How to obtain the ISO 27001 certification

April 29, 2022 by Alice Hollis

It’s always nice to add more credentials to your company name – especially something as prestigious as an ISO certification. It sets you apart from your competitors and gives customers all-important peace of mind. However, achieving the certification takes time, effort and resources, so you want to be sure you will pass before you commit to it. In this article, we explain how to obtain the ISO 27001 certification, why you may benefit from the process and what the accreditation process involves.

What is ISO 27001 certification? 

“The requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation.” (ISO/IEC 27001:2013)

ISO 27001, the international standard for information security, is a framework that supports organisations in creating an information security management system (ISMS) that:

  • Uses clear objectives to define what is expected from the company regarding information security.
  • Identifies what the risks are and how they can be appropriately mitigated.
  • Measures each control’s effectiveness with steps for continuous improvement. 

ISO 27001 certification addresses people, processes and technology, and its rules apply to any organisation – regardless of size, status or sector.

What are the benefits of the ISO 27001 certification? 

The ISO 27001 certification exists to protect three distinct properties of information:

  • Confidentiality: who has authority to access information. 
  • Integrity: who has the authority to change/amend information. 
  • Availability: ensuring those with authority can access information when needed. 

Therefore, the main reason organisations choose to become certified is to improve their information security posture by ensuring they continue to follow the latest best practice principles. 

However, the added benefit of a strong security posture is that it reflects positively on your brand reputation. Certification demonstrates an ongoing commitment to information security, covering everything from your risk assessment process to access control mechanisms, physical and technical safeguards, as well as policies, procedures, monitoring and reporting guidelines. Apply an ISO 27001 certification to your brand, and your customers feel assured that their data is always safe in your hands. 

Additionally, an ISO 27001 certification can give you a competitive edge. Some organisations choose to include certifications as a legal requirement in their contracts and service agreements, while 7 in 10 request evidence of security controls when new providers tender for business. If you don’t have ISO 27001 or an equivalent, you could be immediately ineligible to bid. But if you do, it will make the preparation of any tender process much simpler because all the information is readily available. 

Today, there are an increasing number of laws that relate to information security and privacy, such as the EU and UK GDPR, California CCPA and China PIPL. An ISO 27001 certification under your belt makes compliance much easier. In the event of a breach, you can prove you’ve taken appropriate action to mitigate risk, which can reduce your exposure to fines and penalties. Furthermore, because you have well-documented information security policies and procedures, it’s much easier to scale your business: everyone is aware of what needs to be done, when, and by whom.

How to obtain the ISO 27001 certification, step-by-step:

Technically, the ISO 27001 certification takes place in two parts: 

  • Part 1: an auditor reviews your documentation against the standard’s requirements.
  • Part 2: the auditor performs a more thorough assessment of the business activities that support your ISMS.

Sound simple? 

Well, once you look into the detail of what’s involved in each step, you quickly see there’s a more significant piece of work to complete before you even get started. 

The ISO 27001 certification is a framework for managing your information security risks, which means you must first be able to identify those risks, and then take appropriate action to mitigate them through controls that can be technical, organisational, legal, physical or people-based.  

There are several mandatory documents that you must present to the auditor, which include: 

  • Scope of the ISMS. 
  • Information security policy.
  • Risk assessment. 
  • Inventory of assets. 
  • Definition of security roles and responsibilities. 
  • Access control policy. 
  • Operating procedures. 
  • Supplier security policy. 
  • Incident management procedure. 
  • Business continuity procedure. 

Additionally, there are mandatory records that must be maintained and submitted, which include: 

  • Records of training, skills, experience and qualifications. 
  • Results of internal audits. 
  • Results of the management reviews. 
  • Logs of corrective actions taken. 
  • Logs of user activities, exceptions, and security events. 

Without everything in place before you engage an official auditor, you’re unlikely to achieve your certification, and you will waste valuable time, effort and expense in the process.

How long is it likely to take to become ISO 27001 certified? 

As the saying goes, “how long is a piece of string?” ISO 27001 certification is specifically designed to apply to every business, and since every business is unique, there can be no standard answer. However, we can provide some rough guidance based on the ISO 27001 consultancy we have previously performed. 

Part 1 – the documentation review – should be relatively straightforward and likely to take 1-3 days. 

However, that assumes you have everything in place and ready for the audit. In our experience, getting prepared for an audit can take months, depending on your starting position. For companies that are more mature in their approach to information security, either because they specialise in that field or need to be for compliance purposes, the exercise is mostly a matter of tweaking and updating policies that already exist. At the other end of the spectrum, we may need to build from the foundations upwards, which is more labour- and time-intensive.

Once you’ve moved past the review into the audit stage, the certification process can take up to 10 days – again, this assumes that everything goes according to plan. If your auditor identifies any problem areas where you’ve missed a requirement, you will need to address the issue before you can refer it back for review.

When you have been granted the ISO 27001 certification, it’s valid for three years. But that doesn’t mean the hard work stops. Your auditor will conduct a surveillance visit every year to ensure your continued compliance. You should switch to ‘maintenance mode’, where you continually monitor and improve your ISMS so it remains fit for purpose.

How can I get support with my ISO 27001 certification? 

Do not underestimate the effort required to achieve the ISO 27001 certification. Go into it unprepared, and you risk wasting significant resources for no guarantee of even passing the mark. 

To apply for certification with confidence, it pays to consider getting some ISO 27001 consultancy. Experienced consultants, such as those at CyPro, can accelerate your path to achieving the ISO 27001 certification and avoid wasted effort, time or resources.

If you want to find out more, please contact us here.
