ISO 27001 Beginners Guide

The Ultimate Guide to ISO 27001 in 2023

ISO/IEC 27001: 2022 The International Standard for Information Security

In this article we lay bare ISO 27001, the International Standard for Information Security: exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification. We show you exactly what changed in the ISO 27001:2022 update. I am Stuart Barker, the ISO27001 Ninja, and this is ISO 27001.

What is ISO 27001?

ISO 27001 is the international standard for information security.

ISO 27001 is the process of implementing information security so that an organisation can get ISO 27001 certification.

ISO 27001 certification is the process of taking steps to help your organisation get an ISO 27001 certificate.

The key difference between ISO 27001 and other information security standards is that it is based on risk, not rules. To make it a bit simpler, ISO 27001 means implementing information security to meet the needs of your organisation and the risks you face rather than meeting specific rules.

Look at it this way. When you implement a security control you decide the control and the level of the control. An example would be setting password strength. ISO 27001 won't tell you how strong your password needs to be, just that it needs to be strong.

Let’s break it down even further. You have control over how secure your organisation is and you can still get ISO 27001 certification.

Core Elements of ISO 27001: ISO 27001 and ISO 27002

When it comes to ISO 27001 the International Standard For Information Security, there are two equally important paths: ISO 27001 and ISO 27002.

ISO 27001 is about building the management system to run your information security. This comes down to incorporating policies into your organisation and processes. Policies tell people what is expected. Processes make sure your information security is implemented consistently.

ISO 27002 is about security controls such as antivirus. This part of the equation involves choosing the controls you need from a pre-defined list and implementing them to the right level for you. Though it takes some legwork, it is integral to ISO 27001 certification success.

The new ISO/IEC 27001:2022 with changes listed

In October 2022 the ISO27001 Standard changed. If you are interested in exactly what changed in ISO27001 for the 2022 update, we list each change and provide a full comparison of each version of the standard in our article ISO27001:2000 Everything You Need To Know.

ISO 27001 2013 V ISO 27001 2022

This is a detailed guide giving a direct comparison of ISO 27001:2013 versus ISO 27001:2022.

The new ISO/IEC 27002:2022 with changes listed

In this section we list all of the ISO 27002:2022 controls and compare them to the previous control set. We show whether each control is new or has changed.

ISO 27001 Strategies: Software Vs. Consultant

I’ve always played the long-term entrepreneurial game, and I believe that is the way to go. However, this isn’t the case with everyone. Some people want quick gains and move onto something else.

When it comes to ISO 27001, going for quick gains is often referred to as ‘black hat ISO 27001’.

There are companies out there whose entire marketing is aimed at these people, with the huge costs associated. People who use software tend to have more money than time. It might work in the short term and you get some quick gains, but after a while you will still have the work to do, and you will have paid these costs in addition to what you would have paid anyway.

On the other hand, white hat ISO 27001 is using templates and doing it yourself or using consultants as a way to build a sustainable ISO 27001 certification at a fraction of the costs.

If you do ISO 27001 this way, you will focus on your business and the people in your business.

You will give them information security without the burden and overhead and bureaucracy and make it seamless and pain free.

ISO 27001 Basics: The Complete Breakdown

Now it’s time to learn how to do ISO 27001. Understanding it is one thing but ISO 27001 requires a lot of action and time. This is not something that you can make a change today and expect to see an ISO 27001 certificate tomorrow. ISO 27001 is going to take 3 months with the goal of ISO 27001 certification success.

ISO 27001 Policies

You are probably wondering where do you even start? You start with policies.

Why?

ISO 27001 policies are statements of what you do. They are not statements of how you do it. How you do it is covered in process documents. You use policies to explain to people what is expected of them.

People need to know what is expected of them.

They are mandatory for ISO 27001 and the value is in setting out what you want to happen for information security.

Elements of ISO 27001 Policies

There are a lot of elements that go into creating high quality policies; here are a few of the most crucial ones:

Quality

Once, taking policies from your old place of work or scraping a mixed bag of free information security policies from the internet was the standard.

Coming up with great policies isn’t easy, but the good news is, you don’t always have to create your own policies from scratch. You can piggyback off what others have created but simply add more value and make your policy more in-depth.

These ISO 27001 policies from a proven, trusted source get the job done.

The bottom line is that your ISO 27001 policies need to solve a problem and tell people what is expected of them. If they don’t, then people won’t follow them and you may as well not have bothered. You will fail ISO 27001 certification.

Intent

ISO 27001 puts a lot of emphasis on intent. It wants the reader of policies to understand exactly what is required of them when they read the policy.

As the policy writer you need to understand this as well. You cannot create a policy about acceptable use and then include network cryptography. It doesn’t make sense as network cryptography doesn’t apply to normal people using systems.

4 tips for Creating Quality ISO 27001 Policies

Here are my best tips for creating policies people will read that meet the ISO 27001 standard.

  1. Download trusted templates: You don’t need to reinvent the wheel when you can download prewritten ISO 27001 policies.
  2. What you do not how you do it: Separate out the process steps of how you do it into process documents and focus on what you do.
  3. Markup documents: Ensure documents have version control, classification and required markup.
  4. Leadership approved: Leadership should sign off policies so they are agreed at the highest level with top down leadership and buy in.

ISO 27001 Controls

There is no doubt that you already have security controls in place. You feel pretty confident you understand information security and could cite right now those headline controls like 2 factor authentication, anti virus, firewalls…

That is great for where you are, but if you want to get ISO 27001 certification you are going to have to implement the ISO 27001 Controls.

Coming up with the controls you need is simple: you are going to create a Statement of Applicability (SOA). The SOA is the list of ISO 27001 controls, listed out, with you making the decision whether each one applies to you or not.

You can take a look at what those ISO 27001 controls are.

Elements of ISO 27001 Controls

There are lots of things to include and consider in ISO 27001 controls; here are the priorities to focus on:

Documented

Even if you already have controls, the controls and the processes need documenting.

Why?

As a standard to be audited against, ISO 27001 relies heavily on documentation taking the position that, if it is not written down, it does not exist.

Across the entire management system and in particular with controls you have to document what you do and your documents have to follow a predefined mark up structure.

As a process writer you need to understand that documents will evolve. They will have version control to track the changes and they will have mark up. Documents will be reviewed, approved and signed off. They will be communicated to those that need to understand them.

Meet your needs

It can be confusing to work out how strong a particular control should be. For example should our password be 18 characters with a mix of upper and lower case and with at least one special character?

The answer is it depends on your need.

You are going to have to spend time working out what the needs of the business are and what the risks are. The controls that you implement are a direct result of that business need and those risks.

As a control owner you are going to be responsible for working out what is reasonable, proportionate and then documenting, implementing and running that control.

It can be a fine art, and you should rely on the specialist knowledge of those that run the control.

It can be easy to fail ISO 27001 certification if your controls are deemed to be too weak and you do not have an adequate justification and risk management in place.

4 Tips for Creating Effective ISO 27001 Controls

  1. Base controls on risk: Controls should be implemented to mitigate a risk so conduct your risk assessment and choose your controls appropriately.
  2. Have a Statement Of Applicability: The Statement of Applicability (SOA) is a mandatory document and lists out the controls that you have implemented. Be sure to list out all of the Annex A controls and if you have not implemented a control, still list it but provide a justification why you have not implemented it.
  3. Document what you do: Do not be tempted to write processes and document what you think the auditor wants to hear. Rather, document what you actually do. You will be audited on what you say you do not what you think is the correct answer.
  4. Evidence controls are working: Make sure you have reports that show that the control is operating. Spend time to decide what you should measure and then measure it. You will want to keep historic reports to show that things are working as expected.

ISO 27001 Document Markup

Your documents are an important piece of the ISO 27001 puzzle. Without the correct documents, policies, processes and procedures you will not pass ISO 27001 Certification.

It is not enough to just have the documents, they must also have the correct markup.

Elements of ISO 27001 Document Markup

People are often worried about document markup.

Once you know what is needed it is simply a case of either creating a template that you can reuse or cutting and pasting between documents. Let’s take a look at the common elements of documents:

Version Control

A document for ISO 27001 is a living document and always evolving. For ISO 27001 certification the ISO 27001 auditor is going to want to see that the document is an active document, with the changes that have been made.

Some people will spoof this but done right it forms part of an effective management system.

As the person writing the version control you want to capture the version number, the date of the change, who did the change and what the change was.

It is good practice to include document approval as part of your version control to clearly evidence when the document was last reviewed and approved even if that step did not include any actual changes.

Classification

Classification is the process of saying how important a document is to us. The more important a document is, the more protection we are going to put around it.

Would we want our wage slips and payroll information published on the internet? Probably not.

So for important information we classify it as confidential.

As a control owner you are going to make sure that confidential information is protected more than say, public information.

An Owner

Keeping documents up to date is going to require some work.

Also when it comes to audit someone is going to be interviewed and audited.

The question is who?
The answer is the document owner.

As a document owner you are responsible for keeping the documents up to date.

Last Reviewed Date

ISO 27001 sets out the specification for an Information Security Management System (ISMS). It IS a management system. A way to manage information security. It includes an annex, called Annex A which is a list of technical controls that you must consider and implement.

The standard has very specific requirements when it comes to document mark up. What this means is that the documents that you produce should have version control, a classification, an owner, a last reviewed date as a minimum. The standard lays out clearly what is required.

4 Tips For ISO 27001 Document Markup

  1. Create document base templates: Base templates with the markup will save you a lot of time. Consider ISO 27001 document templates, ISO 27001 policy templates and ISO 27001 process templates.
  2. Check before the audit: No matter how much you think everything is in order, it isn’t. You will have missed something, somewhere. So check. Better you find it than the auditor.
  3. Classify documents appropriately: It goes without saying that documents should be classified appropriately. Let’s not classify confidential documents as public out of laziness. Invest a little time to work out the classification of documents and be prepared to justify your decision to an ISO 27001 auditor.
  4. Align with a Quality Management System (QMS) / ISO 9001: It is great practice to align your documents with your quality management system. More and more these days ISO 27001 is asked for along with a QMS.

ISO 27001 Risk Management

ISO 27001 is a risk based management system. This is a great system. In a risk based system the controls that you have and the level of control that you put in place are down to you and the risk you are trying to mitigate. Compare this to a rule based system such as PCI DSS, which tells you exactly what controls you MUST have in place and the exact level of that control.

You have much more flexibility in a risk based system. Applying controls you do not need or implementing to a level that exceeds the risk can cost you a lot of money. You do not want to get this wrong.

ISO 27001 Continual Improvement

Continual improvement is the process by which your organisation continues to improve its approach to information security. It is baked into the standard. It knows you won't get everything right at the beginning, that things change and that as time goes by you will work out how to do things better. You can identify these opportunities for continual improvement as part of the standard by finding them during internal audits, finding them when incidents occur and things go wrong, or just brainstorming them and coming up with new ideas.

ISO 27001 Internal Audit

When you embark on ISO 27001 you embark on a commitment to being audited a lot. Internal audit means that you appoint someone independent to go through the standard and check that what you are doing still meets its requirements. The output of this is continual improvement, in that you may need to make changes to come back up to the level of the standard, but as it is internal it won't put your ISO 27001 certification at risk. Many companies will outsource internal audit, and this is one of the biggest costs that you will bear if you do. You have to internally audit everything at least once every year, and the usual approach is to break it down into chunks that you tackle each month over 12 months.

Compare this with external audit which is the certification audit. This does the same thing, again, but is much more formal and getting it wrong can put your hard earned ISO 27001 certification at risk.

ISO 27001 Truth Bombs

At the end of the day it is a certificate.

A bit of paper that your clients are asking, demanding and expecting of you.

It is a condition of doing business.

If there is a commercial reason to do it, you will do it. If there isn’t, you won’t.

It won’t make you more secure. It can. But it likely won’t.

It won’t stop you getting hacked. It can. But it likely won’t.

But it will open doors to new business.

Everything you need to know to get started with ISO 27001: Video

This video is absolutely everything you need to know to get started with ISO 27001. Watch this before you engage anyone. This will save you tens of thousands of costly mistakes.

The ISO 27001 Laid Bare: A deep dive on the ISO 27001 Clauses

Here we will take a deep dive on the ISO 27001 standard and each of the clauses that you will need to satisfy.

ISO 27001 Clause 4.1 Understanding the organisation and its context

The ISO 27001 Clause 4.1 requirement is to understand your own context and document how it might impact your information security management system. Specifically how it might impact the outcomes of your information security management system. By and large this is a quick and easy win and it sets out exactly what it wants from you.

More detail is provided in the Essential Guide to ISO 27001 Clause 4.1 

ISO27001 Clause 4.1 Understanding The Organisation And Its Context Beginner’s Guide

ISO 27001 Clause 4.2 Understanding the needs and expectations of interested parties

ISO 27001 clause 4.2 forms, as you would expect, part of ISO 27001 Clause 4 Context of Organisation. In clause 4.1 we looked at understanding the organisation and its context, which broke down into identifying internal and external issues. Here we are going to look at the needs and the expectations of interested parties. Specifically, we are looking at people that might have an interest in the effectiveness of the information security management system and what their actual requirements are.

More detail is provided in the Essential Guide to ISO 27001 Clause 4.2

ISO27001 Clause 4.2 Understanding The Needs And Expectations of Interested Parties Beginner’s Guide

ISO 27001 Clause 4.3 Determining the scope of the information security management system

This clause forms part of ISO 27001 Clause 4 Context of Organisation. We have looked at ISO 27001 Clause 4.1 Understanding the Organisation and its context to identify internal and external issues, and in ISO 27001 Clause 4.2 we looked at interested parties and their needs.

In ISO 27001 Clause 4.3 we are looking at determining the scope of the information security management system.

More detail is provided in the Essential Guide to ISO 27001 Clause 4.3

ISO27001 Clause 4.3 Determining The Scope Of The Information Security Management System Beginner’s Guide

ISO 27001 Clause 4.4 Information security management system

Clause 4.4 basically says: have an information security management system.

More detail is provided in the Essential Guide to ISO 27001 Clause 4.4

ISO27001 Clause 4.4 Information Security Management System – Beginner’s Guide

ISO 27001 Clause 5.1 Leadership and Commitment

There are many aspects of ISO 27001 that ISO 27001 templates can help with and indeed there are many ISO 27001 mandatory documents. Leadership and commitment is one area that you will need both the templates and to actually get management and leadership buy in. This is a top down approach. It has to be seen as a top down approach.

More detail is provided in the Essential Guide to ISO 27001 Clause 5.1

ISO27001 Clause 5.1 Leadership And Commitment Beginner’s Guide

ISO 27001 Clause 5.2 Policy

The requirement is to have a set of information security policies, which are provided in the ISO 27001 policy template bundle.


ISO 27001 Clause 5.3 Organisational roles, responsibilities and authorities

The actual requirement is to make sure that roles, responsibilities and appropriate authorities are assigned to people and that this is communicated. We document this as part of the communication plan and the requirement of the clause.

We need to make sure that responsibility is assigned to someone for ensuring the standard is met and for reporting on the effectiveness and performance of the information security management system to the business leaders, which they refer to as ‘top management’.

More detail is provided in the Essential Guide to ISO 27001 Clause 5.3

ISO27001 Clause 5.3 Organisational Roles, Responsibilities And Authorities Beginner’s Guide

ISO 27001 Clause 6.1.1 Planning General

ISO 27001 Clause 6.1.1 comes under ISO 27001 Clause 6 and relates directly to planning. It is a relatively easy clause to satisfy with ISO 27001 templates.

More detail is provided in the Essential Guide to ISO 27001 Clause 6.1.1

ISO27001 Clause 6.1.1 Planning General Beginner’s Guide

ISO 27001 Clause 6.1.2 Information security risk assessment

The ISO 27001 standard requires an organisation to establish and maintain information security risk assessment processes that include the risk acceptance and assessment criteria.

This clause is all about risk assessment. The ISO 27001 standard for ISO 27001 certification wants you to define and implement a risk assessment process.

That risk assessment process has to set out risk criteria which are the parameters of your risk management.

More detail is provided in the Essential Guide to ISO 27001 Clause 6.1.2

ISO27001 Clause 6.1.2 Information Security Risk Assessment Beginner’s Guide

ISO 27001 Clause 6.1.3 Information Security Risk Treatment 

The ISO 27001 standard requires an organisation to select appropriate risk treatment options based on the risk assessment results. 

This clause is all about risk treatment. The ISO 27001 standard for ISO 27001 certification wants you to define and implement a risk assessment process and to treat those risks appropriately. It is, after all, a risk based management system, not a rule based system.

That risk treatment process has to set out risk criteria which are the parameters of your risk management.

More detail is provided in the Essential Guide to ISO 27001 Clause 6.1.3

ISO27001 Clause 6.1.3 Information Security Risk Treatment Beginner’s Guide

ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them

The ISO 27001 standard requires an organisation to establish information security objectives at relevant functions and levels.

This clause is all about information security objectives and planning to meet those objectives. The ISO 27001 standard for ISO 27001 certification wants you to define and achieve information security objectives.

More detail is provided in the Essential Guide to ISO 27001 Clause 6.2

ISO27001 Clause 6.2 Information Security Objectives And Planning To Achieve Them Beginner’s Guide

ISO 27001 Clause 7.1 Resources

The ISO 27001 standard requires an organisation to provide the resources needed to establish, implement, maintain and continually improve the information security management system.

This clause is all about people. The ISO 27001 standard for ISO 27001 certification wants you to have the right people available for running ISO 27001. It is one of the ISO 27001 controls.

More detail is provided in the Essential Guide to ISO 27001 Clause 7.1

ISO 27001 Clause 7.1 Resources Beginner’s Guide

ISO 27001 Clause 7.2 Competence 

The ISO 27001 standard requires an organisation to have people that are competent to do the work for information security. Simple. 

This clause is all about people and their skills, experience and competency. The ISO 27001 standard for ISO 27001 certification wants you to have the right people with the right skills for running ISO 27001. It is one of the ISO 27001 controls.

More detail is provided in the Essential Guide to ISO 27001 Clause 7.2

ISO 27001 Clause 7.2 Competence Beginner’s Guide

ISO 27001 Clause 7.3 Awareness

ISO 27001 Clause 7.3 Awareness is about communicating and making people aware of the information security policy, how they contribute to information security and the consequences of not conforming to information security. The ISO 27001 standard for ISO 27001 certification wants you to let people know what you expect, educate them and have processes in place for if things go wrong. It is one of the ISO 27001 controls.

More detail is provided in the Essential Guide to ISO 27001 Clause 7.3

ISO 27001 Clause 7.3 Awareness Beginner’s Guide

ISO 27001 Clause 7.4 Communication

The ISO 27001 standard requires an organisation to effectively communicate about Information Security. That feels a bit vague so it goes further. It wants you to set out the what, when, with whom, the process and method of communication and who will do it. 

More detail is provided in the Essential Guide to ISO 27001 Clause 7.4

ISO27001 Clause 7.4 Communication Beginner’s Guide

ISO 27001 Clause 7.5.1 Documented Information

The ISO 27001 standard requires an organisation to document the information security management system. It works on the premise that if it is not written down then it does not exist. There is a lot of documentation required for ISO 27001. Compliance with the standard may not make you more secure. Often the ISO 27001 certification is about the minutiae of documentation rather than whether you are actually secure. Unless you are buying an ISO 27001 document template toolkit you are going to have a lot of ISO 27001 documents to create.

More detail is provided in the Essential Guide to ISO 27001 Clause 7.5.1

ISO27001 Clause 7.5.1 Documented Information Beginner’s Guide

ISO 27001 Clause 7.5.2 Creating and Updating Documented Information

The ISO 27001 standard requires an organisation to document the information security management system, that the documentation is marked up with document markup and that documents are reviewed and approved.

More detail is provided in the Essential Guide to ISO 27001 Clause 7.5.2

ISO 27001 Clause 7.5.2 Creating And Updating Documented Information Beginner’s Guide

ISO 27001 Clause 7.5.3 Control of Documented Information 

ISO 27001 Clause 7.5.3 Control of Documented Information is about ensuring that documents are available as needed and that they are appropriately protected.

More detail is provided in the Essential Guide to ISO 27001 Clause 7.5.3

ISO27001 Clause 7.5.3 Control Of Documented Information Beginner’s Guide

ISO 27001 Clause 8.1 Operational Planning and Control

The ISO 27001 standard requires an organisation to plan, implement and control the processes needed to meet the requirements of Information Security. 

So ISO 27001 Clause 8.1 Operational Planning and Control is all about processes.

More detail is provided in the Essential Guide to ISO 27001 Clause 8.1

ISO27001 Clause 8.1 Operational Planning And Control Beginner’s Guide

ISO 27001 Clause 8.2 Information Security Risk Assessment

ISO 27001 Clause 8.2 Information Security Risk Assessment is all about risk assessment. Where we covered the planning in ISO 27001 Clause 6.1.2, here we look at the execution. The ISO 27001 standard for ISO 27001 certification wants you to define and implement a risk assessment process and then execute it and make sure it gets done.

More detail is provided in the Essential Guide to ISO 27001 Clause 8.2

ISO27001 Clause 8.2 Information Security Risk Assessment Beginner’s Guide

ISO 27001 Clause 8.3 Information Security Risk Treatment 

The ISO 27001 Clause 8.3 Information Security Risk Treatment requirement is for an organisation to implement the information security risk treatment plan and retain documented evidence of the results. It is all about risk treatment. Where we covered the risk treatment planning in ISO 27001 Clause 6.1.3, here we look at the execution. The ISO 27001 standard for ISO 27001 certification wants you to effectively treat and manage risks.

More detail is provided in the Essential Guide to ISO 27001 Clause 8.3

ISO27001 Clause 8.3 Information Security Risk Treatment Beginner’s Guide

ISO 27001 Clause 9.1 Monitoring, Measurement, analysis, evaluation

ISO 27001 Clause 9.1 Monitoring, Measurement, analysis, evaluation requires an organisation to implement measures and monitors to evaluate the effectiveness of the information security management system. It is a requirement to maintain evidence of the results of measures and monitors.

More detail is provided in the Essential Guide to ISO 27001 Clause 9.1 Monitoring, Measurement, analysis, evaluation

ISO27001 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation Beginner’s Guide

ISO 27001 Clause 9.2 Internal Audit

ISO 27001 Clause 9.2 Internal Audit requires an organisation to conduct internal audits at planned intervals to ensure it is operating effectively.

Learn more in the Essential Guide to ISO 27001 Clause 9.2 Internal Audit

ISO 27001 Clause 9.2 Internal Audit Beginner’s Guide

ISO 27001 Clause 9.3 Management Reviews

ISO 27001 Clause 9.3 Management Review requires an organisation to conduct a Management Review Meeting at regular intervals and to follow a structured, defined agenda.

Learn more in the Essential Guide to ISO 27001 Clause 9.3 Management Reviews

ISO27001 Clause 9.3 Management Review Beginner’s Guide

ISO 27001 Clause 10.1 Nonconformity and Corrective Action

ISO 27001 Clause 10.1 Nonconformity and Corrective Action is about effectively managing when things go wrong, correcting it and taking steps to make sure it does not happen again.

Learn more in the Essential Guide to ISO 27001 Clause 10.1 Nonconformity and Corrective Action

ISO 27001 Nonconformity And Corrective Action Beginner’s Guide

ISO 27001 Templates

ISO 27001 templates can be a great way to save a lot of time and a lot of money. These ISO 27001 templates are proven to do just that.


ISO 27001 FAQ

What does ISO 27001 mean?

ISO 27001 is the name and designation given to the international standard for information security. It is an information security management system. It is a series of information security policies, information security documents, information security controls and processes for the management of information security. As a standard you can be assessed against it and a certificate can be issued to demonstrate that you meet the requirements of the standard.

What is the purpose of the ISO 27001 standard?

There are two goals for the ISO 27001 standard. The first goal is to provide a benchmark and framework against which businesses can operate for best practice in information security protection. The second goal is to be able to demonstrate through independent certification that the business meets the requirements of the international standard for information security and thereby provide assurance that the business is operating to a certain level.

Does ISO 27001 cover GDPR?

ISO 27001 can provide a framework to satisfy aspects of GDPR, especially around principle 6, maintaining adequate security. It does not make you GDPR compliant and it does not satisfy all of the requirements of the GDPR. Consider it as a complementary standard and complementary framework.

What is the current version of ISO 27001?

At the time of writing ISO/IEC 27001:2013 is the most current version of the standard and incorporates changes made in 2017.

How do I check if a company is ISO 27001 certified?

The easiest way is to request a copy of their most up to date certificate and scope statement. You can check the date of the certificate to ensure that it is valid. The certificate will tell you the name of the certification body. You can then search the certification body website for a register of companies that they have certified.

Is ISO 27001 a legal requirement?

In general, no. It can be a requirement of a regulatory body or of a contract, but it is not a legal requirement in the widest sense of the law, unlike the GDPR, which is a law.

Is ISO 27001 mandatory?

ISO 27001 is only mandatory if an industry regulator mandates it or a contract between you and a customer or supplier mandates it. It is a framework based on risk and as such even the controls within the standard are not mandatory.

Who does ISO 27001 apply to?

The ISO 27001 standard and ISO 27001 certification apply to any business that wants to operate to it and demonstrate best practice for information security management. The number one reason we see a business adopt the ISO 27001 certification is for commercial gain and as a result of being asked for it by a customer on which a commercial contract rests.

Is ISO 27001 a framework?

Yes. ISO 27001 is a framework made up of policies, documents, controls and processes. It is a risk based framework with continual improvement at its heart. It requires top level leadership commitment.

How much does ISO 27001 certification cost?

ISO 27001 certifications costs start at £3,600 and increase based on your company risk and company size.

Where do I find an ISO 27001 consultant?

You can find an ISO 27001 consultant at High Table – https://hightable.io/

How long does ISO 27001 take?

ISO 27001 certification takes 3 months from start to finish.

Is ISO 27001 expensive?

Yes, it can be. It is all relative. What is expensive for you may not be expensive for someone else. Expect the total cost of everything to come in at around £20,0000 to £25,0000.

What are the changes to ISO 27001 in 2022?

ISO 27001 Annex A changed in 2022. For a list of the changes see here: https://hightable.io/the-ultimate-guide-to-iso-27002-changes-2022/

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is a management system and you can certify to ISO 27001.
ISO 27002 is a control set to be considered as part of your implementation and you cannot certify to ISO 27002.

What is Annex A / ISO 27002?

There is an annex to ISO 27001 called Annex A. Annex A is actually a standard in its own right, called ISO 27002. ISO 27002 is a list of the technical controls that your organisation has implemented. You record this list of controls in your Statement of Applicability.

What is a Statement of Applicability (SoA)?

The Statement of Applicability is a mandatory document of the ISO 27001 standard. It lists out the controls of ISO 27001 Annex A / ISO 27002 and it records whether the control is applicable to you or not. If not it includes a reason why it does not apply to you.

What are the ISO 27001 Mandatory Documents?

The ISO 27001 Mandatory Documents are the documents that are required by the ISO 27001 standard. ISO 27001 works on the premise that if it is not written down, it does not exist. It is documentation heavy.

What ISO 27001 processes will I need?

You will need to document all of the processes that are going to be audited for your ISO 27001 certification. The list of controls in Annex A is a great starting point for the required processes, on top of which the processes for your product or service will also require documenting.


FREE 30 minute ISO27001 strategy session.

Claim your 100% FREE no-obligation 30 minute strategy session call (£1000 value). This is strictly for small businesses who are hungry to get ISO27001 certified up to 10x faster and 30x cheaper.
