ISO 27001 Compliance and Certification

ISO 27001

As one of the most rigorous information security standards, ISO 27001 gives organisations a proven management framework for maturing their security programme towards consistently high levels of performance.

However, achieving the standard can be daunting, since the level of detail it demands and the continual refinement it requires are challenging for many organisations.

Sapphire’s experts have worked inside complex security environments, helping to manage the network of controls needed to audit, assess and achieve ISO 27001 certification while balancing wider organisational priorities.

WHAT IS ISO 27001?

ISO 27001 is the leading international standard for information security management systems (ISMS). This well-proven framework sets out how an organisation understands and mitigates its cyber risk, protects organisational data, applies controls and improves its security posture over time. For organisations that conform to it, certification is a sign of confidence for stakeholders and customers.

WHY SAPPHIRE?

1. Comprehensive service

Sapphire can help you achieve ISO 27001 compliance or certification through a structured programme that takes a holistic view of risk. Over time, it helps you deliver effective cybersecurity, manage information securely, respond when incidents occur and mature your security strategy.

Sapphire delivers ISO 27001 services through a team that uses a phased approach honed over 25 years of experience. The team will understand your current environment, assess risk, chart improvements, train and educate staff, and streamline and de-risk the certification process.

We are business centric

Our ISO 27001 consultants, who have experience understanding and managing security in a business context, prioritise the approach and bring focus while making the best use of your existing people and technology.

Frequently Asked Questions

The ISO 27001 certification process involves an in-depth audit by the certification body followed by periodic surveillance assessments. To be certified against the standard’s requirements, an organisation must go through a thorough process involving internal and external stakeholders. For this reason, it is advisable to make sure your ISMS is mature before applying to be audited.

Sapphire specialises in delivering either ISO 27001 compliance or third-party ISO 27001 certification. The phases below were built around ISO 27001:2013; the standard was revised in 2022 with a restructured Annex A and a transition period applies, so confirm with your certification body which edition you will be audited against. Each programme is typically divided into several discrete phases.

a) Information Security Management System (ISMS) Scope

This phase defines the scope of the ISMS. Scoping is an organisational decision: the scope statement details the departments, business units, locations and systems to be covered, and should identify the interfaces and dependencies with activities outside the scope, as clause 4.3 of the standard requires.

b) Risk Assessment and Risk Management

Any risk assessments the organisation has previously conducted are reviewed, and a Risk Assessment Methodology Policy documenting the risk process and plans is produced. The results of the risk assessment, together with the findings of the gap analysis, then feed a Security Improvement Plan.

c) ISO 27001 Current State Gap Analysis

The initial gap analysis reviews several business areas and benchmarks current information security processes and procedures against the standard. Its main output is a Current State Analysis, a document recording the organisation’s position against the 114 Annex A controls of ISO 27001:2013 (detailed in ISO 27002:2013). This is then used to develop a Security Improvement Plan that identifies the next steps.

d) Security Improvement Plan

Implementing the Security Improvement Plan produces the Information Security Management System (ISMS). The ISMS typically comprises the policy, manual and procedures that set the rules and guidelines for protecting information assets and preventing security breaches, together with the Statement of Applicability recording which Annex A controls have been selected and why.

e) Information Security Awareness Education and Training

Information security awareness training relating to ISO 27001 is provided to specified groups: senior management, technical staff and general staff. Selected ‘IS co-ordinators’ receive skills transfer so that an effective information security culture based on ‘shared responsibility’ can develop.

f) ISO 27001 Mock Compliance

The ISMS document set is reviewed to ensure it is complete and meets the requirements of ISO 27001:2013. An ISO 27001 readiness review and mock assessments are then conducted to determine whether you are ready to proceed to compliance or certification.

g) ISO 27001 Certification

Should the organisation want to complete the process to ISO 27001 certification, an independent accredited certification body carries out the final audit and awards certification. The certificate is then maintained through surveillance audits and a recertification audit at the end of its three-year cycle.

Given the rigour required to pass ISO 27001, certification signals that an organisation has a high level of cyber risk maturity. It is also required as a compliance baseline in many industries.

How long ISO 27001 takes depends on several variables. The end-to-end programme is typically 6 to 8 months for small organisations and 12 to 18 months for larger enterprises.

ISO 27001 is an international standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) for information security. It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) that covers people, processes and technology.

The goal of ISO 27001 is to safeguard the confidentiality, integrity and availability of information within an organisation. This is achieved by determining what could go wrong with that information (risk assessment) and deciding what must be done about it (the risk treatment plan).

As a result, the core principle of ISO 27001 is a risk management process: identify the risks, then address them systematically by implementing security controls (safeguards).

The controls are grouped into the following 14 domains (Annex A of ISO 27001:2013):

  • Information Security Policies: to ensure policies are written and reviewed in line with the organisation’s practices and overall direction.
  • Organisation of Information Security: to assign responsibilities for specific tasks.
  • Human Resource Security: to ensure employees and contractors understand their responsibilities before, during and after employment.
  • Access Control: to ensure users can access only the information their roles require (least privilege and need-to-know).
  • Asset Management: to ensure the organisation identifies its information assets and assigns appropriate protection responsibilities.
  • Physical and Environmental Security: to prevent unauthorised physical access, interference or damage to premises and information, and to protect equipment against damage, theft and loss of hardware, software and physical records.
  • Cryptography: to ensure the proper and effective use of cryptography to protect the confidentiality, authenticity and integrity of information.
  • System Acquisition, Development and Maintenance: to build security into internal systems and into those providing services over public networks.
  • Operations Security: to ensure the correct and secure operation of information processing facilities.
  • Information Security Incident Management: to ensure effective management and reporting of security incidents and weaknesses.
  • Communications Security: to protect information in networks and in transit.
  • Information Security Aspects of Business Continuity Management: to minimise business interruptions and maintain information security continuity.
  • Supplier Relationships: to manage contractual agreements with third parties and the risks arising from supplier access to assets.
  • Compliance: to ensure adherence to relevant laws, regulations and contractual requirements and to mitigate the risks of non-compliance.


Like the other ISO management system standards, ISO/IEC 27001 can be certified against, but certification is not obligatory. Some organisations implement the standard purely to adopt its best practices, while others become certified to reassure customers and clients.

By achieving certification, organisations can reduce data security risks and enhance their capacity to adhere to data protection standards. Also, when you achieve certification, you can demonstrate your commitment to protecting your data assets, partners, suppliers, customers, and others.

Lastly, building trust can boost your organisation’s reputation and give you a competitive advantage.

The ISO 27001 certification process takes the following steps:

  • Develop an ISMS covering people, policies, procedures and technology.
  • Conduct an internal audit to find nonconformities and raise corrective actions.
  • Have the certification body’s auditors conduct the Stage 1 audit, a review of the ISMS documentation and readiness.
  • Rectify the issues the auditors find.
  • Have the accredited certification body conduct the Stage 2 audit, a thorough certification audit that checks the policies and procedures are followed in practice.

The certification stage itself typically takes three to twelve months. Many organisations therefore conduct a preliminary gap analysis against the standard to make the process more cost-effective and to size the time and effort needed for any changes.

Once you earn ISO 27001 certification, you must keep performing regular internal audits and management reviews, and the certification body will carry out annual surveillance audits with recertification every three years.

The ISO 27001 controls, also called safeguards, are the practices implemented to reduce risks to acceptable levels. They can be implemented in the following ways:

  • Technical controls are implemented mainly in information systems, using hardware, software and firmware components added to the system, such as backup or antivirus software.
  • Organisational controls are implemented by defining the rules and expected behaviour of users, software, systems and equipment, for example a BYOD (Bring Your Own Device) policy, an Access Control Policy or an Acceptable Use Policy.
  • Legal controls are implemented by ensuring those rules and behaviours follow and enforce laws, regulations, contractual obligations and similar legal instruments, such as an SLA (service level agreement) or NDA (non-disclosure agreement).
  • Human resource controls are implemented by giving people the knowledge, education, skills or experience they need to carry out their tasks securely, for instance by training internal auditors in ISO 27001.
  • Physical controls are implemented mainly with devices or equipment that interact physically with objects and people, such as locks, CCTV cameras or alarm systems.