The complete guide to becoming ISO 27001 certified

04 May 2023

ISO 27001 – are you looking to get your organisation certified?

Developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC 27001 specifies the requirements for an information security management system, giving businesses a structured way to maintain control over, and trust in, their data and IT systems. Strictly speaking, organisations are certified against ISO 27001; it is the certification bodies that are accredited (by UKAS in the UK), although "accredited" is widely used informally.

While you can’t hide your business from security risks, you can take practical action to prevent unplanned downtime and other preventable issues – and that’s where ISO 27001 can help. 

The process of gaining ISO 27001 certification revolves around implementing an Information Security Management System (ISMS).

Put simply, an ISMS comprises policies, procedures and controls spanning technology, processes and people.

As the world's most widely recognised information security standard, ISO 27001 certification provides trust and assurance to organisations of every size, and across every industry and jurisdiction.

This is a guide to becoming ISO 27001 certified.

Brief history of ISO 27001

ISO 27001 was first published in 2005, essentially replacing the British Standard BS 7799-2, and was revised in 2013 and again in 2022.

The standard was developed jointly by ISO and IEC and is the certifiable requirements standard of the ISO/IEC 27000 family, which also includes ISO/IEC 27002 (implementation guidance for the controls) and ISO/IEC 27005 (information security risk management).

Benefits of ISO 27001 certification

ISO 27001 is not mandatory, but the benefits of robust information, data and cyber security standards are ever-increasing.

From network-wide ransomware attacks to Denial of Service (DoS) and phishing scams, the consensus is that risks are proliferating.

Commonly cited industry figures put the number of cyber attacks at over 2,000 a day, with some 43% of targets being SMBs, so risks are far from exclusive to larger businesses. The often-quoted claim that around 60% of SMBs that suffer a data breach go bust within six months is widely repeated but poorly sourced; even so, the stakes are undeniably high.

ISO 27001 certification is a decisive step in the right direction for any organisation wishing to protect itself from becoming one of these statistics.

Further, for businesses that must meet regulatory or industry requirements such as the EU and UK General Data Protection Regulation (GDPR), which replaced the 1995 Data Protection Directive, and the Payment Card Industry Data Security Standard (PCI DSS), ISO 27001 is a useful step towards compliance, though it does not by itself demonstrate compliance with either.

Here are some of the many benefits of becoming ISO 27001 certified:

  • Improved information security: Implementing an ISMS helps organisations identify and manage risks to their information and operational assets, reducing the likelihood of data breaches, ransomware and other security incidents. This is imperative to protecting operations and avoiding unplanned downtime, which one widely cited Gartner estimate puts at up to $5,600 a minute.

  • Compliance with regulations: An ISO 27001-conformant ISMS helps organisations meet legal, regulatory and contractual requirements related to data protection and information security. Requirements vary from sector to sector, but ISO 27001 is deliberately sector-neutral, so the ISMS can be as specific or as general as the organisation needs.

  • Trust and confidence: Certification demonstrates that an organisation takes information security seriously and has implemented a robust system to protect sensitive data. This helps organisations build trust with clients, customers and regulators such as the FCA and ICO.

  • Competitive advantage: ISO 27001 certification can differentiate an organisation from competitors, increasing business opportunities. Tenders and supplier questionnaires increasingly ask whether a business holds ISO 27001 certification, and having to decline can cost clients and customers.

  • Streamlined processes: Implementing an ISMS can lead to more efficient and effective processes. The route to certification unlocks tangible business value beyond the certificate itself.

Overall approach of ISO 27001

Organisations are certified against ISO 27001 on how well they implement, operate and maintain their risk management process, not on their overall level of risk.

In other words, identifying risks and actively managing them is what is assessed, and formally accepting some risks is a legitimate part of that process.

As such, if an organisation's risk management is sound, it can achieve ISO 27001 certification even with some gaps in its IT security controls, provided those gaps are known, risk-assessed and justified in the Statement of Applicability.

This contrasts with attestations such as SOC 2, where the auditor tests the design and operating effectiveness of the specific controls the organisation has put in place against the AICPA Trust Services Criteria, and with prescriptive standards such as PCI DSS, which mandate particular controls.

Phase 1: Planning and ISO 27001 scoping

Phase 1 is an investigatory exercise that involves planning, communication and research.

1: Define the scope of ISO 27001 for the organisation

First, it’s necessary to determine which part of the organisation will be certified, such as the entire organisation, specific departments, or business units.

This involves considering the types of information to be protected, the systems and processes involved, and the boundaries of the certification. The scope statement appears on the certificate itself, so customers can (and should) check that the services they rely on fall within it.

For instance, limiting the scope of ISO 27001 to specific operations may be beneficial if business-wide certification isn’t required. That suits businesses targeting cyber security investment at business-critical workloads.

Here’s an example:

Example 

A courier or delivery company that provides services to third parties may seek certification only for the operational departments and those that handle customer data, not central functions like finance and HR.

This allows them to assure customers that their data is secure and delivery services are cyber-resilient, while focusing on the part of the business where an incident would be most significant.

2: Gap analysis

Gap analysis involves reviewing the organisation's current information security and risk management, identifying existing controls, and determining areas where improvements or additional controls are needed.

This typically involves interviews with key personnel, reviewing documentation, and assessing any policies and controls already in place.

The output of gap analysis is a plan that describes how to address gaps in order to achieve ISO 27001. 

This fact-finding mission sets the scene for designing and implementing controls and provides an initial project plan for achieving ISO 27001 certification.

Phase 2: Design and implementation of the ISMS

Phase 2 puts research into motion by choosing controls and implementing the ISMS.

1: Write the ISMS policy

The ISMS policy serves as the top-tier internal document for ISO 27001. 

While it needn’t be overly detailed, the policy should establish the organisation's fundamental applicability and requirements for information security, as well as senior management ownership of information security risks.

2: Define risk assessment and management processes

After developing the high-level ISMS policy, risk assessment and management processes are designed and mapped to the business and its various functions. 

These processes should be aligned and integrated with the organisation’s existing process landscape. Implementing off-the-shelf and un-customised processes will lead to poor performance or complete process failure. Moreover, badly designed processes can seriously impact business agility by being overburdensome and overly bureaucratic. 

Risk assessment is a methodology for identifying risks, estimating their likelihood and impact, and delivering a risk rating as an output. A qualitative approach is generally recommended: ratings such as HIGH, MEDIUM and LOW make prioritisation straightforward, whereas precise numerical estimates are hard to justify for most cyber risks.

Risk management broadly defines the processes for reporting and managing risks within the business.

ISO 27001 defines four risk treatment options as part of risk management.

  • Modify (mitigate) the risk by implementing controls that decrease the likelihood or impact of its occurrence. For example, implementing redundant systems and backups.
  • Avoid the risk by preventing situations where it could arise. For example, the business could prevent employees from using company devices on public WiFi.
  • Share (transfer) the risk with a third party, typically by transferring risk to an insurer. This reduces the financial impact of incidents without necessarily addressing their cause.
  • Retain (accept) the risk, with documented sign-off from the risk owner, where the cost of treating it outweighs the benefit. Accepted risks stay on the register and are revisited at each review.

3: Risk assessment

Risk assessment involves running the process described in the previous section. 

The risk assessment process is carried out across the in-scope parts of the organisation. Its purpose is to discover the cyber business risks the business faces, and then to rate those risks so they can be properly managed. It's essential to consider risks in the business context, not just the technical context: risks are rated by their impact on the business, not merely on the technical estate.

The gap analysis from Phase 1 is a critical input into this step, and further investigatory work is carried out if required.

The ultimate aim of the risk assessment process is to identify risks, define Risk Treatment Plans and put them into the Risk Register. 

Example

In the case of the courier company, a typical cyber business risk would be disruption to their delivery operations by a ransomware attack. This could prevent customer deliveries from arriving on time, impacting their revenue, and in turn, negatively affecting the courier’s reputation. This could also result in having to pay customers compensation. 

Once identified, this risk would be given a rating compared to other cyber business risks, and prioritised.

4: Control selection

In parallel with defining Risk Treatment Plans, controls are selected from Annex A of ISO 27001 and other sources to manage the identified cyber business risks.

Like the controls in other cyber security frameworks, ISO 27001's span people, processes and technology.

Annex A contains an extensive list of reference controls. The 2013 edition grouped 114 controls into 14 domains; the 2022 revision restructures them into 93 controls across four themes (organisational, people, physical and technological). Businesses select the controls they need to mitigate their cyber business risks and exclude those they don't, but every Annex A control must be considered, and each exclusion must be justified in the Statement of Applicability. This still enables targeted investment: there is no need to waste time and money on irrelevant controls just to tick boxes.

In addition, businesses can include controls from other frameworks if required, for instance where a newer, more effective control exists that Annex A does not yet describe.

As mentioned previously, flexibility is built into ISO 27001, and businesses are free to choose what controls they need to manage risk, as long as the choice is risk-based and documented.

The role of cyber security professionals

Control selection is one of the most critical parts of implementing ISO 27001 and should be carried out by someone who is an expert in the fields of both cyber security and risk management. 

This ensures controls are selected which deliver effective cyber risk management and fit within cyber security investment budgets.

Once control selection has been carried out, it’s documented in the Statement of Applicability (SoA), which is a core ISO 27001 document. 

Example

For our courier example, given one of the primary risks is a ransomware attack which disrupts the delivery services, controls should be selected specifically to decrease or mitigate this risk. 

This could include protective controls such as vulnerability management, detective controls such as endpoint detection and response (EDR) and recovery controls such as backup and restore.
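To make the risk assessment and control selection steps above concrete, here is an added worked example in Python (not from the original page, and not Nicolson Bray's own tooling): a small qualitative risk register for the courier scenario that rates each risk HIGH, MEDIUM or LOW from 1..3 likelihood and impact scores, records one of the four treatment options, prioritises the register, and then runs the cross-checks an auditor would make between the register and the Statement of Applicability: every control cited by a treatment plan must be listed as applicable in the SoA, every excluded control must carry a justification, and a HIGH risk cannot simply be retained without recorded acceptance. The rating thresholds, the risks and the SoA entries are constructed for illustration; the Annex A numbers are the 2022 edition's as understood here and should be checked against your copy of the standard.

```python
"""Qualitative risk register with a Statement of Applicability (SoA) cross-check.

Added example with constructed data for the courier scenario; this is not the
standard's own text or method, only one way to implement what it asks for.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Treatment(Enum):
    MITIGATE = "mitigate"   # reduce likelihood or impact with controls
    AVOID = "avoid"         # remove the activity that creates the risk
    SHARE = "share"         # transfer part of the impact, e.g. to an insurer
    RETAIN = "retain"       # accept the risk with documented management sign-off


LEVELS = ("LOW", "MEDIUM", "HIGH")


def rate(likelihood: int, impact: int) -> str:
    """Map 1..3 likelihood and impact scores to a qualitative rating.

    Thresholds are an assumption for this example: a product of 6 or more is
    HIGH, 3..4 is MEDIUM and 1..2 is LOW. Adjust to your own risk appetite.
    """
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be integers 1..3")
    score = likelihood * impact
    if score >= 6:
        return "HIGH"
    if score >= 3:
        return "MEDIUM"
    return "LOW"


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: int
    impact: int
    treatment: Treatment
    controls: tuple[str, ...] = ()   # Annex A references cited by the treatment plan
    rating: str = field(init=False)

    def __post_init__(self) -> None:
        self.rating = rate(self.likelihood, self.impact)


@dataclass
class SoAEntry:
    control: str
    applicable: bool
    justification: str  # mandatory for every exclusion


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Highest rating first; ties broken by reference so the register is stable."""
    return sorted(risks, key=lambda r: (-LEVELS.index(r.rating), r.ref))


def check_consistency(risks: list[Risk], soa: list[SoAEntry]) -> list[str]:
    """The cross-checks an auditor makes between the register and the SoA."""
    findings: list[str] = []
    soa_by_ref = {e.control: e for e in soa}
    for r in risks:
        if r.treatment is Treatment.MITIGATE and not r.controls:
            findings.append(f"{r.ref}: mitigate chosen but no controls in the treatment plan")
        if r.treatment is Treatment.RETAIN and r.rating == "HIGH":
            findings.append(f"{r.ref}: HIGH risk retained; needs documented management acceptance")
        for c in r.controls:
            entry = soa_by_ref.get(c)
            if entry is None:
                findings.append(f"{r.ref}: control {c} is not listed in the SoA")
            elif not entry.applicable:
                findings.append(f"{r.ref}: control {c} is marked not applicable in the SoA")
    for e in soa:
        if not e.applicable and not e.justification.strip():
            findings.append(f"SoA: {e.control} excluded without justification")
    return findings


def courier_example() -> tuple[list[str], list[str]]:
    """Constructed register for the courier scenario (sample data, not real)."""
    risks = [
        Risk("R1", "Ransomware halts the dispatch and routing platform", 3, 3,
             Treatment.MITIGATE, ("A.8.7", "A.8.8", "A.8.13")),
        Risk("R2", "Drivers' devices join untrusted public Wi-Fi", 2, 2,
             Treatment.AVOID),
        Risk("R3", "Customer data exposed by a breached subcontractor", 1, 3,
             Treatment.SHARE),
        Risk("R4", "Printed delivery manifest lost in a van", 2, 1,
             Treatment.RETAIN),
    ]
    soa = [
        SoAEntry("A.8.7", True, "Malware protection on all endpoints"),
        SoAEntry("A.8.8", True, "Monthly vulnerability scanning and patch SLAs"),
        # A.8.13 (backup) is cited by R1's plan but missing here: a finding.
        SoAEntry("A.7.9", False, ""),  # exclusion with no justification: a finding
    ]
    ordered = [r.ref for r in prioritise(risks)]
    return ordered, check_consistency(risks, soa)
```

Calling `courier_example()` returns the register ordered R1, R2, R3, R4 and two findings: the backup control cited by the ransomware treatment plan is missing from the SoA, and one control has been excluded without a justification. Both are exactly the kind of inconsistency a Stage 1 document review picks up, and both are cheap to catch yourself before the auditor does.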

5: Write low-level policy documentation

At this stage, risks have been identified and assessed, and targeted with risk treatment plans and controls. 

Low-level policy documentation delves into the detail of the ISMS and elaborates on the selected controls, giving guidance on how they are implemented across the whole in-scope organisation.

These policies are therefore unique and tailored to each business. Beyond the documents ISO 27001 explicitly requires, there’s no need to write policies that aren’t relevant to the organisation; an auditor will want to see each policy being followed, so a policy nobody applies is a liability rather than an asset.

Examples of low-level policies include:

  • Access Control Policy
  • Backup Policy
  • Bring Your Own Device (BYOD) Policy
  • Change Management Policy
  • Clear Desk and Clear Screen Policy
  • Disaster Recovery Plan
  • Disposal and Destruction Policy
  • Encryption Policy
  • Information Classification Policy
  • Information Transfer Policy
  • Mobile Device, Teleworking, and Work from Home Policy
  • Password Policy
  • Supplier Security Policy

Drawing up accurate and relevant low-level policies helps communicate strategies with managers and employees.

6: Training

People are absolutely integral to managing cyber business risks.

ISO 27001 requires training employees on information security awareness, the organisation's specific ISMS policies and procedures, relevant legal and regulatory requirements, and incident response procedures.

Training can be handled internally or outsourced. If certain policies need to be implemented across the entire organisation (e.g. device policies), training must be put into action before any auditing takes place.

7: Operate the ISMS

At this stage, the ISMS is fully operational. 

ISO 27001 should by now be an integral part of the organisation's daily operations, and certification is almost in sight.

Once systems are online, processes should be monitored and recorded. For example, as new controls are implemented and improved, the Risk Register and Risk Treatment Plans will need to be updated. The standard also requires evidence that the ISMS is being monitored and measured, so start collecting that evidence now.

Keeping well documented records of these activities is crucial for the next steps, internal and external audit.

Phase 3: Audits

Audits collect and analyse evidence about the ISMS and its effectiveness, assessing the system as a whole rather than its individual parts in isolation.

1: Internal audit

Audits first take place internally. Internal audits ensure the ISMS runs appropriately, compiling evidence that risks are identified, assessed, and managed effectively. 

This typically involves reviewing documentation, interviewing personnel, and testing controls to ensure they function as intended. Discovering some shortfalls is normal – it’s easier to address them now than wait for external auditors to find them.

Additionally, the evidence collected here will help external audits run smoothly. Seizing the opportunity to collect in-depth insights will accelerate the external audit and certification process. 

2: Stage 1 external audit

In the first audit, the certification body reviews the ISMS documentation to determine whether it is fit for purpose. The focus here is on written policies and statements.

During this first ISO 27001 certification audit (sometimes called the document review), the auditor reviews the decisions made for each identified risk. Various documents are requested, such as the scope statement, the Statement of Applicability and the Risk Treatment Plan.

The Statement of Applicability lists every Annex A control, states whether it applies, justifies any exclusion and records whether the control is implemented, whereas the Risk Treatment Plan sets out the response to each risk identified during the risk assessment.

The auditor examines the scope, policies, procedures, risk assessment and treatment documentation, and other relevant documents to ensure they meet ISO 27001 requirements, and confirms that the organisation is ready for Stage 2.

3: Stage 2 external audit

The certification body examines evidence that the ISMS is functioning as documented and is managed effectively, including the internal audit results, management review records and the risk register.

This typically involves on-site visits, interviews with staff and testing of controls to verify that they operate as the documented ISMS says they should.

The Stage 2 audit report may record minor nonconformities, major nonconformities and opportunities for improvement. A major nonconformity must be closed before a certificate is issued. Working with experienced ISO 27001 consultants vastly reduces the chance of having to make serious retrospective changes.

4: Certification is awarded

If the organisation passes the Stage 2 audit and addresses any identified nonconformities, the certification body will give the thumbs up.

It then issues the ISO 27001 certificate, valid for three years. It’s not quite over at this point, however: regular surveillance audits are required to maintain the certification during that period.

Maintaining ISO 27001

Certification doesn’t last forever and needs to be renewed. Once certified, organisations must fulfil regular responsibilities and conditions to maintain ISO 27001 certification, including:

  • At least one internal audit per year: Conduct an internal audit to ensure the ISMS is functioning correctly and that there is evidence of risks being identified, assessed, and managed.

  • Management review: Conduct a periodic management review to assess the ISMS's effectiveness and identify improvement areas.

  • Continuous improvement: Implement improvements to the ISMS based on the results of the internal audits and management reviews.

  • Surveillance audits: Organisations undergo periodic surveillance audits by the certification body to ensure ongoing compliance with the standard. These audits typically occur at the end of Year 1 and Year 2

  • Recertification audit: Organisations must undergo a full recertification audit every three years to maintain their certification. This audit involves a comprehensive review of the ISMS, similar to the initial Stage 2 external audit.

ISO 27001 FAQ

What is the role of an auditor in the ISO 27001 certification process?

During a two-stage audit process, an external auditor from an accredited certification body evaluates an organisation's ISMS against the ISO 27001 requirements, checking that the necessary policies, procedures and controls to protect sensitive information have been implemented and are operating.

How long does the ISO 27001 certification process take?

The duration of the ISO 27001 certification process varies depending on the organisation's size, complexity, and readiness. Generally, certification can take anywhere from 6 to 18 months.

How long is ISO 27001 certification valid?

ISO 27001 certification is valid for three years. During this period, regular surveillance audits are required to maintain the certification and ensure that the ISMS remains effective and up-to-date.

Can small businesses achieve ISO 27001 certification?

Yes, small businesses can achieve ISO 27001 certification. The standard is applicable to organisations of all sizes and sectors. The certification process can be scaled to suit the organisation's size and needs.

Do I need to hire an external consultant for ISO 27001 certification?

Hiring an external consultant is not mandatory but can be helpful for organisations that lack in-house expertise or resources to navigate the certification process. A consultant can provide guidance, support, and training to help your organisation meet ISO 27001 requirements.

How to check if a company is ISO 27001 certified

Don't rely on a logo on the company's website. Ask for a copy of the certificate and check three things on it: the name of the certification body, the expiry date, and the scope statement, which tells you which parts of the business and which services the certificate actually covers. Then confirm that the certification body is itself accredited (in the UK, by UKAS) and, where the body publishes one, look the certificate up in its public directory; BSI, for example, maintains a searchable database of certified organisations.

How to get ISO 27001 certification

To obtain ISO 27001 certification, businesses must plan, develop and implement an Information Security Management System (ISMS) in line with the standard. This involves implementing security controls and processes and training staff on information security practices. 

What ISO 27001 certification brings to the organisation

ISO 27001 certification offers various benefits, such as enhanced credibility and trust with customers, partners, and stakeholders, improved information security risk management, and compliance with legal and regulatory responsibilities. 

What is ISO 27001 certification?

ISO 27001 is a globally recognised information security standard; ISO 27001 certification is independent confirmation by an accredited certification body that an organisation's ISMS meets it. The standard provides a framework for organisations to establish, implement, maintain and continually improve their information security management, and certification demonstrates an organisation's commitment to information security.

How to get ISO 27001 certification in the UK

The process for obtaining ISO 27001 certification in the UK is similar to the general process used by organisations worldwide. It starts with planning and gap analysis and progresses to risk assessment, treatment, control implementation and auditing. Finally, a certifying body will perform an external audit and grant certification or request additional changes.

Summary: The complete guide to becoming ISO 27001 certified

ISO 27001 certification is globally recognised. Obtaining it requires a structured process of planning, implementation and internal and external auditing. 

While certification is an important step towards compliance, the process also creates tangible business value and isn’t merely a box-ticking exercise. 

Nicolson Bray emphasises that there’s no one-size-fits-all approach to ISO 27001 certification.

We help clients build bespoke, tailored strategies that align with goals and objectives. The process illuminates risks and provides a strong foundation for a business to grow and thrive, regardless of its size. 

Learn more about our ISO 27001 consultancy services, or contact us today to learn more about how we can help you.

Bob Nicolson | Head of Consultancy

bob.nicolson@nicolsonbray.com