How to get ISO 27001 certified
If you are using ISO 27001:2013 to create an Information Security Management System (ISMS) for your company, you will likely consider certification against this standard. Certification by an independent third-party registrar is a good way to demonstrate your company’s compliance, but individuals can also be certified to show they have the appropriate skills.
So, how can you get ISO 27001 certification, you may ask?
ISO 27001 certification for companies vs. certification for individuals
ISO 27001 is a management standard that was initially designed for the certification of organizations. The system works like this: a company (or any other type of organization) develops its Information Security Management System (ISMS), which consists of policies (e.g., Information Security Policy), procedures (e.g., risk assessment), people (e.g., internal auditor), technology (e.g., cryptography), etc., and then invites a certification body to audit whether the ISMS is compliant with the standard. If the certification audit is successful, the ISMS is certified against ISO 27001.
However, the whole industry related to ISO standards (certification bodies, consultants, training institutions, etc.) soon realized that without qualified people who could develop and maintain the management system, the whole concept would fail. So, various training courses have been developed for individuals who need ISO 27001 education. Individuals who attend such a course and pass the ISO 27001 certification exam obtain a personal certificate issued in their name.
Certification of organizations
What is required for ISO IEC 27001 2013 certification? Documenting and implementing information security-related requirements (e.g., risk assessment requirements) is only part of the job if an organization wants to achieve certification. ISO 27001 also requires organizations to perform internal audits, management review, and treatment of nonconformities and corrective actions.
How long does it take to get ISO IEC 27001 certification? The timing of the ISO 27001 certification process, between starting implementation and finishing the certification audit, varies according to many variables (e.g., available resources, experience with the standard’s requirements, top management involvement, etc.), but the whole process generally takes between 3 and 12 months. Some organizations perform a gap analysis against the standard’s requirements to get an idea of how long implementation will take.
How many companies are ISO certified? ISO 27001 has become the most popular information security standard worldwide, and many companies have certified against it – here you can see the number of certificates in the last couple of years:
Source: The ISO Survey of Management System Standard Certifications
Which companies are ISO 27001 certified? There is no official central list of ISO 27001 certified organizations, so the information about which companies are ISO 27001 certified must be gathered directly from the certification bodies that issue ISO 27001 certificates.
Certification of individuals
Can a person be ISO certified? Yes. The most recognized certifications for those seeking to acquire competencies are ISO 27001 Lead Auditor, ISO 27001 Lead Implementer, ISO 27001 Internal Auditor, and ISO 27001 Foundations.
How do I become ISO certified? To become ISO 27001 certified, you must attend a course and pass its final exam. The ISO 27001 certification exam covers both theoretical questions and situational questions, where the candidate must demonstrate how to apply the concepts learned.
How much does it cost to get ISO 27001 certified?
ISO/IEC 27001 certification cost for organizations depends on a significant number of variables, so each company will have to prepare a very different budget. Broadly speaking, the main costs are related to:
- Training and literature
- External assistance
- Technologies to be updated/implemented
- Employees’ effort and time
- The certification audit
A good practice before starting such an endeavor is to perform a gap analysis to identify the current status of information security and to form an initial estimate of the required effort.
As for the certification of individuals, the cost of training and exams differs from country to country, but these costs are usually displayed very transparently by each training provider. Besides the cost of the course and final exam for the desired certification, a person must also consider the additional costs of attending the course and the final exam (e.g., travel, accommodation, and transfer costs), unless an online course is attended.
Who gives ISO certification?
First of all, ISO standards are published by the International Organization for Standardization (ISO) – this is an international body founded by governments around the world. Its purpose is to publish standards as a way to deliver knowledge and best practice, so ISO itself does not issue certifications.
Certificates for companies are issued by organizations called certification bodies, which are entities licensed by accreditation bodies to perform certification audits and assess if a company’s Information Security Management System is compliant with ISO IEC 27001.
Certifications for individuals are issued by organizations called training providers, and the most relevant courses are accredited, which guarantees the certificates will be recognized worldwide.
To learn more on what the certification audit looks like, download this free white paper: What to expect at the ISO certification audit: What the auditor can and cannot do.