ISO 27001

Keep your information assets secure


ISO/IEC 27001 is the best-known standard providing requirements for an information security management system (ISMS).

An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.

ISO/IEC 27001 was originally published on 2005 and derived from BS 7799 Part 2, first published as such by the British Standards Institute in 1999. It was extensively revised in 2013, bringing it into line with the other ISO management systems standards.

The standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

Elements of the standard

The ISO27001:2013 follows the High Level Structure (Annex SL) which is the common framework for all revised and future ISO management system standards including the latest versions of ISO9001:2015, ISO14001:2015, ISO45001:2018.

The standard is aligned with the principles of risk management as defined in ISO31000.

The main sections of the standard are that set requirements are:

  • Clause 4: Context of the organization
  • Clause 5: Leadership
  • Clause 6: Planning
  • Clause 7: Support
  • Clause 8: Operation
  • Clause 9: Performance evaluation
  • Clause 10: Improvement


There are numerous benefits associated with a certified ISO 27001 management system that include:

  • reduce information security and data protection risks to your organisation
  • win new customers and retain existing business showing to your customer that you value security
  • boosts a reputation and builds trust in the organisation
  • saving time and money
  • Improve employee work ethic and confidentiality
  • Is the proper response to customer and legal requirements such as the GDPR and potential security threats including: Cyber crime, Fire / damage, Misuse, Theft, Viral attack, Personal data breaches, terrorist acts.
  • It is structured according to the high level structure document (Annex SL) that renders it compatible with other management systems such as ISO9001, ISO14001, etc.


Step 1: Proposal for Certification – Contact AVRV and exchange of preliminary information. AVRV provides you a proposal based on the size and nature of your organization, detailing the cost and time involved.

Step 2: Optional pre-audit – You may decide to perform pre-audit to assess the readiness of your organization for the audit. This stage is optional

Step 3: Stage 1 Audit – AVRV auditors team during stage 1 shall obtain a sufficient understanding of the design of the ISMS in the context of the client’s organization, risk assessment and treatment (including the controls determined – Statement of Applicability), information security policy and objectives and, in particular, of the client’s preparedness for the audit.

The results of stage 1 are documented in a written report by the Lead Auditor. The stage 1 report includes the further types of information and records that may be required for detailed examination during stage 2.

A positive result following an independent review and evaluation of the above shall allow planning for stage 2.

Step 4: Stage 2 Audit – Evaluation of the implementation and systems effectiveness through observation of working practices, infrastructure utilized, IT systems, personnel interviews and examination of records including for example

  • information security performance and the effectiveness of the ISMS, evaluating against the information security objectives;
  • correspondence between the determined controls, the Statement of Applicability and the results of the information security risk assessment and risk treatment process and the information security policy and objectives;
  • implementation of controls (see Annex D), taking into account the external and internal context and related risks, the organization’s monitoring, measurement and analysis of information security processes and controls, to determine whether controls are implemented and effective and meet their stated information security objectives;
  • determination of control objectives and controls based on the information security risk assessment and risk treatment processes;

At the end of this stage all audit finding will be presented to you by the lead auditor that include nonconformities, opportunities for improvement and positive aspects.

Step 5: Recommendation for Certification – The assigned Lead Auditor shall propose the recommendation based on the evaluation and review of the effective implementation of corrections and corrective actions on findings raised during the audit. The final audit report is forwarded for the review and decision.

Step 6: Technical Review and Issue of Certificate subject to successful audit –Appointed independent and impartial expert team of AVRV reviews the audit report and the recommendation of the audit team and decides further on granting or not certification.

Step 7: Awarding Certification –The client is informed on the results of the certification decision and following successful certification a three years certification cycle is initiated and a certificate is issued

Step 8: Surveillance audit – Each year the validity of the certification remains subject to successful surveillance audits. Every twelve months we will verify that the management system conforms to the requirements of the standard.

Step 9: Re-certification – After 3 years and before the expiry of your certification our routine visit will be extended to enable a re-certification audit.

The technical review and decision of certification includes granting, refusing, maintaining, renewing, suspending, restoring or withdrawing certification or expanding or reducing the scope of the certification.

Certification Flowchart

The roadmap of the certification process is summarized as follows


The technical review and decision of certification includes granting, refusing, maintaining, renewing, suspending, restoring or withdrawing certification or expanding or reducing the scope of the certification

Send Email

You can contact us through email for any request or information. Email: Alternatively, you can fill in the form in our Contact page..

Direct Support

For immediate communication with us concerning Services, Support or Quotes, please call us on working hours by Telephone: (+30) 210-6047-411
or by Fax: (+30) 210-6046-507.