
How to Do an ISO 27001 Risk Assessment
Open any news app and you’ll quickly see why information security is more important than ever. A new cyberattack is launched every 39 seconds, and each one costs companies an average of $8.64 million.
If your company handles sensitive data, you need to earn and keep your customers’ trust. That’s where ISO 27000 security standards come in.
The ISO 27000 family of standards comprises several sets of guidelines, all aimed at certifying a company’s information security policies. ISO 27001 is the central international standard, while the others provide information security guidelines that independent auditors and certification bodies can use to certify your internal information security controls.
An ISO 27000 certificate is one of the best ways to show prospective clients that you can be trusted to safeguard their data. If you’re wondering how an audit works or what details you’ll need to document, this guide has all the answers you need.
The ISO 27000 series of standards is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission to help organizations improve their information technology security by building a strong information security management system (ISMS).
This ISMS is designed to mitigate risk across three pillars of information security: people, processes, and technology.
The ISO/IEC 27000 series comprises 46 individual standards, including ISO 27000 itself.
At its core is ISO 27001, which details the requirements for implementing an ISMS. ISO/IEC 27001:2013 is the only standard in the ISO 27000 series that companies can be audited and certified against.
While not every ISO standard will apply to your organization, it’s helpful to get an overall understanding of ISO 27000 and its core principles, including requirements for building an ISMS.
The concept of an ISMS is fundamental to ISO 27000, so let’s define it in more detail.
An information security management system is the entire set of processes an organization uses to interact with secure data. An ISMS should protect information assets from unauthorized access, proactively identify and mitigate risk, and ensure data availability.
Most people think of an ISMS in the context of hardware and software. Under ISO 27000, the definition is broader, including workflows, policies, plans, and culture.
If you’re looking to build a compliant ISMS and achieve certification, this guide has all the details you need.
The ISO 27000 standards list includes 12 separate standards. If you’re looking for a certificate, ISO 27001 is the only mandatory set. But working knowledge of the others can help you decide which apply to you.
ISO 27000 outlines the security techniques necessary to properly safeguard customer data. ISO 27001 is where those principles meet the real world. Businesses implement the requirements outlined in ISO 27000 standards and verify the effectiveness of their ISMS through an ISO 27001 audit.
ISO 27001 lists the requirements for building a compliant ISMS. The ISMS must be:
Annex A of ISO 27001 lists 114 specific ISO 27001 controls that an organization might use to meet these requirements.
ISO 27002 builds on the controls discussed in Annex A of ISO 27001. While Annex A provides a quick rundown of each control, ISO 27002 describes them all in full.
ISO 27002 is useful because a company undergoing an ISO 27001 audit only needs to address the controls relevant to it. For example, if you don’t have any employees who work remotely, you likely don’t need to implement controls on leaving company computers in public spaces.
ISO 27003 provides general guidance on building an ISMS. It’s an excellent resource for the pre-audit phase when you can use its guidelines to conduct a gap analysis and determine what your company still needs to do in order to reach ISO 27001 compliance.
ISO 27004 builds on ISO 27003 by suggesting ways to evaluate and monitor the security of your ISMS. It also helps organizations determine which of the controls in ISO 27002 might be useful for audit preparation.
ISO 27005 is a code of practice devoted to information security risk management. Since forecasting, analyzing, and mitigating risk is a crucial part of ISO 27001 certification, it pays to study this one in as much detail as possible. Sections cover assessing risks; choosing whether to mitigate, accept, or avoid them; and monitoring risk responses over time.
ISO 27006 is a set of information security standards that determine whether a firm is qualified to perform ISO 27001 audits. Unless your business relates directly to performing compliance audits, this series isn’t likely to be meaningful for you.
This new pair of information security standards was introduced in 2011 and revised in 2020. They build on ISO 27006 by providing guidelines for accredited organizations to conduct ISMS audits.
If you’re seeking an ISO 27001 certificate for your company, it’s a good idea to read these over. They’ll give you a sense of what your auditor will consider while they evaluate your ISMS.
This pair of information security standards first appeared in 2014, near the beginning of the cloud services boom. They provide controls for securing any data your organization stores in the cloud.
ISO 27017 and ISO 27018 are to cloud data what ISO 27002 is to data managed on-premises. You’re free to use both sets of controls in parallel — ISO 27002 for your on-site data as well as ISO 27017 and ISO 27018 for data stored in the cloud.
The code of practice in ISO 27033 governs network security. ISO 27002 includes several controls for securing a company’s internal network; ISO 27033 builds on these controls and offers specification and implementation guidance.
This series centers on application security controls, their data structure, and the assurance prediction framework.
This series covers information security incident management, including your organization’s incident response plan.
How will you ensure business continuity if a breach occurs? Every company should clearly map out responsibilities and communication plans in the event of a security incident.
One of the newest ISO standards, ISO 27701 focuses on privacy. It was created in response to the EU strengthening GDPR and requiring organizations to take “appropriate measures” to secure users’ private information.
ISO 27701 explains what those appropriate measures might be. In essence, it’s about building a privacy information management system (PIMS) in conjunction with your ISMS.
Technically, you don’t.
Just to clear up any remaining confusion, there’s no such thing as ISO 27000 certification. ISO 27001 is the standard that lays out instructions for certifying an organization as compliant with any part of ISO 27000.
With that out of the way, how do you get ISO 27001 certified?
Start the ISO 27001 certification process by understanding ISO 27000 standards in detail. For example, if you store part of your infrastructure in the cloud, study ISO 27017 and ISO 27018. If your customers are in the EU, study ISO 27701, etc.
Your next step is to make sure your ISMS is up to par. ISO 27003 will be helpful here. If your documented ISMS fits all relevant controls in each section of ISO 27000 (at least on paper), it’s time for the risk assessment.
Develop your risk assessment process using the guidelines in ISO 27005 to help you along. It will reveal areas in which your ISMS falls short of compliance, illuminating which unmitigated risks carry the greatest potential consequences.
ISO 27001 compliance requires documentation of both the risk management process and the decision made regarding each risk — whether to avoid, mitigate, absorb, or transfer.
The last step is to document a process for continuously improving your ISMS. Use ISO 27004 as your guiding light for adapting your ISMS to constantly evolving information security threats.
At this point, if you’ve got all the required documentation and digital evidence, you’re ready for a Stage 1 audit. Choose an auditor who has experience working in your industry, and who’s a good fit for your corporate culture.
During the Stage 1 audit, the auditor will conduct a preliminary review of your documentation and ISMS and point out any shortfalls you may have missed. You’ll have a chance to review the initial report and rectify any mistakes before the final certification audit.
The auditor will then conduct a Stage 2 audit, which involves an on-site evaluation of your ISMS. Your auditor will also ensure that your company is following the policies and procedures they reviewed during Stage 1.
If you’re found to be in compliance with all relevant ISO 27000 standards, the auditor will then issue you an ISO 27001 certificate.
During an ISO 27001 audit, a professional auditor accredited by ISO examines an ISMS and its documentation to see if it satisfies the ISO 27001 standard. Based on the auditor’s evaluation, the business is awarded an ISO 27001 certificate.
Is ISO 27000 mandatory? No.
Yet more than 33,000 organizations are currently ISO 27001 certified, and the reason is simple: the benefits outweigh the cost. Here are some of the advantages of ISO 27000 compliance:
In the end, every organization that seeks ISO 27000 compliance through ISO 27001 certification has its own reasons. Only you can decide if it’s the right choice for your business.
When embarking on an audit using the ISO 27000 standard, here are a few ways to set yourself up for success:
ISO 27000 is a rigorous set of standards for a reason — in an evolving cybersecurity landscape, it’s necessary to keep data secure.
If you’re considering ISO 27001 certification, a compliance platform can clarify and streamline the entire process. Schedule a demo today for expert help understanding the intricacies of ISO 27000.