How to successfully start with ISO 27001 certification

Written by Ivar van Duuren


January 25, 2024

security island
What does an ISO 27001 certification project look like? What internal and external people and resources do you need? And exactly which measures are mandatory (or not)? Co-founder of ISOPlanner Ivar van Duuren explains.

ISO 27001 certification in a nutshell

To give you an overview of the whole process, here I briefly explain the main steps you need to take. The first step to start with ISO certification is to look at the context of your organization. Which parties are involved with you as an organization? Think about employees, shareholders, clients, suppliers, and other parties like that. And what do those parties expect from you when it comes to information security?

The next step is to determine the risks. What risks do you see as an organization when it comes to information security? And then you usually start formulating a policy: you choose the measures you are going to use to mitigate those risks and how you want to implement them in your organization. And finally, you make sure that you periodically check whether you still comply with this policy.

What help do you need with ISO 27001 certification?

You may wonder if you need help implementing the ISO 27001 standard or if you and your colleagues can do it yourselves. This depends on a few things.

First, it depends on how much experience you already have within the organization with implementing ISO standards. If you don’t have any, then it might be nice to bring in an external consultant to help you with the implementation.

This also helps maintain progress. Implementing ISO 27001 may not always be the highest priority among the various departments involved. There are always things that take priority: customers who need help, and projects that need attention. Bringing in a consultant can help you keep pace with implementation.

In addition, your need for help also depends on your decision to purchase a sample documentation package, for example. Such a package already provides a lot of information and sample documents that you need during implementation. It also provides a lot of structure that will help you implement ISO 27001 independently in your organization.

Internal stakeholders in ISO 27001 implementation

So who within your organization should you involve in the implementation of ISO 27001?

First, your management must be involved. This is an important requirement of the ISO 27001 standard. Management must have an active role in controlling information security in the context of ISO 27001.

In addition, more roles within your organization are relevant to information security. Very often we see an IT manager involved, from the technical aspects of information security. In addition, we also often see an HR manager. Who has to control who enters the organization as an employee. So for such “in and out” processes, that HR manager is important.

And finally, there are often people involved who do executive work, such as making backups and setting them up. These are also people you want to involve in this project.

Required services with ISO 27001 certification

What external services do you need with an ISO 27001 certification? What you need in any case is an external auditor. This is a party that checks whether you as an organization ultimately meet the requirements of ISO 27001.

From the ISO 27001 standard, another mandatory part is an internal audit. ‘Internal’ sounds a bit confusing, because it seems to imply that you can pick up this part internally. In principle, you can, but you need internal people who have the competencies to perform internal audits. And who therefore have experience in doing so.

However, many organizations that start with ISO 27001 certification do not yet have that experience. So many organizations have an internal audit performed by an external auditor. This is not the same party that performs the real external audit. But in most cases, this is an external consultant who helps you implement ISO 27001 and who also takes on the internal audit.

Finally, one of the measures in the ISO 27001 standard requires an external check on the technical security of your own developed applications. Many organizations commission a pen test for this purpose. If that applies to you, you will of course need a specialist party for that as well.

Are all ISO 27001 measures mandatory?

Many organizations wonder which ISO 27001 measures are mandatory to implement. The standard contains an annex, Annex A, with many measures that you can implement. These measures aim to reduce your security risks.

Yet these measures are not mandatory, they are mere suggestions. The standard says that you must identify risks and take measures to control those risks. But you are not obliged to implement those suggested measures.

However, it is mandatory to indicate why you are implementing all these measures. For example, based on risks you see. Also, if you do not implement a measure, you indicate your reasoning. You are also free to create your own measures if you find them more appropriate to manage your identified risks.

How does an ISO 27001 certification audit work?

An external auditor checks whether your organization meets all the requirements of the ISO 27001 standard set. This is a certifying organization whose purpose is to verify that you meet all the requirements. This is done during the certification audit, which consists of two parts.

The first phase consists largely of checking the documentation in place. The auditor checks whether your organization has all the mandatory documents you must have for ISO 27001. And also whether you have started your improvement cycle where necessary.

In practice, he or she assesses whether you have a working process, or an information security management system (ISMS). Which involves the following questions:

  • Do you have an overview of all your organization’s stakeholders?
  • Have you inventoried all the risks?
  • Have you taken measures to control those risks?
  • Have you written out policies to do so?

In the second phase of the certification audit, the auditor not only looks at documentation and the policies that have been written. Now the auditor also checks whether you are complying with the established policy.

Also read: Expert Tips On ISO 27001 Implementation

About Ivar van Duuren

Ivar van Duuren is a co-founder of ISOPlanner. He’s had experience with the fragmented ISO certification approach with separate documents and the pressure to do it within a certain deadline.

A simpler system that provided an overview and insight into the required measures and planning was the answer to this frustration. With its unique integration with Microsoft Outlook and Microsoft Teams, ISOPlanner provides a simple and clear tool during certification processes.

More tips on compliance automation?

Feel free to contact us. We would love to talk to you!

Related Articles

Tips for security (risk) awareness in information security

One of the most important aspects of effective information security is security awareness - employees' awareness and knowledge of security risks and how to prevent them. In this article, you'll discover more about what security (risk) awareness is, who poses the...

Everything you need to know about an ISMS

As a security officer, you have the important task of keeping information security in order. If you want to become ISO-certified for information security within your organization, setting up an Information Security Management System (ISMS) is a mandatory component....

Sign Up For Our Newsletter

Join over 1.000 ISO professionals for the latest ISO insights