ISO 27001 gives organisations a structured way to manage information security: identifying what you are protecting, assessing what could go wrong, and putting controls in place to stop it. Certification is the outcome, but the real value is the security management system you build to get there. This guide covers the six steps, realistic timelines, and the mistakes that slow people down.
ISO 27001 is the international standard for information security management systems (ISMS). It sets out a framework for how an organisation identifies, assesses, and manages information security risks. Achieving certification means an accredited third-party auditor has verified that your ISMS meets the standard's requirements.
The standard has two main parts. The main clauses (4 to 10) cover governance: leadership commitment, risk assessment methodology, objectives, documentation, and management review. Annex A contains 93 controls across four themes: organisational, people, physical, and technological. You do not need to implement every control. You need to justify which controls apply to your risk profile and document why you have excluded any that do not.
The 2022 update to the standard (ISO/IEC 27001:2022) replaced the older 114-control Annex A with 93 consolidated controls. If you are starting implementation now, you are working to the 2022 version.
You do not have to certify your entire organisation. Many organisations certify a specific service line or product, which keeps the scope manageable and reduces audit complexity. Define your scope carefully at the start: it is difficult to reduce it once the project is underway.
ISO 27001 is not legally mandated in most sectors. Businesses pursue it for four main reasons:
If none of these apply to your situation, ISO 27001 may not be the right priority. Cyber Essentials Plus or a targeted security assessment may deliver more value for less effort.
The path from decision to certification typically follows six stages, regardless of organisation size.
The gap assessment and scoping phase typically takes two to four weeks. Building the ISMS documentation takes four to eight weeks depending on how much already exists. The implementation and operation period, where you run the ISMS and generate evidence, should be at least three months. Internal audit takes one to two weeks. Stage 1 and Stage 2 certification audits are usually scheduled two to four weeks apart.
The most common cause of delays is scope creep or over-engineering the documentation. Policies written for a 10-person business do not need to be 40 pages long. Proportionality is built into the standard.
Many organisations try to implement all 93 controls regardless of whether they apply. The Statement of Applicability exists precisely to let you exclude controls that are not relevant to your risk profile. A small software business with no physical product line does not need physical and environmental security controls designed for a data centre.
ISO 27001 has three main cost components: consultancy or internal staff time, tooling, and certification body fees. The ranges below are indicative and vary by scope and organisation size.
Organisations that handle more of the work internally reduce the consultancy component significantly. Those starting from a strong baseline (existing security policies, documented asset inventory, established access control processes) also move faster and spend less.
Annual surveillance audits from the certification body typically cost 1,500 to 4,000 euros depending on organisation size and scope. The full recertification audit at year three is similar in cost to the original Stage 2.
"The standard is scalable. A 15-person professional services firm and a 150-person SaaS business need different ISMS implementations, and the standard accommodates both. The mistake is treating it as a one-size enterprise exercise."
Certification is not a one-time project. The standard requires continual improvement, and your certificate depends on demonstrating that the ISMS remains effective over time.
In year one post-certification, focus on embedding the ISMS into normal operations: ensure management reviews happen, incidents are logged and reviewed, and the risk register is updated when your business or threat landscape changes. Staff turnover is the most common cause of ISMS drift, so build awareness training into your onboarding process.
Surveillance audits happen at roughly 12-month intervals. They review a subset of the controls and check that any nonconformities from the previous audit have been addressed. They are less intensive than the original Stage 2 but require up-to-date evidence.
At year three, you undergo a full recertification audit. Organisations that maintain their ISMS actively throughout the three years find recertification straightforward. Those that let documentation go stale and only update records in the weeks before the audit tend to find it stressful and expensive.
The single most valuable first step is a gap assessment. Before you commit to a project timeline or budget, you need to understand the distance between where you are now and where ISO 27001 requires you to be. A gap assessment typically takes one to two weeks and gives you a clear project plan with estimated effort per workstream.
If you are considering ISO 27001 because a client has asked for it, start by understanding their timeline and whether Cyber Essentials Plus would satisfy their requirement in the interim while you work toward full certification.
Cyvra's audits and compliance team conducts ISO 27001 gap assessments and supports businesses through the full certification process, from scoping through to Stage 2 audit preparation. If you want to understand what your path to certification looks like, the conversation starts with a short call.
ISO/IEC 27001:2022 is published by the International Organization for Standardization. ENISA's cybersecurity best practice resources include implementation guidance that complements the standard's control objectives for organisations at the start of their ISMS journey.
Cyvra works with businesses of all sizes that need ISO 27001 to meet a client requirement, satisfy a regulatory review, or build demonstrable security maturity. Most arrive with a specific trigger: a procurement team asking for it, a new contract that requires it, or a board decision to pursue certification this year.
An engagement covers the full project from scoping through to Stage 2 audit preparation. Cyvra conducts the gap assessment, builds the ISMS documentation, supports control implementation, runs the internal audit, and prepares you to face your chosen certification body. We stay involved until you have your certificate.
What you receive during the engagement:
After certification, Cyvra provides ongoing support for annual surveillance audits and risk register maintenance. Businesses that find recertification straightforward at year three are the ones that kept the ISMS current throughout, not the ones that rebuilt documentation in the weeks before the audit.
If a client has asked for ISO 27001 or you have a certification timeline in mind, get in touch. The first step is a short call to understand your situation before recommending a scope and approach.
Most organisations achieve ISO 27001 certification in six to twelve months. The timeline depends on how mature your existing security controls are, how quickly you can implement missing controls, and the availability of your chosen certification body. Organisations starting from a low baseline or with limited internal resource should allow nine to twelve months.
Total costs typically range from 15,000 to 40,000 euros for a first-time certification, covering consultancy support, internal staff time, any tooling needed to implement controls, and the certification audit fees. Certification body fees are usually 3,000 to 8,000 euros for the two-stage audit. Annual surveillance audits cost less. Organisations that handle more of the work internally reduce costs significantly.
Cyber Essentials is a UK government-backed scheme covering five basic technical controls: firewalls, secure configuration, access control, malware protection, and patch management. It is relatively quick to achieve and mandatory for some UK government contracts. ISO 27001 is a full information security management system standard covering governance, risk management, people, physical security, and 93 controls. ISO 27001 is internationally recognised and carries significantly more weight with enterprise clients and regulated sector procurement teams.
No, but most organisations benefit from one. Self-implementation is possible if you have someone internally with the time and information security knowledge to lead it. In practice, most organisations without a dedicated security function find that a consultant accelerates the process significantly. A good consultant also helps you avoid over-engineering the ISMS, which is a common mistake that makes ongoing compliance unnecessarily burdensome.
The Statement of Applicability (SoA) is a required document that lists all 93 controls from Annex A and states whether each one applies to your organisation, whether it is implemented, and why it has been included or excluded. It is one of the core documents auditors review and must reflect your actual risk assessment decisions, not a generic template. Getting the SoA right is one of the areas where experienced guidance adds the most value.
A gap assessment gives you a project plan, timeline, and cost estimate before you commit to anything.
Disclaimer: This article is for general informational purposes only and does not constitute legal, regulatory, or professional advice. Cyvra makes no warranty as to the accuracy or completeness of this content, which may not reflect the most current regulatory developments. Readers should seek independent legal and regulatory advice appropriate to their specific circumstances. Cyvra accepts no liability for any loss arising from reliance on this content.