ISO 27001 certification is one of the possible ways to reassure customers and clients that ISO recommendations have been followed [Boe09]. In the beginning, the adoption of ISO 27001 was among IT services and software development, and only large organisations applied for ISO 27001 certification because of high implementation complexity and certification costs [NEF08]. The number of ISO 27001:2013 certifications is steadily growing each year. For example, in December 2015, 27536 certificates were
issued around the world, which increased 20% compared to 2014, based on the ISO survey 2015 [Int15]. Most of the countries with a high number of ISO 27001 certificates are among top economies in the world, for example, China, and they are interested in information security standards because of their global activities, for example, the UK or Japan. The USA, which has the biggest national economy, was ranked relatively lower compared to the top 10 countries with the highest annual growth of ISO 27001 certification. Figure 2.2 summarises the procedure of getting an ISO 27001 certificate.
Organisations have three different options for certification:
1. They can declare compliance to the standard by themselves.
2. They can ask clients to confirm their compliance with the standard.
3. An independent external auditor can verify the conformity [SW09].
The ISO introduces a list of RCBs (Registered Certification Bodies) for certification procedure as authorised certification organisations [HWL16]. These RCBs help organisations to determine the extent to which there already conforming with ISO 27001 and further actions required for successful certification, as an examination [CW08].
Afterwards, the necessary measures for ISO 27001 conformity should be defined in a preparation project. External experts are required for a certification process, for the essential level of knowledge and experience in implementing ISO 27001 policies and controls [Cal13]. Initially, the RCB reviews all the documents, such as security policy and process description. The main audit follows this preparation phase [Dis13], which consists of several steps; for instance, interviewing all responsible employees to examine their understanding of the security policy. Based on the findings of these interviews, the certification organisation generates a report escribing the audit results and improvement measures before conducting the next audit.
Finally, the company receives an official certificate of the ISMS conformity with ISO 27001 requirements, in case of overall positive results. The implementation phase duration varies from a few months to some years, based on the level of the IT security management maturity in an organisation. An ISO 27001 certificate is valid for three years, and recertification mainly requires less effort than the initial certification [HWL16]. The RCBs can withdraw or suspend ISO 27001 certificates when serious deviations are observed from the requirements of ISO 27001 during a monitoring audit [HWL16]. There are some national alternatives to RCBs, such as the German BSI (federal office for the information security) in Germany. The German BSI offers ISO 27001 certification based on the IT baseline protection guideline since 2006, which provides conformity with
both ISO 27001 and an assessment of the IT security measures against the IT baseline protection catalogues.
After introducing ISMS and describing the process of developing ISO 27001, the relationship between ISO 27001 and culture is described briefly.