Editor’s note: The original post was published in March 2016, and updates have been made in January 2022 for accuracy and comprehensiveness.
A question we’re most commonly asked is “how can we get certified to ISO27001 as quickly as possible?”. Often driven by the need to achieve ISO27001 certification for a specific contract or to stay top in competitive industries. Previously, this was often in industries such as hosting and cloud software, however as the world becomes more cyber aware and information security is at the forefront of many business decisions there has been a growth in demand for organizations achieving ISO27001.
It’s important to do it properly and gain certification from a registered certification body in your specific country (see our choosing a registered certification body guide for more info) otherwise you will risk the credibility of your management system and your hard work will be wasted.
Timing varies from business to business. There are various factors that affect the time to certification, and these are:
Regardless of where you are in your implementation journey, our ten suggestions below will help you speed up the process.
First, and probably most obvious, is to throw as much resource at the project as possible. Of course, this is about priorities and only you can decide how important achieving ISO27001 certification is to your organization. But if it’s really that vital then make it a priority by getting as many staff involved as possible.
How long the job takes depends on how big the job is. Scoping is a tool you can use to make sure that you only do as much as you have to in order to achieve your goal. If ISO27001 certification is only needed for a subset of your business operations, then set your scope accordingly. Don’t cover everything straight away; you can widen the scope later if it makes sense to, but that’s after you’ve become certified.
A word of caution here; consider carefully what your customers need from you in terms of certification. What it says on your certificate needs to cover the areas that mean most to your customers and other people that matter, otherwise you’ve wasted your time.
In various places in the standard it asks you to address key areas such as objectives, assets, risks, awareness, management reviews and improvements. But in most cases it doesn’t specify quantities or frequencies. There is a temptation when first implementing ISO27001 to try to address everything and do everything as often as possible. Resist this temptation.
By focussing on the most important few items, you can simplify your management system and keep the time required to a minimum. Adopting a “top ten” approach to objectives, risks and assets can help to increase understanding of the process without getting bogged down in detail.
One management review meets the need, a short awareness session is better than none and just a few improvements mean the process is up and running. Don’t do more than you have to initially; you can enhance what you started with as part of the continual improvement for your annual surveillance audit.
There is a concept within ISO27001 of the “risk appetite” of an organization. This refers to the fact that different organizations have differing views on how much risk they are willing to take and accept.
This makes a difference in how you decide what to do about the risks you have identified. If your risk appetite is low, then you will want to mitigate even the lower likelihood or impact risks. But if your appetite is high, then this means you are willing to accept some risks that other organizations would want to do something about.
Controls take time to implement. If you accept risks rather than try to mitigate them with controls, then you will need to spend less time on implementing ISO27001 and you will get to certification faster.
Another word of caution here; the standard requires your management to sign off on the residual risks you have left after you have applied your controls, so you’ll need to make sure they agree with your definition of risk appetite.
Annex A of the ISO27001 standard contains 114 controls. These are “reference controls” which are all good ideas for how to improve your security. However, they may not all apply to your organization and if they don’t, you have no need to implement them.
This is where the document “Statement of Applicability” comes in, which sets out which of the reference controls you consider apply to you. Look at each control carefully and decide whether it really does apply to your operation. Remember this is based on your risk assessment (which considers your risk appetite, see the point above) so if you don’t consider the risk worth treating then you don’t need the control.
The ISO27001 standard requires you to have a set of policies for information security. But it doesn’t say in much detail what should be in those policies. The important thing with policies from an auditing viewpoint is that if you say you’re going to do something, you must do it. The key concept here is to keep your policies simple to start with so that complying with them is relatively straightforward. You can always enhance your policies as part of your improvement activities – after certification.
Using template documents (such as the ones from our ISO27001 toolkit) will speed up the process whilst ensuring you have all the information you need to be audit ready.
You will need to have carried out at least one management review before you can become certified so you may as well get them started early. This will get the reviews established within your organization and highlight areas that still need to be completed so it’s worthwhile. It’s also one less thing to worry about as the certification audit gets nearer. If you have time for more than one management review (recommended) before the Stage Two audit then all the better, and make sure it covers the required agenda items too.
You will need to have evidenced a full internal audit of your management system to meet the requirements of a certification audit. If you don’t have an internal audit function, then you will need to find someone with appropriate qualifications and/or experience to carry out your internal audits.
CertiKit offers a comprehensive pre-certification internal audit conducted by our Lead ISO27001 auditors. We’ll measure in detail the compliance of your whole ISMS and prepare a comprehensive report ready for your certification audit.
When you’re implementing ISO27001 it can be hard to see the wood for the trees; you don’t know which parts are important or what the auditor will pick up on. It’s tempting to try to make it perfect before arranging your Stage One audit. That’s fine – unless you’re trying to get certified as fast as possible. Holding your Stage One sooner rather than later means that:
This can shortcut a lot of work that maybe you thought was needed but the certification auditor doesn’t think so. You will of course still need to have a management system in place before the Stage One audit, but it doesn’t need to be perfect.
Whilst the aim for many organizations is to achieve certification as quickly and economically as possible, let’s not forget that the purpose of the standard is to make certified organizations more secure, so saving time and money should never be at the expense of good security. Implementing an information security management system is the first step in improving security and so the sooner this is achieved, the better.
Also, make sure you also budget for ongoing commitments and resourcing, and ensure Leadership are fully engaged in supporting the management system, otherwise you could lose it just as quick as you have achieved it!
Download our free ISO27001: 10 steps to certification guide to learn: