ISO 27001 certification

What are the common mistakes to avoid when getting an ISO 27001 certification?

Since the ISO 27001 standard is designed to be customizable to your organization, there are several instances where businesses could go wrong in their implementation process.

Based on our extensive experience of working with varied clients, we’ve pulled together a list of the most common pitfalls businesses face when implementing the standard, along with advice on what you can do to avoid them.

Not defining the right scope

Finding the right scope for implementing your organization’s ISMS can be tricky. Organizations often set overambitious implementation goals, leading to the adoption of several redundant and unneeded controls and processes.

This can lead to resource wastage, increased cost of information security, and demotivated employees chasing unachievable targets.

On the other hand, an organization may define their scope too narrowly, ignoring controls that are absolutely necessary. This could lead to noncompliance with the ISO 27001 standard and can make it appear that your organization is not in control of its ISMS during the certification audit.

Lack of management

Implementing ISO 27001 controls is often considered to be an IT exercise and the responsibility of the IT department. In reality, it is a management standard for information security. The upper management in an organization may not see the value the implementation of ISO 27001 adds to the business, and they may be hesitant to fully commit.

Too few resources

Often, ISO 27001 implementation falls to a particular individual or team within the organization. This type of approach can create information security silos where only very few individuals are aware of the controls and procedures around the ISMS and other aspects of the standard. The loss of such individuals could cause the collapse of the entire ISMS.

Find out which two other mistakes are common for all businesses and how you can prevent them from happening in our free guide about the most common pitfalls during ISO 27001 certification.

How long does it take to get ISO 27001 certified?

Usually, the process can take 6 to 12 months, depending on business size and complexity. The use of designated solutions like the DataGuard platform can speed up the process to as little as 3 months (also depending on a business’ unique circumstances).

First steps are called the ramp-up phase, where the main chunk of work is done. You carry out a gap analysis that aims to close up to 50% of your company's most significant risks in as little as 8 weeks.

Getting through the process involves:

• Defining your scope
• Building your Information Security Management System (ISMS)
• Identifying and managing risks
• Protecting your information assets
• Passing your ISO 27001 audit
• Maintaining your ISMS, keeping your certificate

Does the ISO 27001 certification expire?

The ISO 27001 certification needs to be renewed every 3 years. We recommend remaining compliant to protect your company’s assets and ensure your information remains safe. Furthermore, companies must pass the annual surveillance audit to verify compliance and to avoid expiry of the certification before the three-year cycle.

How do you transition from ISO 27001:2013 to ISO 27001:2022?

If you already comply with the ISO 27001:2013 certification, you don’t necessarily need a separate audit to transition to the new revision. You can either undergo a standalone transition audit or you can opt for a transition audit at the time of annual surveillance or re-certification. This depends on where you are in the certification lifecycle.

Here is an overview of a typical transition roadmap:

Complying with the new 2022 standard is bound to save your organization resources and frustrations. This is why we recommend transitioning sooner rather than later. You can gain detailed insights here: DataGuard's expert insights on the ISO 27001:2022 update.

What are the benefits of getting ISO 27001 certified?

The benefits of implementing ISO 27001 are plenty—both for your business and external parties and stakeholders. Here's an overview of the most important ones:

• Your company or organization can avoid significant financial losses caused by ransomware attacks.
• Win more deals; having a certified information security system can set you apart from the competition and win trust among prospective buyers.
• You may be able to secure investment more easily. Investors are becoming more and more aware of the threats ransomware attacks have.
• Reduced risk of data breaches: By having the proper measures in place, you can avoid the risk of a breach before it even happens.
• Setting up processes and procedures when it comes to how you handle data can also mean increased operational efficiency. Because now you have a standard process instead of different methods.
• Customers want to know how you handle their information, and getting ISO 27001 certified is the ultimate promise that you take information security seriously.

What does the ISO 27001 certification process look like?

Accredited vs. non-accredited certification

As we have learned so far, ISO 27001 certification is not mandatory for businesses. However, it’s recommended to be compliant with the standard. But what’s the difference between being certified and being compliant? In general, you must understand the three ways of communicating the implementation of ISO 27001:

• ISO 27001 compliant
• ISO 27001 certified
• ISO 27001 certified by an officially accredited certification body

The difference is that an independent third certification body validates an accredited certification. A non-accredited certification means you have implemented the ISO standards but have not undergone an external audit, nor have you been issued a certificate for an external certified body.

Often, certain contractual agreements require an official accredited certification. Apart from this, achieving an accredited certification is highly recommended. You can use it in your communications towards customers and have an external assess your information security to ensure your ISMS is in check.

We strongly recommend seeking certification exclusively through accredited bodies. Business partners often do not acknowledge certifications lacking confirmation from an international accreditation body. Read more about accredited bodies here.

Implementing controls and a risk treatment plan to manage risks

An integral part of your information security program is the risk treatment plan. This plan is all-encompassing and is meant to execute measures to either accept, avoid, transfer, or mitigate the possibility or consequences of risks.

Of utmost importance within a risk treatment plan is the aspect of implementation. Its significance lies in guaranteeing the actual execution of risk treatment procedures.

You can read ISO 27001 risk treatment plan: How to develop the right one here.

Completing your ISMS documentation

Documentation is the basis of your ISMS and the most important part of getting and maintaining your certification. If it's not documented, it's not relevant.

You need to keep track of many things when it comes to documentation. To give you a complete overview of the documentation required for ISO 27001 certification, along with information on preparing said documentation, we have created a detailed list:

Definition of the scope of application of the ISMS (Information Security Management System)

The scope of application of the ISMS is defined in the so-called “Scope Document.” This determines which divisions of your company are subject to the ISMS. Your ISMS doesn’t necessarily need to be rolled out across the entire company—only the relevant departments and divisions. That said, in the case of smaller companies, it will usually cover all departments.

Coordination and documentation of the guideline on information security

The objectives which your company seeks to achieve with your ISMS should be clearly defined in the guideline on information security. This document should also demonstrate why information security is a top priority in your organization and that management is responsible for the guideline.

This does not have to be formulated by management themselves but must always be approved by the necessary stakeholders. The ISO standard already specifies the following information security objectives:

• Data confidentiality
• Data availability
• Data integrity

Definition of risk assessment and risk management methods

You will need to identify your company’s risks, assess them individually, and define an appropriate methodology for risk management. The assessment should always be carried out by the respective risk owner and should ultimately be approved by management.

In addition, this area should be coordinated within the company, ideally with your ISO, CISO, or risk management department. Given that this process must be repeated on a regular basis, it can result in a lot of effort, especially for small and medium-sized enterprises that lack in-house security and risk experts. Repetitions happen when there are new assets in the company that require a risk assessment.

Preparing a declaration of applicability

As part of this step the ISO/CISO shall agree, with the respective specialist departments, which of the 93 controls stated in Appendix A of ISO 27001:2022 must be carried out or which are relevant for the company.

ISO 27001 has specified various areas such as cryptography, HR security, or operational security. Companies may exclude some of these areas by providing appropriate justification. For example, if a business does not have a loading zone, it is simply not necessary to draw up rules for loading zones.

If you choose to work with experts such as DataGuard or an external consultant, you may receive documentation templates that will cut down your manual work significantly compared to creating them from scratch.

What is an audit, and why is it important?

An audit is basically the process of checking that your ISMS meets the requirements and criteria of a standard. If you are certifying against ISO 27001, it will be the requirements of the ISO 27001 standard.

Audits ensure the success of your ISMS by identifying information security non-conformities and can be either internal or external. Internal audits can be carried out using the organizations’ own resources—whether that’s internal company employees or contracted independent consultants.

External audits are carried out by a certification body, external partners, or customers who want to assess the ISMS on their own terms. The latter is the exception than the rule—when referring to an external audit, a certification body is meant in most cases.

Audits are incredibly important because they are:

• A concrete requirement of the ISO 27001 standard
• The only way of verifying whether you comply with the standard
• Necessary to obtain your ISO 27001 certification

How do you conduct internal audits?

Internal audits are vital for long-term success in earning and keeping your ISO 27001 certification. They should be carried out on a regular basis by employees within the company, as opposed to external auditors coming into your company to assess your ISMS.

However, independence and qualification are a must for being an internal auditor. Another option is to perform internal audits with external consultants, like the experts at DataGuard, who also offer regular audits. Internal audits are your best bet for catching gaps in your documentation and improving it.

When you are getting certified for the first time, the internal audit ensures you have everything you need in place to pass your certification on the first try.

An internal audit checklist will help you keep an overview of the necessary steps. Here is an overview:

1. Documentation Review
   • All documentation from the management and control system should be reviewed to ensure that it is complete, accurate, and up-to-date.
   • A team should be assigned to perform this task.
   • The team should be given a clear set of instructions to follow while they are performing the review.
   • The documentation should be examined for completeness, accuracy, consistency, and suitability for its intended purpose.
   • The auditor will then check to see if you have the required documents and that it complies with the standards.
2. Management Review
   • The management review team should go through the documentation again to make sure that all relevant information has been recorded and that there are no omissions or missing information.
   • Finally, management needs to look over the report and take the audit results into account. Make sure that any essential changes and corrective measures are put into place.

Get a full breakdown of how to conduct an internal audit.

What can you expect from an external audit?

You will be in touch with your auditor before the external audit takes place to agree on resources and timelines.

In general, there are four types of external audits:

• Stage 1 Audit: This is the documentation-review audit, where the external auditor checks if your organization has all the necessary documentation in place for a fully functioning ISMS. Your documents need to cover the documentation required in the ISO/IEC 27001 standard. The certification body will take the time to gain a sufficient understanding of the ISMS design in the context of your organization, risk assessment and treatment (including the controls determined), information security policy and objectives. A large emphasis will also be put on your company's preparedness for the audit. This allows planning for stage 2.
• Stage 2 Audit: Based on documented findings in Stage 1's audit report, the certification body will develop an audit plan to conduct Stage 2. In addition to evaluating the effective implementation of the ISMS, the aim of Stage 2 is to confirm that your company adheres to its own policies, objectives, and procedures.

To do this, the audit will focus on:

• Top management leadership and commitment to information security policies and the information security objectives
• Documentation requirements listed in ISO/IEC 27001
• Assessment of information security-related risks and that the assessments produce consistent, valid and comparable results if repeated
• Determination of control objectives and controls based on the information security risk assessment and treatment processes
• Information security performance and the effectiveness of the ISMS, evaluating against the information security objectives
• Correspondence between the determined controls, the Statement of Applicability and the results of the information security risk assessment and risk treatment process and the information security policy and objectives
• Implementation of controls (referring to ISO 27001 Annex A), taking into account the external and internal context
• And related risks, the organization’s monitoring, measurement, and analysis of information security
• Processes to determine whether controls are implemented and effective and meet their stated information security objectives
• Programmes, processes, procedures, records, internal audits, and reviews of the ISMS' effectiveness to ensure that these are traceable to top management decisions and the information security policy and objectives

Once you have completed Stage 2 and passed the audit, you will receive your official certification.

• Surveillance/periodic Audits: happen between certification and recertification audits, focusing on specific areas of the ISMS. This is done every year.
• Recertification Audit: This is necessary to keep your certification, covers all aspects of the standard, and must be carried out every 3 years.

How long does it take to get ready for an ISO 27001 external audit?

Depending on the size of your company, you can be audit-ready in about 8 weeks. If you decide to go the manual route of building your documentation from scratch, it can take at least 4 months.

• 1 to 20 employees: Up to 3 months
• 20 to 50 employees: 3 to 5 months
• 50 to 200 employees: 5 to 8 months
• More than 200 employees: 8 to 20 months

It is also important to take into account several other variables that may affect the time it takes for you to obtain the certification.

• The number of individuals on the ISMS implementation project (relative to the size of the business)
• The amount of time individuals are willing to spend on the project
• Engagement and support from leadership
• The size of the company and complexity
• Auditor availability to conduct the external audit

When implementing your ISMS, you may experience unforeseen challenges which may delay certification as well.