ISO 27001 Certification

ISO 27001 certification is a formal third-party confirmation that your organisation's information security management system (ISMS) meets the requirements in the ISO/IEC 27001 standard. A certificate signals to customers, partners and regulators that your organisation takes information security seriously and has documented processes in place.


    What is ISO 27001 certification?

    ISO 27001 certification documents to the outside world that your organisation has built and operates an information security management system (ISMS) that meets the international standard ISO/IEC 27001. The certificate is issued by an accredited certification body (e.g. Bureau Veritas, DNV, SGS or TÜV) following an external audit; accreditation means the certification body is itself audited by a national accreditation body, which is what gives the certificate its weight.

    In Denmark and the Nordics, we see increasing demand for ISO 27001 certification, particularly from B2B companies delivering digital services and from suppliers to public institutions and large enterprises.

    The certification process

    A typical certification process proceeds through these phases:

    • Phase 1 -- Gap analysis: Map the difference between your current state and the requirements of ISO 27001 (clauses 4-10 and the Annex A controls).
    • Phase 2 -- Implementation: Define the ISMS scope, conduct the risk assessment and risk treatment, implement the selected controls, and prepare the documentation, including the Statement of Applicability.
    • Phase 3 -- Internal audit: Conduct an internal audit of the ISMS and address any non-conformities found.
    • Phase 4 -- Management review: Top management reviews the ISMS's performance and results and records decisions on improvements and resources.
    • Phase 5 -- External audit: The certification body conducts the Stage 1 and Stage 2 audits.
    • Phase 6 -- Certification: The certificate is issued, valid for three years subject to annual surveillance audits.

    Stage 1 and Stage 2 audit

    Stage 1 (documentation audit): The auditor reviews your documentation and assesses whether the ISMS is sufficiently planned and documented to proceed to Stage 2. The focus is on the ISMS scope, policies, the risk assessment and risk treatment plan, and the Statement of Applicability. Stage 1 typically ends with a list of areas of concern that should be resolved before Stage 2.

    Stage 2 (implementation audit): The auditor visits the organisation and verifies that the controls are actually implemented and operating in practice. Interviews are conducted with staff and management, and evidence of implementation (records, logs, configurations, access reviews, completed internal audits) is sampled and checked.

    Non-conformities and observations:
    The auditor may raise non-conformities and observations. A major non-conformity (a requirement not met, or a systematic failure of a control) must be corrected, and the correction verified, before the certificate can be issued. A minor non-conformity (an isolated lapse) normally requires a corrective action plan accepted by the certification body, with closure verified at the next surveillance audit. Observations (opportunities for improvement) are improvement points with no requirement for immediate action.

    Maintaining the certificate

    An ISO 27001 certificate is valid for three years but requires ongoing maintenance:

    • Surveillance audit (years 1 and 2): Shorter audits that verify the ISMS continues to operate effectively and that open non-conformities from earlier audits have been closed.
    • Recertification audit (year 3): A full audit equivalent to the initial certification, conducted before the current certificate expires.
    • Ongoing: Internal audits, management reviews and risk assessment updates must be conducted at planned intervals (at least annually in practice), and the records must be available to the auditor.

    Frequently Asked Questions about ISO 27001 Certification

    What is ISO 27001 certification?

    ISO 27001 certification is a formal confirmation from an accredited certification body that your organisation's ISMS meets the requirements in the ISO/IEC 27001 standard. The certificate is typically valid for three years with annual surveillance audits.

    How long does it take to achieve ISO 27001 certification?

    For most SMEs, it typically takes 6-18 months from start to certificate. The timeframe depends on the organisation's size, complexity and existing security maturity.

    What does ISO 27001 certification cost?

    Costs vary considerably depending on the organisation's size and scope. For a smaller company, the total process can typically cost between GBP 15,000 and GBP 50,000, including internal staff time, possible consultancy support and the certification body's fees.

    What is the difference between Stage 1 and Stage 2 audits?

    Stage 1 is a documentation review where the auditor checks that the ISMS is sufficiently planned and documented. Stage 2 is an implementation audit where the auditor verifies that controls are actually implemented and operating in practice.

    How is the certificate maintained after it is issued?

    The certificate requires annual surveillance audits in years 1 and 2, and a full recertification audit in year 3. The organisation must also conduct regular internal audits, management reviews and risk assessment updates throughout the three-year cycle.
