The International Organization for Standardization (ISO) is a global body that collects and manages various standards for different disciplines. In today’s world, with so many industries now reliant upon the internet and digital networks, more and more emphasis is being placed on the technology portions of ISO standards.
In particular, the ISO 27001 standard is designed to function as a framework for an organization’s information security management system (ISMS). This includes all policies and processes relevant to how data is controlled and used. ISO 27001 does not mandate specific tools, solutions, or methods, but instead functions as a compliance checklist. In this article, we’ll dive into how ISO 27001 certification works and why it would bring value to your organization.
- How to Become ISO 27001 Certified
- ISO 27001 Compliance Standards
- ISO 27001 Compliance Audit Controls
- How to Maintain ISO 27001 Compliance
- ISO 27001 Compliance FAQ + Resources
Intro to ISO 27001
The ISO first released its family of standards in 2005 and since then has made periodic updates to the various policies. For ISO 27001, the latest major changes were introduced in 2013. Ownership of ISO 27001 is actually shared between the ISO and the International Electrotechnical Commission (IEC), which is a Swiss organization body that focuses primarily on electronic systems.
The goal of ISO 27001 is to provide a framework of standards for how a modern organization should manage their information and data. Risk management is a key part of ISO 27001, ensuring that a company or non-profit understands where their strengths and weaknesses lie. ISO maturity is a sign of a secure, reliable organization which can be trusted with data.
Companies of all sizes need to recognize the importance of cybersecurity, but simply setting up an IT security group within the organization is not enough to ensure data integrity. An ISMS is a critical tool, especially for groups that are spread across multiple locations or countries, as it covers all end-to-end processes related to security.
An ISMS (information security management system) should exist as a living set of documentation within an organization for the purpose of risk management. Decades ago, companies would actually print out the ISMS and distribute it to employees for their awareness. Today, an ISMS should be stored online in a secure location, typically a knowledge management system. Employees need to be able to refer to the ISMS at any time and be alerted when a change is implemented. When seeking ISO 27001 certification, the ISMS is the chief piece of reference material used to determine your organization’s compliance level.
ISO 27001 can serve as a guideline for any group or entity that is looking to improve their information security methods or policies. For those organizations who are looking to be best-in-class in this area, ISO 27001 certification is the ultimate goal. Full compliance means that your ISMS has been deemed as following all best practices in the realm of cybersecurity to protect your organization from threats such as ransomware.
In certain industries that handle very sensitive classifications of data, including medical and financial fields, ISO 27001 certification is a requirement for vendors and other third parties. Tools like Varonis Data Classification Engine can help to identify these critical data sets. But regardless of what industry your business is in, showing ISO 27001 compliance can be a huge win. Specifically, the certification will prove to customers, governments, and regulatory bodies that your organization is secure and trustworthy. This will enhance your reputation in the marketplace and help you avoid financial damages or penalties from data breaches or security incidents.
What happens if you don’t comply with ISO 27001? If your organization has previously received a certification, you could be at risk of failing a future audit and losing your compliance designation. It could also prevent you from operating your business in certain geographical areas.
How to Become ISO 27001 Certified
Receiving an ISO 27001 certification is typically a multi-year process that requires significant involvement from both internal and external stakeholders. It is not as simple as filling out a checklist and submitting it for approval. Before even considering applying for certification, you must ensure your ISMS is fully mature and covers all potential areas of technology risk.
The ISO 27001 certification process is typically broken up into three phases:
- The organization hires a certification body who then conducts a basic review of the ISMS to look for the main forms of documentation.
- The certification body performs a more in-depth audit where individual components of ISO 27001 are checked against the organization’s ISMS. Evidence must be shown that policies and procedures are being followed appropriately. The lead auditor is responsible for determining whether the certification is earned or not.
- Follow-up audits are scheduled between the certification body and the organization to ensure compliance is kept in check.
What are the ISO 27001 Standards?
Before embarking on an ISO 27001 certification attempt, all key stakeholders within an organization should become very familiar with how the standard is arranged and used. ISO 27001 is broken into 12 separate sections:
- Introduction – describes what information security is and why an organization should manage risks.
- Scope – covers high-level requirements for an ISMS to apply to all types or organizations.
- Normative References – explains the relationship between ISO 27000 and 27001 standards.
- Terms and Definitions – covers the complex terminology that is used within the standard.
- Context of the Organization – explains what stakeholders should be involved in the creation and maintenance of the ISMS.
- Leadership – describes how leaders within the organization should commit to ISMS policies and procedures.
- Planning – covers an outline of how risk management should be planned across the organization.
- Support – describes how to raise awareness about information security and assign responsibilities.
- Operation – covers how risks should be managed and how documentation should be performed to meet audit standards.
- Performance Evaluation – provides guidelines on how to monitor and measure the performance of the ISMS.
- Improvement – explains how the ISMS should be continually updated and improved, especially following audits.
- Reference Control Objectives and Controls – provides an annex detailing the individual elements of an audit.
What are the ISO 27001 Audit Controls?
The documentation for ISO 27001 breaks down the best practices into 14 separate controls. Certification audits will cover controls from each one during compliance checks. Here is a brief summary of each part of the standard and how it will translate to a real-life audit:
- Information Security Policies – covers how policies should be written in the ISMS and reviewed for compliance. Auditors will be looking to see how your procedures are documented and reviewed on a regular basis.
- Organisation of Information Security – describes what parts of an organization should be responsible for what tasks and actions. Auditors will expect to see a clear organizational chart with high-level responsibilities based on role.
- Human Resource Security – covers how employees should be informed about cybersecurity when starting, leaving, or changing positions. Auditors will want to see clearly defined procedures for onboarding and offboarding when it comes to information security.
- Asset Management – describes the processes involved in managing data assets and how they should be protected and secured. Auditors will check to see how your organization keeps track of hardware, software, and databases. Evidence should include any common tools or methods you use to ensure data integrity.
- Access Control – provides guidance on how employee access should be limited to different types of data. Auditors will need to be given a detailed explanation of how access privileges are set and who is responsible for maintaining them.
- Cryptography – covers best practices in encryption. Auditors will look for parts of your system that handle sensitive data and the type of encryption used, such as DES, RSA, or AES.
- Physical and Environmental Security – describes the processes for securing buildings and internal equipment. Auditors will check for any vulnerabilities on the physical site, including how access is permitted to offices and data centers.
- Operations Security – provides guidance on how to collect and store data securely, a process that has taken on new urgency thanks to the passage of the General Data Protection Regulation (GDPR) in 2018. Auditors will ask to see evidence of data flows and explanations for where information is stored.
- Communications Security – covers security of all transmissions within an organization’s network. Auditors will expect to see an overview of what communication systems are used, such as email or videoconferencing, and how their data is kept secure.
- System Acquisition, Development and Maintenance – details the processes for managing systems in a secure environment. Auditors will want evidence that any new systems introduced to the organization are kept to high standards of security.
- Supplier Relationships – covers how an organization should interact with third parties while ensuring security. Auditors will review any contracts with outside entities who may have access to sensitive data.
- Information Security Incident Management – describes the best practices for how to respond to security issues. Auditors may ask to run a fire drill to see how incident management is handled within the organization. This is where having software like SIEM to detect and categorize abnormal system behavior comes in handy.
- Information Security Aspects of Business Continuity Management – covers how business disruptions and major changes should be handled. Auditors may pose a series of theoretical disruptions and will expect the ISMS to cover the necessary steps to recover from them.
- Compliance – identifies what government or industry regulations are relevant to the organization, such as ITAR. Auditors will want to see evidence of full compliance for any area where the business is operating.
One mistake that many organizations make is placing all responsibilities for ISO certification on the local IT team. Although information technology is at the core of ISO 27001, the processes and procedures must be shared by all parts of the organization. This concept lies at the heart of the idea of transitioning devops to devsecops.
When preparing for an ISO 27001 certification audit, it is recommended that you seek assistance from an outside group with compliance experience. For example, the Varonis group has earned full ISO 27001 certification and can help candidates prepare the required evidence to be used during audits. Varonis also offers software solutions like Datalert to help put an organization’s ISMS into practice.
Tips to Maintain ISO 27001 Compliance
Earning an initial ISO 27001 certification is only the first step to being fully compliant. Maintaining the high standards and best practices is often a challenge for organizations, as employees tend to lose their diligence after an audit has been completed. It is leadership’s responsibility to make sure this doesn’t happen.
Given how often new employees join a company, the organization should hold quarterly training sessions so that all members understand the ISMS and how it is used. Existing employees should also be required to pass a yearly test that reinforces the fundamental goals of ISO 27001.
In order to remain compliant, organizations must conduct their own ISO 27001 internal audits once every three years. Cybersecurity experts recommend doing it annually so as to reinforce risk management practices and look for any gaps or shortcomings. Products like Datadvantage from Varonis can help to streamline the audit process from a data perspective.
An ISO 27001 task force should be formed with stakeholders from across the organization. This group should meet on a monthly basis to review any open issues and consider updates to the ISMS documentation. One outcome from this task force should be a compliance checklist like the one outlined here:
- Obtain management support for all ISO 27001 activities.
- Treat ISO 27001 compliance as an ongoing project.
- Define the scope of how ISO 27001 will apply to different parts of your organization.
- Write and update the ISMS policy, which outlines your cybersecurity strategy at a high level.
- Define the Risk Assessment methodology to capture how issues will be identified and handled.
- Perform risk assessment and treatment on a regular basis once issues have been uncovered.
- Write a Statement of Applicability to determine which ISO 27001 controls are applicable.
- Write a risk treatment plan so that all stakeholders know how threats are being mitigated. Using threat modeling can help to achieve this task.
- Define the measurement of controls to understand how ISO 27001 best practices are performing.
- Implement all controls and mandatory procedures as outlined in the ISO 27001 standard.
- Implement training and awareness programs for all individuals within your organization who have access to physical or digital assets.
- Operate the ISMS as part of your organization’s everyday routine.
- Monitor the ISMS to understand whether it is being used effectively.
- Run internal audits to gauge your ongoing compliance.
- Review audit outcomes with management.
- Set corrective or preventive actions when needed.
ISO 27001 Quick Guide: FAQ
The process and scope of ISO 27001 certification can be quite daunting, so let’s cover some commonly asked questions.
Q: What are ISO 27001 requirements?
A: In order to earn an ISO 27001 certification, an organization is required to maintain an ISMS that covers all aspects of the standard. After that, they can request a full audit from a certification body.
Q: What does it mean to be ISO 27001 certified?
A: To be ISO 27001 certified means that your organization has successfully passed the external audit and met all compliance criteria. This means you can now advertise your compliance to boost your cybersecurity reputation.
Q: What is the latest ISO 27001 standard?
A: The latest standard is known officially as ISO/IEC 27001:2013. It was published in 2013 as the second official edition of ISO 27001. The standard was last reviewed and confirmed in 2019, meaning no changes were required.
Q: Is ISO 27001 GDPR compliant?
A: Because ISO 27001 is mainly a framework for developing an ISMS, it will not cover all of the specific rules of the General Data Protection Regulation (GDPR) instituted by the European Union. However, when paired with ISO 27701, which covers the establishment of a data privacy system, organizations will be able to fully meet the requirements specified in GDPR.
Q: What are the main similarities or differences between SOX and ISO 27001?
A: While ISO 27001 covers the general management of information and data, the Sarbanes–Oxley Act (SOX) is specific to how financial information is disclosed in the United States. Fortunately for companies who have a wide scope of data management, earning ISO 27001 certification will also help to prove compliance to SOX standards.
Q: What is the purpose of other ISO?
A: The ISO maintains a full set of standards that sit underneath ISO 27001. These all take concepts from the framework and dive into more specific guidelines of how to institute best practices within an organization.
- Green Paper on how ISO 27001 can reduce cyber risk
- Webinar on how to ensure a successful ISO 27001 audit
- Case studies about ISO 27001 compliance
No matter the size of your company or what industry you work in, gaining ISO 27001 certification can be a huge win. However, it is a challenging task so it’s important to leverage other stakeholders and resources during a compliance project. With tools like Varonis Edge, you can halt cyberattacks before they reach your network while also showing evidence of your ISO 27001 compliance.