
ISO 27001 - FAQs

Review, certification and maintenance of ISO 27001 for your business, providing the skills and knowledge required to deliver a successful programme.


Frequently Asked Questions (FAQ)

+ What does ISO 27001 cost?

There are two sets of costs. Actual costs vary from company to company depending on a variety of factors including size, complexity, existing control maturity etc.

Firstly there are certification fees that you pay to the UKAS-accredited audit body for carrying out the external audit, issuing the certificate and undertaking ongoing surveillance audits (sometimes called continuous assessment visits). We can arrange for the certification body of your choice to provide a quote that is tailored to your circumstances.

Secondly there are project implementation and on-going maintenance costs to implement and maintain the ISO 27001 Information Security Management System (ISMS).

If you get in touch we would be happy to have a chat about your particular circumstances.

+ How long does it take to get ISO 27001 certified?

Typical implementation projects take 3-6 months but can take longer or be completed more quickly depending on particular circumstances. Our experience of working on a large number of projects, for companies of all sizes, in a variety of different industries helps us implement an ISMS in the most efficient way possible.

+ Where do I start with ISO/IEC 27001?

A good start is a chat with one of our consultants who will be able to advise on the benefits and steps that you would need to take.

+ What does UKAS-accredited mean?

UKAS is the sole national accreditation body for the UK. Its role is to check that organisations providing conformity assessment services, such as certification, testing, inspection and calibration, are meeting a required standard of performance. The assessment criteria used by UKAS are internationally recognised as being the best indicators of accurate, impartial and consistent performance.

UKAS accreditation demonstrates an organisation’s competence, impartiality and performance capability against internationally recognised standards. UKAS is a signatory to global accreditation groups including the European co-operation for Accreditation (EA), The International Accreditation Forum (IAF) and The International Laboratory Accreditation Cooperation (ILAC). This reduces the need for multiple assessments of suppliers, and so helps to reduce barriers to trade for organisations that have UKAS accreditation.

By ensuring that your ISO 27001 certificate is issued by a UKAS-accredited provider, you are proving to your customers that you have had an independent assessment that they can trust.

+ What are the benefits of ISO 27001?

The benefits of ISO 27001 fit into 4 broad categories - Reputation; Engagement; Compliance and Risk Management.

Reputation - Improved reputation and stakeholder confidence; better visibility of risk amongst interested parties; builds trust and credibility in the market to help you win more business.

Engagement - Improved information security awareness amongst all relevant parties; reduces likelihood of staff-related information security breaches; shows commitment to information security at all levels of the business.

Compliance - Reduces the likelihood of fines or prosecution; helps you comply with relevant legislation and helps make sure you keep up-to-date.

Risk Management - Helps you protect your information so you can continue business as usual and minimise disruptions; gives cost savings by minimising incidents; ensures information is protected, available, and can be accessed.

+ What are the principles of ISO 27001?

Information protection under ISO 27001 is based on the three principles of information security:

  • Confidentiality - information is accessible only to those who are allowed

  • Integrity - there is accuracy and completeness of the information

  • Availability - authorized users have access to information when they need it

+ What areas of the country do you cover?

We work with customers all over the UK, including the South East, South West, Midlands, North of England and East Anglia.

We have also worked with international clients with offices in Europe, Asia and the Americas.

+ How do I choose the right ISO 27001 consultant?

There are a variety of factors when selecting any supplier, but for ISO 27001 to be most effective for an organisation it is important that the consultants can understand and adapt their approach to your culture, and form effective long term relationships with staff at all levels in your organisation based on mutual trust.

+ Why should I choose Spritzmonkey for my ISO 27001 certification?

Spritzmonkey have provided the skills and knowledge required to deliver a successful programme to achieve and maintain certification to ISO 27001 for many different customers in different sectors.

We have a 100% successful track record of implementations achieving the certification, and provide a flexible, tailored, cost-effective service to give you the assistance you need in the way that you need it. From the outset we aim to build open and straightforward relationships with clients. By listening to you and adopting a flexible approach, we ensure that ISO 27001 works for you and is not a burden. We work with you to understand your business, how it works and its culture. That way, no matter what industry you are in, we can tailor our services to suit your needs and fit in with how you and your teams work.

Our technical background working in IT and Cyber Security across many different sizes and types of organisation means that we know the best practice guidance and the current threat landscape. We do not just understand the standards; as technical people we can apply them effectively to your business in a way that maximises the benefits.

By working with one of our experienced consultants you are more likely to succeed using our tried and tested methods and can avoid over complicating the process. Unaided projects typically take longer and cost more.

+ What is ISO 27001 compliance?

ISO 27001 is an internationally recognised best practice framework for an information security management system (ISMS). It helps you identify risks and puts in place security measures that are right for your business, so that you can manage or reduce risks to your information.

By achieving ISO 27001 certification you can demonstrate that your ISMS meets international best-practice and show customers, suppliers, and the market place that your organisation has the ability to handle information securely.

ISO 27001 is known more formally as ISO/IEC 27001.

+ Where can I get the ISO 27001 standard?

The ISO 27001 standard can be purchased in electronic or paper format from us via our partnership with BSI.

+ What does ISO mean?

The International Organization for Standardization (ISO) is an international standard-setting body composed of representatives from various national standards organisations. ISO standards are an internationally recognised way of doing a variety of things; for example, 27001 covers Information Security Management and 9001 covers Quality Management.

+ What is ISO/IEC 27001?

ISO/IEC 27001 is an internationally recognised best practice framework for an information security management system (ISMS). It helps you identify risks and puts in place security measures that are right for your business, so that you can manage or reduce risks to your information.

By achieving ISO/IEC 27001 certification you can demonstrate that your ISMS meets international best-practice and show customers, suppliers, and the market place that your organisation has the ability to handle information securely.

ISO/IEC 27001 is known more informally as simply ISO 27001.

+ How many controls are in ISO 27001?

Controls are outlined in Annex A of the ISO 27001 standard. There are 114 ISO 27001 Annex A controls, divided into 14 categories. The controls cover:

  • Information Security Policies
  • Organisation of Information Security
  • Human Resource Security
  • Asset Management
  • Access Control
  • Cryptography
  • Physical and Environmental Security
  • IT Operations Security
  • Communications Security
  • Systems acquisition, development, maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance

+ What is ISO 27002?

ISO 27002 is an additional standard that provides guidance on the implementation of the controls listed in Annex A of ISO 27001. It includes how each control works, what its objective is, and how you can implement it.

+ What is an ISMS?

An ISMS is an Information Security Management System. This is a systematic approach consisting of processes, technology and people that helps you protect and manage your organisation’s information through effective risk management.

+ Why should I certify my company against ISO 27001?

The benefits of ISO 27001 fit into 4 broad categories - Reputation; Engagement; Compliance and Risk Management.

Reputation - Improved reputation and stakeholder confidence; better visibility of risk amongst interested parties; builds trust and credibility in the market to help you win more business.

Engagement - Improved information security awareness amongst all relevant parties; reduces likelihood of staff-related information security breaches; shows commitment to information security at all levels of the business.

Compliance - Reduces the likelihood of fines or prosecution; helps you comply with relevant legislation and helps make sure you keep up-to-date.

Risk Management - Helps you protect your information so you can continue business as usual and minimise disruptions; gives cost savings by minimising incidents; ensures information is protected, available, and can be accessed.

+ What is the certification process for ISO 27001?

The certification process for ISO 27001 normally consists of the following steps:

  • Gap Analysis
  • Implementation
  • Formal Assessment - Stage 1 audit and Stage 2 audit
  • Certificate issued
  • Maintenance / Continuous Improvement

+ How can I persuade senior management to invest in an ISO 27001 project?

We would recommend that you focus on the benefits of ISO 27001 to the business, using language that they understand. The benefits of ISO 27001 fit into 4 broad categories - Reputation; Engagement; Compliance and Risk Management. Although it is a technical standard, it is best to avoid tech speak and focus more on concepts they will understand, such as risk management, process improvement and reputational risk. The board will be aware of regulatory compliance in relation to your business, and you should explain how ISO 27001 will help with compliance with GDPR, DPA etc.


Why our customers trust us

Vitanium - International Technology provider to Healthcare, Banking and Commercial markets


“I contacted Spritzmonkey on a recommendation of a colleague who knows and has worked with Daren and Terry. My requirement was to implement ISO 27001 for my two companies and at the same time combine my two ISO 9001 accreditations. Spritzmonkey’s approach and quality of work on the new Management System has been second to none. Daren has focused on 27001 and Terry on 9001; they have taken on most of the workload, and Daren actually represents my company as our CISO and is involved in assisting me with the complex security questionnaires we have to complete for our finance and healthcare customers.

During our recent audit with BSI the auditor complimented us, likening the new management systems to the top quartile of those he’d seen!”

Dave Bullock - Managing Director


JoinedUp Group by Beeline - software for the new world of work. Their cloud-based tools join-up recruiters, workers and end-hirers in a single platform that makes temporary staffing simple.

Point Zero Solutions - Variable data, business intelligence and multi-channel data delivery systems providing industry-leading expertise and experience across a multitude of applications and environments.


“Thank you for all of your hard work getting us ready for the audit and for chaperoning the auditor. I think that was the least painful audit I have ever been in!”

Steve Lowe - CTO


“The audit went very well, thanks be to Daren. Further concreting what we already knew, his ability to make the seemingly challenging feel very pleasant and achievable is not only comforting for the individual but extremely rewarding for the organisations which purchase the services of Spritzmonkey. The usual, natural apprehensions preceded the stage 2 audit, but the two days were comprehensively chaperoned and were practically stress-free.”

James Stacey - Director


Next steps


ISO 27001 - What is it?

What is ISO 27001 and how can it help you?

ISO 27001 - The Process

What is the process of ISO 27001?


Get In Touch

To discuss ISO 27001 or anything else please get in touch using the form below or the other contact details on our site.