ISO 27001 | Information Security Certification | NQA

ISO 27001 is the International Standard for Information Security Management Systems (ISMS).

Helps you with

Asset Protection, Security Policy, Cyber Security Strategy, IT Governance, Incident Management, Threat Mitigation, Downtime Reduction, Loss Prevention, Data Breaches, Compliance Checklist, Management System, GDPR.

WHAT IS ISO 27001?

The ISO 27001:2013 (formally known as ISO/IEC 27001:2013) standard provides a framework for an Information Security Management Systems (ISMS) that enables the continued accessibility, confidentiality and integrity of information as well as legal compliance. ISO 27001 certification is essential for protecting your most vital assets. 

ISO 27001 implementation is an ideal response to customer and legal requirements such as the Data Protection Act and potential security threats including:

  • Cyber crime
  • Personal data breaches
  • Vandalism / Terrorism
  • Fire / damage
  • Misuse
  • Theft
  • Viral attack

The ISO 27001 standard is also structured to be compatible with other management systems standards, such as ISO 9001 and it is technology and vendor neutral, which means it is completely independent of any IT platform. As such, all members of the company should be educated on what the standard means and how it applies throughout the organization. 


An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.

It can help any size organization within any industry keep business information assets secure.


The ISO security standards can help organizations address a number of important issues in various ways:

  • Regulatory compliance. The UK Data Protection Act is just one of many regulations currently pertaining to information security in the UK. ISO 27001 implementation helps to ensure compliance with all applicable laws and regulations. This reduces the likelihood of fines and other penalties due to non-compliance or the occurrence of a data breach.

  • Data breaches. One data breach can do irreparable damage to your company’s reputation. An ISO 27001 audit helps you limit the possibility of a breach by identifying the areas in which you are most vulnerable. It also provides a sound information management security risk framework. As mentioned, adhering to ISO 27001 standards reduces the likelihood of incurring fines or facing criminal prosecution due to non-compliance with any applicable laws and regulations.

  • Low risk management confidence. How confident are you in your organization’s ability to effectively manage data/information security risks? ISO 27001 registrations provide companies with an effective framework for identifying risks and threats, as well as for establishing the appropriate internal controls for minimising or even eliminating them. This will give you and your stakeholders greater assurance that you are doing everything possible to safeguard your organization’s vital information. 

  • Access to information. A critical element of any data security effort is effectively controlling who has access to information at any given time. ISO 27001 certification provides a framework for ensuring that all authorized users can get the information they need when they need it, while also preventing unauthorized users from accessing private or confidential data. This also helps to establish stakeholder trust and credibility, while enhancing your company’s recovery operations in the event of a breach or other catastrophic event.

  • Meeting high customer expectations. Understandably, your customers are likely to have high expectations in terms of protecting their private or sensitive information. ISO 27001 standards act as a blueprint for establishing customer-friendly policies and procedures that reduce your company’s risk of a breach, helping to put your customers’ minds at ease. This can be advantageous in terms of improving customer retention and generating new business. It can also reduce the level of third-party scrutiny regarding your information security practices. 

  • Creating a security mindset. Information security must be a point of focus for every member of your organization. The action of ISO 27001 implementation sends a clear message throughout your organization that security is a top priority. By increasing awareness, you’ll be helping to establish a security mindset that will spread to every level of your company, which can also reduce the likelihood of staff-related security breaches.


It’s right for you and your organization if you need the evidence or assurance that your most important asset is protected from misuse, corruption, or loss.

We have certified organizations to ISO 27001 in a diverse range of sectors including Royal Mail Group, Smart Water Technology, Barcode Warehouse and the Northern Ireland Council for Curriculum, Examinations and Assessment.

“ISO 27001 certification is widely recognised and we regard the Standard as a commercial necessity.” Smart Water

GDPR and ISO 27001

The General Data Protection Regulation (GDPR) has a much more extensive scope than the current Data Protection Act (DPA) and has been introduced to stay in touch with the modern digital landscape. The Regulation affords more data rights to individuals and requires organisations to develop defined policies, procedures and to adopt relevant technical and organisational controls to protect personal data.

The GDPR applies to two types of users, of which we will undoubtedly all fall; Controllers and Processors. Briefly put; the controller determines how and why the personal data is used or processed and the processor acts on the controllers behalf, much like many organisations relying on the services of an IT service provider. Processors have more legal obligations placed on them in the case of a breach however a controller will be responsible for ensuring the contracts with the processor comply with the GDPR.

This is not a complete overview of the new regulation and should not be used as such.
Article 42 of the GDPR details demonstrating compliance with the regulation through; “data protection certification processes”. ISO 27001 compliant Information Security Management Systems are a risk based approached that address specific security threats facing an organisation taking into account – people, processes and technology. 

Key Changes and how they Map to ISO 27001

So what are the key changes? Below are a list of relevant changes and how these changes relate to ISO 27001; however this is by no means definitive:

  • The way individuals are identified encompasses others factors such as their genetic, mental, economic, cultural or social identity. Companies will need to take measures to reduce the amount of identifiable information they store. Parental consent will be required to process the personal data of children under 16 years old.

Clear policies should be in place with regards to handling of individual identifiable information, with clearly defined retention timescales. ISO 27001 Annex A Control Measures specifically A.18.1.4 – Privacy and Protection of Personally Identifiable Information, mentions compliance obligations relating to the privacy and protection of personal information (formally known as Personally Identifiable Information PII).

  • Organisations not based in the EU that do business in the EU with EU subjects data will also be required to comply with the regulation.

The regulation has a global reach – If the organisation has customer/clients in the EU they must also comply with the regulation, especially if they collect personal information. Again covered in A.18.1.4.

  • Clear and affirmative consent to the processing of personal data must be sought. Inactivity or silences are no longer valid forms of consent.

There is a requirement to request informed consent for processing or stop processing! Demonstration of this fact must be available. Defined procedures and records must be in place to show this. A number of control measures  are relevant  here; A.8.2.3 – Handling of Assets, A.12.1.1 – Documented Operating Procedures,  A.18.1.3 – Protection of Records, A.14.1.1 – Information Security Requirements Analysis and Specifications, A.8.3.2 – Disposal of Media.

  • If a breach occurs that is likely to represent a risk to the freedom of the data subjects in question the organisation must report this to their data protection authority (Information Commissioners Office –ICO) within 72 hours, unless there are exceptional circumstance which must be justified. If the risk is high the data subject must also be notified however a specific timescale detailing when this must happen has not been detailed.

Breaches must be reported as soon as determined to be a breach not just a false alarm. Security incidents are referred to in section A.16 – Information Security Incident Management. Control measure A.18.1.4. - Privacy and Protection of Personally Identifiable Information

  • Data Protection impact risk assessments have become mandatory before undertaking higher-risk data processing activities. Where privacy breach risks are high, data controllers will be required to conduct privacy impact assessments to analyse/minimise the risk to the data subject.

ISO 27001 or an Information Security Management System is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes. The planning clause of the standard, clause 6 details actions to address risks and opportunities, more notably 6.1.2. – Information Security Risk Assessment and 6.1.3. – Information Security Risk Treatment. Control measure A.8.2.1 – Classification of Information.

  • Certain companies will be mandated to appoint a Data Protection Officer (DPO). Article 35 of the GDPR states that DPO’s must be appointed for all public authorities. This will also be the case where the core activities of the controller or processor involve “regular and systematic monitoring of data subjects on a large scale” or where the organisation conducts large scale processing of “special categories of personal data”.  Credentials for this role have not been specified however the GDPR require that DPO’s have “expert knowledge of data protection law and practices”.

The responsibilities and authorities for roles relevant to information security should be assigned and communicated as stated in clause 5.3 – Organizational Roles, Responsibilities and Authorities. A.6.1.1 – Information Security Roles and Responsibilities also applies.

  • Data subjects have the right to be forgotten, where information relates to their identity must be erased or destroyed.

This is a form or withdrawing consent and implies system and process control requirements to enable erasure of specific stored information and demonstrate/record this function. This can also relate to archives or backups. Relevant controls include; 6.1.2 Information Security Risk Assessment, A.14.1.1 – Information Security Requirements Analysis and Specifications, A.8.3.2 – Disposal of Media, A.16 – Information Security Incident Management, A.12.3 – Backup.

  • Data processors can be held liable for breaches and will direct legal obligations and responsibilities. Contractual arrangements will need to be reviewed and updated. The stipulation of responsibilities and liabilities between the controller and processor will be an important factor in future agreements as parties will need to document their responsibilities more clearly.

Privacy and Information security aspects much be addressed when managing relationships with business partners. This could include for example; joint investigation of data breaches, resolving privacy incidents and achieving & maintaining an assured level of GDPR compliance. Numerous clauses and control address this issue such as; 5.3 – Organizational Roles, Responsibilities and Authorities, 9.1 – Monitoring, Measurement, Analysis and Evaluation, A.13.2 – Information Transfer, A.15 – Supplier Relationship, A.16 - Information Security Incident Management, A.18 – Compliance.

  • The principle of privacy by design must become a cornerstone to the way processes are built. Systems and processes must consider compliance with the principles of data protection under GDPR. Privacy by design is in essence – privacy in a service or product should be taken into account from inception rather than the point of delivery.

Privacy by design and by default are examples of privacy principles underpinning each aspect of the project – specification, design, development, operation and maintenance. This includes relationships with third parties such as Internet Service Providers. Clause 6 – Planning and almost all of the control measures in Annex A apply.

The above is just a small list giving a taster of things to come and it should not be used as a compliance checklist. Organisations should plan for GDPR now!

Increased Penalties and Consequences

The maximum fine that can currently be imposed under the DPA is £500,000. Under the GDPR the upper limit could reach €20 Million or 4% of the annual global turnover of an organisation - whichever is higher. For some business this could posed a threat of bankruptcy or even closure.

With only 9 months to go to bring an organisation to a state of compliance with the new regulation, it is imperative that preparations begin now!


  • Customer satisfaction. Give customers confidence that their personal information is protected and confidentiality upheld.

  • Business continuity. Avoid downtime with management of risk, legal compliance and vigilance of future security issues and concerns.

  • Legal compliance. Understand how statutory and regulatory requirements impact your organization and its customers and reduce risk of facing prosecution and fines.

  • Improved risk management. Ensure customer records, financial information and intellectual property are protected from loss, theft and damage through a systematic framework.

  • Proven business credentials. Independent verification against a globally recognised industry standard speaks volumes.

  • Ability to win more business. Procurement specifications often require certification as a condition to supply, so gaining certification opens doors.

“In partnership with NQA, we have developed a rigorous and systematic approach to our information security management.” Nextira One


Application for registration is made by completing the ISO 27001 Quote Request Form. This provides information about your organization so we can accurately define the scope of assessment.

Assessment to ISO 27001 is undertaken by NQA - this consists of two mandatory visits that form the Initial Certification Audit (explained below). Please note that you must be able to demonstrate that your management system has been fully operational for a minimum of three months and has been subject to a management review and full cycle of internal audits.

Certification to ISO 27001 is issued by NQA and maintained through a programme of annual surveillance audits and a three yearly recertification audit.

For further information on the audit stages click here.


Client Success Stories - We've helped thousands of clients to improve performance with standards certification – read their success stories here, including:

ISO 27001 Training - We have expert ISMS tutors who provide awareness, implementation and auditor training options to suit your needs and budget. These give you the skills to implement, audit and manage an effective information security management system.

Gap Analysis - We can undertake a gap analysis to help you determine the likely workload and timescale for implementing a information security management system that will achieve ISO 27001 certification. You can use this to plan implementation or brief a consultant.

Consultancy - We don't provide consultancy but we can help you choose a reputable consultant from the NQA Associate Consultant Register.

Talk to Us 

You can complete a quick quote online or complete a full ISO 27001 quotation request form and email it directly to our sales team.

Call our business advisors on 0800 052 2424 or contact us to discuss your certification requirements in more detail.


Fill Out This Short Form 
And A Team Member Will Be In Touch!

Or Call Us: 0800 052 2424

ISO 27001 by the Numbers