Build trust with ISO 27001 in 2024

Demonstrate a high standard of information security through ISO 27001 certification.

alab-network-countries-and-employees-1

We work with more than 500 fast-growing companies across 20+ countries, ranging in size from 2 to 26,000+ employees.

ISO 27001 CERTIFICATION

Is this the year you

grow with ISO 27001?

ISO 27001 certifications demonstrate an effective information security management system (ISMS). The standard was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

ISO 27001 provides an ISMS framework for organisations to establish, implement, maintain and continually improve their information security processes and controls. 

As trusted ISO 27001 auditors, we’re ready to help you earn trust with ISO 27001 audits globally. We provide audit pre-assessments through to certification that can be combined with other global standards to remove the usual duplication of multi-standard audits.

Ready to get started with ISO 27001?

alab-soc2-image
  • Vital
  • Vital
  • Vital
  • Vital
  • Vital
  • Vital
  • Vital
  • Vital
  • Vital
  • Vital
  • Vital
  • Vital
  • Vital
  • Vital
  • Vital
  • Vital
  • Vital
  • Vital
  • Vital
  • Vital

THE PROCESS

Six Phases of ISO 27001

left arrow right arrow
ISO 27001 Pre-Assessment

Pre-Assessment

An optional assessment for those pursuing ISO 27001 certification for the first time. We assess your readiness against the ISO 27001 checklist to undergo the following Stage 1 and Stage 2 audits.

alab-soc2-audit-01-icon

Stage 1 Audit

Audits your key ISMS documentation from a design standpoint to confirm it satisfies the mandatory requirements of ISO 27001. A report is issued with any non-conformities, process improvements and observations to consider while implementing the remaining ISMS activities.

alab-soc2-audit-02-icon

Stage 2 Audit

Audits the complete ISMS against the mandatory requirements and ISO 27001 Annex A controls in your Statement of Applicability. A report is issued with any non-conformities, process improvements and observations. Minor non-conformities require a management action plan and agreed timeframe, with up to 90 days given to address these before the certification decision.

alab-recognition-of-partial-progress-icon

Certification Decision

The certification decision is conducted at the mutually agreed date, up to 90 days after the Stage 2 audit is complete. This allows time to remediate any non-conformities that may adversely impact the decision. Upon a successful certification decision, the certification documents are issued.

Surveillance audits

Surveillance Audits

To ensure ongoing conformity of your ISMS with ISO 27001, surveillance audits are performed for the following two years while the certification remains valid. We follow a risk-based approach for ongoing conformance to the ISO 27001 requirements, by rotating areas of focus and combining them with a general assessment of its ongoing operation.

Recertification audit

Re-certification Audit

The certification expires in three years. The recertification audit is conducted before the expiry to ensure continuous certification. The recertification audits assess the full ISMS mandatory requirements and Annex A controls in the Statement of Applicability.

Ready to get started on your compliance journey?

THE BENEFITS

Clear reasons to act

alab-international-credibility-icon

International credibility

A globally recognised certification
to build trust at scale

alab-customer-confort-and-trust-icon

Customer comfort and trust

AssuranceLab is a certified audit firm and
trusted audit provider

alab-minimal-business-disruption-icon

Minimal business disruption

Agile and flexible audits leveraging technology to
help minimise the disruption 

alab-choice-of-goalposts-icon

Broadened coverage

Optionally add ISO 27017, 27018, or 27701 to
increase your coverage

alab-multi-standard-compliance-icon

Multi-standard compliance

Audits that can combine multiple related
frameworks, standards and certifications

alab-recognition-of-partial-progress-icon

Recognition of progress

Audit reports and status letters that keep your customers informed of your progress

FAQ

Your questions answered

What is ISO 27001 accreditation?

ISO 27001 is an international standard for information security management systems (ISMS). It provides a framework for organisations to establish, implement, maintain and continually improve their information security processes and controls. The standard was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

The main objective of ISO 27001 is to help organisations protect the confidentiality, integrity and availability of their information assets. It provides a systematic approach to managing sensitive company information including financial data, intellectual property, employee details and customer information. The standard applies to all types and sizes of organisations, whether private, public, for-profit or non-profit.

What is the ISMS and SOA?

The ISO 27001 standard is a set of requirements for operating an effective information security management system (ISMS). That management system is assessed and must adhere to those requirements to achieve certification. Those requirements extend to the implementation of specific information security controls, which can be selected from a prescribed appendix A in the ISO 27001 standard. The controls selected and implemented are included in a Statement of Applicability (SoA) to demonstrate how that mix of controls supports the ISMS objectives and forms a key part of meeting the ISMS requirements.

When am I ready for Stage 1?

A Stage 1 audit should be commenced once you’ve implemented the mandatory requirements of the ISO 27001 standard; namely the ISMS framework. That will give you feedback on how it is set up, to ensure you’re on track for the Stage 2 audit and can address any identified non-conformities prior.

When am I ready for Stage 2?

Stage 2 should commence once you’ve implemented all controls in the Statement of Applicability, or justified their exclusion. Any major non-conformities from the Stage 1 should have been remediated. You should also complete at least one cycle of the information security management system, including a management review and internal audit.

What are non-conformities?

Major non-conformities are where your ISMS doesn’t meet the requirements of the ISO 27001 standard. Generally, these are significant gaps in the management system's overall design or the controls in the statement of applicability. In contrast, minor non-conformities may undermine the effectiveness of the ISMS or have a minor impact on the requirements of the ISO 27001 standard but don’t prevent it from achieving its goals or meeting the key requirements of the ISO 27001 standard.

Can we get certified if we have non-conformities?

Yes, it is possible to get certified with open non-conformities. That will generally only include minor non-conformities with a clear and reasonable action plan for when and how those non-conformities will be remediated. If there are a high number of minor non-conformities or major non-conformities, you are given up to 90 days to remediate those before the certification decision.

How does the three year certification period work?

ISO 27001 follows a 3-year certification cycle. In the first year is the full certification audit. That’s either an initial certification audit when it’s the first time, or a re-certification audit if it’s following a previous 3-year certification cycle. These full certification audits cover all areas of your ISMS and review all controls in your Statement of Applicability. In the following two years, surveillance audits (scaled-down audits) are conducted to review the operation of the ISMS and some areas of the Statement of Applicability.

Can we reduce the audit work by using a compliance platform?

Yes, and no. ISO 27006, which guides the ISO 27001 standard, prescribes audit days based on the company size and complexity factors and only allows for adjustments of +/- 30%. A compliance platform can be used to facilitate the audit and manage outstanding tasks but will not save as much time as would be the case for a SOC 2 audit. If you are looking at a compliance platform for your audit, we work with several leading platforms to help streamline the process.

OTHER STANDARDS

Earn trust with other leading standards

alab-blended-audits-icon

SOC 1 / SOX ITGC

Satisfy publicly listed customers regulated by Sarbanes Oxley and supporting financial reporting requirements.

alab-hipaa-icon

HIPAA

The de facto global and best practice standard for proving secure handling of electronic protected health information (ePHI).

alab-custom-framework-icon

Custom Frameworks

Manage any compliance obligations from customers, regulators or your own internal risk requirements with custom frameworks.

alab-iso-27001-icon

ISO 27001

An international framework to apply a structured and best practice methodology for managing information security.

alab-csa-star-icon

CSA STAR

A comprehensive, best practice standard for cloud security to achieve Level Two accreditation in the security, trust and risk (STAR) register.

alab-cdr-icon

Consumer Data Right

Access consumer data in Australia’s economy-wide open data regime with Consumer Data Right accreditation.

alab-esg-icon

ESG Reporting

A flexible and lightweight framework to report up to 500+ positive impact activities supporting environmental, social and governance (ESG) objectives.

alab-gdpr-icon

GDPR

The global gold-standard for privacy. GDPR is regulated for personal data collected from EU citizens, and an effective framework to satisfy enterprise customers globally.

alab-soc1-sox-itgc-icon

SOC 2

Trust services criteria to satisfy a broad customer base globally for security, availability, confidentiality, privacy and processing integrity.

Get started your way

We’re ready when you are

alab-gdpr-icon

GDPR

The global gold-standard for privacy. GDPR is regulated for personal data collected from EU citizens, and an effective framework to satisfy enterprise customers globally.