ISO/IEC 27001 Certification: Information Security Management System

Strengthen resilience, protect against cyber and security attacks, and proactively manage risks in the event of an incident.


Certification of an organization’s information security management system demonstrates a clear commitment to protecting information and managing security risk. It helps protect the company, meet legal and contractual requirements, and strengthen stakeholder trust.

For many companies, ISO/IEC 27001 certification provides a holistic, risk-based approach to managing threats across people, processes and technology.

ISO/IEC 27001 requirements help companies develop, implement, and improve an information security management system, establishing sound security practices that evolve with changing risks and support business continuity and resilience.

What is the ISO/IEC 27001 standard?

ISO/IEC 27001 is the most recognized international standard for information security management systems, applicable to any organization regardless of size, industry or geographical location. The certification scope can be limited to defined areas of the organization or expanded to cover all internal and external activities and needs.

ISO/IEC 27001 helps you achieve:

  • Systematic protection of information assets
  • Reduced likelihood and impact of security incidents
  • Clear governance over security roles, responsibilities, and decision making
  • Stronger resilience through risk-based controls and continuous monitoring
  • Improved regulatory and contractual compliance
  • Greater trust and assurance for customers, partners, and stakeholders
  • Consistent, repeatable security processes aligned with global best practices
  • A culture of continual improvement in information security management

ISO/IEC 27001 is based on the ISO Harmonized Structure (HS), designed to be compatible and harmonized with other recognized management system standards including ISO 9001. It is therefore ideal for integration into existing management systems and processes.

Value of ISO/IEC 27001 certification

Certification to ISO/IEC 27001 by an independent third party like DNV demonstrates that the organization’s information security management system meets the requirements of the standard and that you can systematically protect information and manage security risks.

As a result, you get:

  • Increased trust and credibility with customers, partners and regulators
  • Ability to compete where ISO/IEC 27001 certification is expected or required
  • Objective insights from an independent third-party to identify risks, gaps and improvement opportunities
  • More consistent and controlled information security practices across the organization
  • Clear demonstration of commitment to protecting information and meeting legal and contractual obligations
  • Reduced likelihood and impact of security incidents through structured, risk-based management
  • A structured approach to mitigate security incidents should they occur

Why partner with DNV?

DNV is one of the world’s leading certification bodies. Through management system certification, supply chain assurance and training services, we help companies manage risks, assure compliance and build competence in organizations, supply chains and people. DNV’s digitally enabled services help meet stakeholder demands.

Trusted

A global partner locally before, during and after the audit

Knowledge

Solid auditor competence and industry experience

Innovation

Value adding services, solutions and digital tools

Experience

Commitment to a superior customer experience

  • 80,000 customers
  • 90,000 certificates
  • 20,000 people trained annually
  • 180+ countries

How to get certified to ISO/IEC 27001

To obtain certification, you need to implement an effective information security management system that complies with the requirements of the standard. DNV is an accredited third-party certification body and can help you throughout the journey. We provide training courses on information security management systems and related topics, self-assessments, gap analysis and certification.

As a DNV customer, you also get access to a suite of digital tools that can help you ensure compliance, continually improve and manage your entire certification journey with us.

Learn how to get started and be certified

    • Obtain the standard:

    Get a licensed copy of the relevant standard and familiarize yourself with the requirements to decide if certification/registration to this standard makes good sense for your organization.

    • Review available literature and apply digital tools:

    Explore available literature, guidelines from the standard owners (e.g. ISO/TS 9002 for ISO 9001, ISO 14004 for ISO 14001) and digital sources and tools that can assist with implementation. Note that as a DNV customer you get access to tailored tools that can assist you.

    • Assemble a team and define strategy:

    Implementing a management system should be a strategic decision for the entire organization. Senior management must be involved in the decision, committed, and involved in shaping the system. They decide the business strategy the management system should support. In addition, you need a dedicated team to develop and implement your management system.

    • Determine competence needs:

    First, the team implementing and maintaining the management system needs a thorough understanding of the chosen standards. Later on, the wider organization needs awareness training. DNV offers a variety of public and in-house courses worldwide that meet your competence training needs at all levels within your organization.

    • Review consultant options:

    Independent consultants can advise on a workable, realistic, and cost-effective strategy plan for implementation if you do not have this competence or capacity already.

    • Develop management system documentation:

    Decide on an appropriate platform for your documented information (e.g. software, process map- or SharePoint-based). The right platform is important to ensure effective management, communication and implementation.

    • Determine, manage and document processes:

    First identify key processes – what they are, how they work, and how they interact. Each process should have a clear purpose, defined responsibilities, and expected outputs. The level of documented information needed depends on the organization’s size, complexity, and the importance of each process, but must include relevant processes and other documented information needed to deliver on intended outcomes and comply with the chosen standard’s requirements.

    • Implement management system:

    Clear communication and the necessary competence training are essential elements. During the implementation phase, you will work to ensure that your organization is operating according to the defined and documented processes. Once this is achieved, you can demonstrate the system’s compliance and effectiveness.

    • Select a certification body/registrar:

    Selecting the right certification body/registrar can make a difference throughout your certification journey. DNV offers a trusted partnership approach, a risk-based approach and range of free digital tools that help you manage your certification journey before, during and after the audit.

    • Consider a pre-audit gap analysis:

    Consider a preliminary evaluation by your certification body/registrar to identify areas of non-conformance or weakness, allowing you to correct these before you begin the official certification process.

ISO/IEC 27001 - FAQ

  • ISO/IEC 27001 is the internationally recognized standard for information security management systems (ISMS), relevant for any organization with assets that need protection. It provides a structured framework for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security management system.

    The ISO/IEC 27001 standard provides a holistic, risk-based approach to managing threats across people, processes and technology. It helps a company understand its risks and ensure that security is consistent, documented and auditable. ISO/IEC 27001 is applicable to organizations of any size, sector and location.

  • The cost of ISO 27001 certification depends on the organization’s size, complexity and how much external support they need, especially to develop and implement the management system.

    Development and implementation costs can include gap assessments, training and a consultant, if one is hired. Companies should also consider the cost of the internal resources spent on developing processes and systems and implementing the management system.

    Then comes the cost of accredited third-party certification by someone like DNV, which starts with the initial certification audit and continues with the mandatory annual audits. The total cost will depend upon the scope of the certification, number of sites, employee count, etc.

  • To achieve ISO/IEC 27001 certification, an organization must first develop and implement an information security management system (ISMS) that meets the requirements of the standard and then undergo an independent third-party audit to verify conformity.

  • The time it takes to achieve certification for the first time depends on the organization’s size, complexity, the maturity of its information security practices and how much external support is needed. For small organizations with one location and small systems, certification can take as little as 3 months. For large or complex organizations, for example those with multiple locations, complex IT environments, regulated industries or extensive evidence collection and alignment work, it may take up to 18 months.

  • To achieve ISO/IEC 27001 certification, an organization must implement a compliant information security management system (ISMS). Before the certification audit by an independent third party like DNV, it is recommended that the organization has completed internal audits and a management review to confirm that the ISMS is operating effectively and that any remaining gaps identified have been closed.

ISO/IEC 27001 training

ISO/IEC 27001 induction course

A one-hour eLearning course providing employees with an understanding of the ISO/IEC 27001 management system, its impact on information security, risk management, and overall business resilience.

Discover ISO/IEC 27001 induction course

ISO/IEC 27001 auditor/lead auditor course

A full-week course designed to provide participants with the knowledge and skills required to perform first-, second- and third-party audits of information security management systems.

Discover ISO/IEC 27001 auditor/lead auditor course

ISO/IEC 27001 internal auditor course

This course is designed to provide attendees with the skills and knowledge to perform internal information security audits within their organizations against the ISO/IEC 27001 standard. It ensures the correct application of accepted audit protocols as per ISO 19011 and teaches the skills necessary to plan, execute and report on internal audits.

Discover ISO/IEC 27001 internal auditor course