ISO/IEC 27001

ISO 27001 is a different certification from Cyber Essentials: it is a process-oriented review that shows you operate an information security management system (ISMS) with defined security controls, so the evidence is largely documentation and process rather than a fixed technical checklist. The certification scope is also yours to define, so the evidence an auditor asks for varies. For example, demonstrating backups may mean showing them for every cloud system in scope or only for a sample of them, depending on the agreed scope and the auditor.

ISO 27001 is typically achieved by medium and large businesses, or by SMEs that are contractually required to demonstrate mature security processes around their IT systems.

ISO 27001 is particular to your business and systems, which makes it a more nuanced certification that reflects your actual business needs. Core documentation and processes (risk assessment, risk treatment, a Statement of Applicability) must be demonstrated, alongside the technical controls from the standard's Annex A, which the 2022 edition groups under a separate "technological" theme where a technical measure rather than a manual process is the expected means of compliance.

In other words, the standard is a moving target: it is revised periodically (most recently in 2022) and its control set is updated to reflect the solutions available on the market. As a standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), with certification carried out by accredited certification bodies worldwide, ISO/IEC 27001 is well suited to businesses that need to demonstrate competence in international markets or to buyers with an international presence.

What it achieves

ISO 27001 is typically required of any organisation that processes large amounts of personal information on behalf of larger institutions, such as healthcare firms that work with the NHS. Many established institutions also mandate ISO 27001 certification before a supplier is even considered.

This international standard is most suitable for medium and large businesses that wish to demonstrate their IT security controls to an international audience, both the process-driven controls and those achieved through technical systems (e.g. backups). As with Cyber Essentials, there is an expectation that you have visibility and control over every part of your IT estate that falls within the certified scope, and that the scope itself is defined and documented rather than left implicit.

Aside from being mandatory for more lucrative commercial agreements, achieving ISO 27001 gives your business confidence that it is resilient in an increasingly dangerous security landscape. The areas this standard covers are also very commonly raised by underwriters when you seek cyber insurance.

How we can help

The ISO 27001 standard is admittedly complex; it takes significant due diligence and an in-depth exploration of your IT estate to achieve. Certification is typically reached through an internal audit, followed by an external audit by an accredited certification body (usually split into a documentation review and a full implementation audit). The certificate is then valid for three years, subject to annual surveillance audits and a recertification audit at the end of the cycle. Unlike Cyber Essentials, which has broadly fixed costs, ISO 27001 certification varies in price depending on the maturity of your business and the size of the scope.

Suzaku Consulting have helped a wide range of regulated businesses achieve ISO 27001 certification, including firms in the legal, defence and healthcare sectors. Because this certification is bespoke to every business, the best first step is to call us to discuss your specific requirements.