Preparation for ISO 27001 certification

If you are aiming for ISO 27001 certification, you will need a variety of documents that represent an Information Security Management System (ISMS). These documents must be adapted to the situation and infrastructure of the respective company. As soon as all documents are complete, ISO 27001 preparation for the audit should take place. This also includes training all employees to improve security awareness (e.g., “Cyber Security Awareness Training”).

A tidy document folder is not enough if neither the technical nor the human resources needed to actually focus on data security are in place. Although auditors largely examine the documents presented, technical aspects may be addressed in the initial certification audit or in subsequent surveillance audits. If the auditor determines that the management system exists only on paper and has not been implemented, he may be forced to declare a certificate that has already been issued invalid.

We have provided a short video for you here on the subject of audit preparation:

What kind of evidence do you need for an ISO27001 audit?

As you could already see from the video, you definitely need the following to carry out a qualitative ISO27001 audit:

  • Customized management system according to ISO/IEC 27001 (in DOCX or PDF format)
  • Proof of security training for all employees (Security Awareness Training)
  • Proof of the appointment of a security officer (Information Security Officer)

The following documents, measures and evidence may also be required:

  • IT emergency plan
  • IT audit report with the following evidence:
      • External pen test
      • Network analysis
      • Directory of all IT systems
      • IT forensics report on identified traces of previous incidents
  • Data protection folder with the following evidence:
      • Internal and public procedure directory
      • Appointment of an expert data protection officer (DPO)
  • Documentation of the security optimizations made, e.g.
      • Modernization of the firewall/switches/routers
      • Network segmentation and VLAN setup
      • Switching PCs from Windows 7 to Windows 11
      • Introduction of encrypted notebook data carriers
      • Expansion of backup arrangements
      • Separation of PC data and VoIP data networks (see VLAN)
      • Conversion of the ISDN telephone system to a cloud telephone system (e.g. 3CX Pro)
      • Conversion of mobile phone contracts for greater security of mobile devices (e.g. framework contracts)

Where is this regulated in the GDPR or the ISO 27001 standard? Legal texts can be confusing
The list above shows that you should be well prepared for the ISMS audit. Not all of the measures recommended above need to be taken, but the more of them you implement, the better you can live by the required set of rules. In the event of a security incident, an insurer can decline liability if systematic negligence is found. A company without economically and technically appropriate security precautions cannot convincingly maintain an ISMS management concept. We not only help you quickly put together the extensive set of policies, but also take any necessary technical measures and provide the absolutely necessary training.

How strictly do auditors check the ISO27001 ISMS?

First, the auditors check the completeness of the documents and the plausibility of the information provided in them. Then they specifically focus on individual critical points as well as noticeable components. For SMEs, the management system consists of a manageable number of documents, which saves the auditor a lot of time. Nevertheless, he is also required to take samples, and from his auditing practice he knows which aspects are most often neglected or missing.

It is highly recommended to have at least some of these documents to hand. This evidence convinces the auditor that the ISMS is a serious undertaking and not mere window dressing.

Frequently asked questions about preparing for ISO27001 certification

The ISO/IEC 27001 certification requires that we comply with the main normative part of ISO 27001. The requirements can be summarized as follows:

  • Context of the organization
  • Leadership and commitment
  • Planning
  • Support
  • Operation
  • Evaluation of performance
  • Improvement
  • Controls (Annex 1)

The certificate is valid for a maximum of 3 years and must then be extended through a recertification audit. The recertification audit checks whether the requirements for an extension of the certificate are still met.

The costs for certification according to ISO 27001 can be estimated quite well for small companies (SMEs) in industrial sectors of low complexity. Here the audit and the issuance of the certificate together cost around £1,500-£3,000.

Things are more difficult for companies with complex processes and increasing company size.

Here, the far more complex audit costs significantly more because the risks are significantly higher. Additional technical IT audits often take place as well (e.g. pen test, software source code audit). These are usually necessary because such companies are required to hold ISO27001 certification, either by the legislator's regulations or by the company's main insurer.

Therefore, the certification of large corporations can quickly cost over £15,000.

The ISO27001 standard enables companies to integrate a comprehensive information security system into the organization through certification.

These are the 5 elementary advantages for small and medium-sized companies:

  1. Optimized information security
  2. Sustainable strategies
  3. Supplement to the existing management system
  4. Reduce costs and increase productivity
  5. Competitive advantage increases sales

These individual benefits are explained in more detail in the article on the strategic benefits of ISO27001.