Do I need to be ISO 27001 certified?

ISO 27001 is the internationally recognised standard for information security management. It is adopted worldwide for handling the risks linked to the information in your company’s possession.

This popular standard uses a process-based methodology to help you set up, use, monitor, regulate, and enhance each component of your information security management system (ISMS). Additionally, ISO 27001 outlines the policies, procedures, and staff training that enterprises should use to manage information security risk.

As part of ISO 27001, organisations must determine the information security risks to their business and the measures necessary to mitigate those risks in accordance with the standard.

ISO 27001 is made up of 14 categories and 114 controls. If you are not familiar with the certification or these categories and controls, this can seem overwhelming. That’s where we come in. Clients come to us for a range of reasons, many asking ‘do I need to be ISO 27001 certified?’. The answer to this can vary.

Being ISO 27001 certified is not a legal requirement but can support businesses with streamlining internal processes, protecting information, avoiding hefty fines for noncompliance, lowering insurance premiums and enhancing applications for tendered work. In some instances, large tenders will require this certification to be in place.

We advise clients that it is not necessary to put all of ISO 27001’s controls into practice. They just show the options that an organisation might consider based on its specific requirements.


What does being ISO 27001 certified cover?

Many businesses have some sort of information security standards in place, but in the absence of a unified ISMS, those solutions may be fragmented and contain numerous vulnerabilities that could result in data breaches and information leaks.

Additionally, because companies are concentrating on IT-related issues, they may not be putting protection in place for items like hard copies of papers or intellectual property. Implementing ISO 27001 aids organisations in safeguarding all of their private and sensitive data, whether it comes from the inside or outside, and regardless of where or how it is kept.

The three requirements of ISO 27001 are:

  1. A methodical review of an organisation’s information security risks, taking into consideration the implications, threats, and vulnerabilities.
  2. Creating and putting into practice a complete and well-coordinated set of information security controls, as well as other methods of risk management (such as risk avoidance or risk transfer), to address those risks.
  3. Adopting a comprehensive management strategy to guarantee that the organisation’s continuing information security needs are being continuously met by the information security controls.

ISO 27001 is one of the most widely implemented information security standards and works alongside GDPR. ISO 27001 and GDPR are equally important because they ensure people’s data is kept secure. In an earlier article we explore ‘Does ISO 27001 cover GDPR data protection?’.

ISO 27001 is one of the most extensively used and applied standards and almost all businesses will benefit from ISO 27001 compliance.

Is ISO 27001 the best information security standard to implement?

All of our standards are UKAS accredited. If you decide to partner with Compliant, a UKAS (United Kingdom Accreditation Service) recognised certification body independently audits your organisation before awarding you ISO 27001 certification. We have professional partnerships with a range of certification bodies and can pass cost savings from preferential rates directly on to you.

When applying for ISO 27001 certification, more than technological safeguards must be in place. The goal of ISO 27001 is to make sure a business’ controls and management procedures are sufficient and reasonable given the information security threats and opportunities it has identified and considered during its risk assessment.

For more information on becoming ISO 27001 certified or ISO 27001 as an information security standard, view our latest video interview with Compliant Director and Lead Auditor, Mark Henderson here.

The ISO 27001 Certification process

We’ve laid the ISO 27001 process out below to help you decide if it is right for your business:

  1. Deciding to invest in ISO 27001
  2. Choosing to progress as a company or appointing a certification consultant to take the lead
  3. Clearly defining the scope and successfully putting in place an information security management system (ISMS)
  4. Deciding on an ISMS lead who will communicate regularly with senior management and important stakeholders from throughout the organisation
  5. Internally auditing the ISMS and how it is being used in the organisation
  6. Undergoing an ISO assessment with an external third-party auditor

If you choose Compliant as your certification consultant, we can support with steps 3 to 6. As mentioned, we are partners with the majority of certification bodies and can pass cost savings onto clients.

We recommend conducting regular internal audits to make sure that your organisation’s ISMS is working efficiently and in accordance with the ISO 27001 standard. Compliant offers a FREE Gap Analysis to all new clients and can help build a management system from the documentation, processes and procedures that you already have in place.

There are two steps in the external audit process. A stage 1 audit includes a thorough documentation examination, during which an external ISO 27001 auditor examines a company’s policies and procedures to make sure they adhere to the ISO standard and the company’s internal standards. A stage 2 audit involves the auditor running tests to make sure that the organisation’s ISMS was properly designed and implemented, and is operating as intended.

Compliant offers clients a framework to embed their documentation into and works with clients to make sure they are audit ready. We also attend audits with clients and answer any questions arising from the audit. We take the pressure out of the process allowing you to get on with your day job.

Although an ISO 27001 certification is valid for three years, ISO mandates that surveillance audits be carried out annually to make sure that the ISMS and its installed controls are still functioning as intended. This means that an organisation’s ISMS must go through an external audit every 12 months throughout the course of a three-year cycle, during which an auditor will evaluate different aspects of the ISMS.

This is something that we can also support with and we recommend investing in our ongoing monthly support. Find out more about our support package here.

Do I need to be ISO 27001 certified; should we make the investment?

Even though obtaining an ISO 27001 certification can be advantageous, not all businesses will necessarily need to spend the time and money to do so. For instance, a lot of banks and other financial organisations abide by ISO 27001, although they are not certified.

Organisations such as these must adhere to very tight information security policies and procedures in order to comply with laws in many different countries, and they will employ the ISO 27001 framework to do so. Therefore, there is no purpose in pursuing an ISO 27001 certification once the criteria of their country’s regulatory standards have been satisfied.

Aside from the additional security and assurance it gives, an ISO 27001 certification is also beneficial for businesses in avoiding possible penalties and legal actions for data breaches, increases customer trust and enhances public reputation.

But here’s why being certified might be advantageous for some companies.

  • Obtaining certification might help you stand out from the competition and demonstrate to your clients that you value their information security.
  • If you don’t pursue the certification, you might even discover that your customers need it, and you could lose out on revenue.
  • In the event of a data breach, certification can also assist you in preserving your reputation. Reputations suffer when client data is accessed or stolen.
  • If your company complies with ISO 27001, there’s a good chance that you also abide by other security regulations, including ones that are required by law.

Check out an earlier article of ours: ‘Benefits of ISO 27001’.


Is certification or compliance with ISO 27001 required?

Do I need to be ISO 27001 certified? The immediate answer is no. While some wrongly confuse ISO 27001 compliance with a legal obligation, only a few nations have legislation that forces businesses to use the framework. Of course, nothing in life is so straightforward, and there may be circumstances in which your company needs to hold an ISO 27001 certification. Contracts and vendor procurement procedures may, and frequently do, require ISO 27001 compliance, particularly in sensitive sectors like finance and healthcare. We have successfully helped businesses to implement ISO 27001 and get onto the NHS framework.

Additionally, even if it is not formally required, there are some market segments where ISO 27001 certification is usually assumed.

Clauses and controls of ISO 27001

The most recent version of the ISO 27001 standard, which was released in 2013, is made up of 11 clauses numbered “0” through “10,” plus “Annex A”, which details the reference security controls.

Except for the introduction, each of the main clauses has a number of subclauses. Clauses 4 through 10 are regarded as “required,” and a company cannot declare compliance with ISO 27001 without adhering to their specifications. The 11 clauses are:

  0. Introduction
  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organisation
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

In addition to the principal clauses, the official ISO 27001 documentation includes an annex of control objectives and controls that can be used to support an organisation’s information security programme. The annex contains 14 essential groups and 114 controls in total. Keep in mind that the controls and control objectives are offered as best-practice reference material. An audit to determine whether an organisation conforms to ISO 27001 may look at how each control is implemented, but it will do so by considering how each control supports compliance with the mandatory clauses.

Compliant’s ISO 27001 framework is broken down into 9 areas to cover the above clauses and controls:

  1. Implementation Resources
  2. Context of the organisation
  3. Leadership
  4. Planning
  5. Support
  6. Operation
  7. Performance evaluation
  8. Improvement
  9. Annex A

As part of our offer we explain what is expected to stay compliant in each section; collate all of your documentation and populate the framework; supply templates where criteria have not been met; and liaise directly with the auditor on your behalf.

ISO 27001; protecting your information

Are you wondering why so many businesses that aren’t IT related are interested in ISO 27001? Believe it or not, IT is not the most important component in data security.

Most of the time, businesses have all the necessary technology in place, such as firewalls, antivirus software, backups, etc. Data breaches still occur, though, because the implemented systems alone are not sufficient.

We have found that employees’ lack of security awareness and, more crucially, the technology’s poor ability to protect against insider attacks result in breaches that can lead to hefty fines.

So, who is ISO 27001 certification for?

Any business that wants or needs to categorise its business practices around information security and data privacy is eligible for the ISO 27001 certification.

Any company handling private information, such as credit card or personal information, should be ISO 27001 compliant.

Financial institutions, healthcare providers, telecom businesses, government agencies, and information technology companies (such as managed services providers) are some organisations that stand to gain from obtaining ISO 27001 certification.

Next steps

Hopefully this article has answered the question ‘Do I need to be ISO 27001 certified?’. If you would like to find out more about becoming ISO 27001 certified, including the costs and timescales involved, see getting started below.

For more information on ‘How long does ISO 27001 certification take?’ check out last month’s article here.

Getting started with Compliant

We successfully deliver ISO 9001, ISO 14001, ISO 22301, ISO 27001 and ISO 45001 and can help businesses to access funding for their certifications.

Compliant will go the extra step in an initial Teams meeting to fully understand your business, its requirements, the structure of the management system required, and the organisational context. We will then submit all your information to one of our preferred certification body partners.

If you would like a FREE quotation just fill in our quote calculator here!