If you’re thinking about certification against ISO 27001, the international standard for information security management, then you may have a number of key questions that need to be answered before you go any further. So let’s pick some of these up and give you some straight answers.
Being ISO 27001 certified means that an accredited external certification body has audited your ISMS (information security management system) and agrees that it complies with the requirements of the ISO 27001 standard. They will then give you a certificate to prove it, and you can show this to anyone who wants to know how seriously you take information security.
The ISO27001 framework provides several benefits for organizations which together make the costs and efforts of implementation all worthwhile.
There’s no doubt that putting an ISMS in place will improve your organization’s information security. This potentially means fewer breaches and, in some cases, fewer fines. But it’s also a useful marketing tool to show your prospects and customers that you’ll look after their data, so it may enhance your reputation and win you more business. It goes down well with regulators too, and it saves you a huge amount of time when responding to tenders that ask about your security controls.
Certification audit costs depend largely on the size of the organization and the degree of risk involved in what it does. A typical small business might require 3-4 days of auditing at a daily cost of around £1300 (depending on the certification body) so that’s £3900 to £5200. Maintenance of the certification might be 1-2 days a year – £1300 to £2600.
There are also other costs to consider such as implementation, documentation writing and the all-important internal audit. Our blog on ISO27001 certification costs runs through everything you may want to budget for before commencing the project.
Before your organization can become certified, it needs to put an ISMS (information security management system) in place, that complies with the ISO27001 standard. This will include defining roles and responsibilities, creating policies and procedures, setting objectives, assessing risks and selecting controls, establishing an internal audit programme and performing management reviews. For more guidance on what exactly is involved, you can download our free ISO27001 implementation guide to see what is required for each clause of the standard.
Achieving certification is a two-stage process carried out by an accredited certification body. Stage one is a readiness review, mainly of your documentation, to see whether you are prepared for a full audit; if successful, stage two is the actual certification audit, in which the auditor checks that the ISMS is implemented and operating as documented. Any major nonconformities found must be closed before certification can proceed, and minor ones will usually need a corrective action plan. Once satisfied, the auditor recommends your organization for certification, the certification body’s independent review confirms the decision, and a certificate is issued. The certificate carries the mark of the accreditation body that accredits the certification body, such as UKAS in the UK, which is what gives it credibility with customers and regulators.
An ISO 27001 certificate is valid for three years, during which annual surveillance audits will be carried out. At the three-year mark a recertification audit is necessary, which may take a little longer than a surveillance audit. An organization remains certified for as long as it keeps passing these audits.
Maintaining your ISMS is ongoing, though, and not something that can simply be reviewed once a year before the auditor arrives. If embedded properly, you will see the benefits of the management system in improved data protection, staff awareness and efficiency in the workplace.
Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range, an ISO 27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry.
CertiKit are a provider of ISO toolkits, consultancy and internal auditing services, and have helped more than 4000 organizations worldwide with their compliance.
For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.