Achieving ISO27001 certification is a major milestone for any organisation. Not only does it demonstrate that your business prioritises information security, but it also solidifies trust with clients and partners. For us, getting certification ready in just six weeks was both a challenge and an achievement. Here’s how we did it, and how you might do it too.
Start with Why
Before diving into the certification process, it’s important to ask a crucial question: Why are you getting certified?
In our case, the certification was driven by customer demand (I’ll not mention the lengthy Due Diligence Questionnaire’s you’re often asked to fill in if you don’t have an ISO27001 cert!). More and more businesses are requiring their partners to be ISO27001 certified to ensure their data and intellectual property are in safe hands. For us, this certification was not just about compliance, but about building long-term trust with our customers and maintaining a high standard of security.
Beyond external motivations, the internal value is equally significant. Everyone in the company stands to benefit from the certification, as it strengthens our internal processes and gives us a clear roadmap for managing security risks. But certification doesn’t stop after achieving the initial milestone. Maintaining it is crucial, which means having a plan in place for continual improvement and monitoring.
When deciding to get ISO27001 certified, don’t forget - losing your certification could be worse than never having it at all.
If certification lapses due to poor management or neglect, it can signal to clients and stakeholders that security isn’t truly a priority, causing lasting damage to your reputation.
If you’ve gotten this far and still want to proceed with getting certified, step 1 is book your audit! Getting a slot with a certification auditor can take time, with some booking up months in advance. Get a date booked in. This will help focus the mind and you know the target your aiming for.
A Good Foundation Helps
One of the reasons we were able to fast-track the certification process is because we laid the groundwork early. Our founding team are certified ISO27001 auditors, which gave us a strong understanding of what needed to be done from the outset (some might say this was an unfair advantage when getting certification ready in only 6 weeks). This knowledge, combined with the early adoption of security practices, made a huge difference.
Even when we were just a two-person startup, we invested in HR tools, software development pipelines, and security management software to build our internal structure with security in mind. These early investments may have seemed excessive at the time, but they paid off by establishing a security culture that made our certification journey more efficient and less painful.
Another critical element was our clear understanding of the business. Not every part of an organisation needs to be certified, and knowing which areas to focus on simplifies the process. For example, if you operate fully remotely and rely on cloud infrastructure, you may decide you don’t need to include physical security controls in your Statement of Applicability. Understanding your business and scope is essential to making the certification journey manageable.
Start with the Right Tools
Conventional wisdom suggests that you should start with a gap analysis. While that is an important step, we believe that starting with the right compliance management software is even more critical. Relying solely on consultants and Excel spreadsheets is too slow and can become prohibitively expensive. By leveraging compliance management software, we were able to automate many aspects of the certification process, including the gap analysis itself.
The software not only helped us identify the areas where we were missing in-scope controls, but it also made tracking and closing those gaps more efficient. This approach saved us significant time, allowing us to focus on what really mattered: improving our security posture.
Documentation is Critical
One of the most time-consuming aspects of ISO27001 certification is documentation. But it’s also one of the most important. You must have comprehensive policies and procedures in place that align with the scope of your Information Security Management System (ISMS). If you start with a compliance management system, these will often give you templates which are a great starting point and ensures you don’t miss out on any policies required under the ISO27001 framework.
A central store for documentation is essential. This isn’t just about keeping things organised—it’s about ensuring that documents are properly controlled. Every time I’ve audited a company, I’ve found non-conformities related to document control. It's a simple area, but one that often trips companies up.[MC1]
Regular document reviews are also crucial. It’s not enough to create documentation once and forget about it. You need to establish a schedule for reviews, assign responsibilities, and ensure that the relevant people are aware of what they’re responsible for. Calendar reminders aren’t enough (I’ve been there, tried it, regretted it!). We found using a digital document portal helped with document control as there was always a version history, and we didn’t need to worry about checking every Word doc for a cover page listing the owner and review dates (your auditor will have a field day with these!).
The Risk Register is Your Friend
Many people are intimidated by the risk register, viewing it as a negative aspect of the process. In reality, the risk register is one of your most valuable tools. It demonstrates that you’re aware of the risks in your business and have a plan to manage them.
Far from being something to fear, the risk register should be embraced. If you identify a non-conformity, document it in the risk register, manage it through to remediation, and show your work. This transparency is what ISO27001 is all about.
Additionally, the risk register helps you engage with senior management. It’s essential for them to understand the risks the company is living with and make informed decisions about resource allocation to mitigate those risks.
Fill in the Gaps
Once we had our systems, policies, and documented procedures in place, it was time to address the gaps. It’s important to assess whether you need additional software or processes to manage these gaps effectively.
One of the key considerations during this phase is scalability. Can the processes you’ve implemented be maintained and scaled as your business grows? If not, you’re better off adjusting your approach before the certification audit takes place. Remember, you don’t want to lose the certification at the next audit. If it’s manual to maintain and likely to fall out of compliance without anyone noticing, it’s going to cause you problems down the line.
Stakeholder buy-in is also crucial during this phase. Getting support from teams across the business makes the certification process smoother and more effective. One of the best strategies we’ve seen implemented was appointing security champions from each department. These champions helped ensure their teams were contributing to the company’s overall security efforts. This approach also made security a company-wide responsibility, not just the responsibility of the security or compliance team.
Ongoing Management Support is Essential
ISO27001 is a top-down framework, which means that leadership support is essential. If your senior management isn’t on board, the journey will be much more difficult. Some organisations view ISO27001 as a one-off project that, once completed, can be forgotten. This is a dangerous mindset.
ISO 27001 isn’t a “set it and forget it” certification. It requires ongoing commitment from everyone in the organisation, but especially from leadership. If your leadership team views certification as a check-the-box exercise, you’ll need to educate them on the long-term benefits of maintaining certification, the associated costs, and the ongoing effort it requires.
Conclusion
Getting ISO27001 ready in just six weeks was a challenging but rewarding experience. The key to our success was early preparation, using the right tools, and fostering a company-wide commitment to security. By laying a strong foundation, we were able to accelerate the process without cutting corners or compromising on quality.
Remember, ISO27001 is more than just a certification—it’s a long-term commitment to protecting your business and your customers. By taking a thoughtful, proactive approach, you can achieve certification quickly and maintain it effectively for years to come.
Comments