ISO 27001 Certification: 27 FAQs answered

We've gathered in this post all the commonly asked questions about ISO 27001 Certification together with expert answers.


What is ISO?

The International Organization for Standardization (ISO for short) is the world's largest developer of voluntary International Standards. Their collection of 21,000+ standards offers solutions and best practice guidance for all types of technology and businesses, helping companies and organizations to increase performance while protecting consumers and the planet.

While most are product and technical standards, the ISO has developed 40+ management system standards.

The best known of these include ISO 9001 (quality), ISO 14001 (environment), ISO 45001 (health and safety), and ISO 27001 (information security management). The feature they all have in common is that they are auditable. They are written to facilitate auditing by an independent third party (a Conformity Assessment Body, or CAB) to confirm compliance with the standards' requirements. Therefore, the Certificates issued by the CABs are recognized worldwide as genuine and as having value.

For more visit ISO 27001 on the ISO website.

What does ISO 27001 mean?

ISO 27001 (or, to give it its full title, ISO 27001:2013, Information technology — Security techniques — Information security management systems — Requirements) is an internationally recognised standard that sets out the requirements for an Information Security Management System (ISMS).

It was initially developed by the British Standards Institute and known as BS 7799. It became an international standard in 2000 as ISO/IEC 17799, "Information Technology - Code of practice for information security management", when published under the auspices of the International Organization for Standardization (ISO). This guide was then incorporated into the ISO 27000 Series in 2005 as the Code of Practice, ISO 27002.

ISO 27001 was first published in 2005 and later replaced by a second version, ISO 27001:2013. This remains the current version and, surprisingly, the ISO Technical Committee has not initiated another revision. Instead, they are relying on the publication of guides and supplements in the ISO 27000 Series of Standards to keep the requirements up-to-date.

As every organization has information of value and every organization is a target for crypto-criminals, ISO 27001 is relevant and globally applicable to all kinds of organizations.

What is the purpose of ISO 27001?

The purpose of the Standard is to provide a framework for an organization to develop a management system that will control the risks associated with information and data to a high level of confidence.  Note carefully that this standard does not deal with Information Technology (computerised data) alone. Data in all 'shapes and forms' are included as are the physical resources (the premises) used to protect them.

The Standard requires that management:

  • Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts (PLAN);
  • Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable (DO); and
  • Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis (CHECK & ACT).

For more visit Managing Risks with ISO 27001 

What is an Information Security Management System (ISMS)?

An ISMS is a systematic and formal approach consisting of processes, technology and people that enables an organization to protect and manage its information assets, physical and virtual, through effective risk management.

What is the Purpose of an Information Security Management System?

An ISMS helps coordinate and direct an organization’s attention to assuring the adequacy of controls against information security threats and, with the use of Annex A of the Standard, to ensure that all commonplace vulnerabilities have been addressed.

 

Who needs an Information Security Management System?

Whether you realise it or not, you’ve already got an informal ISMS. You back-up your computer data, don’t you? You ensure that strangers can't enter and walk about your premises.  You check the backgrounds of potential recruits before you employ them? And so on.  You have many information security controls already in place. 

But the key question is: are your current IS Controls enough to prevent all but the most technically advanced crypto-criminals from breaching your cyber defences? Without applying the rigorous requirements of ISO 27001 plus applicable supplements, it is most unlikely that you are adequately protected. Just think for a moment about what you would do if tomorrow morning you arrived at work to find a ransom demand on every screen, all your data encrypted and, unless you pay up immediately, you're out of business.

What are the benefits of a formal Information Security Management System?

There are at least twenty benefits that organizations with an information security management system in place can enjoy, such as:

  1. Recognized reputation as a security-conscious organization. Even more, you have the internationally recognized certificate to prove it.
  2. Awareness at all levels and functions within the organization. Everyone in the organisation is aware of the existential threat that data theft (e.g. through phishing) poses to the business and of their individual responsibility in protecting that information.
  3. Awareness that information security is about protecting physical assets. This covers practices in the workplace, personal behaviour, working from home, etc., and not just computer systems.
  4. Satisfaction at Board level. Members of the organisation can rest assured that information assets are being properly cared for.
  5. Satisfaction for Suppliers and Customers. Both suppliers and customers can be reassured that their information assets and/or intellectual property are being professionally protected (your Customers will be aware that attack through their Suppliers' ICT systems is a well-known vulnerability).
  6. Objective evidence for Senior Management, the C-Suite. With the help of independent auditing, senior management can be assured that information security policies are being adequately implemented.
  7. The reassurance that Information Security processes are in place. This will help ensure that the organization learns from its mistakes and that such errors and breaches occur only once.
  8. Reduced risk of data loss and of reputational damage. This can be achieved by having a robust and tested ISMS implemented and maintained that is suited to the vulnerabilities and threats the business faces.
  9. A larger pool of qualified candidates applying to work with your business. When you have a great reputation, attracting top talent to your organisation is a lot easier.
  10. Reduced absenteeism and employee turnover rates. Employees have objective reasons to feel secure in their jobs and to value them.
  11. Improved ability to respond to regulatory compliance issues. With an improved relationship with GDPR and other personal data regulatory authorities, you don't have to be on edge whenever new rules or guidelines get announced.
  12. Reduced cost of security incidents. You have a system in place to investigate them and to take formal action to prevent their recurrence.
  13. Reduced downtime and the costs of disruption to operations. Thanks to fewer information security incidents, issues can be dealt with systematically and efficiently.
  14. Reduced cost of insurance premiums. This is because insurance companies recognise that certified businesses make fewer, and less costly, claims.
  15. Peer recognition for having achieved an international benchmark. This, in turn, influences current and potential customers who are concerned about the security of their intellectual property.
  16. Improved scoring in pre-tender documents. This helps ensure that your organization gets a chance to compete with established businesses (especially true for public sector organizations).
  17. Reduced fines if prosecuted. Your certification constitutes objective evidence to a court of the seriousness with which information security is treated.
  18. Improved Management control. This covers all forms of business data and information.
  19. A formalized approach to continual improvement. When it comes to information security performance, consistency is key.
  20. Continual review of the ISMS. It is important to always make sure that the ISMS is aligned with the business's strategic plan.

For more visit ISO 27001 and the Manufacturing and Service Industry


What is ISO 27001 Certification?

An ISO 27001 Certificate is recognition from a Certification Body – CAB (usually, an accredited Certification Body) that an organization has implemented and is maintaining an information security management system that meets the requirements of ISO 27001:2013.

Do I Need ISO 27001 Certification?

Yes and No. In many cases, ISO 27001 Certification is not mandatory but can be a useful tool to add credibility, by demonstrating that you manage business information in a secure manner suited to the expectations of your customers. For some industries, certification is a legal or contractual requirement. In other cases information security requirements will be specified in an SLA - Service Level Agreement.

Who can benefit from ISO 27001 Certification?

Organizations globally, in both the public and private spheres and from every economic sector, can benefit from maintaining an ISO 27001 compliant Information Security Management System (ISMS); that includes your entire supply chain.

What are the Benefits of having ISO 27001 Certification?

In terms of information security, an ISMS allows an organization to:

  • satisfy the security requirements of customers and other stakeholders;
  • improve an organization’s plans and activities;
  • meet the organization’s information security objectives;
  • comply with regulations, legislation and industry mandates; and
  • manage information assets in an organized way that facilitates continual improvement and adjustment to current organizational goals and to the environment.

Furthermore, the independent certification involved in ISO 27001 Certification will permit an organisation to:

  • achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis;
  • maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;
  • continually improve its control environment; and,
  • effectively achieve legal and regulatory compliance.

For more information on certification and the use of an Accredited Certification Body, visit www.ukas.org or  www.inab.ie.

 


How much does ISO 27001 Certification Cost?

The cost of ISO 27001 certification varies hugely based on the size of the organization, geographical location and on economic prosperity.

Let's take the example of an SME with 10 employees. Here are some typical prices (in £) from the UK for 2021, where we consider three scenarios:

Scenario (1)                     | Do-it-yourself (2) | Minimum Consultancy Support (3) | Maximum Consultancy Support (4)
---------------------------------|--------------------|---------------------------------|--------------------------------
Develop ISMS (8 days)            | 800                | 1600                            | 4000
Implement ISMS (8 days)          | 800                | 1600                            | 4000
Maintain ISMS (2 x 3 years)      | 600                | 600                             | 3000
Certification Year 1             | 2500               | 2500                            | 2500
Certification Year 2             | 1000               | 1000                            | 1000
Certification Year 3             | 1000               | 1000                            | 1000
Total 3-year Cost                | £6700              | £8300                           | £15500
Typical duration to Certification| 11 months          | 5 months                        | 4 months

Notes:

    1. It is necessary to examine a 3-year horizon as CABs play games with their quotations that can be confusing. What is a given, however, is that CAB Audits and the associated contract must, under IAF rules, be based on a 3-year cycle.
    2. No outside help. The project leader would need ISO 27001 Lead Implementer Training.
    3. Four days of consultancy support are included here, priced at £500 per day; consultancy costs range from £300 to £700 per day. It is essential that satisfactory references are obtained for the consultant's previous ISO 27001 projects.
    4. Maintenance here includes 2 days annually for internal auditing and Management Review support.

 

The best advice in controlling costs is to shop around and recheck the competitiveness of your chosen CAB regularly.

For more visit ISO 27001 Lead Implementer Certification Course. Also, visit 31-steps to ISO 27001 Certification.

Who Issues ISO 27001 Certification?

The ISO develops International Standards, such as ISO 9001 and ISO 14001, but is not involved in their certification. It does not issue certificates. ISO 27001 certification is performed by external certification bodies; so, a company or organization cannot be certified by the ISO organization itself.

How to Get an ISO 27001 Certificate?

Certificates are issued by CABs after the organization has gone through an ISO Certification process. This is based on a comprehensive 2-stage audit (itself based on the auditing standard, ISO 19011) that involves a review of documentation and an independent on-site audit.

The CAB gathers and documents objective evidence of compliance with the requirements of ISO 27001. After the CAB has confirmed that all the requirements of the ISO 27001 Standard have been implemented and are being maintained, a Certificate is issued as is permission to use logos to publicise the fact.

For more visit IAF Scope regarding ISO 27001

Are the Controls listed in Annex A, Statement of Applicability, enough to meet requirements?

A Control is a precaution to be taken in order to reduce the risk associated with a particular vulnerability.  Annex A of the Standard lists 115 such vulnerabilities and, against each one, includes one Control.  This has often been taken to mean that these are the only vulnerabilities to be considered and that, should a vulnerability give rise to a threat (i.e. the vulnerability applies to the organization and hence there is a threat to be managed) one Control is enough.  This is not the case as ...

  1. Many organizations will have IS vulnerabilities/threats unique to their business and these will need risk assessment and risk treatment (i.e. additional Controls), and
  2. One Control may not be sufficient to reduce the risk associated with a particular vulnerability/threat to an acceptably low level.

For more see Risk Management - the Swiss Cheese Model explained

Why are there so many Standards (47+) in the ISO 27000 Series of Standards?

Let's start with another question: Is Compliance with Other Standards and Guides in the ISO 27000 Series Mandatory?

The answer is No and Yes!

NO: There is nothing in the standards and guides making their use obligatory, but:

YES: External auditors are aware of these standards and guides and they will be informally using them to frame their interview questions.

For example, if an organization has Personally Identifiable Information, the external auditors will ask how the organization has addressed the typical vulnerabilities identified in ISO 27701; this is 'low hanging fruit' for the auditor.

So, you cannot afford to ignore the standard, and your risk assessment (and opportunities) needs to add relevant vulnerabilities from ISO 27701 to those from the Statement of Applicability in Annex A of ISO 27001.

You will need to consider all 47 Standards in order to decide whether they apply to your ISMS (and don't worry, as it's unlikely that more than one or two of them apply). To do so, you should visit:

  1. The chart with an overview of the ISO 27001 Series at To select your ISO 27001 Auditor Course, and
  2. The section What comprises the ISO 27001 Series of Standards.


What is the significance of ISO 27002?

ISO 27002 (to give it its full title, ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls) gives guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, taking into consideration the organization's information security risk environment.

It is designed to be used by organizations that intend to:

  • select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;
  • implement commonly accepted information security controls;
  • develop their own information security management guidelines.

You should expect External Auditors to ask whether you've made use of this Guide.

Where do other established IS Standards like PCI-DSS (the Payment Card Industry Data Security Standard) fit in?

Many data security standards other than ISO 27001, like PCI-DSS and COBIT, remain in common use. Where certification to ISO 27001 and one or more of the other Standards is needed a single ISMS addressing all the requirements is the norm.  Care needs to be taken to ensure that internal audits include the audit of all applicable requirements.

For more see Information Security Standards other than ISO 27001.

Can I get Certified to ISO 27701, Personal Information?

The short answer is, no. This is because ISO 27701, which deals with PII (Personally Identifiable Information), is not an auditable standard in its own right. It was published as a Supplement to ISO 27001. Its incorporation into an ISO 27001 compliant ISMS takes the form of additional vulnerabilities/threats (as listed in ISO 27701), as applicable.

For more information see ISO 27701 brings ISO 27000 Standards Series to a total of 47.

Can we get one site Certified to ISO 27001 or must it be the entire organization?

Certainly. An organization with multiple sites may have a single site certified to ISO 27001. However, the exchange of information between the site in question and the other sites of the organization will have to be controlled, and to a level comparable with the controls applied to information exchange with Customers and Suppliers.

Is GDPR Compliance compatible with ISO 27001 Certification?

After the release of our ISO 27001 Course on implementing an Information Security Management System (ISMS), we were asked for advice regarding the relationship between GDPR documentation and ISO 27001 documentation.  There are three basic options (or strategies) to choose from when documenting GDPR and ISO 27001 compliance, namely:

  1. Keep the GDPR documentation entirely separate from the ISMS and its documents,
  2. Fully integrate the regulatory requirements into your ISMS Documents, or
  3. Keep GDPR Documents separate from, and cross-referenced to, ISMS Documents.

For more see GDPR, ISO 27701 and ISO 27001: a natural combination?

We're an SME. Do we need cybersecurity?

As an SME you are a particularly attractive proposition for a cyber attack.  This is because cyber-criminals expect your IS Controls to be weak and so vulnerable.  While they may be interested in a ransom attack, it is equally likely that they are trying to use your IT System as a back door into the systems of your major public and private sector Customers and Suppliers.  That is, you are going to be their Trojan Horse! 

As your Customers and Suppliers become more aware of IS, you can expect to be challenged more frequently on your information security arrangements and for these also to feature in SLAs.  Your best option is to get certified to ISO 27001 sooner rather than later.

For more see Cybersecurity for SMEs

How to Choose a Certification Body?

The choice of CAB is important. An accredited CAB (e.g. BSI) should be used wherever possible and with ISO 27001 one won’t be too difficult to find.

Accreditation, which is issued by a nationally recognized Accreditation Board (e.g., UKAS), is an important confirmation of the legitimacy of the CAB. To help ensure an international 'level playing field' for CAB auditing standards, National Accreditation Boards have their own international organization, the International Accreditation Forum (IAF), which oversees an ongoing programme of witnessed self-assessment of IAF Members of each other's activities.

A Certificate from an accredited CAB will carry three logos: #1 the CAB's own logo, #2 the Accreditation Board's logo and #3 the IAF logo. If you present an ISO 27001 Certificate to a customer or potential customer that does not carry all three logos, expect to be challenged. Without a plausible explanation, you can expect your approach to be rejected.

Are £1995 ISO 27001 Certificates That You Can Get Within 30 days Legitimate?

Legally speaking? Yes. But the Certificate is worthless. There are ‘cowboy’ CABs (whom you should ask to explain how an organization can create 3-months of records, the minimum needed to prove maintenance of an ISMS, in 7 days) and even ‘cowboy’ Accreditation Bodies.

With ISO 27001 Certificates, making sure you have the real thing fundamentally means choosing a CAB that will get you an IAF logo on your Certificate. Ask about it by name and accept nothing else.

Why is it Important to Get Certified by the Proper Certification Body?

Remember that those reviewing tender documents are unlikely to be inexperienced. They will recognise a phoney Certification instantly. And your offering will go directly into the rubbish bin with the hard work you’ve expended to develop products and services you are proud of totally wasted. Most importantly, you wouldn't want an ISO Auditor to find such bogus Certificates when checking your evaluation of external providers (suppliers).

For more visit Is IAF Accreditation possible for all ISO Standards? and Your Accreditation Body must follow IAF Guidance.

How does the ISO 27001 Certification Process Go?

As you will have seen in the cost data above, there are two stages in securing ISO 27001 Certification:

Stage 1. Develop, implement and maintain a suitable ISMS for your organization, which includes Controls for Annex A and other vulnerabilities/threats, and

Stage 2. Engage the services of a CAB to undertake the necessary evaluations and ISO Certification Audits.

Stage 1. Develop, implement, and maintain a suitable ISMS for your organization:

Our Infographic (the "Path to ISO 27001 Certification" image that accompanies this post) illustrates the multi-step process involved in preparing for Certification. Whichever of the three approaches you choose (or variants thereof), you will benefit from our ISO 27001 Lead Implementer Course in managing and directing your ISO 27001 Project.

Stage 2. Engage the services of a CAB to undertake the necessary evaluations and audits:

When choosing a certification body, you should:

  • Evaluate several certification bodies.
  • Check that the certification body's auditing activities include ISO 27001:2013.
  • Check if it is accredited. Accreditation is not compulsory, and non-accreditation does not necessarily mean it is not reputable, but it does provide independent confirmation of competence. To find an accredited certification body, contact the national accreditation body in your country or visit the International Accreditation Forum.

Note: the terms certification and accreditation cannot be used interchangeably, though it is not uncommon to do so. The difference between certification and accreditation is as follows:

Certification – the provision by an independent body of written assurance (a certificate) that the product, service, or system in question meets specific requirements.

Accreditation – the formal recognition by an independent body, generally known as an accreditation body, that a certification body operates according to international standards.

For more visit International Accreditation Forum/about us/ and 10 Reasons to change your ISO Certification Body.

How to check the ISO 27001 Certification of an organization?

The IAF, after struggling with the issue for many years, launched IAF CertSearch. This is an exclusive global database for accredited management system certifications. Other databases, irrespective of the organization publishing them, should be treated with scepticism or, better still, ignored.

Currently, CertSearch has over 400,000 valid certifications across more than 150 economies covering a range of sectors, 4000 certification bodies and 68 IAF MLA signatory accreditation bodies. While highly dependable, this database is a long way from being complete when one considers that there are 1 million plus organizations certified to ISO 9001:2015 alone. And to date, not many CABs have added their ISO 27001 customers to the Register.

Businesses and governments can digitally validate an organization’s certification(s), in order to determine if a certificate is valid and if the Certification Body issuing the certificate is accredited to issue certifications to that standard.

The direct route is, of course, always open to you – ask the organization for a copy of their current Certificate. Many will have their Certificate on display on their website.

For more visit IAF CertSearch

Do Management Representatives or others responsible for an ISMS need training?

The training of a Management Representative or others with day-to-day responsibility to maintain an ISMS is NOT mandatory. Training is implied as part of developing competence but is not a specific stand-alone requirement. So, unless you are determined to outsource this support indefinitely (and technically that's not permitted), you need to train your Management Representative. And you're in luck. We've got exactly the Course you need.

For more visit ISO 27001 Lead Implementer Course.


Do Internal Auditors need training?

Again, training here is not mandatory. But effective internal audits are essential to doing a professional job in maintaining your ISMS and in avoiding nasty surprises at your next Certification Body audit. Also, if you don't train them, your auditors won't have any of the skills necessary to 'harvest' those improvement suggestions from the people in your organization who actually do the work.

For more visit ISO 27001 Internal Auditor Course.

 


Got a Question we haven't answered?

We'd love to hear it and, if possible, answer it for you.  Just use our Support Ticket System.  You'll find a Knowledge Base there that might have an immediate answer for you. Otherwise, fill in a Ticket.

For more visit deGRANDSON Support Ticket.

 

Written by Dr John FitzGerald

Director & Founder of deGRANDSON Global. He spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems
