
ISO 27001 Certification Checklist UK

The definitive step-by-step guide to building an Information Security Management System (ISMS), mastering Annex A controls, and passing your Stage 1 and 2 audits.

ISO 27001 is the international gold standard for information security. For B2B companies in the UK—especially SaaS providers, fintechs, and managed service providers—holding this certification is often a mandatory prerequisite for closing enterprise deals.

Unlike Cyber Essentials, which focuses purely on technical IT controls, ISO 27001 takes a holistic approach. It requires you to build a comprehensive Information Security Management System (ISMS) that governs your people, processes, and technology.

Phase 1: Preparation & Scoping

Before you write a single policy, you must define the boundaries of your certification.

  • Secure Management Commitment: ISO 27001 cannot be driven by the IT department alone. The board of directors must formally commit to funding and supporting the ISMS.
  • Define the ISMS Scope: Are you certifying your entire global company, or just the London software development office? Defining a narrow scope initially makes the process much faster.
  • Identify Interested Parties: Document all stakeholders who care about your security (e.g., customers, regulators like the ICO, suppliers, and employees).

Phase 2: Risk Assessment & Treatment

Risk management is the absolute core of the ISO 27001 standard.

  • Create a Risk Methodology: Define exactly how you will identify, score, and evaluate risks (e.g., using a 5x5 impact/likelihood matrix).
  • Conduct the Risk Assessment: Identify all information assets (laptops, servers, source code, employee data) and document the threats they face (theft, fire, ransomware, accidental deletion).
  • Formulate a Risk Treatment Plan: Decide how you will handle unacceptable risks: Tolerate, Terminate, Transfer (e.g., insurance), or Treat (apply a security control).
  • Produce the Statement of Applicability (SoA): The SoA is the most important document in your ISMS. It lists all 93 controls from Annex A (2022 revision) and, for each one, states whether it is applicable to you, the justification for including or excluding it, and whether it has been implemented.
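The risk methodology, treatment plan and SoA described in this phase can be expressed as a small, checkable model. The following is an added example written for this guide, not a template from the standard or from any certification body. It assumes a 5x5 impact/likelihood matrix scored 1..25, constructed rating bands and a constructed risk appetite threshold of 9, and a constructed risk register for a small software company. The Annex A control references in the catalogue subset are given for illustration and should be checked against the standard's own text before being used in a real SoA.

```python
from dataclasses import dataclass, field

# Constructed scoring bands for a 5x5 matrix (impact x likelihood, each 1..5 -> score 1..25).
RISK_BANDS = [(4, "Low"), (9, "Medium"), (15, "High"), (25, "Critical")]
RISK_APPETITE = 9          # constructed: a score above 9 is unacceptable and cannot simply be tolerated
TREATMENTS = {"Tolerate", "Terminate", "Transfer", "Treat"}   # the four treatment options from the guide

# Constructed subset of the Annex A (2022) catalogue. Identifiers are illustrative only and
# must be verified against the standard's text before being used in a real SoA.
ANNEX_A_SUBSET = {
    "A.7.5": "Protecting against physical and environmental threats",
    "A.8.7": "Protection against malware",
    "A.8.11": "Data masking",
    "A.8.13": "Information backup",
    "A.8.24": "Use of cryptography",
}


@dataclass
class Risk:
    """One row of the risk register: an asset, a threat to it, and how the risk is handled."""
    asset: str
    threat: str
    impact: int          # 1..5
    likelihood: int      # 1..5
    treatment: str = "Tolerate"
    controls: list = field(default_factory=list)   # Annex A references applied when treatment is "Treat"

    def __post_init__(self):
        for name, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")

    @property
    def score(self) -> int:
        return self.impact * self.likelihood

    @property
    def rating(self) -> str:
        return next(label for upper, label in RISK_BANDS if self.score <= upper)


def find_nonconformities(risks, appetite=RISK_APPETITE):
    """Return the issues an internal auditor would raise against the treatment plan."""
    issues = []
    for r in risks:
        if r.score > appetite and r.treatment == "Tolerate":
            issues.append(f"{r.asset}/{r.threat}: score {r.score} exceeds appetite {appetite} but is tolerated")
        if r.treatment == "Treat" and not r.controls:
            issues.append(f"{r.asset}/{r.threat}: marked Treat but no control assigned")
        unknown = [c for c in r.controls if c not in ANNEX_A_SUBSET]
        if unknown:
            issues.append(f"{r.asset}/{r.threat}: controls not in catalogue: {unknown}")
    return issues


def build_soa(risks, catalogue=ANNEX_A_SUBSET):
    """Derive SoA rows: a control is applicable when at least one treated risk cites it."""
    cited = {}
    for r in risks:
        for c in r.controls:
            cited.setdefault(c, []).append(f"{r.asset}: {r.threat}")
    soa = {}
    for cid, title in catalogue.items():
        applicable = cid in cited
        justification = ("Treats risk(s): " + "; ".join(cited[cid])) if applicable \
            else "No identified risk requires this control"
        soa[cid] = {"title": title, "applicable": applicable, "justification": justification}
    return soa


# Constructed risk register for a small software company.
RISK_REGISTER = [
    Risk("Source code repository", "Ransomware", impact=5, likelihood=3, treatment="Treat", controls=["A.8.7", "A.8.13"]),
    Risk("Staff laptops", "Theft", impact=4, likelihood=3, treatment="Treat", controls=["A.8.24"]),
    Risk("Server room", "Fire", impact=5, likelihood=1, treatment="Treat", controls=["A.7.5"]),
    Risk("Payment processing", "Fraud losses", impact=3, likelihood=3, treatment="Transfer"),   # insured
    Risk("Customer database", "Accidental deletion", impact=4, likelihood=4),   # left Tolerated: a non-conformity
]

if __name__ == "__main__":
    for r in RISK_REGISTER:
        print(f"{r.asset:25} {r.threat:20} score={r.score:2} {r.rating:8} {r.treatment}")
    for issue in find_nonconformities(RISK_REGISTER):
        print("NON-CONFORMITY:", issue)
    for cid, row in build_soa(RISK_REGISTER).items():
        print(cid, "applicable" if row["applicable"] else "excluded", "-", row["justification"])
```

Running the script scores each register row, flags the tolerated Critical risk on the customer database as something the internal audit in Phase 4 would catch, and prints an SoA in which every catalogued control carries a justification whether it is included or excluded, which is what the auditor looks for at Stage 1.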

Phase 3: Implementation & Annex A Controls

This is where you actually build the security infrastructure. You must draft mandatory policies and implement the technical controls defined in your SoA.

Key Annex A Control Categories (2022 Update):

  • Organizational Controls (37): Information security policies, threat intelligence, asset management, and supplier relationships.
  • People Controls (8): Background screening, confidentiality agreements, and ongoing security awareness training.
  • Physical Controls (14): Secure offices, clear desk policies, and protection of hardware against environmental threats.
  • Technological Controls (34): Endpoint protection, encryption, secure coding practices, data masking, and network segmentation.

Phase 4: Training & Internal Auditing

You cannot pass ISO 27001 if your staff do not know your policies exist.

  • Conduct Staff Training: Ensure all employees undergo verifiable security awareness training.
  • Run an Internal Audit: An independent party (either an external consultant or an internal employee not responsible for the ISMS) must audit your system to find non-conformities before the official auditor arrives.
  • Hold a Management Review: The board of directors must review the ISMS performance and internal audit results, formally documenting their decisions.

Phase 5: The Certification Audits

You must hire a UKAS-accredited certification body (e.g., BSI, LRQA) to perform the official audits.

Stage 1 Audit (Document Review)

The auditor reviews your written policies, risk assessment, and SoA. They are simply checking if your ISMS design theoretically meets the standard. If they find gaps, you have time to fix them before Stage 2.

Stage 2 Audit (Operational Test)

The auditor visits your office and interviews staff. They test your systems to ensure you are actually following the policies you wrote. If you pass, you are awarded the ISO 27001 certification.

ISO 27001 FAQs

What is an ISO 27001 ISMS?

An Information Security Management System (ISMS) is the core framework required by ISO 27001. It is a systematic, documented approach to managing sensitive company information so that it remains secure. It covers people, processes, and IT systems, and is built around a rigorous risk management process.

How long does it take to get ISO 27001 certified in the UK?

For a small to medium-sized UK business starting from scratch, achieving ISO 27001 certification typically takes between 6 and 12 months. This timeframe depends heavily on the current maturity of your cybersecurity controls, the complexity of your IT infrastructure, and the availability of internal resources to draft policy documentation.

What is the difference between Stage 1 and Stage 2 ISO 27001 audits?

The Stage 1 audit is a documentation review; the auditor checks that your written ISMS policies meet the ISO standard requirements. The Stage 2 audit is an operational evaluation; the auditor visits your site and actively tests your systems to verify that you are actually following the policies you documented in Stage 1.

Accelerate Your ISO 27001 Journey

Dastute's compliance consultants handle the documentation, risk assessments, and technical controls so you can focus on running your business.