Frameworks

ISO 27001: do you need certification, or just the structure?

ISO 27001 is the one framework on this page most people have actually heard of, usually because a customer or tender has asked for it. Most mid-size New Zealand organisations and small businesses do not need full certification. Some do. Knowing which camp you're in saves a lot of unnecessary cost.

What ISO 27001 actually is

ISO 27001 is an international standard for an information security management system, a structured way of identifying risks, applying controls, and continually reviewing them. Unlike NIST CSF, it is a certifiable standard: an accredited body can formally assess an organisation and issue a certificate that customers and regulators recognise.

Alignment versus certification

Certification involves a real, ongoing cost: an initial assessment, annual surveillance audits, and the internal resourcing to maintain the management system between them. For many mid-size organisations and small businesses, the practical answer is to align controls to ISO 27001's structure, getting most of the risk-reduction benefit, and only pursue formal certification if a specific enterprise customer, government tender, or international contract genuinely requires the certificate itself.

When certification is worth it

If your growth plan depends on selling into enterprise, government, or overseas markets where ISO 27001 is a standing requirement in procurement, certification stops being optional and becomes a cost of doing business in that market. In that case it is worth planning for properly rather than scrambling once a deal is on the table and a compliance deadline is attached to it.

How this fits into an audit

Our Standard and Complex audit tiers can map findings against ISO 27001's structure, and for organisations actively pursuing certification we scope a dedicated certification-readiness review, which is a different depth of work to a standard audit. We'll tell you plainly which of the two you actually need before you commit to either.

Common questions

ISO 27001 FAQs

Do we need ISO 27001 certification?+

Most mid-size organisations and small businesses do not need formal certification unless a specific customer, tender, or contract requires it. Many benefit from aligning to ISO 27001's structure without paying for the certification audit itself, then pursuing certification later if a deal genuinely depends on it.

What is the difference between alignment and certification?+

Alignment means your controls follow ISO 27001's structure and would likely pass an assessment. Certification means an accredited external body has formally assessed and certified you, which involves a more extensive audit, ongoing surveillance audits, and a real cost in both money and staff time. Alignment is usually the sensible starting point.

How long does ISO 27001 certification take?+

For a mid-size organisation or small business starting from a reasonable baseline, certification typically takes three to nine months, depending on how much of an information security management system already exists. Businesses starting from nothing should expect it to take longer.

How does a cyber security audit help with ISO 27001?+

Our audit checks your current controls against ISO 27001's structure and tells you honestly how far you are from either alignment or certification, with a prioritised list of what would need to change. If certification turns out to be the right move, you go into that process knowing the real scope and cost rather than guessing.

Not sure if you need certification?

We'll give you a straight answer, and a fixed-price scope either way.

Book an Audit