what the needs of the business are and what the risks are. The controls that you implement that are a direct result of that business need and those risks.

As a control owner, you are responsible for working out what is reasonable and proportionate, and then documenting, implementing and running that control.

If your controls are deemed too weak and you don’t have an adequate justification and risk management in place – you will fail your certification.

ISO 27001 document markup

Your documents are an important piece of the ISO 27001 puzzle. Without the correct documents, policies, processes and procedures you will not get ISO 27001 certified.

It is not enough to just have the documents, they must also have the correct markup.

Once you know what is needed, it is simply a case of either creating a template that you can reuse or cutting and pasting between documents.

 Let’s take a look at the common elements of documents:

Version Control

A document for ISO 27001 is a living document and is always evolving. In the ISO 27001 certification process, the auditor will want to see that it is an active document along with the changes that have been made.

Done properly, this forms part of an effective management system.

As the version control writer, you need to capture the version number, the date of the change, who did the change and detail what the change was.

It is good practice to include document approval as part of your version control to clearly evidence when the document was last reviewed and approved – even if that step did not include any actual changes.


Classification is the process of saying how important a document is to us. The more important a document is, the more protection we are going to put around it.

Would we want our wage slips and payroll information publishing on the internet? Probably not.

So, for important information we classify it as confidential.

An Owner

Keeping documents up to date is going to require some work.

When it comes to the audit, someone is going to be interviewed and audited.

The question is who?

The answer is the document owner.

As a document owner you are responsible for keeping all documents up to date.

Last Reviewed Date

ISO 27001 sets out the specification for an Information Security Management System (ISMS). It IS a management system. A way to manage information security. It includes an annex, called Annex A which is a list of technical controls that you must consider and implement.

The standard has very specific requirements when it comes to document markup. This means is that the documents that you produce should have version control, a classification, an owner, and a last reviewed date as a minimum. The standard lays out clearly what is required.

ISO 27001 Risk Management

ISO 27001 is a risk-based management system. The controls that you have and the level of control that you put in place is down to you, and the risk you are trying to mitigate. 

Compare this to a rule-based system such as PCI DSS that tells you exactly what controls you MUST have in place and the exact level of that control.

You have much more flexibility in a risk-based system. Applying controls that you don’t need, or implementing to a level that exceeds the risk can cost you some serious money. You do not want to screw this part up.

ISO 27001 Continual Improvement

Continual improvement is the process by which your organisation continues to improve its approach to information security. It is baked into the standard. It understands that you won’t get everything right at the beginning, but that as time goes on, you’ll work out a system of doing things better. 

You can spot these opportunities for continual improvement as part of the standard by identifying them during internal audits, when incidents occur, or just by brainstorming them. 

ISO 27001 Internal Audit

When you embark on your ISO 27001 journey, you make a commitment to being audited… a HELL of a lot.

You will need to appoint an independent, internal auditor who will constantly check that what you are doing meets the requirements of the standard. The output of this is continual improvement. For example, at any stage in the certification process, It may be flagged by the auditor that changes must be made in order to meet the standard, but because it’s an internal appointment, it won’t put your ISO 27001 certification at risk.

Many companies outsource internal auditors, and this could potentially be one of the biggest costs. You must internally audit everything at least once every year and the usual approach is to break it down into chunks that you tackle each month over 12 months.

Compare this with the external audit which is the certification audit. This does the same thing but is much more formal, and getting it wrong can put your hard-earned ISO 27001 certification at risk.

Everything you need to know to get started with ISO 27001: the video

Watch this video before you start your ISO 27001 certification journey. The ISO 27001 Ninja will guide you through the whole process and save you thousands in costly mistakes!

ISO 27001 Clauses

Every ISO 27001 clause is covered, by clause in this ultimate ISO 27001 Reference Guide Clause by Clause.

Every ISO 27001 Annex A control is covered, by control in this Ultimate ISO 27001 Annex A Reference Guide.

Your ISO 27001 certification solution awaits

Are you still breathing?

We told you this was a dry subject. It’s a complicated process that can cost you a fortune and take months of your time.

Now that we’ve told you everything there is to know about ISO 27001, we know what you’re thinking. WTF!? 

That’ll take me years! 

Where do I even begin?

Don’t sweat it. We’ve got you and we’re here to take the stress away. We can help you get certified 10x faster and 30x cheaper than anyone else.

If you want to know more about the ISO toolkit that will change the game for your business, or want to be coached through the process (without getting ripped off) book your free strategy call.

ISO 27001 FAQ

What does ISO 27001 mean?

ISO 27001 is the name and designation given to the international standard for information security. It is an information security management system. It is a series of information security policies, information security documents, information security controls and processes for the management of information security. As a standard you can be assessed against it and a certificate can be issued to demonstrate that you meet the requirements of the standard.

What is the purpose of the ISO 27001 standard?

There are two goals for the ISO 27001 standard. The first goal is to provide a bench mark and frame work against which businesses can operate for best practice of information security protection. The second goal is to be able to demonstrate through independent ISO 27001 certification that business meets the requirements of the international standard for information security and there by provide assurance that the business is operating to a certain level.

Does ISO 27001 cover GDPR?

ISO 27001 can provide a framework to satisfy aspects of GDPR, especially around principle 6 maintain adequate security. It does not make you GDPR compliant and it does not satisfy all of the requirements of the GDPR. Consider it as a complimentary standard and complimentary framework.

What is the current version of ISO 27001?

At the time of writing ISO/IEC 27001:2022 is the most current version of the standard and incorporates changes made in 2022.

How do I check if a company is ISO 27001 certified?

The easiest way is to request a copy of their most up to date certificate and scope statement. You can check the date of the certificate to ensure that it is valid. The certificate will tell you the name of the certification body. You can then search the certification body website for a register of companies that they have certified.

Is ISO 27001 a legal requirement?

In general no. It can be a requirement of a regulatory body or of a contract but it is not a legal requirement in the widest sense of law. Unlike the GDPR which is a law.

Is ISO 27001 mandatory?

ISO 27001 is only mandatory if an industry regulator mandates it or a contract between you and a customer or supplier mandates it. It is a framework based on risk and as such even the controls within the standard are not mandatory.

Who does ISO 27001 apply to?

The ISO 27001 standard and ISO 27001 certification apply to any business that wants to operate to it and demonstrate best practice for information security management. The number one reason we see a business adopt the ISO 27001 certification is for commercial gain and as a result of being asked for it by a customer on which a commercial contract rests.

Is ISO 27001 a framework?

Yes. ISO 27001 is a framework made up of policies, documents, controls and processes. It is a risk based framework with continual improvement at it’s heart. It requires top level, leadership commitment.

How much does ISO 27001 certification cost?

ISO 27001 certifications costs start at £5,000 and increase based on your company risk and company size. Read the ultimate guide to ISO 27001 Certification Cost

Where do I find an ISO 27001 consultant?

You can find an ISO 27001 consultant at High Table – The ISO 27001 Company

How long does ISO 27001 take?

ISO 27001 certification takes 3 months from start to finish.

Is ISO 27001 expensive?

Yes, it can be. It is all relative. What is expensive for you may not be expensive for someone else. Expect the total cost of everything to come in at around £20,0000 to £25,0000.

What are the change to ISO 27001 in 2022?

ISO 27001 Annex A changed in 2022. For a list of the changes see the Ultimate Guide to the ISO 27001 Changes

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is a management system and you can certify to ISO 270001.
ISO 27002 is a control set to be considered as part of your implementation and you cannot certify to ISO 27002.

What is Annex A / ISO 27002?

There is an annex to the ISO 27001 called Annex A. Annex A is actually a standard in it’s own right called ISO 27002. ISO 27002 is a list of the technical controls that your organisation has implemented. You record this list of controls in your Statement of Applicability.

What is a Statement of Applicability (SoA)?

The Statement of Applicability is a mandatory document of the ISO 27001 standard. It lists out the controls of ISO 27001 Annex A / ISO 27002 and it records whether the control is applicable to you or not. If not it includes a reason why it does not apply to you.

What are the ISO 27001 Mandatory Documents?

The ISO 27001 Mandatory Documents are the documents that are required by the ISO 27001 standard. ISO 27001 works on the premise that if it is not written down, it does not exist. It is documentation heavy.

What ISO 27001 processes will I need?

You will need to document all of the processes that are going to be audited for your ISO 27001 certification. The list of controls is Annex is a great starting point for the required processes on top of which the processes for your product or service will also require documenting.

ISO 27001:2022 requirements

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing