Our team is initiating our pursuit of ISO 27001. Any general guidance from those who have recently been through the process and received their certification?
Thank you Elliott, this is very helpful.
1. Go through each control of ISO 27001. Identify a person who can lead this effort. Have that person conduct an internal audit against all the controls, document the gaps and find a way to fill them.
2. For each control, have the policy or guidelines documented, internally reviewed, approved and published. Each document should have a last review date. Then collect evidence of use to show the auditor.
3. Do not volunteer additional information other than what has been asked by auditor :-).
Hope this helps. Happy to help more if you need. All the best for audit and certification.
Yes, thank you Dhananjay.
Before pursuing ISO 27001 certification, the company should first understand the standard and gain executive buy-in to secure resources and support. The next step is defining the ISMS scope, followed by conducting a gap analysis to assess current security posture. A project plan should be created, and a risk assessment carried out to identify and treat risks, culminating in a Statement of Applicability.
Required policies and procedures must be documented, and the ISMS implemented across the company, supported by staff training and awareness. Internal audits and a management review help verify effectiveness before selecting a certification body. An optional readiness review may be conducted prior to the formal certification audit, which is performed in two stages: a documentation review and a full audit of the ISMS.
Key points to call out are:
Ensure staff understand and support the initiative, and that top management have bought into the initiative.
Be prepared for the additional documentation burden; ISO 27001 is documentation-heavy.
Be ready for the fact that certification requires continuous improvement and re-certification every 3 years, including annual surveillance audits.
If the business holds other standards (e.g., ISO 9001), then all the standards will need to be integrated into an integrated management system.
Thank you for your feedback Alex.
I’m an ISO 27001 Lead Auditor and recently guided a company through a successful certification. From experience, the effort required varies greatly depending on your organization’s context — for example, a publicly traded company will not need the same depth as a mid-sized enterprise, and both industry requirements and IT exposure will heavily influence the scope.
A few tips I’ve found valuable:
1) Secure top management buy-in – Leadership must understand why the certification is valuable, how it supports business objectives, and also the commitments it brings (such as annual surveillance audits and full recertification every three years). ISO27 is not a free process!
2) Work directly with the standard – The Annex provides the full control set. Use it as your checklist and verify that appropriate controls are in place and effective.
3) Keep it simple – Policies, training, and processes should be concise and practical. Excessive paperwork slows down adoption; the goal is always to support the business, not create friction.
Finally, take the time to compare certification bodies. Pricing can vary significantly, as can the flexibility and support auditors provide—choosing the right partner can make the process much smoother.