ISO 27001 Certification

You can apply for an audit of your ISMS against the current edition of the standard, ISO/IEC 27001:2022. Our audit teams audit on site in most jurisdictions around the world and can conduct the audit of your Information Security Management System in seven languages (English, German, Dutch, Spanish, French, Turkish and Polish). Apply now for an ISO 27001 certification. Whether your main business location is in the USA, Europe, Africa or Asia, certification audits are possible in many regions.

ISO 27001 Certification Areas

Within the ISO 27000 family, ISO 27001 is the core standard, and certification against it is the prerequisite for any add-on certification (e.g. ISO 27018, ISO 27701, ISO 27090, ISO 27091). If your organisation has never been through an audit and has only recently introduced its ISMS, focus on ISO 27001 certification first. Once your ISMS has reached substantial maturity, you can extend your ISO 27001 certificate with specialised certifications (e.g. ISO 27018 for cloud service providers that process personally identifiable information on behalf of their customers).

ISO 27001
Information Security

ISMS: implement a management system that protects the information in your company and have that information security management system certified.

ISO 27018
Cloud Security

CSMS: information security in the cloud is a very important issue. This niche is exposed to unique threats and has seen its share of scandals.

ISO 27701
Privacy Information Management

PIMS: protecting your clients' data from misuse is particularly important for social media and eCommerce platforms.

What is ISO 27001?

The International Organization for Standardization (ISO), jointly with the International Electrotechnical Commission (IEC), introduced the ISO/IEC 27001 standard to help organisations set up and operate a management system geared towards protecting any kind of information. Such information can be in digital form (on drives, discs, in the cloud, etc.) or in analogue form (on paper, drawings, product design sketches).

The ISO 27001:2022 standard has the following structure (the numbering below follows the standard's own clause numbers, which start at 0 for the Introduction):

  0. Introduction – the standard describes a process for systematically managing information security risks.
  1. Scope – it specifies generic ISMS requirements suitable for organisations of any type, size or nature.
  2. Normative references – only ISO/IEC 27000 is cited as indispensable for applying ISO 27001.
  3. Terms and definitions – see ISO/IEC 27000.
  4. Context of the organisation – understanding the organisational context, the needs and expectations of "interested parties", and defining the scope of the ISMS. Clause 4.4 states plainly that the organisation "shall establish, implement, maintain and continually improve" the ISMS, meaning that it must be operational, not merely designed and documented.
  5. Leadership – top management must demonstrate leadership and commitment to the ISMS, mandate the information security policy, and assign information security roles, responsibilities and authorities.
  6. Planning – outlines the process to identify, analyse and plan the treatment of information security risks, to define information security objectives, and to manage changes to the ISMS.
  7. Support – adequate, competent resources must be assigned, awareness raised, and documented information prepared and controlled.
  8. Operation – more detail on assessing and treating information security risks, managing changes, and documenting the results (partly so that they can be audited by the certification auditors).
  9. Performance evaluation – monitor, measure, analyse and evaluate the information security controls, processes and management system through internal audits and management reviews, improving them where necessary.
  10. Improvement – address the findings of audits and reviews (nonconformities and corrective actions), systematically refining the ISMS.

In addition, Annex A lists the reference set of 93 information security controls, grouped into four themes (organisational, people, physical and technological), against which the Statement of Applicability is drawn up.

Why can an ISO 27001 certification be beneficial to you?

When an organisation decides to become ISO 27001 certified, it goes through a journey of building its ISMS documentation and preparing everyone in the business to apply the new security measures. In doing so, the organisation's processes reach a greater maturity. Once the certification audit has been completed successfully, the ISO 27001 certificate demonstrates the following to outsiders:

  • Greater information security
  • Regular security improvements
  • Greater trustworthiness
  • Greater reliability
  • Lower risk to client assets and IP

Furthermore, the organisation also experiences the following internal improvements:

  • Information flows inside the company are secure and efficient
  • Information is available and reliable when it is needed
  • Loss, theft, misuse and manipulation of data become less likely
  • Only authorised persons have access to confidential data
  • Greater compliance with laws, regulations and contractual obligations

What is required for ISO 27001:2022 certification?

The ISO 27001:2022 standard requires the following 14 items of documented information to be in place and maintained within the ISMS before a certificate can be issued:

  1. ISMS scope (clause 4.3)
  2. Information security policy (clause 5.2)
  3. Information security risk assessment process (clause 6.1.2)
  4. Information security risk treatment process and the Statement of Applicability (clause 6.1.3)
  5. Information security objectives (clause 6.2)
  6. Evidence of the competence of the people working in information security (clause 7.2)
  7. Other ISMS-related documented information deemed necessary by the organisation (clause 7.5.1 b)
  8. Operational planning and control documents (clause 8.1)
  9. The risk assessment outputs, i.e. the assessed risks (clause 8.2)
  10. The risk treatment decisions and results (clause 8.3)
  11. Evidence of the monitoring and measurement of information security (clause 9.1)
  12. The ISMS internal audit programme and the results of the audits conducted (clause 9.2)
  13. Evidence of management reviews of the ISMS (clause 9.3)
  14. Evidence of nonconformities identified and the corrective actions taken (clause 10.2 in the 2022 edition; clause 10.1 in the 2013 edition)


How will the audit plan be influenced by the statement of applicability?

Our audit teams follow an audit plan that takes your organisation's specific industry sector and business model into consideration. The compliance of your ISMS will be reviewed against the clauses of the standard and the relevant controls of Annex A. To conduct a proper audit, the audit client needs to name staff members who can answer questions on the respective parts of the audit plan; an example would be naming the firewall administrator for the controls related to network and access restrictions. During the audit, the lead auditor will ask the organisation's information security officer to arrange for the firewall administrator to be available for the session on those controls.

An organisation must review its Statement of Applicability (SoA) regularly in order to decide which controls are necessary. The SoA lists the necessary controls, justifies their inclusion, states whether they are implemented, and justifies the exclusion of any Annex A control (clause 6.1.3 d). Auditors will review the SoA and question in particular the controls declared not applicable, since an unjustified exclusion is a nonconformity. The controls marked as applicable will also be inspected, but in a different way: the auditor looks for evidence that each one is actually implemented and effective.

How much will the audit and ISO 27001:2022 certification cost?

The cost of an ISO 27001:2022 certification process depends on the size and risk profile of the organisation. The ISO/IEC 27006 standard provides a baseline number of audit days for an organisation of average risk with a given number of persons doing work under its control. Our audit estimators calculate the expected audit time from your company's specific parameters. Some factors allow for a reduction of the audit duration and thereby reduce the audit costs.

Where risks require additional depth of audit activities, the audit plan has to allocate extra time for them. This increases the audit time and the audit-related costs. In addition, if auditors have to travel to the client's operational locations, the client organisation incurs the travel expenses. The standard allows up to 30% of the audit to be conducted remotely. If the company structure (e.g. home office) or the situation (e.g. a pandemic) requires a 100% remote audit, the certification body must obtain the consent of its accreditation body. Remote audits avoid travel costs and are usually ideal for "virtual organisations" (e.g. teams working entirely from home).

Number of persons doing work under the organisation's control    ISMS audit time for the initial audit (auditor days)
1-10                                                              5
11-15                                                             6
16-25                                                             7
26-45                                                             8.5
46-65                                                             10

The table above is taken from the ISO/IEC 27006 standard (Table B.1), which continues for larger headcounts; the figures are the baseline for a single-site organisation of average risk before any increases or reductions are applied.

FAQ for ISO 27001 Certification

The cost of your ISO 27001 certification will be quoted on the basis of your organisation's size and risk profile. The offer contains a fixed fee and the estimated number of audit days, which allows you to budget your certification project more accurately.

The cost of certification will depend on:

  • your organisation’s total size
  • the sector you operate in
  • the number of locations you operate from and their particular activities
  • your organisation risk profile

You will be assigned an account manager who coordinates the first stage of your journey towards the ISO 27001 certificate. This person will provide you with a fixed-fee quote and gather the key details of your desired certification scope.

The lead auditor will then arrange a 1-2 hour call with you to check that all aspects of your risk profile have been considered and that the audit plan structure matches the availability of the key people in your organisation.

Once the audit has been completed, the account manager will keep you updated while the audit documentation is processed by the certification body's compliance team. After a positive review, the ISO 27001 certificate will be issued to you.
We will also help you understand how to best use the certificate and the associated certification marks, so that you stay within the rules that govern their use.

Stratlane's accreditation is a key part of the assurance we can guarantee those who trust you by trusting your certificate.

Our accredited ISO 27001 certificates include not only your logo but also the logo of the accreditation body and respective accreditation associations.

Let's Get Your Company Certified!

Make use of our certification services so that your business gains the competitive advantage of holding accredited ISO certifications.