ISO/IEC 27001:2022 – Certification of information security management systems

The length of the ISO/IEC 27001 certification process depends on various factors: for example, the size and complexity of the company, the competence of the employees involved, the software solution and the time available to develop the system. It typically takes between six and twelve months to work through the processes and applicable documents and prepare for the certification audit. The audit lasts at least a day, while for larger companies, it can take several days.

After successful initial certification, the company receives a certificate valid for three years. In each of the two subsequent years, a maintenance audit is carried out, which is smaller in scope. This audit ensures that the requirements of the norm are being met on an ongoing basis and that the company is continuing to develop. Before the certificate expires, a recertification audit is carried out, and a new cycle begins.

The costs depend on various factors: for example, the size and complexity of the company, the number of full-time employees and the number of sites that are to be certified. One-off or recurring costs for developing and operating the system should be taken into account, for example internal human resource expenditure, training for staff, consultation fees and licences for process management software. We recommend preparing a statement of costs in advance. IOS/IEC 27001 certification is of strategic importance and represents an investment in the future of the company.

SQS is a certification body licensed by the Swiss Accreditation Service (SAS). Consequently, we are prohibited from advising you when developing an ISMS. The separation between advice and certification is critical to our independence and hence for the credibility of our certificates. Despite this, we do offer tutorials on designing and further developing management systems. These tutorials are conducted by our auditors, all of whom have the necessary practical experience.

The certification body is responsible for carrying out the certification audit in accordance with regulatory provisions and for examining the company for compliance with the requirements of ISO/IEC 27001. It is important to opt for a certification body like SQS, which is recognised by a national accreditation service. This is the only way to ensure that your certificate will enjoy widespread (including international) recognition.

All valid certificates issued by SQS can be found on our website under Certified organisations. To search for a company, enter the registration number.

Yes, a company can have multiple certifications simultaneously, for management systems in accordance with ISO 9001 (quality management), ISO 14001 (environmental management), ISO 45001 (occupational health and safety), ISO/IEC 27001 (information security) and others. These norms complement one another and enable companies to create an integrated management system that takes into account the different requirements of customers, employees and other stakeholders.

If the requirements of the norm are not fulfilled and the lead auditor raises so-called major or minor nonconformities, the company must remedy these within a pre-defined period. If the company is not able to do this, the certification body may impose a suspension of a maximum of six months or abandon the certification process. However, these cases are extremely rare.

The company should ensure that all employees understand the requirements of the norm and are able to implement them in their daily operations. Tutorials and training programmes can help to raise awareness of the norm and its benefits and, in this way, to ensure the ISMS is operated effectively and efficiently.

The European Union General Data Protection Regulation (GDPR) is also relevant for many organisations in Switzerland. An information security management system (ISMS) in accordance with ISO/IEC 27001 supports compliance with GDPR requirements in a variety of ways. It implements robust security measures that protect personal data against unauthorised access and loss. A structured risk management system enables companies to identify and systematically minimise potential risks when handling data. An ISMS is designed to aid compliance with legal and regulatory requirements by continually monitoring and improving relevant processes. In addition, it supports comprehensive documentation and transparency in data processing, which is essential when it comes to meeting GDPR provisions.

ISO/IEC 27001:2022 contains multiple important changes compared to ISO/IEC 27001:2013. The main changes include updating the controls in Annex A to align with the changing technological and threat landscapes, the introduction of new controls to mitigate cloud security risks and improvements to the risk management process. Furthermore, clarifications and improvements were made to simplify the implementation and use of the norm. These changes are designed to make information security more effective and in keeping with the times. A transition phase of 36 months was specified to convert the ISMS according to the adapted norm.

An ISMS in accordance with ISO/IEC 27001 is particularly valuable for SMEs, which often do not have the same IT resources as large companies. It provides a structured approach to information security, incorporating tailored and cost-effective SME solutions. This norm helps companies systematically and efficiently identify and minimise risks, whereby data integrity and confidentiality are guaranteed. By implementing clear security guidelines and undergoing regular audits, compliance with legal requirements is ensured, the trust of customers and partners is strengthened and operational efficiency is improved. An ISMS enables SMEs to achieve a high level of security and protect themselves against various cyber threats, even with limited resources.

ISO/IEC 27001 provides a comprehensive framework into which security requirements of cloud environments can also be integrated. The norm contains updated controls that address risks such as unauthorised access, data loss and security breaches in the cloud. Organisations are called on to develop and implement clear security guidelines and protocols which conform to the highest security standards, including for cloud services.  Regular audits help improve these measures continually and adapt them to new threats. This ensures that sensitive data in the cloud remains protected and compliance with the relevant security standards and legal requirements is guaranteed.

ISO/IEC 27001 and ISO/IEC 42001 complement one another and provide comprehensive protection and principles for information and AI systems. By implementing both standards, companies can ensure that their AI systems are not only secure, but also ethically sound and therefore responsible. While ISO/IEC 27001 covers general information security and protection against cyber threats, ISO/IEC 42001 focuses on the specific challenges of AI, such as transparency, fairness and ethics. This combination strengthens the trust of customers and partners alike and ensures compliance with legal and regulatory requirements, resulting in a more robust and more responsible use of information and AI technologies.