<img alt="" src="https://secure.badb5refl.com/165368.png" style="display:none;">

Using the ISO 27001 Framework to Strengthen Cybersecurity

ISO 27001 Compliance Made Easy With Apptega


What is ISO 27001?


ISO 27001 is a cybersecurity framework you can use to create, implement, and maintain your Information Security Management System (ISMS) and strengthen your security posture over time.

It features 114 control options you can use to develop and mature your cybersecurity processes. It’s applicable for organizations of all sizes—from small to large.

In this ISO 27001 resource center, we’ll explore the history of the framework and how it originated, what it’s intended to do, and how it’s related to other ISO standards. We’ll also share recommended steps you can take to implement ISO 27001 for your organization and help you prepare to map the ISO 27001 framework to others you may use such as PCI DSS, SOC 2 and CMMC.

Here’s What You’ll Learn:

What is ISO 27001?

ISO/EIC 27001 is an internationally recognized set of standards to guide your information security management systems (ISMS).

Learn More

Who Needs ISO 27001 Certification?

Some industries make ISO 27001 compliance part of industry standards, but even without the requirement, it’s a great foundation for ISMS management.

Learn More

Manage ISO 27001 Compliance with Apptega

You can use Apptega to simplify ISO 27001 compliance and prepare your organization to successfully complete an audit for certification.

Learn More

Build Your ISO 27001 Compliance Strategy

Check out this ISO 27001 compliance guide to learn how you can adopt ISO controls to create, implement, and manage your ISMS to reduce cyber risks.

Learn More

ISO 27001 Benefits

ISO 27001 is an international standard that demonstrates to your clients, key stakeholders, and the public you have implemented an effective ISMS to protect data.

Learn More

Understanding ISO 27001 Standards

ISO 27001 is part of the ISO 27000 series. These standards are internationally respected for developing, implementing, and managing an ISMS.

Learn More

ISO 27001 Compliance Requirements

There are seven core areas you must demonstrate compliance to become ISO 27001 certified, ranging from organizational context to plans for improvement.

Learn More

Understanding ISO 27001 Controls

There are 114 ISO 27001 controls organized across 14 categories. You do not have to implement all 114 controls to become ISO 27001 certified.

Learn More

Steps for ISO 27001 Certification

Want to know which steps you can take to become ISO 27001 certified? Check out this quick reference to begin your ISO 27001 compliance journey.

Learn More

ISO 27001 Audit Process

ISO 27001 audits happen in two stages: 1. documentation, policy, and process review, and 2. evaluation of practices and controls to see if they meet ISO requirements.

Learn More

ISO 27001 Blog Snapshots

Want to know if your organization should become ISO 27001 certified? Check out this and other blogs to explore the benefits of ISO 27001 compliance.

Learn More

ISO 27001 Webinar Snapshots

Want to learn more about best practices to pass your ISO 27001 audit? Check out this and other webinars.

Learn More

The Apptega Solution for ISO 27001 Compliance

Apptega can help you simplify compliance with multiple frameworks, including cross-walking your ISO 27001 standards with other frameworks.

Learn More

ISO 27001 Marketplace

Searching for tools, guidance, and assistance with ISO 27001? Try the ISO 27001 Marketplace.

Learn More

ISO 27001 Frequently Asked Questions

Have questions about ISO 27001? This FAQ provides answers to many of the most common questions.

Learn More
Managing Compliance
What is ISO 27001?
Managing Compliance

Managing Your ISO 27001 Framework with Apptega

ISO 27001 is a widely used framework that consists of policies and processes you can use to implement legal, technical and physical controls to enhance your organization’s risk management processes.

If you’re looking to protect your organization’s information security systems, you can use Apptega to automate ISO 27001 controls to achieve compliance including:

  • Risk assessments
  • Security policies
  • Organizing information security
  • Asset management, human resources security
  • Physical and environmental security
  • Communications and operations management
  • Access control, information systems acquisition
  • Development and maintenance
  • Information security incident management
  • Business continuity management
What is ISO 27001?

Understanding ISO 27001

ISO 27001 was borne from a collaboration between the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC), who united to develop a standardized system to guide the development, implementation, and management processes related to Information Security Management System (ISMS). ISO 27001 creates a unified approach for information security—one that can help your organization deal with an increasing number of vulnerabilities and security issues.
Today, ISO 27001, which is the first of 12 standards in the ISO 27000 set, consists of 114 controls organized into 14 categories. You do not have to implement all 114 controls, but they should be considered as part of your information security program. Your organization can use these controls to mitigate a wide range of security risks, including facilitating an assessment of how well you meet certain information security standards and where there are gaps, while serving as a guidepost for scaling your information security processes.

Many organizations choose ISO 27001 as a foundation for building an information security program, which can then be enhanced by adding controls and recommendations from other frameworks. The controls can also be customized for your organization’s unique and specific needs. It’s a great way to show your clients, the general public, and your key stakeholders that you take information security seriously and are committed to protecting data within your organization.

There are six core criteria areas for ISO 270001: leadership, planning, support, operation, performance evaluation, and improvement. To become ISO 27001 compliant, you must meet certain requirements in each of those six areas. ISO 27001 certification is not a mandatory process, although some industries may require it. Nonetheless, many organizations find it beneficial to implement ISO 27001 controls to build a strong information security framework to protect sensitive data and other information.


Does Your Organization Need to be ISO 27001 Certified?

The International Organization for Standardization (ISO) is not involved in the ISO 27001 certification process. It develops the standards from which external certification bodies can issues certifications.

ISO 27001, in general, is not a mandatory certification process, however, some industries require it as part of contractual or other legal obligations. While it may not be mandatory for your organization to become ISO 27001 certified, you may find it brings a number of benefits to your organizational security posture, especially if you’re just starting out building an information security program or if you’re looking for ways to identify gaps in your existing processes and mature your program as your organization scales.

To become ISO 27001 certified, you will need to complete a successful ISO 27001 audit. This process will include a review of your organization’s information security policies, implemented practices, and security infrastructure.

Want to know more about if ISO 27001 certification is right for you? Check out this blog.

How to Build a Successful ISO 27001 Engagement Strategy

ISO 27001 provides a foundation from which you can build and then mature an information security program for your organization. It can help you create, implement, monitor, and manage your information security management system (ISMS).

In this compliance guide, you’ll learn more about the 114 optional controls outlined in ISO 27001 and how you can adapt them to protect your ISMS.

Download this guide to learn more about the implementation steps including:

  • How to conduct a self-review and assessment
  • How to set roles and responsibilities
  • Planning requirements
  • Development adequate resources with training and awareness campaigns
  • Requirements for monitoring, measuring, analyzing and evaluating your ISMS with internal audits and reviews
  • How to improve your program when you discover gaps and weaknesses

The guide will also walk you through ISO 27001 certification requirements and explain what you can expect during an ISO 270001 audit.

Apptega’s ISO 27001 Compliance Framework

ISO 27001 and SOC 2 Crosswalk Dashboard

Many organizations must follow a variety of cybersecurity and other compliance frameworks. In the past, it was common for organizations to manage these framework requirements manually, such as on paper or in a spreadsheet. The challenge is that these manual processes can be tedious, repetitious, and error-prone. They also create inefficiencies because there is no clear visibility where processes and policies overlap, resulting in organizations re-inventing the wheel for different frameworks that have the same goals.

So what can you do? Apptega’s intelligent framework mapping—Harmony—is the answer. With Harmony, you can map multiple security programs, for example, ISO, PCI, HIPAA, GDPR and others, right in one solution with a convenient, easy-to-understand dashboard. The cost and effort required to manage multiple frameworks can be reduced by 50% or more. And when you need compliance evidence for only one framework during an audit or customer survey, you can easily isolate that framework in the Apptega dashboard and reports.

What Our Customers Are Saying

Chris Engels headshot - circle
Chris Engel
Chief Information Officer, TeleNet

“We evaluated a variety of platforms and found many to be too complex and hard to use. In Apptega, we found an ideal fit for our need to align our cybersecurity program with leading frameworks and efficiently address the gaps to undergo a thorough audit and achieve certification.”

Benefits of ISO 27001 Certification for Your Organization

Like many security and compliance frameworks, there are a number of benefits of adopting the ISO 27001 as part of your organizational information security program.

For starters, ISO 27001 is a great starting point for developing your information security processes and policies. As an international standard, you’ll know that you’re developing a program that’s been tested and is respected by organizations of all sizes, crossing multiple industries, around the world.

ISO 27001 controls can help you improve the stability, reliability, and security of your ISMS. Not only can this help you build trust with your clients and key stakeholders, it can also help you establish practices that decrease your chance of a breach, thereby potentially avoiding the impact of heavy fines and other civil or criminal penalties. Data breach avoidance is also a great way to help protect your organization’s brand and reputation because significant damage such as loss of revenue, loss of customers, and potentially even business failure can result from even just one successful breach.

In some cases, you may find having an ISO 27001 certification gives you a competitive advantage, helping you attract and retain clients who trust that you take information security seriously and you’re implementing security controls to keep sensitive data safe.

Here are a few other important benefits of getting an ISO 27001 certification:

  • You can establish benchmarks for where your ISMS security program is today and set goals for maturing it in the future.
  • You can establish processes to conduct internal audits so you can identify and mitigate issues prior to an outside audit.
  • You can monitor your efforts for meeting specific compliance, regulatory, legal, and contractual obligations.
  • You can more quickly and easily identify and remediate problematic areas where you may have security gaps or weaknesses.
  • You can better identify vulnerabilities or other security issues within your attack surface so you can make plans to mitigate and remediate issues to stave off a breach.
  • You can communicate your ISMS security program success to your key stakeholders and use that objective data to make a business case for areas where you need additional staff, resources, tools, or financial support.
  • Increase organizational resiliency and support your business continuity initiatives.
  • You can make improvements to your existing security processes.

Understanding the ISO 27000 Family of Standards

ISO/EIC 27000 consists of a series of information security standards organizations can use to develop an information security management program. This set of standards outlines information security management systems, also known as ISMS, and related technologies and security practices you can implement to keep protected and sensitive data safe. This can be a variety of data, from your organization’s and client’s financial information to intellectual property and employee information. You can use ISO 27000 standards to decrease your cyber risks and implement plans to improve your security practices over time.

ISO 27000 has almost 50 individual standards, including ISO 27001, which we’re detailing within this resource center. You can think of ISO 27001 as an introduction to the ISO 27000 series, where you can garner more information about how the ISO standards create a framework to help you create and operate your ISMS. Specifically, ISO 27001 provides an overview of all of the controls, policies, and procedures you can implement to build your ISMS program and proceed toward an ISO 27001 certification, with emphasis on specific keywords and their related definitions.

There are 14 cybersecurity control sets outlined in ISO 27001 Annex A. Annex A is a control list you can use to improve your information security, which is further supported by sub-controls and further developed in ISO 27002. These sub-controls can be used to help ensure you meet the core purpose of each of the ISO 27001 controls.

ISO 27001 Compliance Requirements

To become ISO certified, your organization must prove that you can meet these seven ISO 27001 compliance requirements:

  1. Organizational context
    • Scope: You understand ISO requirements, including both internal and external issues, and you’re aware of how they may affect interested parties
  2. Leadership
    • You’ve outlined executive management responsibilities, including roles and expectations, and have developed an organizational information security policy that’s been approved by your executive leadership (and/or board as appropriate)
  3. Planning
    • Outlines your requirements for addressing the following areas:
      1. Risk assessments
      2. Risk treatments
      3. State of applicability
      4. Plans for risk treatment
      5. Information security objectives
  4. Support
    • Outlines that you have adequate resources and capabilities to manage your ISMS from implementation through review
  5. Operation
    • Reviews threat assessments to determine information you need from your network to evaluate threats and manage your ISMS, including enabling changes as needed, and documentation of process effectiveness or weaknesses
  6. Performance evaluation
    • Establishes performance metrics and establishes guidelines that determine efficiencies for processes, procedures, and action to protect your data and meet compliance requirements
  7. Improvement
    • Reviews your audit processes so you can make adjustments to improve your threat assessments and risk management processes.
Watch Video Demo Now

Understanding ISO 27001 Controls

There are 14 control sets outlined in ISO 27001 Annex A. Each of these control sets has several controls within each, totaling 114 controls. It is not mandatory to implement all 114 controls for your organization, but they can serve as guidance to build and mature your program. Let’s take a quick look at each control set and explore what they’re designed to do:

Information security policies (2 controls)
  • Understand how to develop policies, write those policies, and routinely review them to ensure organizational consistency and that you’re meeting your organization’s documented cybersecurity practices, and other legal, compliance, and regulatory mandates.
Organization of information security (7 controls)
  • Create a framework that outlines the tasks, responsibilities, and controls related to developing and managing an ISMS, including addressing both remote work functionalities and mobile devices
Human resource security (6 controls)
  • Ensure that your employees and contractors understand their roles, understand organizational information security requirements and practices, and that they are committed to protecting your data, including when changing employment roles or upon termination
Asset management (6 controls)
  • Create an inventory of all organizational assets and related protection measures to prevent data breaches or unauthorized disclosure, removal, modification, or destruction of data
Access control (14 controls)
  • Limit access to information as applicable per job function, including establishing access control, outlining user responsibilities, and setting system and application controls
Cryptography (2 controls)
  • Ensure proper and effective use of cryptography to protect data integrity, confidentiality, and availability
Physical and environmental security (15 controls)
  • Stop unauthorized access, damage, or interference to your information security facilities to prevent data loss, damage, theft, or asset compromise that may interrupt or stop operations
Operations security (14 controls)
  • Guide secure operations of all your data processing facilities, including procedures and responsibilities to keep information processing facilities secure, including preventing data loss, malware, breaches, asset vulnerability exploits and other security issues that may disrupt operations
Communications Security (7 controls)
  • Ensure network security, including protection of the network and other data processing systems and services to maintain data security when information is in transit within your organization and exchanged with third parties
System acquisition, development and maintenance (13 controls)
  • Ensure information security across the entire lifecycle, including specifications for ISMS over public networks
Supplier relationships (5 controls)
  • Protect organizational assets and information that suppliers and outside vendors access to ensure they meet requirements and agreed upon standards for information security
Information security incident management (7 controls)
  • Effectively manage and report any security incidents to ensure effective and consistent approaches for information security management
Information security aspects of business continuity management (4 controls)
  • Ensure information security continuity is part of your business continuity management systems, including redundancies and information processing facility availability
Compliance (8 controls)
  • Outlines all relevant regulatory, compliance, legal, statutory, and contractual obligations to reduce the risk of non-compliance and ensure that information security practices align with standards established in organizational processes and procedures

Steps to Become ISO 27001 Certified

As with other frameworks, ISO 27001 can help you establish policies and create standards and controls that can help you build a strong information security program. From there, you can demonstrate accountability and compliance by becoming ISO 27001 certified.

Here’s a high-level look at some of the steps you can take to become ISO 27001 certified.

  • Review all of the ISO 27001 controls to determine which ones are applicable to your organization and which ones you want implement.
  • Set your program scope and objectives, including business and security goals, and context.
  • Conduct a self-review and assessment to determine both internal and external issues, as well as the benefits and risks.
  • Conduct a risk assessment and establish appropriate controls to mitigate those risks.
  • Define your information security policy.
  • Determine roles and responsibilities.
  • Outline requirements for risk assessments, risk treatment including avoidance, acceptance, reduction, transfer and mitigation, and outline your information security objectives.
  • Provide adequate and ongoing education and support for your employees, including communication and awareness strategies, and documentation.
  • Review processes with a self-review or internal audit to determine program effectiveness and identify gaps and weaknesses.
  • Make plans and implement processes to correct deficiencies and close gaps.
  • Establish and implement documentation for all processes including ongoing monitoring, measurements, analysis, and performance reviews.
  • Utilize this information to prepare for your ISO 27001 compliance audit.
  • Complete an external audit from a qualified assessor.

What Happens During an ISO 27001 Audit?

For many organizations, the word “audit” instantly incites dread. You know you’ll have resources and employees tied up throughout the evaluation. You’ll need lots of proof and documentation about your practices. Your team members will need to be available to address issues and answer questions. And, you may worry about the impact of potential findings.ISO 27001 audits happen in two stages: The first reviews your documentation for compliance. The second evaluates your practices and controls, which, if compliant, pave the way for your ISO 27001 certification.Since knowledge is power, understanding what happens during in ISO 27001 audit can help you prepare, ensure you have adequate resources and documentation, and ease some of the worry. Here’s a quick look at what your ISO 27001 audit might look like:


Your ISMS auditor will set the scope of focus for your audit, including identification of all areas outside of audit scope.


The auditor will review audit evidence as it relates to information risks and related requirements.


The audit scope will be further specified, often as a checklist.


After evidence is reviewed, results are compiled in a report

Fieldwork for Evidence

This is where the auditor(s) should gather audit evidence as outlined by the plan checklist. Tests may be performed to evaluate performance and to validate evidence as collected.

ISO 27001 Blogs

Business Processes on the Mechanism of Metal Gears.

ISO 27001 Certification: Should My Business Become Certified?

The ISO 27000 series is designed to help you keep your data safe. This includes asset management such as financial data, customer data, employee information, intellectual property and more. By becoming ISO 27001 certified, you can demonstrate organizational commitment to data security and information security management. ISO certification in itself is not mandatory, however, many industries require it as a part of other standards or regulations. Even if it’s not a requirement, you may wonder if your organization would benefit from an ISO certification. Check out this blog to learn if an ISO 27001 certification may be right for you.

Read More

Managing Cybersecurity Risks Up & Down the Supply Chain, Part 1

Organizations of all sizes now face an increasing number of third-party risks that often originate within or span across the supply chain. Unfortunately, one missed vendor risk assessment or review could have devastating effects on your business. A single breach could result in thousands of dollars in fines and penalties—if not more—along with customer loss and brand and reputation damage. The ISO 27001 framework can help you effectively mitigate many of the risk often overlooked or unmanaged within your supply chain. Read part 1 of this blog to learn more about security frameworks and supply chain management.

Read More
Supply Chain part 2

Managing Cybersecurity Risks Up & Down the Supply Chain, Part 2

From NIST 800-30 to ISO 27001, there are a variety of cybersecurity frameworks you can use to help address information security and other issues within your supply chain. But how do you know which framework is right for you and which one can help you meet your compliance and regulatory requirements. In part two of this supply chain blog, you can take a deeper dive into framework types including information about why organizations increasingly need third-party risk frameworks to help keep their information and data safe. Read this blog to take a closer look at third-party risks and how you can identify and mitigate them.

Read More

ISO 27001 Webinars

Building Cybersecurity Programs for SaaS

Expert Panel Webinar: Building Cybersecurity Programs in SaaS Companies

Your IT team can address the increased due diligence requests and questionnaires from your customers faster and easier with customer-driven cybersecurity supported by a cybersecurity framework management solution.

In this webinar, you’ll also learn:

1) How you can address challenges of building a stronger cybersecurity program with limited resources
2) How to build and maintain programs like SOC 2 and ISO 270001
3) How to build, manage, and report on your cybersecurity without adding staff
4) How to efficiently manage your entire cybersecurity lifecycle

Watch Now
Passing a Cybersecurity Audit

Secrets to Passing a Cybersecurity Audit

In this webinar, cybersecurity experts share their experiences being involved in audit processes for organizations around the globe.

You’ll also learn more about:

1) Some of the potential pitfalls you may encounter during your audit
2) How you can mitigate risks for your audit
3) How to successfully pass your audit
4) Time-saving tips to help you better engage with your auditors
5) How to provide accurate, detailed information your auditors need with ease

Watch Now

Apptega Product Highlights

SOC 2 + ISO 27001 Design v2

Simplified ISO 27001 Compliance

Simplify your company compliance in Apptega with multiple cybersecurity and business continuity frameworks, including ISO 27001. Using Harmony, Apptega’s intelligent framework mapping capability, you can automatically crosswalk and consolidate all of your framework controls, sub-controls, activities, and resources.

End-to-End Information Security Management

In addition to easily cross-walking multiple frameworks within the Apptega solution, you can also streamline tasks and manage roles and responsibilities. Apptega’s dashboard gives you instant, easy-to-understand insight into the status of your ISO 27001 compliance helps you quickly identify areas where you need more attention.

ISO 27001 Marketplace

ISO 27001 Marketplace

Searching for tools, guidance, and assistance with ISO 27001?

The ISO 27001 Marketplace in CyberXchange is mapped to all the controls defined in the ISO 27001 framework. For each of your gaps or compliance deficiencies, you can instantly find solutions mapped to your specific needs. Guesswork is eliminated. The research is already done for you.

Join thousands of CISOs, CIOs and other cyber professionals who are already finding perfect-fit solutions.

Frequently Asked Questions about ISO 27001 (FAQs)

What is ISO 27001?
ISO 27001 is part of the ISO 27000 series. ISO 27001 is an international standard your organization can use to develop and manage your information security management system (ISMS). ISO 27001 helps you develop information security practices that encompasses technology, as well as people and processes, to keep sensitive data safe.
Who oversees ISO 27001?
ISO/EIC 27001 was created in a joint effort between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (EIC). The organizations released the first set of standards in 2005 and then updated them and issued revisions in 2013. ISO/IEC 27001:2013 is the most current version of standards, which incorporates changes made in 2017. While ISO/EIC sets the standards, the organizations do not manage ISO 27001 compliance audits, which are handled by external auditors for certification.
Why does my organization need ISO 27001?
ISO 27001 can help your organization develop, manage, and mature your information security management program. Some industries require ISO certification as part of regulatory or other compliance requirements; however, even if your organization isn’t required to attest to ISO 27001 standards, adopting these measures can help build confidence with your clients, partners, vendors, key stakeholders, and general public that your organization takes information security seriously and that you’ve implemented internationally recognized standards to keep your data safe.
What is an ISMS?
ISMS is an abbreviation for information security management system. An information security management system is a documented system your organization can use to ensure you’ve implemented necessary (and required) measures to protect information within your organization and shared with third-parties. This includes your security standards and related controls used to create, implement, and manage your information security practices.
Why is an ISMS important?
An ISMS is important because it can help your organization more effectively protect your systems and processes from unauthorized access to sensitive and protected data. It can help you identify critical weaknesses and vulnerabilities, and establishes plans and processes to mitigate cyber risks and improve your overall cybersecurity posture. An ISMS outlines systematic and repeatable processes you can use to help keep your data safe and better protect your organization from cyber risks.
What is the most current version of ISO 27001 and where can I find it?
The most current version of ISO 27001 is ISO/EIC 27001:2013. This version aligns the standards to the most recent changes made in 2017. Find out more about ISO 27001, including where and how you can get a copy, here: https://www.iso.org/isoiec-27001-information-security.html.
What are the ISO 27001 compliance requirements?
These are the core ISO 27001 requirements needed to become compliant and earn your certification: organizational context, leadership, planning, support, operation, performance evaluation and improvement. Check out the ISO Requirements section in this resource center to learn more.
How many controls are in ISO 27001?
There are 114 controls organized into 14 sections for ISO 27001: information security policies (2 controls), organization of information security (7 controls), human resource security (6 controls), asset management (6 controls), access control (14 controls), cryptography (2 controls), physical and environmental security (15 controls), operations security (14 controls), communications security (7 controls), system acquisition, development and maintenance (13 controls), supplier relationships (5 controls), information security incident management (7 controls), information security aspects of business continuity management (4 controls), and compliance (8 controls). For more information, check out the controls section in this resource center.
How is ISO 27001 different from ISO 27002?
ISO 27001 and ISO 27002 work together, but they are different. ISO 27001 is the official standard that outlines all of the controls, policies, and procedures for ISO certification. ISO 27002 outlines all of the sub-controls you can implement to meet requirements defined in each ISO 27001 control.
How is ISO 27001 different from NIST SP 800-53?
ISO 27001 and NIST 800-53 are different, but share similarities. Both can be used as frameworks to build your cybersecurity program. ISO 27001 deals specifically with information security management systems, while NIST 800-53 guides security practices specifically for federal information systems. ISO 27001 is generally less technical than NIST 800-53, with more focus on risk reduction for ISO 27001.
How do I get ISO 27001 certified?
To become ISO 27001 certified, you must successfully complete an audit that demonstrates you meet ISO 27001 compliance requirements in the areas of organizational context, leadership, planning, support, operation, performance evaluation and improvement. There are generally two stages of an ISO 27001 compliance audit that lead to certification. Stage 1 evaluates if you have documentation, policies, processes in place to implement and manage your ISMS. Stage 2 evaluates how well your policies and processes work and if they meet ISO 27001 compliance requirements.
Who needs ISO 27001 certification?
Some industries make ISO 27001 certification mandatory as a part of a range of compliance, regulatory, legal, and contractual requirements; however, most organizations can benefit from using the ISO 27001 framework to develop, implement, manage and mature your information security management system.
Can individuals be ISO 27001 certified?
Yes. Individuals can be ISO 27001 certified as: lead auditor, lead implementer, internal auditor, and foundations. These individuals must demonstrate they understand how to implement an ISMS in a way that data integrity, confidentiality and availability is always preserved.
Is ISO 27001 certification mandatory?
In general, ISO 27001 certification is not mandatory, however, some industries require it as part of legal, contractual, compliance, and regulatory standards.
What’s an ISO 27001 audit?
An ISO 27001 audit reviews your organization’s policies, documentation, practices, and infrastructure to determine compliance with ISO 27001 requirements to determine certification eligibility. There are generally two stages of an ISO 27001 compliance audit that lead to certification. Stage 1 evaluates if you have documentation, policies, processes in place to implement and manage your ISMS. Stage 2 evaluates how well your policies and processes work and if they meet ISO 27001 compliance requirements.
How much does an ISO 27001 certification cost?
There are a number of factors that influence how much it may cost your organization to acquire an ISO 27001 certification. This can include (but not limited to) the size of your organization, the scope of your ISO 27001 certification, the maturity stage of your information security management systems, how effective your existing information security policies are, and how they align with ISO 27001 certification requirements, related fees paid to your auditors, and audit length of time. In many cases, this can cost a small-to-mid-size organization tens of thousands of dollars, expanding into hundreds of thousands and more for larger ones.
How long is an ISO 27001 certificate valid?
ISO/EIC 27001 certificates are valid for three years.
How do I maintain ISO 27001 certification?
Once you obtain your ISO 27001 certification, you will need to demonstrate that your practices can evolve and scale with you. Auditors for certification will generally re-audit our organization at least annually to determine if you continue to meet the core seven requirements and have addressed gaps and other weaknesses since your last audit.
Can I map ISO 27001 to other frameworks?
Yes! You can map ISO 27001 to other frameworks using Apptega’s intelligent framework mapping program, Harmony. Read more about Harmony here.
How can I access the ISO 27001 Marketplace?
You can access the ISO 27001 Marketplace by going to https://cyberxchange.apptega.com/framework/iso-27001-a. There you can quickly find the ideal services and products to help with ISO 27001 preparation and certification, including auditors and consultants with proven expertise in your specific compliance gaps.