Build trust with ISO 27001 in 2024

Demonstrate a high standard of information security through ISO 27001 certification.

SOC 2 STANDARD

Is this the year you grow with SOC 2?

There’s no better standard to baseline your information security and earn trust with a broad customer base.

AssuranceLab is a registered CPA and CA firm ready to help you earn trust with SOC 2 in the US and globally.

We provide end-to-end readiness and audit services, with a cloud-native and agile approach that enables you to work at your own pace.


You’re in great company. We work with hundreds of fast-growing software companies across 13 countries, ranging in size from 2 to 26,000 employees.


You’re in great company. We work with hundreds of fast-growing software companies across 20+ countries, ranging in size from 2 to 26,000+ employees.

ISO 27001 CERTIFICATION

Is this the year you grow with ISO 27001?

ISO 27001 certifications demonstrate an effective information security management system.

AssuranceLab is a certification body ready to help you earn trust with ISO 27001 globally.

We provide audit pre-assessments through to certifications for ISO 27001 that can be combined with many other global standards to remove the usual duplication.


THE BENEFITS

Clear reasons to act

International credibility

A globally recognised certification to build trust at scale

Customer comfort and trust

AssuranceLab is a certified audit firm and trusted audit provider

Minimal business disruption

Agile and flexible audits leveraging technology to help minimise the disruption


Broadened coverage

Optionally add ISO 27017, 27018, or 27701 to increase your coverage

Multi-standard compliance

Audits that can combine multiple related frameworks, standards and certifications

Recognition of progress

Audit reports and status letters that keep your customers informed of your progress

THE PROCESS

Six Phases of ISO 27001

Pre-Assessment

An optional assessment for those pursuing ISO 27001 certification for the first time. We assess your readiness to undergo the following Stage 1 and Stage 2 audits.


Stage 1 Audit

Audits your key ISMS documentation from a design standpoint to confirm it satisfies the mandatory requirements of ISO 27001. A report is issued with any non-conformities, process improvements and observations to consider while implementing the remaining ISMS activities.


Stage 2 Audit

Audits the complete ISMS against the mandatory requirements and Annex A controls in your Statement of Applicability. A report is issued with any non-conformities, process improvements and observations. Minor non-conformities require a management action plan and agreed timeframe, with up to 90 days given to address prior to the certification decision.


Certification Decision

The certification decision is conducted at the mutually agreed date, up to 90 days after the Stage 2 audit is complete. This allows time to remediate any non-conformities that may adversely impact the decision. Upon a successful certification decision, the certification documents are issued.

Surveillance audits

To ensure ongoing conformity of your ISMS with ISO 27001, surveillance audits are performed in each of the following two years while the certification remains valid. We follow a risk-based approach to confirming ongoing conformance with the ISO 27001 requirements, rotating the areas of focus each year and combining them with a general assessment of the ISMS's ongoing operation.

Re-certification audit

The certification expires after three years. The re-certification audit is conducted prior to expiry to ensure continuous certification. Re-certification audits assess the full set of ISMS mandatory requirements and the Annex A controls in the Statement of Applicability.

Get started your way.
We’re ready when you are!

FAQ

Your questions answered

What is the ISMS and SOA?

The ISO 27001 standard is made up of requirements for operating an effective information security management system (ISMS). That management system must be assessed and found to adhere to those requirements to achieve certification. The requirements extend to the implementation of specific information security controls, which are selected from the prescribed Annex A of the ISO 27001 standard. The controls selected and implemented from Annex A are recorded in a Statement of Applicability (SoA) to demonstrate how that mix of controls supports the ISMS objectives; the SoA forms a key part of meeting the ISMS requirements.

When am I ready for Stage 1?

A Stage 1 audit should be commenced once you’ve implemented the mandatory requirements of the ISO 27001 standard, namely the ISMS itself. That gives you feedback on how it is set up, to ensure you’re on track for the Stage 2 audit and can address any identified non-conformities beforehand.

When am I ready for Stage 2?

The Stage 2 audit should commence once you’ve implemented all controls in the Statement of Applicability or justified their exclusion. Any major non-conformities from Stage 1 should have been remediated. You should also have completed at least one cycle of the information security management system, including a management review and an internal audit.

What are non-conformities?

Major non-conformities are where your ISMS does not meet the requirements of the ISO 27001 standard. These are generally significant gaps in the management system's overall design or in the controls in the Statement of Applicability. In contrast, minor non-conformities may undermine the effectiveness of the ISMS or have a minor impact on the requirements of the ISO 27001 standard, but do not prevent it from achieving its goals or meeting the key requirements of the standard.

Can we get certified if we have non-conformities?

Yes, it is possible to get certified with open non-conformities. That will generally only include minor non-conformities that have a clear and reasonable action plan for when and how they will be remediated. If there are a high number of minor non-conformities, or any major non-conformities, you are given up to 90 days to remediate them prior to the certification decision.

How does the three year certification period work?

ISO 27001 follows a 3-year certification cycle. The first year is the full certification audit: either an initial certification audit if it’s your first time, or a re-certification audit if it follows a previous 3-year certification cycle. These full certification audits cover all areas of your ISMS and review all controls in your Statement of Applicability. In the following two years, surveillance audits are conducted; these are scaled-down audits that review the operation of the ISMS and some areas of the Statement of Applicability.

Can we reduce the audit work by using a compliance platform?

Yes and no. ISO 27006, which governs the auditing of the ISO 27001 standard, prescribes audit days based on company size and complexity factors. It allows for adjustments of +/- 30% based on that complexity and other factors. A compliance platform with a centralised and well-monitored ISMS is a factor that can reduce the audit days. However, compared to SOC 2 and other audits, the potential reduction in audit time is less significant, as ISO 27006 still prescribes a minimum level of effort and duration for the audit days conducted to support certification.

OTHER STANDARDS

Earn trust with other leading standards


SOC 1 / SOX ITGC

Satisfy publicly listed customers regulated by Sarbanes Oxley and supporting financial reporting requirements.


HIPAA

The de facto global and best practice standard for proving secure handling of electronic protected health information (ePHI).


Custom Frameworks

Manage any compliance obligations from customers, regulators or your own internal risk requirements with custom frameworks.


ISO 27001

An international framework to apply a structured and best practice methodology for managing information security.


CSA STAR

A comprehensive, best practice standard for cloud security to achieve Level Two accreditation in the security, trust and risk (STAR) register.


Consumer Data Right

Access consumer data in Australia’s economy-wide open data regime with Consumer Data Right accreditation.


ESG Reporting

A flexible and lightweight framework to report up to 500+ positive impact activities supporting environmental, social and governance (ESG) objectives.


GDPR

The global gold-standard for privacy. GDPR is regulated for personal data collected from EU citizens, and an effective framework to satisfy enterprise customers globally.


SOC 2

Trust services criteria to satisfy a broad customer base globally for security, availability, confidentiality, privacy and processing integrity.

GET IN CONTACT

Get started your way

We’re ready when you are

Can’t wait?

Our free products help you get started without any fuss:


The always-free GRC platform that powers trust for hundreds of technology companies.


Our 40-minute policy generator: a better alternative to cookie-cutter templates.