ISO 27001 certification - Everything you need to know about getting ISO 27001 certified


Updated: November 14, 2022

What is ISO 27001 certification?

ISO 27001 certification may refer either to the certification of a company's Information Security Management System (ISMS) against the ISO 27001 requirements, or to the certification of individuals who implement ISO 27001 or audit against its requirements.

ISO 27001 certification for companies vs. certification for individuals

ISO 27001 is a management standard that was initially designed for the certification of organizations. The system works like this: a company (or any other type of organization) develops its ISMS, which consists of policies (e.g., the Information Security Policy), procedures (e.g., risk assessment), people (e.g., the internal auditor), technology (e.g., cryptography), etc., and then invites a certification body to audit whether the ISMS complies with the standard. If the certification audit is successful, the ISMS is certified against ISO 27001:2022.

However, the industry around ISO standards (certification bodies, consultants, training institutions, etc.) soon realized that without qualified people who could develop and maintain the management system, the whole concept would fail. So, various training courses have been developed for individuals who need education related to ISO 27001. Individuals who attend such a course and pass the ISO 27001 certification exam obtain a personal certificate issued in their name.


ISO 27001 certification for companies

If you are using ISO 27001 to create an Information Security Management System (ISMS) for your company, you will likely consider certification against this standard. Certification by an independent third-party registrar is a good way to demonstrate your company's compliance; separately, you can have individuals certified so that they acquire the appropriate skills.

So, how can you get ISO 27001:2022 certification, you may ask? What does the ISO 27001 certification process look like? What will the auditor ask? And how much does the ISO 27001 certification cost?

Steps prior to ISO 27001 certification

What is required for ISO/IEC 27001 certification? Documenting and implementing the information security-related requirements (e.g., the risk assessment requirements) is only part of the job if an organization wants to achieve certification. ISO 27001 requires organizations to perform the following general steps before going for certification, and the certification body will expect evidence of each of them:

  • Write all the necessary documentation and implement security processes and controls.
  • Perform the internal audit.
  • Perform the management review.
  • Resolve all the nonconformities.

To see a detailed description of all the implementation steps, see this article: ISO 27001 Implementation Guide: Checklist of Steps, Timing, and Costs involved.

ISO 27001 certification process

After a company has completed the implementation, the ISO 27001:2022 certification process can start. The certification cycle consists of an initial two-stage audit, followed by annual surveillance audits:

Stage 1 audit – Document review. In this audit, the auditor will look for the documented scope, ISMS policy and objectives, description of the risk assessment methodology, Risk Assessment Report, Statement of Applicability, and Risk Treatment Plan, along with procedures for document control, corrective actions, and internal audit. You will also have to document some of the controls from ISO 27001 Annex A. Also, you will need records of at least one internal audit and one management review. If any of these elements are missing, you are not ready for the next stage.

Stage 2 audit – Main audit. This stage usually follows a few weeks after the Stage 1 audit. The auditor will check whether your ISMS has really materialized in your company, or whether it exists only on paper. The auditor will check this through observation and by interviewing your employees, but mainly by examining your records. So, you need to make sure you are really complying with everything you have written in your security policies and procedures. If there are no major nonconformities, the certification body will issue the ISO 27001 certificate to your company.

If the auditor does find a major nonconformity, you will be given a deadline by which it must be resolved (usually 90 days). Your job is to take appropriate corrective action, but be careful: the action must address the root cause of the nonconformity, not only its symptom; otherwise, the auditor might not accept what you have done. Once you are sure the right action has been taken, notify the auditor and send the evidence of what you have done. In the majority of cases, if you have done your job thoroughly, the auditor will accept your corrective action and start the process of issuing the ISO 27001 certificate.

Surveillance audits. The certificate issued by the certification body is valid for three years; during this time, the certification body will check whether your ISMS is being maintained properly, hence the surveillance audits. Surveillance audits are very similar to the main audit, but much shorter, about 30% of the duration of the main audit. There will be at least one surveillance audit each year. For example, if your company got certified in February 2023, the first surveillance audit will be in February 2024 and the second in February 2025; before the certificate expires in February 2026, you will decide whether to go for recertification. The recertification audit is comparable in scope to the initial Stage 2 audit, and a successful recertification starts a new three-year cycle.

Which questions will the ISO 27001 certification auditor ask?

Now, let’s get deeper into the things an auditor could ask you about.

1) Mandatory documentation

The auditor will first check all the documentation that exists in the system (normally during the Stage 1 audit), asking for proof of the existence of all the documents required by the standard. For security controls, the auditor will use the Statement of Applicability (SoA) as a guide. In addition to the mandatory documents, the auditor will also review any document the company has developed to support the implementation of the system or of the controls. Examples include a project plan, a network diagram, the list of documentation, etc.

2) Evidence

The next step is to verify that everything that is written corresponds to reality (normally during the Stage 2 audit). For example, imagine that the company defines that the Information Security Policy is to be reviewed annually. What will the auditor ask in this case? You can probably guess: "Have you reviewed the policy this year?" And the answer will probably be yes. But the auditor cannot trust what they cannot see; they need evidence, such as records, meeting minutes, etc. The next question will therefore be: "Can you show me the records where I can see the date the policy was reviewed?"

Regarding security controls, the auditor will also seek evidence that they are implemented; in this case the records can be logs, files in the system, network diagrams, platform configurations, agreements with suppliers or customers, applicable legislation, etc.

3) Interviews

By this point, the auditor knows which documents the company uses, so the next check is whether people are familiar with them and actually use them in their daily activities, i.e., whether the ISMS is working in the company. Therefore, the auditor will interview staff members to gauge their knowledge of, at least, the most important documents that apply to them: the Security Policy, confidentiality clauses, acceptable use of assets, the Access Control Policy, etc.

An example of questions in an interview could be as follows:

  • “Do you have access to the internal rules of the organization in relation to the information security?”
  • “Can you show me some of the related policies?”
  • “Could you tell me what you consider to be the most important points in the policy?”

The auditor can also interview those responsible for processes, physical areas, and departments to get their perception of how the standard has been implemented in the company. In these interviews, the questions will be aimed above all at understanding the functions and roles those people have in the system and whether they comply with the implemented controls.

Who gives ISO certification?

First of all, ISO standards are published by the International Organization for Standardization (ISO), an independent, non-governmental international organization whose members are the national standards bodies of its member countries. Its purpose is to develop and publish standards and to share knowledge and best practice, not to issue certificates.

Certificates for companies are issued by organizations called certification bodies, which are accredited by national accreditation bodies (against ISO/IEC 17021-1 and, for ISMS certification specifically, ISO/IEC 27006) to perform certification audits and assess whether a company's Information Security Management System complies with ISO/IEC 27001.

Not all certification bodies (also called registrars) are created equal. Chances are, you’ll find at least a couple of them in your country, so you’ll be able to choose the one that suits you the best. Price is important, of course, but this is not the only criterion you should use – what is also important is that the auditors know your industry, that they have a good reputation, that they can certify other standards as well, etc.; the list goes on – see this article for more: How to choose an ISO certification body.

ISO 27001 certification cost

There is no fixed cost for the certification audit – the certification body will charge you based on several factors, but these two are the most important: (1) the size of your company, and (2) the price of local certification auditors. For example, a very small company in the United States might pay around US$ 7,500 for the certification audit. To get a more precise idea of the ISO 27001 certification cost, it is a good practice to ask for quotes from a couple of certification bodies.

Even before you pay for the certification audit, you will have to pay for the implementation – to see a more detailed explanation, download the free white paper How to Budget an ISO 27001 Implementation Project.

How long is ISO 27001 valid for once certified?

Once a certification body issues an ISO 27001 certificate to a company, it is valid for a period of three years, during which the certification body will perform surveillance audits to evaluate if the organization is maintaining the ISMS properly, and if required improvements are being implemented in due time.

How many companies are ISO certified?

ISO 27001 has become the most popular information security standard worldwide, and many companies have certified against it. The number of certificates issued in recent years is shown in the chart below.

[Chart: number of ISO 27001 certificates per year. Source: The ISO Survey of Management System Standard Certifications]

Which companies are ISO 27001 certified? There is no official central list of ISO 27001-certified organizations, so information about which companies are certified must be gathered directly from the certification bodies that issued the certificates.

The ISO.org website (through the ISO Survey) provides only aggregate statistics on certificates, broken down by industry sector, country, number of sites, etc.; it does not name the certified organizations.

Certification of individuals

Can a person be ISO certified?

Yes. An individual can get ISO 27001 certified by attending an ISO 27001 training course (courses exist both for implementing the standard and for auditing against it) and passing its final exam.

The most relevant courses are accredited, so that the certificates they issue are recognized internationally.

How do I become ISO certified?

To become ISO 27001 certified, you must attend a course and pass its final exam. The ISO 27001 certification exam covers both theoretical questions and situational questions, where the candidate must demonstrate how to apply the concepts learned.

The costs of personal certification

The costs of the training courses and exams for individuals vary from country to country, but they are usually displayed transparently by each training provider.

Besides the costs of the course and final exam related to the desired certification, a person must also consider additional costs to attend the course and the final exam (e.g., travel, accommodation, and transfer costs), unless an online course is attended.


Author: Dejan Kosutic
Leading expert on cybersecurity/information security and author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become certified against ISO 27001 and other ISO standards. He believes that making ISO standards easy-to-understand and simple-to-use creates a competitive advantage for Advisera's clients.

As an ISO 27001 expert, Dejan is sought out to help companies find the best way to obtain certification by eliminating overhead and adapting the implementation to the specifics of their size and industry.