ISO 27001 FAQs: Frequently Asked Questions

As cyber security experts we’re often asked about the standards and accreditations that organisations can keep and use to stay safe from cyber attacks. We’ve put together an ISO 27001 FAQs guide for one of the most popular information security standards!

Check out our most frequently asked questions (FAQs) for an ISO 27001 certification as it may just answer some questions within your organisation!

iso 27001 certification logo

What is ISO 27001?

ISO 27001 (ISO/IEC27001:2013) is an international standard for the best practice of an ISMS (information security management system). The standard is well recognised across the world, ranking as one of the most popular global information security standards. An ISO 27001 certification demonstrates that you can protect your data systems and information assets and keep them safe and secure.

The accreditation is earned by an organisation showing that they can protect employee information, manage information security risks and achieve compliance with well-known regulations such as the GDPR (General Data Protection Regulation). Controls will need to be selected from the Annex-A standard which will need to be implemented after a risk assessment has been completed for the organisation. Although, some information security controls from the standard may already be in place within the organisation which will need to be evidence in the Statement of Applicability (SoA).

Check out the rest of our ISO 27001 FAQs…

How many controls are in an ISO 27001 certification?

There are 114 controls in total from the Annex A 27001 standard, which are separated into 14 different categories. Organisations are not expected to implement all 114 controls, the controls are just possibilities to choose from and only the most suitable ones will be selected to meet the requirements of your organisation.

This guide to adopting ISO 27001 details the 18 groups of controls and helps you get to grips with the basics of ISO 27001 and ISMS.

Who is applicable for an ISO 27001 certification?

Any organisation who is looking to improve information security within their organisation is applicable for an ISO 27001 certification. The certification plays a key role in improving an organisations information security defence and is the best practice for developing an ISMS (information security management system). This is a widely accepted standard within all industries – therefore businesses of any size or industry are applicable go forward with the standard.

Which countries use ISO 27001?

ISO 27001 is an internationally recognised standard which is accepted in all countries around the world; all ISO standards are globally recognised.

How much does ISO 27001 cost?

The cost of an ISO 27001 certification is dependent on the site of the organisation, the scope and which certification body is appointed. A scoping discussion will first take place to understand the business needs and what the business wants to implement for ISO 27001. A gap assessment is undertaken upfront to determine the scope, create a plan and quote the cost for the whole project.

How are ISO 27001 and ISO 27002 different?

ISO 27001 – which is the worldly recognised standard, is the information security standard which organisations certify too. On the other hand, ISO 27002 is a supplementary standard which provides in-depth advice and guidelines on how to implement the Annex A controls, listed in ISO 27001. Put simply, ISO 27002 details the Annex A controls listed in the ISO 27001 standard in more-depth and helps organisations to consider what they need to put in place to meet ISO 27001 accreditation requirements.

The relationship between ISO 27001 and ISO 27002

ISO 27001 uses the information security controls listed in ISO 27002 to suggest the potential controls which could be implemented as part of developing an ISMS (information security management system). The ISO 27001 standard provides a brief overview of the controls which can be chosen for multiple aspects of an ISMS. Many organisations who certify against ISO 27001, also use ISO 27002 as a guidance document to gain knowledge of the appropriate controls and how to implement them.

It is important to understand that you cannot certify to the ISO 27002 standard, as the organisation would be certified against ISO 27001 and ISO 27002 used for implementation guidance of the controls. Compliance with the ISO 27002 is considered as less value compared to an ISO 27001 certification as without a risk assessment or ISMS implemented, as well as the chosen controls – it is worth little.

What does ISO 27001 bring to an organisation?

An ISO 27001 certification brings multiple advantages to an organisation, as well as increasing business reputation. A certification shows your customers, clients or third-party vendors that you take their information security seriously, providing confidence to them whilst they invest in you. A massive benefit which ISO 27001 brings to an organisation is risk management against cyber-attacks and threats. An information security management system means that your organisation follows a set of documented procedures to protect information on all levels of the business.

The ISO 27001 accreditation also means that within your business you have the confidence and assurance in your information security arrangements. This helps protect business reputation and ensures that internally, the relevant people know how to deal with an unfortunate cyber incident.

planning isms

We hope you found our ISO 27001 FAQs guide useful, and answered any question’s about the ISO 27001 certification within your organisation you may have. If you would like to speak to a consultant about certifying please contact us on 0203 728 6555 or e-mail us at

Looking to become certified? Our ISO 27001 Services...

Design & Implement ISMS

A simple, well-designed Information Security Management System based on ISO 27001 is a practical management tool to help you stay on top of information security risk, not only within the organisation itself, but also throughout its supply chain. The objective of a ISMS is to effectively manage an organisation’s sensitive data and reduce risk in event of a security breach.

ISO 27001 Scope Extension

Many organisations start small with ISO 27001 by only including specific areas in the scope of the management system.  However, business needs and ever-evolving security threats often lead to a requirement to extend the scope of the ISMS to other areas of the business. An ISO 27001 compliant ISMS allows you the flexibility to extend the scope to meet changing information security needs.

ISMS Audits

Maintaining a capability for performing your own internal audits is often expensive and strenuous, and may place additional pressure on staff that have been allocated as internal auditors, especially if this is not their only role in the business. Engaging an external information security consultancy for your internal audits addresses these challenges and you gain expertise of information security experts to drive improvement and compliance within your ISMS.