Why and How to Achieve ISO 27001 Certification


The security of sensitive information should be a top priority for any business. From client phone numbers to financial details, if this data is breached and lands in the wrong hands, it can have a very serious negative impact on your business. Ask yourself: if sensitive information is leaked, would it hurt your business? Put yourself in the clients’ shoes and determine how you would feel if your information was stolen by hackers. Would it affect your trust in that vendor? Would you do business with them again?

If you want to protect your sensitive information, then you must have an adequate information security program.

ISO 27001:2013 (ISO 27001) is one of the industry-leading standards used to implement a strong information security management system (ISMS). ISO 27001 will help your company determine where the most important risks are and implement a process to mitigate or reduce those risks. An ISMS gives you the freedom to grow and innovate, while remaining confident that your sensitive information remains protected.

Do you know where your most important and sensitive information is housed? Are you aware of its vulnerabilities? If you need help getting started with a security program, reach out to our team and we’ll help lay the foundation to achieving ISO 27001 compliance.

ISO 27001 can help your company:

  1. Identify risks and put controls into place to reduce or mitigate them
  2. Ensure compliance with relevant laws, regulations and contractual agreements
  3. Reduce potential vulnerabilities to the organization and lower the probability of a successful breach
  4. Improve information security awareness
  5. Demonstrate compliance and earn the confidence of your clients
  6. Gain a competitive advantage
  7. Build a culture of security within your organization
  8. Allow for the secure exchange of information

One of the most important benefits of ISO 27001 certification is that it helps answer questions prospective clients may have about your security posture and compliance standards. Many organizations we work with regularly have new clients asking specific questions about the security program they run. Since certification requires you to be audited by a third party governing body like British Standards Institute (BSI) Toronto, it is easy to let your clients know you’ve already been audited by a verified third party, confirming that you are compliant with the regulations.

Who does ISO 27001 apply to?

ISO 27001 applies to businesses that are interested in organizational effectiveness, as it can help your company gain a competitive advantage and increase attractiveness to clients. ISO 27001 can help protect informational assets, whether those include financial information, intellectual property or employee information. ISO 27001 helps ensure that your organization has best practices in place to protect that company information.

What is involved in an ISO 27001 Implementation?

Step #1: Decision

  • Certification needs to be a unanimous decision that senior management can stand behind.
    • This decision should be communicated internally, as it speaks to the intentions of the organization to pursue best practices.

Step #2: Apply Project Management

  • An individual, preferably a manager, that is knowledgeable about the controls and milestones required for qualification should be in charge of the ISO 27001 implementation for the company.

Step #3: Define the Scope

  • The size of the organization will impact how the ISO 27001 is implemented within the company.
    • In a large company, it may be more practical to implement the ISO 27001 standard over specific departments within the organization.

Step #4: Gap Analysis and Risk Assessment

  • Once the scope of the implementation has been determined, the company is now ready to conduct a risk assessment.
  • This determines any potential risks that could jeopardize the confidentiality, integrity or availability of information within the organization.

Step #5: ISMS Policy

  • Documentation is important! Policy forms the basis for the criteria that the company will be measured against to meet the ISO standard.
    • This must address all relevant milestones and individual controls.

Step #6: Internal ISO 27001 Audit

  • The company is assessed to determine how successful they have been at the implementation of ISO 27001 within the organization.

Step #7: ISO 27001 Certification

  • An independent auditor will examine whether the organization has successfully implemented the standards laid out in ISO 27001, and if so, they will issue a certificate that the company is compliant and has achieved ISO 27001 certification.

Achieving ISO 27001 certification is no small undertaking. If you don’t have the internal resources or bandwidth to handle the necessary steps to reaching compliance, it may be daunting to get to the finish line of achieving and maintaining certification. CDW’s expert risk advisory team can help.

We offer project management, risk assessment, preparation and assistance through audits, and will assign a dedicated team whose goal is to help you reach compliance. We take the time to understand your business’ assets, and which information is most important to you and your clients. We’ll ensure that you not only achieve ISO 27001 compliance, but that you’re able to maintain the standards across the organization.