ISO 27001 Certification: 19 Crucial Questions Answered

Whether to start down the path to ISO 27001 certification is a difficult and important decision for any company. In addition to our deep dives on the cost of ISO 27001 and how it compares to SOC 2, we’ve compiled this list of answers to the 19 most common questions we get about the ISO 27001 standard, and the process of certification.

Simply use the table of contents below to navigate to your most pressing question.

(NOTE: If you’re looking for consulting around ISO 27001 certification, our free tool below matches you with a top-rated ISO consultant that suits your budget and requirements.

Find the Right ISO 27001 Consultant Fast

Get matched for free with top ISO consultancies that fit your budget.

Sidechannel Logo Optiv Logo

By submitting this form I acknowledge that I have read and understand the Privacy Policy and agree to the Terms of Use.

What Are The 3 Pillars of ISO 27001?

The ISO 27001 standards goal is the security of the 3 pillars: people, processes, and technology. It is achieved by utilizing the cornerstones of information security: confidentiality, integrity, and availability also known as the CIA triad.

ISO 27001 is the only international auditable standard that defines the requirements for an information security management system (ISMS) which is a systematic approach that consists of identifying the processes, technology, and people which protect and manage your organization’s information utilizing risk management.

ISO 27001 certification demonstrates that your organization has invested in the people, processes, and technology necessary to protect your organization, and its clients’ data, as well as provides an independent verification standard that your data is sufficiently protected.

The first pillar of the ISO 27001 standard is People. There are two major aspects to managing people; first, you must ensure that everybody in your organization is aware of their part in preventing and reducing threats via employee awareness, policies, and procedures.  The second part is ensuring that your company has specialized cybersecurity staff and that they are staying up to date with their certifications, skills, and qualifications.

The second pillar of ISO 27001 is Processes. The organization’s process defines how its activities, its roles, and its documentation are utilized together to protect the organization from any risks to information threats. The cyber security horizon changes constantly which creates a need for organizations to continuously review the processes that are in place as well as document any changes. The final and most important part of the process is ensuring that your staff is following the subscribed policies.

Last, but not least, the third pillar of ISO 27001 is Technology. Once your organization has performed risk assessments and identified the cyber risks that it faces the organization must then determine what controls need to be established and what technology is needed to prevent or mitigate cyber risks.

What Are The 6 Domains of ISO 27001?

The ISO 27001 standard has 14 domains that cover six main security areas:

01 – Company security policy
02 – Asset management
03 – Physical and environmental security
04 – Access control
05 – Incident management
06 – Regulatory compliance

Within those six main security areas, the 14 domains are:

  • Information Security Policies
  • Human Resource Security
  • Access Control
  • Physical and Environmental Security
  • Operations Security
  • Organization of Information Security
  • Asset Management
  • Cryptography
  • System Acquisition, Development and Maintenance
  • Supplier Relationships
  • Communication Security
  • Business Continuity Management
  • Compliance
  • Information Security Incident Management

What Are The Steps to ISO 27001 Certification?

The ISO 27001 implementation process consists of the following steps:

  1. Scoping the project
  2. Obtaining senior leadership commitment to secure necessary resources
  3. Conducting risk assessments (such as a pentest) of affected environments
  4. Implementation of the required controls
  5. Development of the appropriate internal controls
  6. Creation and implementation of policies and procedures which support the ISMS
  7. Implementation of technical measures for risk mitigation
  8. Awareness training for all employees
  9. Continuous monitoring and auditing of the ISMS
  10. Completing the actual certification audit with an external auditing body

These ten steps can be broken into three main benchmarks which, once completed correctly, will have your organization ISO 27001 certified.

Phase 1: Readiness

The readiness stage can last anywhere from a few months up to over a year. The organization will start by designating an ISO 27001 project team. The ISO 27001 project team consists of senior management, management of applicable teams within the organization, and subject matter experts (SMSs) from key areas of the organization. An information security SME would be of great service to the team. After team assimilation, timelines and goals must be established as well as steps to determine scoping.

Conducting a gap assessment will provide a current view of the company’s security standing as well as identify deficiencies/weaknesses. Then, a risk assessment will need to be conducted and a risk treatment plan developed. In tandem, policies and procedures must be created and implemented. The team must develop a plan for implementation that will occur in Phase two. The organization then needs to develop a Statement of Applicability (SoA) that states which ISO 27001 controls and policies are currently in place. Organizations spend most of their time in this readiness stage.

Phase 2: Implementation

The second phase of your company’s ISO 27001 certification is the audit. The organization will use information obtained in phase one to progress its information security management system into a mature and compliant state.

The organization will do this by implementing and testing the company’s ISMS and ensuring that the organization effectively applies all processes and controls identified within the SoA. The way the organization will do this is by performing an internal assessment to identify its security baseline and determine what steps need to occur to close any identified gaps. The internal assessment is a mandatory step to certification. Once internal assessments have been completed, all non-conformities must be identified and eliminated.

In tandem with the implementation process, the organization should be applying previously identified controls from phase one, as well as collecting evidence that controls are performing as expected.

Phase 3: Formal Certification Audit

The formal certification audit is performed by an accredited certification body that specializes in ISO 27001 accreditation and assures that the auditor is regularly monitored for performance, quality, and competence by the accrediting body such as ANSI-ASQ National Accreditation Board (ANAB).

The certification body will perform a two-step audit, the first of which is a documentation audit. The auditor will examine the organization’s policies, procedures, standards, and documentation ensuring that it meets ISO 27001 standards, as well as is regularly updated and reviewed.

The second step of the formal certification audit is called the field review or evidence audit. The auditor will review evidence that shows the policies in the ISMS documentation are being followed, observe the actual working of the ISMS by conducting interviews with staff members, perform audit tests to validate evidence, and document the results of all steps.

Once these steps are completed the auditor then analyzes the data from the documentation and interviews and creates an audit report that either grants certification or lists CAPs (corrective action plans) that must be remediated and retested for certification.

Is ISO 27001 Certification Hard?

ISO 27001 Compliance is both difficult to achieve and difficult to maintain. Once the organization has achieved certification, there is still much work to be done to maintain it. 

On an annual basis, your auditor will complete a surveillance audit to ensure the organization remains in compliance with ISO 27001 standards by maintaining the ISMS and Annex A controls.  During the time period between certification and surveillance audits the organization will need to stay updated by performing required internal and external audits, completing and documenting regular employee awareness training, updating and approving the ISMS at specified intervals, and regular completion/documentation of risk assessments at intervals specified in the ISMS. 

ISO 27001 certification is a heavy task for an organization to undertake.

What is ISO 27001 Certification Used For?

ISO 27001 Certification is used to provide verifiable proof that the organization has formalized and improved business processes surrounding information security, and privacy, and is serious about securing its information assets. 

How Many Companies Are ISO 27001 Certified?

Due to the nature of ISO 27001 certification and the requirement for annual review and recertification every three years, the number of companies that are ISO 27001 certified is in constant flux. 

As of December 2021, there were between 30,000-40,000 companies that are ISO 27001 certified, in approximately 40 industries/sectors.  China is the country with the most certifications, at over 18,000. 

What is the Benefit of ISO 27001 Certification?

The benefits of ISO 27001 certification are many and include:

  1. Protecting the organization from security threats.
  2. Providing internationally recognized proof that the organization takes security seriously and can be trusted with privacy management.
  3. It also means that current customers and clients are less likely to need to audit the organization, as ISO 27001 certification answers the majority of third-party required audit questionnaires.
  4. The organizations’ structure and focus are improved due to the system created that ensures employees maintain focus on information security and its application.  The ISO requirement of annual risk assessments means that any issues can be mitigated quickly and effectively.
  5. Finally, ISO 27001 assists with compliance with legal and regulatory requirements which may assist the organization in preventing legal and regulatory fines in the event of a cyber breach.

What is The Difference Between ISO 9001 and 27001?

ISO 9001 and ISO 27001 standards regulate different management systems although they do have much in common such as scoping, leadership requirements, human resources support, document management, internal assessment/audits, management support, and continual improvement. 

Even with all of those commonalities, the difference between the two standards cannot be understated. ISO 9001’s objective is to maintain the expected quality standards in the organization, and ISO 27001’s objective is to provide requirements for the establishment, implementation, and maintenance of an information security management system. 

ISO 9001 focuses on product quality, while ISO 27001 is focused on the security of information within the organization.

Is ISO 27001 an Audit?

An ISO 27001 audit is a review process that ensures the organization’s information security management system (ISMS) is in alignment with information security best practices, as defined by ISO 27001 guidelines. Organizations must conduct regular internal audits as well as external audits to receive and retain their ISO 27001 certification.

ISO 27001 certification demonstrates that a company’s ISMS controls are sufficient to secure data and documents, as well as other information assets. ISO 27001 certification also gives organizations a competitive advantage, showcasing that their security controls are more rigorous and aligned with international standards.

To qualify for certification, companies must receive an external audit from a third-party, accredited, objective auditing firm to prove their processes and systems meet ISO 27001 standards.

Annual ISO 27001 certification audits demonstrate the efficiency and efficacy of a company’s security controls. They also show ongoing compliance with ISO standards. Regularly conducting audits allows organizations to review and assess the level of residual risk involved with their existing information security standards. 

Using the results from an audit for ISO 27001 certification, an organization will continue to improve its information security management systems and make residual risk more tolerable.

Who Performs an ISO 27001 Audit?

The formal ISO 27001 certification audit is performed by an accredited certification body that specializes in ISO 27001 certification and accreditation and assures that the auditor is regularly monitored for performance, quality, and competence by the accrediting body such as ANSI-ASQ National Accreditation Board (ANAB).

Your organization should research accredited certification bodies to ensure the agency has experience with your industry and company size and has a positive reputation. The costs of the audit include audit days and time, travel for on-site auditing requirements, and administrative fees.

The certification body you use will perform a two-step audit, the first of which is a documentation audit. The auditor will examine your organization’s policies, procedures, standards, and documentation ensuring that it meets ISO 27001 standards, as well as is regularly updated and reviewed.

Can You Fail an ISO 27001 Audit?

The short answer to whether an organization can fail an ISO 27001 audit is yes, you absolutely can fail. If the organization fails the audit, the organization is given detailed information about the reasons it failed and the remediations that it can take to address those reasons. This comes in a document from the auditing body and includes what are called CAPs, or Correctional Action Plans. 

There’s a significant cost for a failed audit depending on the severity of the noncompliance; some businesses will need to make minor adjustments that could result in additional spending.

Depending on the actual level of noncompliance, a reassessment can cost as much as 60% of the original auditing cost.

There may be multiple areas of noncompliance, classified by severity. An opportunity for improvement is the least severe noncompliance, you can still be certified with opportunities for improvement.  The next level of noncompliance is a minor nonconformity- depending on the number of minor nonconformities, the organization can still be certified, provided those areas are covered in the annual surveillance audit.

A major nonconformity is a show-stopper for the organization.  Any major nonconformity results in a failure of the audit.

There is no direct penalty to an organization if they’re deemed not compliant. They are simply not awarded ISO 27001 certification, however, this can cause other repercussions in the event that the organization has clients or contracts that are requiring certification.

Is ISO 27001 Mandatory?

In most countries, ISO 27001 is not mandatory.  Some countries do have regulations that require specific industries to maintain ISO 27001, however, that is not the case in the United States.  Public and private organizations can decide if they wish to be ISO 27001 certified, and companies can dictate whether vendors are ISO 27001 certified in contracts or service agreements with their suppliers.

Who Needs ISO 27001 Compliance?

It’s a common misconception that only companies that are in information technology have a need for ISO 27001 compliance; it is often mistaken for an IT standard that would only apply to the IT industry; however, the truth of the matter is that although most IT companies are ISO 27001 certified there are many other organizations that would benefit from compliance with the ISO 27001 standard.

The type of organizations that could benefit greatly from ISO 27001 is any organization that manages customer data and any business that deals with sensitive information, such as health care, IT companies, telecoms, and financial industries as well as many manufacturing industries.

Does ISO 27001 Certification Expire?

After your company is ISO 27001 certified, the organization’s certification is valid for three years. 

However, organizations must continue to manage and maintain the ISMS throughout the certification validity period.  The organization’s auditor will return on an annual basis during the two consecutive years after certification to perform annual surveillance audits, which ensure that your ISMS remains in compliance with the ISO 27001 standard.

How Long Will it Take to Get ISO 27001 Certified?

Most organizations will take up to 12 months to get ISO 27001 certified. The amount of time it will take an organization to complete the certification process, and be ready for ISO 27001 certification is heavily dependent on the organization’s commitment to certification and the resources designated to achieve certification.

What is the Cost of ISO 27001 Certification?

ISO 27001 certification cost can vary greatly; estimates range from $5,000 to over $100,000 for a small to medium-sized business, inclusive of all readiness stages, internal audit and remediation, the actual audit, and annual surveillance audits.  

Proper planning is a requirement for ensuring that your organization stays within the established budget for ISO 27001 certification. By breaking up the ISO 27001 certification process into benchmarks, you can ensure you remain on budget and that the ability to course correct is spread amongst major benchmarks.

For a complete breakdown of the costs of ISO 27001 certification, see this article.

Why is ISO 27001 Certification so Important?

ISO 27001 is an internationally recognized security certification standard, utilizing universal standards. An ISO 27001 certification requires your organization to prove that you have developed and maintained an Information Security Management System.

It also reviews the design, implementation, and operational effectiveness of the same. ISO 27001 has the goal of assuring the organization has a fully operational security framework for managing data.

Which is Better, ISO 27001 or NIST?

ISO 27001 is a strong choice for an organization that already has a fully operational ISMS, has a process to regularly have an internal audit in place, and is seeking certifications. 

NIST CSF is better for less mature organizations that are in the beginning stages of performing internal audits and designing an ISMS or risk management plan as there will be sufficiently more effort involved to achieve certification. 

NIST and ISO 27001 certifications potentially work together because they both handle information security and risk management from slightly different perspectives, and with different scoping.  If the organization does not currently have a functional ISMS, a designated internal audit process, or the resources necessary to create and maintain one, the NIST CSF is an excellent alternative. 

Which is Better, ISO 27001 or SOC 2?

Deciding which certification to pursue is solely dependent on your business needs. Paying attention to what your clients are requiring is one way that organizations decide what certification to obtain, however, there are times when one certification is preferable over the other.

If your organization does business with international clients, ISO 27001 is internationally recognized. ISO 27001 will provide greater coverage and opportunities for your organization. SOC 2 audits may be preferred for organizations that already have a security management system in place and want to ensure their current standards and policies are functional. SOC 2 will likely suffice if you are only conducting business in the United States, and you are looking to save on costs.

For a more in-depth breakdown of the differences between ISO 27001 and SOC 2 certification, see this article.


Published by Denise McMillan - ISO 27001 Lead Auditor
Denise McMillan has over 10 years' experience providing IT infrastructure management, Governance and Compliance auditing management and remediation experience utilizing standards found in: ISO27001, COBIT, HITRUST, FEDRAMP, and NIST 800-53....
Network Assured on Facebook     Network Assured on Twitter
Copyright © 2022 Network Assured