Information security. For real.

ISO 27001 certification

ISO/IEC 27001 is the international standard for information security. Getting certified does not mean signing forms: it means designing and running the right controls. AtWorkStudio is the technical implementer that sets up the management system — on-prem and in the cloud — alongside your consultants, sized to the real context of your company. We know this because we are ourselves certified ISO/IEC 27001, 27017, 27018 and ISO 9001.

Free online assessment

Where do you stand on information security?

Find out in 15 minutes with our assessment based on the NIST Cybersecurity Framework 2.0. It is a concrete starting point to see how close you are to the requirements of an ISO 27001 management system and where the gaps are.

106 questions · Instant report · No commitment

What ISO 27001 is

The standard, in plain words

ISO/IEC 27001:2022 is not a product to buy or a certificate to hang on the wall: it is the structured way an organisation manages its information security, based on risk, controls and evidence. Here are the concepts you need to get your bearings.

A management system (ISMS)

The heart of the standard is the ISMS (Information Security Management System): policies, roles, processes and controls that govern security through a cycle of continuous improvement, not as a one-off exercise.

Risk, scope and Annex A

The organisation defines the scope, assesses the risks and declares in the Statement of Applicability which Annex A controls it applies, justifying exclusions. It is a tailored approach, not a universal checklist.

Compliance vs certification

Being compliant means operating according to the standard; certification is the independent verification by an accredited body that attests it. The technical work is the same: certification is the usable proof of it.

Who really needs it

Those who handle client data, take part in tenders, supply regulated entities or want a demonstrable security posture. It is increasingly a contractual requirement that cascades down from the more structured clients.

The 27017 and 27018 family

For those operating in the cloud, ISO 27001 extends with 27017 (cloud service security) and 27018 (protection of personal data in the cloud). AtWorkStudio is certified on all three, plus ISO 9001.

An asset, not a cost

Done well, certification reduces incidents, speeds up sales to demanding clients and builds the foundations for other obligations — from NIS2 to GDPR — reusing the same framework.

How to obtain it

The certification process, step by step

From the initial snapshot to the certificate, the path is predictable. What changes the outcome is the quality of the technical implementation in between: that is where we work.

1. Gap analysis and scope

We take a snapshot of the current state against the standard, define the scope to be certified and carry out the risk assessment. The output is a plan with priorities, timelines and a realistic estimate of the work to do.

2. Implementing the controls

We set up the missing Annex A controls — technical and organisational — on-prem and in the cloud: identity and access, encryption, backup, logging, hardening, supplier management, procedures. This is where certification is won or lost.

3. ISMS in operation and evidence

The Statement of Applicability, policies and processes go live and start producing the evidence (records, reviews, internal audits) that the certification body will want to see.

4. Stage 1 and Stage 2 audits

The accredited body first verifies the documentation (Stage 1), then the implementation on site (Stage 2). We prepare you for the audit and support you during the checks and in closing any findings.

5. Certificate and surveillance

Once the certificate is obtained, the standard requires annual surveillance audits and renewal every three years. We keep the ISMS alive over time, so certification stays real and does not become a document that ages.

What drives the cost

Scope, number of sites and people, infrastructure complexity, starting maturity. We always distinguish the cost of the certification body from that of implementation, and size the latter to your real context.

Our role

Technical compliance, not bureaucratic

The compliance consultant tells you what is needed. We design and build the how: the controls that satisfy that requirement in a sensible, sustainable way, suited to your structure, your processes, your infrastructure and your budget — both on-prem at your premises and by delivering cloud services. We work alongside your consultants, turning requirements into solutions that actually work.

From requirement to a solution that holds

A security requirement can be met well or badly. «Strong authentication is needed» is not solved by forcing a password change every day: it is solved with MFA and Conditional Access proportionate to the risk, which people use without fighting the tool.

Backups that actually restore

«Backups are needed» is not a USB drive carried to a safe: it is an immutable backup, with the 3-2-1 rule, tested restore and measured recovery times. The difference shows on the day of the incident, not on paper.

On-prem and cloud, as needed

We implement the controls where it makes sense for you: at your premises, in the cloud, or in a hybrid model. It is the technical solution that follows the requirements and the context — not the other way round.

ISO 27001 and NIS2

An excellent starting point, not the finish line

ISO 27001 certification covers much of what NIS2 requires, but not everything. If your company falls within the scope of the Italian Legislative Decree 138/2024, certification is the right organisational engine to start from — but it must be realigned and completed against the specific obligations of the directive. Read the deep dive on the seven gaps between ISO 27001 and NIS2.

What ISO 27001 already covers

Policies, risk management, incident management, supply chain security, business continuity, cryptography, access control, training: the ENISA mapping shows a broad overlap with the NIS2 requirements.

Where NIS2 asks for more

Personal liability of top management, incident notification to the CSIRT within 24/72 hours, registration and categorisation on the ACN platform: obligations the standard does not provide for and that must be added.

How we support you

We realign the existing ISMS to the NIS2 obligations and complete it, avoiding duplication. See also our page on NIS2 consulting and compliance.

Why AtWorkStudio

We practise what we implement

AtWorkStudio is certified ISO/IEC 27001, 27017, 27018 and ISO 9001 (body CSQA). We do not make you sign forms: we build the infrastructure and the evidence that certification requires, because it is the same work we do on ourselves every day.

Frequently asked questions about ISO 27001 certification

The answers to the most common questions about what it is, how to get it and what it really takes.

Want ISO 27001 certification? Let’s start from the facts

Contact us for a dedicated consultation: gap analysis, an implementation plan with priorities and timelines, and the controls set up on the ground — on-prem and in the cloud — to arrive ready for the audit.