
Ten Ways to Get Certified to ISO27001 as Fast as Possible

A question we’re most commonly asked is “how can we get certified to ISO27001 as quickly as possible?”. This is often driven by the need to achieve ISO27001 certification for a specific contract, or to stay competitive in the organization’s industry. Previously this demand came mostly from industries such as hosting and cloud software; however, as the world becomes more cyber aware and information security moves to the forefront of many business decisions, there has been a growth in demand for ISO27001 certification across all kinds of organizations.

It’s important to do it properly and gain certification from a registered certification body in your specific country (see our choosing a registered certification body guide for more info) otherwise you will risk the credibility of your management system and your hard work will be wasted.


Timing varies from business to business. There are various factors that affect the time to certification, and these are:

  • Where you are starting from in terms of your management system and controls
  • Your choice of Registered Certification Body (RCB) i.e. external auditor, in particular their availability to fit around your timescales
  • How much audit evidence you already have in place
  • How much resource you can dedicate to becoming certified and how quickly that resource can be made available
  • How quickly you can find an internal auditor who can complete a full internal audit before your certification audit

Regardless of where you are in your implementation journey, our ten suggestions below will help you speed up the process.

Ten Tips for Fast Certification

1. Make it your number one priority

First, and probably most obvious, is to throw as much resource at the project as possible. Of course, this is about priorities and only you can decide how important achieving ISO27001 certification is to your organization. But if it’s really that vital then make it a priority by getting as many staff involved as possible.

2. Choose your scope carefully

How long the job takes depends on how big the job is. Scoping is a tool you can use to make sure that you only do as much as you have to in order to achieve your goal. If ISO27001 certification is only needed for a subset of your business operations, then set your scope accordingly. Don’t cover everything straight away; you can widen the scope later if it makes sense to, but that’s after you’ve become certified.

A word of caution here; consider carefully what your customers need from you in terms of certification. What it says on your certificate needs to cover the areas that mean most to your customers and other people that matter, otherwise you’ve wasted your time.

3. Keep it simple

In various places the standard asks you to address key areas such as objectives, assets, risks, awareness, management reviews and improvements. But in most cases it doesn’t specify quantities or frequencies. There is a temptation when first implementing ISO27001 to try to address everything and do everything as often as possible. Resist this temptation.

By focussing on the most important few items, you can simplify your management system and keep the time required to a minimum. Adopting a “top ten” approach to objectives, risks and assets can help to increase understanding of the process without getting bogged down in detail.

One management review meets the need, a short awareness session is better than none and just a few improvements mean the process is up and running. Don’t do more than you have to initially; you can enhance what you started with as part of the continual improvement for your annual surveillance audit.

4. Think about your risk appetite

There is a concept within ISO27001 of the “risk appetite” of an organization. This refers to the fact that different organizations have differing views on how much risk they are willing to take and accept.

This makes a difference in how you decide what to do about the risks you have identified. If your risk appetite is low, then you will want to mitigate even the lower likelihood or impact risks. But if your appetite is high, then this means you are willing to accept some risks that other organizations would want to do something about.

Controls take time to implement. If you accept risks rather than try to mitigate them with controls, then you will need to spend less time on implementing ISO27001 and you will get to certification faster.

Another word of caution here; the standard requires your management to sign off on the residual risks you have left after you have applied your controls, so you’ll need to make sure they agree with your definition of risk appetite.

5. Be specific about which controls are applicable

Annex A of the ISO27001 standard contains 93 controls (114 in the 2013 version). These are “reference controls” which are all good ideas for how to improve your security. However, they may not all apply to your organization and if they don’t, you have no need to implement them.

This is where the document “Statement of Applicability” comes in, which sets out which of the reference controls you consider apply to you. Look at each control carefully and decide whether it really does apply to your operation. Remember this is based on your risk assessment (which considers your risk appetite, see the point above) so if you don’t consider the risk worth treating then you don’t need the control.

6. Start small with your policies

The ISO27001 standard requires you to have a set of policies for information security. But it doesn’t say in much detail what should be in those policies. The important thing with policies from an auditing viewpoint is that if you say you’re going to do something, you must do it. The key concept here is to keep your policies simple to start with so that complying with them is relatively straightforward. You can always enhance your policies as part of your improvement activities – after certification.

Using template documents (such as the ones from our ISO27001 toolkit) will speed up the process whilst ensuring you have all the information you need to be audit ready.

7. Hold a management review early

You will need to have carried out at least one management review before you can become certified so you may as well get them started early. This will get the reviews established within your organization and highlight areas that still need to be completed so it’s worthwhile. It’s also one less thing to worry about as the certification audit gets nearer. If you have time for more than one management review (recommended) before the Stage Two audit then all the better, and make sure it covers the required agenda items too.

8. Plan in your pre-certification internal audit in good time

You will need to have evidenced a full internal audit of your management system to meet the requirements of a certification audit. If you don’t have an internal audit function, then you will need to find someone with appropriate qualifications and/or experience to carry out your internal audits.

CertiKit offers a comprehensive pre-certification internal audit conducted by our Lead ISO27001 auditors. We’ll measure in detail the compliance of your whole ISMS and prepare a comprehensive report ready for your certification audit.

9. Arrange your Stage One audit early

When you’re implementing ISO27001 it can be hard to see the wood for the trees; you don’t know which parts are important or what the auditor will pick up on. It’s tempting to try to make it perfect before arranging your Stage One audit. That’s fine – unless you’re trying to get certified as fast as possible. Holding your Stage One sooner rather than later means that:

  • You get to meet the auditor which (hopefully) makes everyone more relaxed
  • You start to see your management system through your auditor’s eyes
  • You get a concise list of things you need to focus on before the Stage Two

This can save a lot of work that you thought was needed but that the certification auditor doesn’t consider necessary. You will of course still need to have a management system in place before the Stage One audit, but it doesn’t need to be perfect.

10. Final tips

Whilst the aim for many organizations is to achieve certification as quickly and economically as possible, let’s not forget that the purpose of the standard is to make certified organizations more secure, so saving time and money should never be at the expense of good security. Implementing an information security management system is the first step in improving security and so the sooner this is achieved, the better.

Also, make sure you budget for ongoing commitments and resourcing, and ensure that leadership is fully engaged in supporting the management system; otherwise you could lose certification just as quickly as you achieved it!


Editor’s note: The original post was published in March 2016, and updates have been made in November 2022 in line with the ISO27001:2022 standard.
