What is ISO 27001?
ISO 27001 is the global standard for information security. With the ISO 27001 certification or ISMS (Information Security Management System) certification, you show that you meet the requirements around information security.
Information security is important for a number of reasons. It ensures that:
- confidential information remains private and is only accessible to authorized individuals (confidentiality);
- information is accurate and complete, and has not been tampered with or modified in any way (integrity);
- information is available to those who need it when they need it (availability).
Many industries and government regulations require businesses to protect certain types of information, and failure to do so can result in legal and financial consequences. A breach of information security can damage a company’s reputation and affect customer trust, which can be difficult to recover from.
Overall, information security is critical for protecting sensitive information, maintaining the trust of customers and partners, and ensuring compliance with legal and regulatory requirements. An ISO 27001 certification is therefore of high value. It allows you to demonstrate to stakeholders that your information security meets high requirements. Brand Compliance can perform this certification under accreditation.
ISO 27001 requirements
The standard describes the requirements for setting up, implementing, maintaining and continuously improving an Information Security Management System (ISMS).
The main requirements of ISO 27001 are:
- Context analysis: The organization must understand the internal and external environment to determine the scope and objectives of the ISMS.
- Risk assessment and risk treatment: The organization must identify the risks that affect information security and take measures to deal with them.
- Security controls: The organization must implement, regularly evaluate and update security controls tailored to its own risks.
- Management responsibility: Top management should provide resources and support for the ISMS and be actively involved.
- Performance evaluation: The organization should regularly evaluate the performance of the ISMS to continuously improve the system.
- Continuous improvement: The organization must continuously strive to improve information security and meet the changing needs of stakeholders.
ISO 27001 checklist
How do you start with ISO 27001 certification? To obtain an ISO 27001 certification, you can go through the following steps:
- The ISO 27001 PDF can be purchased via, for example, the NEN.
- Schedule a free, no-obligation introductory meeting with one of our account managers to find out more about the certification for your organization.
- Acquire the necessary knowledge about ISO 27001, for example by following a training course.
- Implement the ISO 27001 management system in your organization and ensure that it meets the standard requirements.
- Carry out internal audits to check whether the system is working properly and to assess whether your system meets the standard requirements.
- Have management review the results of the internal audit and take any corrective action. Record the conclusion about compliance with the requirements in the management review.
- Let an independent Brand Compliance auditor determine whether your management system meets all ISO 27001 standard requirements.
- If your organization meets the standard requirements, we provide you with an ISO 27001 certificate.
ISO 27001 certification costs
The implementation starts with the purchase of the ISO 9001 standard. The costs of the entire process depend on various factors, such as the complexity of the processes, whether work is done in shifts, the extent to which matters are already in order within the organization, and the number of FTEs and locations. The costs for the certification consist of the number of hours that Brand Compliance spends preparing the audit, the audit itself, the reporting, and additional costs such as the certificate, administration and travel costs. The quickest way to calculate the costs is to start with an introductory meeting.
New version
From February 1, 2023, we will offer customers proposals for certification processes against the new version of the standard, ISO 27001:2022. If your organization is already certified for ISO 27001:2017, a transition audit to the new version of the standard must take place. For more information about the transition audit, see the article we wrote on it, as well as our FAQ. In addition, we regularly offer a transition training through our BC Academy.
More information
For more information about everything related to certifications, we have set up our knowledge base, which includes a number of articles under ‘certification process’.
Information on the differences between ISO 27001 in relation to other standards can be found below in our FAQ.
FAQ
ISO 27001 is a management system standard. It states how an organization can set up its ISMS in a process-oriented way. This process must follow the PDCA cycle, and a risk analysis must be carried out. ISO 27002 is a supporting standard that describes the ISO 27001 controls in more detail. It provides guidelines for implementing the requirements of ISO 27001 and contains examples and controls that help shape the risk analysis for your organization.
The basis of both standards is the same, but NEN 7510 is specific to organizations that process personal health information.
Read a more detailed article about the differences.
ISO 27001 is a global standard for information security in which the focus is on the implementation of an information security management system. ISO 9001 is a global quality management standard that focuses on the implementation of an internal quality management system.
The ISO 27000 series consists entirely of information security standards. ISO 27001 and ISO 27002 are the best-known standards in the family. Only ISO 27001 is certifiable. All other standards within the 27000 family are extensions of ISO 27001. These standards are often intended for specific fields or niche markets that need more specific controls. For example, there are extensions for cloud services (ISO 27017), network security (ISO 27033) and the healthcare sector (ISO 27799). All these standards can be found on the ISO or NEN website. You can see an overview of all standards on the ISO 27000 Wikipedia page.
A certificate is valid for three years and follows a three-year cycle. During these three years, surveillance audits take place to check whether the organization still meets the requirements of the standard. After three years, a recertification audit takes place and, if the result is positive, the certificate is renewed for another three years.
Read more in our extended article.