ISO 27001 FAQ
11 May 2026
ISO 27001 and ISO 27002 are international standards for information security management. ISO 27001 defines the requirements for an information security management system (ISMS), while ISO 27002 provides information and advice on implementing information security controls.
ISO 27001 compliance means implementing an information security management system (ISMS) that meets the requirements of ISO 27001 and achieving accredited certification against the Standard.
ISO 27001 certification is commonly a contractual requirement for doing business with large organisations and government bodies that require independent verification that you have implemented effective information security measures. Even when not formally required by contract, ISO 27001 certification sets organisations apart from their competitors.
No, ISO 27001 compliance is not a legal requirement, but it is an effective method of demonstrating compliance with many data protection laws, such as the GDPR and the Data Protection Act. This makes it a useful tool to help your organisation meet its legal obligations.
Accredited certification to ISO 27001 demonstrates that your information security measures have been independently verified. While you can implement ISO 27001 without seeking certification and still gain significant benefits, accredited certification provides formal assurance that your ISMS follows best practice as set out in the Standard.
ISO 27001 certification is valuable to any organisation looking to demonstrate that it takes information security seriously. It demonstrates that your ISMS has been independently checked against the requirements of the Standard, providing the assurance that partners and clients demand.
The GDPR requires that organisations use “appropriate technical and organisational measures” to protect the security, confidentiality and integrity of the personal data they process. An ISO 27001 ISMS offers a structured way to achieve all three, making it an ideal way of complying with the security requirements of the GDPR.
There are also ISO standards that address the privacy-related aspects of the GDPR, such as ISO 27701. When used together, they provide an effective GDPR compliance programme.
The cost of the certification process will vary depending on the certification body you choose. The cost of implementing ISO 27001 largely depends on the size of your organisation, how mature your existing information security measures are, and how much support you need to achieve certification.
Accredited ISO 27001 certification lasts for three years. As your certificate nears expiration, you can undergo a recertification audit to renew your certification for a further three years.
One of the key controls in ISO 27001 requires you to manage the technical vulnerabilities of your IT systems, and penetration testing is the only way to reliably achieve this. New vulnerabilities are identified all the time, so proactive testing is an essential part of ISO 27001 compliance.
Not as hard as you think. While organisations with a mature information security programme will have an easier time implementing the Standard, ISO 27001 also provides an ideal foundation for building one. With the right support, any organisation can achieve certification and effectively secure its data.
The amount of time it takes to implement ISO 27001 will depend on the size of your organisation and your existing information security and governance measures. Most small-to-medium enterprises (SMEs) can achieve certification within six months if backed by expert support. Larger organisations often already have a formal information security programme of some kind, and so can generally expect to achieve certification within one year.
Controls are measures that deal with risks – such as requiring passwords for employees to log in, which prevents attackers from having easy access to company assets. ISO 27001 contains a list of organisational, people, physical and technical controls needed to build an effective information security programme. These controls are applied based on risk assessment, so you only implement the controls you need to address the unique risks your organisation faces.
ISO 27001’s requirements cover a range of activities including leadership, risk management, security controls and continual improvement. Taken together, they provide a framework for implementing an information security management system (ISMS) – a structured system that addresses all the activities needed to secure the information your organisation holds.
GRC Solutions sells the latest version of the ISO 27001 and ISO 27002 standards, along with a wide range of support services from implementation to ongoing assurance.
ISO 27001 is best implemented as a formal business project, supported by an initial gap analysis to help you understand where to begin. Getting expert support with your project is the best way to ensure it succeeds on time and within budget, particularly for organisations that do not have an existing information security programme.
ISO 27001 auditors should receive specialised training to ensure they understand the requirements of the Standard and how they should be applied. Auditors will check each part of your ISMS against the requirements of the Standard and highlight any potential nonconformities.
Any organisation that needs to demonstrate effective information security should consider ISO 27001 certification. It is often a requirement for government contracts, and many organisations require ISO 27001 certification before engaging a supplier. Even where certification is not a formal requirement, it sets organisations apart from their competitors, proving that they take information security seriously.