
ISO 27001 certification: the complete guide and our support

ISO 27001 is the reference standard for proving that your organisation has information security under control. Increasingly required by enterprise clients and investors, it is becoming a commercial advantage. Here is how to obtain it — and how I support you.

In short

ISO/IEC 27001 is the leading international standard for information security management systems (ISMS). A certified organisation demonstrates that it identifies and manages its security risks in a structured, continuous way. Getting ISO 27001 certified happens in several steps: define the scope, perform a risk analysis, implement security controls (Annex A, 93 controls in the 2022 version), document the ISMS, then pass a two-stage certification audit (stage 1: documentation review; stage 2: on-site audit) carried out by an accredited body. The typical timeline is 6 to 12 months and certification is valid for 3 years, with annual surveillance audits.

What is ISO 27001?

ISO/IEC 27001 is an international standard published by ISO and IEC. It defines the requirements for an Information Security Management System (ISMS): an organisational framework for protecting the confidentiality, integrity and availability of information through a continuous-improvement approach.

The current version is ISO/IEC 27001:2022, accompanied by an Annex A grouping 93 security controls across 4 themes (organisational, people, physical, technological). Certification is delivered by an independent accredited body, not by ISO itself.

Why pursue ISO 27001 certification?

  • Meet the requirements of enterprise clients who mandate it in their RFPs
  • Stand out commercially and shorten sales cycles (fewer security questionnaires)
  • Reassure investors, partners and cyber insurers
  • Structure security sustainably rather than reacting case by case
  • Ease compliance with other frameworks (NIS2, GDPR, SOC 2) that share many requirements
  • Concretely reduce the likelihood and impact of security incidents

The steps to obtain ISO 27001

The approach follows a clear logic, from scoping to certification:

1. Define the scope and context

Determine which services, sites and systems are in the ISMS, and identify interested parties and their requirements.

2. Perform the risk analysis

Map assets, identify threats and vulnerabilities, assess risks (EBIOS Risk Manager method or a scenario-based approach) and define acceptance criteria.

3. Build the risk treatment plan

Select the relevant Annex A controls, write the Statement of Applicability (SoA) and plan the treatment of residual risks.

4. Deploy the ISMS

Put in place policies, procedures and technical and organisational measures: access management, backups, incident management, awareness, etc.

5. Keep the system alive (internal audits, management review)

Conduct internal audits, address nonconformities and hold a management review — continuous improvement is at the core of the standard.

6. Pass the certification audit

The certification body runs a two-stage audit: documentation review (stage 1) then on-site implementation audit (stage 2). On success, certification is granted for 3 years.

How long and how much does it cost?

The timeline depends on your starting maturity: generally count 6 to 12 months for a first certification, sometimes more for a broad scope or an unstructured organisation.

The cost has two parts: the support (risk analysis, ISMS build-out, preparation) and the certification audit billed by the accredited body (varying with size and scope). Certification is valid for 3 years, with annual surveillance audits and a renewal audit in year 3. Well-run support strongly reduces the risk of audit failure, and therefore the total cost.

ISO 27001 for SMBs and startups: is it realistic?

Yes. The standard is deliberately adaptable to the size and context of the organisation: the scope, level of formality and chosen controls are proportionate to your real risks. An SMB or a SaaS startup can absolutely get certified, provided pragmatic support that avoids over-documentation.

The most common mistake is trying to document everything at once. An effective approach starts with a controlled scope, an honest risk analysis and controls that are actually applied — not a library of policies nobody reads.

My ISO 27001 support

NagaShield supports you end to end, as an outsourced CISO or on a dedicated engagement. I am a certified ISO 27001 Lead Implementer and have steered ISMS programmes in enterprise environments.

  • Gap analysis against the standard’s requirements
  • EBIOS risk analysis and prioritised treatment plan
  • ISMS build-out: policies, procedures, Statement of Applicability
  • Preparation for internal audits and the certification audit
  • Proportionate documentation, designed to actually be used

Aim for ISO 27001 certification

Let's discuss your starting point and build a realistic roadmap to certification. Free scoping call.
