ISO 27001 Certification

What is ISO 27001 certification?

Increasing pressure from regulators, clients, and the public for better assurances about the way in which organisations manage confidential and sensitive data has resulted in rapid growth of certification to ISO 27001.

ISO 27001 is the international standard that lays out the specifications for implementing an ISMS (information security management system). An ISMS can be audited by an independent CB (certification body) as a way to assess whether it conforms to the requirements of the Standard.

Purchase your copy of the standard today >>

ISO 27001 and ISO 27002 2022 updates

ISO/IEC 27001:2022 – the newest version of ISO 27001 – was published in October 2022.

Organisations that are certified to ISO/IEC 27001:2013 have a three-year transition period to make the necessary changes to their ISMS (information security management system).

For more information about ISO 27001:2022 and its companion standard, ISO 27002:2022, and what they mean for your organisation, please visit ISO 27001 and ISO 27002: 2022 updates

  Download your copy of ISO 27001:2022 here

  Download your copy of ISO 27002:2022 here

How long does ISO 27001 certification last?

Once certification is granted it is valid for three years, although the ISMS will need to be managed and maintained throughout that period. Auditors from the CB will continue to conduct surveillance visits every year while the certification is valid. 

Advantages of ISO 27001 certification

Although many organizations use ISO 27001 as a framework for information security best practice, organizations may prefer not to get certified at all, or postpone the certification process. There are, however, numerous benefits to achieving certification. Many organizations opt for certification because of client or contractual requirements.

Learn more about the benefits of ISO 27001 certification >>

 COVID-19: remote delivery options

We would like to reassure our clients that all training and consultancy services will go ahead as scheduled during the current COVID-19 situation. As a company that fully embraces flexible and remote working, we are adjusting our delivery methods to allow us to provide consultancy services, penetration tests and training remotely where necessary. Please also refer to our COVID-19 policy.

The ISO 27001 certification process

Once you are ready for certification, you will need to engage the services of an independent, accredited Certification Body (CB). These CBs have been assessed by the relevant national authority based on their competence, impartiality, and performance capability through a rigorous assessment process.

The certification process consists of two stages and is conducted by a qualified auditor:

Stage 1

The auditor will review your documentation to check that the ISMS has been developed in accordance with the Standard. You will be expected to present evidence of all key aspects of the ISMS, but how much depends on the CB’s requirements.

Stage 2

If you pass the first stage, the auditor will conduct a more thorough assessment. This will involve reviewing the actual activities that support the development of the ISMS. The auditor will analyse your policies and procedures in greater depth, and review how the ISMS works in practice, with an on-site investigation. The auditor will also interview key members of staff to verify that all activities are undertaken in accordance with the specifications of ISO 27001.

​If you're considering tackling an ISO 27001 project, discover how to best go about it and the solutions to support your project with our implementation checklist >>

ISO 27001 certification costs

Certification costs usually depend on the number of employees working for the organisation. Certification for an organisation with up to 500 employees could cost in the region of $13,000. 

Can you get certified to ISO 27001 with IT Governance?

IT Governance is not a CB. Instead, we specialize in helping organizations like yours to fully prepare for certification. We do this by providing any combination of training, consultancy, tools, books, and advice, so that you are ready by the time you engage a CB.

We support the concept of independent, accredited certification, which means that we do not audit our own work. For the same reason, CBs are not permitted to provide consultancy and advice to their clients before conducting a certification audit.

Through our years of experience assisting more than 600 organizations with ISO 27001 implementation and certification projects, we know exactly what CBs expect. As a result, we can offer you unrivalled advice and expertise on how to achieve certification with a certification guarantee.

Download our consultancy brochure for more information >>

How IT Governance can help you

• Our implementation methodology has been honed over 15 years.
• We are known as the global authority on ISO 27001 – our management team led the world’s first ISO 27001 certification project (formerly known as BS 7799).
• We offer everything you need to implement an ISO 27001-compliant ISMS – you don’t need to go anywhere else.
• We guarantee certification (provided you follow our advice!).
• You benefit from real-world practitioner expertise, not just academic knowledge.
• We have trained more than 7,000 professionals on ISO 27001 implementations and audits worldwide.
• We’ve helped more than 600 consultancy clients achieve certification to and compliance with ISO 27001.
• We have a proven and pragmatic approach to assessing compliance with international standards, no matter the size or nature of your organization.
• Our pricing and proposals are completely transparent, so you won’t get any surprises.
• We can help small organizations prepare for ISO 27001 certification in three months.