What Is ISO 27001 Compliance And How Do You Get Certified?

If you don’t have an Information Security Management System (ISMS) then an ISO 27001-aligned one is the best place to start.

ISO 27001 (International Organisation for Standardisation 27001) is a globally recognised information security standard that provides a framework for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) within an organisation. 

To certify to the Standard, your organisation must demonstrate to an external, qualified auditor that its ISMS aligns with information security best practices defined by ISO/IEC 27001:2022 guidelines.

How Your Organisation Can Benefit From An ISO 27001 Certification

Enhance your global reputation by following an internationally recognised standard

Help avoid financial penalties and reputational damage associated with a data breach

Easily implement controls that help ensure compliance with business, contractual, legal and regulatory requirements

Risk Crew's Step-by-Step Process to Get You Certified

Risk Crew can help your organisation achieve and maintain compliance through one (or a combination of any) of our four cost-effective compliance services:

To help your organisation get started with complying with the ISO 27001 standard, Risk Crew can provide your organisation with the following;

  • Conduct ISO 27001 Compliance Gap Assessment: We will assess your current information risk management processes, operations, policies, and controls against those recommended by the standard, to identify the current compliance “gap” and then generate a comprehensive report of our findings and recommendations 
  • Create ISO 27001 Compliance Activities Roadmap: The roadmap will cite specific actions required for compliance, proposed action owners, target completion dates, and estimated budgets required.
  • Conduct Stakeholder Workshop: Upon completion of the above, a half-day workshop for key business stakeholders will be conducted to ensure their understanding of the remedial actions needed for compliance and the estimated resources and timeline required.

These will result in a solid understanding of the standard and what’s required from your business to comply.

Our Assist service offers all deliverables from our Discover service plus the following:

  • Identify, Locate, and Classify Assets: Risk Crew will review your business model and interview your key business stakeholders to identify, locate and value the sensitive information assets processed, stored and transmitted by your organisation.
  • Craft Data Classification Schemes: We develop clear marking schemes for secure handling, aligning with regulations like Data Protection.
  • Create Comprehensive Asset Register: Information assets will be documented citing their sensitivity level, ownership, and IT system locations. The register becomes your risk management inventory.
  • Thorough Threat and Risk Assessment: Risk Crew's analysis uncovers threats, predicts impacts, and prescribes solutions, presented in a practical Risk Treatment Plan.
  • Stakeholder Strategy Workshop: Collaborating with key stakeholders, we will clarify assessment results and define your information risk stance.
  • Tailored ISMS Documentation: We will go ahead to use a bespoke ISMS template developed by our in-house consultants to draft a relevant Statement of Applicability, adaptable Security Policies, and Procedures.
  • Simulation Audit: Ready for the real deal? Risk Crew will perform a mock audit, delivering an ISO 27001 compliance report to pave your certification path.

This service provides the framework essential for compliance and is ideal for organisations that have operational resources but specifically lack in-house information security risk management expertise.

Our Implement service offers all the deliverables from both our Discover and Assist services and the items below. This popular service comes with our 100% guarantee that you will pass your compliance audit.

  • Fit-for-Purpose ISMS Documentation for your Business: This includes a compliance-specific Statement of Applicability (SoA) along with bespoke information security policies and procedures for your organisation.
  • Control recommendations: This includes recommendations on control objectives, control configuration (if required) control evidence, and control testing procedures.
  • Conduct Network and Website Security Vulnerability Assessment Scanning: This service is accompanied by an automated vulnerability assessment scanning to identify security weaknesses associated with your business systems and websites
  • Implement Information Security Awareness Training Program: Risk Crew will provide computer-based information security awareness training to your staff to ensure their understanding of cyber security threats to the business. Face-to-face workshops with cyber security experts are also available in lieu of or to supplement this training depending on your preference.
  • Conduct ISMS Workshop with Stakeholders to Ensure Understanding, Roles and Responsibilities: Upon completion of the above, Risk Crew will hold a full-day workshop with your key business stakeholders to ensure their comprehensive understanding of the ISMS, its goals and objectives, key performance indicators (KPIs), staff responsibilities and ongoing actions required to support it.

This comprehensive service provides everything you need for your ISO 27001 compliance and is designed for organisations looking for a cost-effective, turn-key solution. If, for any reason, any additional remedial actions are required for certification, we will implement these actions at no charge to you.

If your organisation is currently ISO 27001 compliant then you know that once you get compliant the challenge is to stay compliant.

Risk Crew can help you meet this challenge with a variety of support services from delivering on-going requirements such as conducting risk assessments, scanning, testing and delivering information security awareness training to providing continuous ad-hoc advice and assistance to answer questions, clarify requirements and ensure you stay the course of compliance.

We Don't Sell Products, We Sell Results.

✓ Competitive and Transparent Pricing

Our service comes with fixed pricing with no unexpected added costs. Additionally, we offer a managed service to conduct penetration testing on a continual basis.

✓ Flexible Delivery

This service can be delivered on-site or remotely using cutting-edge technology to maintain the security of our communications. Whichever method you opt for, quality service and hands-on expertise  are provided.

✓ On-going Support

Risk Crew helps you maintain compliance with a variety of support services including risk assessments, security testing and staff awareness training.

✓ 100% Satisfaction Guarantee

We think deeply, question assumptions, detect cause and effect and deliver measurable results. No one else does that. Our deliverables produce metrics you can use to monitor and manage real-world cyber risks.

Our Certifications And Accreditations

Our Clients Come for the Expertise & Stay for Exceptional Service

Speak With a Consultant Today

Instil customer confidence and gain new business with ISO 27001 Certification

Access More ISO 27001 Resources

add_task

ISO 27001 Compliance Discovery Session

Get a mini-gap assessment and advice from an ISO 27001 expert. Schedule a call or online meeting.

inventory

ISO 27001 Documentation Guide & Checklist

Learn what documentation and policies are required to achieve certification to the standard.

auto_stories

ISO 27001 Certification Case Study

Read how Risk Crew helped a Agrifood organisation achieve and maintain ISO 27001 certification.

auto_stories

ISO 27001:2022 Transition Guide

Accelerate your implementation and/or transition with guidance on the new standard.

Frequently Asked Questions

What is the process for becoming ISO 27001 compliant?

The first step is to define the scope of ISO 27001 compliance. This could be the whole company or just a part of it. Once the scope has been defined there is usually a gap analysis to see what information security infrastructure is already in place and what is required to align it with the ISO 27001 standard. Additional workstreams would address any gaps identified and will look to build an Information Security Management System (ISMS) following ISO 27001 requirements.

How do I get ISO 27001 certified?

Before achieving ISO 27001 certification an organisation must first meet the requirements of the standard and be able to provide evidence to support that compliance. To become certified a company will undergo a two-stage audit by an externally accredited ISO 27001 auditor. The first stage looks at the documentation to establish whether it is in line with the requirements of ISO 27001. Stage 2 is different as the auditor will conduct a thorough assessment to establish whether the organisation’s ISMS is compliant with the ISO 27001 standard and will look for evidence that the organisation is following the documentation (policies, procedures, etc.) in practice. The audit report will confirm a pass or a fail and include any findings that need or should be addressed.

Why is the ISO 27001 certification important?

The ISO 27001 certificate is important for a business as it helps to strengthen the three areas of cyber security: people, processes and technology. The ISO certification gives you the correct tools to minimise the risk of data breaches and the fines associated with them.

Is ISO 27001 compliance expensive?

Achieving ISO 27001 compliance will almost certainly require an organisation to invest time and effort. However, this investment pays dividends when you consider the general improvements to an organisation’s approach to information security. Breaches of data can be very expensive to an organisation especially if the data includes personal and/or sensitive data. GDPR introduced maximum fines of 20,000,000 EUR or 4% of on organisation's revenue and no organisation wants to incur those penalties. Becoming ISO 27001 compliant can help an organisation reduce the risk of data breaches and not pay fines.

How long does the ISO 27001 compliance process take?

The length of time required to get a organisation to be compliant with the standard will vary depending on the organisation’s size and it’s starting position. If there is no information security infrastructure to work with then it will take a lot longer than if the existing policies and procedures just need to be aligned to the standard.

What are the benefits of becoming ISO 27001 compliant?

There are multiple benefits to becoming ISO 27001 compliant in addition to improving the organisations security posture. Some government departments or agencies will require ISO 27001 before awarding contracts. The same is true of many banks and financial institutions. It may also be a valuable differentiator between your organisation and competitors.

How much does the ISO 27001 certification cost?

The cost of the ISO 27001 will factor in the size of the business, number of employees, sector and annual turnover. The cost of the certification will also vary depending on how you decide to implement it, which could vary depending on if you use a contractor or a consultant. Risk Crew offers a variety of consultancy options to help you gain and maintain ISO 27001 compliance. Get in touch to find out more.

Should I implement ISO 27001:2022?

Certification bodies will not offer ISO 27001:2022 certification immediately as they will be transitioning themselves to understand the audit process to the new standard. It's best for all new implementation projects to adhere to ISO 27001:2022 so when the Certification Bodies are ready you will be too. Have more questions on the new standard? Get in touch - we're happy to help.