
What Are Other Standards? A Comprehensive Guide

ISO standards are internationally recognised guidelines and frameworks developed by the International Organization for Standardization (ISO) to ensure quality, safety, efficiency, and interoperability across various industries and sectors. These standards are designed to provide a common framework for organisations to follow, helping them improve their processes, products, and services while meeting regulatory and market requirements.

Key aspects of ISO standards include:

  • Quality Management (ISO 9000 series): This series, particularly ISO 9001, outlines the requirements for a quality management system (QMS) to ensure organisations consistently provide products and services that meet customer and regulatory requirements and enhance customer satisfaction.
  • Environmental Management (ISO 14000 series): These standards, such as ISO 14001, specify requirements for an environmental management system (EMS) to help organisations minimize their environmental impact and comply with applicable laws and regulations.
  • Information Security Management (ISO/IEC 27000 series): This series, including ISO/IEC 27001, provides a framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) to protect sensitive data and manage information security risks.
  • Occupational Health and Safety Management (ISO 45001): This standard outlines the requirements for an occupational health and safety management system (OHSMS) to improve employee safety, reduce workplace risks, and create better, safer working conditions.
  • Food Safety Management (ISO 22000): This standard specifies requirements for a food safety management system to ensure that food products are safe for consumption along the entire food supply chain.
  • Energy Management (ISO 50001): This standard provides a framework for establishing an energy management system (EnMS) to improve energy performance, increase energy efficiency, and reduce energy costs.
  • Social Responsibility (ISO 26000): This standard provides guidance on social responsibility, helping organisations operate in a socially responsible manner, taking into account ethical, environmental, and societal impacts.
  • Medical Devices (ISO 13485): This standard outlines requirements for a quality management system specific to the medical device industry, ensuring the consistent design, development, production, and delivery of safe and effective medical devices.

ISO standards are developed through a consensus process involving experts from various countries, industries, and stakeholders, ensuring that they are robust, relevant, and applicable globally. Organisations can seek certification to ISO standards from accredited certification bodies to demonstrate their compliance and commitment to best practices.

In the current digital age, maintaining the security of information has never been more important, but it has also never been more challenging. As such, organisations across every industry must find robust solutions for safeguarding their information assets against threats in order to avoid the potential financial, reputational and legal repercussions associated with information breaches. As ISO 27001 is the most recognised and widely regarded information security management standard in the world, implementing it offers the most effective method for protecting your information assets.

What Is ISO 27001?

ISO 27001 is the International Standard for Information Security Management. Effectively, it provides any organisation, irrespective of size or sector, with a framework and an approach to protecting one of its most important assets: its information. ISO 27001 is one of the most adopted and fastest-growing international management system standards.

As with all ISO standards, it has been developed by a panel of experts from across the globe and provides a specification for the development of a ‘best practice’ information security management system (ISMS) based on a plan-do-check-act continuous improvement cycle.

What is an ISMS?

An ISMS is a set of policies, processes and controls which are developed and implemented by an organisation to maintain the confidentiality, integrity and availability of its information assets (or ‘CIA’ – the core principles of information security). In effect, an ISMS outlines the approach you take to managing your information security. ISO 27001 provides a framework for how organisations can establish, implement, maintain and continually improve an ISMS that is aligned with best practice.

Key ISO 27001 Facts

It is a business management system standard (not an IT standard).

It provides a complete approach to information security – a set of policies, procedures, practices, and controls to protect the confidentiality, availability, and integrity of information.

It is based on the principle of continuous improvement – you may not be where you want to be on day one, but you are continuously reviewing and improving your position, as well as responding to ever-changing threats and opportunities, be they technical, organisational, human or societal.

It is a risk-based standard, involving a risk assessment to evaluate the impact and likelihood of a range of threats to your information assets.

Benefits of Implementing ISO 27001

Cost Effective Security

ISO 27001 provides you with the flexibility to implement the controls that are most applicable and relevant to your organisation, allowing you to maximise your budget and avoid unnecessary expense.  An effective ISMS can also reduce the costs of a security breach, both in terms of minimising the likelihood of one occurring and also enabling you to respond more effectively if one does occur.  In doing so, your organisation can reduce or avoid the associated negative impacts, such as fines, remediation costs and reputational damage.

Robust Data Protection

ISO 27001 takes a holistic approach to identifying all types of information (digital, hard copy, personal, company, financial etc.), comprehensively safeguarding data in each of these categories, particularly personally identifiable information (PII), and facilitating greater compliance with regulations such as the General Data Protection Regulation (GDPR).

Proactive Response to Security Threats

The ISMS central to ISO 27001 allows you to constantly adapt to the ever-changing threat landscape and keep abreast of changes to your organisation’s information security risks. As such, certification to ISO 27001 will help ensure your organisation is vigilant to, and responds to, wide-ranging threats (organisational, human, technical or societal) before they can result in an information security incident.

Improve Company-Wide Awareness

A key control of ISO 27001 is the requirement to provide staff and relevant interested parties with appropriate information security awareness, education and training, along with regular updates on all the critical policies, processes and procedures. Through a continuous awareness and training campaign, you are able to truly embed information security into your organisation’s ‘business-as-usual’ (BAU) operations and enhance your culture.

Ensure Compliance Across your Organisation

ISO 27001 ensures that you identify and meet the requirements surrounding the privacy and protection of PII according to applicable laws and regulations, such as the GDPR, by providing you with a framework for identifying and protecting the sensitive information your organisation stores and processes.

Demonstrate your Commitment to Information Security

Certification to ISO 27001 provides reassurance to your clients and all relevant stakeholders (internal and external) that you take information security seriously, particularly if you are handling their data.  ISO 27001 certification is often specified on tenders and by prospective clients in contracts, and as such, it can provide you with a competitive edge and differentiator in the marketplace.

Contact the ISO 27001 Experts Today

Having assisted over 400 organisations to implement an ISMS and then achieve ISO 27001 certification since the Standard’s establishment in 2005, we at URM are the ideal experts and partners to help you certify.  With our fully-tailored approach, we can support you through each stage of the ISO 27001 management system lifecycle, offering guidance specific to your organisation’s unique requirements.  

Get in touch with our information security experts today to find out more.


ISO 27001 Certification

  • ISO 27001 certification signifies conformance with the International Standard for Information Security Management.
  • It demonstrates that an organisation has implemented an information security management system (ISMS).
  • An ISMS is aimed at ensuring the ongoing confidentiality, integrity, and availability of information assets.
  • Certification involves a thorough assessment by an accredited certification body (CB). The United Kingdom Accreditation Service (UKAS) is the national accreditation body for the United Kingdom and accredits certification bodies such as BSI.
  • The two-stage certification assessment verifies that the organisation's management system meets ISO 27001 requirements.

How Long does ISO 27001 Certification Last?

An ISO 27001 certificate, which is issued by an accredited certification body, lasts for three years, after which it will need to be renewed.  Continued certification, however, is conditional on the effective ongoing operation of the ISMS.

The chosen CB will conduct annual (or six-monthly) continuous assessment visits (CAVs) and, if the ISMS is not operating effectively and timely action is not taken to address this, certification may be withdrawn.

How Much does ISO 27001 Certification Cost?

There are typically two principal costs involved in achieving certification: that of the certification body and that of the consultancy organisation. Certification costs depend heavily on the size and complexity of the organisation (e.g., number of sites). Consultancy costs depend heavily on the availability and expertise of the internal resource available to support the project, along with the existence and maturity of any ISMS information security controls. Such controls may be technical (network security, cryptography, malware protection), organisational (policies, processes, access control), human (screening of applicants, awareness training, disciplinary process) or physical (perimeter security, clear desk/clear screen and secure areas).

Where organisations do not have the internal resources, they may choose to engage expert consultancy support, such as our expert team at URM which has supported over 400 successful certification projects.

ISO 27001 Gap Analysis

A gap analysis is an evaluation of your current information security practices against the requirements of ISO 27001.  It can be a simple and effective way of identifying at a high level both from a management system and control perspective the areas in which you are already meeting the requirements of ISO 27001, and those areas which may need further attention to achieve conformance.  URM typically conducts gap analyses through interviews with key staff, observation of activities during a site tour and inspection of documentation and evidential records.  A gap analysis will enable you to:

  • Understand ISO 27001 requirements
  • Assess current practices and processes against the mandatory clauses 4-10
  • Assess any gaps in control implementation
  • Identify gaps and deficiencies
  • Determine the next steps and develop an action plan to address any gaps.


How to Become ISO 27001 Compliant

  • Define the scope of your ISMS
  • Engage senior leadership/management and obtain their buy in
  • Conduct a risk assessment and formulate a risk treatment plan
  • Prioritise and implement the required controls, practices and processes to address any identified risks
  • Understand the competencies required for key information security roles and address any gaps
  • Implement a security awareness programme
  • Monitor and measure the effectiveness of your management system
  • Continue to review and re-assess risks to your information assets.

ISO 27001 Solutions & Products

One of the key requirements of ISO 27001 is the need for a robust risk assessment which can produce repeatable and comparable results. With its proven, best practice methodology, URM’s information security risk management software, Abriska 27001, enables you to meet this requirement. We can also assist you to increase awareness among your staff with our expertly designed and engaging learning management system (LMS), Alurna.


ISO 27001 & InfoSec Training Courses

Our information security and ISO 27001 training courses can help you learn how to effectively manage information security.  Our Certificate in Information Security Management Principles (CISMP) training course will prepare you to take the BCS (Chartered Institute for IT) administered exam, enabling you to gain an industry-recognised qualification.  Meanwhile, our Introduction to ISO 27001 Course and ISO/IEC 27001:2022 Transition Course will significantly enhance your ISO 27001 knowledge and professional skillset.


Why URM for ISO 27001?

Track record

URM has a 17-year track record of providing high-quality consultancy and training support, assisting organisations to improve their information and cyber security, as well as their information governance posture and capabilities. A particular niche skill is helping organisations to conform or certify to ‘best practice’ international standards such as SOC 2 and ISO 27001. URM is particularly adept at developing existing frameworks to meet the requirements of these standards, or building on existing ISO 27001 ISMSs to achieve NIST conformance. Having assisted over 400 organisations to achieve world-recognised standards, URM has worked with organisations of all sizes, from micro businesses to multi-national organisations, and from all the major market sectors.

Tailored approach

URM is renowned for adopting a highly tailored and bespoke service where its consultants are constantly striving to deliver sustainable solutions that meet both the current and future needs of the client organisation.

Flexible delivery

When transferring knowledge on meeting the requirements of NIST, URM can deliver this through various delivery mechanisms, i.e., through one-to-one support, workshops or training courses.  Furthermore, when delivering remediation services to address gaps, URM’s support is tailored and flexible, based on the client’s requirements, internal knowledge and available resources.  Support can be delivered on an activity-per-activity basis or where a consultant is allocated on a recurring basis, e.g., 1 day a week.   As such, the engagements help to ensure that remediation activities are followed through, remain compliant and that sufficient evidence for the audit is generated.

ISO 27001 Consultancy Services

Webinars & Events

URM has gained a reputation as the preeminent UK provider of live webinars, aimed at delivering valuable and practical insights to organisations looking to improve their information security, risk management, data protection etc. The webinars are delivered by our senior consultants, who share hints and tips on topics such as certifying to ISO 27001 and Cyber Essentials, and complying with the GDPR. All of our webinars are completely free to attend, and include an opportunity to ask questions at the end.

Webinar: Transitioning to ISO 27001:2022

This webinar is unique in that it brings together BSI, the UK’s leading certification body, and URM, a leading ISO 27001 consultancy organisation.

Webinar: Transitioning to ISO 27001:2022

URM shares its experiences of transitioning from the 2013 to the 2022 version of the ISO 27001 Standard.

Webinar: ISO 27001 vs SOC 2

In this webinar, URM will be sharing its extensive experiences of supporting organisations to certify/attest to these two standards.

ISO 27001 FAQs

How long does it take to implement ISO 27001?

There is no straightforward answer to this question as it depends on the size and complexity of your organisation, what systems and processes are already in place and what resources are available.  However, in URM’s experience it typically takes between 6 and 9 months for a small, low complexity organisation to fully implement ISO 27001.  

With larger, more complex environments, 9 to 18 months is closer to the norm for fully establishing an ISMS. This naturally assumes that the appropriate resources are made available to achieve the desired outcomes.

Apart from the existing maturity of operational practices and controls and the availability of in-house resource, another key determinant of how long an ISO 27001 implementation will take is the support and involvement of senior management. URM has seen organisations achieve very aggressive timescales in implementing and achieving ISO 27001 certification where senior management has prioritised the project, often associated with being awarded a significant client project.

Is there a legal requirement to comply with or be certified to ISO 27001?

There is, generally, no direct legal requirement for compliance as such, which is why many people choose to use the word conformance rather than compliance. Organisations choose whether or not to implement the requirements of ISO 27001 based upon the benefits that would be gained by doing so. However, you should pay close attention to any contractual obligations you may have for protecting the information of clients and other stakeholders.

There is an increasing trend where customers require third party suppliers to implement or certify to ISO 27001, thus making it a legal requirement, by virtue of a contract.

What does ISO 27001 require you to do?

A key requirement of ISO 27001 is that you adopt a risk-based approach when implementing your ISMS.  You are also required to ensure that certain processes are in place to ensure effective and proactive management and continuous improvement.  

These requirements are broken down into 7 major clauses, which deal with context of the organisation, leadership, planning, support, operation, performance evaluation and improvement. These clauses are consistent with other ISO management system standards such as ISO 9001 and ISO 22301, and are known as the harmonised structure.

When was ISO 27001 last updated?

The current version of the Standard, ISO/IEC 27001:2022 replaced the 2013 version of the Standard on 25 October 2022.  As of 1 May 2024, all initial and recertification assessments must be conducted against ISO 27001:2022 and, on 31 October 2025, all ISO 27001:2013 certificates will be withdrawn.  Whilst the management system clauses received a relatively minor makeover in order to harmonize ISO 27001 with other standards, the information security controls contained within Annex A were completely restructured with some controls being merged with others as well as 11 new ones being introduced.


Speak to ISO Standards Specialists

Our ISO certification track record is second to none with over 400 successful certifications and no failures.  We also guarantee you a successful result should you engage URM to help you achieve your certification.

Speak to one of our experts for more information on how we can help you certify. Simply call 0118 206 5410 or request a call back using the form below.

ISO 42001 Artificial Intelligence Impact Assessments (AIIAs)

URM’s blog explores artificial intelligence impact assessments (AIIAs) and offers advice on how to conduct these assessments in full conformance with ISO 42001.

ISO 42001 and AI Perspectives

URM’s blog explores ISO 42001, its intentions and structure, and the AI perspectives that will need to be considered by organisations implementing the Standard.

ISO and IAF add Climate Change Considerations to 31 Management Systems Standards

On 22 February 2024 ISO and IAF released a joint statement relating to an amendment to a total of 31 existing Annex SL management system standards.

A Comparison of ISO 9001 and ISO 27001

URM’s blog compares the management system clauses of ISO 27001 and ISO 9001 to identify integration opportunities.
“Without URM, Havas People would not have achieved its certification goals.”
Director, Havas People