Businesses today store massive amounts of different types of information, and while there are standards that cover specific types of information, like HIPAA with personal health information and GDPR with EU citizens’ information, data such as your company’s financial information, intellectual property, and your employees’ information must also be kept secure.
Information security is expected by today’s consumers, and in response, the International Organization for Standardization (ISO) created ISO 27001—security standards that businesses can utilize to keep their information secure.
While ISO 27001 isn’t a legally mandated security standard, compliance is standard and expected, and virtually all businesses will benefit from ISO 27001 compliance. In this article, we’ll discuss what the standard is, who benefits from certification, and how to obtain your ISO 27001 certification.
What does ISO 27001 cover?
ISO 27001 is one of a few dozen standards published by the ISO regarding information security standards. This family of standards is known as the ISO/IEC 27000-series, and it provides best practices for information security management.
ISO 27001 is one of the first, and most in-depth, standards in this family of standards. In short, it provides guidelines companies can use to create an information security management system, or ISMS.
Many businesses have some type of information security standards in place, but without a consistent ISMS, those solutions can be disjointed and have a lot of gaps in them that can lead to information leaks and data breaches. Additionally, businesses may not be putting security in place for things like hard copies of paperwork or intellectual property because they’re focusing on IT-related issue specifically. This standard is designed to cover more than just IT security. It also helps businesses protect all of their confidential and sensitive information, whether it’s internal or external, no matter where or how it is stored.
ISO 27001 requires three things:
- Systematic examination of the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts.
- Designing and implementing a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable.
- Adopting an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.
ISO 27001 is one of the most widely used and implemented standards and organizations expect their B2B vendors and partners to safeguard sensitive information. With few exceptions, almost every business will benefit from ISO 27001 compliance and should develop the required security standards.
Should I become certified?
While an ISO 27001 certification does have its benefits, the time and money involved in becoming certified may not be necessary for every business. For example, many banks and financial institutions are ISO 27001 compliant but not certified. Regulations in many countries require that these organizations adopt very strict information security processes and procedures, and they will use the ISO 27001 framework to achieve compliance. So, after meeting the requirements for their country’s governments regulations, there’s no reason to pursue an ISO 27001 certificate.
However, here’s why some businesses may find it beneficial to be certified.
Getting certified is a way to show your customers that you are taking their information security seriously, and it can give you a leg up on your competitors who haven’t completed their audit. You might even find that your B2B customers require it and you could lose out on business if you don’t pursue the certification.
Certification can also help you protect your reputation in the event of a data breach. When customer data is accessed or stolen, reputations suffer. However, showing that your business is compliant with one of the most stringent security standards can help you demonstrate your good faith efforts to protect their data and privacy.
Finally, if your business is ISO 27001 compliant, it’s highly likely that you’re compliant with other security standards, including legally mandated ones. Maintaining an ISO 27001 certificate can help you ensure you’re compliant in other areas on a continual basis.
What do the ISO 27001 Standards include?
Before you attempt to pursue an ISO 27001 certification, everyone involved in the process should become familiar with the key sections of ISO 27001:
- Introduction — describes what information security is and why an organization should manage risks
- Scope — covers high-level requirements for an ISMS to apply to all types of organizations
- Normative references — outlines the relationship between ISO 27000 and ISO 27001 standards
- Terms and definitions — covers the terminology used throughout the standard
- Context of the organization — explains what stakeholders should be involved in the creation and maintenance of the ISMS
- Leadership — describes how leadership’s responsibilities in relation to uploading ISMS policies and procedures
- Planning — covers what your business needs to plan to adequately recognize and address risks.
- Support — describes how to raise awareness about information security and assign responsibilities
- Operation — covers the requirements for your ISMS’s operation and what plans, documentation and controls you need to have in place to ensure your ISMS is meeting audit standards
- Performance evaluation — provides guidelines on how to monitor and measure the effectiveness of the ISMS
- Improvement — explains how the ISMS should be continually updated and improved, especially after audits
- Reference Control Objectives and Controls — provides an annex detailing the individual elements of an audit.
How does ISO 27001 certification fit into my compliance program?
Along with SOC 2, ISO 27001 is often one of the first security standards businesses choose because it covers such a wide scope of practices and information.
Unlike some compliance standards, such as GDPR or HIPAA, it doesn’t cover just one type of data, like personal health information or customer information. ISO 27001 encompasses all kinds of confidential and sensitive data, from internal financial information to customer data to information stored or processed by a third party. So if your business is ISO 27001 compliant, it’s likely that you will be compliant with many other security standards and have security in place that will meet those standards in the event of an audit.
The same can be said for the security controls and processes required for compliance: instead of covering only one type of information or storage method, ISO 27001 covers many different types of information that are stored electronically, as hard copies, or with third parties. When you become compliant with ISO 27001, the processes you’ll build will include what you need to be compliant with many other frameworks.
At Hyperproof, we have set a goal to become ISO 27001 Certified in the next 12 months. As a compliance operations software, we feel it is especially important that we’re taking steps to keep our information as secure as possible and show our clients how seriously we take compliance. This is one of the first three compliance standards we’ve set (along with SOC 2 and HIPAA), and we anticipate that it will help us build the rest of our compliance program successfully because of the broad protections we will put into place to become compliant.
Whether or not you decide to pursue certification, ISO 27001 compliance should be a building block of your compliance program. It provides a strong foundation for other compliance frameworks and gives you an obtainable goal. Instead of asking yourself every year, “How can I change my compliance program to stay up to date with multiple frameworks?” you can focus on maintaining ISO 2700 compliance as a starting point. This will help you centralize your compliance efforts and make it easier on your team and the stakeholders in your company.
The path to ISO 27001 certification
The certification process has three stages:
Stage 1 is an informal review of the ISMS that confirms key documentation is created and complete. This includes a review of things such as the information security policy and the risk treatment plan. This stage is designed to ensure that the policies and written procedures are in place and compliant with ISO 27001.
Stage 2 is a review of actual practices and activities to ensure the compliance activities are in line with both the ISO 27001 standard and the documents reviewed in Stage 1 of the audit. This is done to ensure that a business isn’t simply writing up documents with compliance processes on it that aren’t being carried out in practice.
At this point, if your audit has been successful, you will be awarded with an ISO 27001 certificate of compliance. But that’s not the end of the compliance process.
Stage 3. The final stage of ISO 27001 certification is ongoing and involves follow-up reviews or audits to make sure that the business continues to carry out their compliance program. Typically, maintaining certification requires a yearly re-check, but for quickly growing businesses or those that are early on in their compliance efforts, they might have follow-up audits performed more often.
In addition to the follow-up audits, you’ll want to hold regular training sessions to educate new hires so they can do their part in protecting your organization’s information assets. Lastly, you’ll want to create an ISO 27001 task force and hold monthly meetings to review to open issues and to consider updates to the ISMS documentation.
How to choose an auditor
When you’re looking for an auditor to perform your ISO 27001 audit, you should always select a firm or auditor that is accredited in your country. In the US, they should be ANAB-accredited; other countries will have other accreditation boards for ISO 27001 auditors. This accreditation is important for a few reasons.
Accredited vs. Non-Accredited auditors
First, non-accredited audits will often offer both audit and consulting services, which might seem convenient, but can cause significant conflicts of interest. If an organization is both consulting on your compliance program and auditing that program for compliance, they have reason to cover up mistakes they make or push your business to make decisions you might not normally choose.
Accredited auditors will not offer consulting, although, like many auditors, they may offer some informal reviews of your documentation that aren’t part of the audit. However, they will be impartial and focused on ensuring you’re aware of any flaws in your program.
Second, non-accredited auditors aren’t subject to the same performance and competence reviews that accredited auditors are, so you can’t be sure that those auditors are held to the same standards.
Other ISO standards to know
As we mentioned before, the ISO 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice: ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls. ISO 27002 includes 12 key elements:
- Risk Assessment
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations Management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
How compliance operations software can help you get compliant faster
Maintaining compliance with ISO 27001 over time can seem like a daunting task, but it doesn’t have to be.
Hyperproof can help your organization achieve and maintain ISO 27001 compliance in the most efficient way. Hyperproof’s Compliance Operations application provides:
- ISO 27001 requirements and illustrative controls to help you get started faster
- Tools to help you map common controls across multiple compliance standards (e.g., between SOC 2 and ISO 27001)
- Integrations to Excel, Outlook, Gmail, G-Drive, Dropbox and many other productivity tools organizations are using today
- A central, secure place to store, collect and manage all compliance evidence
Want to learn more? Let’s talk.