ISO 27001 Certification Guide: What You Need to Know

What is ISO 27001 certification?

ISO 27001 is an international standard that specifies the requirements for an ISMS (information security management system). An ISMS is a framework of policies, processes and procedures that helps an organisation manage its information security risks.

ISO 27001 certification provides independent, third-party verification that an organisation’s ISMS meets the requirements of the ISO 27001 standard. Certification is granted by an accredited certification body following a successful audit of the organisation’s ISMS.

Organisations that are certified to ISO 27001 can use the certification to demonstrate to their customers and other stakeholders that they have implemented an ISMS that meets international best practice.

Purchase your copy of the standard today

ISO 27001 and ISO 27002 2022 updates

ISO/IEC 27001:2022 – the newest version of ISO 27001 – was published in October 2022.

Organisations that are certified to ISO/IEC 27001:2013 have a three-year transition period to make the necessary changes to their ISMS (information security management system).

For more information about ISO 27001:2022 and its companion standard, ISO 27002:2022, and what they mean for your organisation, please visit ISO 27001 and ISO 27002: 2022 updates.

Download your copy of ISO 27001:2022 here

Download your copy of ISO 27002:2022 here

Get ISO 27001 certified with IT Governance

IT Governance is the leader in ISO 27001 implementations. We’ve helped more than 800 organisations achieve compliance with the Standard since our management team led the world’s first ISO 27001 certification project. Contact us now for advice or a quote.


How long does ISO 27001 certification last?

Once certification is achieved, it is valid for three years. However, the ISMS must be managed and maintained throughout that period. Auditors from the certification body will conduct annual surveillance visits while the certification is valid.

What are the benefits of ISO 27001 certification?

Achieving ISO 27001 certification demonstrates that an organisation follows international best practices for information security management. This can give customers and partners confidence that their data is safeguarded and help an organisation win new business.

ISO 27001 certification can also help an organisation streamline its information security processes, making them more efficient and effective.

Free PDF download: Information Security & ISO 27001: An introduction

Explore the benefits of achieving ISO 27001 certification

Download this free green paper now to learn about the benefits of implementing an ISMS and achieving certification to ISO 27001, as well as more about the Standard itself and some of its key implementation points.


How to get ISO 27001 certification

To achieve ISO 27001 certification, an organisation must first develop and implement an ISMS that meets all the requirements of the Standard. Once the ISMS is in place, the organisation can then register for certification with an accredited certification body.

The certification body will carry out an audit of the ISMS to ensure it meets the requirements of ISO 27001. If the ISMS is found to be compliant, the certification body will issue an ISO 27001 certificate.

We’ve outlined the basic recommended routes in a helpful PDF guide.


How to prepare for ISO 27001 certification

There is no one-size-fits-all answer to this question: the amount of preparation required will vary depending on the size and complexity of your organisation and on your current level of compliance with the Standard. However, the following tips will help you prepare for ISO 27001 certification:

  1. Perform a gap analysis to identify any areas where your organisation does not meet the requirements of the Standard.
  2. Develop an implementation plan that outlines how you will close any gaps identified in the gap analysis.
  3. Train your staff on the requirements of the Standard and on your implementation plan.
  4. Create or update your organisation’s ISMS documentation, including policies, procedures, and other supporting documents.
  5. Conduct internal audits to verify that your ISMS is functioning as intended and that all employees are following the required procedures.
  6. Schedule and complete an external certification audit with a certification body.

The ISO 27001 certification process

Once you are ready for certification, you will need to engage the services of an independent, accredited certification body. These certification bodies have been assessed by the relevant national authority based on their competence, impartiality and performance capability through a rigorous assessment process.

The ISO 27001 certification process consists of two stages and is conducted by a qualified auditor.

Stage 1

The auditor will review your documentation to check that the ISMS has been developed in accordance with the Standard. You will be expected to present evidence of all critical aspects of the ISMS, although the amount of evidence required depends on the certification body’s requirements.

Stage 2

If you pass the first stage, the auditor will conduct a more thorough assessment. This assessment will involve reviewing the activities that support the development of the ISMS. The auditor will analyse your policies and procedures in greater depth and check how the ISMS works in practice with an on-site investigation. The auditor will also interview key staff members to verify that all activities are undertaken following the specifications of ISO 27001.

Considering implementing ISO 27001? Download your free project checklist.

How much does ISO 27001 certification cost?

The cost of ISO 27001 certification usually depends on the number of employees working for the organisation. Certification for an organisation with up to 500 employees could cost in the region of £10,450.

Can you get certified to ISO 27001 with IT Governance?

IT Governance is not a certification body. Instead, we specialise in helping organisations like yours to prepare for certification fully. We do this by providing any combination of training, consultancy, tools, books and advice so that you are ready by the time you engage a certification body.

We support the concept of independent, accredited certification, which means that we do not audit our own work. For the same reason, certification bodies are not permitted to provide consultancy and advice to their clients before conducting a certification audit.

Through our years of experience assisting more than 600 organisations with ISO 27001 implementation and certification projects, we know precisely what certification bodies expect. As a result, we can offer you unrivalled expertise.

Download our consultancy brochure to find out more information

Ready to simplify your security? Let’s get started

Having led the world’s first ISO 27001 certification project, we are the global pioneer of the Standard. Let us share our expertise and support you on your journey to ISO 27001 compliance.

Why choose IT Governance for ISO 27001 certification?

  • Our implementation methodology has been honed over more than 15 years.
  • We are the global authority on ISO 27001 – our management team led the world’s first ISO 27001 (formerly known as BS 7799) certification project.
  • We offer everything you need to implement an ISO 27001-compliant ISMS – you don’t need to go anywhere else.
  • We guarantee certification (provided you follow our advice!).
  • We have trained more than 7,000 professionals on ISO 27001 implementations and audits worldwide. We’ve also helped more than 800 clients achieve certification to and compliance with ISO 27001.
  • Our technical expertise, combined with our management system standards track record, puts us in a different class from other consultancy providers.
  • Our pricing and proposals are transparent so that you won’t get any surprises.
  • We can help small organisations prepare for ISO 27001 certification in just three months.