10 Frequently Asked Questions about ISO 27001 Certification

ISO27001 Information Security FAQs

The following is a list of some of the questions that we most frequently get asked about obtaining ISO 27001 certification - and some quick answers. Contact us if you would like more details or have any specific questions.

  1. What is ISO 27001?
    ISO 27001 is an international standard that specifies the requirements for an ISMS (information security management system) in the context of an organization's risks. It specifies requirements for implementing information security controls, and it is the standard against which organizations can become certified. It can apply to any type of business.
  2. What are the benefits of complying with / certifying to ISO 27001?
    It seems that every other day another information security incident makes the news. Now, smart organizations are implementing an ISMS to preserve the confidentiality, integrity and availability of their information. An ISMS should lead to improvements in security processes and controls and more effective risk management. While there are alternatives, the ISO 27001 standard provides the most widely accepted model for an ISMS.
  3. Can we comply with ISO 27001 without being certified?
    Your ISMS can be developed to comply with the requirements of the standard without being certified. However, the question is what assurance your directors, management, clients and any other interested parties then have that it is actually fully compliant. ISO 27001 certification provides the best assurance for your organization’s systems and the information under its control.
    Increasingly, certification is also becoming a contractual obligation and may be a requirement to be considered for certain tenders.
    Subjecting your ISMS to regular external audits will also help to lock in good practice and lead to continual improvement.
    Certification would entitle your organization to use the certification body’s approved logo in marketing material for enhanced brand reputation.
    Certification may also increase your organization’s market value.
    For validity, certification should be sought from an accredited certification body. QCL can conduct your ISO 27001 audit under our partner SciQual International's accreditation with JAS-ANZ, which is an IAF-approved accreditation body. This is the gold standard of accreditation, and certificates issued are valid globally.
  4. What is the difference between ISO 27001 and 27002?
    ISO 27001 is the standard that specifies requirements and against which organizations can become certified. You cannot get certified to ISO 27002 because it is not a certification standard. It is essentially a guidance document and provides a great deal of useful detail for implementing the controls in ISO 27001.
  5. How can we achieve certification?
    The first step is typically for a Gap Analysis to be conducted. QCL or one of its partners can do that for you - or you can choose to do it yourself. Your ISMS should then be established, documented, implemented and maintained to address the gaps identified and meet the applicable requirements of ISO 27001’s 7 clauses and 114 controls as applicable. To achieve certification, the ISMS must be successfully audited by an auditor or auditor team belonging to a certification body. There must be no major nonconformities (e.g. the absence or significant failure of a major system element). A small number of minor issues would not normally prevent certification.
  6. What are the different stages of certification?
    There are 2 stages:
    - Stage 1 is to establish whether the organization is ready to proceed to the certification audit. This typically takes just 1 or 2 days.
    - Stage 2 is the main certification audit. Its duration will vary with the complexity of your business, and we advise the duration in our proposal. This will take 4 days or more.
    You then maintain and improve your ISMS over time. Your system would also be subject to surveillance audits by QCL (typically on an annual basis).
  7. What is the cost of certification?
    The cost will depend on the size of your organization, risk and other factors. We will gladly provide you with a competitive, no-obligation proposal.
  8. How long would it take to get a proposal for certification?
    With the required information, we can provide an estimate in 2-3 business days. Please allow 5 business days for a formal proposal to allow for our internal quality assurance checks.
  9. We are already certified. What are the advantages of transferring from our existing CB (certification body)?
    If you are satisfied with your existing CB that's great, but QCL can offer a fresh, client-friendly approach to auditing:

    • We guarantee a simplified certification process
    • We will be responsive from your first contact with a dedicated Client Manager allocated to you.
    • We will be flexible in meeting your needs.
    • Our auditors are pragmatic and seek to add value to your business.
    • A significant number of our management system auditors can conduct integrated audits of management systems across multiple topics.
    • Where appropriate, we will use technology to incorporate a degree of remote auditing to save you costs and minimise interruptions to your busy work schedule.
    • Unlike many certification bodies, Qudos charges no mark-up on travel costs.
    • Qudos exclusively offers its clients free access to Qudos Club – a huge, online resource centre that will help you understand relevant ISO requirements and develop, update or expand your management system with confidence - saving time and money. Qudos Club includes information and resources for all of our certification topics - ISO 9001 Quality, ISO 14001 Environment, ISO 45001 OHS, ISO 27001 Information Security.
    • QCL, through our partner SciQual International, can offer fully accredited certification to ISO 9001 Quality, ISO 14001 Environment, ISO 45001 OHS and ISO 27001 Information Security - not all CBs can offer that.
  10. Do we have to wait until re-certification time to transfer?
    No. In most cases, you can transfer from your existing certification body at any time - you don’t have to wait until re-certification is due. We will handle the certification arrangements for you. Contact us to find out how.