
ISO 27001 Compliance And Certification

ISO 27001

Why Sapphire?

1. Comprehensive service

Sapphire can help you achieve ISO 27001 compliance or certification using a framework that takes a holistic view of information security risk. Over time, our service helps you deliver effective cybersecurity, manage information securely, respond when incidents occur, and mature your security strategy.

2. Proven expertise

Sapphire delivers ISO 27001 services through a team that uses a phased approach honed over 25 years of experience. Our team will understand your current environment, assess risk, chart improvements, train and educate staff groups, and streamline and de-risk the certification submission process.

3. We are business centric

Our ISO 27001 consultants have experience understanding and managing security in a business context. They prioritise the approach and bring focus, making the best use of both your people and your technical resources.


1. How can an organisation become ISO 27001 certified?

The ISO 27001 certification process involves an in-depth audit by an accredited certification body (normally a Stage 1 documentation review followed by a Stage 2 implementation audit), then annual surveillance audits and a recertification audit at the end of each three-year cycle. Achieving certification is a thorough process that requires the involvement of internal and external stakeholders. For this reason, it is advisable to ensure your ISMS is mature and has been operating for a period before you apply to be audited.

2. What is the framework of an ISO 27001 project?

Sapphire specialises in delivering either ISO 27001:2013 compliance or third-party ISO 27001 certification. Each programme is typically divided into a number of discrete phases.

a) Information Security Management System (ISMS) Scope
This phase clearly defines the scope of the ISMS. Scoping is an organisational decision. A scope statement is produced which details the departments, business units, locations and systems to be covered, and records any exclusions and the justification for them.

b) ISO 27001 Current State Gap Analysis
The initial gap analysis reviews several areas of the business and benchmarks current information security processes and procedures against the standard. The main output of this stage is a Current State Analysis: a document detailing the organisation's current position against the 114 Annex A controls of ISO 27001:2013 (described in detail in ISO 27002:2013). Note that the 2022 revision of the standard restructured Annex A into 93 controls, so the benchmark used depends on which edition you are certifying against. The Current State Analysis is then used to develop a Security Improvement Plan identifying next steps.

c) Risk Assessment and Risk Management
Any risk assessments previously conducted by the organisation will be reviewed. A Risk Assessment Methodology Policy document will be produced detailing the risk assessment process and plans, including how risks are identified, analysed, evaluated and treated. The results of the risk assessment, together with the findings from the Gap Analysis, feed into the Security Improvement Plan and the risk treatment plan. ISO 27001 also requires a Statement of Applicability recording which Annex A controls are applied, which are excluded, and the justification for each.

d) Security Improvement Plan
The Security Improvement Plan will be translated into an Information Security Management System (ISMS). The ISMS typically comprises the policy, manual and procedures that set out the rules and guidelines needed to protect information assets and prevent security breaches.

e) Information Security Awareness Education and Training
Information security awareness training relating to ISO 27001 is provided to specified groups: awareness briefings for senior management; technical training for relevant teams; and general staff training. Selected 'IS co-ordinators' receive additional skills transfer so that an effective information security culture based on shared responsibility is sustained after the programme ends.

f) ISO 27001 Mock Compliance
The ISMS document set will be reviewed to ensure it is complete and meets the requirements of ISO 27001:2013. An ISO 27001 readiness review and mock assessments will then be conducted to confirm that you are ready in all respects to proceed to compliance or to certification. This stage also covers the internal audit and management review that the standard requires before a certification audit, so that evidence of these activities is available to the auditor.

g) ISO 27001 Certification
Should the organisation want to complete the process to ISO 27001 certification, an independent accredited certification body will carry out the Stage 1 and Stage 2 audits and, if no major nonconformities remain open, award certification. Certification is then maintained through surveillance audits over the three-year cycle.

3. What does an organisation gain from ISO 27001 compliance?

Given the rigour required to achieve ISO 27001 certification, it demonstrates to customers, regulators and partners that an organisation manages information security risk systematically and has a high level of risk management maturity. It is also frequently required as a compliance baseline in supplier contracts and procurement in many industries.

4. How long does it take to be certified to ISO 27001?

This depends on a number of variables, including the size and complexity of the scope and the maturity of existing controls. It can be anywhere between six and eight months for small organisations and between 12 and 18 months for larger enterprises.

Ready to begin your ISO 27001 certification journey?
