The ISO 27001 standard was developed to assist any size organization in securely managing digital information. It is part of the ISO 27000 family of more than a dozen information security standards, which specifically protect information assets ranging from intellectual property and financial information to personnel and payroll data and more. The standards are promulgated and maintained by the International Standards Organization (ISO).
The ISO 27000 series of standards governing information security is sometimes known as the ISO/IEC 27000 family of standards, published by the ISO and the International Electrotechnical Commission (IEC). For purposes of this article, we will use the shorter ISO reference.
What is ISO 27001 and Why is it Important?
The standard known as ISO 27001 was expressly designed to delineate the requirements of an effective Information Security Management System (ISMS).
This standard, accepted globally throughout the information security industry, provides a recommended list of controls that can help any organization confirm that all necessary risk mitigation measures are in place, whether for legislative, business, contractual, or regulatory purposes.
Implementing a compliant Information Security Management System in your organization provides numerous advantages and benefits, which we’ll outline in a moment.
Taking it an important step further, having your ISMS independently audited by an approved certification body can result in achieving Certified ISMS status. Being able to point to your Certified Information Security Management System will provide irrefutable evidence to customers, suppliers, potential clients and other stakeholders that your organization has taken the steps required to protect their information. Not only is certification status reassuring to stakeholders, but it can also be a significant competitive advantage for any organization.
About the International Standards Organization
All ISO Standards, including ISO 27001, are promulgated and maintained by the International Standards Organization (ISO), which was founded in 1947 with headquarters in Geneva, Switzerland.
The ISO published its first ISO Journal in 1952. It published its first Quality Standard in 1987, its first Information Security Standard in 2005 as the digital age exploded, and its new Information Privacy Standard in 2019. The ISO also has standards for freight shipping containers, environmental stewardship, food safety, energy management, social responsibility, and many other aspects of our increasingly complex, commercial, connected world.
In 2017, the ISO celebrated its 70th anniversary, with a milestone of 163 members and more than 21,000 standards in place. Today, the family of ISO standards provides guidance and requirements for virtually all aspects of technology and business.
Business Case for Compliance
Many organizations have chosen to implement the ISO 27001 Standard in order to ensure robust, comprehensive information security. This standard may be applied in conjunction with other regulatory requirements, such as the HIPAA Security Rule, the new ONC and CMS Rules, GLBA, FFIEC, and other regulations with provisions for information and data security.
While certification to the ISO 27001 Standard is optional, some organizations decide to take this step in order to reassure stakeholders that the standard has been properly implemented to protect their assets.
Many organizations around the world are certified to ISO 27001. There are innumerable advantages to implementing and maintaining a well-designed and well-documented Information Security Management System, and then having your ISMS certified. Among them:
- Protects proprietary, confidential, and other sensitive information from the wide range of threats to the security of that information.
- Helps to prevent and counteract interruptions to business activities.
- Protects critical business processes from the effects of information security incidents, disasters, and major system failures.
- Reduces the impact of any potential data security breach and facilitates the timely resumption of normal operations.
- Strengthens an organization’s resistance to cyberattacks.
- Helps control and may even reduce the overall information security budget.
In today’s hyper-connected digital environment, it’s no longer a question of whether or not your organization will experience a security breach—but rather when it will happen and how far-reaching the impact will be. An Information Security Management System that meets ISO 27001 requirements will help you weather that storm. All the better if your ISMS is certified.
New Information Privacy Standard
Companies that are concerned about information security frequently are concerned about information privacy as well. The two are often interrelated, as we know from years of studying the HIPAA Security and Privacy Rules, among others.
For organizations interested in developing an information management system that also speaks specifically to privacy safeguards and controls, the ISO 27701 Standard was recently created as part of the ISO 27000 family. The 27701 Standard conveniently attaches privacy process controls to the ISO 27001 Information Security Management System standard.
The need for an international, privacy-specific standard arose from the General Data Protection Regulation (GDPR), which was implemented in 2018 to address data protection and privacy in the European Union and European Economic Area. It also governs the transfer of data outside the EU and EEA.
While the GDPR requires the adoption of appropriate technical and organizational measures to protect personal data, it provides no detailed guidance as to how data privacy should be protected, leaving each organization to figure it out on its own.
The ISO 27701 Standard was developed to bridge this gap and it effectively meets the need for detailed guidance for all organizations subject to the GDPR. It also illustrates one of the many advantages of having an international standards organization that is truly international in scale and scope.
What to Know About Certification
The ISO does not perform certification assessments, nor does it provide certificates verifying that an Information Security Management System meets the standard requirements. These activities are the domain of independent third-party auditors.
As an aid, the ISO Committee on Conformity Assessment (CASCO) has published standards governing certification, and these standards are employed by authorized certification agents (i.e., third-party auditors) in performing certification assessments.
As of the ISO’s 2019 survey, more than 36,300 certificates had been awarded to ISO 27001 ISMS implementations worldwide, with the highest growth occurring in the U.S. This isn’t really surprising, considering our popularity as a target for hackers, spammers, scammers and other bad actors.
Following are a few tips for selecting a certification agent to perform your audit and issue your certificate if the audit is successful. It is always a good idea to evaluate several certification entities before selecting one.
- To find an accredited certification body, contact the national accreditation body in your country. There are five accredited certification bodies in the U.S., as listed on the International Accreditation Forum website.
- Check to make sure that your potential certification body uses the CASCO certification standard related to ISO 27001.
- Confirm whether the agent is accredited. Although not mandatory, accreditation does provide independent confirmation of competence, without implying that non-accredited certification bodies are not competent.
Five Essential Steps To ISO 27001 Certification
The path to certification consists of five essential steps, as described briefly below.
Learn something about the ISO 27001 requirements by purchasing and reading the standard itself. This will enable you to speak knowledgeably with any individuals you’ll be working with to implement your Information Security Management System. Assuming you currently have some form of information security system in place, you’ll need to understand what enhancements and additions may be required to meet the standard.
You don’t have to become an expert in ISO 27001, but you will need to be able to talk to the experts. In any case, knowledge is power!
Conduct a Gap Assessment between your current state and ISO 27001 controls. A formal gap assessment will help you identify what tasks you need to do in order to be ready for ISO 27001 certification.
Although large companies have IT teams who may perform in-house assessments, best practice suggests that your gap assessment be conducted by an experienced, objective third party.
The gap assessment should evaluate the adequacy of the security controls you have in place and compare them with the requirements for ISO 27001 certification. And every gap assessment should produce a detailed report of findings along with actionable recommendations for addressing them.
Implement measures to address the findings in the gap assessment report. In reviewing the identified risks, you may choose to address various gaps differently, based on the severity ratings and priorities suggested in the findings report.
Be sure to document every decision for purposes of review during the certification audit. Maintain the gap assessment reports and other related documentation for the same reason, as well as all relevant policies, procedures, network diagrams, data flows, incident response plans, lists of software and applications, and similar documentation. (And be sure to update documentation as system changes occur.)
Educate employees in information security to ensure that any improvements to the Information Security Management System, as well as the importance of security compliance, are understood and observed by all. Training can be customized specifically to the ISO 27001 Standard, and comprehensive cybersecurity training is also readily available from experienced cybersecurity firms.
To accommodate the diversity of employee learning methods, multiple types of training should be leveraged, ranging from classroom training to online webinars to self-paced web-based training. And any effective training program will also offer a program of regular email reminders and quizzes to employees along with follow-up testing to ensure that the education and training remain effective.
Now that you’re prepared, contact an authorized certification body to make arrangements for your certification audit, as described in the “What to Know About Certification” section above. Allow approximately one year to complete the certification audit process, which will begin with an initial audit of your Information Security Management System documentation against the ISO 27001 Standard, followed by remediation activities to bring the documentation (and system, as needed) into compliance. A final, thorough evaluation will verify that the necessary changes have been made and will result in a determination as to compliance and certification.
For more details on the process of becoming ISO 27001-compliant and certified, please contact a cybersecurity expert for a free consultation.
The ISO maintains innumerable standards, accepted internationally, governing the technology and business aspects of our increasingly complex, commercial, connected world. The ISO 27000 family of standards is specific to information security, and ISO 27001 details the requirements for Information Security Management Systems. A complementary information privacy standard, ISO 27701, was developed in 2019 to aid in complying with the European GDPR.
Any organization, of any size and type, can reap substantial benefits from implementing an ISO 27001-compliant system for information security management. Those wishing to go the extra mile may seek and achieve ISO 27001 certification in a five-step process. Reliable, highly experienced resources are available to assist you in a successful journey to compliance and certification.