How to achieve ISO 27001

Header image for article explaining how to achieve ISO 27001.

July 27th, 2022


5 min read.

How long will ISO 27001 take?

Similar to asking:

“How long will it take to get to Glasgow”

…an honest answer would be:

“Where will you be travelling from?”

There is no absolute correct answer to how long it will take to prepare for ISO 27001. It will depend on:

  • What you already have in place

  • How you work

  • How big your business is

  • ...Spread over how many sites, with

  • ...How many departments, and

  • What internal resource do you have available

All of these will be factors in "guestimating" a timescale. To help with a very rough timescale, this site may be


What will it cost?

Well, similar to “How long will it take”, this too is a tricky fish!

We can tell you that your costs should be considered in four main categories:

1. Consultant

If you decide to use one, (e.g. ADL!), then it’s perhaps more helpful to consider this an investment rather than a cost (see what we did there?!). A good consultant should save you money (by streamlining your implementation and saving you wasting time on the wrong things), over and above their fees.

2. Internal resource

There will be things that people within the business need to do that can’t be done for you by your consultant (e.g. implement log monitoring…that kind of thing)

3. Internal systems

We may identify software/systems that are helpful or required to support our work and/or to meet compliance.

4. Audit cost

Your consultant should include an Internal Audit (required) towards the end of the implementation.

This is different to the external audit, which has to be conducted by a certifying body. You may like your consultant to be involved/present for the audits (we’d certainly recommend that), but this is usually priced separately to the implementation, as is the audit itself.

For a more accurate estimate of implementation costs, a Gap Analysis against the requirements of ISO 27001 can give a clearer indication of the work required.

How does ISO 27001 certification work?

Step 1: Implementation

The business implements an "Information Security Management System" that meets the requirements of ISO 27001 (That's the bit that I help with - implementation). Once the ISMS is built and has been running for a while (to build a body of evidence of it working) you can move to audit.

Step 2: Audit

The initial ISO 27001 audit is split into a "Stage 1" and a "Stage 2" audit. The Stage 1 audit essentially makes sure you have everything that you need to be ready for the Stage 2 audit, and if not, gives you pointers as to what you need to have in place before you get to the Stage 2 audit.

The Stage 2 audit is pretty brutal - they will want to see evidence that everything you say you are doing is actually being done - which is why you want the ISMS running for a bit before you get audited.

Step 3: Maintenance

Assuming you pass the Stage 2 audit, you get the certification, and then proceed to the maintenance part. Here you will be obliged to carry out "Internal audits", at least once a year, but probably more frequently than that.

You will also be checked annually by an external auditor (like the Stage 1 and Stage 2 audits) in what's called a "Surveillance Audit". These are to make sure that the ISMS is still operational, and that you are still doing what you said you would do at the start. Failing these can result in losing the certification, so they're pretty important, but equally should be fairly easy if you are maintaining the ISMS.

Step 4: Recertification

Year 0 - Stage 1 and Stage 2 audits.
Years 1 and 2, Surveillance Audits.
Year 3, you start the process again.

The Stage 1 and Stage 2 audits are the UKAS accredited bit. Whoever helps you with the implementation bit cannot then audit their own work. So, if we help you, we can do the internal audits, but cannot do the certification audit - for that you would need a certification body, such as ACCS, BAB, BSI etc.- and this is charged separately to any implementation work.

The number of days required for the external audit varies depending on the scope of the ISMS and its complexity - i.e. how many staff, over how many sites, and the complexity of the operations that fall within the scope of your ISMS.

The duration is dictated by UKAS, but assessment bodies have discretion on potential reductions. In theory it should only be the auditor day rate that affects the cost, rather than varying days required, but it's worth getting a few quotes!

Sounds good, lets go!

If you'd like to work with us, we'd love to hear from you. Please get in touch:

t. 01530 637 833

Andy Larkum

Managing Director

Registered Office: 6 Hinckley Road, Ibstock, Leicestershire, LE676PB, UK

Company Registration No: 06684621

VAT No: 140 0539 56

© ADL Consulting Ltd 2023. All rights reserved.