ISO 27001 Guide for Beginners
- Guides
Whether you’ve never heard of ISO 27001, or you want to know more about the information security standard, this guide will tell you everything you need to know. Find out what ISO 27001 is, what it can do for your organisation, and how you go about getting it.

What is ISO 27001?
ISO 27001 is the standard created by the International Organization for Standardization (ISO), published jointly with the International Electrotechnical Commission (IEC) and formally titled ISO/IEC 27001, which deals with information security management. It sets out how to make sure that you are managing information security risks, and the data those risks affect, effectively.
The ISO 27001 standard helps organisations to establish and maintain an effective Information Security Management System (ISMS), using a continual improvement approach. You will systematically assess any risks to the organisation’s information security and put in place policies and procedures to manage those risks.
What is an Information Security Management System (ISMS)?
An ISMS is a set of policies, processes and controls that help your organisation to handle sensitive information securely. Establishing these processes for your team reduces the chances that data will be mishandled, destroyed, or lost.
If a problem does occur, the processes mandated by an ISMS will set out what must be done to contain and resolve the incident. They will also make it clear how to analyse what happened, so that the risk of a repeat is reduced.
Why do you need ISO 27001?
The news media is filled with stories about organisations that have suffered data breaches, resulting in a loss of consumer confidence and potentially large fines thanks to the powers granted to the Information Commissioner’s Office (ICO) in the wake of the General Data Protection Regulation (GDPR).
This vulnerability isn’t limited to big corporations; both SMEs and charities are victims of cyber attacks too. As such, it’s vital that you take steps to protect your sensitive information and that of your staff, your customers, and your suppliers.
ISO 27001 doesn’t just help organisations to take care of essential data; it also demonstrates that they are taking their customers’ security concerns seriously.
That’s because ISO 27001 encourages a proactive, rather than reactive, attitude to information security risks. With your ISMS in place, you anticipate threats and put controls in place before they strike, reassuring both potential and existing customers that you have a much better chance of staying one step ahead of any risks to their sensitive information.
Because ISO 27001 is an internationally-recognised standard for information security, it is particularly credible when tendering for public sector or large company work. ISO 27001 gives you a marketing edge over your competitors, putting you head and shoulders above your rivals and proving that you take a more serious and sensible attitude to information security. ISO 27001 could be the difference between winning and losing that vital contract.
What are the benefits of ISO 27001 certification?
There are a number of advantages for your business in achieving ISO 27001 certification. Your organisation will be able to:
- plug gaps and loopholes in your security
- reduce risks of cyber attacks
- easily demonstrate compliance with regulation
- gain an edge over your competitors
- win new business.
Plug gaps and loopholes in your security with ISO 27001
Part of the implementation of ISO 27001 includes a gap analysis to identify areas of the business that do not currently meet the standards of a quality ISMS. In addition, regular audits will assess your security and identify any areas that need improvement.
Together, these two factors help you find any weaknesses in your security and to take steps to strengthen your defences against an information security incident.
“The ISO 27001 process has really enhanced our existing data security controls and processes.”
Easily demonstrate compliance with ISO 27001
ISO 27001 certification is an internationally-recognised proof of your compliance with information security requirements.
Your certification can form part of your evidence to stakeholders and regulators that your organisation is compliant with legislation such as GDPR or the Data Protection Act (2018).
Or, if you’re bidding for contracts with the UK Government, your accredited ISO 27001 certification will prove your compliance with its new Minimum Cyber Security Standard, without the need to submit extensive evidence that you comply with each individual requirement of the standard.
“Our industry and reputation is built on trust, and ISO 27001 demonstrates our commitment to practising what we preach about internet security.”
Win new business with ISO 27001
No matter how much evidence your competitors provide in favour of their information security, it will struggle to rival your ISO 27001 certification.
That’s because ISO 27001 enjoys an international reputation for excellence. Accredited certification also requires regular review by an independent certification body, so your new clients will know that your information security is being held to a high standard.
“Achieving ISO 27001 has been crucial for winning tenders in the government sector where data security is of paramount importance. Security is our most important feature and we take it very seriously.”
There are plenty more ways ISO 27001 can benefit your organisation. You’ll find more details in this article.
Will an ISMS help me comply with GDPR?
Yes, an ISMS will help you to implement the type of data security processes that are needed to prevent data breaches.
In fact, companies that use data handling or technology services often require their providers to be ISO 27001 certified, as evidence that the provider applies the appropriate technical and organisational measures that GDPR demands of anyone processing personal data.
However, ISO 27001 was not designed to make your organisation automatically compliant with any particular piece of information security legislation. So while an ISMS will help your organisation maintain high-quality data security, GDPR places a number of additional requirements on your organisation, such as establishing a lawful basis for processing, honouring data subject rights, and reporting qualifying personal data breaches to the ICO within 72 hours.
We’ve written a guide on how to comply with GDPR that helps explain what you need to do.
How to get ISO 27001 certification
Achieving your certification involves demonstrating that you have put into place the necessary processes for an ISMS that meets the standards of ISO 27001.
Part of this involves providing your auditor with documented evidence of these processes. These documents include:
- Scope of the Information Security Management System
- Information security policy and objectives
- Risk assessment and risk treatment methodology
- Statement of Applicability
- Risk Treatment Plan
- Risk assessment and risk treatment report
- Definition of security roles and responsibilities
- Inventory of assets
- Acceptable use of assets
- Access control policy
- Operating procedures for IT management
- Secure system engineering principles
- Supplier security policy
- Incident management procedure
- Business continuity procedures
- Legal, regulatory, and contractual requirements
- Records of training, skills, experience and qualifications
- Monitoring and measurement of results
- Internal audit programme and results
- Results of the management review
- Non-conformities and results of corrective actions
- Logs of user activities, exceptions, and security events
If that seems like a daunting list, don’t worry. Most organisations are surprised at how much they already have in place. If you want to find out more about any of these documents, we’ve gone into more detail about the documentary requirements of ISO 27001 here.
You also don’t need to worry about having all of this documentation in place before you apply for ISO 27001, because our certification process will reveal any gaps in your processes and outline what you need to do in order to achieve your certification.
The ISO 27001 certification process
The ISO 27001 certification process involves two assessments: one to evaluate your existing processes and report on any areas for improvement, and a second to determine whether those areas have been improved and your ISMS meets the requirements of ISO 27001.
Stage 1 assessment
We refer to the first assessment as a “Stage 1” assessment. This involves a review of your documented processes to determine how far your organisation already meets the requirements of ISO 27001.
The length of the assessment depends on the size of your organisation and the industry you’re in. We’ll let you know in advance how long we expect your assessment to take.
Once the Stage 1 assessment is complete, there will be a closing meeting to round-up the findings. You will be provided with a report detailing what happened during the assessment, with an overview of any areas you’ll need to improve in order to achieve ISO 27001. We refer to these as “non-conformities”.
Much like a driving test, non-conformities are separated into minor and major. Major non-conformities must be corrected before you can proceed, whereas minor non-conformities can be reviewed at the next assessment.
You’ll move onto the Stage 2 assessment once you confirm to us that you’ve addressed these non-conformities.
Stage 2 assessment
This assessment will confirm that you’ve addressed any non-conformities identified in the previous assessment. Your auditor will also take a look at your processes in action.
This will involve meeting with both managers and staff, and your auditor will also ask to see evidence of your internal audits and management reviews.
This allows the auditor to determine whether your processes are in place and understood, and to ensure that you have the appropriate checks and controls in place to mitigate the risk of an information security breach, as required by ISO 27001.
All being well, your auditor will recommend you for certification. Our compliance department will review their recommendation, as required by UKAS. If your auditor identified any further non-conformities, these will be included in a full report, and they will need to be acted on before you can receive your certification.
If our compliance department finds no areas of concern, they will confirm your ISMS meets the required standards.
Congratulations; you just achieved ISO 27001 certification!
How long does ISO 27001 certification last?
Your ISO 27001 certification will remain valid for three years. Maintaining your certification will require annual assessments and, after three years, you will recertify your ISMS to continue holding your ISO 27001 certificate.
Annual assessments
One of the reasons that ISO 27001 has such an excellent reputation is the requirement for ongoing improvement. As part of this, we’ll conduct annual assessments to ensure that your ISMS continues to meet the standards of ISO 27001.
Our auditors will cover all of the same areas they looked at during the Stage 2 assessment, as well as examining any changes or new elements in your ISMS.
Recertification
These annual assessments help you to prepare for recertification, a process you’ll undergo every three years to refresh your ISO 27001 certification and affirm to your customers that your UKAS-accredited certification is being regularly reviewed and maintained.
For more details, we’ve put together a more in-depth guide to the three-year ISO certification cycle here.
How much does ISO 27001 certification cost and how long does it take?
The cost of ISO 27001 certification is ultimately influenced by the time it takes for your auditor to assess your organisation. This time is derived from an industry-agreed calculator that takes into account the following:
- Staff numbers
- Industry
- Complexity and risk
- Number of sites
Therefore, a small company in the service industry may require just a few days of assessment for the whole certification process, thanks to the relative simplicity of its processes. On the other hand, large multi-site organisations are likely to require longer for this process, which could mean many days of assessment.
It is important to note that the organisation’s industry sector and complexity will mean only certain auditors have the appropriate knowledge, experience and qualifications to assess.
Multi-site organisations can save money, however: as long as a site duplicates the activities of another, sites can be ‘sampled’. Rather than assessing every site at great cost, visits can be rotated within the three-year certification cycle.
Smaller businesses can certainly implement and achieve ISO 27001 certification without external assistance, which saves money. However, it’s important to assess the impact of the resources needed to achieve certification; a cost-benefit assessment is vital to balance the costs of certification against other potential initiatives and investments the organisation could be making.
In the case that a business wants to achieve ISO 27001 certification, but cannot commit the resources required, it might be advisable for the business to consider using third-party expertise. Find out more below about choosing an ISO 27001 consultant.
Finally, beware of the hidden and ongoing costs of some Certification Bodies. Some of them will add management and travel fees onto their initial quotations. It’s also important to check the length of a contract; while three years is typical, as it ties into the three-year certification cycle, some might offer a lower quote in exchange for a longer contract, locking you in with a particular Certification Body for longer than necessary.
If you want to know more about the costs of ISO 27001 certification, we’ve put together a guide to budgeting for your ISO certification.
Further considerations
Championing ISO 27001 within your organisation
As with most significant new initiatives in an organisation, it has to be driven from the top, so great leadership is necessary. You may choose to nominate an ‘ISO champion’ with a mandate to implement the ISMS, as directed by the senior management team.
You’ll need to make yourself aware of the requirements of information security legislation, such as the Data Protection Act (2018), as well as any other codes of practice and/or regulations for your industry. These are varied, but most will help you towards your ISMS and achieving ISO 27001.
You’ll also need to understand exactly what must be protected and why. Recent focus, from GDPR to news stories, might make you think that you only need to worry about customer data, but don’t forget your own information: intellectual property, internal processes, personal details of employees and customers, payments, and even trade secrets all need to be protected.
A commitment to ongoing improvement is also essential. It is critical that your business remains committed to the principles of ISO 27001 once you have your certificate. Failing to do so means you could run the risk of losing your certification.
Although the annual assessments will help keep your ISMS up to the ISO 27001 standard, don’t rely on them; make sure you’re constantly maintaining your ISMS even between assessments.
Should I use a consultant for my ISO 27001 certification?
A consultant is used for very different reasons, depending on the size of the organisation. A small business may require a lot of hands-on help because it has limited in-house resource, whereas a larger organisation may have the required people but seek out third-party assistance to maximise efficiency and ensure it meets more complex legal requirements.
Relying on third parties has its dangers. While a consultant may help overcome short-term challenges, there’s a risk that long-term dependency could negate the cost-benefit of implementing ISO 27001.
While it might seem easy to simply let your consultant handle everything related to information security management, this can leave your organisation at a disadvantage. You might meet the requirements of the standard, but you’ll fail to reap the rewards due to a lack of team participation and the proper embedding of cyber-security best practices into the mindsets of core staff.
If you do decide to look for a consultant, sector-specific experience is likely to be the key factor for choosing the most appropriate person for the job. In combination with an impressive CV and a collection of testimonials, it’s a notable advantage for the consultant to have auditing experience.
With some requirements of ISO 27001 coming down to interpretation, having a qualified consultant, or an appropriately-experienced in-house ISO 27001 champion, acting on your behalf means you can have confidence if challenged by the auditor of your Certification Body.
We maintain a list of experienced ISO consultants and we would be happy to provide you with some recommendations.
How do I choose an ISO 27001 Certification Body?
Choosing the right Certification Body doesn’t just make it easier to implement an ISMS and achieve ISO 27001; it also boosts the effectiveness of your certification when it comes to retaining existing customers and winning new business.
ISO 27001 certification issued by UKAS-accredited certification providers like British Assessment Bureau helps you to demonstrate a much higher level of assurance about your information security than competitors without accredited certification can. That’s because your provider is itself held to the highest standards and is independently verified to be both competent and capable.
By choosing a UKAS-accredited certification provider like British Assessment Bureau, your certification outweighs the self-certified or non-accredited certificates some of your competitors might hold because it proves that your ISMS is checked, verified, and held to the highest standard by an independent third party. This is one of the reasons that the government has issued a statement highlighting the importance and value of UKAS-accredited certification over non-accredited.
What can British Assessment Bureau do to help you achieve ISO 27001?
As experts in the industry, we will take you through the process in a professional and encouraging manner, so you can focus on achieving your ISO 27001 certificate as soon as possible.
UKAS-accredited, superior certification
We are one of the few certification providers that enjoy UKAS-accreditation, which makes the difference between an ISO 27001 certificate that will win you new business, and a piece of paper that fails to impress your potential new clients. That’s why you can be sure that an ISO 27001 certificate from British Assessment Bureau will put you ahead of the competition.
Find out more about how UKAS-accreditation makes your ISO 27001 certificate stand out.
Expertise on tap
Trying to see where your business needs to improve in order to achieve your ISO 27001 certificate can be a daunting task.
When our auditors visit you, they’ll identify gaps and areas of improvement that would stand in your way. Even better, they’ll provide you with a comprehensive report filled with recommendations that you can start working on straightaway.
Customer satisfaction
You can tell that we put our customers first because of the reviews we receive from them. In fact, 97% of our customers have left us reviews of 4 or 5 stars and we are a Platinum Trusted Partner Award winner.
Flexible payment options
We offer the option to spread your payments over six equal monthly instalments, so you can pay for your ISO 27001 certification in the way that makes most sense for your business.
Next steps
Whether you want to get started or if you still have questions, the next step is to get in touch with one of our expert advisers. Enter your details below and we’ll be in touch shortly, ready to answer any of your questions or kickstart your ISO 27001 journey.