What is ISO 27001?

ISO 27001 is the global standard for information security. With the ISO 27001 certification or ISMS (Information Security Management System) certification, you show that you meet the requirements around information security. It allows you to demonstrate to stakeholders that your information security meets high requirements. Brand Compliance can perform this certification under accreditation.

Information security is important for a number of reasons. It ensures that:

  • confidential information remains private and is only accessible to authorized individuals (confidentiality);
  • information is accurate and complete, and has not been tampered with or modified in any way (integrity);
  • information is available to those who need it when they need it (availability).

Many industries and government regulations require businesses to protect certain types of information. Failure to do so can result in legal and financial consequences. A breach of information security can damage a company’s reputation and affect customer trust. This can be difficult to recover from.

ISO 27001 certificationOverall, information security is critical for protecting sensitive information, maintaining the trust of customers and partners, and ensuring compliance with legal and regulatory requirements. An ISO 27001 certification is therefore of high value.

ISO 27001 requirements

The standard describes the requirements for setting up, implementing, maintaining and continuously improving an Information Security Management System (ISMS).

The main requirements of ISO 27001 are:

  • Context analysis: The organization must understand the internal and external environment to determine the scope and objectives of the ISMS.
  • Risk assessment and risk treatment: The organization must identify the risks that affect information security and take measures to deal with them.
  • Security controls: The organization must implement, regularly evaluate and update custom security controls.
  • Management responsibility: Top management should provide resources and support for the ISMS and be actively involved.
  • Performance evaluation: The organization should regularly evaluate the performance of the ISMS to continuously improve the system.
  • Continuous improvement: The organization must continuously strive to improve information security and meet the changing needs of stakeholders.

Easy step-by-step plan

To achieve ISO 27001 certification, you can take the following steps:

  • The ISO 27001 PDF can be purchased via, for example, the NEN.
  • Schedule a free, no-obligation introductory meeting with one of our account managers to find out more about the certification for your organization.
  • Acquire the necessary knowledge about ISO 27001, for example by following a training course.
  • Implement the ISO 27001 management system in your organization and ensure that it meets the standard requirements.
  • Carry out internal audits to check whether the system is working properly and to assess whether your system meets the standard requirements.
  • Have management review the results of the internal audit and take any corrective action. Record the conclusion about compliance with the requirements in the management review.
  • During an audit, let an independent Brand Compliance auditor determine whether your management system meets all ISO 27001 standard requirements.

Once your organization meets the (standard) requirements, we provide you with an ISO 27001 certificate.

ISO 27001 certification costs

The implementation starts with the purchase of the ISO 9001 standard. The costs of the entire process depend on various factors. For example, the complexity of the processes, whether work is done in shifts, the extent to which matters are already in order within the organization, the number of FTEs and locations. The costs for the certification consist of the number of hours that Brand Compliance spends preparing the audit, the audit itself, the reporting and additional costs such as the certificate, administration and travel costs. The quickest way to calculate the costs starts with an introductory meeting.

More information

For more information about everything related to certifications, we have set up our knowledge base. You can find a number of articles under ‘certification process‘.

Information on the differences between ISO 27001 in relation to other standards can be found below in our FAQ.

Schedule a call

FAQ

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is a management system standard. This standard states how an organization can set up its ISMS in a process-oriented way. This process must comply with the PDCA cycle, and a risk analysis must be done. ISO 27002 is an extension and discusses ISO 27001 controls. It provides guidelines for implementing the requirements of ISO 27001. ISO 27002 contains examples and controls to shape the risk analysis for your organization.

What is the difference between ISO 27001 and NEN 7510?

The basis of both standards is the same, but NEN 7510 is specific to organizations that process personal health information.

Read more about the differences en similarities between ISO 27001 and NEN 7510 in our article.

What is the difference between ISO 27001 and ISO 9001?

ISO 27001 is a global standard for information security in which the focus is on the implementation of an information security management system. ISO 9001 is a global quality management standard that focuses on the implementation of an internal quality management system.

What other standards does the ISO 27000 family have?

The ISO 27000 series are all information security standards. ISO 27001 and ISO 27002 are the best-known standards in the family. Only ISO 27001 is certifiable. All other standards within the 27000 family are extensions of ISO 27001. These standards are often meant for fields/niche markets that need more specific controls. For example, there are extensions for cloud services (ISO 27017), network security (ISO 27033) and the healthcare sector (ISO 27799). All these standards can be found on the ISO or NEN website.

How long is the validity period of an ISO 27001 certificate?

A certificate is valid for three years and consists of a certification cycle. During these three years, surveillance audits take place to check whether the organization still meets the requirements of the standard. After three years, a recertification will take place and if the result is positive, the certificate will be renewed for another three years.

What is the difference between ISAE 3401 and ISO 27001?

ISO 27001 focuses on information security within organizations and leads to certification. ISAE 3402 provides certainty about internal controls that affect financial reporting of customers. This results in an Assurance report. In addition, ISO 27001 is widely applicable, while ISAE 3402 is specifically intended for service organizations. They can both be used within an organization though.

You can read more on our page ISAE 3402 vs ISO 27001.

  • Bart Versluijs

    Account Manager

  • Jade Reilink

    Account Manager