What is an ISO 27001 Certification?
There are a lot of people out there who would like your company not to be ISO 27001 certified.
Hackers, for one. Also, scammers, financial criminals, and various denizens of the dark web.
ISO 27001 is an audit that assesses your company’s ability to keep its data secure. The International Standards Organization awards certification to any company found to be in compliance with a rigorous set of standards.
Pursuing ISO 27001 certification frustrates folks on the dark web. It can also bring in new customers, inspire confidence in your shareholders, and protect you from the significant risk of a high-profile data breach.
If you want to take action to prevent being the next headline, you’ve come to the right place. Here’s everything you need to know about ISO 27001 certification.
What is ISO 27001?
ISO 27001 is a set of standards for determining whether an organization has built an infrastructure capable of protecting sensitive data.
It’s inseparable from the concept of an information security management system (ISMS). An ISMS is more than just the hardware and software you use to keep information safe. It’s an entire set of rules that govern how you use information. This includes how you store and retrieve it, how you assess and mitigate risks, and how you continuously improve data security.
If an independent auditor affirms that your company’s ISMS meets the standards, you are considered ISO 27001 compliant.
Compliance comes with a whole host of perks. You might win access to business clients who’d be hesitant to work with you otherwise. You’ll demonstrate to all your customers that you take their personal information seriously. You’ll even make sure that you’re compliant with legal standards like HIPAA and GDPR.
Most importantly, though, you’ll have a secure system that you and all your partners can trust — one that’s too valuable to put a price on.
What does ISO stand for?
ISO stands for “International Standards Organization.”
It’s a global, apolitical entity founded in 1946 by delegates from 25 countries who wanted to ensure that national borders didn’t interfere with humanity’s ability to develop reliable technology. Today, ISO unites standardization boards from 165 countries, reporting to a central government in Switzerland.
Its work can be seen everywhere, from shipping containers (which can be loaded and unloaded at almost any port thanks to ISO standards) to cameras (whose light sensitivity is measured in units called ISOs).
What is the purpose of ISO 27001 certification?
ISO 27001’s complete name is “ISO/IEC 27001:2017 Information technology — Security techniques — Information security management systems — Requirements.”
The standard was established in 2005 and revised in 2013 and 2017 through a partnership with the International Electrotechnical Commission (IEC), another standards organization.
ISO created ISO 27001 in response to the rising prevalence of information technology in businesses of all kinds. In order to counter increasingly sophisticated methods of attacking systems and stealing valuable private data, companies needed to hold themselves to a comprehensive set of rigorous security standards.
The rise of information security regulations also fueled the adoption of ISO 27001. Laws like the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the General Data Privacy Regulation (GDPR) in the European Union impose strict penalties for preventable data breaches.
Examples of the price for non-compliance are everywhere. In July 2019, British Airways was fined 183 million pounds for failing to prevent a phishing attack that used a fake version of its website. Marriott Hotels was fined 100 million pounds just two days later after hackers stole reams of sensitive personal data from improperly secured guest records.
It’s obvious that the cost of failing to secure customer data can be severe — and not just in lost trust or business.
Is ISO 27001 certification mandatory?
No, it’s not. But following the law is.
While the government won’t require a company to undergo an ISO 27001 audit, it’s often the easiest way to comply with laws like GDPR.
If your business model relies on providing IT services to other companies, you might find that many clients don’t want to work with you without some kind of certificate. That’s usually either ISO 27001 or the similar SOC 2.
However, many companies that understand the importance of ISO 27001 still don’t get certified, fearing the complexity of the process. If you’re still on the fence, keep reading to learn exactly what ISO certification entails.
How long does it take to get ISO 27001 certified?
It depends on the size of your company and the complexity of the data you maintain. A small-to-medium-sized business can expect to take an average of four months to become audit-ready, then about six more months to get through the audit. Larger organizations might require more than a year.
Your yearlong quest for ISO 27001 certification will take you through the following steps:
- Build your ISMS: This isn’t technically part of the ISO 27001 timeline since it’s something you should be doing from the moment you establish your company.
When you’ve only got three employees, your ISMS might be as simple as “nobody but Dave knows the passwords.” As your company grows, you need increasingly detailed rules to keep personal information safe. While most startups form an ISMS naturally, an ad hoc system is unlikely to be enough to guarantee compliance.
- Build an ISO 27001 team: Appoint members of your staff to take charge of the compliance process. The ISO 27001 team will determine the scope of your ISMS, establish processes for documenting it, get senior management support, and work directly with the auditor, among other duties.
- Do a risk assessment and implement controls: ISO 27001 requires the company under audit to document an active, ongoing effort to identify and mitigate threats. Conduct an internal analysis of all potential threats to your information security. Judge the likelihood of each risk and the severity of its consequences.
With a completed risk assessment in hand, it’s time to document what you’re doing about each risk. Expand your ISMS to include mitigation strategies for each risk the analysis turns up.
- Document as extensively as possible: The more work you do to shore up your documentation before the audit, the better your chances of passing are. You’ll also have less work to do on the back end.
Documentation can be grueling work, so it’s better to get started early. When your ISMS is in presentable shape, plan and execute an internal audit as a dress rehearsal for the real thing.
During this phase, your ISO 27001 team should be educating your general staff about information security, your ISMS, and ISO 27001 certification in particular. By having your whole staff pull together, you vastly reduce the likelihood of a hole in your ISMS.
- Get a stage one audit: It’s been about four months at this point, and you’re finally ready to invite an external auditor to review your ISMS. Your ISO 27001 auditor will come from a certification body accredited by ISO.
The official audit process has two stages. In stage one, the auditor reviews the company’s documentation to see if all the required materials are there. Once they’re finished, they’ll point out anywhere your ISMS fails to meet an ISO 27001 standard.
- Implement the stage one audit recommendations: Rectify any parts of your ISMS that the auditor marked for improvement. If you’re missing any information security controls outright, put them into practice and document them thoroughly. Make sure to address every one of the auditor’s points — or have an incredibly good reason not to.
- Get a stage two audit: Invite the auditor back to your premises, this time to look at your real-world information security practices. Their goal is to see if you’re practicing what you preach in your ISMS. Well-documented processes are worthless if they aren’t being followed.
- After getting ISO 27001 certification, make a plan for regular internal audits: An ISO 27001 certificate lasts for three years. During that time, ISO 27001 requires organizations to conduct a “surveillance audit” each year to ensure their commitment to a compliant ISMS hasn’t lapsed.
The above isn’t comprehensive — we’ve condensed a few of the usual steps — but it should give you an idea of why ISO 27001 certification can take up to 12 months.
How much does ISO 27001 certification cost?
Like the timeline, the cost of an ISO 27001 audit can vary widely depending on the size and scope of your company and your information security management system.
The biggest cost associated with ISO 27001 compliance is that you’ll have to take employees off other projects or hire new ones. You’ll also need to pay for training materials and the audit itself.
In total, an average company can expect to pay up to $40,000 for the pre-certification process, $10,000 for the audit itself, and $15,000 per year for maintenance and surveillance audits after achieving certification.
What are the ISO 27001 requirements?
Now that you understand the process for ISO 27001 certification, the next step is to review the actual standards your information security management system needs to comply with.
The actual ISO/IEC 27001:2017 document is broken into several sections, called clauses, and appendices called annexes. The ones you need to worry about are clauses 4 through 10 and Annex A.
Clauses 4 through 10 list every requirement an ISMS must meet before it can be ISO 27001 certified. Annex A lists 114 security controls that might go toward meeting those requirements. In this article, we’ll go through the clauses — for details on the security controls of Annex A, check out our article on ISO 27001 controls.
Clause 4: Context of the organization
The ISMS should clearly document what it’s supposed to be doing. Why are there information assets under the care of your company in the first place, and what do you use them for?
The auditor can only make an accurate assessment of the effectiveness of your ISMS once they understand its goals. A company that manages customer names in a guest registry needs a very different ISMS than a firm that collects client social security numbers for tax services.
To meet the requirements of Clause 4, document what your organization does, what customers need from you, and the scope of your ISMS.
Clause 5: Leadership
For an ISMS to be effective, it has to have the full support of senior management. ISO 27001 auditors want to know that senior leaders feel accountable for the success of the ISMS. It’s also vital that they feel bound by it and don’t believe their executive roles place them above ISMS policies.
If senior managers aren’t directly involved, dedicated leaders should be assigned to monitor, test, and improve information security processes continually. There should never be any doubt about who is responsible for each aspect of the ISMS.
Clause 6: Planning
Clause 6 deals with risk management. Documentation should show how you identify and analyze each information security risk, your process for choosing how to respond to each risk, and what risk avoidance, tolerance, and mitigation look like for your team.
Clause 6 is also about opportunity. In addition to mitigating risks, ISO 27001 certification asks you to name goals for your ISMS and make plans to achieve them. To meet Clause 6 requirements, you should be able to define success for your ISMS.
Clause 7: Support
Reaching the level of sophistication that ISO 27001 requires from an ISMS demands a lot of support. Clause 7 asks for a plan to ensure support resources will always be available.
Chief among those resources is human expertise. Any time your organization is working with customer data, somebody should be on hand who understands how the ISMS works in the appropriate context.
Clause 7 also details one of the most crucial requirements in ISO 27001 — a communication system. The people responsible for information security should have dedicated, always-open channels to talk to each other about implementing ISMS policies.
Clause 8: Operations
Clause 6 was about risk assessment and analysis. Clause 8 builds on those requirements to discuss how risk assessments are put into practice and how your battle plans survive contact with the enemy (i.e., real-world security risks).
To meet the requirements in Clause 8, build on your work from Clauses 6 and 7. In fact, if you were thorough in those sections, your work on 8 should be close to finished already. Think of 8’s documentation as pulling together disparate elements into a coherent start-to-finish plan.
Clause 9: Performance evaluations
The final two clauses, 9 and 10, are a matched set. They ask you to document how you plan to continually improve your organization’s ISMS over time. The landscape of digital security is constantly in flux, so these clauses represent fundamental building blocks of ISO 27001.
Clause 9 deals with monitoring. To start, you’ll need to document how you measure the effectiveness of your ISMS and how to know whether you’re getting reliable results. Processes like penetration testing often make an appearance here.
You’ll also need a plan for conducting internal audits to ensure you remain ISO 27001 compliant after your third-party audit is complete.
Clause 10: Improvement
Clause 10 is all about damage control. If you spot a nonconformity in your ISMS (defined as any failure to follow established ISMS policies), how do you react?
A nonconformity could be the result of an honest mistake. It could also come from a hostile outsider attempting to steal data from your system. To effectively head off risks, you need a consistent plan for dealing with any observed aberration.
Clause 10 requires an ISMS to plan beyond individual problems. Once you’ve resolved an issue, how do you shore up the system so it doesn’t happen again? A good ISMS should be in a constant state of growth and improvement without any overt failures.
ISO 27001 may seem daunting at first, but the benefits significantly outweigh the drawbacks. When you consider the massive liability payments that can result from data breaches and the hard work of damage control, there’s a good chance the certification process will actually save you money and time.
That said, if you found anything in this article overwhelming, we have good news — you can work with trained professionals to make it easier, just like doing your taxes.
Secureframe uses automation and trained professional help to get you ready for your own ISO 27001 certification process. Contact us today for a demo.