What is ISO27001?

ISO27001 (or to give its proper name, ISO/IEC 27001) is the international standard for Information Security Management Systems.

Since its launch in 2005, becoming certified to the ISO27001 standard has become more popular every year, as concerns and publicity about cyber security breaches have increased. In fact, the 2017 ISO survey recorded a 19% increase in certifications in one year.

ISO27001 is part of the ISO27000 family of standards which also includes a significant number of supporting guidance documents such as ISO27002 and ISO27005. But if you want your organization to become certified, it’s ISO27001 specifically that holds the requirements you have to meet.

The ISO27001:2022 Update

ISO is expected to release a revised version of the ISO27001 requirements standard in October this year. This follows the release of the ISO27002:2022 information security guidance standard in February this year (now included in our ISO27001 toolkit).

The new ISO27001:2022 standard is expected to include minor amendments to the management system and alignment to the new ISO27002 controls within Annex A.

As with all new ISO standard releases, you will not be expected to implement the new version straight away. There is a transition period (usually two to three years from the date of publication) within which certified organizations must move to the new version to keep their certification valid.

How can implementing ISO27001 benefit your organization?

Firstly, implementing an ISMS according to the ISO27001 standard improves your information security and makes it less likely that you will suffer a breach or other type of unwanted cyber incident. Secondly, becoming certified demonstrates to interested parties, such as customers, employees, shareholders and suppliers, that the organization is committed to keeping their data secure; this can be a significant marketing advantage wherever trust and risk are an issue.

Although it’s often perceived to be a technical, IT-centred standard, ISO27001 actually covers the whole organization and is concerned with the protection of information in all its forms. It’s not just for software companies and cloud service providers: many organizations, both small and large and across different industries, comply with ISO27001, especially as they move more of their processes online.

What is an Information Security Management System?

An ISMS is a set of processes that together help an organization to manage its information security by assessing its risks and taking action to reduce them. The management system is simply the set of things you must do to keep on top of your information security, and the main components are:

  • Information security policy – what are your rules on keeping things secure?
  • Objectives – what are you trying to achieve?
  • Risk assessment and treatment – what could go wrong and how can you stop it?
  • Roles and responsibilities – who does what in your ISMS?
  • Competence – does everyone have the skills they need?
  • Awareness training – does everyone know about information security?
  • Monitoring and measuring – quantifying what’s going on.
  • Internal audit – independent checks that it’s all happening as it should.
  • Management review – keeping everything under control.
  • Continual improvement – addressing nonconformities in the operational controls or the management system itself, and continuing to improve the processes.
  • Annex A controls – ISO27001 provides a standard set of controls that you select and apply as appropriate to the risks identified in the risk assessment process.

Add in some written procedures, evidenced communication and continual improvement, and you have a viable and compliant ISMS.

The contents of the ISO27001 standard

The ISO27001 standard can be considered to consist of two main parts:

  1. An information security management system, or ISMS
  2. A set of controls used to reduce your risk

Although the initial emphasis is often on the controls (such as anti-virus, vulnerability scanning and access control), the management system part of the standard is just as important and, in many cases, can pose more problems when implementing the ISO27001 standard.

ISO has deliberately made the wording of the management system clauses in ISO27001 the same as in other management system standards, such as ISO9001 and ISO14001, so it’s easier to become certified to more than one standard (this common layout is often referred to by the rather confusing name “Annex SL”).

The other part of ISO27001 is the 114 reference controls contained in Annex A of the current (2013) edition. This is a set of good-practice measures that you can use to make your organization more secure, organised into 14 areas such as information security policies, human resource security, access control and incident management, to name but a few. (Note that ISO27002:2022 restructures this set into 93 controls across four themes: organizational, people, physical and technological; Annex A of the revised ISO27001 is expected to follow that structure.)

Some of these controls may not be relevant to you, in which case you record the fact, with a justification, in a required document called the Statement of Applicability, which lists every Annex A control and states whether and how it is applied. In most cases the number of inapplicable controls is small, and there’s no alternative but to work your way through implementing the rest as best you can.

How to become certified

It is important to note that there’s no obligation to go for certification to ISO27001, and many organizations choose to simply use the standard as a set of good-practice principles to guide them towards running their business in a more secure way. However, many do become certified to prove their compliance internally and externally. The main reasons companies certify are the requirements of customers or other interested parties, and a commitment from senior management to achieve certification.

When you have your ISMS in place, it has been operating for a period of time, and you’re well under way with the Annex A controls, it’s time to book a stage one review with a Registered Certification Body (RCB), also known as an external auditor. This is simply a company that is accredited to carry out audits against the ISO27001 standard and issue certificates.

Stage one is basically a review of how ready you are for the main event, the stage two certification audit. You may pick up a few findings (known as nonconformities) at stage two but, if these are minor rather than major and you commit to correcting them, your organization effectively becomes certified and can advertise the fact to anyone with an interest.

But don’t forget the auditor will be coming back from now on: surveillance audits normally take place every year, with a full recertification audit at the end of each three-year cycle, so it’s important to keep things running smoothly and continually improving.

How can CertiKit help?

ISO27001 is considered to be one of the best ways to become, and stay, more secure in this online world in which we live. It’s not a guarantee that nothing bad will happen, but it goes a long way to making it much less likely.

Whatever assistance you require with your ISO27001 compliance, we can help. From guidance via our award-winning toolkit, through to consultancy, and internal auditing, we have the tools and personnel available to streamline your ISMS implementation and prepare you for certification fast.

Get a head start with your ISO27001 compliance!

Are you tasked with implementing ISO27001 into your organization but unsure where to start? Well, we’re here to help…

Download our free ISO27001: 10 steps to certification guide to learn:

  1. Each step of the process from project planning to the certification audit
  2. Expert tips from the CertiKit team on best practice for easy implementation
  3. Key insights into building a successful ISMS
