What Is ISO 27001 Certification?
ISO 27001 Certification is simply about protecting information. And that should matter to everyone. But people often make the mistake of assuming this standard is only for IT companies.
Plenty of IT companies are certified, but they pursue ISO 27001 certification because they see it as beneficial to their businesses. And it’s good for yours too.
In this article, we break down the essential components of ISO 27001 certification so you can use your InfoSec program as a substantial business advantage.
What Does “ISO 27001” Mean?
ISO 27001 is published by the International Organization for Standardization (ISO) in partnership with the International Electrotechnical Commission (IEC). It is one of the most widely recognized, internationally accepted independent security standards, and being compliant with it increases your business opportunities! It details requirements for establishing, implementing, maintaining, and continually improving an organization’s information security management system (ISMS).
The fundamental goal of ISO 27001 is to protect three aspects of information:
- Confidentiality: only authorized individuals have the right to access information.
- Integrity: only the authorized persons can make changes to the information.
- Availability: the data must be accessible to authorized persons whenever it is needed.
How ISO 27001 Works
An accredited certification body independently audits your organization. To achieve certification, you’ll undergo an ISO 27001 audit, and to pass, you’ll need to have implemented several critical items. Maintaining certification requires yearly audit reports to prove you’re still ISO compliant, followed by a surveillance audit for the next two years. And the recertification audit process continues as long as you wish to prove compliance.
Who’s Involved in the ISO Process?
IT does play a significant role, most obviously in the technology and in developing the processes and policies that ensure correct use. But the process needs the expertise of people from across your entire organization. We recommend creating a multi-departmental team to oversee the ISO 27001 implementation process.
You’ll also need an independent auditor from an accredited certification body.
Choosing an ISO 27001 Auditor
There’s a lot that goes into choosing the right auditor for you, but one of the simplest ways to save time is this: some certification bodies specialize in specific industries. For example, they may be fluent in the retail sector’s needs but unaware of your business’s specifics. As a result, you’ll end up losing time explaining the ins and outs of your organization.
Other tidbits to keep in mind are the auditor’s accreditation, specializations, and experience, as well as their reputation. Do your due diligence and spend a little time shopping around for an auditor that’s right for you.
So What’s Involved In the ISO Audit Process?
To gain your ISO 27001 certification, you need to complete a two-stage external audit:
- Stage 1 is a preliminary, informal/desktop review of your ISMS. Auditors and organizations become familiar with one another and keep it reasonably simple. Auditors generally look over whether your organization has established the ISMS by auditing the mandatory clauses. They’ll also verify your information security policies against ISO 27001 requirements, Statement of Applicability (SoA), and Risk Treatment Plan (RTP). We get into the nitty-gritty down below!
- Stage 2 is a formal compliance audit. Auditors will revisit your policies and test applicable ISMS controls listed in the SoA against ISO 27001 requirements. And they collect evidence validating your management system is appropriately designed and implemented. Passing this stage results in ISO 27001 certification!
Certification is valid for three years, and companies are required to do surveillance audits for two years. And in year three, they’ll complete a recertification audit.
How fast Can I Get ISO 27001 Certification?
As with any certification, time varies from company to company and depends heavily on your existing circumstances.
Stage 1, where auditors focus mainly on documentation, can take from six months (ten employees or fewer) to 14 months (over 200 employees) of preparation before the audit. The audit itself only takes a day or two to complete. Your auditor will leave you with a document citing nonconformities to address before the next audit.
A month after Stage 1, the auditor returns to evaluate the management system’s implementation and the list of issues they left you with. The Stage 2 audit typically takes around a week. It’s very in-depth and involves going through your ISMS, talking with employees, and digging deeply into all your policies. The auditors will summarize their findings, especially the non-conformances, in an audit report.
But What’s an Information Security Policy?
The policy’s primary purpose is for senior management to clearly define what it wants to achieve with information security. But your policy needs to reflect your company’s security requirements. Copying and pasting a document from a large manufacturing company and using it for a tech startup won’t fly! It needs to define your framework for setting information security objectives.
The policy covers how it supports the organization’s security objectives and outlines your approval and review process. It’s a living document, so a designated document owner needs to be responsible for keeping the policy up to date.
What’s in a Statement of Applicability (SoA)?
This is the central document that defines how you will implement a large part of your information security. There are 114 suggested controls or security measures in ISO 27001 Annex A. But don’t let that number boggle you; there’s more info below! Your SoA, written properly, is an overview, list, justification, and description of the what, why, and how of your chosen controls.
Risk Treatment Plan (RTP)
This mandatory report documents how your organization will respond to threats you’ve identified as part of the risk assessment process. Upon completion, you have a list of “unacceptable” threats to address.
ISO 27001 recommends that you take one of the following actions:
- Mitigate the risk: implement controls to reduce the possibility of occurrence.
- Avoid the risk: cease any activity that creates the risk.
- Transfer the risk: use a third party and outsource security efforts or purchase cyber insurance to ensure you have funds in the event of a breach.
- Accept the risk: take no action, having judged that the cost of treating the risk is greater than the possible damage.
Most often, mitigating the risk is the best course of action. Typically it offers the most practical combination of security and cost.
114 Annex A Controls Is Information Overload!
Don’t worry—it’s not as bad as it seems! Controls are the more actionable tasks that you implement, and they prove compliance. The 114 Annex A Controls are divided into 14 categories. I know it’s a lot to wrap your head around. But basically, it’s a catalog of security controls.
Based on your Risk Assessment (RA), you address only the ones that apply to your company:
- Information security policies: how policies are written and reviewed.
- Organization of information security: the assignment of responsibilities of specific tasks.
- Human resource security: ensuring employees understand their responsibilities before employment.
- Asset management: identifying information assets and defining appropriate protection responsibilities.
- Access control: ensuring employees can only view data relevant to their position.
- Cryptography: encryption and key management of sensitive info.
- Physical and environmental security: securing the organization’s premises and equipment.
- Operations security: ensuring information processing tools are secure.
- Communications security: how to protect information in networks.
- System acquisition, development, and maintenance: ensuring that information security is a central part of the organization’s systems.
- Supplier relationships: the agreements to include in contracts with third parties.
- Information security incident management: how to report disruptions and breaches, and who’s responsible.
- Information security aspects of business continuity management: how to address business disruptions.
- Compliance: how to identify the laws and regulations that apply to your organization.
So Who Should Get ISO 27001 Certification?
This standard applies to any organization that wants to formalize and improve its processes around guarding its data assets. Some vendors may require that companies attain certification before starting a working relationship, but many companies obtain ISO 27001 by choice. Any organization that collects sensitive information, small or large, government or private, profit or non-profit, can advance its business through ISO certification.
Did you know that we’re ISO 27001 certified? Tugboat Logic’s goal has always been to demystify the complexities of information security. No one enjoys audits, but this inevitability is what fuels us to constantly improve our product. So while we didn’t have an external party requiring us to be ISO 27001 certified, we decided to pursue it ourselves.
Where Can I Get More Guidance on ISO 27001?
Don’t be put off by the time, cost, or 114 Annex A controls of ISO 27001 certification. Look at ISO as a sales feature. You’re showing the world you value an environment where secure file transfers are a priority, and that having an evolving ISMS in place matters.
With a bit of guidance and proper tools to assist you, achieving ISO 27001 certification is a breeze. The process can be demystified and simplified with Tugboat Logic! We have over 100 years of combined experience working in security. So let our team of ex-auditors and security veterans assist you on your compliance journey.