10 things I wish I knew: Starting your ISO 27001 project on the right track

Starting an ISO 27001 certification journey can feel overwhelming. Standard, requirements, controls, auditors, certification... Don't let these fancy words get you down!

Ultimately, becoming ISO 27001 certified is a fairly clear-cut project. It even comes with a ready-made document that describes all the requirements! When it succeeds, it leaves you with an ISMS, and running it becomes a natural part of your organization.

At Cyberday, we've been ISO 27001 certified since 2021, and we've helped hundreds of customers (of all sizes and industries) reach the same goal.

This has let us gather plenty of lessons that can be useful - especially for an ISMS admin. Here are the ten key things I wish I had known before we got started.

Some background from Cyberday Inc.

For me, the journey into the fascinating world of information security frameworks started back in 2017. GDPR was a thing then, ISO 27001 was a thing... and new frameworks kept being created.

We started by digging deep into the ISO 27001 standard, trying in particular to understand the concrete things you can do to become compliant with its requirements and implement its controls.

We've since expanded the framework coverage in Cyberday to 35+ security frameworks. What we see continuously is that all the different security frameworks share the same core. They all talk about backups, personnel awareness, risk management, asset management, and so on - with slightly different priorities. You shouldn't see compliance with different frameworks as separate efforts - but as different priorities within building your organization's own information security management.

This is what we nowadays aim to do through Cyberday - help you simplify good information security management and compliance, and save your sanity in the process.

1. ISO 27001 is a project - just like any other

Information security standards can sound a bit daunting. Especially for other people in your organization, whom you will at some point need to bring along in the process.

Still, you should approach ISO 27001 like any other business project:

  • Understand what’s required.
  • Implement what’s needed.
  • Don’t outsource the understanding of the standard — it's where a lot of the real value lies.

ISO 27001 has 22 requirements and 93 controls, and making sense of these in your context pays off. Buy the standard and understand its contents.

You should aim high, but also always keep things practical. Understanding the standard helps you avoid overkill and ensures you end up with an ISMS that's relevant - one you actually want to keep running and improving after the initial certification.

2. The timeline is a mystery at first

How long will certification take? It depends. For some, it’s two weeks. Others need two years — or never get there. Most can do it in a few months.

The timeline depends on:

  • Organization's scope: How broad are your activities?
  • Starting information security maturity: Have things previously been written down? Have you used some best practices to benchmark your measures against?
  • Resources: How clearly can you define the team needed for the project?
  • Tools: Do you use a smart ISMS system, or do things in a more manual way?

If you start smart by first understanding the standard and then comparing ISO 27001 against your current measures, you’ll get a good feel for the road ahead.

This way you can build a shared understanding of the needed work and timeline in your organization.

3. Don’t skip defining your goals

Make sure that especially you and your top management have a common understanding of why you're doing ISO 27001. Is it...

  • to improve information security?
  • to meet customer requirements?
  • to stand out from competitors?
  • or all of the above?

These are not small goals, but they are usually the ones pursued with ISO 27001 certification.

When the goals are big, the effort needs to match. ISO 27001 can get hard if you expect it to be easy.

Make sure especially your top management and the needed ISMS team are aligned on the goals, so you can also create a realistic understanding of the needed effort.

Your top management is a key player in securing the resources to reach these goals. Without their support, the project can lose momentum when things stop being easy-peasy.

And remember - no matter how many hours you spend on your ISMS, other people in your organization won't suddenly start caring about ISO 27001. They need to understand the goals and see the relevance in order to commit.

4. You can have 3 or 30 policies - it’s your decision

In information security, documentation is essential, but there's no reason to make it overwhelming.

Usually things simply get implemented better if you clearly define them and write them down. This also ensures you can audit, review, and improve them. Some key documents (e.g. the Statement of Applicability (SoA), the risk management procedure, the ISMS description) are mandatory requirements in ISO 27001, but there aren't many of these.

When documenting information security, always favor clarity and fitness for purpose over length.

  • Keep documentation practical and maintainable.
  • Use smart formats (e.g. tasks) - not everything needs to be a 10-page Word policy.
  • Avoid overly complex or copied security policies - they scare people off and make the ISMS irrelevant for your organization.

The ISMS admin should always act as a filter to keep things simple and relevant.

5. No one gets a medal for perfect control implementation

Yes, most of the controls in ISO 27001 are relevant. The standard is built by very smart people and has been battle-tested over the years by hundreds of thousands of organizations. So take the controls seriously.

But there are different levels of implementing the controls. The ISO 27001 standards provide a lot of implementation guidance, and this should be seen as example best practice. Not everything needs to be textbook on day one, and you should use risk-driven thinking to find the appropriate level for you.

  • A risk-based lightweight implementation can be more defensible than totally excluding basic controls.
  • Avoid overusing “Not applicable” - it always needs a solid justification.
  • You’ll find improvements to your control implementation naturally over time.

6. The ISMS admin role can feel lonely

Because ISO 27001 can be a bit scary, the ISMS admin might feel like they’re alone in this. Other people might not be so interested in diving as deep into security standards - especially if they don't see the relevance from your organization's point of view.

There are a couple of key things that will help you a lot though. Focus on good role definitions in the beginning - this is a critical part of building an ISMS.

Set clear roles, related authorities and competences at least for:

  • ISMS admin (probably you)
  • CISO (can also be you, or, in larger organizations, a separate role)
  • HR / personnel awareness responsible
  • Risk manager
  • Technical security responsible
  • Physical security responsible

These people will be supporting you and working together with you. And if the only name you can find for all these roles is your own, that is a signal that your organization should probably commit more people to some of these areas - at least in the near future.

And don’t forget top management’s active role (ISO 27001 clause 5). They're needed in supporting the progress, reviewing things from their perspective, defining objectives and related resources, and so on.

ISO 27001 is about building a culture, it’s not “just an IT thing.” And culture is built through people. You need the people along, and a relevant ISMS helps you get them there.

In a smart ISMS tool (such as Cyberday), you can create roles and assign ownership easily.

7. Auditors are (busy) people too

If you want to get certified, book your auditor early. Their calendars can fill up months ahead.

When you're going through the audit:

  • Don’t aim for perfection. Perfection is not expected.
  • Be transparent, clear, and honest, to get the most out of audits.
  • Focus on learning and improving - audits are most valuable when used as tools for progress.

Good auditor collaboration (in both internal and external audits) can be really valuable in finding the most important areas of your ISMS to improve.

8. The worst thing is doing unnecessary work

To avoid this, your risk management process should steer the ship in the right direction.

Running information security risk management is a key process in ISO 27001. But you should approach it the right way:

  • Don’t overcomplicate it, but avoid generic risk lists.
  • Use risk management to ask your organization: are we happy with our current security level, and where do we see the biggest threats?
  • Prioritize clarity early, then deepen your approach over time.

Risk management evolves with your ISMS and becomes even more important as your ISMS matures - it's definitely not a one-time exercise in Excel.

9. Certification is just the beginning

The real work starts after you’re certified.

  • Keeping the ISMS up-to-date
  • Doing management reviews and internal audits
  • Training your employees
  • Continuously improving your information security

Done right, ISO 27001 becomes a key part of your organization’s DNA - ensuring mature security practices, not just checking boxes.

An important tip: keep focusing on the core clauses of ISO 27001 (4-10) after your initial certification too. No matter how fancy the anomaly detection or other technology you've built, your ISO 27001 auditor will always pay the most attention to these mandatory requirements of the standard.

10. A good tool can save your sanity

Doing everything manually equals pain in the long run. It becomes really hard to monitor or improve your ISMS from static documents.

A modern ISMS tool will help you by:

  • Clarifying what’s required
  • Supporting team collaboration
  • Automating documentation and reporting
  • Helping you demonstrate that your system is being maintained and improved

Still, the tool is just a helper. You still need to make sure you're doing things that are relevant for your organization and fit for purpose.

Bonus: want to learn more about ISO 27001?

Hopefully these learnings can help you get started with ISO 27001 on the right track.

If you'd like to learn more from different perspectives, we’ve compiled a collection of helpful resources for you:

📚 ISO 27001 resource collection

🔗 ISO 27001 compliance & certification checklist

Or reach out to us directly - we’d love to share more about our experience and help you on your journey.
