the ultimate ISO27001 guide

By the time you reach the bottom of this page, you’ll understand what ISO27001 is, why you need it, and how to implement it quickly and affordably.

Whether you’re a complete novice or just need clarity in certain areas, it’s all here.

Want to know everything there is to know about ISO27001 (including the stuff the industry doesn’t want you to know)?

Let’s get into it…

What is ISO27001?

ISO27001 is an internationally recognised standard for information security that provides guidelines for creating and maintaining an effective information security management system (ISMS). 

An ISMS is a framework of policies, procedures and controls designed to monitor and protect your business’s sensitive data – basically, a big, hairy bodyguard for information.

By implementing an ISMS, you can better protect your information and assets from cyber threats, data breaches, and other security risks. 

What is ISO27001:2022?

In October 2022 the ISO27001 standard changed. ISO27001:2022 is the updated version of the internationally recognised ISMS standard.

From security changes to new clauses, if you want the full lowdown on what changed for the 2022 update, we’ve listed each change along with a full comparison of each version of the standard.

DO IT YOURSELF ISO27001

STOP SPANKING £10,000s

ISO 27001 Toolkit

Who Needs ISO27001?

Any organisation that handles personal information, financial data or intellectual property should implement ISO27001. The bottom line is, if you handle any kind of confidential information (and let’s be real, who doesn’t these days?) getting your ISO27001 certificate is a must.

What does ISO27001 certification mean for your business?

ISO27001 certification offers an impartial, external validation that a company’s ISMS fulfils the ISO27001 standard criteria. 

Put simply, ISO27001 is your badge of honour. 

ISO27001 Benefits

  • It shows your clients that you’re fully compliant, serious about meeting information security standards and follow best practices to keep their confidential data secure. They want to know that you give a sh*t about protecting their business.
  • ISO27001 certification could save you millions in the long run. Data breaches are expensive and don’t just cause financial damage – they can cost you your reputation.
  • It gives you a competitive edge. A company is more likely to choose a provider who is ISO27001 certified over one that isn’t. It’s a no brainer!
  • Many of the ISO27001 conditions also satisfy GDPR and data protection requirements, showing regulatory bodies that you mean business when it comes to risk management. Happy days.
  • If you’re a small business and want to bid for those bigger tenders and win meatier clients (and who doesn’t!?), ISO27001 is your route to success. 

These days, many companies expect their providers to be ISO27001 certified, so we’re going to break the ISO27001 certification process down step-by-step. Then, we’re going to let you in on how to nail your certification, without breaking the bank.

How to get ISO27001 certified quickly and easily

The easiest and fastest way to achieve ISO27001 accreditation is to download the ISO27001 toolkit and follow the How to Implement ISO27001: A Step-By-Step Guide.

Another option is to bring in a trusted ISO27001 expert (like the ISO27001 Ninja) who will coach you through the process, without dragging it out or overcharging. Why not book a free call?

ISO27001 secrets uncovered

This is the part where we told you we’d dish the dirt on the industry. Greedy consultants will tell you that you need to hire them to get certified, which will cost you a fortune and take much longer than it should. (Because they want you to part with as much of your hard-earned cash as possible!) 

Why do we know this? Full disclosure: we’ve been those consultants (hey, it was our job!).

High Table have transformed the ISO27001 process. We decided to do things differently and combine 20 years’ experience, knowledge and wisdom and offer something unheard of in the ISO27001 space: value.

Why? Because we’re the ISO27001 people, and we’re done with other providers alienating smaller businesses like yours by charging daft money for something that can be done on a budget.

Can you implement ISO27001 yourself?

Hell to the YES you can DIY your ISO27001 certification. Don’t listen to anyone who tells you otherwise. Granted, it’s a slog, but the great news is: there is a shortcut. You can get certified yourself, with a little help from High Table. All you need is the ISO27001 Toolkit. This toolkit is designed to save businesses like yours time, money and stress. We’ve perfected the certification process to empower you to do it yourself – genius, isn’t it? Goodbye money-grabbing consultants. Hello new business!

What is the ISO27001 certification process?

To get certified you must follow these steps:

  1. Identify the information assets that need protection and the processes that need to be included in the Information Security Management System (ISMS).
  2. Identify the risks to the information assets and evaluate their impact. This helps to prioritise which risks to address first and what controls to implement.
  3. Once the controls have been identified, the organisation needs to implement them. 
  4. Conduct internal audits to make sure that the ISMS is operating properly and meets the ISO27001 standard.
  5. Conduct a management review of the ISMS to make sure it’s meeting the organisation’s goals and objectives.
  6. An external certification body will perform an audit to determine whether the ISMS meets the ISO27001 standard. If it does, ISO27001 certificate granted. Done and dusted.

Have we lost you? It’s dull, we know. Of course, by downloading and following this ISO27001 Toolkit, or bringing in the ISO27001 Ninja, you can dodge the hard work, because we’ve already done it for you. Hey, don’t mention it!

How much does ISO27001 certification cost?

The cost of getting ISO27001 certified completely depends on how you want to play it. 

You’ll need to cover two sets of costs in the certification process:

  1. The cost to implement and run the ISO27001 ISMS 
  2. The cost to take the certification audit 

What you end up paying depends on these factors:

  • How big your business is
  • How risky you are seen to be
  • The UKAS accredited certification body you decide to go with

Do you want to do it yourself? Employ someone full-time? Hire a contractor? Or instruct a consultant?

The problem is, most of the time, people don’t know what their options are and end up getting stung.

A Comparison of ISO27001 Implementation Options and Costs

Considering the approaches of doing it yourself, getting a contractor or employing High Table, let us compare typical expected costs side by side.

Do It Yourself

  • Cost: £500
  • Duration: 30 to 90 days
  • Comes with all templates, policies, guides
  • Track record of delivery and certification

Consultant

  • Cost: £5k to £15k
  • Duration: 5 to 15 days
  • Comes with all policies
  • Track record of delivery and certification

Employee

  • Cost: £40k+ per year
  • Duration: 6 to 12 months
  • Needs to write all policies

Contractor

  • Cost: £39k to £160k
  • Duration: 3 to 12 months
  • Will write all policies

Let’s be upfront about this.

If you have time on your side, the cheapest and easiest way for a small business like yours to get ISO27001 certification is by choosing the High Table ISO27001 Toolkit route.


But, if you’re time-poor and need someone to take it completely off your hands, or coach you through the process – MAKE SURE YOU DO YOUR RESEARCH! Consultants don’t have to cost the earth. (If they do, you’re not choosing wisely!)

How long does it take to get ISO27001 certified?

How long’s a piece of string? The ISO27001 certification process is different for every business and takes as long as it takes. As a rough guide, factor in around 3 months: 30 days to implement the information security management system and ISO27001 itself, plus a further 60 days to implement and evidence the required controls.

Here are some stumbling blocks that can impact the process:

  • Your ability to book a certification audit, which depends on the certification body’s availability
  • Your ability to implement and evidence the required ISO27001 controls

Does ISO27001 expire?

Unfortunately, nothing lasts forever. Sorry to burst your ISO27001 bubble! Once you’ve been accredited, your certification will last three years. But next time around, you should be much more familiar with the process.

ISO27001 certification: a complete breakdown

We said we’d tell you everything you need to know about ISO27001, but we also told you we’d keep it simple and talk to you like a human – so here goes. 

You’re probably wondering where to begin… 

First up… let’s start with policies!

ISO27001 Policies

ISO27001 policies are used to explain to people what is expected of them.

Here are the most important elements of creating winning ISO27001 policies:

Quality

Once upon a time, re-using policies from your previous job or cobbling together some rubbish you found on the internet was acceptable. Not anymore. That’s a sure-fire way to fail your certification.

Quality is king. Creating decent policy content isn’t easy, but luckily, there’s no longer a need to create your own policies from scratch. At High Table, we’ve created a policy toolkit brimming with ready-to-edit policies that will save you up to 240 hours of work. Genius, we know.

Intent

ISO27001 puts a lot of emphasis on intent. It wants the reader of policies to understand exactly what is required of them when they read the policy.

As the policy writer, you need to know your sh*t. For example, you cannot create a policy about acceptable use and then include network cryptography. It doesn’t make sense as network cryptography doesn’t apply to normal people using systems.

ISO27001 Controls

To get certified, you will need to implement ISO27001 Controls.

First, you will need to create a Statement of Applicability (SOA). The SOA is the list of ISO27001 controls that apply to your business.

There are many things to include and consider in ISO27001 controls, but here are some you should prioritise:

Documentation

ISO27001 relies heavily on documentation. If it isn’t written down, it does not exist.

Across the entire management system and in particular with controls, you must document what you do and your documents need to follow a predefined mark-up structure.

As a process writer, you need to understand that documents will evolve. They will have version control to track the changes and they will have mark-up. Documents will be reviewed, approved and signed off. They will be communicated to those that need to understand them.

Meet your individual needs

It can be confusing to work out how strong a particular control should be. For example, should our password be 18 characters with a mix of upper and lower case and with at least one special character?

The answer is it depends on your need.

You will have to work out what the needs of the business are and what the risks are. The controls that you implement are a direct result of that business need and those risks.

As a control owner, you are responsible for working out what is reasonable and proportionate, and then documenting, implementing and running that control.

If your controls are deemed too weak and you don’t have an adequate justification and risk management in place – you will fail your certification.

ISO27001 document markup

Your documents are an important piece of the ISO27001 puzzle. Without the correct documents, policies, processes and procedures you will not get ISO27001 certified.

It is not enough to just have the documents, they must also have the correct markup.

Once you know what is needed, it is simply a case of either creating a template that you can reuse or cutting and pasting between documents.

Let’s take a look at the common elements of documents:

Version Control

A document for ISO27001 is a living document and is always evolving. In the ISO27001 certification process, the auditor will want to see that it is an active document along with the changes that have been made.

Done properly, this forms part of an effective management system.

As the version control writer, you need to capture the version number, the date of the change, who did the change and detail what the change was.

It is good practice to include document approval as part of your version control to clearly evidence when the document was last reviewed and approved – even if that step did not include any actual changes.

Classification

Classification is the process of saying how important a document is to us. The more important a document is, the more protection we are going to put around it.

Would we want our wage slips and payroll information published on the internet? Probably not.

So, for important information we classify it as confidential.

An Owner

Keeping documents up to date is going to require some work.

When it comes to the audit, someone is going to be interviewed and audited.

The question is who?

The answer is the document owner.

As a document owner you are responsible for keeping all documents up to date.

Last Reviewed Date

ISO27001 sets out the specification for an Information Security Management System (ISMS). It IS a management system. A way to manage information security. It includes an annex, called Annex A which is a list of technical controls that you must consider and implement.

The standard has very specific requirements when it comes to document markup. This means that the documents you produce should have version control, a classification, an owner, and a last reviewed date as a minimum. The standard lays out clearly what is required.
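The minimum markup just listed (version control with a version, date, author and change, a classification, an owner, and a last reviewed date, with approval evidenced in the version history) can be checked automatically across a document register before the auditor does it for you. The following is an added example written for this guide, not code from High Table’s toolkit; the field names, the public/internal/confidential classification scheme, the 12-month review cycle and the sample register are all assumptions.

```python
from datetime import date, timedelta

# Minimum markup the page lists: version control, classification, owner and
# last reviewed date. Field names and the classification scheme are assumptions.
REQUIRED_FIELDS = ("classification", "owner", "last_reviewed", "versions")
VERSION_FIELDS = ("version", "date", "author", "change")
VALID_CLASSIFICATIONS = {"public", "internal", "confidential"}
REVIEW_CYCLE = timedelta(days=365)  # assumed: every document reviewed at least yearly
AS_OF = date(2024, 6, 1)  # constructed "today" so the sample run is reproducible


def check_document(doc: dict, today: date = AS_OF) -> list[str]:
    """Return findings for one document record; an empty list means it passes."""
    findings: list[str] = []
    for field in REQUIRED_FIELDS:
        if not doc.get(field):
            findings.append(f"missing {field}")
    cls = doc.get("classification", "")
    if cls and cls.lower() not in VALID_CLASSIFICATIONS:
        findings.append(f"unknown classification '{cls}'")
    versions = doc.get("versions") or []
    for entry in versions:
        for f in VERSION_FIELDS:
            if not entry.get(f):
                findings.append(f"version {entry.get('version', '?')} lacks {f}")
    # Approval is evidenced through version control, so the newest entry must carry it.
    if versions and not versions[-1].get("approved_by"):
        findings.append("latest version has no recorded approval")
    last = doc.get("last_reviewed")
    if last and today - last > REVIEW_CYCLE:
        findings.append(f"review overdue since {(last + REVIEW_CYCLE).isoformat()}")
    return findings


def check_register(register: list[dict], today: date = AS_OF) -> dict[str, list[str]]:
    """Map each document title to its findings, keeping only documents with issues."""
    report: dict[str, list[str]] = {}
    for doc in register:
        findings = check_document(doc, today)
        if findings:
            report[doc.get("title", "<untitled>")] = findings
    return report


# Constructed sample register (not a real organisation's documents).
SAMPLE_REGISTER = [
    {
        "title": "Access Control Policy",
        "classification": "Internal",
        "owner": "Head of IT",
        "last_reviewed": date(2024, 3, 1),
        "versions": [
            {"version": "1.0", "date": date(2023, 3, 1), "author": "A. Smith",
             "change": "Initial release", "approved_by": "CEO"},
            {"version": "1.1", "date": date(2024, 3, 1), "author": "A. Smith",
             "change": "Annual review, no changes", "approved_by": "CEO"},
        ],
    },
    {
        "title": "Backup Procedure",
        "classification": "Secret",          # not in the assumed scheme
        "owner": "",                         # no owner means nobody to interview
        "last_reviewed": date(2022, 1, 10),  # well past the review cycle
        "versions": [{"version": "0.9", "date": date(2022, 1, 10), "change": "Draft"}],
    },
]
```

Running check_register(SAMPLE_REGISTER) reports only the Backup Procedure, with one line per gap an auditor would raise.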

ISO27001 Risk Management

ISO27001 is a risk-based management system. The controls that you have and the level of control that you put in place is down to you, and the risk you are trying to mitigate. 

Compare this to a rule-based system such as PCI DSS that tells you exactly what controls you MUST have in place and the exact level of that control.

You have much more flexibility in a risk-based system. Applying controls that you don’t need, or implementing to a level that exceeds the risk can cost you some serious money. You do not want to screw this part up.

ISO27001 Continual Improvement

Continual improvement is the process by which your organisation continues to improve its approach to information security. It is baked into the standard. It understands that you won’t get everything right at the beginning, but that as time goes on, you’ll work out a system of doing things better. 

You can spot these opportunities for continual improvement as part of the standard by identifying them during internal audits, when incidents occur, or just by brainstorming them. 

ISO27001 Internal Audit

When you embark on your ISO27001 journey, you make a commitment to being audited… a HELL of a lot.

You will need to appoint an independent, internal auditor who will constantly check that what you are doing meets the requirements of the standard. The output of this is continual improvement. For example, at any stage in the certification process, it may be flagged by the auditor that changes must be made in order to meet the standard, but because it’s an internal appointment, it won’t put your ISO27001 certification at risk.

Many companies outsource internal auditors, and this could potentially be one of the biggest costs. You must internally audit everything at least once every year and the usual approach is to break it down into chunks that you tackle each month over 12 months.

Compare this with the external audit which is the certification audit. This does the same thing but is much more formal, and getting it wrong can put your hard-earned ISO27001 certification at risk.

Everything you need to know to get started with ISO27001: the video

Watch this video before you start your ISO27001 certification journey. The ISO27001 Ninja will guide you through the whole process and save you thousands in costly mistakes!

ISO27001 Clauses

Every ISO27001 clause is covered, clause by clause, in this Ultimate ISO27001 Reference Guide Clause by Clause.

Every ISO27001 Annex A control is covered, control by control, in this Ultimate ISO27001 Annex A Reference Guide.

Your ISO27001 certification solution awaits

Are you still breathing?

We told you this was a dry subject. It’s a complicated process that can cost you a fortune and take months of your time.

Now that we’ve told you everything there is to know about ISO27001, we know what you’re thinking. WTF!? 

That’ll take me years! 

Where do I even begin?

Don’t sweat it. We’ve got you and we’re here to take the stress away. We can help you get certified 10x faster and 30x cheaper than anyone else.

If you want to know more about the ISO toolkit that will change the game for your business, or want to be coached through the process (without getting ripped off) book your free strategy call.

ISO27001 FAQ

What does ISO27001 mean?

ISO27001 is the name and designation given to the international standard for information security. It is an information security management system. It is a series of information security policies, information security documents, information security controls and processes for the management of information security. As a standard you can be assessed against it and a certificate can be issued to demonstrate that you meet the requirements of the standard.

What is the purpose of the ISO27001 standard?

There are two goals for the ISO27001 standard. The first goal is to provide a benchmark and framework against which businesses can operate for best practice in information security protection. The second goal is to be able to demonstrate, through independent ISO27001 certification, that a business meets the requirements of the international standard for information security and thereby provide assurance that the business is operating to a certain level.

Does ISO27001 cover GDPR?

ISO27001 can provide a framework to satisfy aspects of GDPR, especially around principle 6 (maintain adequate security). It does not make you GDPR compliant and it does not satisfy all of the requirements of the GDPR. Consider it a complementary standard and complementary framework.

What is the current version of ISO27001?

At the time of writing ISO/IEC 27001:2022 is the most current version of the standard and incorporates changes made in 2022.

How do I check if a company is ISO27001 certified?

The easiest way is to request a copy of their most up to date certificate and scope statement. You can check the date of the certificate to ensure that it is valid. The certificate will tell you the name of the certification body. You can then search the certification body website for a register of companies that they have certified.

Is ISO27001 a legal requirement?

In general, no. It can be a requirement of a regulatory body or of a contract, but it is not a legal requirement in the widest sense of law, unlike the GDPR, which is a law.

Is ISO27001 mandatory?

ISO27001 is only mandatory if an industry regulator mandates it or a contract between you and a customer or supplier mandates it. It is a framework based on risk and as such even the controls within the standard are not mandatory.

Who does ISO27001 apply to?

The ISO27001 standard and ISO27001 certification apply to any business that wants to operate to it and demonstrate best practice for information security management. The number one reason we see a business adopt the ISO27001 certification is for commercial gain and as a result of being asked for it by a customer on which a commercial contract rests.

Is ISO27001 a framework?

Yes. ISO27001 is a framework made up of policies, documents, controls and processes. It is a risk based framework with continual improvement at its heart. It requires top level, leadership commitment.

How much does ISO27001 certification cost?

ISO27001 certifications costs start at £3,600 and increase based on your company risk and company size.

Where do I find an ISO27001 consultant?

You can find an ISO27001 consultant at High Table – The ISO27001 Company

How long does ISO27001 take?

ISO27001 certification takes 3 months from start to finish.

Is ISO27001 expensive?

Yes, it can be. It is all relative. What is expensive for you may not be expensive for someone else. Expect the total cost of everything to come in at around £20,000 to £25,000.

What are the changes to ISO27001 in 2022?

ISO27001 Annex A changed in 2022. For a list of the changes see the Ultimate Guide to the ISO27001 Changes.

What is the difference between ISO27001 and ISO27002?

ISO27001 is a management system and you can certify to ISO27001.
ISO27002 is a control set to be considered as part of your implementation and you cannot certify to ISO27002.

What is Annex A / ISO27002?

There is an annex to ISO27001 called Annex A. Annex A is actually a standard in its own right called ISO27002. ISO27002 is a list of the technical controls that your organisation has implemented. You record this list of controls in your Statement of Applicability.

What is a Statement of Applicability (SoA)?

The Statement of Applicability is a mandatory document of the ISO27001 standard. It lists out the controls of ISO27001 Annex A / ISO27002 and it records whether the control is applicable to you or not. If not it includes a reason why it does not apply to you.
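The two rules above (every excluded control needs a recorded reason, and every applicable control should be backed by a document you actually hold) are easy to check mechanically before the certification audit. This is an added example written for this guide, not High Table’s toolkit code; the SoA rows, the control ids and names, and the document register titles are all constructed for illustration.

```python
# Constructed sample SoA rows. Control ids and names are illustrative, not a
# transcription of Annex A. Applicable rows must name the implementing
# document; excluded rows must carry a justification.
SAMPLE_SOA = [
    {"control": "A.5.1", "name": "Policies for information security",
     "applicable": True, "justification": "", "implemented_by": "Information Security Policy"},
    {"control": "A.6.1", "name": "Screening",
     "applicable": True, "justification": "", "implemented_by": "HR Security Procedure"},
    {"control": "A.7.4", "name": "Physical security monitoring",
     "applicable": False, "justification": "", "implemented_by": ""},
    {"control": "A.8.1", "name": "User endpoint devices",
     "applicable": True, "justification": "", "implemented_by": "Endpoint Policy"},
    {"control": "A.7.4", "name": "Physical security monitoring",  # duplicated row
     "applicable": False, "justification": "Fully remote, no premises", "implemented_by": ""},
]

# Constructed document register titles the SoA may point to.
DOCUMENT_REGISTER = {"Information Security Policy", "HR Security Procedure"}


def check_soa(rows: list[dict], register: set[str]) -> dict[str, list[str]]:
    """Return findings per control id; each is a question an auditor would ask."""
    findings: dict[str, list[str]] = {}
    seen: set[str] = set()
    for row in rows:
        cid = row["control"]
        problems: list[str] = []
        if cid in seen:
            problems.append("duplicate entry in the SoA")
        seen.add(cid)
        if row["applicable"]:
            impl = row.get("implemented_by", "").strip()
            if not impl:
                problems.append("applicable but no implementing document named")
            elif impl not in register:
                problems.append(f"implementing document '{impl}' is not in the register")
        elif not row.get("justification", "").strip():
            problems.append("excluded without a justification")
        if problems:
            findings.setdefault(cid, []).extend(problems)
    return findings


def summarise(rows: list[dict]) -> dict[str, int]:
    """Count applicable and excluded controls, the headline figures on the SoA cover."""
    applicable = sum(1 for r in rows if r["applicable"])
    return {"applicable": applicable, "excluded": len(rows) - applicable}
```

On the sample, check_soa flags the unjustified and duplicated A.7.4 rows and the Endpoint Policy that nobody has written yet.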

What are the ISO27001 Mandatory Documents?

The ISO27001 Mandatory Documents are the documents that are required by the ISO27001 standard. ISO27001 works on the premise that if it is not written down, it does not exist. It is documentation heavy.

What ISO27001 processes will I need?

You will need to document all of the processes that are going to be audited for your ISO27001 certification. The list of controls in Annex A is a great starting point for the required processes, on top of which the processes for your product or service will also require documenting.