ISO 27001 FAQs – Frequently Asked Questions

Why do companies pursue SOC 2?

It’s a common requirement for service providers handling customer data, especially in the U.S. tech market.

What is SOC 2 consulting?-

Assistance with meeting SOC 2 requirements around security, availability, confidentiality, and privacy.

Who needs ISO 27701 certification?

Any organizations that process sensitive personal privacy data and want to demonstrate accountability. ISO 27001 is a “pre-requisite” standard before your organization can implement and certify to ISO 27701.

What is ISO 27701 consulting?

Guidance to extend ISO 27001/27002 controls for privacy management and GDPR alignment.

Why is ISO 27018 important?

It reassures clients that their personal data is handled responsibly in cloud environments.

What is ISO 27018 consulting?

Support for implementing privacy controls in cloud services to protect personally identifiable information (PII).

Who should consider ISO 27017?

Cloud providers and businesses using cloud services that require enhanced data security.

What is ISO 27017 consulting?

Advisory services to implement cloud-specific security controls based on ISO 27017.

How does ISO 22301 benefit businesses?

It improves resilience and ensures recovery from operational disruptions.

What is ISO 22301 consulting?

Expert support to implement and certify a BCMS under ISO 22301.

Why is HIPAA compliance critical?

It protects patient private data and avoids heavy regulatory fines. It’s a requirement of any organization that works with patients and their health privacy.

What is HIPAA consulting?

Guidance for healthcare providers and vendors to ensure compliance with HIPAA’s privacy and security rules. You can look this up google it. We need better content but I am not the expert.

Who benefits from CSA STAR?

Organizations and Cloud service providers seeking third-party validation of their security practices.

What is CSA STAR consulting?

Assistance with implementing the cloud security alliance framework and performing an internal audit to get ready for CSA’s official attestation audit.

Why is CMMC compliance important?

Non-compliance can disqualify companies from DoD contracts.

What is CMMC consulting?

Support for defense contractors to meet Department of Defense cybersecurity requirements under CMMC.

Who needs CCPA consulting?

Companies serving California residents that collect or process personal data.

Why use SecuraStar’s Proven Implementation System (toolkit)?

It reduces effort, ensures alignment with standards, and helps teams focus on execution. We have hundreds of clients to prove it.

What is CCPA consulting?

Professional guidance to help businesses comply with California’s privacy law, covering consumer rights and data handling.

What is an ISO 27001 toolkit (SecuraStar Proven System)?

A custom documentation system to meet the ISO 27001 Clause 4-10 Auditable Requirements that is customized and/or integrated with the organizations current info sec program. A ISO 27001 Toolkit may ensure ISO 27001 success by meeting all the requirements and speeding up the timeline to ISO 27001 Certification.

Does ISO 27001 improve business value?

Yes, certification often leads to compliance requirements in RFP’s, contracts and also new opportunities, especially in regulated or global markets.

What are the main benefits of ISO 27001?

Stronger data security, regulatory compliance, customer trust, and competitive advantage.

Some of the ISO/IEC 27001 certification benefits

• Keeps intellectual property and valuable information secure
• Secures exchange of information
• Ensures you are meeting your legal obligations
• Manages and minimizes risk exposure
• Cost savings for rework, damages, and waste

How do white papers help organizations?

They provide insights for decision-makers and practical guidance for teams.

What are ISO 27001 white papers?

Authoritative guides explaining concepts, best practices, and benefits of ISO 27001.

Why is a roadmap important?

It provides clarity, deliverables, timelines, and accountability for project success also known as who, what, where, when and how.

What is an ISO 27001 roadmap?

A phased project plan outlining milestones for achieving ISO 27001 certification typically following the Clause 4-10 auditable requirements for implementing a information security management system (ISMS).

Why use a control diagram?

It helps organizations visualize, plan, and communicate Policies, processes and procedures to its employees. A ISO 27001 Control diagram is a form of information security architecture.

What is an ISO 27001 control diagram?

A visual representation of how ISO 27001’s controls map into Policies, Processes and procedures.

How long does ISO 27001 implementation take?

Typically 5–8 months, depending on company size, the size of the scope and ability of the organizations management to make decisions, implement controls, build records / evidences and perform the first internal audit. The number of assets in scope vs the number of employees and number of locations are critical factors that may affect the implementation timeline.

What are the steps to implement ISO 27001?

Typically ISO 27001 follows the chronological order of ISO 27001 Clause 4-10 auditable requirements to build a Information Security Management System (ISMS). That includes defining the scope, create and asset inventory, assess risks, chose controls, implement policies, processes and procedures, train staff, implement business continuity perform internal audits, and achieve ISO 27001 certification.

Why use ISO 27001 software?

It simplifies compliance, reduces manual work, and ensures consistent recordkeeping for audits.

What is ISO Manager software?

An all-in-one Governance, Risk, and Compliance (GRC) solution that helps manage ISO 27001 requirements, documents, and audits in one place.

Is business continuity mandatory under ISO 27001?

Yes, organizations must plan for continuity and disaster recovery as part of risk management controls. However, ISO 27001 business continuity requirement is a “generic requirements) and this it is not “prescriptive”. Each organization has the ability to choose a level of business continuity adherence within their own organizations risk tolerance, budget, resources unless they have a Legal, Regulatory or Contractual Agreement that defines the minimum business continuity requirement.

How does ISO 27001 support business continuity?

It builds a framework to protect critical assets, reduce downtime, and ensure resilience against disruptions. Business continuity is a form of preserving “Availability” which is a key component of information security which is defined as the “Preservation of Confidentiality, Integrity and Availability of information in any form”.

Who should perform the internal audit?

Trained internal auditors or external auditors (certification auditors) whom are “independent and objective” of your ISMS. Although certification auditors are not required by ISO to perform the ISO 27001 Internal Audits, they are the most qualified to catch and non-conformities. SecuraStar ONLY uses qualified ISO Certification Auditors for all internal audits.

Why is an internal audit required for ISO 27001?

It ensures compliance, identifies weaknesses, and prepares the organization for external certification audits. How else would you know if your ISMS is working?

How often should risk assessments be done?

At least annually or whenever major changes occur in business processes, IT systems, or regulations occur.

What is the purpose of an ISO 27001 risk assessment?

To identify, evaluate, and treat security risks that could affect your business data and operations. Risk assessment is a requirement of ISO 27001 Clause 6 Planning. The output of the risk assessment includes mapping info security controls to Annex A Controls in the required Statement of Applicability (SOA) and categorizing similar controls in related Policies, Processes and Procedures.

What is an ISO 27001 gap assessment?

A Gap Assessment / Gap Analysis is performed to identify any gaps in the required ISO Clause 4-10 auditable documentation requirements. After a Gap Assessment, we provide a detailed project plan of deliverables and timeline to reach ISO 27001 Certification.

Why conduct a gap assessment before certification?

It helps prioritize remediation and prevents costly delays during certification audits.

How can ISO 27001 experts help a business get started?

We request an initial meeting with decision makers to determine the goals of the organization so we can propose implementation consulting options and business strategies to help you get there.

Who are ISO 27001 experts?

All of SecuraStar’s experts are Certified trainers, certification auditors and have many years of experience.  We are the trainer not the student, and we are the certification auditor, not a one week lead auditor course.  Our experts have achieved the highest bar in ISO.

Why hire Securastar’s ISO 27001 consultants?

We bring expert consultants and a proven documentation system to save your organization time and money to achieve ISO 27001 certification.

What do ISO 27001 consulting services include?

End-to-end implementation consulting and guidance support for planning, implementing, and maintaining an ISO 27001 ISMS customized to your organization.  SecuraStar has a proven documentation system we integrate and/or customize with your existing documentation.

What training is required to be a ISO 27001 Certification Auditor?

The minimum training to become an accredited ISO 27001 Certification Auditor is:

1. PECB - ISO 27001 Lead Auditor Training
2. PECB - Certified Management System Auditor (CMSA)
3. 300 Management System Audit hours (per audit log).  Each Certification Body may recognize some audit hours from other related ISO management system standards, internal audit hours, certification audit hours, industry experience, etc.

Who should take ISO 27001 Training Classes?

Who should take ISO 27001 Training Classes?

1. Anyone auditing ISO 27001 management systems including ISO 27001 internal auditors and/or certification auditors.
2. Anyone implementing ISO 27001 management systems such as an ISO 27001 Consultant, Information Security Manager, ISMS Manager.
3. Anyone maintaining ISO 27001 management systems such as an ISMS Manager.
4. Anyone managing or performing ISO 27001 Risk Assessment Process.
5. Anyone managing or performing ISO 27001 Business Continuity Requirements (Availability) including Business Impact Analysis (BIA), Business Continuity Plan (BCP), Disaster recovery, etc within the Context of the Organization (Scope) of ISO 27001 registration.
6. Information Security students, consultants, managers, etc.

What ISO 27001 Training should I take?

There are three main training classes for ISO 27001 Management Systems including:

1. ISO 27001 Lead Auditor Training - How to "Audit" ISO 27001 Management Systems
2. ISO 27001 Lead Implementer Training  - How to "Implement" ISO 27001 Management Systems
3. ISO 27001 Lead Risk Manager Training - How to "Manage" the ISO 27001 Risk Assessment Process

Depending on your career path and job requirements, all PECB accredited training classes can be of great value to your experience, knowledge and resume / CV.  Each training course will help you understand the many options to meet the ISO 27001 clause 4-10 auditable generic requirements.

What is a information security management system (ISMS)?

Information security is defined as the "preservation of confidentiality, integrity and/or availability (CIA) for information in any form".  Thus, an information security management system (ISMS) is simply a Management System (plan, do, check, act) umbrella over the "preservation of CIA".

The international organization of standards (ISO) auditable requirements for information security management systems (ISMS) is known as ISO 270001.  The entire ISO 27000 series of standards are all focused on information security including:  vocabulary, definitions, implementation guidance for each ISO 27001 clause 4-10 generic requirements and specific controls for certain industries or types of assets.

What is the definition of Information Security?

Information security is defined as the "Preservation of Confidentiality, Integrity and/or Availability (CIA) of Information in any form".

What does ISO stand for?

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO standards are the result of collaboration and consensus among a group of more than 160 countries around the globe.

What is information?

Information is that which informs or resolves uncertainty. Information is a business asset that has a value to an organization and thus has to be protected. Information can be found in any form including:

• Electronic - email, data stored, websites, etc.
• Physical - paper files, cds, photos, USB drive, etc.
• Verbal - phone conversations, in-person conversations, meetings, etc.
• Knowledge - employee knowledge (in their heads)

What is information security?

Information Security is known as the process of protecting information assets against the loss of confidentiality, integrity and availability (CIA) or preservation of CIA.

What is an Information Security Management System (ISMS)?

A framework of processes and procedures used to protect against the loss of confidentiality, integrity and availability (CIA) of information in any form.

What is ISO 27001?

ISO 27001 is the international standardization of auditable requirements for an information security management system (ISMS). ISO 27001 has two main parts including Sections 4-10 and Annex A.

What are the ISO 27001 ISMS requirements?

The ISO 27001 ISMS requirements are found in Sections 4-10. These section 4-10 requirements are also known as the international standardization of information security management system (ISMS) requirements. These requirements are "generic" and intended to be applicable to any type and size of organization in the world. These generic requirements are very high level and allow for a wide variety of implementation options for how to build an ISMS. These generic requirements are why most organizations need help implementing ISO 27001 / ISMS.

What is Annex A?

Annex A is the international standardization of control objectives (14) and controls (114). It is a comprehensive minimum baseline of information security controls that all information security management systems shall consider when selecting controls to mitigate information security risks. ISO 27001 requires that organizations map which Annex A controls apply to them in the statement of applicability (SoA). Annex A is also somewhat generic in that it is only a mid-level control description. There is a wide variety of options regarding which low-level controls you actually choose and implement to reduce risk under the Annex A description, which is why you may seek guidance from an experienced ISO 27001 consultant.

What is the ISO 27000 series of standards?

All ISO standards consist of a series of standards that apply to a specific management system category. The ISO 27000 series of standards specifically address information security management systems (ISMS).

It is typically the first standard in each ISO series that contain the management system requirements. Thus, it is typically only the 1st standard in each series that is "certifiable" such as;

• ISO 27001 = Information Security Management Systems (ISMS)
• ISO 9001 = Quality Management Systems (QMS)
• ISO 22301 = Business Continuity Management Systems (BCMS)

*All of the other standards in each ISO series are typically reference / guidance to support one or more of the management system requirements. Some commonly used ISO 27000 reference standards include:

• ISO 27002 = reference / guidance for information security controls (code of practice)
• ISO 27004 = reference / guidance for information security measurement
• ISO 27005 = reference / guidance for risk assessment

*there are many more reference / guidance standards available in the 27000 series

What is ISO 27002?

ISO 27002 also known as "code of practice" is a low level reference / guide for implementing controls to mitigate information security risks. It exactly cross-references Annex A control objectives (14) and controls (114) without referencing the A in front of each control number. It is much lower level and descriptive than Annex A.

What is ISO 27001 Scope of Registration?

ISO 27001 scope of registration can be defined as "the information you want to protect". It is this information within scope that you build an information security management system (ISMS) around. The scope is derived from careful consideration of the documenation requirements defined within Section 4 - Context of the Organization. The scope should meet business requirements and give value to products and services. The scope will have a significant impact on the timeline and costs of implementation, certification and management of the ISMS.

Does ISO 27001 require legal and contractual compliance?

Yes! ISO 27001 requires compliance to any legal / regulatory or contractual obligation that is applicable to the scope of registration. The risk assessment process typically addresses this as the risk of non-compliance. Compliance requirements such as FISMA, HIPAA, PCI DSS, are often mapped to Annex A for audit and applicability purposes.

What is ISO 27001 Asset Inventory?

The asset inventory includes all the assets that exist within the scope. The scope statement typically includes all underlying assets which may include people, networks, cables, facilities, hardware, software, etc. These assets collect, store, access and distribute information within the scope. Thus, we must assess the risk to these assets and apply appropriate controls to mitigate the risk. The asset inventory also tells us where to apply controls including the asset owner and location.

What is ISO 27001 Risk Assessment?

ISO 27001 Risk Assessment requires an organization to measure the risk (threats and vulnerabilities) to assets within the scope. There are two types of risk assessed within ISO 27001.

1. Risk to the loss of confidentiality, integrity and availability (CIA) or preservation of CIA.
2. Risk of non-compliance including legal / regulatory and contractual compliance.

The outputs of risk assessment include the risk treatment plan (RTP), statement of applicability (SoA) and also populate the ISMS controls such as policies, processes, training and awareness, business continuity, etc.

How long does it take to become ISO 27001 Certified?

It typically takes anywhere from 3 - 12 months to implement and certify ISO 27001 requirements for an information security management system (ISMS). This can vary from organization to organization based on size of the scope of registration including number of locations, status of the current information security program, company size, internal resources and focus, etc. SecuraStar's ISO 27001 Software (ISMS Manager) can often speed the process by several months due to the efficiencies built into the risk management process and its automatic outputs including the risk treatment plan, statement of applicability, policy creation, compliance mapping and task management.

How much does it cost to Implement ISO 27001?

The cost to implement ISO 27001 can vary from organization to organization based on size of the scope of registration including number of locations and status of the current information security program. Total costs may also include hiring a consultant, buying software, employee time, salary benefits, control implementation, performing internal audits, etc. This can range as low as a few thousand dollars for a do-it-yourself implementation to well over $100,000+ for a large organization who hires a consultant.

How much does it cost to certify ISO 27001?

The cost to certify ISO 27001 after implementation can vary from organization to organization based on size of the scope of registration including number of locations. Most registrars calculate their costs based on audit days so the larger the scope and number of locations, the larger the cost. Quotes from certification bodies typically cover a 3 year period which includes a full audit (stage 1 and 2) the 1st year and a smaller annual surveillance audit in years 2 and 3. Costs can range as low as $6,000 for a small scope with one location to over $50,000+ for a large organization with a large scope and many locations worldwide. Surveillance audits in years 2 and 3 are typically around half to one-third the cost of the 1st year full audit.