ISO/IEC 27001 Information Security Management System

What is ISO/IEC 27001 and who is it for?
ISO/IEC 27001 is the international management system standard for information security. It provides a robust framework for organizations to manage risks associated with information security and keep sensitive information safe.
The standard is jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Since its first iteration, in the mid-1990s as BS 7799, the standard has evolved rapidly over time to keep pace with an increasingly digitalized world and the corresponding growth in cyber threats.
ISO/IEC 27001 offers a high degree of flexibility that allows organizations of all sizes and industries – whether commercial enterprise, government agency or a non-profit organization – to adopt the standard and reduce information security risks. Currently, there are more than 47,000 valid ISO/IEC 27001 certificates that have been issued by accredited certification bodies such as NSF.
What are the benefits of ISO/IEC 27001 certification?
ISO/IEC 27001 takes a comprehensive, risk-based approach to managing information security. In so doing, it ensures organizations are able to build resilience against, and preparedness for, existing and emerging cybersecurity threats. It is widely considered the gold standard for effective information security. As such, it brings many benefits for those organizations who achieve certification, including:
- Increased trust in the business
- Reduced business risk
- Better business protection
- Greater regulatory compliance
- Improved competitive edge
- Lower risk of errors.
While ISO/IEC 27001 is not a legal requirement, for heavily regulated industries such as finance and healthcare, it can help demonstrate compliance with best practice, and it may indeed be a requirement of specific contracts. The standard also aligns closely with the requirements of the EU’s General Data Protection Regulation (GDPR).
What are the requirements of ISO/IEC 27001?
The latest version of ISO/IEC 27001 was published in 2022 (known as ISO/IEC 27001:2022). Certified organizations have until 31 October, 2025 to complete their transition to this version of the standard.
ISO/IEC 27001:2022 contains updates that reflect the latest business practices and emerging threats in information and cybersecurity. These include new controls in Annex A of the standard to address cloud security and data privacy. To increase information security resilience, there is also a greater focus on risk management right across the latest version of the standard.
As with most management system standards, the information security management system (ISMS) is formed of 10 sections, known as clauses. These align with the ISO harmonized approach to management system standards.
To achieve certification, organizations must meet the requirements of each clause. However, the standard is not prescriptive, and it takes into account that every organization is different. That’s why organizations embarking on certification need to determine what information they need to protect as well as the scope of the certification.
ISO 27001 certification requires ongoing commitment and resources to ensure continual improvement of the information security management system. Success therefore requires the support of leadership at the highest level within the organization.
What are the steps to obtaining ISO/IEC 27001 certification?
The route to ISO/IEC 27001 certification involves several key steps, the first of which is to obtain a copy of the standard, which can be purchased directly from ISO. There are then five steps to follow:
1. Read and understand the standard
To solidify understanding of the standard and understand what’s required to implement it within your organization, it’s advisable to attend an ISO/IEC 27001 training course.
2. Take action
Before beginning to implement ISO/IEC 27001, a gap assessment can help to identify how ready your organization is. The results will show where you might already meet some, or even all, of the requirements of the standard and where you might still have work to do.
3. Choose a certification body
Once you’ve determined that you have met the requirements of ISO/IEC 27001, it’s time to choose an accredited, independent third-party certification body such as NSF to audit your organization against the standard. The audit duration will depend on factors such as the number of employees and the complexity of your organization. It’s important to ensure that those responsible for the ISO/IEC 27001 management system in your organization are available when the audit takes place.
4. Receive audit recommendation
If all the requirements of the standard are met, the auditor will make a recommendation for certification. Where minor nonconformities are identified, you’ll be given a specified time period in which to address them and submit to the certification body evidence of the work done to rectify them. Major nonconformities will likely require another audit to be scheduled.
5. Certification is granted
Finally, when all requirements are met, certification can be granted. Earning ISO/IEC 27001 certification is a huge success for an organization and should be celebrated and communicated to all stakeholders, whether that’s through internal communication channels, PR activity, social media, your website or any other channel through which you communicate with stakeholders.
ISO/IEC 27001 certification is intended to promote continual improvement and follows a three-year certification cycle. Audits will be conducted each year of the cycle to ensure continued compliance with the requirements of the standard. A recertification audit will be conducted in the third and final year of the cycle. If successful, certification will be granted for another three years, and the accompanying annual audit cycle will recommence.
Why choose NSF for ISO/IEC 27001 certification?
As an ANSI National Accreditation Board (ANAB) accredited third-party Certification Body, NSF issues thousands of certificates. Our lead auditors have many years of direct experience in information security management systems and can apply deep, relevant industry knowledge. Their expertise can help you to strengthen your security and grow confidence in your ISMS.
We work hard to provide outstanding customer service and take pride in the high scores we receive in our client satisfaction survey.
What is an Integrated Management System?
ISO/IEC 27001 follows the same structure as other management system standards, such as ISO 45001 or ISO 9001. This structure is known as Annex SL. The benefit of this consistent structure is that management systems can be more closely aligned and integrated, which can help deliver efficiencies in an organization when integrating two or more management system standards. NSF is well placed to support organizations in doing this. Contact us for more information about the benefits of an integrated management system.