What is ISO 27001, and what does it do for a South African business?
ISO/IEC 27001:2022 is the international standard for an Information Security Management System (ISMS) — a structured, auditable way to protect the confidentiality, integrity and availability of your information. Certification is independent proof that your organisation manages cyber and data risk to a globally recognised benchmark. For South African businesses it does three concrete things: it wins and protects contracts (enterprise and government tenders increasingly demand it), it gives you a defensible answer to POPIA’s Section 19 security-safeguards duty, and it turns ad-hoc IT security into a managed system that survives staff turnover and audits.
LDD is your implementation partner, not your certifier. The two roles are deliberately separate: an independent, SANAS-accredited certification body issues the certificate, and we build the ISMS that earns it. After 20+ years securing and running infrastructure for South African organisations, we know what auditors actually look for — and we get you there without the consultant-theatre and shelf-ware that sinks most first attempts.
ISO 27001 consulting and implementation services we deliver
An end-to-end engagement, scoped to your size and risk — from a single-product SaaS team to a multi-site enterprise. We can run the full programme or slot in at any stage:
- Gap analysis & readiness assessment — where you stand today against all clauses and the 93 Annex A controls, with a prioritised, costed remediation roadmap.
- ISMS scoping & project planning — defining the boundary, context, interested parties, objectives and a realistic timeline so you certify the right things, not everything.
- Information security risk assessment & treatment — a repeatable risk methodology, a populated risk register, and a risk treatment plan that maps each risk to controls.
- Security & system architecture design — practical control design across access management, network segmentation, encryption, logging, backup and resilience — engineered to be operated, not just documented.
- Policies, procedures & documentation — the full ISMS document set: information security policy, Statement of Applicability (SoA), acceptable use, access control, supplier, incident response, business continuity and more — written for your business, not generic templates.
- Control implementation support — hands-on help standing up the technical and organisational controls, including monitoring, evidence collection and supplier/vendor management.
- Staff awareness & training — practical security-awareness and role-based training so the people controls hold up under audit.
- Internal audit & management review — running your mandatory internal audit and management review, logging findings and closing nonconformities before the auditor sees them.
- Certification readiness & audit support — a mock Stage 1/Stage 2 dry-run, then sitting alongside you through the certification audit and corrective actions.
- Surveillance & continual improvement — keeping the ISMS live between annual surveillance audits and the three-year recertification, so certification doesn’t lapse.
ISO 27001:2022 explained: clauses, the 93 Annex A controls and the SoA
The current version, ISO/IEC 27001:2022, has two parts. The management-system clauses (4–10) define how you run the ISMS — context, leadership, planning, support, operation, performance evaluation and improvement. Annex A then lists 93 security controls grouped into four themes:
- Organisational controls — policies, roles, supplier and information-handling rules.
- People controls — screening, awareness, responsibilities and remote working.
- Physical controls — secure areas, equipment, media and facilities.
- Technological controls — access control, cryptography, logging, secure development and resilience.
You don’t blindly implement all 93. Your risk assessment decides which controls apply, and the Statement of Applicability (SoA) records every control with a justification for inclusion or exclusion. The SoA is the single most heavily scrutinised document in the audit — getting it right is where an experienced partner earns their fee.
The ISO 27001 certification process in South Africa, step by step
Certification in South Africa follows a defined, two-stage external audit after the ISMS is built and operating:
- Gap analysis — baseline your current posture and build the roadmap.
- ISMS design & documentation — scope, risk assessment, treatment plan, policies and the SoA.
- Implementation & operation — deploy the controls and start generating records and evidence (the ISMS must be seen to operate for a period before audit).
- Internal audit & management review — mandatory before certification; finds and fixes gaps early.
- Stage 1 audit — the certification body reviews your documentation and readiness.
- Stage 2 audit — the full certification audit: the auditor tests that the controls in your SoA are genuinely implemented and effective (typically scheduled a few weeks after Stage 1).
- Certification — the SANAS-accredited body issues your ISO 27001 certificate, valid for three years.
- Surveillance & recertification — annual surveillance audits keep it live, with full recertification every three years.
SANAS (the South African National Accreditation System) accredits the certification bodies that issue ISO 27001 in South Africa. Insist on a SANAS-accredited (or otherwise internationally accredited) certifier — only an accredited certificate carries weight in tenders and supply chains. LDD prepares you to pass; the accredited body certifies you.
ISO 27001 and POPIA: how the standard supports SA compliance
ISO 27001 and POPIA are complementary. POPIA’s Condition 7 (Security Safeguards), given effect by Section 19, requires every responsible party to secure personal information with “appropriate, reasonable technical and organisational measures” and to follow generally accepted information-security practice. ISO 27001 is exactly that — a recognised, certifiable framework whose Annex A controls map cleanly onto POPIA’s security-safeguard requirements.
ISO 27001 does not certify POPIA compliance (no certificate does), but implementing the ISMS operationalises Section 19 in a form you can evidence to the Information Regulator: a documented risk assessment, defined safeguards, supplier obligations, incident response and breach-notification readiness. It also moves you toward meeting your obligations under the Cybercrimes Act. One ISMS, multiple compliance outcomes — that’s the South African business case for doing this properly.
Why LDD as your ISO 27001 implementation partner
Most ISO consultancies hand you a folder of policies and disappear. We’re an engineering firm first — we build and run the systems the controls describe, then prove them under audit:
- 20+ years of South African IT — real infrastructure, security and compliance experience, not a certificate-printing front.
- Build, don’t just document — we engineer working controls (monitoring, access, backup, resilience) so your ISMS is real, not shelf-ware.
- Auditor-ready evidence by design — our managed security platform, ThreatPulse, gives you continuous log collection, threat detection and the audit trail Annex A and your auditor demand.
- Technical proof on tap — our in-house penetration testing practice validates your technical controls and supplies the test evidence both ISO 27001 and POPIA reward.
- POPIA-fluent — every engagement is framed around your South African legal duties, not a generic global template.
- Independent of the certifier — we have no stake in a certification body, so our only job is getting you ready to pass.
How much does ISO 27001 certification cost in South Africa?
There is no single flat price, because two very different costs are involved.
- The accredited certification itself — the external audit and certificate issued by an accredited certification body — typically costs around R65,000 to R120,000 in South Africa, depending on your organisation’s size and number of sites.
- The ISMS build, system design and audit-readiness work — what LDD does to get you ready to pass — is scoped to your size, complexity and current security maturity, and is quoted separately. For larger organisations this implementation work typically costs more than the certification itself.
LDD scopes the implementation precisely to your environment, so you pay only for what you need. Request a quote and we will size it for your business.
Get ISO 27001 ready with LDD
Whether you’re starting from zero or recovering a stalled certification attempt, LDD takes you from gap analysis to a certification-ready ISMS — POPIA-aligned and built to last. We work with organisations across Johannesburg, Cape Town, Pretoria, Durban and nationwide.
Get a quote: message us on WhatsApp at +27 62 503 0200 or request a quote online. Strengthen the technical side too with our penetration testing and VAPT services and audit-ready monitoring from ThreatPulse.
ISO 27001 support for clients beyond South Africa
South Africa is our home market, but ISO 27001 is an international standard and our consulting and system design are delivered remotely, so we support clients wherever they operate. From our base in South Africa we help organisations across the rest of Africa, Ireland, Portugal, the UK, the EU and worldwide build the policies, controls and evidence trails that an ISO 27001 certification audit demands.
Because the work is remote-first, distance is not a barrier. We run workshops over video, collaborate in shared documents and tooling, and fit around your time zone and your auditors. We also align the same information security management system with the regulations that matter to you, mapping POPIA for South African data and GDPR for clients handling EU, Irish, Portuguese and UK personal data, so you satisfy your certification and your legal obligations in one coherent programme.
- Gap assessment and scoping against ISO 27001, run remotely with your team.
- ISMS design and documentation — policies, risk treatment plans and Statement of Applicability.
- POPIA and GDPR alignment built into the same controls, not bolted on afterwards.
- Audit readiness and ongoing support through remote workshops and collaborative reviews.
Whether you are certifying for the first time or maintaining an existing ISMS, we can help. Request a quote and tell us where you operate, and we will tailor the engagement to your market.
Ready to get started? Talk to LDD.