Strengthening Information Security
ISO 27001 is an internationally recognized framework for establishing, implementing, managing, and maintaining an Information Security Management System (ISMS). It helps organizations systematically protect sensitive data, manage risks, and demonstrate a commitment to security best practices.
What We Do
Our Lead Implementer Services guide organizations through the successful establishment and maintenance of an ISMS aligned with ISO 27001 requirements. We provide strategic support to ensure compliance, reduce security risks, and achieve certification.
The ISO 27001 Journey
Achieving ISO 27001 certification involves several key phases:
1. Implementation
This phase involves designing and implementing the ISMS based on ISO 27001 standards. Key steps include:
● Defining the scope of the ISMS
● Conducting a risk assessment and establishing a risk treatment plan
● Developing and implementing policies, procedures, and controls
● Establishing continuous monitoring and improvement mechanisms
2. Internal Audit
Before undergoing formal certification, an internal audit helps identify gaps and areas for improvement. This step includes:
● Evaluating whether policies, processes, and controls are effectively implemented
● Identifying nonconformities and corrective actions
● Ensuring the ISMS is ready for external certification
3. Certification Audit
The certification audit is conducted by an accredited external auditor and happens in two stages:
● Stage 1 – A preliminary review of ISMS documentation and readiness
● Stage 2 – A full assessment of ISMS implementation, effectiveness, and compliance with ISO 27001
4. Certification & Ongoing Maintenance
Upon passing the audit, the organization receives ISO 27001 certification, valid for three years, subject to:
● Surveillance audits (typically annual) to ensure continued compliance
● Continual improvement by addressing evolving security risks and regulatory changes
Why ISO 27001?
ISO 27001 certification enhances data security, regulatory compliance, and customer trust, making it a valuable framework for organizations of all sizes.
ISO 27001 – Frequently asked questions
What’s the difference between ISO 27001 and SOC 2?
● ISO 27001: A global certification standard with strict requirements—ideal for international clients or regulated industries.
● SOC 2: A U.S.-based attestation report focused on customer trust—popular with SaaS companies.
If clients ask for a certification, they usually mean ISO 27001.
What are the essential policies?
At minimum:
● Information Security Policy
● Risk Management Policy
● Access Control
● Incident Management
● Backup and Recovery
● Acceptable Use / BYOD
● Asset Management
● Supplier Security
● Internal Audit Procedure
● Corrective Action
● Business Continuity / Disaster Recovery
How long does implementation take for a 1–10 person company?
Typically 6–12 months, depending on:
● How mature your existing processes are
● Whether you already have policies
● How much time you can dedicate weekly
Do we need special software to get certified?
No. Many small orgs use spreadsheets, shared folders, or Google Drive. Tools help—but are optional.
Do we have to implement all the Annex A controls?
No. You only need to implement controls that address your specific risks. All exclusions must be justified in your Statement of Applicability (SoA).
We have an office but no infrastructure—can it still be remote?
Yes, if everything is cloud-based. You’ll just show evidence of:
● Physical security (if applicable)
● Device policies
● Cloud configuration controls
How long does certification take?
After your ISMS is ready:
● Stage 1 (Docs Review): ~2–4 weeks
● Stage 2 (Implementation Review): ~4–6 weeks
● Certificate Issued: ~1–2 weeks after Stage 2 (if no major issues)
What are the key ISO 27001 documents we need?
Examples include:
● ISMS Scope Statement
● Information Security Policy
● Risk Assessment & Treatment Plan
● Statement of Applicability (SoA)
● Access Control Policy
● Incident Response Plan
● Backup / Disaster Recovery Policy
● Internal Audit Reports
● Management Review Minutes
● Corrective Actions Log
● Asset Inventory, and more
What is a surveillance audit?
An annual check by your certification body during the three-year certificate cycle, confirming the ISMS is still operating effectively:
● Year 2: Focuses on key controls and previous nonconformities
● Year 3: Broader check as you prepare for re-certification in Year 4
Can we implement and do our own internal audit?
You can implement yourself, but your internal audit must be independent—either:
● A team member not involved in implementation, or
● An external consultant
How long is certification valid?
● Valid for 3 years
● Requires annual surveillance audits to maintain
How many policies do we need?
Small companies typically have 10–20 core policies and procedures, often consolidated.
Is the internal audit mandatory before certification?
Yes. It shows you’ve validated the ISMS is working before the external auditor reviews it.
Can we exclude AWS or Azure from scope?
No. If you use cloud providers to host core systems, those services are within the scope of your ISMS. You must manage them as a supplier risk (e.g., review their security certifications and document the controls you rely on them for).
Can we do remote audits?
Yes. Both internal and external audits can be done remotely via:
● Screen sharing
● Secure document sharing
● Video walkthroughs
What if we don’t have a physical office?
Totally fine. Just ensure you cover:
● Device security
● Remote access (VPNs, MFA, encryption)
● Cloud account management
Do we need to include a sister company in scope?
Only if they store or process information relevant to your ISMS.
Can I certify if I’m a solo founder?
Yes. You’ll need to:
● Document your responsibilities
● Show segregation of duties (via automation or outsourcing internal audit, for example)
Can we get certified for our product or service?
No. ISO 27001 certifies an organization or part of it—not a product.
But you can define the scope as the team/systems supporting the product. Example:
“The software engineering and DevOps functions responsible for the secure design, development, and deployment of [Product Name].”
Need help with implementation or audit readiness?
Visit www.impactriskadvisor.com to get expert help with:
● Full ISO 27001 implementation
● Internal audits
● Security documentation
● Risk assessments and SoA
● Certification preparation