Information security is important to everyone. Many of your current and future clients may add ISO 27001 certification as a condition of doing business with you, putting you in a position where you need to start assessing your policies, processes, and procedures.
While ISO 27001 alone won’t guarantee you have effective information security practices in place (sad, but true), and it won’t make a hacker think twice before targeting your organisation, getting the certification is a (small) step towards understanding just how secure your organisation is.
ISO 27001 is an international standard for information security management within organisations. ISO 27001 was published jointly by the International Organisation for Standardisation (ISO), and the International Electrotechnical Commission in 2005, and updated in 2013 and 2017.
ISO 27001 sets out requirements for organisations to establish, implement, maintain and continually improve an information security management system (ISMS) based on their specific information security needs. ISO 27001 is a living framework which is improved and updated regularly based on experience, new information, and annual audit results.
Any organisation who handles information, and is of all sizes, and operates in all sectors can get ISO 27001 certification.
ISO 27001 is not compulsory for any organisation, but yet many organisations have their reasons for going for ISO 27001 certification.
ISO 27001 certification provides a clear framework for information security management. The information security management system sets out your key risk areas including network security, endpoint security, security monitoring and events management, anti-malware controls, secure software development and testing on operational environments, information backup, and more, and supports your efforts to mitigate them.
While ISO 27001 does not fulfill all the requirements of the GDPR, gaining ISO 27001 certification demonstrates that you adhere to the principles of information security and data protection. It may also help you avoid GDPR fines, which are usually accompanied by negative publicity, which in turn damage reputations, and lead to falling client bases and income.
In today’s world with constant information security breaches, customers, clients, and partners need constant reassurance that you take information security seriously and are doing everything you can to protect their data. ISO 27001 is recognised worldwide as a sign of commitment to information security best practices.
Some of your clients may require ISO 27001 certification because they themselves are subject to regulations. If you don’t have it, they will not do business with you, and you will miss out.
ISO 27001 certification is validated by external audits of your information security management system. Certification is only awarded when the external auditors are satisfied that your ISMS provides adequate data protection.
Responsibility for information security often falls on your IT and R&D teams (or even just one person in those teams). ISO 27001 states that information security and data protection is the responsibility of everyone across the entire organisation.
ISO 27001 is a living, breathing certification. You will need to constantly update documents, train new and long-term staff, and ensure that your cybersecurity practices are up to date. There is no right way to stay on top of these requirements, with some companies preferring to keep it all in house, while others use the services of external advisors for ISO 27001 certification and compliance.
ISO 27001 certification requires a clear project plan with clear roles and tasks for stakeholders across the organisation.
Prepare for the ISO 27001
Before you start the ISO 27001 certification process, make sure you understand what ISO 27001 is and what the requirements are. Next, create a project team of stakeholders from across the entire organisation, a project plan, and project risk register.
ISO 27001 gap analysis
Identify how your current information security measures perform against the ISO 27001 standard, what areas need improvement, and where controls are missing and need to be implemented.
Create the ISMS
The information security management system sets out your organisation’s approach to information security, including all the policies and procedures you have in place. Everyone in your organisation must have access to it to understand their information security roles.
Develop the documentation for ISO 27001
ISO 27001 requires you to have information security policies, procedures, and controls in place. The list of controls is summarised below.
Assess, review, and audit your information security
ISO 27001 requires you to regularly review, test, and audit your information security in order to ensure that your controls are working correctly, and to test the robustness of incident response plans.
In order to achieve ISO 27001 certification, your organisation’s information security must meet the requirements set out in clauses 4.1 to 10.2 of the standard. There are 22 requirements in ISO 27001 including:
Some requirements overlap, but as a whole, ISO 27001 requires your organisation to take a full and robust approach to information security.
In addition to the ISO 27001 requirements, Annex A (A.5 to A.18) sets out the controls you may wish to create as a result of your information security risk assessment and the actions you need to carry out to mitigate those risks.
ISO 27001 audit controls include information security policies, asset management, access control, operations security, information security incident management procedures, compliance, and more.
ISO 27001 certification usually takes between three and six months but it can take up to a year. The time taken depends on the size of the organisation, and the information security policies and procedures already in place before starting the ISO 27001 certification process, and most importantly, the commitment of your management and internal teams.
ISO 27001 certification lasts for one year. Since the ISMS is designed to be a living document, it must be updated and maintained, and your ISO 27001 accreditation body may audit you every year.
ISO 27001 certification requires extensive work and considerable expertise to achieve and maintain. While the task may appear daunting, both the process of gaining ISO 27001 certification, and the accreditation itself will have major benefits for your organisation that go far beyond information security.
But don’t think you are alone in the process. A dedicated information security company can guide you through every stage of the journey from gap analysis and risk assessments to the creation of the ISMS and other relevant documentation, policies, and procedures.
Good luck on your journey to demonstrating your dedication to information security with ISO 27001 certification.