The complete guide to getting your business ISO 27001 certified

Published on

Bob Nicolson | Head of Consultancy

bob.nicolson@nicolsonbray.com

Developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system, giving businesses a framework for maintaining a high level of security control over their data and IT systems. (Its companion standard, ISO/IEC 27002, provides the implementation guidance for the individual controls.) 

The process of gaining ISO 27001 centres around implementing an Information Security Management System (ISMS). 

Put simply, an ISMS comprises the policies, procedures and controls needed within an organisation to manage information security risk.

As the world's most widely recognised information security standard, ISO 27001 provides trust and assurance to organisations of every size, and across every industry and jurisdiction. 

This is a guide to becoming ISO 27001 certified.

Benefits of ISO 27001

The benefits of robust information, data, and cybersecurity controls are ever-increasing.

From network-wide ransomware attacks to Denial of Service (DoS) and phishing scams, information security and cyber risks are proliferating daily.

Widely quoted industry figures put the number of cyber attacks at over 2,000 a day, with some 43% of them targeting SMBs, so the risk is far from exclusive to larger businesses. Estimates of how many breached SMBs subsequently fail vary widely (the often-cited figure of 60% going bust within six months has been challenged), but for a small business the stakes are high. 

ISO 27001 is a decisive step in the right direction for any organisation wishing to ensure it doesn't become a statistic or tomorrow's headline. 

Furthermore, for businesses that must meet regulatory and industry requirements such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS), ISO 27001 is a significant and useful step towards compliance, although certification does not on its own satisfy either.

Broadly the benefits of being ISO 27001 certified cover the following areas:

  • Improved information security: Implementing an Information Security Management System (ISMS) helps organisations identify and manage risks to their information and operational assets, reducing the likelihood of data breaches, ransomware and other security incidents.  

  • Regulatory compliance: To gain ISO 27001 organisations need to be aware of and incorporate their legal, regulatory, and contractual obligations. Regulations vary from sector to sector, but ISO 27001 is designed to be both flexible and adaptable, and to drive compliance whatever the regulation.

  • Trust and confidence: Certification demonstrates that an organisation takes information security seriously and has implemented robust systems to protect sensitive data. This helps organisations build trust with clients, customers and regulators such as the Financial Conduct Authority (FCA) and the Information Commissioner's Office (ICO). 

  • Competitive advantage: ISO 27001 certification can differentiate an organisation from competitors and open up business opportunities. Increasingly, tenders and supplier due-diligence questionnaires ask whether a business holds ISO 27001, and a negative answer can cost a client or a contract.

  • Streamlined processes: Implementing an ISMS can lead to more efficient and effective processes. The process of certification unlocks tangible business value beyond ISO 27001 itself.

ISO 27001 is based on sound risk management

Organisations are ISO 27001 certified based on how well they implement, manage and run their risk management systems, not on their overall risk level. 

Ultimately the goal is identifying and actively managing risk, and accepting some risks is part of this process. 

As such, if an organisation’s risk management is sound, it can achieve ISO 27001 certification even if there are some IT security controls gaps and related risks.

This contrasts with more prescriptive frameworks such as PCI DSS, which mandate specific controls, and with SOC 2, which assesses an organisation's controls against a fixed set of Trust Services Criteria.

Phase 1: ISO 27001 planning and scoping

Phase 1 is an investigatory exercise that involves planning, communication and research.

1: Gain management buy-in

From my experience this is a crucial part of any ISO 27001 implementation. Because implementing the standard inevitably requires both time and investment, it is critical that senior management support, and where necessary drive, its roll-out throughout the organisation. The standard itself makes this explicit: Clause 5 (Leadership) requires top management to demonstrate commitment to the ISMS and to provide the resources it needs.

2: Define the scope of ISO 27001 for the organisation

Next it’s necessary to determine which part of the organisation will be certified, such as the entire organisation, specific departments, or business units. 

This involves considering the types of information to be protected, the systems and processes involved, and the boundaries of the certification.

For instance, for larger businesses, targeting the scope of ISO 27001 to specific operations may be beneficial if complete business-wide certification isn’t required. This is ideal for businesses targeting cyber security investment at business-critical workloads. 

For smaller businesses it is often easier to keep it simple and include the whole organisation in scope.

Example 

A courier or delivery company that provides services to third parties may seek certification only for the operational departments and those that handle customer data, not their central functions like finance, HR, etc. 

This will allow them to assure their customers that their data is secure and delivery services cyber-resilient, as well as focusing on the part of the business where an incident could be most significant.

3: Gap analysis

The gap analysis involves reviewing the organisation's current information security and risk management processes, identifying existing controls, and documenting the output. It is a gap analysis against the whole of ISO/IEC 27001:2022, the current edition of the standard. The 2013 edition has been superseded, and certification bodies now assess against the 2022 edition, so a gap analysis carried out against the older edition will need to be re-mapped.

This typically involves interviews with key personnel, reviewing documentation, and assessing any policies and controls already in place.

The output of the gap analysis is an understanding of an organisation's current information security framework, and is an important input into the implementation process.

This fact-finding mission sets the scene for designing and implementing controls in the later phases, and can provide an initial project plan for achieving ISO 27001 certification.

Phase 2: Design and implementation of the ISMS

Phase 2 puts research into motion by choosing controls and implementing the ISMS.

1: Write the ISMS policy

The ISMS policy serves as the top-tier internal document for ISO 27001. 

While it needn’t be overly detailed, the policy should state the scope and objectives of the ISMS, the organisation's commitment to meeting its information security and legal requirements, and senior management ownership of information security risk. Clause 5.2 of the standard requires this policy to exist, to be approved by top management and to be communicated within the organisation.

2: Define risk assessment and management processes

After developing the high-level ISMS policy, cyber risk management and risk assessment processes are designed and mapped to the business and its various functions. 

These processes should be aligned and integrated with the organisation’s existing process landscape. Implementing off-the-shelf and un-customised processes will lead to poor performance or complete process failure. Moreover, badly designed processes can seriously impact business agility by being overburdensome and overly bureaucratic. 

Risk assessment is a methodology for identifying risks, their likelihoods and impacts, and delivering a risk rating as an output. I generally recommend the use of a blend of quantitative and qualitative risk assessment, providing outputs like HIGH, MEDIUM and LOW risk, which facilitate easy prioritisation. However it is up to each organisation to determine which assessment methodology to use, and in ISO 27001 there is no prescribed approach.

Risk management broadly defines the processes for reporting and overseeing risk treatment within the business.

ISO 27001 requires the organisation to select a treatment option for each risk; the four options in general use, as set out in the companion standard ISO/IEC 27005, are:

  • Decrease or mitigate the risk by implementing controls that decrease the likelihood or impact of its occurrence. For example, implementing redundant systems and backups. 
  • Avoid the risk by preventing situations where it could arise. For example, the business could prevent employees from using their company devices on public Wi-Fi. 
  • Share or transfer the risk with a third party, typically by transferring the financial risk to an insurer or the operational risk to a supplier. This reduces the financial impact of incidents without necessarily addressing their cause, and the organisation remains accountable for the risk. 
  • Accept or retain the risk if it is within the organisation's risk appetite or if the cost of mitigation outweighs the risk reduction benefit. Acceptance is a documented management decision, not a default.

3: Risk assessment

Following the process defined in the previous step, an information security risk assessment is carried out across the in scope parts of the organisation. This is to discover the cyber risks that the business faces, and to assign them ratings so they can be properly managed. It's essential to consider risks in the business context, not just the technical context.  In practice this means that risks are rated by their impact on the business, not necessarily on their impact to the technical sphere.

The gap analysis from Phase 1 is a critical input into this step as it is a record of the current control environment. In addition further investigatory work may be carried out if required.

The ultimate aim of the risk assessment is to identify risks, define Risk Treatment Plans, and choose mitigating controls from Annex A to be implemented across the organisation. Additionally risks should be recorded in the Risk Register.  

Example

In the case of the courier company, a typical cyber business risk would be disruption to their delivery operations by a ransomware attack. This could prevent customer deliveries from arriving on time, impacting their revenue, and in turn, negatively affecting the courier’s reputation. This could also result in having to pay customers compensation. 

Once identified, this risk would be given a rating compared to other cyber business risks, and prioritised.
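A worked example of the blended quantitative/qualitative approach described above, written for this guide and not taken from the standard or from Nicolson Bray's own tooling: each risk carries a quantitative estimate (expected occurrences per year and loss per occurrence, from which an annualised loss expectancy is derived), which is then banded into the HIGH/MEDIUM/LOW rating used for prioritisation. The band thresholds, the risk appetite figure and the sample courier risks (including the ransomware scenario) are assumptions for illustration; an organisation sets its own. The register also flags a practitioner's check that is easy to miss: a risk marked as accepted whose expected loss exceeds the stated appetite needs explicit management sign-off.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Treatment(Enum):
    """The four treatment options discussed above."""
    MITIGATE = "mitigate"
    AVOID = "avoid"
    TRANSFER = "transfer"
    ACCEPT = "accept"


@dataclass
class Risk:
    ref: str
    description: str
    annual_frequency: float     # expected occurrences per year (quantitative estimate)
    impact_gbp: float           # expected loss per occurrence, in GBP (quantitative estimate)
    treatment: Treatment
    controls: list[str] = field(default_factory=list)   # Annex A or other controls chosen

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: frequency x impact per occurrence."""
        return self.annual_frequency * self.impact_gbp


# Band thresholds below are assumptions for this example; each organisation sets its own.
def likelihood_band(annual_frequency: float) -> int:
    """Map an annual frequency onto a 1-5 qualitative likelihood band."""
    for band, threshold in ((5, 1.0), (4, 0.5), (3, 0.1), (2, 0.02)):
        if annual_frequency >= threshold:
            return band
    return 1


def impact_band(impact_gbp: float) -> int:
    """Map a per-occurrence loss onto a 1-5 qualitative impact band."""
    for band, threshold in ((5, 1_000_000), (4, 250_000), (3, 50_000), (2, 10_000)):
        if impact_gbp >= threshold:
            return band
    return 1


def rate(risk: Risk) -> str:
    """Qualitative rating from a 5x5 likelihood/impact matrix (score = product of bands)."""
    score = likelihood_band(risk.annual_frequency) * impact_band(risk.impact_gbp)
    if score >= 12:
        return "HIGH"
    if score >= 6:
        return "MEDIUM"
    return "LOW"


def build_register(risks: list[Risk], appetite_gbp: float) -> list[dict]:
    """Produce risk register rows ordered by ALE, highest first.

    A risk marked ACCEPT whose ALE exceeds the stated appetite is flagged, because
    accepting it is a management decision that must be recorded and signed off.
    """
    rows = []
    for r in risks:
        rows.append({
            "ref": r.ref,
            "description": r.description,
            "ale_gbp": r.ale,
            "rating": rate(r),
            "treatment": r.treatment.value,
            "controls": r.controls,
            "exceeds_appetite": r.treatment is Treatment.ACCEPT and r.ale > appetite_gbp,
        })
    return sorted(rows, key=lambda row: row["ale_gbp"], reverse=True)


# Constructed sample risks for the courier scenario; the figures are illustrative only.
COURIER_RISKS = [
    Risk("R1", "Ransomware halts dispatch and routing systems", 0.3, 400_000,
         Treatment.MITIGATE, ["vulnerability management", "EDR", "offline backups"]),
    Risk("R2", "Driver handheld device lost or stolen", 2.0, 5_000,
         Treatment.ACCEPT, ["device encryption", "remote wipe"]),
    Risk("R3", "Route-planning SaaS supplier outage", 0.2, 60_000,
         Treatment.TRANSFER, ["contractual SLA", "manual routing fallback"]),
    Risk("R4", "Phishing leads to dispatcher account takeover", 1.0, 20_000,
         Treatment.MITIGATE, ["MFA", "awareness training"]),
    Risk("R5", "Legacy parcel-scanner gateway cannot be patched", 0.1, 200_000,
         Treatment.ACCEPT, ["network segmentation"]),
]


if __name__ == "__main__":
    for row in build_register(COURIER_RISKS, appetite_gbp=15_000):
        flag = "  ** exceeds appetite: management sign-off required" if row["exceeds_appetite"] else ""
        print(f'{row["ref"]} {row["rating"]:6} ALE GBP {row["ale_gbp"]:>9,.0f} '
              f'{row["treatment"]:8} {row["description"]}{flag}')
```

Running the block prints the register with the ransomware risk (R1) at the top as HIGH, and flags R5, which someone has marked as accepted even though its expected annual loss is above the 15,000 GBP appetite. Ordering by ALE rather than by the qualitative band alone is what lets two MEDIUM risks be prioritised against each other.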

4: Control selection

In parallel with defining Risk Treatment Plans, controls are selected from Annex A of ISO 27001 and other sources to manage the identified risks. 

Like controls for other cyber security frameworks, ISO 27001 is relevant to people, processes and technology.

Annex A is a reference list of controls. In the 2022 edition it contains 93 controls grouped into four themes (organisational, people, physical and technological), replacing the 114 controls across 14 domains of the 2013 edition. Businesses select the controls they need to treat their identified risks and may exclude the rest, but every exclusion must be justified in the Statement of Applicability, and the auditor will check that nothing necessary has been left out. This still enables targeted investment: there is no need to spend time and money on irrelevant controls just to tick boxes. 

In addition, businesses can include controls from other sources where required, for instance where a newer, more effective control has emerged since Annex A was last revised, or where a sector framework mandates something Annex A does not cover.  

As mentioned previously, flexibility is built into ISO 27001, and businesses are free to choose exactly the controls they need to manage their risks.

The role of cyber security professionals

Control selection is one of the most critical parts of implementing ISO 27001 and should be carried out by someone who is an expert in the fields of both cyber security and risk management. 

This ensures controls are selected which deliver effective cyber risk management and fit within cyber security investment budgets.

Once control selection has been carried out, it’s documented in the Statement of Applicability (SoA), which is a mandatory ISO 27001 document. 

Example

For our courier example, given one of the primary risks is a ransomware attack which disrupts the delivery services, controls should be selected specifically to decrease or mitigate this risk. 

This could include protective controls such as vulnerability management, detective controls such as endpoint detection and response (EDR) and recovery controls such as backup and restore.

5: Write low-level policy documentation

At this stage, risks have been identified and assessed, and targeted with risk treatment plans and controls. 

Low-level policy documentation elaborates on those controls to provide guidance on their implementation across the whole in-scope organisation.

These policies are unique and tailored to each business: ISO 27001 requires that the controls you have selected are documented and implemented, not that you write up policies for controls which aren't relevant to your organisation.

Examples of low-level policies include:

  • Access Control Policy
  • Backup Policy
  • Bring Your Own Device (BYOD) Policy
  • Change Management Policy
  • Clear Desk and Clear Screen Policy
  • Disaster Recovery Plan
  • Disposal and Destruction Policy
  • Encryption Policy
  • Information Classification Policy
  • Information Transfer Policy
  • Mobile Device, Teleworking, and Work from Home Policy
  • Password Policy
  • Supplier Security Policy

Drawing up accurate and relevant low-level policies helps communicate risk mitigation strategies with managers and employees.

6: Implement controls

Once controls have been selected and policies defined, it is time to implement those controls. This is often the most difficult and time-consuming part of certification, as it involves both technology and behavioural change.

Implementing technology controls will usually require investment, which is where the management buy-in from Phase 1 becomes critical.

Implementing process and behavioural change will require good communication and training as described in the next step.

7: Training

A business's employees, its people, are absolutely integral to managing cyber security risk.

ISO 27001 requires training employees on information security awareness, the organisation's specific ISMS policies and procedures, relevant legal and regulatory requirements, and incident response procedures.

Training can be handled internally or outsourced. If certain policies need to be implemented across the entire organisation (e.g. device policies), training must be put into action before any auditing takes place.

8: Operate the ISMS

At this stage the ISMS is fully operational. 

ISO 27001 should have become an integral part of the organisation's daily operations – and certification is almost in sight. 

Once the ISMS is "online", processes should be monitored and recorded. For example as new controls are implemented and improved, the Risk Register and Risk Treatment Plans will need to be updated. 

In addition methods for measuring the effectiveness of controls should be implemented and monitored. For instance where a patch management schedule has been defined, there should be a method for monitoring if that schedule is met, such as a weekly report.
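As an added example of the kind of effectiveness measurement described above (written for this guide, not taken from the standard or from any patch-management product), the script below turns a patch-tool export into the weekly report the text mentions: each host/patch pair is checked against the patching window its severity allows, and the headline metric is the share of patches that were due which met the window. The SLA windows, hostnames and patch identifiers are constructed for illustration; the organisation's patch management policy defines the real windows. Two details matter for the metric to be honest: a patch installed late still counts as a breach even though it is now installed, and patches whose window has not yet closed are reported as pending rather than counted against the rate.

```python
import csv
from datetime import date, timedelta
from io import StringIO

# Patching windows in days from vendor release, per severity. Assumed values for
# this example; the organisation's patch management policy defines its own.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

# Constructed sample export from a patch-management tool (invented hosts and patch
# identifiers). An empty "installed" field means the patch has not been applied.
SAMPLE_EXPORT = """host,patch_id,severity,released,installed
dispatch-01,patch-a,critical,2024-03-01,2024-03-10
dispatch-02,patch-a,critical,2024-03-01,
depot-app-01,patch-b,high,2024-02-01,2024-03-15
depot-app-02,patch-b,high,2024-02-01,2024-02-20
hr-fileserver,patch-c,medium,2024-01-15,
scanner-gw,patch-d,low,2023-12-01,2024-02-01
"""


def evaluate(export_csv: str, as_of_iso: str) -> list[dict]:
    """Classify each host/patch pair against its SLA window as at a report date.

    compliant : installed on or before the deadline
    breached  : installed, but after the deadline
    overdue   : not installed and the deadline has passed
    pending   : not installed, deadline still in the future
    """
    as_of = date.fromisoformat(as_of_iso)
    results = []
    for row in csv.DictReader(StringIO(export_csv)):
        severity = row["severity"].strip().lower()
        if severity not in SLA_DAYS:
            # Fail loudly: an unknown severity would otherwise silently drop out of the metric.
            raise ValueError(f"unknown severity {severity!r} for host {row['host']}")
        released = date.fromisoformat(row["released"])
        deadline = released + timedelta(days=SLA_DAYS[severity])
        installed = date.fromisoformat(row["installed"]) if row["installed"] else None

        if installed is None:
            status = "overdue" if as_of > deadline else "pending"
            days_late = (as_of - deadline).days if status == "overdue" else 0
        else:
            status = "compliant" if installed <= deadline else "breached"
            days_late = max((installed - deadline).days, 0)

        results.append({
            "host": row["host"], "patch_id": row["patch_id"], "severity": severity,
            "deadline": deadline.isoformat(), "status": status, "days_late": days_late,
        })
    return results


def summarise(results: list[dict]) -> dict:
    """Headline metric for the weekly report: share of due patches that met the SLA.

    Pending items are excluded from the denominator so that a report run mid-window
    does not penalise patches that are not yet due.
    """
    counts = {s: 0 for s in ("compliant", "breached", "overdue", "pending")}
    for r in results:
        counts[r["status"]] += 1
    due = counts["compliant"] + counts["breached"] + counts["overdue"]
    return {
        **counts,
        "sla_met_rate": counts["compliant"] / due if due else 1.0,
        "overdue_hosts": sorted(r["host"] for r in results if r["status"] == "overdue"),
    }


def weekly_report(export_csv: str, as_of_iso: str) -> dict:
    """Convenience wrapper: evaluate an export and return the summary for the report date."""
    return summarise(evaluate(export_csv, as_of_iso))


if __name__ == "__main__":
    report_date = "2024-04-01"
    for r in evaluate(SAMPLE_EXPORT, report_date):
        print(f'{r["host"]:14} {r["severity"]:8} due {r["deadline"]} {r["status"]:9} late {r["days_late"]}d')
    print(weekly_report(SAMPLE_EXPORT, report_date))
```

Run against the sample export as at 1 April 2024, three of the five patches that were due met their window (60%), one critical patch is overdue on dispatch-02 and one high patch on depot-app-01 was installed 13 days late. A falling rate, or any host appearing in overdue_hosts two weeks running, is the kind of signal the management review should see.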

Keeping well documented records of these activities is crucial for the next steps, internal and certification audits.

Phase 3: Internal and certification audits

Audits collect and analyse evidence about the ISMS and its effectiveness.

1: Internal audit

Audits first take place internally. Internal audits assure that the ISMS has been implemented and is running effectively. Risks and risk treatment plans are reviewed, and controls are assessed.

This typically involves reviewing documentation, interviewing personnel, and testing controls to ensure they function as intended. Discovering some shortfalls is normal – it’s easier to address them now than wait for external auditors to find them.

Additionally, the evidence collected here will help external audits run smoothly. Seizing the opportunity to collect in-depth insights will accelerate the external audit and certification process. 

2: Stage 1 external audit

In the first audit, the certification body reviews the ISMS documentation to determine if it is fit for purpose and whether the organisation is ready for Stage 2. The focus here is on written policies and statements.

During the first ISO 27001 certification audit (sometimes called the document review), the auditor will review decisions pertaining to each identified risk. Various paperwork is requested, such as the Statement of Applicability and a Risk Treatment Plan. 

The Statement of Applicability lists every Annex A control, records whether it applies, justifies each inclusion and exclusion and notes its implementation status, whereas the Risk Treatment Plan sets out how each risk identified during the risk assessment will be treated.

This includes examining the scope, policies, procedures, risk assessment and treatment documentation, and other relevant documents to ensure they meet ISO 27001 requirements.

3: Stage 2 external audit

In the Stage 2 audit the certification body examines whether the ISMS is actually operating as documented and is managed effectively. It reviews the internal audit results, management review records, risk register and risk treatment plans, and gathers evidence that the controls in the Statement of Applicability are in operation. 

This may involve on-site visits, interviews with staff, and testing controls to verify that they align with the documented ISMS. 

The Stage 2 report classifies findings as major nonconformities, minor nonconformities and opportunities for improvement. Major nonconformities must be closed before a certificate can be issued; minor ones usually need a corrective action plan. Working with experienced ISO 27001 consultants can reduce the chance of having to make serious retrospective changes.

4: Certification is awarded

If everything is in order and the organisation successfully passes the Stage 2 audit and addresses any identified nonconformities, the certification body will recommend certification. 

They’ll then issue the ISO 27001 certificate, valid for three years. However, it’s not quite over at this point, as regular surveillance audits are required to maintain the certification during this period.

Phase 4: Maintaining ISO 27001 certification

Certification doesn’t last forever and needs to be renewed. Once certified, organisations must fulfil regular responsibilities and conditions to maintain ISO 27001, including:

  • At least one internal audit per year: Conduct an internal audit to ensure the ISMS is functioning correctly and that there is evidence of risks being identified, assessed, and managed.

  • Management review: Conduct a periodic management review to assess the ISMS's effectiveness and identify improvement areas.

  • Continuous improvement: Implement improvements to the ISMS based on the results of the internal audits and management reviews.

  • Surveillance audits: Organisations undergo periodic surveillance audits by the certification body to ensure ongoing compliance with the standard. These audits typically occur at the end of Year 1 and Year 2.

  • Recertification audit: Organisations must undergo a full recertification audit every three years to maintain their certification. This audit involves a comprehensive review of the ISMS, similar to the initial stage 2 external audit.

FAQ

What is the role of an auditor in the certification process?

During a two-stage audit process, an external auditor from an ISO Certification body evaluates an organisation's ISMS against the ISO 27001 requirements, ensuring they’ve implemented the necessary policies, procedures, and controls to protect sensitive information.

How long does the certification process take?

The duration of the certification process varies depending on the organisation's size, complexity, and readiness. Generally, certification can take anywhere from 6 to 18 months.

How long is ISO 27001 valid?

ISO 27001 is valid for three years. During this period, regular surveillance audits are required to maintain the certification and ensure that the ISMS remains effective and up-to-date.

Can small businesses achieve ISO 27001?

Yes, small businesses can achieve ISO 27001. The standard is applicable to organisations of all sizes and sectors. The certification process can be scaled to suit the organisation's size and needs.

Do I need to hire an external consultant to achieve ISO 27001?

Hiring an external consultant is not mandatory but can be helpful for organisations that lack in-house expertise or resources to navigate the certification process. A consultant can provide guidance, support, and training to help your organisation meet ISO 27001 requirements.

How to check if a company is ISO 27001 certified

To verify a company's ISO 27001 status you can visit the company's website and look for the ISO 27001 logo or a statement about their certification. You can also ask the company to provide a copy of their certificate. In addition, some certification bodies, such as BSI in the UK, maintain publicly accessible databases of certified organisations, where you can search for the company. When you have the certificate, check three things: that it is still within its validity dates, that its stated scope actually covers the services or sites you rely on (a certificate can cover a single business unit), and that the certification body is itself accredited (in the UK, by UKAS).

How to get ISO 27001

To obtain ISO 27001, businesses must plan, develop and implement an Information Security Management System (ISMS) in line with the standard. This involves implementing security controls and processes and training staff on information security practices. 

What benefit does ISO 27001 bring to an organisation

ISO 27001 certification offers various benefits, such as enhanced credibility and trust with customers, partners, and stakeholders, improved information security risk management, and compliance with legal and regulatory responsibilities. 

What is ISO 27001?

ISO 27001 is a globally recognised information security standard. It provides a framework for organisations to establish, implement, maintain, and continually improve their information security management. The certification demonstrates an organisation's commitment to information security.

How to get ISO 27001 in the UK

The process for obtaining ISO 27001 in the UK is similar to the general process used by organisations worldwide. It starts with planning and gap analysis and progresses to risk assessment, treatment, control implementation and auditing. Finally, a certifying body will perform an external audit and grant certification or request additional changes.

Summary: The complete guide to becoming ISO 27001 certified

ISO 27001 is globally recognised. Obtaining it requires a complex process of planning, implementation and internal and external auditing. 

While certification is an essential step towards compliance, the process also creates tangible business value and isn’t merely a box-ticking exercise. 

Nicolson Bray emphasises that there’s no one-size-fits-all approach to ISO 27001 certification.

We help clients build bespoke, tailored strategies that align with goals and objectives. The process illuminates risks and provides a strong foundation for a business to grow and thrive, regardless of its size. 

Learn more about our ISO 27001 consultancy services, or contact us today to learn more about how we can help you.
