ISO 27001


Information Security Management Implementation

Clear, Practical Information Security for SMEs.

Information security is critical for modern SMEs, especially those working with sensitive data or large customers.

Garek 10™ makes ISO 27001 achievable without overwhelming your team with jargon or unnecessary technical complexity.

Who Is This For?


  • SMEs handling customer data or digital services

  • Organisations needing ISO 27001 to meet client or supply chain requirements

  • Teams new to information security management

  • Businesses wanting to integrate ISO 9001 + ISO 27001

What's Included


  • Information security risk assessment and risk treatment (controls selected with reference to Annex A)

  • Asset registers, access controls, and incident management processes

  • Policies written in plain English

  • Integration with your existing management system using the Garek 10™ Standard

  • Roles, responsibilities, and communication guidance

  • Internal audit support

  • Certification preparation and readiness checks

Expected Results


  • A practical, business-focused ISMS

  • Clear understanding of risks and controls

  • Reduced technical complexity

  • Stronger customer trust and contract readiness

Why Choose Garek 10™


  • SME friendly approach to ISO 27001

  • No unnecessary jargon or over-engineering

  • An integrated structure if you already hold ISO 9001, 14001 or 45001, using our proprietary Garek 10™ system

  • Clear templates and guidance your team can actually understand

Ready to Make ISO Simple?

Let's build a system your team actually understands, uses, and benefits from.

FAQs

What is ISO 27001 and what does it cover?

ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). It specifies the requirements for establishing, operating, maintaining and continually improving an ISMS: identifying information security risks, selecting and applying controls (with Annex A as the reference list), defining roles and responsibilities, managing incidents and showing, through monitoring, audit and management review, that the protection of information improves over time.

What policies are required for ISO 27001?

ISO 27001 itself mandates only a small core of documented information: the scope of the ISMS, an information security policy, the risk assessment and risk treatment process and its results, a Statement of Applicability and information security objectives. Most other policies follow from the Annex A controls you declare applicable. Typical documents therefore include an information security policy, access control rules, asset management and classification rules, acceptable use guidance, incident management procedures, backup and recovery procedures and supplier or third-party security arrangements.

The Garek 10 Framework groups these requirements into a structured set of policies and procedures so that small and medium-sized organisations can see how they fit together.

How do we do a risk assessment for ISO 27001?

A practical ISO 27001 risk assessment starts by confirming the ISMS scope, identifying the information assets within it, understanding how they are used, and listing the threats and vulnerabilities that could affect their confidentiality, integrity or availability. (The standard does not mandate this asset-based approach, but it is the most common and the easiest for an SME to evidence.) You then estimate the likelihood and impact of each risk using agreed criteria, compare the result against your risk acceptance criteria, and decide how each risk is treated. Controls are chosen for your own context and then checked against Annex A so that nothing necessary has been overlooked; the decisions are recorded in a risk treatment plan and a Statement of Applicability.

The Garek 10 method uses straightforward registers and scoring so SMEs can carry out risk assessments consistently without over-complicating the process.

Do we need penetration testing to get ISO 27001 certified?

Penetration testing is not a mandatory requirement in ISO 27001, but it can be a useful control where it matches your risks and technology. Annex A does expect you to manage technical vulnerabilities, and penetration testing is one common way to evidence that. Certification focuses on whether you have identified and treated risks in a structured way, chosen appropriate controls and can show evidence that those controls are working. For some organisations that may include penetration testing; for others it may be more about configuration reviews, vulnerability scanning, monitoring and access control.

How do we align ISO 27001 with ISO 9001?

ISO 27001 and ISO 9001 share the same harmonised high-level structure and several common requirements, such as context, leadership, competence, communication, documented information, internal audit and management review. Alignment is achieved by using shared processes for these common areas and then adding the information security specific elements such as asset registers, risk assessment and treatment, the Statement of Applicability and incident handling.

The Garek 10 Framework is designed to integrate standards in this way so one management system can support quality, information security and other disciplines together.

Who needs ISO 27001 certification?

ISO 27001 certification is often needed by organisations that handle customer data, provide digital services, work in supply chains with high security expectations or respond to tenders that specify information security requirements. Many SMEs adopt ISO 27001 to demonstrate that they manage information risks in a structured, independently assessed way.

What evidence do we need for an ISO 27001 audit?

Auditors typically look for evidence such as the ISMS scope, asset and risk registers, a risk treatment plan, a Statement of Applicability for Annex A controls, implemented policies and procedures, access control and logging records, incident and change records, training and awareness activities, internal audit results and management review outputs.

Frameworks like Garek 10 link these records back to specific clauses so it is easier to prepare and present evidence during audits.

How long does ISO 27001 implementation usually take for an SME?

Implementation time depends on the size and complexity of the organisation and the maturity of existing controls. Many SMEs move from initial gap analysis to certification over several months, working in phases.

Using a structured implementation model such as the Garek 10 Framework helps focus effort on the highest risks and the controls that matter most, rather than trying to address everything at once.

Will ISO 27001 slow down our day-to-day work?

ISO 27001 can be implemented in a way that fits existing workflows rather than blocking them. Most changes involve clarifying responsibilities, strengthening access control, improving how changes and incidents are handled and making sure key decisions are recorded.

An integrated approach, such as that used in Garek 10, aims to embed these controls into day-to-day activities instead of adding separate, parallel processes.


Simplifying ISO Certification for SMEs with the Garek 10™ Framework.

Get clear, practical ISO Management Systems built around your business. ISO 9001, ISO 14001, and integrated system support made simple using the Garek 10™ Standard and Framework.

