ISO 27001 for Beginners

What is ISO 27001?

ISO 27001 is the standard published by the International Organization for Standardization (ISO) for Information Security Management. It sets out a way of making sure that you are identifying and managing information security risks effectively.

ISO 27001 is not new. It can be traced back to British Standard 7799, published in 1995. Originally written by the UK Department of Trade and Industry (DTI), it went through several revisions before ISO adopted it as an internationally recognised standard.

The aim of ISO 27001 is to help organisations establish and maintain an effective Information Security Management System (ISMS) using a continual improvement approach. You systematically identify and assess the risks to the organisation's information, and put in place policies, procedures and controls to treat those risks. The intention is that an organisation designs, implements, maintains and continually improves a set of controls and measures to manage the threats to its information assets.

What are the benefits of choosing ISO 27001?

Recent news stories about TalkTalk, Twitter and numerous government departments have brought information security into sharp focus for all businesses. Whilst the headlines focus on the world's biggest companies, SMEs are equally vulnerable. As more and more data is stored electronically, ISO 27001 helps businesses to take care of essential data and demonstrate that they are taking the security threats to their customers' information seriously.

The idea is that you become a proactive, not a reactive, business. Planning ahead reduces the likelihood and impact of incidents that could prove embarrassing at best or, at worst, expose your business to serious legal, reputational or financial consequences.

ISO 27001 has been implemented by thousands of organisations and is rapidly gaining popularity as more breaches are reported. The standard gives an organisation assurance that its processes and controls are appropriate to the risks it faces, and it helps to develop and embed good practice.

Improved organisation is a massively underrated benefit of implementing ISO 27001. As businesses grow rapidly, it doesn't take long before there is confusion over who decides what, who is responsible for particular information assets, and who has to authorise access to various systems. Because the standard requires these responsibilities to be defined and documented, it can also help you become a more productive and profitable business.

Because it is well recognised, ISO 27001 is particularly credible when tendering for public sector or large company work. Gaining ISO 27001 could be the difference between winning and losing that vital contract. In fact, ISO 27001 gives you a marketing edge over your competitors. Achieving certification to the standard puts you head and shoulders above most businesses.

Of course, it is not all about winning new business; it is important to retain existing clients too, and certification gives them ongoing evidence that their information is being looked after.

ISO 27001 is part of a family of management system standards, which includes Quality Management (ISO 9001), Environmental Management (ISO 14001), and Health and Safety Management (OHSAS 18001, now superseded by ISO 45001). They share the same high-level structure and many principles, so choosing an integrated management system can save you money as well as provide across-the-board benefits.

Do I have to use a consultant?

Using a consultant is not essential. If internal resources are tight, or you would value a knowledgeable guide alongside you, then using an experienced consultant is a good idea. We know of a number of experienced ISO 27001 consultants across the UK. When using a consultant for any project, make sure you check their references and understand exactly what they will be doing for you and at what cost.

How do I choose a Certification Body?

By achieving ISO 27001 certification through a Certification Body, you can show that an independent third party has verified that you meet all the requirements of the standard. This is a powerful message to new clients and provides greater assurance to current clients too.

When comparing Certification Bodies, make sure you are comparing like-for-like costs and check whether you will be charged ongoing fees. Whilst some Bodies charge 'Annual Management' or other administration fees, others do not. We do not charge management fees, and you can decide who carries out your annual surveillance audits, which are required by UKAS.

Certification Bodies carrying out certification to ISO management system standards should follow ISO/IEC 17021, Requirements for bodies providing audit and certification of management systems. In order to remain objective and impartial, this means they cannot write your documentation for you or provide consultancy alongside certification. What they can do is provide ISO training, which can be a useful exercise before committing to the implementation of a standard.

Don't forget to check that your Certification Body is accredited by UKAS, the national accreditation body appointed by the UK Government. This ensures your ISO 27001 certificate is recognised in tenders.

How long does ISO 27001 certification take?

It usually takes between three and six months, but this depends on the size of the organisation and how many sites it has. Smooth implementation is helped greatly by management buy-in and by an ISO 27001 champion who takes responsibility for achieving certification. Do not worry: in most cases the principles of ISO 27001 soon become integrated within your business, and before you know it, it will just be the way you do things.

What is involved?

We will visit you twice. The first visit is called a 'Stage 1 Audit', where your Auditor reviews your existing systems and documentation and gives you a report listing the actions required to meet the standard. Most businesses use this as their action plan, so do not worry if you think you are under-prepared. Some organisations find they already have the required processes in place; they just need better documentation and clearer communication of accountabilities and responsibilities.

Once you have completed the actions highlighted in the Stage 1 report, your Auditor will return to carry out a second visit, known as the 'Stage 2 Audit'. They will review the effectiveness of your information security management system and determine whether it meets all the requirements of the standard. If you are fully compliant, your Auditor will recommend you for certification. The Auditor's report is then checked through an approvals process and, if no anomalies are identified, ISO 27001 certification is officially awarded.

Ongoing Certification

To maintain your ISO 27001 certification, you must have at least one surveillance audit per year to confirm that you are still meeting the requirements. Surveillance audits sample the ongoing effectiveness of your information security management system, and you will receive a written report outlining the results. These can include major or minor nonconformities and observations. Should a major nonconformity be identified, you would be given a set period of time to rectify it.

Every third year a full recertification audit is undertaken, identifying key strengths and weaknesses. Your Certification Body will work with you to identify opportunities for improvement. Recertification audits are more extensive than annual surveillance audits, and some Certification Bodies may charge extra to undertake them.

It is our philosophy to work with our clients 'without fear or favour'. To maintain our objectivity and impartiality, we cannot make improvements for you, but we can and will point you to recognised good practice. Ultimately, we want to help you gain the most from ISO 27001 certification and reap the benefits that a commitment to continual improvement can offer.

If you would like to find out how we can help you with ISO 27001 certification, we can answer your questions and give you a fixed price, no-obligation quote. Please get in touch using the Get a Quote form or call free on 0800 404 7007.

Written by Elizabeth Sheldon

ISMS Scheme Manager. Experienced Senior Lead Auditor with a demonstrated history of working in the information services industry. Skilled in ISO 27001, ISO 9001, ISO 14001 and ISO 45001.