ISO 27001 Certification
What is ISO 27001?
ISO 27001 is an internationally recognised standard for establishing, implementing and maintaining an Information Security Management System (ISMS) within a business. It is one of the most widely recognised information security standards globally. The standard was last updated in 2022. Its aim is to protect all information assets within an organisation.
ISO 27001 uses a risk-based approach, referencing a set of 93 controls (referred to as Annex A) across 4 domains: organisational, people, physical and technical. Which controls are applicable depends on your organisational context, scope and risk.
Why should a business consider ISO 27001?
An effective ISMS helps demonstrate management of cyber security within an organisation, bolstering their cyber resilience.
ISO 27001 offers a range of benefits for businesses of all sizes. It provides a structured framework approach for managing information security risk. This allows a small organisation to ensure the confidentiality, integrity and availability of information (commonly known as the CIA triad). ISO 27001 allows an organisation to demonstrate to stakeholders that they take information security seriously, improving trust.
Furthermore, ISO 27001 helps businesses comply with information security legal and regulatory requirements. The framework provides a clear demonstration of how information security is managed, helping you comply with relevant laws and regulations. This reduces the likelihood of fines and penalties associated with non-compliance.
From a compliance standpoint, an ISMS that conforms to the ISO 27001 standard can help with conforming to article 32 of the EU General Data Protection Regulation (GDPR). An effective ISMS showcases the consideration of the CIA triad within the organisation. You can read further about the link between ISO 27001 and GDPR here.
ISO 27001 also provides a great competitive advantage. Some businesses require compliance with ISO 27001 as a condition of doing business. Having this competitive advantage could better position your organisation to attract new clients and opportunities.
The benefits offered by ISO 27001 are huge for a small organisation. Strengthening your security posture helps protect your organisation, whilst also enhancing your reputation and potential opportunities.
If you are a small business, you can read about why ISO 27001 would be a great fit for you in our blog post: ISO 27001 - The gold standard of Cyber Security for Small Businesses?
How can we help?
Practical Infosec can help by offering consulting around the implementation of the ISMS, using the ISO 27001 standard. We can guide you through the process, getting you to the audit stage.
Depending on your timescales and requirements, we spread the process out over a yearly program as part of our Security Journey service, costing from £1,790 per month. We also offer implementation in 3 and 6 month periods.
What does the process look like?
ISO 27001 is designed around the context of your organisation and setting the scope for the ISMS. From there, the process involves identifying, managing and mitigating information security risk. The risk management stage allows us to design a programme of continuous improvement of the ISMS, involving people, process and technology. The ISMS is then audited internally, then externally, and, if correctly implemented, this results in certification to ISO 27001.
ISO 27001 is typically implemented through the PDCA Cycle:
- Plan - What you wish to achieve and how to do it
- Do - Implementing what you have planned for
- Check - Confirming whether things went as planned
- Act - Closing the gap between the plan and check phases
Once certification is achieved, a big step is demonstrating your commitment to continuous improvement of the ISMS. The certification body will then reassess you at a 3 year interval, as part of the 3 year re-certification audit.
For an organisation looking to implement ISO 27001 over a 12 month period, the approximate process would look like:
Price:
From £1,790 per month, typically over a 12 month period.
Extra Costs:
As shown in our end-to-end process above, there are additional costs associated with ISO 27001 audits beyond our implementation fee. The exact amount can vary depending on several factors, including:
- Organisational size - headcount
- Operational setup - remote vs physical locations
- Complexity of the audit scope - for example, if you conduct extensive software development, maintain in-house servers, or operate in highly regulated industries
Based on our previous remote projects, typical additional costs are approximately:
- Organisations with around 10 employees:
  - Internal Audit - £2,850
  - External Audit - £4,000
- Organisations with around 11-50 employees:
  - Internal Audit - £3,800 - £5,000
  - External Audit - £4,500 - £7,500
- Organisations with 51-100 employees:
  - Internal Audit - £4,000 - £6,000
  - External Audit - £7,500 - £12,500
- Organisations with 101-200 employees:
  - Internal Audit - £5,000 - £7,500
  - External Audit - £10,000 - £15,000
If you are a UK company, VAT is also applied on top of these figures. As mentioned above, these are approximate ranges, and can vary depending on factors other than the size of the organisation.
If you want to become ISO 27001 certified really quickly, e.g. in 6 weeks or three months, book a call here to get a quote.
Next Steps
If you would like to enquire about ISO 27001 or ask any questions, you can book a free call here or get in touch.
