ISO 27001
Updated 2025-06-19

ISO 27001 certification

Introduction

ISO 27001 certification, project management, and support for implementing an information security management system

ISO 27001 is part of a series of standards that cover the protection of various types of information assets. The complete series consists of around fifty different standards, covering everything from network security to incident management, risk management, and software security. By working with a management system, your entire organization gains standardized protection for its information assets.

Contact us

Want to know more about our services and solutions? Contact us and we will help you.

How we can help

We help your organization with the management system

Our consultants have extensive experience with ISO 27001 and possess deep knowledge of management systems. Together, we’ve guided both large and smaller companies toward certification. Since ISO 27001 also relates to many of our other services, it’s an area where we truly excel.
Here’s how we support you in an ISO 27001 certification:

  • Planning and project management
  • Education and assistance
  • Guidance and oversight
  • Assistance with ISO 27001 certification

Fundamentals

Protecting invaluable assets, such as personal data or customer information, is a given in today’s information society. However, safeguarding the assets that store, transmit, or process that information within a network is more challenging.

This is where ISO 27001 comes in. With a clear understanding of which assets are worth protecting, we can design a tailored system of policies and procedures for your organization that helps strengthen information security. This system is also based on a risk assessment, allowing us to focus efforts on managing incidents that are likely to occur and could have serious consequences for the business. Some aspects are also governed by laws or requirements from customers or suppliers, which we must keep in mind when shaping the governance framework.

Scope

An ISO 27001 project can become a highly extensive undertaking. That’s why it’s important to clearly define a specific scope within which we want to improve information security.

Smaller organizations may include all of their processes, while larger companies benefit from selecting specific areas. This could include, for example, a data center, the case management process, or IT operations. Doing so makes it easier to move forward while gradually building knowledge about information security and ISO 27001 within the organization. Often, information security requirements from customers or other stakeholders are directed at a particular part of the business—making it worthwhile to start there.

Implementation phase

A common mistake in ISO 27001 projects is to focus on technical solutions from the very beginning. Technical measures are highly useful for addressing certain risks, but in other contexts they complicate matters.

Excessive requirements for passwords, two-factor authentication, document encryption, and restricted access to certain premises often steal valuable time from core operations and can make people feel distrusted and disengaged. We’ve also seen that employees may find their own insecure workarounds to bypass overly strict security measures.

It can be just as effective to educate staff, avoid handling overly sensitive data, or shift responsibility to suppliers or customers through agreements. Some risks can also be accepted without putting customers or the business at risk. ISO 27001 makes the management-system clauses mandatory, but the Annex A controls can be excluded with a justification in the Statement of Applicability, so the organization designs its protection based on its own risk assessment rather than a fixed checklist of controls.

Some of our customers

What our customers say

Secify has supported Oneflow on the journey toward certification in ISO 27001, ISO 14001, and ISO 9001. Secify provided expert knowledge and valuable input on how to best implement the requirements in a way that fits our day-to-day operations. I initially expected the collaboration to be more formal than it actually was. I truly appreciate the Secify team—not only for their expertise but also as colleagues. Without a doubt, Secify made our journey smoother, and I can highly recommend their expertise to other organizations.

Axel Ideström, Oneflow

We chose to work with Secify because of their strong expertise in information security and GDPR, specifically related to the healthcare sector. Secify’s experts are helping us both comply with GDPR and implement ISO 27001.

Stefan Jernberg, Carasent

I believe that embedding information security into the organizational culture is a key foundation for successful information security work.
(We supported WinLas in their journey toward ISO 27001 certification.)

Victoria Ronge, WinLas

Customer cases within ISO 27001

The process

The path to ISO 27001 certification

The standard sets clear requirements for a systematic approach: the risk acceptance criteria and the criteria for how risk assessments are performed must be defined before risks are identified and evaluated. When the criteria are established upfront, there is less uncertainty and discussion about what actually needs to be addressed once the risk evaluation begins. Below is an example of what a plan for ISO 27001 might look like.

Kick-off for the ISO 27001 implementation

We start the ISO project by conducting an ISO analysis. This gives us a clearer picture of how your organization operates and highlights the needs, expectations, and goals in place. After that, we agree on which part or parts of the organization (scope) will be included in the ISO project.

Planning / analysis

We develop a plan for how to move forward with the management system and establish processes for identifying, analyzing, and managing security risks within the organization.

Implementation phase

Continuous improvement

All plans and processes are set in motion. This is when the operational security work begins and the management system is implemented into the organization’s daily operations.

Questions and answers

Here you’ll find answers to the most frequently asked questions about ISO 27001. Do you have a question that is not listed? Use the contact form further down the page.

Are there other information security management standards?

Yes. Other frameworks for managing information security include the NIST Cybersecurity Framework (CSF) and the ISF Standard of Good Practice for Information Security. Unlike ISO 27001, neither is a certifiable management-system standard.

What happens after you become certified within ISO 27001?

After you have been certified, the certification body carries out annual surveillance audits to verify that the organization continues to meet the requirements of ISO 27001. Every three years a recertification audit is done, which is a somewhat larger audit.

What is the purpose of ISO 27001?

The purpose of ISO 27001 is to increase information security in the organization through systematic work in the management system.

Do you have to have ISO 27001?

No, not everyone currently needs an ISO 27001 certification. There are, however, strong indications that some organizations covered by NIS2 will have systematic management-system work as a requirement.

What is required to become ISO 27001 certified?

To be certified, you must work with information security in a systematic way and meet the requirements set by ISO 27001. Certification means that an independent certification body has audited the management system and found that it conforms to the standard, so you first have to undergo a certification audit.

When do you need a management system?

The need for an information security management system (ISMS) often comes in the form of a requirement from a supplier, subcontractor, partner, authority or regulation.

How does ISO 27001 increase my security?

ISO 27001 gives the organization a standardized way of working with security. In other words, the organization starts working from a best-practice approach, developed by IT and information security experts, for how to manage security in an organization.

Can you work with ISO 27001 without being certified?

It is absolutely possible to work according to the standard without being certified. What you gain from such work is increased security that permeates all layers of the organization.

How do you start working towards an ISO 27001 certification?

It is possible to carry out ISO work without external help, but that route often takes much longer than hiring a consultant. A good starting point is to buy the standard, read it through, and build your own framework that you implement in the organization through processes and routines, training and security-enhancing measures.

What does the certification process look like?

After the management system has been introduced and the organization has passed an internal audit, an independent certification body reviews and assesses the organization and its management system to ensure that the requirements are met. This is typically done in two stages: a review of the documentation (stage 1) followed by an on-site assessment of how the system is implemented (stage 2). If the audit is approved by the independent body, the certificate is granted.

How long does it take to be certified?

How long it takes to be certified depends above all on how security-mature you are as an organization, i.e. whether you have worked with information security before and already have certain processes in place. Other factors are the size of the company, the priority the certification is given, and which scope we choose to certify. As a rule, it takes an estimated 6 to 12 months, but we have had projects that took longer.

What do you gain by being certified?

The entire organization becomes more resilient to cyber attacks. Awareness, technical and organizational measures to increase security are put in focus and permeate the entire organization. In addition to that, a certified organization fulfills many of the requirements that partners can set for a collaboration.

What is ISO 27001?

ISO 27001 is an international standard that specifies the requirements for an information security management system (ISMS). By applying it in your organization, you get a standardized way of working that covers all aspects of information security.

Get in touch!

Go to Top