Is Getting ISO 27001 Certification Difficult?


ISO 27001 is the most widely recognised standard for information security management systems (ISMS). It provides a framework for organisations to manage their information security risks. Many companies now seek ISO 27001 certification to demonstrate their commitment to security. But is getting certified difficult? Let’s explore some of the main concerns.

The Implementation Process

Implementing the controls and processes required by ISO 27001 can seem daunting initially. It requires defining a formal information security policy, classifying assets and recording risks, implementing controls, and establishing formal procedures. However, the standard is designed to suit organisations of all sizes and sectors, and so is flexible enough to allow organisations to tailor the ISMS to their specific needs. With proper planning and a gap analysis, the project can be managed.

Expertise Required

ISO 27001 implementation is much easier when the person doing the implementation has some expertise with the requirements of the ISO standard. There are also areas which may require some expert support, including risk management, information security controls and internal auditing. Most organisations find they need external consulting help, at least during initial implementation, to support the internal resources. The costs and time commitment vary based on the organisation’s size and complexity and the level of knowledge available in house.

The Certification Process

Achieving certification involves formal audits by an accredited certification body. The auditor from the certification body will verify that the ISMS implemented meets the requirements of the standard. Organisations must show evidence of effective implementation with proper documentation. The initial certification process involves 2 audits: the Stage 1 audit and then the certification audit, called Stage 2. While thorough preparation is required, if you follow a project plan most organisations should be able to comply and achieve certification.


Once certification has been achieved, organisations then need to maintain the ISMS through management reviews, regular internal audits, risk assessments and periodic reviews, as well as making continuous improvements to the ISMS. This involves optimising existing processes rather than starting from scratch. The maintenance activities should be undertaken regularly, as this significantly reduces the time spent maintaining the ISMS.


While ISO 27001 implementation takes significant effort, it is easily manageable with expert help and management commitment. Given the value delivered in terms of security, compliance and competitive advantage, the time and resources are well justified. So rather than asking whether it is difficult, organisations should focus on how to achieve certification successfully and the benefits that certification provides.

If you want to talk through whether ISO 27001 is for your organisation, you can book a free call here.