Overview of ISO/IEC 27001 Certification

After reading this post, you’ll have a general overview of the ISO/IEC 27001 certification and get a preliminary idea of whether it is suitable for your goals. We’ll explore what it is, its core principles, and the steps involved in getting certified, along with a real-world example of costs and timelines.

By the way, 📚🚀 I invite you to dive into my sci-fi epic, GÖD’S GATE! Alongside an action-packed storyline, I’ve woven in some cool computer science elements, detailing the cyber offense capabilities of a powerful AI. Whether you’re a sci-fi fan or a computer scientist, this one’s for you. 👾👾

Landscape

You may have heard of companies getting certified under ISO/IEC 27001, a widely recognized international standard for information security management systems (ISMS). This certification helps organizations, big and small, protect their information assets in a structured and systematic way. It’s particularly valuable for companies that handle sensitive or valuable data, as it demonstrates a commitment to robust security practices.

By following the ISO 27001 framework, a company can specifically identify the risks it faces and implement proportionate, sustainable, and cost-effective ways to manage them. This process is not just about technology; it’s about people, processes, and systems working together to protect information.

The Core of ISO/IEC 27001

At its heart, ISO/IEC 27001 provides a framework for an ISMS. This system defines and manages the controls an organization needs in order to protect the confidentiality, integrity, and availability (CIA) of its information assets against threats and vulnerabilities. According to the standard:

  • Confidentiality means ensuring that information is accessible only to those authorized to have access.
  • Integrity means safeguarding the accuracy and completeness of information and processing methods.
  • Availability means ensuring that authorized users have access to information and associated assets when needed.

The standard follows the Plan-Do-Check-Act (PDCA) cycle, a continuous loop of improvement. The 2005 edition named PDCA explicitly; the 2013 and 2022 editions no longer use the term, but clauses 6 to 10 (planning, operation, performance evaluation, improvement) still walk the same loop:

  • Plan: Establish objectives, resources, policies, and identify risks.
  • Do: Implement what was planned.
  • Check: Monitor and measure performance against objectives.
  • Act: Take action to improve performance as needed.

There are other standards in the ISO 27000 series that provide guidance on an ISMS, but ISO/IEC 27001 is the only one against which an organization can be certified. ISO itself reviews the standard about every five years (the current edition is ISO/IEC 27001:2022, which replaced the 2013 edition), so certified organizations have to transition to each new edition within a set deadline and keep their security measures current.

The certification offers the following promises to companies that achieve it:

  • Credibility that the system can achieve its intended outcomes.
  • Reduced risk and uncertainty, and increased market opportunities.
  • Consistency in the outputs designed to meet stakeholder expectations.
  • Regular assessment to continually monitor and improve processes.

The Certification Process: Step-by-Step

Getting certified under ISO/IEC 27001 is a structured process that can take a company anywhere from a month or two to over a year, depending on its size and complexity. Larger organizations face more cost and effort, but can spread the work across more people; a startup faces the reverse, with less to document but fewer hands to do it. As a rough range, certification takes between 1 and 10 months and costs between €6k and €40k, depending on the size and complexity of the company.

Here’s a typical roadmap:

  1. Preparation: First, you need to buy the standard (around €100) and designate personnel to become familiar with it. This team will define the scope of the certification—which parts of the organization will be subject to it—and identify the information assets that need protection.

  2. Gap Analysis: Conduct a gap analysis to see where you stand. This involves comparing your current security controls with the requirements of the standard (the mandatory clauses 4 to 10 and the Annex A reference controls) to see what is fully fulfilled, partially fulfilled, or missing. Automated tools can be a cheaper alternative to consultants here.

  3. Risk Assessment: Perform a comprehensive risk assessment of the assets in scope. ISO 27005 offers guidance on this, which involves systematically identifying risks, assessing their likelihood and consequences, and defining countermeasures. Two outputs of this step are required by the standard and will be checked by the auditor: a risk treatment plan and a Statement of Applicability (SoA) listing which Annex A controls you apply, and why the others are excluded.

  4. Develop & Deploy the ISMS: Develop the necessary policies, processes, and documentation to cover the identified gaps. This includes defining an information security policy, setting objectives, and outlining roles and responsibilities. Then, deploy these measures as your official ISMS.

  5. Training & Internal Audit: Train all employees on the new policies and procedures. Once the system is in place, conduct an internal audit and hold a management review; the standard requires both, and the auditors will ask for evidence of them. Improve any areas that are lacking.

  6. Official Certification Audit: Select an accredited certification body to conduct the official audit, which typically has two stages:

    Stage 1 (Pre-certification): The auditor meets with your ISMS project manager and reviews your documentation and readiness to ensure you’re prepared for the full audit.

    Stage 2 (Formal Audit): A detailed compliance audit where auditors check for evidence that the ISMS has been properly designed, implemented, and is in operation. Passing this stage results in certification.

  7. Maintaining Certification: The journey doesn’t end with certification. Annual surveillance audits are required to ensure the organization remains compliant, and a full recertification audit is needed every three years, when the certificate expires. This ensures a culture of continual improvement.
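The risk assessment in step 3 is the one part of the roadmap that is genuinely a calculation. The script below is an added illustration written for this post, not code from the post, from ISO or from any compliance tool. It keeps a small risk register, scores inherent risk as likelihood × impact, applies the chosen controls to get residual risk, compares that to an acceptance threshold, and derives the two artefacts an auditor asks for: a prioritized treatment plan and the core of a Statement of Applicability. The 5×5 scale, the threshold of 8, and the sample assets, threats and control choices are all assumptions (ISO 27005 leaves the scales to the organization); control identifiers follow the ISO/IEC 27001:2022 Annex A numbering.

```python
"""Qualitative risk assessment of the kind ISO/IEC 27005 describes (added example).

Assumptions: a 5x5 likelihood x impact scale, an acceptance threshold of 8, and the
constructed sample register below. Not real data and not any tool's code.
"""
from dataclasses import dataclass, field

ACCEPTANCE_THRESHOLD = 8  # assumption: management accepts residual risk <= 8 (of 25)


@dataclass
class Treatment:
    """A chosen control and the reduction it is expected to buy."""
    control: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    treatments: list[Treatment] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1..5 scale")

    def inherent(self) -> int:
        """Risk before any treatment: likelihood x impact."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk after the chosen treatments; neither factor can drop below 1."""
        lik = max(1, self.likelihood - sum(t.likelihood_reduction for t in self.treatments))
        imp = max(1, self.impact - sum(t.impact_reduction for t in self.treatments))
        return lik * imp

    def decision(self) -> str:
        return "accept" if self.residual() <= ACCEPTANCE_THRESHOLD else "treat further"


def build_register() -> list[Risk]:
    """Constructed sample register for a small software company (not real data)."""
    return [
        Risk("customer database", "external attacker", "unpatched web application", 4, 5,
             [Treatment("A.8.8 Management of technical vulnerabilities", likelihood_reduction=2),
              Treatment("A.8.24 Use of cryptography (encryption at rest)", impact_reduction=2)]),
        Risk("source code repository", "malicious insider", "no periodic access review", 2, 4,
             [Treatment("A.5.18 Access rights (quarterly review)", likelihood_reduction=1)]),
        Risk("employee laptops", "theft or loss", "disks not encrypted", 3, 4,
             [Treatment("A.8.1 User endpoint devices (full-disk encryption)", impact_reduction=3)]),
        Risk("production servers", "ransomware", "backups never restore-tested", 3, 5,
             [Treatment("A.8.13 Information backup", impact_reduction=1)]),
    ]


def treatment_plan(register: list[Risk]) -> list[dict]:
    """Risks ordered by residual risk (highest first) with the management decision."""
    rows = [{"asset": r.asset, "threat": r.threat, "inherent": r.inherent(),
             "residual": r.residual(), "decision": r.decision()} for r in register]
    return sorted(rows, key=lambda row: (-row["residual"], -row["inherent"]))


def statement_of_applicability(register: list[Risk]) -> dict[str, list[str]]:
    """Which controls are applied, and which risks justify each (the SoA's core content)."""
    soa: dict[str, list[str]] = {}
    for r in register:
        for t in r.treatments:
            soa.setdefault(t.control, []).append(f"{r.asset} / {r.threat}")
    return dict(sorted(soa.items()))


if __name__ == "__main__":
    for row in treatment_plan(build_register()):
        print(f"{row['residual']:>2} (inherent {row['inherent']:>2}) {row['decision']:<13} "
              f"{row['asset']}: {row['threat']}")
```

Running it shows why the exercise is done before the gap analysis is "closed": the ransomware risk on the production servers stays above the threshold even with a backup control, so the plan has to add a further treatment (for instance, restore testing) or management has to formally accept the residual risk, and either outcome needs to be written down for the auditor.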

Cost and Timeline: A Real-World Example

The time and cost of certification can vary significantly based on the company’s size, sector, number of locations of operation, and existing security controls.

A friend of mine who directs a 50-person software company shared their experience from certifying their company in 2023:

Timeline
It took them 3-4 months to get certified, with one person working on it part-time (10-20 hours/week).

Costs
They used a compliance automation tool to help with automated checks, which cost them ~€6,800 per year. (There are many European startups offering this)

The total certification cost for the first year was ~€9,700, which included an internal audit and the external audit by a certified body:

  • Internal audit ≈ €3,100
  • External audit ≈ €6,600

When the company does not have the expertise, the internal audit in preparation for the external one is done by an external body, such as an infosec consultancy. Outsourcing it is also a simple way to satisfy the standard’s requirement that internal auditors be independent of the work they audit.

In 2024, maintenance costs, i.e. the annual surveillance audit (~€4,660) and updating to the new version of the standard (~€1,770; the 2022 edition replaced the 2013 one), totaled ~€6,430 for the year.

In total (2023-2024), the certification and maintenance cost ~€22,930 (€6,800 tool + €9,700 first-year audits + €6,430 second-year maintenance; note that this counts the tool subscription once, so a second year of it adds another ~€6,800), plus the time of one employee working part-time during the 3-4 month certification period and on annual maintenance.

With the upcoming EU Cyber Resilience Act (CRA), many companies will find themselves closer to fulfilling ISO 27001 requirements by default. The CRA mandates security requirements for products with digital elements (secure development, vulnerability handling, update provision) rather than an organization-wide management system, but those requirements overlap with a good share of the Annex A controls, so the remaining gap is mostly the ISMS scaffolding: scope, risk assessment, policies, and the audit cycle.

There is also this Belgian source to estimate the time required to get certified based on the number of employees.

Takeaways on ISO/IEC 27001

What it is: An international standard for an Information Security Management System (ISMS).
Core Principles: Protects information through a risk management approach, focusing on confidentiality, integrity, and availability.
Framework: Based on the Plan-Do-Check-Act (PDCA) cycle for continuous improvement.
Certification: Involves a multi-stage audit process to confirm the ISMS is properly designed and implemented. Companies that perform internal audits and external certification audits are, for example, Arculus Cyber Security (consultancy) and British Assessment Bureau (certification body), respectively. There are multiple compliance automation tools, for instance, Vanta.
Benefits: Assures regular assessment, provides credibility, reduces risk, and increases market opportunities.


References

NQA ISO 27001 Implementation Guide
https://www.nqa.com/getmedia/ae12c945-4dbb-4b73-a4e3-996261a540af/NQA-ISO-27001-Implementation-Guide.pdf

Wikipedia - Information Security Management
https://en.wikipedia.org/wiki/Information_security_management

The ISO Survey
https://www.iso.org/the-iso-survey.html

Vanta - ISO 27001 Certification Cost
https://www.vanta.com/collection/iso-27001/iso-27001-certification-cost

HighTable - ISO 27001 Gap Analysis Guide
https://hightable.io/iso-27001-gap-analysis-guide/

Optimiso Group - 16 Steps to Get ISO 27001 Certification
https://optimiso-group.com/en/articles-en/16-steps-to-get-iso-27001-certification/

Disclaimer
Any views expressed in this post are solely those of the author and do not represent the opinions or policies of any affiliated organizations.
