    How to get ISO 27001 certified

    If you are using ISO 27001:2013 to create an Information Security Management System (ISMS) for your company, you will likely consider certification against this standard. Certification by an independent third-party registrar is a good way to demonstrate your company’s compliance, but you can also certify individuals to get appropriate skills.

    So, how can you get ISO 27001 certification, you may ask?

    What is ISO 27001 certification?

    ISO 27001 certification may refer either to the certification of a company’s information security management system against the ISO 27001 requirements, or to the certification of individuals to be able to implement ISO 27001 or audit against the ISO 27001 requirements.

    ISO 27001 certification for companies vs. certification for individuals

    ISO 27001 is a management standard that was initially designed for the certification of organizations. The system works like this: a company (or any other type of organization) develops their Information Security Management System (ISMS), which consists of policies (e.g., Information Security Policy), procedures (e.g., risk assessment), people (e.g., internal auditor), technology (e.g., cryptography), etc., and then invites a certification body to audit whether their ISMS is compliant with the standard. If the certification audit is successful, then their ISMS is certified against ISO 27001.

    However, the whole industry related to ISO standards (certification bodies, consultants, training institutions, etc.) soon realized that without qualified people who could develop and maintain the management system, the whole concept would fail. So, various trainings have been developed for individuals who need to get education related to ISO 27001. This way, the individuals who attend the training and pass the ISO 27001 certification exam obtain a personal certificate that is issued in their name.

    ISO 27001 certification: How to get it?

    Certification of organizations

    What is required for ISO IEC 27001 2013 certification? Documenting and implementing information security-related requirements (e.g., risk assessment requirements) is only part of the job if an organization wants to achieve certification. ISO 27001 also requires organizations to perform internal audits, management review, and treatment of nonconformities and corrective actions.

    How long does it take to get ISO IEC 27001 certification? The timing of the ISO 27001 certification process, between starting implementation and finishing the certification audit, varies according to many variables (e.g., available resources, experience with the standard’s requirements, top management involvement, etc.), but the whole process generally takes between 3 and 12 months. Some organizations perform a gap analysis against the standard requirements to have an idea about how much time they will take to implement it.

    How many companies are ISO certified? ISO 27001 has become the most popular information security standard worldwide, and many companies have certified against it – here you can see the number of certificates in the last couple of years:

    [Figure: Number of ISO 27001-certified companies. Source: The ISO Survey of Management System Standard Certifications]

    Which companies are ISO 27001 certified? There is no official central list of ISO 27001 certified organizations, so the information about which companies are ISO 27001 certified must be gathered directly from ISO 27001 certification companies.

    Certification of individuals

    Can a person be ISO certified? Yes, an individual can get ISO 27001-certified by attending one or more of the following trainings:

    How do I become ISO certified? To become ISO 27001 certified, you must attend a course and pass its final exam. The ISO 27001 certification exam covers both theoretical questions and situational questions, where the candidate must demonstrate how to apply the concepts learned.

    How much does it cost to get ISO 27001 certified?

    ISO/IEC 27001 certification cost for organizations depends on a significant number of variables, so each company will have to prepare a very different budget. The costs of the implementation and certification of the ISMS will depend on the size and complexity of the ISMS scope, which varies from organization to organization. The cost will also depend on the local prices of the various services you will be using for the implementation.

    Broadly speaking, the main costs are related to:

    • Training and literature
    • External assistance
    • Technologies to be updated/implemented
    • Employee’s effort and time
    • The certification audit

    A good practice before starting such an endeavor is to perform a gap analysis, to identify the current status of information security, and an initial expectation of required effort. To see a more detailed explanation of the certification costs, download the free white paper How to Budget an ISO 27001 Implementation Project.

    As for the certification of individuals, the costs of the trainings and exams differ from country to country, but these costs are usually displayed very transparently by each training provider. Besides the costs of the course and final exam related to the desired certification, a person must also consider additional costs to attend the course and the final exam (e.g., travel, accommodation, and transfer costs), unless an online course is attended.

    How long is ISO 27001 valid for once certified?

    Once a certification body issues an ISO 27001 certificate to a company, it is valid for a period of three years, during which the certification body will perform surveillance audits to evaluate whether the organization is maintaining the ISMS properly, and whether required improvements are being implemented in due time.

    Which companies are ISO 27001 certified?

    The ISO.org website provides a general overview of certified organizations, categorized by industry, country, number of sites, etc. You can find the ISO Survey at this link: https://www.iso.org/the-iso-survey.html

    To check if a particular company is ISO 27001-certified, you have to contact the certification body, because there is no official centralized database of certified companies.

    Who gives ISO certification?

    First of all, ISO standards are published by the International Organization for Standardization (ISO) – this is an international body founded by governments around the world. Its purpose is to publish standards as a way to deliver knowledge and best practice, so ISO itself does not issue certifications.

    Certificates for companies are issued by organizations called certification bodies, which are entities licensed by accreditation bodies to perform certification audits and assess if a company’s Information Security Management System is compliant with ISO IEC 27001.

    Certifications for individuals are issued by organizations called training providers, and the most relevant courses are accredited, which guarantees the certificates will be recognized worldwide.

    To learn more on what the certification audit looks like, download this free white paper: What to expect at the ISO certification audit: What the auditor can and cannot do.

    To learn which course is better for you, Lead Auditor Course or Lead Implementer Course, see this article.

    To find out what ISO 27001 Lead Implementer training looks like, see this article.

    Here you can learn more about CISA and ISO 27001 Lead Auditor certifications and how they can be used together to help improve the effectiveness of the ISMS audit.

    Rhand Leal
    Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.

    Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.