r/ISO27001


My background:
12+ years as a Software Engineer (Principal, Senior, Lead, whatever you want to call a role which is IC level of doing almost anything by himself) on different levels, simple coding up to leading teams, different areas. I'm looking for a way to step up my career and decided to acquire several certificates to back up my education and experience (in Germany, EU scope mostly). I'm aiming at Architect, Tech Co-founder, Higher Technical roles (not product, not BA, but like cross-team technical/business expertise). Therefore, my first two choices fell on ISO 27001 Lead Implementer and TOGAF EA (1 + 2) certificates. TOGAF I had on my horizon to acquire for quite a time, while ISO 27001 seems like a good starting point for a general security start. Later I'm planning to expand a bit on more concrete frameworks and approaches.

Now:
I'm wrapping up a Udemy course on Lead Implementer rn and all the specs, and looking for a proper certification. Initially I was aiming at the Lead Implementer role and thought it was a one-time thing and basically forever, but then found out (yeah, bad initial research from me) that it requires annual fees and CPE credits. Annual fees are not that big a deal, but CPE I'm not fully sure about. So I've seen that I can get a practitioner certificate with reduced fees and no need for CPE. My questions with regards to all that would be:

  1. What is the "best" (meaning highest in certification hierarchy) possible certificate I can get excluding LI? Just Implementer? Can I upgrade it later without re-examination by providing the required 400+ hours of CPE later?
  2. Does it really make sense for me to get LI rn considering my goals? I'm also not sure if LI would be that beneficial for me rn to invest ~700 Euro in the certification and all the hassle with hours.
  3. If I get a practitioner certificate, can I upgrade it later up to LI? Might be that I'll be pivoting to full security roles. I'm just laying the foundation. I'm assuming I'll have to basically do everything as if I didn't have a certificate anyway, right?
  4. Does the practitioner certificate have a huge gap in perceived value compared to an LI? Asking because I have a vague feeling about it. I'm assuming LI is more suitable if I plan to do more consulting work, and if I'm more of a full-time employee then practitioner might be the better cost/value ratio.
u/Practical-Gas-7512 — 10 days ago

For those who have been through ISO 27001 audits:

What are the most significant human / leadership failures you’ve seen that led to major findings or near audit failure?

Not technical gaps, but things like:

- control owners not actually performing controls

- managers bypassing or not enforcing processes

- low-quality or unreliable evidence being submitted

- lack of accountability or follow-through

How did auditors pick it up, and how was it written up?

Also, have you ever seen some people getting fired after a failed audit, and how did it happen?

Thanks.

u/Project_Lanky — 12 days ago

Cheap ISO 27001 LA? Help!!

Hello Indian Guys,

I'm currently looking for a cheap ISO 27001 LA certification, but I don't want that Mastermind Assurance one, because it's trash.

On a website, Knowlathon, I found an exam voucher for 20000 rupees. It's from TUV Rheinland. Is it worth it, or can I find a cheaper one anywhere else?

I believe that I can easily pass this without training because it's MCQ based. Am I right?

Your small help can help a lot. Thanks.

u/UnlikelyProcess8983 — 7 days ago

Hello,

I am preparing for the ISO lead auditor. I have access to the 4-day training with PECB. I didn't start yet, but I would appreciate your feedback if anyone took it recently. Is it really an open book exam?

u/No-Butterscotch671 — 12 days ago

ISO 27001 Lead Auditor cert path check

Hi guys, I'm planning to get the ISO 27001 Lead Auditor training certificate before flying overseas for my Master in Cyber Security at ECU Australia. I'd appreciate a sanity check on my plan to ensure I got nothing wrong.

So there are 2 phases. Phase 1: self-study at home of 3 documents: ISO 27001:2022, ISO 27002:2022, ISO 19011:2018. Phase 2: enroll in the official in-person or video training course from a training provider. Take it and pass the exam to get the Certificate of Achievement. Status registration will only happen once I get the experience in the future.

My questions:

  1. Is the self-study order (27001 → 27002 → 19011) correct, or would you sequence differently?
  2. CQI/IRCA vs Exemplar Global — does it matter which I pick if I'm targeting GRC roles in Australia and Hong Kong?
  3. Is 6 months of self-study realistic, or am I over/underestimating?
  4. Anything obvious I'm missing?

Background: graduating with a Bachelor's in Electrical Engineering this month. Targeting GRC analyst / internal IT audit roles, not external Big 4 audit. Thank you.

Edit: Thank you everyone. I will do 27001 -> 19011 -> 27002, and take an IRCA course.

u/SkyDontHaveEyes — 8 days ago

How to deal with in-scope data and out-of-scope data in the same data warehouse

We’re a small organization and we handle two main types of data:

  • Client data – data our clients explicitly entrust to us
  • Survey data – data we collect ourselves through surveys

As part of our ISO 27001 work, we’ve identified client data as the most critical asset, and therefore the primary driver for scope. Survey data is considered lower risk by comparison.

Our long-term goal is to have the entire company ISO 27001 certified. Realistically though, that’s not feasible right now because many of our internal processes aren’t documented yet. So our plan is to start by scoping ISO 27001 around client data only, get certified for that, and then expand the scope over time.

From a technical perspective, this is where it gets tricky:

  • Client data is stored in AWS databases, managed by an external party who is ISO27001 certified → clearly in scope
  • Survey data is stored at another external party, who is not ISO27001 certified → in our view, out of scope
  • We also have a data warehouse in a separate AWS cluster where both datasets are ingested

This raises a few questions for us.

Normally, the rule of thumb seems to be: once in-scope data “touches” a system, that system becomes in scope. However, we really want to avoid putting the entire data warehouse in scope, especially since it’s maintained by a single person and would significantly increase the certification effort.

So the questions we’re struggling with are:

  1. Is it acceptable to define partial scope within a data warehouse? For example, certain schemas or databases being in scope (those containing client data), and others explicitly out of scope?
  2. If that is acceptable, how is this typically implemented and justified during an audit?
    • Logical separation?
    • IAM controls?
    • Tagging and documentation?
  3. If auditors decide the entire data warehouse must be in scope, does that automatically mean the survey data pulled into it also becomes in scope? My assumption is that it wouldn't, but I'd like to sanity-check that. In addition, how would the auditors generally check that? Would we need to provide something for the entire data warehouse? Tags? Documentation? Access controls?

I’d really appreciate hearing from anyone who’s dealt with ISO 27001 scoping in mixed-data environments, especially with shared analytics platforms or warehouses. Any practical advice would be very welcome.

u/RaindropFactory — 9 days ago

What are your best tips and tricks to make a bloated ISMS light and fast? (poke a hole in my plan)

Asking for tips and tricks and feedback on my plan. The plan is simplified here, feel free to ask for more information, and if I have forgotten anything or anything is unclear, please let me know.

Context

  • small company (100 employees), med-tech
  • ISO 27001-certified ISMS that no one has worked with full-time before
  • I started 6 months ago to mature the ISMS. I have long experience in IT and cybersecurity operations, but am new to implementing an ISO 27001 ISMS. CISSP certified if that says something.
  • ISMS is a few years old and is built using different generic templates;
  • the policies often mix in SOP sections, and all the documentation is pretty hard to read.
  • Also, we have 24 policies, 99 risk entries(!)

There has been an attempt to do some kind of Integrated Management System, combining policies and SOPs with the ISO 13485 QMS. This, of course, added even more complexity and adopted stricter procedures than the ISMS standard requires.

This makes it hard to work systematically and risk-based due to the overwhelming administrative load.

Suggested plan to fix this (before my head explodes)

  1. Keep the full scope for now
  2. Decouple as much as possible from QMS (ISO 13485) to bring down dependencies and administrative load
  3. Centralize requirements into the ISMS guide, such as roles and responsibilities, to make the policies easier to read
  4. Move out any SOP information from policies into a new template. Policies shrink from about 5-8 pages to 2 pages.
  5. Consolidate policies from 24 to 8-12 policies
  6. Rewrite the entire risk register (current risks make no sense) from 99 risks to 25 high-level risks.
  7. Update ISMS hierarchy to make SOPs more general, see image from ISMS Guide draft. This is to give teams flexibility to interpret implementation of Policy/SOP requirements in Operational Work Instructions. (Current SOPs are managed by QMS requirements, which makes them hopelessly complex and hard to update due to the complex document system and signature requirements. People hate it and few SOPs are correct or even useful.)

https://preview.redd.it/u5mdgorcfkzg1.png?width=1442&format=png&auto=webp&s=a08ea117ccd35b9497cdaa1c1e9e4c4f32b38ba0

Any holes in this plan? (especially number 7)

Any other tips or tricks to make the ISMS more effective?

Many thanks in advance! 🙏

u/PM_ME_YOUR_CLAUSES — 8 days ago

Any security consultants here work with VC/PE firms?

Got approached by two VC firms out of nowhere, not sure what to make of it.

I run a small security consultancy and wasn't really expecting this. Two separate VC firms reached out recently. One wants help evaluating portco security during due diligence, the other asked if we offer "perks" for their portfolio companies (still not 100% sure what that means practically).

I said yes to both but I'm kind of figuring it out as I go. Has anyone navigated this before? What does the engagement actually look like day-to-day? Any landmines I should know about before I'm in too deep?

u/theblooigloo — 7 days ago

New to industry at 53, 27001 Lead Implementer - need some advice please

I’m looking for a reality check from people working in cyber GRC, compliance, assurance, or information security management.

My background is 25+ years in regulated technical environments: pharma/aseptic manufacturing, cleanrooms, environmental monitoring systems, validation, calibration, audit readiness, controlled documentation, supplier/customer assurance, and project/service management. I’ve worked with GMP, ISO 9001, ISO 14644, ISO 17025, ISO 21501-4, Annex 1, 21 CFR Part 11, IQ/OQ/PQ, FAT/SAT, risk assessments, evidence trails, and regulated software/system handovers.

I’ve also completed ISC2 CC, and I now have GDPR Practitioner and ISO 20001 Lead Implementer training/qualifications.

I’m trying to move into remote or mostly remote cyber GRC / compliance / assurance roles rather than technical SOC work. Target roles would be things like Cyber GRC Analyst, Information Security Compliance Analyst, Cyber Assurance Analyst, ISO compliance support, vendor/security questionnaire work, audit evidence coordination, or junior ISMS-type roles.

Given my background plus these qualifications, how realistic is it to land remote work in this area? What job titles should I search for, and what gaps would you expect employers to challenge me on?

Any blunt advice welcome.

u/NoBedroom5551 — 8 days ago

ISO 27001 Lead Implementer

Hi Everyone,

I'm preparing for the ISO 27001 Lead Implementer exam. I'm studying the course from Udemy by Aron Lange; is this going to be enough to take the exam?

Also, I'm an Information Security Analyst with experience in digital forensics and threat hunting, and this is my first time taking a GRC-based certificate, so if someone could walk me through the exam experience and the difficulty, that would help.

u/Far_Towel_2090 — 8 days ago

TUV SUD final exam doubt

Hi everyone,

I’m currently doing the ISO 27001 Lead Auditor course from TÜV SÜD and wanted to ask people who have already completed it:

  • How difficult is the final exam overall?
  • Is it mostly theory/memory based or scenario based?
  • Is the exam live video proctored?
  • Are screen monitoring/webcam checks involved?
  • Is it realistically possible to use notes/AI tools during the exam, or is it strictly monitored?
  • How hard is it to pass for someone who studies properly?

Would really appreciate honest experiences from people who actually gave the exam recently. Thanks!

u/Solid_League_9949 — 5 days ago

Practical roadmap to ISO 27001 certification for a small MSP

Hi everyone,

I run a small IT MSP company and I’m looking to achieve ISO 27001 certification.

In the Netherlands, there are agencies that support companies through the certification process, but the costs I’ve seen are quite high: around €25,000 to €30,000 for a six-month project, including the external audit.

I’m trying to understand how much of the preparation work I can realistically do myself before involving a consultant or certification body, so I can keep the overall cost as low as possible.

For context, I want to become certified so I can demonstrate to customers that my company has a proper ISMS in place and handles customer data in line with ISO 27001 requirements.

For those who have gone through this process, what would you recommend as a practical roadmap? Which parts are worth doing yourself, and where is it better not to cut corners?

Any advice, lessons learned, templates, tooling recommendations, or cost-saving tips would be greatly appreciated.

Kind regards

u/BuffaloExternal6226 — 1 day ago

6.3 Clause Planning of changes missing from the Contents section in ISO/IEC 27001:2022

Has anyone noticed this?
Is it accidental, or was it done on purpose?

u/Total-Specific-7611 — 1 day ago

ISO27001 for my IT MSP

For my IT MSP company, I want to obtain ISO 27001 certification. In the Netherlands, there are usually agencies that help companies achieve these certifications, but they are extremely expensive, or perhaps I am not assessing their value correctly. They charge between €25,000 and €30,000 for a six-month process, including obtaining the certificate through an external audit.

I can do a lot of the preparation myself so that I do not have to pay the full amount. What can I do, and what should my roadmap be, to minimize the costs as much as possible?

I want to obtain the certification so that my company has it and I can show my customers that I am ISO 27001 certified and that I handle my customers’ data in accordance with ISO 27001.

I hope you can help me.

Kind regards,

u/BuffaloExternal6226 — 1 day ago