There are a lot of people out there who would like your company not to be ISO 27001 certified.
Hackers, for one. Also scammers, financial criminals, and other denizens of the dark web.
What is ISO 27001 certification, exactly? And how does it protect your organization from these threats?
ISO 27001 is an information security standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It sets out the requirements for a management system that keeps an organization’s data safe. To achieve certification, a company must pass an audit by an accredited certification body that verifies its management system meets those requirements.
Pursuing ISO 27001 certification holds a lot of benefits for growing businesses — aside from keeping your data safe from a breach. It can also build trust with your customers, inspire confidence in your shareholders, and give you a powerful competitive advantage.
If you’re interested in what it takes to get ISO 27001 certified, you’ve come to the right place.
In this article, we’ll cover what an ISO 27001 certification is, the benefits and requirements of compliance, and the process and costs of getting certified.
What does it mean to be ISO 27001 certified?
When it comes to IT security, ISO 27001 certification is one of the most respected standards internationally.
ISO 27001’s full title in its 2013 edition is “ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements.” The “ISO/IEC 27001:2017” that appears on some certificates is the European (EN) adoption of that same 2013 edition together with its corrigenda, not a separate revision.
The standard was first published in 2005 by ISO together with the International Electrotechnical Commission (IEC), another standards organization, was revised in 2013, and was revised again in 2022 as ISO/IEC 27001:2022, which restructured the Annex A controls. Certifications issued against the 2013 edition are being transitioned to the 2022 edition.
ISO 27001 specifies what an organization must have in place to run an information security management system (ISMS) capable of protecting sensitive data; an audit against the standard determines whether you actually have it.
An ISMS is more than just the hardware and software you use to keep information safe. It’s an entire set of rules that govern how you use information. This includes how you store and retrieve it, how you assess and mitigate risks, and how you continuously improve data security.
If an independent auditor from an accredited certification body confirms that your company’s ISMS meets the standard’s requirements, you are ISO 27001 certified.
Certification comes with a whole host of perks.
You might win access to clients who’d be hesitant to work with you otherwise. You’ll demonstrate to all your customers that you take their personal information seriously. ISO 27001 can also help your organization comply with other regulations like GDPR (although implementing ISO doesn't mean you're inherently GDPR compliant).
Most importantly, though, you’ll have a system that you and all of your partners can trust.
What does ISO stand for?
ISO stands for “International Organization for Standardization”.
It’s an independent, non-governmental body founded in 1947, after delegates from 25 countries met in London in 1946 to ensure that national borders don’t interfere with humanity’s ability to develop reliable technology.
Today, ISO unites the national standards bodies of 166 countries, coordinated by a Central Secretariat in Geneva, Switzerland.
Its work can be seen everywhere: from shipping containers that can be loaded and unloaded at almost any port to cameras whose sensitivity is quoted as an “ISO” rating, named after the standard that defines it.
What is the purpose of ISO 27001 certification?
ISO and IEC created ISO 27001 to give organizations a comprehensive, auditable set of security requirements at a time when attacks against information systems were becoming increasingly sophisticated. To protect valuable private data, companies needed to hold themselves to something more rigorous than ad hoc good practice.
The rise of information security regulations also fueled the adoption of ISO 27001. Laws like the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the General Data Protection Regulation (GDPR) in the European Union impose strict penalties for preventable data breaches.
The price for non-compliance is steep. In July 2019, the UK Information Commissioner’s Office announced its intention to fine British Airways £183 million over a breach in which customer payment details were diverted to a fraudulent site, and, the next day, to fine Marriott £99 million after attackers had sat inside the Starwood guest reservation database it had acquired for years. Both penalties were reduced substantially when finalised in 2020, to £20 million and £18.4 million respectively, but the enforcement still turned on whether appropriate technical and organisational measures had been in place.
Is ISO 27001 certification mandatory?
No, it’s not. But following the law is.
While no government requires a company to undergo an ISO 27001 audit, certification is a widely recognised way to demonstrate the “appropriate technical and organisational measures” that laws like GDPR require, and it gives you the risk assessment, policies and evidence trail that regulators ask for after an incident.
If your business model relies on providing IT services to other companies, you might find that many clients don’t want to work with you without some kind of security certification. That’s usually either ISO 27001 or SOC 2.
However, many companies that understand the importance of ISO 27001 still don’t get certified, fearing the complexity of the ISO 27001 certification process.
If you’re still on the fence, keep reading to learn exactly what ISO certification for information security entails.
How long does it take to get ISO 27001 certified?
It depends on the size of your company and the complexity of the data you maintain.
A small-to-medium-sized business can expect to be audit-ready in about four months, then to spend roughly six more months completing the two-stage audit and closing any findings. Larger organizations might require a year or more.
Those four months of audit preparation typically involve scoping your ISMS, conducting risk assessments and gap analyses, designing and implementing controls, training staff, and preparing documentation.
The certification audit is broken down into two stages. During Stage 1, the auditor reviews your ISMS documentation to check that the scope, policies, procedures, risk assessment and Statement of Applicability exist and are properly designed, and flags the gaps you must close before Stage 2.
During Stage 2, the auditor tests your business processes and controls in operation, gathering evidence that you meet the requirements in clauses 4 through 10 of the standard and have implemented the Annex A controls your Statement of Applicability declares applicable.
The ISO 27001 certification process
Your quest for ISO 27001 certification will take you through the following steps:
1. Establish an ISO 27001 team. Appoint members of your staff to take charge of the certification process.
The ISO 27001 team will determine the scope of your ISMS, establish processes for documenting it, get support from senior management, and work directly with the auditor, among other duties.
2. Scope your ISMS. Each business is unique and houses different types of data. Before building your ISMS, you’ll need to determine exactly what kind of information you need to protect.
For some companies, the scope of their ISMS includes their entire organization. For others, it includes only a specific department, product, or system.
Your team will need to discuss what you want to be represented in the scope statement of your ISO 27001 certificate.
Start by asking yourself: “What service, product, or platform are our customers most interested in seeing as part of our ISO 27001 certificate?”
3. Complete a risk assessment and implement controls. ISO 27001 requires companies to document an active, ongoing effort to identify and mitigate threats.
Conduct an ISO 27001 risk assessment to identify potential threats to your information security. Define your scoring criteria and risk appetite before you start, so that two assessors would score the same risk the same way, then judge the likelihood of each risk and the severity of its consequences against those criteria.
With a completed risk assessment in hand, it’s time to document what you’re doing about each risk. Record a risk treatment plan: for every risk, whether you mitigate, accept, transfer or avoid it, and which Annex A controls you apply. The resulting Statement of Applicability lists every Annex A control and states whether it applies to you and why, including a justification for each control you exclude.
4. Document and collect evidence. The more work you do to shore up your documentation before the audit, the better your chances of achieving certification.
Documentation can be grueling work without the help of automation, so it’s better to get started early. ISO 27001 itself requires you to complete an internal audit and a management review before certification; treat them as a dress rehearsal for the real thing.
During this phase, your ISO 27001 team should be educating your general staff about information security, your ISMS, and ISO 27001 certification in particular. By having your whole staff pull together, you greatly reduce the likelihood of leaving unaddressed gaps in your ISMS.
5. Complete a Stage 1 audit. It’s been about four months at this point, and you’re finally ready to invite an external auditor to review your ISMS. Your ISO 27001 auditor will come from a certification body that has been accredited by a national accreditation body such as UKAS or ANAB; ISO itself does not audit or certify organizations.
The official audit process has two stages.
6. Implement Stage 1 audit recommendations. Fix any aspects of your ISMS that the auditor marked for improvement. If you’re missing any information security controls outright, put them into practice and document them thoroughly.
7. Undergo a Stage 2 audit. This time your auditor will examine how your information security functions. Their goal is to see if you’re practicing what you preach regarding your ISMS. Well-documented processes are worthless if they aren’t being followed.
After a successful Stage 2 audit, you’ll receive your ISO 27001 certification, which is valid for three years.
8. Maintain ISO 27001 compliance. After getting ISO 27001 certification, make a plan for regular internal audits and management reviews, which the standard requires you to keep running at planned intervals. Your certification body will also return for a “surveillance audit” each year to confirm that your commitment to a compliant ISMS hasn’t lapsed.
Before the certificate expires at the end of the third year, you complete a recertification audit to maintain your ISO 27001 certification for another three years.
Each company’s path to ISO 27001 certification can vary slightly. Some may choose to hire a consultant, or to commission a penetration test rather than relying on vulnerability scanning alone. But this overview should give you an idea of the steps to ISO 27001 certification and why the process can take around 12 months.
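Step 3 above, the risk assessment and treatment plan, is the part of the process that produces most of the evidence an auditor reads in Stage 1, so here is what it looks like as a small risk register. This is an added example, not Secureframe’s, ISO’s or any certification body’s code. The 1-to-5 likelihood and impact scales, the risk appetite of 8, the control effectiveness numbers, the sample risks and the `Control`, `Risk`, `decide`, `statement_of_applicability` and `treatment_plan` names are all constructed assumptions; the Annex A references follow the 2022 edition as recalled here and should be checked against the edition your auditor uses.

```python
# Added example (not Secureframe's or ISO's code). The 1-5 scales, the risk
# appetite of 8, the control effectiveness numbers and every sample risk are
# constructed assumptions; Annex A references follow the 2022 edition as
# recalled here, so check them against the edition your auditor uses.
from dataclasses import dataclass, field

LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
RISK_APPETITE = 8  # assumed: a score above this cannot simply be accepted


@dataclass(frozen=True)
class Control:
    ref: str                  # Annex A reference, e.g. "A.8.7"
    name: str
    cuts_likelihood: int = 0  # points taken off likelihood once implemented
    cuts_impact: int = 0      # points taken off impact once implemented


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Criteria are fixed in advance so that two assessors score alike.
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.asset}: likelihood and impact must be 1-5")

    def inherent(self) -> int:
        """Likelihood x impact before any control is applied."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Score after the listed controls, floored at 1 on each axis."""
        lik = max(1, self.likelihood - sum(c.cuts_likelihood for c in self.controls))
        imp = max(1, self.impact - sum(c.cuts_impact for c in self.controls))
        return lik * imp


def decide(risk: Risk, appetite: int = RISK_APPETITE) -> str:
    """Treatment decision. 'escalate' means the chosen controls still leave the
    risk above appetite: add controls, transfer it (insurance, a supplier) or
    avoid it (retire the asset). Every outcome is a documented decision."""
    if risk.inherent() <= appetite:
        return "accept"
    if risk.residual() <= appetite:
        return "mitigate"
    return "escalate"


def statement_of_applicability(risks, catalogue, required_anyway=frozenset()):
    """Map each catalogue control to (applicable, justification). A control is
    applicable when a treatment relies on it or when law, contract or policy
    requires it; clause 6.1.3 d) also wants every exclusion justified."""
    used = {}
    for r in risks:
        for c in r.controls:
            used.setdefault(c.ref, []).append(f"{r.asset}: {r.threat}")
    soa = {}
    for c in catalogue:
        if c.ref in used:
            soa[c.ref] = (True, "treats risk(s): " + "; ".join(used[c.ref]))
        elif c.ref in required_anyway:
            soa[c.ref] = (True, "required by legal, contractual or policy obligation")
        else:
            soa[c.ref] = (False, "no identified risk or obligation requires it")
    return soa


# Constructed sample register; the numbers are illustrative, not guidance.
POLICY = Control("A.5.1", "Policies for information security")
ACCESS = Control("A.5.15", "Access control", cuts_impact=1)
PHYSICAL = Control("A.7.4", "Physical security monitoring")
MFA = Control("A.8.5", "Secure authentication", cuts_likelihood=2)
MALWARE = Control("A.8.7", "Protection against malware", cuts_likelihood=1)
PATCHING = Control("A.8.8", "Management of technical vulnerabilities", cuts_likelihood=1)
BACKUP = Control("A.8.13", "Information backup", cuts_impact=2)
CRYPTO = Control("A.8.24", "Use of cryptography", cuts_impact=3)
CATALOGUE = [POLICY, ACCESS, PHYSICAL, MFA, MALWARE, PATCHING, BACKUP, CRYPTO]

REGISTER = [
    Risk("customer database", "credential stuffing against admin portal", 4, 5, [MFA, ACCESS]),
    Risk("staff laptops", "theft of an unencrypted device", 3, 4, [CRYPTO]),
    Risk("marketing website", "defacement", 2, 2),
    Risk("payment processing", "ransomware", 3, 5, [MALWARE, BACKUP]),
    Risk("legacy FTP server", "exploitation of an unpatched service", 4, 4, [PATCHING]),
]


def treatment_plan(risks=REGISTER, appetite=RISK_APPETITE):
    """Rows of (asset, inherent, residual, decision), highest inherent first."""
    rows = [(r.asset, r.inherent(), r.residual(), decide(r, appetite)) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)
```

Calling `treatment_plan()` on the sample register ranks the customer database (inherent 20) first, and shows that its two controls bring it down to exactly the appetite, while the legacy FTP server stays at 12 after patching alone and so comes back as “escalate”: the auditor will expect a recorded management decision there, not a silent accept. `statement_of_applicability(REGISTER, CATALOGUE, {"A.5.1"})` then marks policies applicable by obligation, every control a treatment relies on applicable by risk, and physical security monitoring excluded with a written reason, which is the shape of the Statement of Applicability the Stage 1 auditor reads.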
How much does ISO 27001 certification cost?
Like the timeline, the cost of an ISO 27001 audit can vary widely depending on the size and scope of your company and your information security management system.
The biggest cost associated with ISO 27001 compliance is staff time: you’ll have to take employees off other projects or hire new ones. You’ll also need to pay for security training materials and the audit itself.
In total, an average company can expect to pay up to $40,000 for pre-certification preparation, $10,000 for the certification audit itself, and $15,000 per year for maintenance and surveillance audits after achieving certification.
A faster, easier way to get ISO 27001 certified
ISO 27001 may seem daunting at first, but the benefits significantly outweigh the effort.
When you consider the liability payouts that can result from data breaches, not to mention the cost of damage control, there’s a good chance the certification process will save you money and time.
That said, if you found anything in this article overwhelming, we have good news.
Secureframe’s compliance automation platform and team of security compliance experts can get you ready for your own ISO 27001 certification faster and with fewer headaches. Schedule a demo to learn more.
FAQs
What is ISO 27001 certification?
ISO 27001 is the global standard for information security management. It specifies the requirements for establishing, maintaining, and continually improving an information security management system (ISMS). ISO 27001 certification is issued by an accredited certification body after an organization undergoes an audit that shows its ISMS meets ISO 27001 requirements. It’s important to note that organizations may implement ISO 27001 without going through the certification process.
Why is ISO 27001 certification important?
ISO 27001 certification is important for demonstrating your commitment and ability to manage information securely and safely to customers and other stakeholders. While implementing ISO 27001 requirements can do that as well, taking the extra step to go through the certification process can provide an additional layer of assurance.
What is the difference between ISO certification body and accreditation body?
An ISO certification body can provide third-party confirmation that an organization's ISMS meets ISO 27001 requirements via an audit. An ISO accreditation body audits certification bodies to confirm their compliance with International Accreditation Forum (IAF) certification audit requirements. This provides independent confirmation of the certification body’s competence. Certification bodies that complete this evaluation are known as accredited certification bodies. Those that don't are known as unaccredited certification bodies.
Organizations that use an accredited certification body will receive their ISO 27001 certifications with the accreditation body and IAF seal included.
How do I get ISO 27001 certified?
To achieve ISO 27001 certification, companies must pass a Stage 1 and Stage 2 audit by an accredited certification body, verifying that their ISMS complies with ISO 27001’s requirements.
How much does ISO 27001 certification cost?
The cost of an ISO 27001 certification depends on the size and scope of your company and your information security management system. On average, a company can expect to pay up to $40,000 for pre-certification preparation and $10,000 for the certification audit itself. There are additional costs for maintenance and surveillance audits after achieving certification.
How long does ISO 27001 certification take?
How long it takes to get ISO 27001 certified depends on the size of your company and the complexity of the data you maintain. On average, it takes a small-to-medium-sized business about four months to get audit-ready and another six months to complete the audit process. Larger organizations take a year or more on average.