HELP! my customers ask for an ISO 27001 certificate

Download the pdf here

The focus on cyber security has been on the rise in the last few years. Naturally so, considering the amount of cyber attacks and data leaks/breaches. Where first you had to watch out for some basement hackers, 15 years later large criminals networks have emerged. The damage that is caused leads to astronomical amounts of financial loss. Your customers see this too, so there are increasing demands on the security level of suppliers. And requiring an ISO 27001 certificate has become almost standard among medium-sized companies.

But where do you start? How do you make sure that the amount of time and effort spend on getting that certificate is in line with the goals of the organization? In this article we’ll explain how you can approach a certification process in a practical way without too much effort.

Why are you doing it?

In the introduction we mentioned the financial loss that comes with getting hacked. It’s therefore no surprise that we regularly see that organizations want an ISO certificate for commercial reasons. This is a good starting point because it involves an investment in time and money, so there should be benefits against the costs incurred. But when it comes down to it, an ISO certification is for you and not necessarily your customers. Protecting the data of the organization and of your customers is essential to the success of the organization. Here we keep in mind that for any measure, the cost-benefit analysis has to be right.

Determine the scope

A key point within a certification process is determining the scope. Wat exactly do you want to certify? What exactly do you want to certify? This depends very much on the first question: “What are you doing it for?”. If you only process external data within a specific service, you can choose to certify only that service. Do remember that the scope will be stated on your certificate, and if you choose to certify only one service, your certificate is limited applicable. A counterargument is that if you choose to place the entire organization in the scope, a lot of effort will have to be made. This must also fit into the cost/benefit picture.

Management system

If you’ve ever dug into the concept of an ISO certificate, you already know that it’s a management system. This is what gets certified In essence, this management system is the same across all types of certification with some nuance differences. It’s all about being able to demonstrate that management pays attention to the specific subject (Information security, quality, privacy, etc.). It is also important that in the case of ISO 27001, you can demonstrate that information security is specifically addressed within the processes and that this is made measurable. This is in fact the core of the certification.

Implementation process

To keep the chance of getting certified realistic, we think that you need at least 6 months to get everything in order and to collect sufficient demonstrable evidence of the operation of the management system. But in most cases, we see that organizations take a year for the entire process. More time gives more breathing room and ensures that you don’t have to implement too hastily.

The implementation process has an x number of steps, which we briefly explain below:

Determine the scope:
We’ve covered this before, but the rule of thumb is that it should fit the “why” question. It’s important that you can explain why this scope has been chosen, and that management approves it.

Determine the context:

From the scope, you can determine the context of the management system. Consider here the organizational structure, internal and external stakeholder and what laws and regulations apply. The outcome of this process will be entirely different for a service than for the entire organization.

Make an inventory of what information is important:
To be able to protect the information of the organization and/or customers, you first need to know what information there is. You’ll have to make an inventory of what information is available. As soon as this is clear, you perform a Business Impact Analysis (BIA). In the BIA you see how much impact an incident with that data would have for the organization. This gives the opportunity to prioritize measures based on the BIA score. You then do a vulnerability analysis, looking in detail at the likelihood of an incident and how vulnerable the information is. If you multiply the three numbers together, you get a risk number. You will also use this number later to prioritize the improvement actions.

Provide consultation structures:
The ISO 27001 standard has several mandatory consultation structures, which must take place and be listed to demonstrate that attention is paid to information security. The agenda of these meetings must contain several mandatory subjects (Incident, improvement actions, internal audits, etc.)

Internal Audits:
Make sure there’s a multi-year plan for internal auditing of the various subjects from Annex A (later more on that). Someone will also have to be appointed as an internal auditor and preferably this person should be independent. In small organizations it’s often still okay to wear two hats, so to speak, but try to prevent a conflict of interest.

Define security controls:
This is where the Annex A shows up. The Annex A is a list with security controls that you can apply. The ISO 27001 only indicates the topics and you, as a company, may specify this yourself. A further elaboration of these topics is described in ISO 27002. You may also define your own controls, but it is preferable to use the ISO 27002 as a guideline because external auditors do use the control texts as a guideline. It isn’t mandatory to apply all the measures from Annex A, but the certificate does include a statement of applicability, so if you do not apply them, this will be stated as part of the certificate.


Plan-Do-Check-Act, the main mantra of ISO 27001 (and many other standards).The aim is that all measures do not have to be perfect now, but you are able to demonstrate that you are constantly trying to improve. This ensures that you’re able to make a realistic and feasible planning. Not everything has to be perfect, but at least there’s a plan. Another aspect is that you also must incorporate advancing insights into this. If, for example, measures don’t work or don’t work enough, or take too much time making it unfeasible, this needs to be identified and a plan drawn up on how and when to improve it.


This is in broad outlines how you work towards an ISO 27001 certification. There are a few more details involved, but that is a bit too much for a blog. Are you curious about these details, or do you have questions? Please contact us, we’re happy to answer all your questions!

Download our ISO 27001 brochure

All the information about an ISO 27001 process in one practical overview? Download the ISO 27001 brochure below.