ISO 27001 certification has shifted from a "nice-to-have" to a prerequisite for doing business with enterprise clients, government agencies, and regulated industries in Alberta. If you're a Calgary-based company preparing for your first Information Security Management System (ISMS) audit, here's what you actually need to know — without the jargon.
What ISO 27001 Actually Requires
ISO/IEC 27001:2022 requires you to establish, implement, maintain, and continually improve an Information Security Management System. In practical terms, this means:
- Define your scope: What parts of your organization, which systems, and what data are covered by the ISMS?
- Conduct a risk assessment: Identify information security risks, evaluate their likelihood and impact, and document how you'll treat each one.
- Implement controls: The standard includes 93 controls across four categories (Organizational, People, Physical, Technological). You don't need all 93 — but you need to justify which ones apply through a Statement of Applicability (SoA).
- Document everything: Policies, procedures, risk registers, evidence of control operation, management reviews, and internal audit results.
- Demonstrate continuous improvement: Show that your ISMS isn't static — you're identifying nonconformities, taking corrective action, and improving over time.
The Typical Timeline
For a mid-sized Alberta company (50-200 employees), expect:
- Gap assessment: 2-4 weeks
- System design and documentation: 8-16 weeks
- Implementation and evidence collection: 8-12 weeks
- Internal audit and management review: 2-4 weeks
- Stage 1 audit (documentation review): 1-2 days
- Stage 2 audit (operational assessment): 3-5 days
Total timeline: roughly 6-9 months from kickoff to certification, assuming dedicated effort. Companies that try to rush it in under 3 months typically end up with documentation that doesn't reflect actual operations — and auditors catch this immediately.
Common Gaps Calgary Companies Miss
- Risk assessment methodology: Many companies perform a risk assessment but can't explain their methodology. Auditors want to see a repeatable, documented process — not a one-time spreadsheet exercise.
- Access control evidence: You need to demonstrate that access reviews happen regularly, not just that you have an access policy. Quarterly access reviews with documented results are the standard expectation.
- Supplier management: If you use cloud services (AWS, Azure, Microsoft 365), you need documented security requirements for each supplier and evidence that you've assessed their security posture.
- Incident response testing: Having an incident response plan isn't sufficient. You need evidence that you've tested it — tabletop exercises, simulated incidents, or actual incident records with lessons learned.
- Management commitment: The standard requires "top management" to demonstrate leadership and commitment. This means documented management reviews, resource allocation decisions, and security objectives that are actually tracked.
What Auditors Actually Look For
Auditors aren't trying to catch you out. They're looking for evidence that your ISMS is:
- Real: Controls are actually operating, not just documented.
- Consistent: What you say you do matches what you actually do.
- Improving: You're identifying issues and fixing them systematically.
The most common reason for minor nonconformities? Documentation that describes a process the organization doesn't actually follow. Write your policies to reflect reality, then improve reality — not the other way around.
Why It Matters for Alberta Businesses
Alberta's energy sector increasingly requires ISO 27001 from service providers handling operational technology data. Healthcare networks mandate it for systems processing patient information under PIPEDA and Alberta PIPA. Financial institutions expect it as a baseline for vendor risk management.
If you're competing for enterprise contracts in Calgary, Edmonton, or across the province, ISO 27001 certification removes the biggest objection in procurement: "How do we know your data security is adequate?"