ISO27001
Frequently Asked Questions
(FAQs)
Do you want to learn all about ISO27001?
You've come to the right place.
All the ISO27001 help you need in one place.
You’ve come to Consultants Like Us because you want answers you can rely on!
You want the truth about ISO27001, but the question is, can you handle the truth?!
I’m pretty sure you can, and you want to learn about what it takes to become certified to ISO27001, to become more secure and how to make it all an easy process! (if you can have fun along the way, then that’s just a bonus!).

If you want more information or ongoing insights, check out our blog page. You will also find more on our Videos and Resources pages.

It IS possible to make ISO27001 fun!

Buckle up; we're about to turn the mundane into the extraordinary.
Say goodbye to boring Policy Packs and online ‘gurus’ who are selling snake oil in the hope you’ll buy their ‘remedies’ to ISO27001. Say Adios to policy packs that are about as exciting as watching paint dry.
Consultants Like Us are here to inject some life into ISO27001, stripping away the nonsense and making it as user-friendly as humanly possible while STILL making you secure (that’s the point, right?!)
Whether you're a ‘noob’ to ISO27001, need a cosmic clarity boost, or an intergalactic kick up the backside, consider us your ISO27001 spirit guides!
All you need to know (but were afraid to ask about ISO27001)
Dive in (and out) of our knowledge pool at your leisure – we're here to demystify the secrets of the ISO27001 universe.
But we’re not here to sugar-coat things! There is work for you to do. But knowledge is power, and we want to answer some questions we’re frequently asked.
We hope this helps you. We hope you enjoy our writing style (we are passionate about what we do and we LOVE it!). But if you need something specific, then please get in touch.

We’ll add more information about ISO27001 to this page to make it easier for you. Yes, it can be found in our courses, online videos and book “The Real Easy Guide to ISO27001”, but you have questions and we have answers.

So let’s blast off into the cosmic realm of ISO27001 with the most important question of all…

What is ISO27001?
ISO27001 is the internationally recognised standard for implementing an Information Security Management System (ISMS). Picture it as a map of the universe, with directions, and stop-off points that will ultimately lead you to your destination (that big shiny certificate on the wall, and a trusted and safer business).

It’s made up of two parts: the Information Security Management System (ISMS) and the Annex A controls. There are currently 93 controls in Annex A, and these are separated into four (4) areas:

- Organisational Controls
- People Controls
- Physical Controls
- Technical Controls

This is very closely aligned to the ‘People, Process, Technology’ terminology that you may have come across, but it clearly shows that ISO27001 is about more than ‘IT’.

I’ve heard about ISO27002. What is it?
Great question… There are a number of guidance documents within the ISO27000 ‘family’. ISO27002 is just one of them. It provides detailed explanations on what you should consider when implementing the 93 controls of Annex A (contained within ISO27001).

The important thing to remember is that ISO27001 talks about what you shall put in place, and ISO27002 talks about what you should put in place. It is guidance. It is not a standard and therefore you cannot be certified against ISO27002.

Who Needs ISO27001? (Spoiler Alert: Everyone!)
If you're handling personal info, financial data, or intellectual goodies, ISO27001 is your ticket to the information security party! It's the must-have certificate for anyone playing with data that they want to protect. But do you need it?

Ask yourself these questions:
- Are clients asking for it? Then you need it
- Are you spending money on security without knowing why? Then you need it
- Are you looking to scale your business? Then you need it

ISO27001 offers a road map to a more trusted and secure business. This is why we all need it.

Do I need to be certified to ISO27001?
In a word, no. But if you’re doing the work to align to the standard, then why wouldn’t you do the test at the end? It’s like learning to drive, but never getting the licence at the end!
Getting ISO27001 certified is like donning a superhero cape for your business. It screams to your clients, "I'm serious about keeping your secrets safe!"

But the process of aligning with and achieving ISO27001 has a goldmine of benefits too:
- It helps you become more efficient and effective at managing security risks
- It demonstrates to your clients and others that you take data security seriously
- It helps you land bigger deals and win tenders
- It improves the procurement process
- It saves you money, by focusing on key areas of (security) risk
- It aligns with other standards (like ISO9001), so if you have them, it’s even easier to work with!
- It helps you demonstrate compliance with national and international data protection laws (like the EU GDPR)

What’s the process of becoming ISO27001 Certified?
Ready to ascend the ISO27001 mountain? Here you are, the ‘quick fix’ steps:

- Buy the ISO27001 standard
- Buy the ISO27002 guidance
- Read them (both)
- Complete a gap analysis between where you are, and what is required in ISO27001
- Create a ‘to do’ list
- Identify your most important assets (physical and virtual)
- Identify the risks to these assets
- Action your ‘To Do’ list (to protect these assets)
- Sign up with a Certification Body (someone like Approachable Certification) for your Stage 1 and 2 audits
- Agree dates for Stage 1
- Agree dates for Stage 2
- Run your external audits
- Celebrate with a big mug of Yorkshire tea (there is no other tea available).

There you are! It’s that easy.

Of course there are tasks here to be completed, like conducting internal audits, management reviews and training. But that’s easy, right?

Do I need a Consultant? Can’t I just buy some ISO27001 templates?
Of course you can just buy templates! There are loads of them out there that will help you ‘do it yourself’.

So the simple answer is, no, you might not need Consultants Like Us.

You could do this on your own. We don’t know what skills or experience you have. But if you have the time and competency to implement ISO27001, then go for it!

But before you rush off to buy a policy pack, why not use ChatGPT and ask it to create your policies for you...

How can I use ChatGPT to create my ISMS?
If you’re looking to do this on your own, then let us save you a few hundred pounds. Just remember NOT to paste any company confidential information into ChatGPT, but try these prompts and see what happens.

First, start by telling it how to act:
“Act as an ISO27001 expert, who understands the [Insert your industry here]. Write the following in the 'first person'.” (this is important so that it talks about 'we' and 'ours').

Now tell it what you want:
“Write an Information Security Policy that includes a commitment to Continuous improvement. Write it in a friendly and conversational manner.”

Now go on and tell it what other ISO27001 policies you need, such as:
“Now write an Acceptable Use Policy, a back-up policy, a policy on [insert policies]”

Once you have all the ISO27001 policies, ask it to create a Risk Register:
“Now create a risk register in a table, and provide risks associated with [your industry]”

Need an internal audit plan? No problem.
“Create an Internal audit plan that focuses on the Annex A controls of ISO27001:2022”

Carry on in this way until you have all the documents you need.

How much does ISO27001 Certification Cost?
As a wise man once said to me: if you measure everything by cost, you won’t see the value in anything.

But let’s get serious: the answer is always “it depends”, right? Well, sort of. Let me try and break it down for you, and show you some typical, tangible costs:

- Do it yourself – Using ChatGPT - £0
- Do it yourself – Using templates - £100 - £800
- Using Consultants Like Us - £1,500 - £10,000
- Certification Body (stage 1 and stage 2) - £4,000 - £7,000

So you can see there is a big leap from doing it yourself to bringing in a professional.
But that’s true of anything, right?

Want to fit a new kitchen? Sure… Do it yourself and costs are low. Bring in an expert and suddenly it’s a lot more expensive.

The questions you have to ask yourself are:
- What value do you place on your time?
- How quickly do you want this done?
- What assurances do you need that you will be certified AND more secure?

Do your research, but make sure you factor in the cost of your time and what your true goal is.

How long does it take to become certified to ISO27001?
This goes back to the previous question… it depends! In our experience it can take anything between three (3) and six (6) months. It depends on the size of your business, the scope of the ISMS, how much time you are willing to devote to the process, and the certification body you go with.

Certification Bodies (CB) are very busy, and we’re seeing a four (4) to six (6) month wait time for stage 1 and stage 2 audits to be completed. Yes, some are quicker but our advice is to book a CB as soon as you can. It’s like booking a holiday! It gives you something to aim for!

What is the ISO27001 certification process?
There are essentially three (3) stages that you will go through with the Certification Body:

- Stage 1 – ISO27001 Audit of the ISMS
- Stage 2 – ISO27001 Evidence Audit
- Annual Surveillance Audit

Your Stage 1 audit is intended to check that you have all the mandatory records and documentation in place.

Your Stage 2 audit will check that you are doing everything you said you would do. For example, in stage 1 you need an “audit plan”, which is a schedule of audits you’ll conduct. Stage 2 will need to see evidence that those audits are being completed.

Your annual surveillance audit is in place to ensure you’ve continued to do the things you said you were going to do!

What are the mandatory ISO27001 policies?
There are fewer than you would imagine:

You only need the following policies:
- Information Security Policy
- Clear Screen Policy
- Mobile & BYOD Policy
- Remote Working Policy
- Access Control Policy
- Backup Policy
- Cryptography Policy
- Secure Development Policy

Remember that ISO27001 now talks about policies, rules and standards. They are not the same thing.

Policies are a statement of fact, but open to interpretation. For example, your Information Security Policy might outline the organisation's commitment to protecting sensitive information.

Rules are more well defined and explicit in their application. For example, a “Password Complexity Rule” could specify the minimum length, character types, and expiration period for user passwords.

A Standard is more prescriptive and might reference external requirements. For example, an Encryption Standard might define the algorithms and key lengths that must be used to encrypt sensitive data.

Want more information about ISO27001?
We’ll keep adding to this ‘FAQ’ list, so keep on sending in your questions and I’ll do my best to answer them for you!

If you would like to join our FREE Weekly ISO27001 drop-in sessions, then get in touch.

If you'd like to sign up to our Newsletter, please click here.