
The ISO 27001 Bible
Everything you need to know about compliance

Contents
02 Introduction
03 What is ISO 27001 certification?
04 Who needs to be ISO 27001 compliant?
06 The benefits of ISO 27001 certification
08 How to get ISO 27001 compliant
13 How long does it take to get ISO 27001 certified?
14 Trends, statistics, and studies
15 Summary

SCYTALE | THE ISO 27001 BIBLE 1 / 15
INTRODUCTION

Getting ISO 27001 certified is no small undertaking. If you're not sure how to set up an information security management system or if you're feeling overwhelmed, you're not alone.

Why is ISO 27001 so important?

Obtaining an ISO 27001 certification demonstrates that a company complies with the highest internationally-recognized information security standards.

This certification demonstrates world-class operational security in threat monitoring, security breach mitigation, and sensitive data protection. With this exemplary reputation for risk management, partners and customers of ISO 27001 accredited organizations are very confident in the security of their information assets.

However, implementing ISO 27001 is more than a highly effective way to enhance an organization's information security process. Becoming ISO 27001 certified is evidence of world-class security protocols and therefore offers a key competitive advantage in any sector where robust security is a highly prized asset. Indeed, SaaS companies without evidence of a robust data security protocol may struggle to attract customers and fail to meet clients' demanding procurement requirements.

What is ISO 27001?

ISO 27001 is the leading international data security standard, trusted by companies around the world. In Europe, the protocol is generally recognized as the gold standard in information security.

ISO 27001 is a rigorous and comprehensive information security protocol that covers an organization's overall information security protocols, including information security management systems, information security technology, and information security requirements.

ISO 27001 certification requires an investment of time and resources. However, with the right technology and insight, the process has the potential to be much simpler, faster and more efficient. When implemented effectively, the rewards of ISO 27001 are immense for many organizations.

We have created this guide to help you manage the demanding ISO 27001 certification process from start to finish, reducing the time and resources normally required to do so, as well as giving you a clear understanding of everything you need to know about ISO 27001 certification.

01
What is ISO 27001 certification?

ISO 27001 certification is an internationally recognized compliance standard aimed at protecting critical information assets, mostly customer data. ISO 27001 stipulates specific requirements for the establishment, maintenance, and continuous improvement of an organization's information security management system (ISMS).

The ISMS is a broad framework consisting of policies and procedures designed to ensure the company effectively identifies risks and establishes and implements controls to effectively manage those risks. Ideally, the ISMS also sets a benchmark for continuous assessment and improvement. Following ISO 27001 best practice, and seeking certification, is an effective way to both develop a robust ISMS and demonstrate the effectiveness of your controls.

As many companies require evidence of effective information security, becoming ISO 27001 certified is an efficient way to meet exacting procurement requirements. To become certified, a business undergoes a rigorous audit by an independent third-party auditor. The auditor carefully evaluates the company's policies and controls. If the audit is successful, the company receives ISO 27001 certification, which demonstrates that the ISMS meets the protocol's high standards.

Nonconformities are a possible outcome of the certification audit. A nonconformity means you do not fully meet a requirement of the standard, for example because records or documentation are missing. The more nonconformities, the less compliant you are. If the auditor observes a major nonconformity, a company cannot get certified. However, when this happens, the auditor will state the major nonconformity in the audit report and give you a deadline to resolve the cause of the nonconformity (usually 90 days). Once the auditor observes evidence that you have addressed the nonconformity thoroughly, most of the time the auditor will accept your corrective action and proceed to issue the certificate.

02
Who needs to be ISO 27001 compliant?

While ISO 27001 certification is globally recognized, it is particularly valued in European markets. Any business looking to develop a European presence will gain a strong competitive advantage by becoming ISO 27001 compliant. The standard also helps SaaS companies, and any tech business that manages user data, meet demanding information security procurement protocols, in Europe and beyond.

But why, exactly, do you need a robust ISMS? Don't most tech businesses already have advanced data security tools in place? Believe it or not, IT isn't the key element in protecting information anymore. In the majority of cases, companies already have a lot of relevant technology in place – for example, antivirus, multi-factor authentication, and backups.

However, in any organization, suitable technology is necessary but not sufficient. If the actual information security systems are not organized effectively and deployed properly, then there are likely to be data security weak points. In addition, without effective, ongoing monitoring, security risks can materialize at any point in time without getting the right attention in time.

And this is what ISO 27001 compliance is about: it provides a framework for companies to find out the potential incidents that could happen to them (i.e., risks), and then develop robust procedures to manage those risks appropriately.

From this point of view, ISO 27001 has obvious value for any organization that seeks to (or has a mandate to) formalize and improve business processes around information security, privacy, and securing its information assets.

In the modern information economy, many businesses, in various sectors, manage large amounts of sensitive data, across various networks.

Let's take a look at just some of the industries that are typically implementing this standard:

Government agencies

Government agencies typically handle extremely sensitive data. ISO 27001 is specifically designed to meet the exacting data security demands of such organizations, making it an ideal methodology to manage information security risk.

Tech companies

For cloud computing providers, Software as a Service, and IT support businesses, implementing ISO 27001 is good for business. Those companies can attract clients by demonstrating that they can safeguard their information in the best way possible.

Many tech businesses also rely on ISO 27001 to guarantee compliance with contractual security regulations from their main clients.

ISO 27001 is also an excellent way for startups and fast-growing companies to resolve problems in their procedures, as the standard forces companies to define responsibility and implement the steps that need to be taken in the most important operations.

Financial industry

Insurance companies, payment companies, brokerage houses, banks, and other financial institutions frequently take advantage of ISO 27001 certification in order to comply with the high levels of information security required in the financial sector. ISO 27001 is the proven, generally accepted methodology for achieving compliance in these industries.

Financial services are also strongly motivated by the costs associated with poor risk management. Preventing incidents before they occur is significantly less costly than suffering a serious breach.

Telecoms

Internet providers and telecommunication companies are also very keen on protecting the huge amounts of data that they handle and on reducing the number of outages. ISO 27001 is an invaluable framework for achieving those goals. Furthermore, as with financial institutions, ISO 27001 helps telecom companies meet the ever-evolving set of laws and regulations governing the industry.

A powerful standard for any sector

In fact, ISO 27001 compliance is not limited to any particular set of industries. It is a powerful standard that helps many organizations in various industries meet their most exacting information security requirements.

Any company that stores sensitive customer information will benefit from implementing ISO 27001. For instance, healthcare providers rely on the framework to protect sensitive patient information and comply with strict confidentiality laws. Cybersecurity firms are able to assure clients of secure, reliable service. Indeed, any business that manages confidential information, such as HR data and personnel files, will benefit from the enhanced security ISO 27001 provides.

03
The benefits of ISO 27001 certification

Information security and compliance are not just a priority for information security and compliance teams. Being a certified ISO 27001 supplier means major benefits for an organization.

1 Stand out in a competitive market

ISO 27001 compliance is internationally recognized and respected. Becoming certified confers a significant competitive advantage, especially when entering new markets. Customers want reassurance that their providers will effectively safeguard their data, and ISO 27001 certifications signal precisely that.

2 Customer requirements

Many businesses have strict in-house security standards and will only do business with companies that offer sufficient reassurance of security and data integrity. Becoming ISO 27001 compliant is one of the most effective ways of meeting these requirements.

3 Avoid security breaches

Prevention is better than cure, especially when it comes to data security. Becoming ISO 27001 compliant is one of the best ways of developing effective risk management systems that effectively prevent breaches and data leaks. Considering the lasting reputational damage caused by data security incidents, many businesses value ISO 27001 as a rigorous and effective risk-management system.

4 Higher levels of trust

Most users will demand a high level of trust in your platform before they permit you to process their personal data. ISO 27001 certification demonstrates to users that you follow best data security practices and will safeguard their confidentiality.

5 Preventing downtime

Downtime means missed opportunities to supply your services. Frequent downtime also risks annoying your customers.

As part of an ISO 27001 ISMS, companies implement an effective business continuity (BC) and disaster recovery (DR) plan. These plans will help you continue to provide continuous service, even in the event of a crisis, and minimize downtime experienced by customers.

6 Manage third-party vulnerabilities

Data security is compromised if there are any weak links. If data is shared with third parties, you need a mechanism to ensure the entire chain of transmission is secure. ISO 27001 compliance involves comprehensive data protection policies that account for your data systems as a whole, including any third-party vendors.

7 Reduce human error

Security is as strong as the weakest link. ISO 27001 compliance helps reduce human error in two important ways. First, by implementing controls around all checkpoints in an employee lifecycle: recruitment, onboarding, transition between roles and offboarding. Moreover, ongoing security awareness training and improved internal processes help employees follow best security practices and stay up-to-date with the latest security protocols, ensuring a security-aware culture. In addition, having effective and reliable security systems and consistent risk monitoring in place prevents more human risks too.

Second, if you are using purpose-made compliance technology to manage your ISO 27001 compliance, it helps automate and simplify many complex human processes.

04
How to get ISO 27001 compliant

Implementing an ISO 27001-compliant Information Security Management System (ISMS) can be challenging but extremely rewarding. After all, building watertight information security systems across an entire organization takes an investment of time and resources, especially for startups and first-timers.

If you're just starting out with the standard, we've put together this helpful ISO 27001 implementation roadmap to help you get it right the first time.

STEP 1
Organize the implementation team

Considering the scope and complexity of implementing ISO 27001, it's critical to have a dedicated manager driving the entire process. This shouldn't be an afterthought: effective leadership is critical to the success of your compliance initiative.

The project manager needs sufficient authority and resources to implement all reasonable compliance interventions.

That said, ISO 27001 is not simply a top-down process. For startups, in particular, implementation will potentially affect everyone in the business. There need to be clear lines of communication and precisely defined roles and responsibilities from the outset.

STEP 2
Define the scope of your ISMS

At its best, ISO 27001 compliance isn't a one-size-fits-all process. Startups and all dynamic businesses can implement a rigorous and independently-recognized security standard in a way that fits their specific operations and needs.

Of course, that means that, to get the most out of the process, the business needs to make a number of critical decisions at each stage in the process.

Once you've established the how, it's time to clarify the what. That is, what people, systems, applications and processes will be covered by your ISMS. This is defined in your scope statement. After all, the ISMS is the system of controls that safeguards data and ensures consistency and reliability. But each business has different security needs and operational requirements. Not every ISMS will look the same.

Defining the scope of your ISMS is therefore an important strategic decision. Your ISMS needs to be broad enough to cover all critical data security risks. At the same time, most startups can't afford to waste time and resources on inessential or irrelevant processes. Finding the right balance is a critical step in developing an effective and efficient ISMS.

It is important to understand that ISO 27001 certification is for an organization (and its subsidiaries) and not for a product, and so a company needs to choose which part of the organization needs to be in scope.

STEP 3
Implement your relevant policies

Once the organization is clear on the scope of the ISMS, you need to establish your security policies. These are high-level policy documents detailing your security objectives. Remember, ISO 27001 is not a cookie-cutter standard. The security policies are unique to your company, devised in the context of your changing business and security needs. Your policies will ultimately shape the way information security is implemented throughout the business.

Some required policies for ISO 27001 are the following:

Information Security Policy
Data Protection Policy
Access Control Policy
Asset Management Policy
Business Continuity Policy
Change Management Policy
Risk Management Policy

STEP 4
Establish your risk management procedure

In order to perform a precise, verifiable risk assessment of the company's data security, you need to establish a method for scoring risks. ISO 27001 doesn't specify any one method for scoring risks. The company has the flexibility to choose a method that suits its needs. You need to ensure, however, that the methodology is appropriate to your ISMS policy objectives and that all relevant personnel are fully briefed on the selected procedure.

STEP 5
Perform the risk assessment

Once you've defined your assessment methodology, it's time to identify and evaluate any information security weaknesses in the organization.

This is a sophisticated multi-stage process that goes beyond simply identifying potential threats.

Once you have identified security gaps you should
i) assess their impact and
ii) devise a risk treatment.

Assessing risk impact

Not all risks are equally serious. You should assess the potential consequences of each risk and prioritize the risks accordingly.

Implement a risk treatment

Following the impact assessment, you need to decide how you will address each risk. High-priority risks obviously demand the most urgent and far-reaching attention.

In terms of ISO 27001 risk treatment procedures, the organization has four broad options in response to a given risk:

Avoid the risk
Decrease the risk
Share the risk
Retain the risk

STEP 6
Statement of Applicability

A Statement of Applicability is a requirement for your ISO 27001 audit. It outlines which Annex A controls are applicable to your organization and are therefore included in your scope.

A Statement of Applicability should:

List the controls an organization has selected to mitigate risk
Explain why these controls were chosen for your ISMS
State whether the controls have been fully implemented
Explain why any controls were excluded

To understand the details of Annex A controls and how they could be implemented, you need to consult ISO 27002, which serves as a guidance document for the ISO 27001 security controls.

ISO 27002 was officially updated on February 15, 2022, and updates to ISO 27001 Annex A will take place during the course of 2022. The 2022 updates apply to the security controls of ISO 27002 and therefore to Annex A of ISO 27001.

The previous version of Annex A contained 114 controls across 14 families, while the new version contains 93 controls across 4 families:

People
Organizational
Technological
Physical

The decrease in the number of controls is due to many controls being merged.
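As an added worked example (not part of this guide, and not Scytale's own tooling), the following Python script shows how the outputs of Steps 4 to 6 fit together: a risk-scoring method, the prioritization of identified risks, the choice of one of the four treatment options, and a Statement of Applicability built from the risk register. Because ISO 27001 does not prescribe a scoring method, the likelihood x impact scale used here is an assumption, as is the rule that a High-priority risk may not simply be retained. The four-theme control catalogue, the control identifiers (ORG-01 and so on), the risks and the implementation statuses are all constructed sample data, not real Annex A references.

```python
"""Risk register, treatment check and Statement of Applicability (SoA) skeleton.

Added example: scoring scale, policy rule and all sample data are constructed
assumptions, not content from the guide or from ISO 27001 itself.
"""
from dataclasses import dataclass, field
from enum import Enum


class Treatment(Enum):
    """The four broad treatment options named in the guide."""
    AVOID = "Avoid the risk"
    DECREASE = "Decrease the risk"
    SHARE = "Share the risk"
    RETAIN = "Retain the risk"


SCALE = range(1, 6)  # assumed 1..5 scale for both likelihood and impact


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int
    impact: int
    treatment: Treatment
    controls: list = field(default_factory=list)  # control ids that treat this risk

    def __post_init__(self):
        # Reject values outside the agreed scale so scores stay comparable.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.rid}: likelihood and impact must be within 1..5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def priority(score: int) -> str:
    """Assumed bands on the 1..25 score: High >= 15, Medium >= 8, otherwise Low."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def prioritise(risks):
    """Order the register so the highest-scoring risks are addressed first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def check_treatments(risks):
    """Assumed policy rules: a High-priority risk cannot just be retained, and a
    risk treated by Decrease or Share must name at least one control."""
    problems = []
    for r in risks:
        if priority(r.score) == "High" and r.treatment is Treatment.RETAIN:
            problems.append(f"{r.rid}: High-priority risk cannot be retained")
        if r.treatment in (Treatment.DECREASE, Treatment.SHARE) and not r.controls:
            problems.append(f"{r.rid}: {r.treatment.value!r} names no control")
    return problems


def build_soa(catalogue, risks, implemented, exclusions):
    """One SoA row per catalogue control: applicable?, why, and implementation status.
    Every non-applicable control must carry an exclusion reason, as the guide requires."""
    justification = {}
    for r in risks:
        for cid in r.controls:
            justification.setdefault(cid, []).append(r.rid)
    rows = []
    for cid, (theme, name) in catalogue.items():
        applicable = cid in justification
        if not applicable and cid not in exclusions:
            raise ValueError(f"{cid} is not applied to any risk and has no exclusion reason")
        rows.append({
            "control": cid, "theme": theme, "name": name, "applicable": applicable,
            "justification": ("Treats " + ", ".join(justification[cid])) if applicable
                             else exclusions[cid],
            "status": implemented.get(cid, "Not implemented") if applicable else "N/A",
        })
    return rows


# Constructed sample catalogue using the four control themes named in the guide.
CATALOGUE = {
    "ORG-01": ("Organizational", "Security requirements in supplier agreements"),
    "PPL-01": ("People", "Security awareness training"),
    "TEC-01": ("Technological", "Multi-factor authentication for admin access"),
    "PHY-01": ("Physical", "Physical entry controls for server rooms"),
}
# Constructed sample risk register.
RISKS = [
    Risk("R1", "Credential theft against administrator accounts", 4, 5,
         Treatment.DECREASE, ["TEC-01", "PPL-01"]),
    Risk("R2", "Vendor mishandles customer data", 3, 4, Treatment.SHARE, ["ORG-01"]),
    Risk("R3", "Encrypted laptop lost in transit", 2, 2, Treatment.RETAIN),
]
IMPLEMENTED = {"TEC-01": "Implemented", "PPL-01": "Partially implemented",
               "ORG-01": "Implemented"}
EXCLUSIONS = {"PHY-01": "Fully cloud-hosted; no on-premises server room in scope"}

if __name__ == "__main__":
    for r in prioritise(RISKS):
        print(f"{r.rid} score={r.score:2d} {priority(r.score):6s} {r.treatment.value}")
    print("treatment problems:", check_treatments(RISKS) or "none")
    for row in build_soa(CATALOGUE, RISKS, IMPLEMENTED, EXCLUSIONS):
        print(row)
```

The `build_soa` function refuses to produce a statement with an unexplained exclusion, which is the kind of gap an auditor treats as a nonconformity; extending the sample with a real Annex A catalogue is a matter of replacing the constructed entries in `CATALOGUE`.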

STEP 7
Cultivating a culture of data security

Turning your risk management blueprint into reality is about more than simply following a plan. The whole organization needs to effectively adapt to the new ways of working. For startups, this may seem like a drastic culture shift at first but will set a foundation for information security excellence as the business grows.

STEP 8
Measuring and monitoring

ISO 27001 isn't meant to simply work on paper. It's a practical toolkit for delivering robust real-world data security. Ongoing monitoring and reviewing of all policies, procedures and security controls are essential to help ensure your ISMS is functioning properly and delivering the results you require and your customers demand.

STEP 9
It's time to get certified

One reason ISO 27001 is such a respected global standard is that your compliance is carefully audited by an independent third party. To become certified, you must appoint a respected and accredited auditor, which will issue certification following a successful audit.

As we can see from the steps above, a successful audit depends on careful preparation and expert guidance.

05
How long does it take to get ISO 27001 certified?

In the first phase of the independent assessment, the auditor reviews the design of your ISMS to determine whether it is fit for the purpose for which it is designed.

After reviewing the design, the auditor issues an interim audit report. This report specifies whether there are any major or minor shortcomings in the design of the ISMS and proposes ways to address these issues.

The preliminary audit report can therefore provide an important opportunity for the company to improve its security posture and practices and enhance implementation before the official audit.

Assessing operating effectiveness

In the second phase of the review, the auditor assesses the actual operating effectiveness of your ISMS, possibly through the company's Statement of Applicability (SoA). The auditor determines both that the controls have been implemented correctly and that they are operating effectively.

The independent auditor will carefully review your controls, policies and procedures against the criteria of ISO 27001 compliance.

If your information security standards meet these criteria, this should be the final step before certification. However, the audit process does not stop there. Ongoing reviews, in the form of surveillance audits, are the norm in ISO 27001 certification.

06
Trends, statistics, and studies

The International Organization for Standardization survey shows that in 2020, 44,486 valid ISO 27001 certificates were issued at 84,166 sites.

However, it is no surprise that more companies are taking measures to enhance their data security. Information security is not simply a theoretical concern. It's a critical business risk issue. The IBM Cost of a Data Breach Report for 2021 reveals that the average cost of a data breach is an eye-watering $4.24 million, the highest cost in the history of the report.

Of course, those are not the only reasons to adopt ISO 27001. Market pressure also plays a critical role. As one researcher points out, most companies adopt an information security framework to meet clients' demand. That is, many clients prefer, or even require, suppliers to implement a standard such as ISO 27001.

In Europe, the standard is especially prized for helping to meet regulatory requirements and to meet customers' procurement standards.

However, as a UK government report indicates, large organizations tend to have enhanced cybersecurity capabilities. Smaller businesses and startups do not always have adequate protection in place.

While total financial losses may be larger for big corporations, smaller businesses, in particular, may struggle to recover from the lasting reputational damage of a serious breach.

Fortunately, as the IBM report makes clear, automation is transforming compliance. In fact, the report says that automation and AI "provide the biggest cost mitigation" against breaches.

07
Summary

The benefits of ISO 27001 compliance and certification are clear. Certified businesses can be confident that they comply with the highest standard of information security and enjoy a competitive advantage in global markets. And customers gain the reassurance and trust that they are partnering with a company that cares about information security.

Best of all, ISO 27001 compliance is now in reach of more businesses, including ambitious startups who want to lay a solid information security foundation. With compliance automation, expert advice, and an effective strategy, any company can take advantage of ISO 27001 compliance. For startups, compliance automation is a particularly useful way to ensure the highest standards of information security, as efficiently and time-effectively as possible, making the process 90% faster and the total cost of compliance half the price.
