The Journey to ISO27001 Certification

20th November 2019


There are many reasons why an organisation may want to implement an effective Information Security Management System (ISMS), and the vast majority proceed to have this independently assessed for ISO27001 certification.

This evidence demonstrates a responsible approach to information security, which is important for customer confidence and legislative compliance, and also helps to keep the organisation safe from ever-increasing cyber threats.

Whilst some organisations will complete their ISMS implementation and certification project through internal resources, this is unusual as there are some great methodologies, tools and resources available. These can help increase the chances of improving cyber resilience and certification success.

It is important to understand that time and effort will be involved to develop the “information security culture” that is required to achieve ISO27001.

That’s why we’ve created an ISO27001 checklist to help your organisation to adapt.

The steps for an organisation to change their culture:

  • The organisation’s senior management needs to be committed to the project, and the achievement of its objectives.
  • There needs to be an allocation of resources for the project, including any training needed to deliver project tasks and an understanding of the security needs of interested parties – customers, partners, regulators etc.
  • Information security documentation and records – policies, procedures and work instructions need to be produced.
  • There needs to be risk management to identify the organisation’s assets and assess their level of risk from vulnerabilities and threats.
  • There needs to be risk treatment, to implement security controls to manage risks which have been identified.
  • There needs to be effective information security education, awareness and communications.
  • Select a certification company and understand their approach.
  • Complete an external audit: Gap Analysis, Stage 1 Assessment (management framework), Stage 2 Assessment (implementation activities).
  • Continue post-certification activities: ongoing internal audits, risk management, training programmes etc.

Our experience working with businesses

Most SME organisations will take between 9 and 12 months from project inception to the completion of certification activities. This is only a guide however. It will vary depending on the complexity of the business, the number of employees and the amount of resource that has been assigned to complete the project.

And the cost?

That depends on the cost of the labour resource, the use of external specialists, expenditure for implementing controls, fixing risks, undertaking technical tests and the certification process itself.

Most credible UKAS audit companies will charge in the region of GBP 5,000 for initial certification, and an ongoing day rate for surveillance audits each year.

This is neither a quick nor a cheap activity to undertake, but the value of the benefits of customer confidence and business resilience is widely acknowledged as far outweighing the costs of achieving an ISO27001 certificate.

We can support you through the process

We’ve been implementing successfully certified information security management systems for over twenty years.

Our experience over that time has allowed us to develop and deliver a variety of resources, which continue to support successful ISO27001 certification projects to this day. It’s also why many of our new customers are pleased to have been referred by those we already work with.

Our “Eight Steps to ISO27001 Certification” below provides a graphical overview of the different steps involved in the implementation and certification process.

[Figure: Eight Steps to ISO27001 Certification – How to successfully gain ISO27001 certification]
Gain support with our document packs

We have also prepared a number of competitively priced documentation packs, which provide a solid foundation for customising to meet your organisation’s specific requirements.

Be wary of suppliers who claim that they can write documentation without taking time to understand your business, or those who may have pre-prepared documentation that is claimed to be fit for all purposes. It’s embarrassing (and expensive) to find out that your ISMS documentation is not meeting the requirements of ISO27001 during the certification phase.

You can find our documentation options here.

If you require support in customising InfoSaaS documentation please get in touch – we have a number of experienced and friendly partners who would be pleased to assist you.

Find a system to implement and maintain

The main element of the ISO27001 standard is to implement and manage an effective system for the identification, management and treatment of risks.

That’s why we developed InfoSaaS, our information security management system.

Achieve and maintain certification with InfoSaaS

Already deployed in many countries around the world, and with a healthy portfolio of successful customer certifications to its name, InfoSaaS provides an intuitive and user-friendly means of complying with Sections 6.1.2/8.2 (Information Security Risk Assessment) and 6.1.3/8.3 (Information Security Risk Treatment) from the standard.

The best means of seeing InfoSaaS in action is to explore our demonstration environment. We also have a short training video available to help you and your colleagues become familiar with the many features of InfoSaaS quickly and easily.

If you would like a helping hand with setting up or using InfoSaaS, our experienced network of partners (in the UK, North America and Australia) would be pleased to discuss your requirements with you.

InfoSaaS systems have formed the cornerstone of successful audits undertaken by some of the world’s largest and most credible certification organisations.

As a Gold-level Consultant of LRQA, we are pleased to recommend their certification services, and we can also provide discounts for LRQA ISO27001 training for you or your colleagues.

The journey towards ISO27001 does not need to be daunting. Our advice is always free, and our services are here to help you when you need them.
