There are a lot of people out there who would like your company not to be ISO 27001 certified.
Hackers, for one. Also scammers, financial criminals, and other denizens of the dark web.
What is ISO 27001 certification, exactly? And how does it protect your organization from these threats?
ISO 27001 is a security framework created by the International Organization for Standardization that assesses a company’s ability to keep its data safe. To achieve certification, companies must complete an audit to verify that they comply with ISO 27001’s rigorous standards.
Pursuing ISO 27001 certification holds a lot of benefits for growing businesses — aside from keeping your data safe from a breach. It can also build trust with your customers, inspire confidence in your shareholders, and give you a powerful competitive advantage.
If you’re interested in what it takes to get ISO 27001 certified, you’ve come to the right place.
In this article, we’ll cover what an ISO 27001 certification is, the benefits and requirements of compliance, and the process and costs of getting certified.
When it comes to IT security, ISO 27001 certification is one of the most respected standards internationally.
ISO 27001’s full name is “ISO/IEC 27001:2017 Information technology — Security techniques — Information security management systems — Requirements.”
The standard was established in 2005. It was revised in 2013 and 2017 through a partnership with the International Electrotechnical Commission (IEC), another standards organization.
The ISO 27001 framework determines whether an organization has built an information security management system (ISMS) capable of protecting sensitive data.
An ISMS is more than just the hardware and software you use to keep information safe. It’s an entire set of rules that govern how you use information. This includes how you store and retrieve it, how you assess and mitigate risks, and how you continuously improve data security.
If an independent auditor affirms that your company’s ISMS meets the standards, you are ISO 27001 certified.
Certification comes with a whole host of perks.
You might win access to clients who’d be hesitant to work with you otherwise. You’ll demonstrate to all your customers that you take their personal information seriously. ISO 27001 can also help your organization comply with other regulations like GDPR (although implementing ISO doesn't mean you're inherently GDPR compliant).
Most importantly, though, you’ll have a system that you and all of your partners can trust.
ISO stands for “International Organization for Standardization”.
It’s a global, apolitical entity founded in 1946. Delegates from 25 countries came together to ensure that national borders don’t interfere with humanity’s ability to develop reliable technology.
Today, ISO unites standardization boards from 166 countries, reporting to a central government in Switzerland.
Its work can be seen everywhere: from shipping containers that can be loaded and unloaded at almost any port to cameras whose light sensitivity is measured in units called ISOs.
ISO created ISO 27001 to counter increasingly sophisticated attacks against information systems. To protect valuable private data, companies needed to hold themselves to a comprehensive set of rigorous security standards.
The rise of information security regulations also fueled the adoption of ISO 27001. Laws like the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the General Data Protection Regulation (GDPR) in the European Union impose strict penalties for preventable data breaches.
The price for non-compliance is steep. In July 2019, British Airways was fined £183 million for failing to prevent a phishing attack that used a fake version of its website. Marriott Hotels was fined £100 million just two days later after hackers stole sensitive data from improperly secured guest records.
ISO 27001 certification itself isn’t required by law. But following the law is.
While the government won’t require a company to undergo an ISO 27001 audit, it’s often the easiest way to comply with laws like GDPR.
If your business model relies on providing IT services to other companies, you might find that many clients don’t want to work with you without some kind of security certification. That’s usually either ISO 27001 or SOC 2.
However, many companies that understand the importance of ISO 27001 still don’t get certified, fearing the complexity of the ISO 27001 certification process.
If you’re still on the fence, keep reading to learn exactly what ISO certification for information security entails.
How long certification takes depends on the size of your company and the complexity of the data you maintain.
A small-to-medium-sized business can expect to be audit-ready in an average of four months, then through the audit process in six months. Larger organizations might require a year or more.
Those four months of audit preparation typically involve scoping your ISMS, conducting risk assessments and gap analyses, designing and implementing controls, training staff, and preparing documentation.
The six-month certification audit is broken down into two stages. During Stage 1 audits, the auditor reviews ISMS documentation to make sure policies and procedures are designed properly. They may also make suggestions for how the organization can improve its ISMS to make it more secure.
During a Stage 2 audit, the auditor reviews business processes and controls to ensure compliance with ISO 27001’s ISMS and Annex A requirements.
Your quest for ISO 27001 certification will take you through the following steps:
1. Establish an ISO 27001 team. Appoint members of your staff to take charge of the certification process.
The ISO 27001 team will determine the scope of your ISMS, establish processes for documenting it, get support from senior management, and work directly with the auditor, among other duties.
2. Scope your ISMS. Each business is unique and houses different types of data. Before building your ISMS, you’ll need to determine exactly what kind of information you need to protect.
For some companies, the scope of their ISMS includes their entire organization. For others, it includes only a specific department or system.
Your team will need to discuss what you want to be represented in the scope statement of your ISO 27001 certificate.
Start by asking yourself: “What service, product, or platform are our customers most interested in seeing as part of our ISO 27001 certificate?”
3. Complete a risk assessment and implement controls. ISO 27001 requires companies to document an active, ongoing effort to identify and mitigate threats.
Conduct an ISO 27001 risk assessment to identify potential threats to your information security. Judge the likelihood of each risk and the severity of its consequences.
With a completed risk assessment in hand, it’s time to document what you’re doing about each risk. Expand your ISMS to include mitigation strategies for each risk your analysis uncovers.
4. Document and collect evidence. The more work you do to shore up your documentation before the audit, the better your chances of achieving certification.
Documentation can be grueling work without the help of automation, so it’s better to get started early. Undergo an internal audit as a dress rehearsal for the real thing.
During this phase, your ISO 27001 team should be educating your general staff about information security, your ISMS, and ISO 27001 certification in particular. By having your whole staff pull together, you greatly reduce the likelihood of leaving unaddressed gaps in your ISMS.
5. Complete a Stage 1 audit. It’s been about four months at this point, and you’re finally ready to invite an external auditor to review your ISMS. Your ISO 27001 auditor will come from a certification body with ISO accreditation.
The official audit process has two stages.
6. Implement Stage 1 audit recommendations. Fix any aspects of your ISMS that the auditor marked for improvement. If you’re missing any information security controls outright, put them into practice and document them thoroughly.
7. Undergo a Stage 2 audit. This time your auditor will examine how your information security functions. Their goal is to see if you’re practicing what you preach regarding your ISMS. Well-documented processes are worthless if they aren’t being followed.
After a successful Stage 2 audit, you’ll receive your ISO 27001 certification, which is valid for three years.
8. Maintain ISO 27001 compliance. After getting ISO 27001 certification, make a plan for regular internal audits. ISO 27001 requires organizations to conduct a “surveillance audit” each year to ensure their commitment to a compliant ISMS hasn’t lapsed.
At the end of the third year, you can complete a recertification audit to maintain your ISO 27001 certification for another three years.
Each company’s path to ISO 27001 certification can vary slightly. Some may choose to hire a consultant or opt for a penetration test over vulnerability scanning. But this overview should give you an idea of the steps to ISO 27001 certification and why the process can take up to 12 months.
Like the timeline, the cost of an ISO 27001 audit can vary widely depending on the size and scope of your company and your information security management system.
The biggest cost associated with ISO 27001 compliance is that you’ll have to take employees off other projects or hire new ones. You’ll also need to pay for security training materials and the audit itself.
In total, an average company can expect to pay up to $40,000 for pre-certification preparation, $10,000 for the certification audit itself, and $15,000 per year for maintenance and surveillance audits after achieving certification.
Now that you understand the process for ISO 27001 certification, the next step is to review the actual standards your information security management system needs to comply with.
The official ISO/IEC 27001:2017 standards document is broken into several sections, called clauses, and appendices called annexes. The ones you need to know about are clauses 4-10 and Annex A.
Clauses 4-10 list every requirement an ISMS must meet before it can be ISO 27001 certified. Annex A lists 114 security controls that can go toward meeting those requirements.
In this article, we’ll go through the clauses. For details on the security controls of Annex A, check out our article on ISO 27001 controls.
Under Clause 4, the ISMS should document what it’s supposed to be doing.
Why are there information assets under the care of your company in the first place, and what do you use them for?
The auditor can only make an accurate assessment of the effectiveness of your ISMS once they understand its goals. A company that manages customer names in a guest registry needs a very different ISMS than a firm that collects social security numbers for tax services.
To meet the requirements of Clause 4, document what your organization does, what customers need from you, and the scope of your ISMS.
Clause 5 covers leadership. For an ISMS to be effective, it has to have the full support of senior management.
ISO 27001 auditors want to know that senior leaders feel accountable for the success of the ISMS. It’s also vital that they feel bound by it and don’t believe their executive roles place them above ISMS policies.
If senior managers aren’t directly involved, dedicated leaders should be assigned to monitor, test, and improve information security processes. There should never be any doubt about who is responsible for each aspect of the ISMS.
Clause 6 deals with risk management and asks you to document how you identify, assess, and treat risks to your information security.
Clause 6 is also about opportunity. In addition to mitigating risks, ISO 27001 certification asks you to name goals for your ISMS and make plans to achieve them. To meet Clause 6 requirements, you should be able to define success for your ISMS.
Reaching the level of sophistication that ISO 27001 requires from an ISMS demands a lot of support. Clause 7 asks for a plan to ensure support resources will always be available.
Chief among those resources is human expertise. Any time your organization is working with customer data, somebody should be on hand who understands how the ISMS works in the appropriate context.
Clause 7 also details one of the crucial requirements of ISO 27001: a communication system. The people responsible for information security should have dedicated, always-open channels to discuss implementing and improving ISMS policies.
Clause 6 is about risk assessment and analysis. Clause 8 builds on those requirements to discuss how risk assessments are implemented.
To meet the requirements in Clause 8, build on your work from Clauses 6 and 7. Clause 8’s documentation pulls together the elements laid out in Clauses 6 and 7 into a coherent, start-to-finish plan.
The final two clauses, 9 and 10, are a matched set. They ask you to document how you plan to continually improve your organization’s ISMS over time.
Clause 9 deals with monitoring. To start, you’ll need to document how you measure the effectiveness of your ISMS and how to know if you’re getting reliable results. Processes like penetration testing often make an appearance here.
You’ll also need a plan for conducting internal audits to ensure you remain ISO 27001 compliant after your certification audit is complete.
Clause 10 is all about damage control. How do you react if you spot a nonconformity in your ISMS (defined as any failure to follow established ISMS policies)?
A nonconformity could be the result of simple human error. It could also come from a hostile outsider attempting to steal data from your system. To effectively head off risks, you need a consistent plan for dealing with an aberration.
Once you’ve resolved an issue, how do you shore up the system, so it doesn’t happen again? A good ISMS should be in a constant state of growth and improvement.
ISO 27001 may seem daunting at first, but the benefits significantly outweigh the effort.
When you consider the liability payouts that can result from data breaches, not to mention the cost of damage control, there’s a good chance the certification process will save you money and time.
That said, if you found anything in this article overwhelming, we have good news.
Secureframe’s compliance automation platform and team of security compliance experts can get you ready for your own ISO 27001 certification faster and with fewer headaches. Request a demo to learn more.