LA FINAL EXAM
I am giving my ISO 27001 final exam tomorrow. what all do i need to know, can i use my phone?
Just finished ISO 27001 certification (EU, ~35 employees) using a large “all-in-one” GRC platform and a well-known auditor. Sharing a quick lesson learned:
We trusted the GRC tool too much.
During the audit we had to adjust evidence (in agreement with the auditor). None of these were critical alone, but together they nearly became a non-conformity:
- Scope template incorrectly included the company name by default.
- Scope lacked clear climate-related references.
- SoA template missed basics (company name, applicability yes/no, proper control descriptions).
- Built-in risk scenarios were far too high-level.
- Risk management policy template lacked risk acceptance criteria.
- Third-party management template didn’t clearly address vendor lock-in prevention.
- Templates were overly formal and outdated (e.g. ISMS councils SMBs don’t have, DVDs as asset examples).
- Cloud integrations (AWS, Microsoft, etc.) were great, but auto-generated scan evidence was hard for auditors to interpret, requiring manual explanations.
Individually manageable. Combined, almost a finding. Also learned that auditors interpret some things differently, after discussing the above with the GRC-platform provider.
Posting this as a heads-up for others that are planning ISO 27001 certification with a GRC platform.
TL;DR:
GRC tools help a lot, but their templates are not “audit-safe by default”. Review scope, SoA, risk models, and auto-generated evidence carefully — don’t follow templates blindly.
Hi everyone
I’m a UK based comms pro (15+ years experience at senior level across corp, regulated and govt sectors - most recently tech) and have taken a career break to pivot to cyber GRC.
I’ve passed CC and security+ and am now looking at arranging my ISO 27k Lead Implementer exam. I’ll be looking at instructor led course as, whilst I’ve led BC and IM from a comms perspective, I don’t have the technical experience I’m assuming most do and want to ensure the learning is fully embedded.
Do you have any providers and/or accreditors you recommend? Or any other words of wisdom?
In all honesty, this has been a big step and I’ve had a fair few wobbles along the way so any advice or guidance would be very appreciated!
Thanks in advance
Edit: I am British and will remain UK based for the next 5 years. Will eventually be working remotely from a base in Europe.
Has anyone here successfully implemented ISO27001 internally without hiring external consultants?
I have some experience in writing policies, and I also did my master's in cybersecurity, so I am familiar with writing policies based on a framework.
I’m currently looking into handling the implementation myself for our company, including policies, risk assessments, controls, internal audits, and certification prep. We already have some processes in place, but I’m still fairly new to ISO27001 implementation.
I’m currently using the CertiKit ISO27001 toolkit to help structure everything.
If anyone has recommendations on:
…I’d really appreciate it.
Would also love to hear from people who’ve gone through the process themselves and whether you’d do it in-house again.
Thanks!
Hi everyone,
I run a small IT MSP company and I’m looking to achieve ISO 27001 certification.
In the Netherlands, there are agencies that support companies through the certification process, but the costs I’ve seen are quite high: around €25,000 to €30,000 for a six-month project, including the external audit.
I’m trying to understand how much of the preparation work I can realistically do myself before involving a consultant or certification body, so I can keep the overall cost as low as possible.
For context, I want to become certified so I can demonstrate to customers that my company has a proper ISMS in place and handles customer data in line with ISO 27001 requirements.
For those who have gone through this process, what would you recommend as a practical roadmap? Which parts are worth doing yourself, and where is it better not to cut corners?
Any advice, lessons learned, templates, tooling recommendations, or cost-saving tips would be greatly appreciated.
Kind regards
For my IT MSP company, I want to obtain ISO 27001 certification. In the Netherlands, there are usually agencies that help companies achieve these certifications, but they are extremely expensive, or perhaps I am not assessing their value correctly. They charge between €25,000 and €30,000 for a six-month process, including obtaining the certificate through an external audit.
I can do a lot of the preparation myself so that I do not have to pay the full amount. What can I do, and what should my roadmap be, to minimize the costs as much as possible?
I want to obtain the certification so that my company has it and I can show my customers that I am ISO 27001 certified and that I handle my customers’ data in accordance with ISO 27001.
I hope you can help me.
Kind regards,
Has anyone noticed this?
Is it accidental, or was it done on purpose?
Got approached by two VC firms out of nowhere, not sure what to make of it.
I run a small security consultancy and wasn't really expecting this. Two separate VC firms reached out recently. One wants help evaluating portco security during due diligence, the other asked if we offer "perks" for their portfolio companies (still not 100% sure what that means practically).
I said yes to both but I'm kind of figuring it out as I go. Has anyone navigated this before? What does the engagement actually look like day-to-day? Any landmines I should know about before I'm in too deep?
Hi everyone,
I’m currently doing the ISO 27001 Lead Auditor course from TÜV SÜD and wanted to ask people who have already completed it:
Would really appreciate honest experiences from people who actually gave the exam recently. Thanks!