How long does it take to get ISO certified?
Security certifications are always positive steps forward for your business, opening doors to new business and new partnerships. Still, those certifications don’t come easily, so you may have a difficult pro/con analysis to determine if a certification is worth it. Part of that pro/con analysis is the time involved, so it’s natural to ask, “How long does it take to get ISO certified?”
First, let’s clarify: ISO, or the International Organization for Standardization, publishes many standards across a range of industries. In this case, we’re talking about ISO 27001, the information security standard that specifies the requirements for an information security management system (ISMS) and against which the thoroughness of your ISMS is assessed.
How long does it take to get ISO certified?
Your staff’s time (or the time of contractors you hire to help with your ISO 27001 compliance) is a limited resource, so how much time can you expect to dedicate to ISO 27001 certification? It varies tremendously based on your organization’s operations and the complexity of your ISMS. In general, though, expect the process to take three to twelve months. Smaller organizations that are committed to making this a priority can complete their readiness in closer to three months, some even faster.
The ISO 27001 certification process
ISO 27001 certification can be a complicated process, so what can you expect for the road ahead? While the specifics will vary, plan on going through these general steps.
1. Prepare your organization
Starting your certification process on stable footing can set the stage for a smoother project all the way through, so don’t look at your certification as a side project to work on when time allows. Appoint a staff member or a team to focus on ISO 27001 certification so it is their primary focus. If they aren’t already an expert in ISO 27001, give them dedicated time to learn about the standard and what it involves.
Additionally, an important component of ISO 27001 is assigning an ISMS owner who is responsible for ensuring compliance with the standard and reporting to top management. Identify the owner and assign that responsibility early in order to drive the effort forward.
2. Determine where you stand
Before you can start updating and fortifying your security program to meet ISO 27001 requirements, you need to know which boxes you already check and which ones you still need to address. While some companies do this with a time-consuming manual assessment, a more thorough and time-saving way is to use compliance automation software like Vanta.
Vanta scans and evaluates your ISMS, comparing it against the ISO 27001 controls. It gives you a clear picture of the standards you’ve already met and, most importantly, a clear list of the controls and policies you need to implement to reach the compliance level you need.
3. Implement the needed security controls and protocols
Using your Vanta report as a guide, your team can now begin implementing all the controls and protocols you’re missing one by one. Some of these may be quick while others may require a project of their own, like developing security protocols for staff to follow and training all staff members on those protocols.
4. Re-assess your readiness
After you’ve followed Vanta’s guide and implemented the security controls you were missing, it’s time to check your work. Run a Vanta scan again to assess where you now stand with your compliance readiness. Ideally, it will indicate that you meet all the necessary requirements so you can move ahead with the certification process.
5. Hire a certification provider
Now that you’re confident that you are compliant with all the components of ISO 27001 that apply to your organization, it’s time to begin the certification itself. ISO does not directly certify organizations against its standards, so you will need to hire a third-party organization (a certification body) that provides ISO 27001 certification.
Note that while ISO doesn’t provide certification, it does publish a set of standards that certifying organizations are expected to meet. It’s important to make sure that the certification body you select is fully accredited in accordance with your company's requirements. Vanta has several high-quality, well-priced certification bodies that we can refer you to.
6. Perform an internal audit
In order to obtain ISO 27001 certification, all organizations must perform an internal audit of their security program. You may choose to engage a third-party consultant to perform the internal audit, or a member of your organization, who is qualified and independent of the control owners, may perform the audit.
7. Complete a full certification audit
This is the key piece of your ISO 27001 certification: the full audit. Your certification organization will conduct an in-depth investigation of your ISMS to evaluate your ISO 27001 compliance. This can be an extensive on-site process.
Keep in mind, though, that compliance automation software like Vanta can make this process simpler. As it scans your system, Vanta compiles and documents evidence of your compliance, so your auditor will have all this documentation in one convenient place.
8. Receive your certification
If your auditor determines that you adhere to all the necessary components of ISO 27001, you will officially receive your certification.
Maintain your ISO 27001 certification
It’s important to understand that ISO 27001 certification is not a one-time process. Your certification will need to be re-validated in some form every year.
These certificates use a three-year cycle. One year after your initial certification, your certification body will conduct a less extensive surveillance audit that checks a subset of key controls. If you pass, you’ll retain your certification. If not, the certification body will conduct a full, intensive audit as it did in the first year.
The same is true for the second year after your initial certification: a brief assessment that retains your certification if you pass, or refers you for a full audit if you don’t. In the third year after your initial certification, you will need to complete the full certification process again, just as you did the first year. This starts the three-year cycle again.
Make your ISO 27001 certification simpler
ISO 27001 certification will always be a significant process because it’s designed to be a rigorous assessment of your information security. Still, using an ISO 27001 compliance platform can make it far simpler, smoother, and more cost-effective.
PCI Compliance Selection Guide
Determine Your PCI Compliance Level
If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.
When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.
The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.
A SAQ A is required for Merchants that do not require the physical presence of a credit card (such as eCommerce, mail, or telephone purchases). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS-compliant third-party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s systems or premises.
A SAQ A-EP is similar to a SAQ A, but applies to Merchants that don't receive cardholder data themselves yet control how cardholder data is redirected to a PCI DSS-validated third-party payment processor.
A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.
A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).