Become a security expert.
Get the latest articles on startup security and compliance best practices delivered straight to your inbox.Get a Secureframe demo
Information is the currency of the modern world.
Sadly, many organizations lack the proper controls and standards to protect their information assets.
This is especially dangerous for companies that deal with confidential user data. A data breach can be a painful hit — one many organizations won’t recover from.
ISO 27001 helps you implement a solid information security management system (ISMS) to protect your most valuable information assets and mitigate security risks.
We interviewed Mahtab Haider, the director of ISO Service Line at The Cadence Group, and asked him seven questions about maintaining your ISO 27001 certification.
Before we dive into the actual interview questions, let’s start with a quick recap of the ISO 27001 standard.
ISO 27001 is an international standard that explores an organization’s security controls and processes to ensure they protect users’ confidential information.
To do this, ISO 27001 analyzes an organization’s security performance in three main areas:
ISO 27001 provides you with the guidelines and requirements you need to implement an information security management system (ISMS) the right way.
An organization’s ISMS represents the collection of all security controls in your business. That is, everything you’re doing to manage and coordinate your internal security controls, including:
Now that we've covered the basics of ISO 27001, let’s dive into the interview questions.
Haider explains: “ISO 27001 certification lasts three years. The first year comprises a full certification audit while the second and third years are surveillance audits.”
What does this mean?
Once an auditor reviews your controls and issues your certification, you’re compliant for three years. But, it doesn’t mean you shouldn’t do anything to maintain that certification.
Here’s how it goes:
If one of your controls fails while your certificate is still valid, you’re obligated to document the incident, inform relevant stakeholders, and fix the issue. Otherwise, you can lose your certification.
In other words, getting your ISO 27001 certification is just the first step of an ongoing process.
“Continued review and updates to its information security policies and procedures along with process and control implementation are needed to maintain ISMS,” says Haider.
The ISO 27001 standard suggests implementing an internal auditing program. This way, you can spot potential problems and fix them before they start snowballing into bigger issues that can threaten your certification.
You should designate an internal auditor that will be responsible for evaluating your controls periodically.
At this stage, performance analysis can help you understand how your controls are working and improve your actions accordingly.
We suggest you also perform periodic gap analyses to determine whether your controls are still meeting ISO 27001 requirements.
On top of that, define a specific calendar for internal audits and schedule meetings to document and review your findings.
According to Haider, “Organizational changes are inevitable. Once certified, companies must maintain in-house knowledge of ISMS documentation and processes. It’s a common pitfall for organizations to lose sight of control compliance and policy effectiveness while going through people processes and organizational changes.”
This is especially relevant for large organizations dealing with multiple departments. Siloed, cross-departmental information can open you up to vulnerabilities. Why? Lack of control over your change management processes can lead to poor communication and potential security issues.
We suggest you adopt a project management solution that helps you centralize your information into a single source of truth. This way, you can improve organization-wide transparency, remove silos between departments, and ensure ISMS adoption.
According to Haider, yes. “Information security risk assessment is another venue where information security threats can be registered and monitored for appropriate mitigation actions.”
If you discover a new threat that can jeopardize your information security, you must update your documentation describing the threat and the potential contingency plans and actions you can take to mitigate risk.
ISO 27001 Clause 6 states that organizations must analyze and consider any potential risk and threat involved with any security control.
You should also document a clear schedule of action to deal with risks in case they materialize.
“Incident management domain requirements of ISO 27001 certification standard require organizations to document and inform stakeholders of any security incidents that take place during the certification period. If they do not follow the incident management plan/policy during a surveillance audit, this could be categorized as major non-conformity, which will lead to the discontinuation of ISO certification,” says Haider.
This is why you should constantly be monitoring the performance of your controls.
Cyber-attacks have skyrocketed since the pandemic hit. The FBI reports a 300% increase in cybercrime over the past year alone. Cybersecurity is expected to cost businesses approximately $6 trillion globally by the end of this year.
Many organizations ignore the importance of monitoring and evaluating security controls after getting ISO certification. The problem is that a data breach can often cost you more than a certification. It can tank your entire business.
At this point, you already understand the basics to maintain your ISO 27001 certification. Now the question becomes, what can you do once it expires?
Fortunately, renewing your certification isn’t that complicated.
In the words of Haider, “Certification bodies keep track of their certification clients accreditation. Auditors will work with you to plan, schedule, and renew ISO 27001 certification.”
In other words, make sure to keep in continuous communication with your current auditor to anticipate your next security audit.
Haider shares one last word of advice: “Having a compliance technology platform can provide organizations the necessary process structure to implement ISO 27001 certification.”
Other important things to consider include:
Getting your ISO 27001 certification is an important step for any organization. Keeping that certification over the long term, though, is crucial.
By following the ideas and guidelines provided in this interview, you’ll be able to stay compliant and keep your confidential information secure.
If you’re looking for further guidance on your certification process, Secureframe can help you streamline your ISO 27001 compliance and save you lots of headaches along the way.