HIPAA, CMMC, PCI, ISO, NIST - the range of potential security frameworks and certifications an organization has to choose from these days is an acronym soup that can make even a compliance specialist’s head spin! Amid an ever-growing list of country and industry-specific options, the ISO 27001 standard has remained a popular choice because of its applicability across both continents and business verticals. If your organization is considering embarking on the ISO 27001 compliance journey, read on to learn more about what this standard is, how you can become ISO 27001 certified, and how Varonis can help!
- Quick review: What is ISO 27001?
- How to become ISO 27001 certified
- ISO 27001 clauses and controls
- ISO 27001 Annex A: Reference control objectives and controls
- Tips to maintain ISO 27001 compliance
- How Varonis can help with ISO 27001 compliance
- ISO 27001 FAQs
Quick review: What is ISO 27001?
The ISO 27001 standard, more formally known as ISO/IEC 27001:2013 Information Security Management, focuses primarily on the implementation and management of an information security management system (ISMS). A joint product of the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC), ISO 27001 is the most well-known of more than a dozen published standards in the ISO/IEC 27000 family. It’s also the only member of the family against which an organization can be certified, with ISO 27002 and beyond serving primarily as guidance and reference material for the “main” standard.
In contrast to some other standards and frameworks, achieving and demonstrating ISO 27001 compliance does not require strict adherence to specific technical controls. Instead, the focus is on risk management and taking a holistic and proactive approach to security across the entire organization. You’ll find more than a dozen controls listed in the standard’s “Annex A”, but there is no expectation that all ISO 27001 certified organizations will have implemented each and every one of these controls. Rather, each organization will apply an appropriate subset of these controls based on the unique risks to their business operations.
The ISO also makes a very deliberate attempt to portray the ISO 27001 framework as an “information security” framework rather than a cybersecurity one. While a great deal of a modern organization’s “information” exists in a digital form, policies and procedures, proprietary knowledge, and even buy-in from senior leadership are less tangible assets that can still adversely affect an organization were they to be lost or co-opted. The policies, procedures, people, documentation, and controls intended to maintain the Confidentiality, Integrity, and Availability of an organization’s information are known collectively as an Information Security Management System (ISMS).
Is ISO 27001 compliance or certification mandatory?
The simple answer is no. While some mistakenly conflate ISO 27001 compliance with legal requirements, only a few countries have laws on the books requiring organizations to implement the framework. Nothing in life is that simple, of course, and there may be instances in which your organization is required to have an ISO 27001 certification. Contracts and vendor procurement policies can and often do require ISO 27001 compliance, especially in sensitive industries like healthcare and finance. There are also market sectors where ISO 27001 certification is generally expected, even if not formally required. Varonis, for example, knows that enterprise customers looking at data security solutions will expect any potential vendor to have their own house in order, so we make all of our certifications, including ISO 27001, easily accessible on our trust page.
How to become ISO 27001 certified
The road to ISO 27001 certification can be a long one, with the entire journey often taking a year or more. The ISO itself does not hand out ISO 27001 certifications. Instead, third-party auditors or assessors validate that an organization has effectively implemented all of the relevant best practices in accordance with the published ISO standard. This arrangement, as well as the framework’s emphasis on risk management rather than prescribed technical controls, means that there is not a universal “ISO 27001 compliance checklist” that guarantees certification. It’s up to each organization to decide how to implement the framework, and auditors will use a certain amount of professional discretion in how they evaluate each case.
There is, however, an established process for achieving certification once an organization is ready to bring in an auditor or certification body. It’s divided into three phases:
- Phase one: The external auditor or certification body performs a high-level review of the organization’s ISMS. Much of the work in this phase serves to determine whether the organization is ready to move onto the more detailed second phase. Lack of key documentation, weak support from management, or poorly identified metrics can all bring an ISO 27001 audit to a screeching halt.
- Phase two: A much more detailed audit is performed, examining how specific security controls are applied at the organization to meet the requirements spelled out in the standard. In this phase, an auditor will be looking for evidence that an organization is actually implementing everything in the documentation that was evaluated in phase one.
- Phase three: Following official certification, an organization must undergo annual surveillance audits to maintain ISO 27001 compliance. While these audits are not as rigorous as those carried out in phase two, non-conformance to any of the requirements can lead to the revocation of an organization’s ISO 27001 certification before its listed expiration date.
As you can probably tell, the certification process is fairly rigorous, and any organization wanting to become certified will need to do quite a bit of legwork before engaging a certification body. The cost and time commitment from employees required for this can vary. Outside consultants are frequently brought in to help a company prepare for a formal audit. Unofficial “gap analysis” audits are often recommended to help prepare for the official certification audit.
ISO 27001 clauses and controls
The most recent revision of the ISO 27001 standard, published in 2013, consists of 11 clauses numbered “0” through “10”, plus an “Annex A” that lists specific security controls. Each of the main clauses contains a number of sub-clauses except for the introduction. Clauses 4 through 10 are considered “mandatory”, and an organization cannot claim ISO 27001 compliance without meeting the requirements spelled out in these sections. These 11 main clauses are listed below:
- Introduction: Introduces the standard and its purpose.
- Scope: Provides a very high-level view of the information security management system and risk treatment requirements specified within the rest of the standard. Also clarifies that the standard is intended to be generic and applicable across different industries and business sizes.
- Normative references: Explains the relationship between ISO 27000 and 27001 standards.
- Terms and definitions: Covers the terminology that is used within the standard.
- Context of the organization: The first mandatory clause. Covers stakeholders, internal and external issues, and regulatory and compliance requirements. An organization must also define the scope, boundaries, and applicability of the ISMS as part of this clause.
- Leadership: True ISO 27001 compliance requires full support from top management. The leadership clause explains the responsibilities of senior executives in implementing and maintaining a functional ISMS. The audit process will involve interviews with top executives, which means the commitment from management must be truly genuine.
- Planning: The planning clause covers risk assessment, risk treatment, and the creation of objectives to measure the performance of an ISMS in relation to the company’s greater business objectives. An organization will need to define and document its criteria for assessing and analyzing risks, and also specify how the identified risks will be addressed.
- Support: This clause addresses the resources needed to successfully implement and support the ISMS. Think well-trained employees, effective communication of policies, and standardized procedures for creating and updating documentation.
- Operation: In the operation clause, an organization will put much of the work developed during the Planning clause into action. Where clause 6 consisted of defining criteria for risk assessments, clause 8 is where the assessments are actually performed and documented. This is also the clause under which the mandated Risk Treatment Plan is implemented.
- Performance evaluation: Measuring the performance of your ISMS is crucial for getting the most out of your ISO 27001 implementation. Clause 9 includes requirements for how to monitor and evaluate the policies, procedures, and controls that make up the management system. This clause also calls for regular internal audits and management reviews.
- Improvement: The final mandatory clause covers both nonconformity to the other sections of the standard and continual improvement of the information security program.
ISO 27001 Annex A: Reference control objectives and controls
In addition to the primary clauses, the official ISO 27001 document contains an annex of control objectives and controls that can be used to support an organization’s information security program. The annex contains 114 controls organized into 14 key groups. Note that these controls and control objectives are provided as reference material for best practices. An ISO 27001 compliance audit may examine whether an organization implements each control, but will do so through the lens of how each control meets the requirements in the mandatory clauses.
A brief summary of these reference controls is provided below:
- Information security policies: Covers how policies should be written, approved, and distributed both in the ISMS and throughout the organization. Auditors will be looking to see how your procedures are documented and reviewed on a regular basis.
- Organization of information security: ISO 27001 compliance requires clearly defined roles and responsibilities. This section also touches on other organizational issues like teleworking and project management.
- Human resource security: No information security program can live in a vacuum. This category covers the “human element”, and touches on everything from background checks to security awareness training. The goal is to make sure the organization’s workforce is aware of and carrying out their responsibilities in line with the organization’s larger objectives and goals.
- Asset management: Describes the processes involved in managing assets and how they should be protected and secured. Auditors will check to see how your organization keeps track of hardware, software, and databases. Evidence should include any common tools or methods you use to ensure data integrity.
- Access control: This section provides guidance on how employee access should be limited to different types of data, systems, and applications. Auditors will need to be given a detailed explanation of how access privileges are set and who is responsible for maintaining them. Safeguarding of authentication information is also covered.
- Cryptography: Covers best practices in encryption. Auditors will look for parts of your system that handle sensitive data and the type of encryption used, such as DES, RSA, or AES.
- Physical and environmental security: Describes the processes for securing buildings and internal equipment. Auditors will check for any vulnerabilities on the physical site, including how access is permitted to offices and data centers.
- Operations security: This category covers many aspects of operational security, with controls for everything from malware protection to vulnerability management and backup procedures.
- Communications security: Covers security of all transmissions within an organization’s network, as well as the transfer of information to third parties like customers or suppliers. Auditors will expect to see an overview of what communication systems are used, such as email or videoconferencing, and how their data is kept secure.
- System acquisition, development and maintenance: Details the processes for managing systems in a secure environment. Auditors will want evidence that any new systems introduced to the organization are kept to high standards of security.
- Supplier relationships: Covers how an organization should interact with third parties while ensuring security. Auditors will review any contracts with outside entities that may have access to sensitive data.
- Information security incident management: Describes the best practices for how to respond to security issues. Auditors may ask to run a fire drill to see how incident management is handled within the organization. This is where having software like SIEM to categorize abnormal system behavior comes in handy.
- Information security aspects of business continuity management: Covers how business disruptions and major changes should be handled. Auditors may pose a series of theoretical disruptions and will expect the ISMS to cover the necessary steps to recover from them.
- Compliance: Identifies what government or industry regulations are relevant to the organization, such as ITAR. Auditors will want to see evidence of full compliance for any area where the business is operating.
Tips to maintain ISO 27001 compliance
An ISO 27001 certification is only valid for three years, and even during those three years, annual surveillance audits are required. The framework is, therefore, not a one-off project but an ongoing effort that demands continuous attention. As the business continues to grow and evolve, the ways in which the ISMS applies will also change. Consider an enterprise that’s moved from on-premises to cloud applications over the last decade: the ways in which information security is approached will naturally look very different.
To maintain ISO 27001 compliance, an organization may wish to form a “task force” composed of different stakeholders from across the company. This group should meet on a regular basis to review any open issues and consider updates to the ISMS.
- Build compliance into day-to-day business operations. Don’t look at the framework as something that only needs to be addressed periodically to maintain compliance.
- Keep senior management involved throughout the entire lifecycle. Buy-in from top-level stakeholders cannot end once initial certification is achieved.
- Monitor and evaluate the framework and the ISMS as part of your overall security posture. Security incident? Evaluate how your ISMS impacted the outcome, and document any corrective action.
- Stay on top of new risks. Remember that the ISO 27001 standard is largely about risk management. Risks are not static and evolve as new cyber threats emerge and the business continues to mature. The organization should continually evaluate and analyze new risks as they emerge.
- Perform regular internal audits and gap analysis. Recertification by an auditor is not the time to discover a critical control is no longer being applied.
- Involve other parts of the business. Did you notice that one of the items in Annex A covers HR Security? This means that HR and other departments in the company must be involved in your ongoing ISO 27001 maintenance, not just IT.
- Document, Document, Document. Many of the actions your organization takes anyway will be applicable to the ISMS, but without proper documentation, they won’t help with future audits.
- Continue to follow through on what's in the documentation. Remember that during a phase two or recertification audit, the auditor will look for evidence that what’s spelled out in the documentation is actually put into action. If the company’s policy says employees should receive annual security awareness training, they must actually be receiving that training.
- Evaluate the scope on an ongoing basis. If the company is opening a new business unit or jumping into a new region, will ISO 27001 compliance need to extend to this new part of the company?
- Don't forget the supply chain! If cloud or SaaS services are a key part of your business processes, you need to address them in your ISMS as well.
How Varonis can help with ISO 27001 compliance
Identifying and addressing risks is at the heart of the ISO 27001 standard. But you can’t reduce risks that you can’t see. Organizations that lack visibility into who is accessing sensitive data, as well as how that access is occurring, can’t adequately identify or mitigate risk. Varonis DatAdvantage is the perfect tool to deliver this visibility. DatAdvantage Cloud provides an unprecedented look into overexposures and misconfigurations that can cause harm beyond the enterprise perimeter. As your company continues down the path of ISO 27001 maturity, other components of the Varonis Data Security Platform can boost efficiency and help you maintain compliance.
ISO 27001 FAQs
Q: What are ISO 27001 requirements?
A: ISO 27001 is an information security standard. In order to earn an ISO 27001 certification, an organization is required to maintain an information security management system (ISMS) that covers all aspects of the standard. After that, they can request a full audit from a certification body.
Q: What does it mean to be ISO 27001 certified?
A: To be ISO 27001 certified means that your organization has successfully passed an external audit and met all compliance criteria. This means you can now advertise your compliance to boost your cybersecurity reputation.
Q: What is the process to be ISO 27001 compliant?
A: While an organization can choose to implement the ISO 27001 framework without undergoing formal certification, “ISO 27001 compliant” generally refers to an organization that has been independently audited and certified to meet all the requirements of the standard. Compliance must be maintained on a continual basis.
Q: What is the latest ISO 27001 standard?
A: The latest standard is known officially as ISO/IEC 27001:2013. It was published in 2013 as the second official edition of ISO 27001. The standard was last reviewed and confirmed in 2019, meaning no changes were required.
Q: Is ISO 27001 GDPR compliant?
A: Because ISO 27001 is mainly a framework for developing an ISMS, it will not cover all of the specific rules of the General Data Protection Regulation (GDPR) instituted by the European Union. However, when paired with ISO 27701, which covers the establishment of a data privacy system, organizations will be able to fully meet the requirements specified in GDPR.
Q: What are the main similarities or differences between SOX and ISO 27001?
A: While ISO 27001 covers the general management of information and data, the Sarbanes–Oxley Act (SOX) is specific to how financial information is disclosed in the United States. Fortunately for companies who have a wide scope of data management, earning ISO 27001 certification will also help to prove compliance to SOX standards.
Q: What is the difference between NIST and ISO 27001?
A: The National Institute of Standards and Technology (NIST), a US government agency, publishes several standards related to cybersecurity and data security, such as NIST 800-53 and NIST 800-171. These publications differ from the ISO 27001 standard in their focus on U.S. federal agencies and contractors and their more prescriptive, control-based structure. Compliance with a NIST standard generally requires implementing all controls as specified in the standard, while ISO 27001 compliance emphasizes a risk-based approach that allows an organization to tailor the controls to their unique needs.
Q: What is the purpose of other ISO standards?
A: The International Standards Organization (ISO) publishes standards on everything from energy management to healthcare. While ISO 27001 is the most well-known information security standard, dozens of other ISO standards cover specific security technologies like cloud services. Some ISO standards also provide guidance or best practices on implementing their better-known peers.
Achieving full ISO 27001 compliance may seem like a daunting task, but in a world where customers, partners, and employees are increasingly concerned about their confidential data, it can be a substantial asset. Certification to the standard demonstrates a strong commitment to data security. And remember, Varonis is here to help you on your ISO 27001 journey with tools like DatAdvantage and DatAlert.
Robert is an IT and cyber security consultant based in Southern California. He enjoys learning about the latest threats to computer security.