This guide will help you understand ISO 27001, including the reasons for certification and the steps to becoming certified.
ISO 27001 And Your Business – An Introduction
Take a moment to think about your business: the service you provide to your customers, and the customer data you hold. Think about the information that is entrusted to you and your business by your internal and external stakeholders. This information may be your own company records and employee health or financial details, supplier contractual agreements and bank account information, customer data, code, and even information on their own end users.
If your approach to information security is not aligned with good practice, let alone best practice, your business may become a risk to others because you could be a gateway for malicious actors.
Now, think about the cost of a security incident to your business and potentially to your clients: loss of business, brand impact, loss of customer trust and the financial repercussions in compensations and fines.
Thinking this way is a sobering exercise, especially if you are debating the cost of ISO 27001 implementation. Good cyber hygiene and information security management is a low price to pay when compared to the potential financial consequences of a high-profile security incident.
What Is ISO 27001?
ISO 27001 is the international standard for the implementation, maintenance and continual improvement of an Information Security Management System (ISMS). To learn more, visit our ‘What are ISO standards?’ knowledge hub.
We’ll explain the makeup of an ISMS in the next section, but for now, it’s worth understanding that an ISMS requires a process-led approach to identifying and managing information risks affecting your organisation. The ISO 27001 standard sets out the framework for how to plan, establish, maintain, monitor and improve an ISMS.
ISO 27001 is not an IT security standard. This is a common misconception. Unlike a scheme such as Cyber Essentials, which specifies a fixed set of technical controls, ISO 27001 is focused on the management (or, if you prefer, the governance) of information security based on risk.
Because of this, ISO 27001 will apply right across your organisation in one way or another. Whilst IT is clearly going to be a key consideration, other areas touched by your ISMS will include human resources, facilities, procurement, development, compliance and business continuity.
ISO 27001 is supported by a family of information security guidance and associated documents. The family includes but is not limited to:
- ISO 27000: Terms and definitions used in the ISMS family of standards
- ISO 27001: Standard for an Information Security Management System
- ISO 27002: Techniques – Information Security Controls
- ISO 27005: Techniques – Information Security Risk Management
- ISO 27017: Techniques – Information Security Controls for Cloud Services
- ISO 27018: Techniques – Protection of PII in Public Clouds
- ISO 27701: Techniques – Privacy Information Management
Of these, ISO 27001 is the standard against which organisations are audited and, if successful, certified. The supporting documents are guides and codes of practice (e.g. ISO 27002, ISO 27005), sector-specific control recommendations (e.g. ISO 27017, ISO 27018) and extensions to ISO 27001 (e.g. ISO 27701, which extends ISO 27001 to cover privacy information management as well as information security management).
Certifying to ISO 27001 will require a systematic approach to information security risk management including ongoing assurance activities and commitment to continual improvement.
ISO 27001 is prescriptive about WHAT requirements must be met but deliberately leaves out HOW they are to be achieved. This ensures that certification can be achieved by any organisation, big or small, whatever its location and whatever its industry.
An example of how this works is to look at an organisation’s risk appetite and its management of risks. One business may evaluate a risk as unacceptable unless it is reduced through the implementation of specific controls. Conversely, another organisation may consider the exact same risk and deem it acceptable, and therefore be happy simply to monitor it. Both approaches can satisfy the standard, provided the decision is made using the organisation’s documented risk methodology and is recorded.
What Is An ISMS?
An ISMS is a set of policies, processes, procedures and records designed to maintain the confidentiality, integrity and availability of information and systems. It does this through the identification and management of information security risks, in a manner that is commensurate with the requirements of the organisation and its interested parties (including customers, employees, regulators and others).
The records are a critical part of an ISMS, as they enable measurement against objectives, provide key information to learn from and help evidence that you are following your own policies, processes and procedures (which is important when being audited for certification).
An ISO 27001 certified ISMS is evidence that all requirements of the standard have been met. These are the management (or what you might consider the ‘governance’) requirements set out in clauses 4-10 of ISO 27001. If these are satisfied, the organisation will have assessed its information security risks and planned and applied controls to reduce them to an acceptable level.
The security controls typically implemented are those set out in Annex A of ISO 27001. ISO 27002, the guidance document from which the Annex A controls are drawn, was substantially revised in 2022 to reflect the ways in which organisations now work with information and systems, and ISO 27001 itself was reissued as ISO/IEC 27001:2022 in October 2022 with a matching Annex A. Organisations certified to the 2013 edition were required to transition to the 2022 edition by 31 October 2025.
Mandatory ISO 27001 Documents
The ISO 27001 standard sets out several mandatory documents that must be in place as a prerequisite to successful certification. In truth, your ISMS will consist of many more documents (mostly policies) which are not mandatory but are necessary to control risks in a consistent manner.
Some of these other documents will be important security policies, but it is critical to get the mandatory documents in place first. Some are easy to miss because they are unfamiliar, the Statement of Applicability being the usual example.
Not having all the mandatory documents in place for the Stage 2 certification audit would result in a major non-conformity, meaning your organisation will not be recommended for certification by the auditor until the gap has been addressed.
There are several resources on the internet that list all the mandatory ISO 27001 documents in full, but the following list covers some of the key documents and their purpose:
- Scope of the ISMS: The scope is vital to the management of the ISMS. It is an organisational decision on what will be included; this could be the headquarters, or the headquarters and a select number of offices, for example. The standard also requires you to consider the interfaces and dependencies between activities inside the scope and those outside it (for example, an outsourced IT provider). Your scope will be stated on your ISO 27001 certificate.
- Information Security Policy and Objectives: This high-level document will typically include top management commitment to the ISMS and information security objectives, which should align with the business objectives. During management reviews (which are required to occur periodically, often interpreted as at least annually), progress against these objectives should be reviewed, and new ones should be set as the ISMS matures.
- Risk Assessment and Risk Treatment Methodology: This sets out the defined approach to be used by the organisation to assess and treat risks to information security, including the criteria for accepting risk. During the certification audit, the auditor will look for evidence that the assessment and treatment methodology has been followed, and that the resulting risk register and risk treatment plan are consistent with it.
- Inventory of Assets: You will need to identify information assets, list them in an inventory (or register) and assign an owner to each. This inventory must cover information assets, not only IT assets; whilst there will be overlap between the two, it is important to capture data categories and not just systems.
- Definition of Security Roles and Responsibilities: Assigning security roles and responsibilities within the organisation means that named individuals own specific ISMS tasks, so that work on the ISMS is always progressing. In smaller organisations, this might be as simple as listing key roles, whereas in bigger organisations a RACI matrix (or similar) may be appropriate. It is important to note that every employee within an organisation has responsibilities in relation to the protection of information, not only those with a named security role.
- Statement of Applicability (SoA): The SoA lists every control in Annex A, states whether each is applicable to your organisation, gives the justification for including or excluding it and records whether it has been implemented. Annex A contained 114 controls in the 2013 edition; the 2022 edition, which follows the revised ISO 27002, has 93 controls grouped into organisational, people, physical and technological themes. You can add controls from other sources (e.g. ISO 27017 and ISO 27018), but most organisations rely on the Annex A controls, and clause 6.1.3 of the standard requires you to compare the controls you have chosen through risk treatment against Annex A to check that nothing necessary has been omitted. Some controls may not apply; for example, secure development controls can be excluded if you do not develop software. If a control is excluded, the justification for its exclusion must be documented, and the auditor will check it.
- Records of Employee Skills, Training, Experience and Qualifications: Your HR team may already have suitable records in place which you can rely upon, or you may need to create them, but either way you will need competence records for the people who carry out ISMS roles.
- Logs of User Activities, Exceptions and Security Events: Annex A expects you to log user activity, exceptions, faults and security events and to retain and review those logs. Alongside these, records of security incidents and the actions taken help you prove what you have done, or are going to do, to prevent the same event from happening again. Far from showing weakness, this demonstrates continuous learning and your commitment to improvement.
What Are The Benefits Of Being Certified To ISO 27001?
There are many business benefits to being certified to ISO 27001, and one very common reason behind the business case for certification in most organisations (covered under market credibility below).
The benefits include the following.
An effective ISMS will help improve your ability to withstand and respond to cyber-attacks and information security breaches. Security roles and responsibilities will be defined, senior management engaged, incident response plans tested and business continuity procedures in place. Your employees will be trained and better prepared for dealing with risks.
ISO 27001 certification won’t make you compliant with GDPR or the NIS Regulations, but the disciplines embedded by a certified ISMS will certainly help you meet critical obligations under both, and under other regulations. These disciplines include leadership commitment and engagement, risk-led decision making, the implementation of organisational and technical controls to reduce security risks, and continuous evaluation and improvement.
Likewise, another benefit of ISO 27001 is that it will help you meet information security contractual obligations. Sometimes these require you to become certified within an agreed period of time, and we also regularly see contracts that list minimum security controls aligned to ISO 27001. Certification will help you satisfy such obligations.
Continuous Security Improvement
Information security management isn’t a ‘set and forget’ topic. Threats evolve, new vulnerabilities arise constantly, and risk appetites change. For these reasons and more, it is essential to keep your security posture under continuous review and improvement.
An ISMS will help ensure continuous review and improvement of the way your business manages security, proportionate to the risks faced.
Market Credibility & Supply Chain Requirements
In truth, most of the organisations that ask us to help them certify to ISO 27001 do so because a customer they sell to or a market in which they operate now requires it. This might be the result of an explicit pre-qualification requirement for new business, a renewal expectation from an existing client or it might simply have become an unspoken expectation because your competitors are all certified.
As supply chain expectations have hardened around information security, ISO 27001 certification has gone from being niche to commonplace. Organisations know their supply chain can be a weak link. Likewise, GDPR (Article 28) requires data controllers to use only processors that provide sufficient guarantees of appropriate technical and organisational measures, so controllers are looking to work with processors that have security best practices in place.
The organisations we work with start by certifying for supply chain reasons and later come to appreciate the other benefits listed above, as the ISMS becomes embedded in their organisation.
How Do You Certify To ISO 27001?
Certification is in two stages:
The Stage 1 certification audit is conducted by an auditor assigned by a certification body (more on this later). The auditor uses it to verify that the organisation is on track for certification: that the mandatory documentation (policies, records) exists and is being implemented, and that the mandatory requirements are being addressed. Upon completion of the Stage 1 audit, the auditor will issue a report highlighting areas where the organisation fails to meet the requirements of the standard (referred to as non-conformities) and suggesting ‘Opportunities For Improvement’ (OFIs), which the organisation should consider but is not obliged to implement.
The Stage 2 certification audit typically takes place 2 to 8 weeks after the Stage 1 audit, on a date that has been pre-agreed between the client and the certification body.
This second audit is a much more in-depth exercise and may last from 3 to 15 days, depending on a combination of:
- Number of employees
- The complexity of products and services offered
- Geographical locations, including the number of countries involved
- Dependency on on-premises and cloud technology
- Dependency on outsourced development
During the Stage 2 audit, the certification auditor will not only want to validate that the mandatory requirements of the ISO 27001 standard have been addressed but will go one step further and want to see that the organisation does indeed do what it says it does in its policies and processes.
This means that the organisation will need to share records, logs, reports, meeting minutes and other relevant artefacts to demonstrate evidence of compliance. Sharing does not necessarily mean handing over sensitive documentation, even though the certification body will have signed a Non-Disclosure Agreement (NDA); evidence can be shown through screen sharing or through on-site review of paper-based documentation.
Upon completion of the Stage 2 certification audit, the auditor will hopefully be able to recommend the organisation for certification. Their report and associated findings are then submitted to the certification body for an independent certification decision by someone who was not involved in the audit, a step required by the accreditation rules (ISO/IEC 17021-1) that UKAS, the National Accreditation Body for the United Kingdom, assesses certification bodies against.
If non-conformities have been identified by the auditor, certification will be withheld until such a time that the organisation can demonstrate that the non-conformities have been addressed. This may be achieved by submitting evidence via email within a timeframe agreed with the auditor, or possibly by a follow-up visit from the auditor.
If an auditor finds a major non-conformity at the Stage 2 audit you will have three months to rectify it, at the end of which you will be subject to a ‘special’ audit to confirm the matter has been successfully addressed. If not, you will not be recommended for certification and you will need to go through the full audit process again if you wish to certify.
As previously stated, certification is not a one-off exercise. One year after certification, and again one year after that, the certification body will conduct ‘sample’ audits. These are referred to as Surveillance Audits or Continual Assessment Visits (CAVs) and typically focus on a handful of clauses and controls, together with any areas where non-conformities were previously raised. Again, the certification auditor will document their findings and recommendation in a report and will, hopefully, reconfirm certification.
Three years after the original certificate was issued, the organisation will go through a recertification audit, similar to the previous Stage 2 audit. If the ISMS has been maintained appropriately, this should be reasonably straightforward. Bear in mind, though, that a lot can change in three years, meaning your scope may need to be updated or previously excluded controls may need to be brought into the SoA and evidenced to address new risks which have arisen during that period.
How Long Will It Take To Gain ISO 27001 Certification?
The short answer to this question is that it depends! There are many factors affecting the time that an organisation will take to be ready for the certification audit. These include the time and skills the organisation has available to commit to the project, the scope of certification and management commitment to project success. While some organisations may choose to handle the implementation process internally, an external ISO consultant can help address resource and time management issues that would otherwise stall the project.
The point about management commitment is critical. At times the project will get stuck, and people will prioritise other activities or not buy into the requirements and simply slow things down. At this point, you will need someone with senior management authority to remove the hurdles and prioritise work in favour of the certification project.
A well-resourced project supported by senior management could take as little time as 6 months but is typically going to take nearer to 9 months in our experience. Some organisations take longer due to competing demands and organisational changes.
Whatever you plan for, don’t think that you can be certified in weeks. Some consultancy providers promise this but cutting corners will not embed the ISMS properly and may set you up for failure after initial certification (causing issues at the time of your surveillance audit).
Our advice is to be realistic about how long it will take to establish your ISMS and be ready for audit. If you are under customer pressure, be careful not to commit to a target that is too aggressive. We also recommend working with a UKAS-accredited certification body.
As mentioned above, the United Kingdom Accreditation Service (UKAS) is the UK national accreditation body recognised by the government to assess organisations that provide certification, testing, inspection and related services. We always recommend that you select a UKAS-accredited certification body for ISO 27001.
Certification is not a regulated activity, so any organisation can issue you an ‘ISO 27001 certificate’. Plenty of non-accredited certification bodies exist, and they typically help organisations to implement ISO 27001 and then audit their own consultants’ work. UKAS-accredited certification bodies are bound by impartiality requirements and cannot both implement and audit the same ISMS.
These non-accredited bodies may offer to do the work more quickly or cheaply, and the certificate they issue may be good enough for marketing purposes, but in truth a certificate from a UKAS-accredited body will carry more weight, and some organisations in your supply chain will insist on accredited certification.