Developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO 27001 provides guidance to businesses aiming to maintain a high level of control and trust over their data and IT systems.
While you can’t hide your business from security risks, you can take practical action to prevent unplanned downtime and other preventable issues – and that’s where ISO 27001 can help.
The process of gaining ISO 27001 accreditation revolves around implementing an Information Security Management System (ISMS).
Put simply, an ISMS comprises policies, procedures and controls spanning technology, processes and people.
As the world's most widely recognised information security standard, ISO 27001 accreditation provides trust and assurance to organisations of every size, and across every industry and jurisdiction.
This is a guide to becoming ISO 27001 accredited.
ISO 27001 was first published in 2005, essentially replacing the British Standard BS 7799-2, and was later revised in 2013 and again nine years later, in 2022.
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) developed the standard as part of ISO/IEC 27000.
ISO 27001 is not mandatory, but the benefits of robust information, data, and cybersecurity standards are ever-increasing.
From network-wide ransomware attacks to Denial of Service (DoS) and phishing scams, the consensus is that risks are proliferating.
There are over 2,000 cyber attacks daily. Some 43% of targets are SMBs, so risks are far from exclusive to larger businesses. Around 60% of SMBs that suffer data breaches go bust in 6 months, so the stakes are high.
ISO 27001 accreditation is a decisive step in the right direction for any organisation wishing to protect itself from becoming one of these statistics.
Further, for businesses aiming to meet industry standards such as the Data Protection Directive (DPP) in Europe and the Payment Card Industry Data Security Standard (PCI DSS), ISO 27001 is a useful step towards compliance.
Here are some of the many benefits of becoming ISO 27001 certified:
Improved information security: Implementing an Information Security Management System (ISMS) helps organisations identify and manage risks to their information and operational assets, reducing the likelihood of data breaches, ransomware and other security incidents. This is imperative to protecting operations and avoiding unplanned downtime, costing up to $5,600 a minute.
Compliance with regulations: Compliance with ISO 27001 helps organisations meet legal, regulatory, and contractual requirements related to data protection and information security. Regulations vary from sector to sector, but ISO 27001 is designed to be as specific or generalist as it needs to be.
Trust and confidence: Accreditation demonstrates that an organisation takes information security seriously and has implemented a robust system to protect sensitive data. This helps organisations build trust with clients, customers and regulatory organisations such as the FCA and ICO.
Competitive advantage: ISO 27001 accreditation can differentiate an organisation from competitors, increasing business opportunities. There may be situations where businesses are asked whether they hold ISO 27001 accreditation – and having to decline could cost clients and customers.
Streamlined processes: Implementing an ISMS can lead to more efficient and effective processes. The process of accreditation unlocks tangible business value beyond accreditation itself.
Organisations are ISO 27001 accredited based on how well they implement, manage and run their risk management systems, not on their overall risk level.
In other words, identifying and actively managing risk is sufficient, and accepting some risks is part of this process.
As such, if an organisation’s risk management is sound, it can achieve ISO 27001 certification even if some gaps remain in its IT security controls.
This contrasts with other frameworks like SOC 2, which prescribes specific controls and requirements.
Phase 1 is an investigatory exercise that involves planning, communication and research.
First, it’s necessary to determine which part of the organisation will be accredited, such as the entire organisation, specific departments, or business units.
This involves considering the types of information to be protected, the systems and processes involved, and the boundaries of the accreditation.
For instance, targeting the scope of ISO 27001 to specific operations may be beneficial if complete business-wide accreditation isn’t required. That’s ideal for businesses targeting cyber security investment at business-critical workloads.
Here’s an example:
Example
A courier or delivery company that provides services to third parties may seek accreditation only for the operational departments and those that handle customer data, not their central functions like finance, HR, etc.
This will allow them to assure their customers that their data is secure and delivery services cyber-resilient, as well as focusing on the part of the business where an incident could be most significant.
Gap analysis involves reviewing the organisation's current information security and risk management, identifying existing controls, and determining areas where improvements or additional controls are needed.
This typically involves interviews with key personnel, reviewing documentation, and assessing any policies and controls already in place.
The output of gap analysis is a plan that describes how to address gaps in order to achieve ISO 27001.
This fact-finding mission sets the scene for designing and implementing controls and provides an initial project plan for achieving ISO 27001 certification.
Phase 2 puts research into motion by choosing controls and implementing the ISMS.
The ISMS policy serves as the top-tier internal document for ISO 27001.
While it needn’t be overly detailed, the policy should establish the organisation's fundamental applicability and requirements for information security, as well as senior management ownership of information security risks.
After developing the high-level ISMS policy, risk assessment and management processes are designed and mapped to the business and its various functions.
These processes should be aligned and integrated with the organisation’s existing process landscape. Implementing off-the-shelf and un-customised processes will lead to poor performance or complete process failure. Moreover, badly designed processes can seriously impact business agility by being overburdensome and overly bureaucratic.
Risk assessment is a methodology for identifying risks, their likelihoods and impacts, and delivering a risk rating as an output. It’s generally recommended to use a qualitative approach for risk assessment, since outputs such as HIGH, MEDIUM and LOW allow easy prioritisation.
Risk management broadly defines the processes for reporting and managing risks within the business.
ISO 27001 defines four treatment actions as part of risk management.
Risk assessment involves running the process described in the previous section.
The risk assessment process is carried out across the in-scope parts of the organisation. Its purpose is to discover the cyber business risks the business faces and then to rate those risks so they can be properly managed. It's essential to consider risks in the business context, not the technical context. This means that risks are rated by their impact on the business, not merely by their impact on the technical sphere.
The gap analysis from Phase 1 is a critical input into this step, and further investigatory work is carried out if required.
The ultimate aim of the risk assessment process is to identify risks, define Risk Treatment Plans and put them into the Risk Register.
Example
In the case of the courier company, a typical cyber business risk would be disruption to their delivery operations by a ransomware attack. This could prevent customer deliveries from arriving on time, impacting their revenue, and in turn, negatively affecting the courier’s reputation. This could also result in having to pay customers compensation.
Once identified, this risk would be given a rating compared to other cyber business risks, and prioritised.
In parallel with defining Risk Treatment Plans, controls are selected from Annex A of ISO 27001 and other sources to manage the identified cyber business risks.
Like controls for other cyber security frameworks, ISO 27001 is relevant to people, processes and technology.
Annex A contains an extensive list of controls across 14 domains. Businesses can pick and choose exactly which controls they need to mitigate the cyber business risks and exclude those they don’t. This is excellent news, as it enables targeted investment – no need to waste time and money on irrelevant controls just to tick boxes.
In addition, businesses can include controls from other frameworks if required, for instance where Annex A hasn’t been updated for some time and newer, more effective controls have been developed since.
As mentioned previously, flexibility is built into ISO 27001, and businesses are free to choose what controls they need to manage risk.
Control selection is one of the most critical parts of implementing ISO 27001 and should be carried out by someone who is an expert in the fields of both cyber security and risk management.
This ensures controls are selected which deliver effective cyber risk management and fit within cyber security investment budgets.
Once control selection has been carried out, it’s documented in the Statement of Applicability (SoA), which is a core ISO 27001 document.
Example
For our courier example, given one of the primary risks is a ransomware attack which disrupts the delivery services, controls should be selected specifically to decrease or mitigate this risk.
This could include protective controls such as vulnerability management, detective controls such as endpoint detection and response (EDR) and recovery controls such as backup and restore.
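As an added example (not code from the original guide), the following Python sketches how the pieces described above fit together for the courier scenario: a qualitative likelihood-by-impact rating, a Risk Register holding Risk Treatment Plans, the controls selected against each risk, and a Statement of Applicability derived from that selection. The 3x3 rating matrix, the risk entries, the control catalogue and its `CTRL-*` identifiers are constructed for illustration and are not Annex A numbering; the four treatment option names (modify, retain, avoid, share) follow the wording commonly used alongside ISO 27001, which the guide itself does not list.

```python
"""Qualitative ISMS risk register and Statement of Applicability (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum, IntEnum


class Level(IntEnum):
    """Qualitative scale shared by likelihood, impact and the resulting rating."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Treatment(Enum):
    """Risk treatment options; names are an assumption, the guide does not list them."""
    MODIFY = "modify"   # reduce the risk by selecting controls
    RETAIN = "retain"   # accept the risk as it stands
    AVOID = "avoid"     # stop the activity that gives rise to the risk
    SHARE = "share"     # pass part of it on, e.g. insurance or a supplier


def rate(likelihood: Level, impact: Level) -> Level:
    """Constructed 3x3 matrix: multiply the two scores (1..9) and band the product.
    A LOW-likelihood, HIGH-impact risk lands on MEDIUM, so a rare but severe risk
    is not buried beneath frequent minor ones."""
    product = likelihood * impact
    if product >= 6:
        return Level.HIGH
    if product >= 3:
        return Level.MEDIUM
    return Level.LOW


@dataclass(frozen=True)
class Control:
    control_id: str   # constructed identifiers, not Annex A numbering
    name: str
    kind: str         # protective / detective / recovery
    source: str       # "Annex A" or another framework


@dataclass
class Risk:
    risk_id: str
    description: str
    business_impact: str
    likelihood: Level
    impact: Level
    treatment: Treatment
    controls: list[str] = field(default_factory=list)  # the Risk Treatment Plan

    @property
    def rating(self) -> Level:
        return rate(self.likelihood, self.impact)


def prioritise(register: list[Risk]) -> list[str]:
    """Risk IDs ordered highest rating first; ties broken by business impact."""
    ordered = sorted(register, key=lambda r: (r.rating, r.impact), reverse=True)
    return [r.risk_id for r in ordered]


def unmitigated(register: list[Risk]) -> list[str]:
    """Risks marked 'modify' with no control selected: a treatment-plan gap
    an internal audit would flag before the external auditor does."""
    return [r.risk_id for r in register
            if r.treatment is Treatment.MODIFY and not r.controls]


def statement_of_applicability(catalogue: list[Control], register: list[Risk]) -> dict[str, dict]:
    """Map every catalogued control to the risks that justify it. Controls no
    in-scope risk needs are recorded as not applicable, with a justification,
    which is how the SoA records targeted rather than box-ticking selection."""
    soa = {}
    for control in catalogue:
        justified_by = sorted(r.risk_id for r in register if control.control_id in r.controls)
        soa[control.control_id] = {
            "name": control.name,
            "source": control.source,
            "applicable": bool(justified_by),
            "justification": (f"treats {', '.join(justified_by)}" if justified_by
                              else "no in-scope risk requires this control"),
        }
    return soa


# Constructed control catalogue for the courier example.
CATALOGUE = [
    Control("CTRL-VULN", "Vulnerability management", "protective", "Annex A"),
    Control("CTRL-EDR", "Endpoint detection and response", "detective", "Annex A"),
    Control("CTRL-BACKUP", "Backup and restore", "recovery", "Annex A"),
    Control("CTRL-AWARE", "Security awareness training", "protective", "Annex A"),
    Control("CTRL-MFA", "Multi-factor authentication", "protective", "other framework"),
    Control("CTRL-CLEARDESK", "Clear desk policy", "protective", "Annex A"),
]

# Constructed Risk Register for the in-scope operational departments.
REGISTER = [
    Risk("R1", "Ransomware disrupts delivery operations",
         "Late deliveries, lost revenue, compensation claims, reputational harm",
         Level.MEDIUM, Level.HIGH, Treatment.MODIFY, ["CTRL-VULN", "CTRL-EDR", "CTRL-BACKUP"]),
    Risk("R2", "Phishing captures dispatch staff credentials",
         "Attacker reaches routing and customer-data systems",
         Level.HIGH, Level.MEDIUM, Treatment.MODIFY, ["CTRL-AWARE", "CTRL-MFA"]),
    Risk("R3", "Denial of service against the public parcel-tracking page",
         "Customers cannot track parcels; deliveries themselves continue",
         Level.LOW, Level.MEDIUM, Treatment.RETAIN),  # accepted, no controls selected
]

if __name__ == "__main__":
    for risk_id in prioritise(REGISTER):
        risk = next(r for r in REGISTER if r.risk_id == risk_id)
        print(f"{risk_id} {risk.rating.name:<6} {risk.treatment.value:<7} {risk.description}")
    for cid, row in statement_of_applicability(CATALOGUE, REGISTER).items():
        print(f"{cid:<15} applicable={row['applicable']!s:<5} {row['justification']}")
```

The retained DoS risk (R3) carries no controls and is not a finding, mirroring the guide's point that accepting some risks is part of the process, whereas a risk marked "modify" with an empty control list is exactly the kind of gap `unmitigated` surfaces ahead of the Stage 1 document review.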
At this stage, risks have been identified and assessed, and targeted with risk treatment plans and controls.
Low-level policy documentation delves into the nuances of the ISMS, and elaborates on those controls to provide guidance on their implementation across the whole in-scope organisation.
As such, these policies, as ISO 27001 requirements, are unique and tailored to each business – there’s no need to write up policies which aren’t explicitly relevant to the organisation.
Examples of low-level policies include:
Drawing up accurate and relevant low-level policies helps communicate strategies with managers and employees.
People are absolutely integral to managing cyber business risks.
ISO 27001 requires training employees on information security awareness, the organisation's specific ISMS policies and procedures, relevant legal and regulatory requirements, and incident response procedures.
Training can be handled internally or outsourced. If certain policies need to be implemented across the entire organisation (e.g. device policies), training must be put into action before any auditing takes place.
At this stage, the ISMS is fully operational.
ISO 27001 should have become an integral part of the organisation's daily operations – and accreditation is almost in sight.
Once systems are online, processes should be monitored and recorded. For example, as new controls are implemented and improved, the Risk Register and Risk Treatment Plans will need to be updated.
Keeping well documented records of these activities is crucial for the next steps, internal and external audit.
Audits collect and analyse evidence about the ISMS and its effectiveness. Systems are analysed with all their parts moving in unison.
Audits first take place internally. Internal audits ensure the ISMS runs appropriately, compiling evidence that risks are identified, assessed, and managed effectively.
This typically involves reviewing documentation, interviewing personnel, and testing controls to ensure they function as intended. Discovering some shortfalls is normal – it’s easier to address them now than wait for external auditors to find them.
Additionally, the evidence collected here will help external audits run smoothly. Seizing the opportunity to collect in-depth insights will accelerate the external audit and certification process.
In the first audit, the ISO Certification body reviews the ISMS documentation to determine if it is fit for purpose. The focus here is on written policies and statements.
During the first ISO 27001 certification audit (sometimes called the document review), the auditor will review decisions pertaining to each identified risk. Various paperwork is requested, such as the Statement of Applicability and a Risk Treatment Plan.
The Statement of Applicability summarises the purpose of implementing ISO 27001 controls and policies, whereas the Risk Treatment Plan outlines the response to the threats identified during the risk assessment process.
This includes examining the scope, policies, procedures, risk assessment and treatment documentation, and other relevant documents to ensure they meet ISO 27001 requirements.
The ISO Certification body examines the internal audit and risk register to determine if the ISMS is functioning properly and managed effectively.
This may involve on-site visits, interviews with staff, and testing controls to verify that they align with the documented ISMS.
The Stage 2 audit report will record any minor nonconformities, major nonconformities and potential areas of improvement. Working with experienced ISO 27001 consultants will vastly reduce the chance of having to make serious retrospective changes.
If everything is in order and the organisation successfully passes the Stage 2 audit and addresses any identified non-conformities, the ISO Certification body will give the thumbs up.
They’ll then issue the ISO 27001 certificate, valid for three years. However, it’s not quite over at this point, as regular surveillance audits are required to maintain the certification during this period.
Accreditation doesn’t last forever and needs to be renewed. Once accredited, organisations must fulfil regular responsibilities and conditions to maintain ISO 27001 accreditation, including:
At least one internal audit per year: Conduct an internal audit to ensure the ISMS is functioning correctly and that there is evidence of risks being identified, assessed, and managed.
Management review: Conduct a periodic management review to assess the ISMS's effectiveness and identify improvement areas.
Continuous improvement: Implement improvements to the ISMS based on the results of the internal audits and management reviews.
Surveillance audits: Organisations undergo periodic surveillance audits by the certification body to ensure ongoing compliance with the standard. These audits typically occur at the end of Year 1 and Year 2.
Recertification audit: Organisations must undergo a full recertification audit every three years to maintain their accreditation. This audit involves a comprehensive review of the ISMS, similar to the initial stage 2 external audit.
During a two-stage audit process, an external auditor from an ISO Certification body evaluates an organisation's ISMS against the ISO 27001 requirements, ensuring they’ve implemented the necessary policies, procedures, and controls to protect sensitive information.
The duration of the ISO 27001 certification process varies depending on the organisation's size, complexity, and readiness. Generally, certification can take anywhere from 6 to 18 months.
ISO 27001 certification is valid for three years. During this period, regular surveillance audits are required to maintain the certification and ensure that the ISMS remains effective and up-to-date.
Yes, small businesses can achieve ISO 27001 certification. The standard is applicable to organisations of all sizes and sectors. The certification process can be scaled to suit the organisation's size and needs.
Hiring an external consultant is not mandatory but can be helpful for organisations that lack in-house expertise or resources to navigate the certification process. A consultant can provide guidance, support, and training to help your organisation meet ISO 27001 requirements.
To verify a company's ISO 27001 certification, you can visit the company's website and look for the ISO 27001 certification logo or a statement about their certification. You can also ask the company to provide a copy of their certification. In addition, some certification bodies, such as BSI in the UK, maintain publicly accessible databases of certified organisations, where you can search for the company.
To obtain ISO 27001 certification, businesses must plan, develop and implement an Information Security Management System (ISMS) in line with the standard. This involves implementing security controls and processes and training staff on information security practices.
ISO 27001 certification offers various benefits, such as enhanced credibility and trust with customers, partners, and stakeholders, improved information security risk management, and compliance with legal and regulatory responsibilities.
ISO 27001 certification is a globally recognised information security standard. It provides a framework for organisations to establish, implement, maintain, and continually improve their information security management. The certification demonstrates an organisation's commitment to information security.
The process for obtaining ISO 27001 certification in the UK is similar to the general process used by organisations worldwide. It starts with planning and gap analysis and progresses to risk assessment, treatment, control implementation and auditing. Finally, a certifying body will perform an external audit and grant certification or request additional changes.