ISO/IEC 27001: Information Security Management System (ISMS) Certification

Designed for management, decision makers and risk owners, this one-day workshop converts the ISO 27001 standard into specific, measurable, achievable, relevant, and time-bound (SMART) activities and objectives which can be incorporated into a project or business-as-usual activities.  

Upon completion, you will receive an ISMS scope of certification which can then be used as part of clause 4 of the standard, and onwards, within your management review and other related processes.  

The workshop includes ideas for engaging the rest of your organisation as well as demonstrating how any work you may be doing for other security or compliance regimes (such as PCI DSS) can be incorporated into your ISO/IEC 27001:2022 ISMS.  

This review is centred around the standard’s core requirements and is designed for top management, decision-makers and risk owners. It will determine your organisation’s compliance with clauses 4 to 10 in ISO/IEC 27001:2022 and provide you with a tailored roadmap, specific to your business’s objectives, to achieve full compliance.  

Our experts will use a combination of substantive and compliance methods to assess your security controls against the ISO/IEC 27001 Annex A Controls, with the help of ISO/IEC 27002:2017. This review will look across your entire organisation and provide you with an indication of your security posture and risk levels as well as providing you with the ability to create SMART activities/objectives to address those risks. Other key outputs include a Statement of Applicability (for clause 6) and the creation of an implementation roadmap. 

Risk management is at the heart of ISO/IEC27001. Working with you, we create a risk management system that incorporates the requirements of the standard and is tailored to your organisation. The risk management system will be incorporated into your ISMS and will underpin a risk assessment process (including information security risk assessment and risk treatment) which is required for certification alongside your Statement of Applicability. 

Third-party risk management is crucial for safeguarding your data and meeting the ISO 27001 standard. Our experts will work with you to determine your third parties’ risk levels and design an assessment process to manage these. We can also support you by completing risk assessments on your behalf and reporting any risks to a risk owner, within your organisation, with suggested remediation activities. 

Internal auditing serves as a cornerstone for maintaining the integrity and effectiveness of your information security management system. By conducting regular internal audits, you not only identify areas for improvement but also ensure alignment with ISO 27001 standards and regulatory requirements.

Our team can seamlessly step in to perform thorough internal audits on your behalf, ensuring compliance with clause 9.2 of ISO 27001 and fostering a culture of continuous improvement. With our assistance, you can confidently navigate the audit process, identify improvement opportunities and maintain your commitment to information security excellence. As your familiarity with the standard and processes improves, you may choose to bring this in-house or retain LRQA to deliver this core element of the standard on your behalf. 

ISO 27001 is the international management system standard that defines the requirements for an Information Security Management System (ISMS). The standard provides a best practice framework to identify, analyse and implement controls to manage and mitigate risks – reducing the likelihood of an information security breach.
Any organization - irrespective of size and sector - can utilize the requirements and controls within ISO 27001 to implement an effective ISMS which can be independently certified.

Accredited ISO 27001 certification provided by a reputable and independent certification body demonstrates a commitment to information security, providing an unbiased view regarding the robustness and effectiveness of your ISMS. This helps to fulfil contractual obligations, and in many cases acts as a licence to trade.

Protect your data and reputation

ISO 27001 certification demonstrates you’ve established a systematic, risk-based approach to information security that drives best practices around: 

• Identifying information and cyber security risks
• Analysing risks based on impact and likelihood
• Evaluating risks and prioritising when they’re addressed based on factors relating to your business
• Selecting risk treatment options

Demonstrate compliance with laws, regulations and contractual requirements

Gaining certification to ISO 27001 requires you to identify applicable legislation, such as the EU GDPR or regulations like HIPAA. This has a positive impact on risk management and corporate governance, helping you demonstrate compliance and fulfil contractual requirements.

Competitive edge

Certification from LRQA gives clients and stakeholders confidence that security risks – which could relate to IT, people, the physical environment and business continuity – have been adequately addressed in order to protect their information.

ISO 27001 certification provides a clear statement of your capability and demonstrates that you operate in line with internationally recognized best practices – helping you win new business.

ISO 27001 audits follow the same approach as other Annex SL based management systems. You can start with training and gap analysis, but the formal process involves an audit of the design of the ISMS (Stage 1) and an audit of its operation (Stage 2). The outputs of these audits are technically reviewed by a qualified, independent person in LRQA to ensure consistency and alignment with our commitment to the best practices defined by accreditors.

Once approved your ISO 27001 certificate is issued and you begin a three-year cycle of surveillance audits leading up to a renewal audit to re-establish the next three years. Surveillance enables both LRQA and your organization to manage changes and ensure that audits are relevant to current industry needs.

Once approved, certification lasts for three years subject to effective system maintenance demonstrated through the surveillance program.

A typical ISMS certificate scope statement includes activities relating to the delivery of products and services. It does not need to include internal activities or ISMS processes. The aim is to assure the reader that the information provided when receiving the product or service is protected.

The statement of applicability refers to the list of selected controls. It does not provide details of those controls but a traceable reference to a control statement used as the basis of the last ISO 27001 audit. Sometimes organizations have a sharable public version that simply lists the controls selected from ISO 27001 Annex A, but this is not a mandatory requirement.

The cost is based on the number of audit days which relates to the number of employees within the scope of the ISMS. The number of audit days is published in the accreditation standard, ISO 27006, and available for all to see. Engaging an accredited certification body like LRQA ensures you get a proposed audit duration based on industry best practices that is comparable to all other accredited certification bodies.

As an example an organization of 100 Full-Time Equivalents (FTEs) should expect an initial audit duration (Stage 1 + Stage 2) of between 8 and 12 days depending on the sector they operate in, how complex their working environment is, whether they are involved in developing software, or if they need to build security into the product. The subsequent surveillance programme would be 3-4 days/year and the renewal 6-8 days.

Yes – as both ISO 9001 and ISO 27001 are based on the generic best practice model for management systems - Annex SL - the core management processes can be optimized to meet the requirements for both standards. In fact, designing a system to address both improves the effectiveness of organizational governance. For example, business objectives such as growth often require the development of new products where security is typically considered a quality standard in line with market expectations. Integration can also minimize duplication which can lead to a reduction in audit time, providing a cost-effective option.

The path that your organization takes to achieve ISO 27001 certification often depends on your business's level of maturity in relation to information security and broader risk management, amongst other factors. But the typical process to get ISO 27001 certified includes 3 main steps.

• Stage 1 Audit – document review and planning: Your auditor will review the design and documentation of your management system – in most cases, this is carried out remotely.
• Stage 2 Audit – evaluating your implementation: Your auditor will evaluate the implementation and effectiveness of your ISMS in line with the requirements of ISO 27001. If there are no non-conformities, you’ll receive your certification. This stage can be carried out remotely or on-site.
• Promote your ISO 27001 certification: Your certification demonstrates a commitment to internationally recognized best practices and continual improvement – helping you win new business and meet customer demands.

The publication of ISO 27002:2022 provides an update to the list of controls present in ISO 27001 – which dates back to 2013. The revised controls reflect developments relating to both threats and current best practices, and the broadened scope of ISO 27002 helps ensure that risk management measures are wide-ranging and effective. Organizations can use the comprehensive list of controls to treat the risks they’ve identified or discover potential gaps – helping them remain one step ahead of the complex and evolving threat landscape facing businesses today.

A new version of ISO 27001 is expected to be published by the end of October 2022. It will feature the new controls outlined by ISO 27002:2022 requiring organizations to revisit their risk assessment and determine whether new risk treatments need to be implemented.