Updated: November 9, 2023.
ISO 27001 is a management standard that was initially designed for the certification of organizations. The system works like this: A company (or any other type of organization) develops their Information Security Management System (ISMS), which consists of policies (e.g., Information Security Policy), procedures (e.g., risk assessment), people (e.g., internal auditor), technology (e.g., cryptography), etc., and then invites a certification body to audit whether their ISMS is compliant with the standard. If the certification audit is successful, then their ISMS is certified against ISO 27001:2022.
ISO 27001 certification may refer either to the certification of a company’s Information Security Management System against the ISO 27001 requirements, or to the certification of individuals to be able to implement ISO 27001 or audit against the ISO 27001 requirements.
However, the whole industry related to ISO standards (certification bodies, consultants, training institutions, etc.) soon realized that without qualified people who could develop and maintain the management system, the whole concept would fail. So, various trainings have been developed for individuals who need to get education related to ISO 27001. This way, the individuals who attend the training and pass the ISO 27001 certification exam obtain a personal certificate that is issued in their name.
If you are using ISO 27001 to create an Information Security Management System (ISMS) for your company, you will likely consider certification against this standard. Certification by an independent third-party registrar is a good way to demonstrate your company’s compliance, but you can also certify individuals to get appropriate skills.
So, how can you get ISO 27001:2022 certification, you may ask? What does the ISO 27001 certification process look like? What will the auditor ask? And how much does the ISO 27001 certification cost?
What is required for ISO IEC 27001 certification? Documenting and implementing information security-related requirements (e.g., risk assessment requirements) are only part of the job if an organization wants to achieve certification. ISO 27001 requires organizations to perform the following general steps before they go for the certification:
To see a detailed description of all the implementation steps, see this article: ISO 27001 Implementation Guide: Checklist of Steps, Timing, and Costs involved.
After a company has completed the implementation, the ISO 27001:2022 certification process can start. There are three stages to the ISO 27001 certification process:
ISO 27001 certification process stage 1 audit – Document review. In this audit, the auditor will look for the:
In this stage of the ISO 27001 certification, you will also have to document some of the controls from ISO 27001 Annex A. Also, you will need records of at least one internal audit and management review. If any of these elements are missing, this means that you are not ready for the next stage of the certification process.
ISO 27001 certification process stage 2 audit – Main audit. This stage usually follows a few weeks after the stage 1 audit. The auditor will check whether your ISMS has really materialized in your company, or if it is only there on paper. They will check this through observation and interviewing your employees, but mainly by checking your records. So, in order to pass this stage of the ISO 27001 certification process, you need to make sure you are really complying with everything you have written in your security policies and procedures. If there are no major nonconformities, the certification body will issue the ISO 27001 certificate to your company.
If the auditor did find a major nonconformity, they will give you a deadline by which the nonconformity must be resolved (usually 90 days). Your job is to take appropriate corrective action, but you have to be careful – this action must resolve the cause of the nonconformity; otherwise, the auditor might not accept what you have done. Once you are sure the right action has been taken, you have to notify the auditor and send him/her the evidence of what you have done. In the majority of cases, if you have done your job thoroughly, the auditor will accept your corrective action and activate the process of issuing the ISO 27001 certificate.
Stage 3 audit – Surveillance audit. The certificate issued by the certification body will be valid for three years – during this time, the certification body will check if your ISMS is maintained properly; hence the surveillance audits. The surveillance audits are very similar to main audits, but they are much shorter – about 30% of the duration of the main audit. There will be at least one surveillance audit each year – for example, if your company got certified in February 2023, then the first surveillance audit will be in February 2024, and the second in February 2025; in February 2026, your certificate will expire, and you will decide whether you want to go for the recertification. The recertification audit has the same three stages as the initial certification.
Now, let’s get deeper into the things an auditor could ask you about.
1) Mandatory documentation
The auditor will first do a check of all the documentation that exists in the system (normally, this takes place during the Stage 1 audit), asking for proof of the existence of all those documents that are required by the standard. In the case of security controls, they will use the Statement of Applicability (SOA) as a guide. In addition to the mandatory documents, the auditor will also review any document that the company has developed as support for the implementation of the system, or the implementation of controls. Examples could include a project plan, a network diagram, the list of documentation, etc.
2) Evidence
The next step is to verify that everything that is written corresponds to the reality (normally, this takes place during the Stage 2 audit). For example, imagine that the company defines that the Information Security Policy is to be reviewed annually. What will be the question that the auditor will ask in this case? I am sure you would guess: “Have you checked the policy this year?” And the answer will probably be yes. But the auditor cannot trust what he doesn’t see; therefore, he needs evidence. Such evidence could include records, meeting minutes, etc. The next question would be: “Can you show me records where I can see the date that the policy was reviewed?”
Regarding security controls – they will also seek evidence that they are implemented, although in this case the records can be logs, files in the system, diagrams of the network, configuration of platforms, agreements with suppliers or customers, legislation, etc.
3) Interviews
At this time, the auditor knows which documents the company uses, so he needs to check if people are familiar with them and if they actually use them while performing daily activities, i.e., check that the ISMS is working in the company. Therefore, the auditor should conduct interviews with staff members to learn about their degree of knowledge of, at least, the most important documents that apply to them: Security Policy, confidentiality clauses, acceptable use of assets, Access Control Policy, etc.
An example of questions in an interview could be as follows:
On the other hand, the auditor can also interview those responsible for processes, physical areas, and departments, to get their perceptions of the implementation of the standard in the company. In these interviews, the questions will be aimed, above all, at becoming familiar with the functions and the roles that those people have in the system and whether they comply with implemented controls.
First of all, ISO standards are published by the International Organization for Standardization (ISO) – this is an international body founded by governments around the world. Its purpose is to publish standards and to deliver knowledge and best practice, but not to issue certificates.
Certificates for companies are issued by organizations called certification bodies, which are entities licensed by accreditation bodies to perform certification audits and assess if a company’s Information Security Management System is compliant with ISO IEC 27001.
Not all certification bodies (also called registrars) are created equal. Chances are, you’ll find at least a couple of them in your country, so you’ll be able to choose the one that suits you the best. Price is important, of course, but this is not the only criterion you should use – what is also important is that the auditors know your industry, that they have a good reputation, that they can certify other standards as well, etc.; the list goes on – see this article for more: How to choose an ISO certification body.
There is no fixed cost for the certification audit – the certification body will charge you based on several factors, but these two are the most important: (1) the size of your company, and (2) the price of local certification auditors. For example, a very small company in the United States might pay around US$ 7,500 for the certification audit. To get a more precise idea of the ISO 27001 certification cost, it is a good practice to ask for quotes from a couple of certification bodies.
Even before you pay for the certification audit, you will have to pay for the implementation – to see a more detailed explanation, download the free white paper How to Budget an ISO 27001 Implementation Project.
Once a certification body issues an ISO 27001 certificate to a company, it is valid for a period of three years, during which the certification body will perform surveillance audits to evaluate if the organization is maintaining the ISMS properly, and if required improvements are being implemented in due time.
ISO 27001 has become the most popular information security standard worldwide, and many companies have certified against it – here you can see the number of certificates since 2006:
Which companies are ISO 27001 certified? There is no official central list of ISO 27001-certified organizations, so the information about which companies are ISO 27001 certified must be gathered directly from the certification bodies that issued their certificates.
The ISO.org website provides a general overview of certified organizations categorized by industry, country, number of sites, etc.
Yes, an individual can get ISO 27001 certified by attending one or more of the following trainings:
The most relevant courses are accredited, which guarantees the certificates will be recognized worldwide.
To become ISO 27001 certified, you must attend a course and pass its final exam. The ISO 27001 certification exam covers both theoretical questions and situational questions, where the candidate must demonstrate how to apply the concepts learned.
The costs of the trainings and exams for individuals differ from country to country, but these costs are usually displayed very transparently by each training provider.
Besides the costs of the course and final exam related to the desired certification, a person must also consider additional costs to attend the course and the final exam (e.g., travel, accommodation, and transfer costs), unless an online course is attended.
To speed up your ISO 27001 implementation, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.