ISO 27001

ISO 27001:2013, Information security management systems requirements, is a definitive global model for best practice in managing information safely and securely.

How do I get ISO 27001?

Don’t be put off by thinking it is too complex a thing to do. We aren’t saying it’s simple, but with us doing the bulk of the work for you, including managing the whole process, it is relatively straightforward.

There are essentially 6 stages to becoming and staying certified to ISO 27001:

  1. Establish a system that complies with the standard
  2. Identify which of the 114 control objectives, in 13 categories, apply to your business, why, and what you are doing to control them
  3. Make everyone aware of the system and any changes in ways of working that have come about
  4. Operate the system to
    a. Make sure it works efficiently
    b. Build evidence of compliance with the requirements of the standard
    c. Get staff familiar with it
  5. Appoint a “certification body” to independently assess whether you comply with the standard. We recommend you choose a UKAS accredited body (see below)
  6. Keep using the system once it has been certified (to keep the certificate)

There is more detailed information below about the various stages you need to go through.

Your ISO 27001 certification journey


Getting Started

  1. Provide a comprehensive briefing of what the standard asks you to do in simple to understand terms
  2. Begin to understand in detail how you operate
  3. Set a timetable and stick to it
  4. Decide what you want covered by the certificate – which sites, products and services.
  5. Put the right resources in place
  6. Collect all existing documentation
  7. Establish a dedicated client portal on our collaboration and document sharing platform
  8. Begin to identify which of the 114 control mechanisms apply and how to address them
  9. Begin identifying and recording all your information assets
  10. Begin creating an Information security asset register
  11. Begin understanding what legislation applies & what you do to comply


  1. Establish a detailed project plan in our online project management platform (and stick to it)
  2. Undertake a technical audit of your system (with our cyber security/info sec partner)
  3. Carry out a Data Protection Impact Assessment (good practice and mandatory for GDPR)
  4. Decide with you what you need operationally
  5. Map out your business processes
  6. Complete a gap analysis between what the standard requires and what you have/do already
  7. Implement the system
  8. Complete required documentation (Statement of Applicability, Asset register, etc.)
  9. Submit the system to Episode Head Office for final QC checks
  10. We return it to you for your final approval
  11. A separate consultant internally audits the system
  12. Carry out a management review


  1. Work with you to select and appoint a UKAS accredited certification body.
  2. Be onsite throughout the certification process
  3. Address any issues that arise during the audit
  4. Brief you on post-certification activity
    a. 3 year cycle of annual surveillance audits and
    b. what you need to do throughout the year to maintain the system
  5. Agree where the finished, certified system should be housed

Episode guarantees certification


What if I haven’t got IT or info sec expertise in the business?

Episode has plenty of experience, and some really helpful tools to deal with most requirements.

As part of any information security project undertaken by Episode, we get our info sec/cyber security expert partner to undertake a detailed audit of your system (using penetration tests, network sniffers, etc.) to identify any issues. If you feel you need their help rectifying issues, they will give you a fixed fee proposal for the work.

Will it create red tape and take too much time?

Done wrong, absolutely. Too many systems we see have a form or document to cover every aspect of the standard. That’s the easy way to build a system, and an equally easy way to cripple you operationally. You know this is the case when you spend a month “updating” (i.e. creating false) records, etc. before the auditor next comes.

Done right, as we will make sure it is, the system should be at the core of how you work. Remember, we make ISO work for you, not the other way around.

How long will it take?

It is difficult to give precise timescales, as it depends on a number of things such as how complex the business is, how close you are to complying with the standard already, and so on. We recommend planning for it taking at least 4 to 6 months.

Why should I choose Episode?

For a fixed cost we will do as much of the work as possible, and guarantee certification.

Episode has worked with over 40 clients, many of whom have more than one standard they comply with (one has 5). All have been successfully certified and many subsequently ask us to help them maintain certification, and get more out of the system.

How much will it cost?

The following costs will arise:

  1. External consultants

Episode always gives a fixed fee proposal for a project, and we include guaranteed certification. A typical ISO 27001 project is about £9,500, but this does depend on the size and complexity of your business.

  2. Certification costs

You will need an external company to certify the system as being compliant with the standard. There are over 100 UKAS accredited bodies in the UK, and a range of prices. All UKAS accredited bodies will get you to where you need to be (i.e. issued with a UKAS accredited certificate). We will manage this process for you, and typical costs for a single standard range from £2,500 to £3,000, depending on the size and complexity of the business.

  3. Internal business costs.

There may well be IT and other infrastructure work that needs doing, and we will give you a list of requirements as the first stage of any project.

To speak to an expert to discuss your requirements call us on 0113 801 9001

What is quality management and ISO 27001?

ISO 27001:2013, Information security management systems requirements, provides a framework for an Information Security Management System [ISMS], helping you to maintain and improve your information security needs. It also aids compliance with data protection legislation and provides assurance to your stakeholders. It provides a best practice

An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.

It can help small, medium and large businesses in any sector keep information assets secure.

Beyond the ancillary system administration requirements (policy, objectives, document control procedure, internal audit procedure, etc.), the key aspects of an ISMS are

  • reviewing the organisation’s status with regard to Annex A – Control Objectives and Controls (a list of 114 entries)
  • producing a Statement of Applicability that contains the necessary controls and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A
  • producing an asset register (including people and buildings, as well as the more obvious IT infrastructure)

Simply put, you must review the 114 points, grouped under 13 headings. We must decide whether each one applies (and if not, why not), how you intend to comply with it, and what the plan is to constantly improve performance against it.

When done correctly, gaining and maintaining ISO certification is not as complicated as most think. Trust Episode to make ISO work for you, not the other way around.

Contact us today on 0113 8019001 or click here to email us


It was only by utilising the expert guidance and experience of ‘Episode Ltd.’ that Thurston Group was able to attain certification within an exceptionally challenging time frame. We therefore offer our thanks to Episode Ltd. for the diligent and professional services provided. We also look forward to working with them again soon and would not hesitate to recommend their services.


Peter Spieight, Senior Divisional Director, Thurston Group, Wakefield

Roger's support was invaluable in terms of gap analysis, recommendations for improvement, and facilitation of the certification process. I would strongly recommend Roger to any organisation wishing to develop or improve its management systems, in a way which minimizes bureaucracy, and focuses on best serving the needs of the organization.

Gary Evans, Flour Corporation, Abu Dhabi