Ultimate Guide to ISO 27000
ISO 27000 is a series comprised of several sets of guidelines, all aimed at certifying a company’s information security policies.
Open any news website, and you’ll quickly see why information security (infosec) is a bigger issue than ever. Serious data breaches are becoming as common as the weather.
If your business is taking care of sensitive data for other businesses, you need to work harder than ever to build trust in your customer base.
That’s where an ISO 27000 series audit comes in. ISO 27001 is the central standard, while the others, from ISO 27002 to ISO 27799, cover different information security aspects, providing a set of guidelines an independent auditor can use to certify your infosec controls.
An ISO 27000 series certificate is one of the best ways to show prospective clients that you have their best interests at heart. If you’re wondering how an audit works or what details you’ll need to document, this guide has all the answers you need.
What is ISO 27000?
ISO 27000 is a series of standards. At its core is ISO 27001, a set of specifications for building an information security management system (ISMS). Every other standard in the series exists to supplement or adjust ISO 27001 in some way.
ISO stands for “International Standards Organization.” Founded with 25 member states, and now including over 160, ISO exists to advance human technology through standardization. The results of ISO’s work can be seen everywhere, from computer science to art to transportation (they set the original standards for the globally ubiquitous shipping container).
ISO 27000 was first developed in 1995 and most recently revised in 2017 (though largely with cosmetic revisions over the 2013 version). Every ISO 27000 standard covers a different aspect of information security.
The concept of an ISMS is fundamental to ISO 27000, so let’s define it in more detail.
An information security management system is the entire set of processes an organization uses to interact with secure data. An ISMS should protect that data from breaches, proactively identify and mitigate risks, and make sure the data is available to accomplish the organization’s goals.
Most people think of an ISMS in the context of hardware and software. Under ISO 27000, the definition is broader: not just tools but also workflows, policies, plans, and culture.
So, ISO 27000 is a broad set of standards defining what makes a good ISMS. It’s a system that can defend secure customer data against the increasing threat of hacks and breaches. But how does it work in practice?
ISO 27000 meets the real world through an ISO 27001 audit, the process by which businesses seek ISO 27001 certification.
A professional auditor accredited by ISO examines an ISMS and its documentation to see if it lives up to ISO 27001 standards. If any other standards in the ISO 27000 series are relevant, the auditor will consider them as well.
The certification itself, however, is governed entirely by ISO 27001. If your business manages to pass the audit, your reward is an ISO 27001 certificate.
The standards in ISO 27000 are strict, and certification is completely optional, so why would anybody bother? We’ll unpack that in the next section.
What is the purpose of an ISO 27001 audit?
At this point, you might be wondering why anybody would go to the trouble of getting an ISO 27001 audit or meeting any of the ISO 27000 standards.
More than 33,000 organizations are currently ISO 27001 certified, so what is the reasoning here?
The reason is simple: the benefits outweigh the costs. Here are some of the rewards you can reap for seeking ISO 27000 compliance:
- Comply with the law: Restrictions such as the European Union’s General Data Privacy Regulation (GDPR) and the United States’ Health Insurance Portability and Accountability Act (HIPAA) impose strict fines for violations. An ISO 27001 certificate ensures your organization complies with all data privacy laws.
- Attract more customers: Potential clients and customers are well aware of the growing risks posed by data breaches. When deciding what partners to work with, clients take information security into account. ISO 27001 certification and compliance with the relevant ISO 27000 series standards make great market differentiators.
- Make your employees more confident: The benefits aren’t just external but apply within your team as well. Your employees will be more relaxed and loyal if they know their data is being taken care of — and you’ll be able to attract better talent to your team.
- Prevent costly hacks: A high-profile data breach can be devastating for a public-facing business even without the fines. Hacks are followed by bad press, loss of value, employee defections, and lost productivity as the whole team shifts to damage control.
In the end, every organization that seeks ISO 27000 compliance through ISO 27001 certification has its own reasons. Only you can tell if it’s the right choice for your business.
How is ISO 27000 different from SOC?
Before we continue, we’d like to clear up a common point of confusion — the difference between ISO 27000 and the Service Organization Control (SOC) set of standards.
SOC is a set of criteria overseen by the American Institute of Certified Public Accountants (AICPA). Instead of the pre-written control checklists published in ISO 27000, SOC presents flexible standards for each organization under audit.
Ultimately, though, their values are about the same, with 95% of controls duplicated in both ISO 27000 and SOC criteria. The best choice for your company depends mostly on its location: a SOC report carries more prestige in the United States, while ISO 27001 certification is more popular in the rest of the world.
What are the ISO 27000 standards?
12 separate standards comprise ISO 27000. If you’re looking for a certificate, ISO 27001 is the only mandatory set. However, you should have a working knowledge of the others to decide which ones apply to you.
ISO 27001 lists the requirements for building a compliant ISMS. If you don’t meet these standards, you can’t get a certificate.
ISO 27001 details its requirements in seven clauses. It asks that an ISMS be clearly documented, supported by senior leadership, capable of anticipating and mitigating risks, supplied with all the resources it needs to function, and be regularly reviewed and updated.
Annex A of ISO 27001 lists specific controls that an organization might use to meet these requirements. It consists of 114 ideas your company might find relevant.
ISO 27002 builds on the controls discussed in Annex A of ISO 27001. While Annex A provides a quick rundown of each control, ISO 27002 describes them all in full.
ISO 27002 is useful because the company under ISO 27001 audit only needs to address the controls relevant to them. For example, if you don’t have any employees who work remotely, you don’t need to implement controls on leaving company computers in public spaces.
ISO 27003 provides general guidance on building an ISMS. It’s an excellent resource for the pre-audit phase when you can use its guidelines to conduct a gap analysis. That is when you research what your company still needs to do in order to reach ISO 27001 compliance.
ISO 27004 builds on ISO 27003 by suggesting ways to evaluate and monitor the security of your ISMS. It also helps organizations determine which of the controls in ISO 27002 might be useful for audit preparation.
ISO 27005 is devoted to risk management. Since forecasting, analyzing, and mitigating risk is a crucial part of ISO 27001 certification, it pays to study this one in as much detail as possible. Sections cover assessing risks, choosing whether to mitigate, accept, or avoid them, and monitoring risk responses over time.
ISO 27006 is a set of standards that determine whether a firm is qualified to perform ISO 27001 audits. Unless your business relates directly to performing compliance audits, this series isn’t likely to be meaningful for you.
ISO 27007 and ISO 27008
ISO introduced this new pair of standards in 2019. They build on ISO 27006 by providing guidelines for accredited organizations to conduct ISMS audits.
If you’re seeking an ISO 27001 certificate for your company, it’s a good idea to read these over. They’ll give you a sense of what your auditor will think while they evaluate your ISMS.
ISO 27017 and ISO 27018
This pair of standards first appeared in 2015, near the beginning of the cloud services boom. They provide controls for securing any data your organization stores in the cloud.
ISO 27017 and ISO 27018 are to cloud data what ISO 27002 is to data managed on-premises. You’re free to use both sets of controls in parallel — ISO 27002 for your on-site data and ISO 27017 and ISO 27018 for data in the cloud.
The standards in ISO 27033 govern network security. ISO 27002 includes several controls for securing a company’s internal network; ISO 27033 builds on these controls and offers advice for implementing them.
One of the newest ISO standards, ISO 27701 focuses on privacy. It was created in response to the EU strengthening GDPR and requiring organizations to take “appropriate measures” to secure users’ private information.
ISO 27701 explains what certain appropriate measures might be. In essence, it’s about building a privacy information management system (PIMS) in conjunction with your ISMS.
How do I get ISO 27000 certified?
Technically, you don’t.
Just to clear up any remaining confusion, there’s no such thing as ISO 27000 certification. ISO 27000 is a series of standards. ISO 27001 is the standard that lays out instructions for certifying an organization as compliant with any part of ISO 27000.
With that out of the way, how do you get ISO 27001 certified?
Start the process by understanding ISO 27000 in detail. Understand every part of ISO 27001 and any other standards series that relates directly to your business. For example, if you store part of your infrastructure in the cloud, study ISO 27017 and ISO 27018. If you’re in the EU, study ISO 27701, and so on.
Your next step is to make sure your ISMS is up to par. ISO 27003 will be helpful here. If your documented ISMS fits all relevant controls in each section of ISO 27000 (at least on paper), it’s time for the risk assessment.
Develop your risk assessment process using the guidelines in ISO 27005 to help you along. It will reveal areas in which your ISMS falls short of compliance, illuminating which unmitigated risks carry the greatest potential consequences.
ISO 27001 compliance requires documentation of both the risk management process and the decision made regarding each risk — whether to avoid, mitigate, absorb, or transfer.
With these documents in hand, the last step is to document a process for continuously improving your ISMS. Use ISO 27004 as your guiding light for adapting your ISMS to constantly evolving information security threats.
At this point, if you’ve got all the required documentation on file, you’re ready for a Stage 1 audit. Choose an auditor who has experience working in your industry, and who’s a good fit for your corporate culture.
The auditor will conduct a preliminary review of your documentation and ISMS and point out any shortfalls you may have missed. You’ll have a chance to review the initial report and rectify any mistakes before the final certification audit.
After the final certification audit, if you’re found to be in compliance with all relevant ISO 27000 standards, you’ll receive the coveted ISO 27001 certificate. The whole process can take up to a year, so it’s not surprising that many organizations choose to hire expert help.
How much does ISO 27000 cost?
The cost of an ISO 27001 audit depends on the size of the organization. A larger company usually builds an ISMS with a greater scope, which takes longer to audit. The longer the auditor spends at your offices, the more they cost.
A company with 50 or fewer employees can expect to spend between $5,000 and $10,000 on a certification audit lasting three to six days. From there, add approximately $1,800 for each extra day of the audit. For example, a company with 500 employees can expect about 11 days of auditing at a cost of $19,000.
However, the absolute price of the audit doesn’t tell the whole story. An audit may take one to two weeks, but preparation might take up to six months at a mid-sized company. For those six months, you either need to hire new contract employees or take some current employees from their normal duties.
Suppose you build an ISO 27000 compliance team consisting of an IT engineer, a lawyer, a tech writer, and your VP in charge of security. Those are all high-value employees; in six months, they probably make over $200,000 combined. The cost of ISO 27000 preparation should reflect that — plus the loss of revenue from none of them being able to contribute to your product.
Going about ISO 27001 certification the traditional way can rack up labor costs quickly. The best way to keep the price down is to automate as much of that work as possible.
How can I pass my ISO 27001 audit?
When embarking on an audit using the ISO 27000 series, here are a few ways to set yourself up for success:
- Choose the right auditor: Picking an auditor is an important and often overlooked part of the process. Approach the search as though you’re hiring an employee because, in a way, you are.
- Do an internal audit first: This won’t just help you prepare for the Stage 1 and certification audits; it’ll also get you ready to maintain your ISO 27001 certification after you receive it. ISO 27001 requires certified organizations to conduct internal audits at regular intervals. It’s a good idea to practice.
- Choose the right controls: Look through every series in ISO 27000, not just ISO 27001. They’re all in there for a reason, whether it’s to give you advice, help you peek into your auditor’s mind, or offer controls that will be perfect for your company’s unique situation.
- Consider automation tools: Compliance automation makes it easier than ever to prepare for an ISO 27001 audit. With Secureframe, you can integrate all the technology in your ISMS, scan automatically for risks and potential violations, and constantly improve your security.
ISO 27000 is a rigorous set of standards for a reason. Not every ISMS meets them, but that’s what we need to keep data secure.
If you’re concerned about the cost of an ISO 27001 certificate, automation is the best way to go. Secureframe helps your ISMS provide total security coverage while freeing up your employees to do what they do best.
Talk to Secureframe today for expert help understanding ISO 27000 and ace your ISO 27001 audit.