You’ve done everything right with your potential new client. In fact, you’re amazed that each step in the process has gone as smoothly as it has.
You’re just one call away from closing your deal.
They’re a big name, and your company can add tremendous value to theirs.
The best part? The opportunity is both lucrative and a huge credibility booster for your organization.
And all you have to do is nail this next call.
Great news! They love your company, your team, and your process. And they are ready to move forward with your organization…
Just as soon as you achieve ISO 27001 certification.
The Basics of ISO 27001 Certification: Everything You Need to Know
Step 0: Don’t Panic
Step 0: Don’t Panic
To start, don’t panic. You’re not the first person in this position.
Especially since requirements like this are becoming increasingly more common.
But we get it – this is new to you. And it sounds like a massive undertaking.
Take a deep breath, and we’ll walk you through the process from start to finish, including everything you need to know.
By the end of this post, you’ll understand what ISO 27001 compliance is, why it’s important, and the step-by-step process to get certified. We’ll even answer some of our most frequently asked questions.
But first, let’s start with the basics – what is ISO 27001? And why does it matter?
What is ISO 27001 Certification?
Technically, the certification is called ISO/IEC 27001. ISO stands for the International Organization for Standardization, and IEC stands for the International Electrotechnical Commission.
These two bodies set the international standard for “establishing, implementing, maintaining, and continually improving an information security management system ” (or ISMS). This quote is taken from the ISO/IEC 27001 International Standard Document, but we’ll discuss that more soon.
But what exactly is an ISMS? It’s the term ISO uses to refer to a cybersecurity program. In other words, it’s the strategic, overarching system for all your security decisions. It’s not one particular tool or subset of procedures but your comprehensive cybersecurity program.
Your ISMS is your systematic and thorough approach to managing sensitive information, protecting against cyber threats, and setting up procedures to improve your security posture. ISO 27001 is particularly prescriptive when it comes to your ISMS. Certainly more so than other frameworks like SOC 2, for example, which offers a bit more wiggle room.
Just a heads-up, though – it will likely take anywhere from 6 months to over 1 year to get certified, depending on your organization. This may vary based on your company’s size, maturity, availability of internal resources, and whether you have already built a cybersecurity program .
Simply put, if you can show that your organization meets the security requirements set forth in the ISO/IEC 27001 Standard, you can get certified.
If that sounds like a long time and makes you wonder whether or not it’s worth it, we get that, too. But, to answer your question, yes, it is worth it (for many) .
Cybersecurity Checklist Download
What Are the Benefits of ISO 27001 in an Organization?
Getting ISO 27001 certified demonstrates your organization’s commitment to security. With that comes a significant list of benefits.
1. Sales Enablement
You may or may not have experienced the situation in the introduction. A prospect wants to work with you but won’t until you have a specific certification.
For many companies we’ve worked with, the consensus is that these kinds of requirements are becoming increasingly common.
In fact, some even say that they use certifications or compliance frameworks (like ISO 27001 or SOC 2 ) as a sales tool. By getting certified, you’re opening up the door to many more opportunities you wouldn’t otherwise have.
Plus, this certification puts you in a better position to beat out your uncertified competitors, and if you’re like us, you appreciate any competitive edge to help you win.
2. Building and Establishing Trust
Of course, it’s not just about having more opportunities but also building and establishing trust with your existing (or prospective) customers.
A certification like ISO 27001 is a great way to do that, as it shows customers that you take security seriously. Achieving this certification is no small feat, making it a great trust-building tool. And not just for customers but shareholders and investors, as well.
3. Better Overall Security
Another key benefit is that you’ll have a stronger security position with optimized procedures. Especially when cyberattacks are on the rise and 95% of IT leaders agree they’re growing in sophistication.
One cybersecurity breach can be an absolute nightmare on every front. There’s the cost of recovering from a breach, downtime, revenue loss, loss of customer trust, and more.
Want to save money? Invest ahead of time in a certification and do everything you can to prevent a breach. Because if it happens, you might not be able to recover from it, financially and legally.
Sure, there are more benefits, but these are the crucial ones. If you’re sold on the ISO 27001 certification, your next question might be most important.
What Are the Steps in Achieving ISO 27001 Certification?
So, where do you start, and how does it work? We’ll cover that here by giving you a general overview of each step.
Before You Start
A quick note before you start. This is an extensive process. The goal here is to, first of all, be prepared to go after the certification.
Your future will consist of heavy investments across every department. The reason we say that is you want to make sure that everyone understands this. We’ve seen departments and department heads who failed to grasp the situation, and that is not a position you want to be in.
Make sure leadership buys into it. If they don’t, the project will fail.
Also, this is a great time to consider if you have access to any internal or external resources to help manage your project.
Okay, let’s jump into it.
1. Purchase the Standard from ISO and Read It
The most important first step (other than not panicking) is to read the document dedicated to ISO 27001 . Purchase your own license and give it a read so that you know what you’re up against.
Sure, it’s not the most riveting read, but it isn’t terribly long, and even a brief read-through will provide the perfect foundation for getting started. Plus, you can use the guide to get familiar with the requirements, risks, and controls.
Beyond the standard itself, we also recommend this book as an ISO primer: ISO 27001 Handbook: Implementing and Auditing an Information Security Management System in Small and Medium-Sized Businesses by Cees Van Der Wens.
2. Decide on a Scope
We’ve already established that your ISMS is an overarching system. For the sake of certification, you’ll have to get a bit more specific. This strategic decision is vital to setting the boundaries of your ISMS and what aspects of your organization will be subject to the ISO 27001 requirements.
For example, what operations, physical locations, and information systems will your ISMS focus on? Or, if you’re a SaaS company with several product lines, which of those product lines will your program address? Ideally, you should adjust your focus to any areas involving information security.
3. Develop Policies for the ISMS
With your scope defined, you can start to develop policies to build and enhance your security position. Policies and procedures are foundational to successfully creating an effective ISMS. They are the bones of a solid security program.
Each control in ISO 27001 requires the creation of a policy or a set of policies . For every area related to information security, your policies should cover all aspects, including data protection, access control, incident response, and more. Each policy should be linked to one or more of your organizational goals.
These procedures must be clear, teachable to staff, and always accessible. Again, as goals change over time or policies are adjusted, just make sure these available materials are regularly updated. Everything must be documented, which will be a common theme throughout.
4. Conduct a Risk Assessment
If your first thought here was that risk assessment should be done before policy development, we see where you’re coming from.
However, building out the policies first creates a solid structure and gives direction to the risk assessment process. Especially since you’ve been focusing on how your policies relate to your goals as you’ve built out your program.
This is crucial because if you don’t have an already developed cybersecurity program in place, your risk assessment will probably miss the mark. By establishing your program beforehand, you can iron out the minor and more basic issues early on. Then, you can get more value from the risk assessment process because you’ll have a better view of the more crucial business risks.
A risk assessment involves finding and analyzing risks relating to your information assets. Each risk is a little bit different in terms of its likelihood, impact, and threat level.
In this stage, you’ll document each risk and its priority, starting with the most impactful. And this will allow you to create the appropriate controls in the next phases.
Qualitative vs. Quantitative Risk Assessment
You can take two approaches to risk assessment – qualitative and quantitative. The qualitative approach is more subjective and discusses risk in terms of words (low, medium, high). The quantitative approach calculates risk in terms of numbers, figures, and calculations.
Quantitative risk assessments are an inherently more effective approach to gauging risk because they’re backed by objective numerical data, adding consistency to your risk management process.
The quantitative approach is particularly valuable in that it allows you to track the effectiveness of your security measures and justify cybersecurity decisions (and investments) with real, numerical evidence. This makes things like cost-benefit analysis and benchmarking possible, as well as the ability for different assessors to replicate your assessment.
What does this look like? Start by identifying a risk and then calculating both its likelihood and impact. You can determine likelihood through historical data and statistics (plus expert judgment, if possible), and impact through the financial or operational cost of that risk.
The higher a risk’s likelihood and impact, the higher its priority should be. Since this is all done in terms of numbers and figures, it’s easy to see which risks you should tackle first. This also makes it easier to justify budget and resource allocation. That’s hard to do if you’re working with a list of risks that are all labeled “medium” (something that traditional risk assessment firms tend to do, leading to worthless results). Quantitative risk assessments provide those actionable numbers, so businesses can make better decisions.
5. Conduct a Gap Analysis
This part is pretty straightforward but super informative. The gap analysis phase requires you to compare your current ISMS against the ISO 27001 requirements.
As you analyze how your program meets or doesn’t meet requirements, you’ll document all of your findings and misalignments. The result of this phase is to create a clear, focused action plan to bridge any gaps in your system. This drives you closer to ISO 27001 compliance.
6. Implement Controls
Based on both the risk assessment and the gap analysis, you have plenty of information to start building out specific controls for each risk. If you are unfamiliar with the term control, think of it in terms of protecting your house. If the risk is that a burglar will break in, the controls you put in place include door locks, a security system, and cameras.
During this phase, you’ll want to focus on creating controls that are specific to their corresponding risks, keeping in mind that one risk may require many controls for effective management.
For easier reference, the ISO 27001 Annex A has a list of controls from which you can pull. They include controls like technical measures, such as encryption software, and organizational measures, such as new and ongoing staff security training.
Again, each control should be relevant to specific risks and should align with your organization’s cybersecurity goals. Remembering your objectives will greatly increase your success rate throughout this process.
7. Conduct Internal Audits (Now and Forever)
An internal audit is a crucial step that precedes an official audit and must be conducted in planned intervals.
Once you’ve established your ISMS with the steps above, you can systematically review your security posture as it relates to ISO 27001 requirements. The process, as defined by ISO 27001, looks like this:
1. Define the criteria and scope of the audit.
Running the internal audit is a matter of choosing an ISO 27001 requirement, listing it and its place in the ISMS, and then providing evidence that it’s being implemented. If the requirement is access control, you’ll note where it’s located in your ISMS documentation, and provide evidence like screenshots of your access control settings and access logs.
Every control in the ISMS needs to be internally audited at least once throughout every three-year certification cycle. However, the recommended frequency in the industry is once per year – though this may differ depending on the specific controls in question.
8. Conduct Management Reviews
For the mandatory management review process, senior leadership must examine, in regularly planned intervals, the effectiveness of your ISMS. This is another reason why getting buy-in from top management is crucial.
The ISO Standard outlines several key areas of input from management, but here are a few paraphrased points:
The status of action points from the last management review
Changes in external or internal ISMS issues or changes in expectations from interested parties
Feedback on information security performance, such as nonconformities, audit results, and how results are monitored and measured
Risk assessment results and action plan
Opportunities for continual improvement
From these points, they can create a focused action plan for improving and maintaining your program’s effectiveness over time. These regular management reviews ensure your ISMS remains resilient while aligning with organizational goals.
Pro tip : create a management review meeting checklist and build your agenda around it, so that you cover all of ISO’s requirements.
9. Select an Auditor
Auditors perform the third-party evaluation of your cybersecurity program and grant your certification.
It is important to select a good auditor. Bad auditors are likely to negatively impact your business. They could fail to grant your certification if you earned it, or even grant you certification when you don’t meet the requirements! This is a true story (with fake names) we’ve shared before:
“One audit, we had a client, Sample Co., that did not meet one element of the ISO standard despite what we coached them to do. Why didn’t they bother? Because their ISO auditor didn’t enforce it. They got their ISO 27001 certification but weren’t fully compliant.vendor management program . The auditor ACME brought in to perform the audit was also an ISO auditor, who easily identified the discrepancy between Sample Co.’s security program and the ISO 27001 standard.
How do you make sure you have a good certification body? Be sure to pick an accredited one .
If you don’t get an accredited auditor, your certificate means nothing.
10. Certification Audit
Finally, the third party of your choice will conduct your certification audit. This happens in two stages:
A documentation review, known as a Stage 1 audit.
A comprehensive audit, usually on-site.
In the first step, the auditor will examine all of your documentation to see if you meet the ISO 27001 requirements. This brief step can be conducted digitally since they’re just checking your documentation. If that goes well, they proceed to the much more entailed second stage.
Stage two is a comprehensive audit that is often performed on-site – though some ISO auditors no longer perform on-site audits if no systems are hosted on-site (e.g. an entirely cloud-based company). This ensures that every risk management procedure and control is implemented effectively. It’s more time-consuming because of how thorough it is.
Successfully completing the audit will result in your organization being awarded the ISO 27001 certification.
The End Result of ISO 27001 Certification
Yes, there’s a lot to do, and ISO 27001 is a certification known for its rigidity.
But it’s worth it.
You’re approached by a solid prospect who will only work with you if your organization is ISO 27001 certified.
Rather than waiting several months to get certified (or losing business altogether), you’re ready to go. You’ll simply present your ISO 27001 certificate as part of your security review.
Enjoy your new business, as well as all the new opportunities that are available to you!
Need Help?
ISO 27001 doesn’t have to be the headache it sounds like.
If you need help, Fractional CISO can take control of your program, ensuring you successfully get your certification while relieving your internal staff of the heavy lifting.
From preparation to certification, we’ll help you manage the process, covering each step along the way so you can confidently navigate ISO 27001 certification .
Reach out to us today so we can help you create a security program tailored to your organization and bring you from being unsure where to start, all the way to getting ISO 27001 certified.
Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.
Frequently Asked Questions About ISO 27001
Okay, you may have some questions. Here are a few brief answers.email us today, and we’ll be more than happy to help.
Who Needs ISO 27001? B2B companies need to get ISO 27001 certification if their customers are asking for it. Failure to get ISO 27001 when asked will result in lost business as security-conscious customers will select other vendors with the certification. Generally speaking, ISO 27001 is the preferred cybersecurity compliance option in Europe, while SOC 2 is preferred in North America.
What Are the Three Guiding Principles of ISO 27001? This is usually referred to as the CIA triad – Confidentiality, Integrity, and Availability.
What Is the Difference Between ISO 27001 and ISO 27002? ISO 27001 provides details on how companies are supposed to run and document their cybersecurity program. ISO 27002 is the fully detailed list of controls used in ISO 27001. The controls from ISO 27002 are listed and summarized in an annex of ISO 27001, but this annex does not have the full detail.
How Many Controls Are There in ISO 27001? There are 93 technical controls used in ISO 27001. Beyond the technical controls, there are many required practices, such as management reviews, risk treatment planning, and more.
Is ISO 27001 Mandatory? No, ISO 27001 is not mandatory, but many companies require it if you want to do business with them.
What Are the 14 Domains of ISO 27001? The 14 domains are:
What Are the Other Standards in The 27000 Family? Other standards in the 27000 family include:
