One of the first questions we get asked is “What does ISO27001 require us to do as an organisation in order to get certification?”. We have had a number of clients who have been told they need to get ISO27001 certified so that a particular client will continue to work with them. When you first start looking at ISO27001, there are a number of elements to it, all of which appear to need completing at the same time. There is also specific terminology used as part of the certification process.

It feels like ISO requires you to multi-task in order to be able to achieve the certification. Everything seems to hang on something else being completed first and it can be daunting to work out where to start. There are some key things you need to understand first before you can do anything else.Policies and Procedures flowchart


Policies can be a challenge as they have to meet certain criteria and we recommend creating your policies to reflect the good practices you have in place. There is no point in creating a policy which looks perfect but bears no resemblance to what happens in your business. You can also fail your certification if your procedures do not align with your policies.

Risk Management

Risk Management is usually something an organisation manages unconsciously. ISO27001 requires you to have a formal policy in place. This includes a risk management process and risk map identifying your risks and how you will manage or mitigate them. This can be an uncomfortable process without some guidance.

Internal Audits

Internal audits are key to the certification process. Many ISO27001 accreditation companies will not consider you for certification without a full suite of internal audits being undertaken. So, you need to put that into your planning process as well.


Staff training is key to the certification process. All staff should understand their responsibilities, where to find policies and procedures, who the key personnel for your information security management system are and what to do in the event of a data breach. We provide bespoke training that covers the needs of the ISO27001 certification process as well as including elements for GDPR.

Finally, there is the Statement of Applicability, a long list of expected controls. This defines how your organisation is meeting the requirements for certification. This should be cross-referenced to your policies and procedures to demonstrate where you meet the requirements. This is the most complex piece of evidence for your certification as it pulls everything else together.

If you want to discuss ISO27001 implementation, please contact us.