As it’s Cybersecurity Awareness Month, we asked our InfoSec Manager, Ross O’Sullivan, to share his insights on obtaining an ISO 27001 certification and what goes into the whole process. Since ISO 27001 can be applied to organisations of any type or size, we wanted to share what the certification process and ongoing maintenance might look like for your business.
With the right commitment, you can go from zero to certified in just a few months. Beyond enhancing security, ISO 27001 can help you build trust with clients by demonstrating your commitment to protecting sensitive information—something crucial for every organisation today.
(Please note that this highlights our experience in getting certified initially for ISO 27001:2013. There is a newer version available now, ISO 27001:2022, which introduces substantial structural changes and addresses newer security challenges.)
So, what is ISO 27001?
ISO 27001 is an international standard for managing information security, outlining best practices for protecting sensitive data and mitigating risks. It helps organisations establish, implement, maintain, and continually improve an Information Security Management System (ISMS). Organisations that hold an ISO 27001 certification demonstrate that their business is committed to maintaining high standards of information security.
There are other security certifications available, such as NIST, SOC 2, and Cyber Essentials. Depending on your organisation’s location, industry, or compliance requirements, one of these may be a better fit for your needs. However, for us at Zartis, ISO 27001 has been the gold standard.
Initial Certification Process
The first step towards ISO 27001 certification is to buy yourself a copy of the standard itself and to familiarise yourself with the relevant version. For us, this was the 2013 version, but if you are starting the process now, you will likely be working towards the 2022 version. You can buy the resources directly from ISO (https://www.iso.org/store.html).
Whichever version you follow, the standard clearly outlines which areas of your organisation must be protected. This forms the foundation of your Information Security Management System (ISMS), which should document everything you are doing to meet the requirements of ISO 27001.
Next, you’ll need to assess where your organisation currently stands and where it needs to be in order to fulfil the standard’s requirements. You must also perform a risk assessment to identify areas needing protection, potential vulnerabilities, and the appropriate security controls to mitigate these risks.
Based on the results of your gap analysis and risk assessments, you will need to design and implement security policies and controls. These should cover a range of areas, including access management, data encryption, and incident response plans. Additionally, training and awareness programmes are crucial to ensuring that staff understand and comply with your security measures, particularly in high-risk areas.
Gaining commitment from senior management is essential, as their support is key to providing the necessary resources and ensuring that policies are effectively implemented. This will help establish the ISMS and maintain its effectiveness over time.
As part of the ongoing process, you should regularly review your security controls to ensure they remain effective. An Internal Audit Process (IAP) is critical in identifying any areas of non-compliance with your policies and the ISO 27001 requirements.
Once you feel prepared, you will undergo an external audit by an accredited certification body. This audit is typically conducted on-site and can take a few days. The auditor will review your ISMS documentation and assess the effectiveness of your security controls.
If successful, you will receive your ISO 27001 certification. However, this is not the end of the process; maintaining certification requires ongoing effort, with regular audits and updates to ensure continual compliance and improvement.
For us, the entire process took between six and nine months to complete. However, depending on the size and nature of your organisation, it could take more or less time. There are now various tools available that can streamline the implementation of certain security controls and assist in demonstrating compliance, which may help speed up the process.
Ongoing Commitment
Maintaining ISO 27001 certification requires continuous commitment throughout the three-year certification cycle. In the two years following the initial audit, there are two subsequent surveillance audits. These are generally less intensive than the first audit and focus on demonstrating that you are continuously monitoring, updating, and improving your ISMS in response to new threats and changing internal and external factors. These audits are more about ensuring you are adapting to new risks and that your ISMS is maturing, rather than conducting a comprehensive review of all controls.
Ideally, these subsequent audits should result in no non-conformities or major recommendations. However, auditors often provide feedback on areas for improvement. For any non-conformities with the standard, you will typically be required to provide evidence that these have been addressed within a specified timeframe.
Once all issues are cleared, you will receive a decision to maintain your ISO 27001 certification for another year, typically issued in the form of a letter or certificate.
At Zartis, we have an internal audit process that not only reviews the security controls themselves but also examines the supporting processes to ensure continual improvement. This proactive approach helps us stay aligned with the evolving requirements of ISO 27001.
In addition to internal audits, we hold bi-weekly security-related meetings, which provide an opportunity to discuss emerging risks, address ongoing security concerns, and ensure our security measures remain both effective and up to date. We also conduct a Quarterly Management Review (QMR) with our COO, where we comprehensively review our ISMS. This ensures top-level management remains actively involved in the process and that the necessary resources—both human and non-human—are dedicated to supporting the ISMS.
As ISO 27001 becomes intertwined with key areas of your business, it’s hard to specify exactly what is purely ISO 27001-related and what isn’t, but we roughly allocate a couple of days per month to ensure things are correctly documented and maintained.
Transitioning to Newer Versions
ISO 27001 is revised periodically to account for emerging threats and the evolving technological landscape, such as advancements in cloud computing, artificial intelligence, and data privacy concerns. While transitioning from one version of the standard to the next does require a significant amount of work, it is not as extensive as the initial efforts to gain certification. The changes are generally refinements to existing practices, rather than a complete overhaul, though companies must still be diligent in ensuring their ISMS is fully aligned with the updated requirements.
We have already experienced this process when transitioning from the 2013 to the 2017 version of ISO 27001, and we are now preparing for the shift to the 2022 version. One of the key differences between the 2017 and 2022 versions is the increased emphasis on managing risks associated with newer technologies like artificial intelligence and cloud services. The 2022 version also places more focus on supply chain security and data privacy concerns, reflecting the growing complexity of today’s digital ecosystems. Companies, including ours, will need to consider these updates when refining their risk management processes, as well as ensuring their security controls are robust enough to address these modern challenges.
Although the transition requires updates to policies, procedures, and controls, in our experience, the workload is less intensive than the initial certification process. By building on the foundations already laid down, we can focus on aligning our current ISMS with the specific changes in the newer standard, ensuring we remain compliant and secure against both known and emerging threats.
While you are not reinventing the wheel, transitioning to a newer standard can consume more resources than a regular surveillance/maintenance audit. Again, it’s hard to specify exactly how much more time it will take, but it’s probably closer to a couple of weeks rather than the couple of months needed for the very first audit.
Lessons Learned and Looking Forward
Achieving and maintaining ISO 27001 certification has provided Zartis with several key benefits. One of the most valuable lessons we’ve learned is that having this certification not only helps us manage information security effectively, but it also acts as a trust signal to our customers. It has played a crucial role in attracting and retaining clients who place a high value on robust security practices. This certification demonstrates that we adhere to internationally recognised standards, which reassures customers that their data is being handled securely and responsibly.
Additionally, ISO 27001 has given us a tried and tested framework for managing security and reducing associated risks. The structure and discipline it provides have been essential for ensuring that our approach to security is comprehensive and continually improving. By embedding risk management, regular reviews, and continual audits into our processes, we have created a strong foundation to handle both current and future security challenges.
Looking ahead, we see the certification not just as a badge of credibility but as a core component of our operational resilience. With emerging threats and new technologies on the horizon, the framework ISO 27001 provides will continue to guide us as we adapt to new risks and regulatory requirements. The structure it has brought to a critical area of our business—security—will remain an invaluable asset as we evolve and grow in an increasingly complex digital landscape.