For any organisation – regardless of size or sector - ISO/IEC 27001 provides a strong foundation for a comprehensive information and cyber security strategy. The standard outlines a best practice ISMS framework to mitigate risks and safeguard business-critical data through identification, analysis and actionable controls. Accredited ISO 27001 certification demonstrates that you have the processes and controls in place to defend your organisation’s information – and that of your customers – against an increasingly complex threat landscape. Check out the Frequently Asked Questions about the standard and our offerings.
Our ISO/IEC 27001 services
Our certification and training services can be delivered on-site, remotely or via a blended approach - giving you flexibility and a service model to suit your needs.
Build your knowledge of ISO 27001 with a range of courses designed for different experience levels - delivered via multiple learning styles.
An optional service where one of our expert auditors will help you identify any critical, high-risk, or weak areas of your system prior to your formal ISO 27001 audit.
An independent two-stage process that provides a clear statement of your capabilities – helping you win new business and build trust with stakeholders.
If you’ve implemented multiple management systems, you could benefit from an integrated audit and surveillance programme which is more efficient and cost-effective.
A 360⁰ approach to information and cyber security
Our deep technical insight and expertise, supported by our extensive cybersecurity portfolio, enables us to work collaboratively with your business – helping you identify the specific threats you face before providing solutions to mitigate them. We can certify your systems, identify vulnerabilities, and help prevent attacks and incidents that could impact your brand integrity, finances and operations.
Why work with us?
Local & global expertise
We’re everywhere you are. With more than 300 highly qualified auditors and 250 dedicated cybersecurity specialists worldwide, we can provide a local service with a globally consistent dedication to excellence. Our people are technical experts with in-depth knowledge of information and cyber security risks, challenges, standards, regulations, and frameworks.
In most cases, all our ISO 27001 training and certification services can be delivered on-site or remotely using safe and secure technology. If you opt for our remote delivery methods, you’ll receive the same high-quality service with several added benefits, including flexibility, fast delivery and access to global expertise.
History of firsts
We were the first to receive UKAS accreditation to deliver certification services for a range of standards across the globe. We continue to be instrumental in developing a variety of specific standards and frameworks across different sectors.
Together with our award-winning cybersecurity business Nettitude, we can help you stay one step ahead of sophisticated cyber threats with advanced services that give a first line of defence and response to all threats and vulnerabilities.
Are you ready for the next steps?
What is ISO 27001?
ISO 27001 is the international management system standard that defines the requirements for an Information Security Management System (ISMS). The standard provides a best practice framework to identify, analyse and implement controls to manage and mitigate risks – reducing the likelihood of an information security breach.
Any organisation - irrespective of size and sector - can utilise the requirements and controls within ISO 27001 to implement an effective ISMS which can be independently certified.
Accredited ISO 27001 certification provided by a reputable and independent certification body demonstrates a commitment to information security, providing an unbiased view regarding the robustness and effectiveness of your ISMS. This helps to fulfil contractual obligations, and in many cases acts as a licence to trade.
What are the benefits of ISO 27001 and why is it so important?
Protect your data and reputation
ISO 27001 certification demonstrates you’ve established a systematic, risk-based approach to information security that drives best practices around:
- Identifying information and cyber security risks
- Analysing risks based on impact and likelihood
- Evaluating risks and prioritising when they’re addressed based on factors relating to your business
- Selecting risk treatment options
Demonstrate compliance with laws, regulations and contractual requirements
Gaining certification to ISO 27001 requires you to identify applicable legislation, such as the EU GDPR or regulations like HIPAA. This has a positive impact on risk management and corporate governance, helping you demonstrate compliance and fulfil contractual requirements.
Certification from LRQA gives clients and stakeholders confidence that security risks – which could relate to IT, people, the physical environment and business continuity – have been adequately addressed in order to protect their information.
ISO 27001 certification provides a clear statement of your capability and demonstrates that you operate in line with internationally recognised best practices – helping you win new business.
How do ISO 27001 audits work?
ISO 27001 audits follow the same approach as other Annex SL based management systems. You can start with training and gap analysis, but the formal process involves an audit of the design of the ISMS (Stage 1) and an audit of its operation (Stage 2). The outputs of these audits are technically reviewed by a qualified, independent person in LRQA to ensure consistency and alignment with our commitment to the best practices defined by accreditors.
Once approved your ISO 27001 certificate is issued and you begin a three-year cycle of surveillance audits leading up to a renewal audit to re-establish the next three years. Surveillance enables both LRQA and your organisation to manage changes and ensure that audits are relevant to current industry needs.
How long does ISO 27001 certification last?
Once approved, certification lasts for three years subject to effective system maintenance demonstrated through the surveillance programme.
What is included in a typical ISMS scope and statement of applicability?
A typical ISMS certificate scope statement includes activities relating to the delivery of products and services. It does not need to include internal activities or ISMS processes. The aim is to assure the reader that the information provided when receiving the product or service is protected.
The statement of applicability refers to the list of selected controls. It does not provide details of those controls but a traceable reference to a control statement used as the basis of the last ISO 27001 audit. Sometimes organisations have a sharable public version that simply lists the controls selected from ISO 27001 Annex A, but this is not a mandatory requirement.
How much does it cost to get ISO 27001 certified?
The cost is based on the number of audit days which relates to the number of employees within the scope of the ISMS. The number of audit days is published in the accreditation standard, ISO 27006, and available for all to see. Engaging an accredited certification body like LRQA ensures you get a proposed audit duration based on industry best practices that is comparable to all other accredited certification bodies.
As an example an organisation of 100 Full-Time Equivalents (FTEs) should expect an initial audit duration (Stage 1 + Stage 2) of between 8 and 12 days depending on the sector they operate in, how complex their working environment is, whether they are involved in developing software, or if they need to build security into the product. The subsequent surveillance programme would be 3-4 days/year and the renewal 6-8 days.
already have ISO 9001. Can I integrate it with ISO 27001?
Yes – as both ISO 9001 and ISO 27001 are based on the generic best practice model for management systems - Annex SL - the core management processes can be optimised to meet the requirements for both standards. In fact, designing a system to address both improves the effectiveness of organisational governance. For example, business objectives such as growth often require the development of new products where security is typically considered a quality standard in line with market expectations. Integration can also minimise duplication which can lead to a reduction in audit time, providing a cost-effective option.
What is a typical ISO 27001 certification Process?
The path that your organisation takes to achieve ISO 27001 certification often depends on your business's level of maturity in relation to information security and broader risk management, amongst other factors. But the typical process to get ISO 27001 certified includes 3 main steps.
- Stage 1 Audit – document review and planning: Your auditor will review the design and documentation of your management system – in most cases, this is carried out remotely.
- Stage 2 Audit – evaluating your implementation: Your auditor will evaluate the implementation and effectiveness of your ISMS in line with the requirements of ISO 27001. If there are no non-conformities, you’ll receive your certification. This stage can be carried out remotely or on-site.
- Promote your ISO 27001 certification: Your certification demonstrates a commitment to internationally recognised best practices and continual improvement – helping you win new business and meet customer demands.
What is ISO 27002:2022 and what is its impact?
The publication of ISO 27002:2022 provides an update to the list of controls present in ISO 27001 – which dates back to 2013. The revised controls reflect developments relating to both threats and current best practices, and the broadened scope of ISO 27002 helps ensure that risk management measures are wide-ranging and effective. Organisations can use the comprehensive list of controls to treat the risks they’ve identified or discover potential gaps – helping them remain one step ahead of the complex and evolving threat landscape facing businesses today.
Is a new version of ISO 27001 in development?
A new version of ISO 27001 was published on 25 October 2022. Featuring the new controls outlined by ISO 27002:22, organisations will need to revisit their risk assessment and determine whether new risk treatments need to be implemented.
Are you already certified to ISO 27001 and would like to transfer?
If you hold a valid accredited certificate of approval with another provider and you are considering making the move, transferring your ISO 27001 certification to LRQA is simple. We'll work with you to ensure your transfer is as smooth as possible.
Check out other related certifications
From management systems certification and training, to governance, risk and compliance, we offer 360⁰ services
Who we work with
We help businesses across dozens of sectors push forward and achieve like never before. How can we help you?
UKCloud: Leading with information security.
ISO 27018 Statement of Verification for added confidence in Cloud services. Read more in our case study.
What we think
LRQA's experts regularly share their research and insights.