Information security remains one of the more challenging endeavours for any company. With network breaches and ransomware increasing at alarming rates, ISO 27001 compliance is a deliberate and aggressive countermeasure to protect corporate data.
The International Organization for Standardization (ISO) has introduced its ISO 27001 certification as a way for organisations to develop and document their information security processes. ISO 27001:2013 is the latest version and serves as a guide for standardising those processes within any organisation.
The modular nature of ISO 27001 means your organisation is free to develop the strategies that best suit its needs while also conforming to robust processes that reduce security risks while remaining open to continuous improvement.
- What Is ISO 27001 Compliance?
- What Are ISO 27001 Requirements?
- What Is ISMS?
- How Long Does ISO Certification Take?
- ISO 27001 Compliance: 10-Step Checklist
This article provides a high-level overview of obtaining ISO 27001 certification and breaks the process into ten simple steps.
What Is ISO 27001 Compliance?
ISO 27001 is an information security management standard published by the ISO and the International Electrotechnical Commission (IEC). ISO 27001 defines how organisations should best manage the plethora of risks surrounding information security. Compliance includes detailed security policies, procedures, and staff training.
It contains security guidelines and requirements that protect the company’s data assets from unauthorised access or loss. Achieving certification is the definitive statement that an organisation openly commits to information security management.
The ISO 27001 standard has several components: an organisational structure, a risk assessment process, access control mechanisms, information classification, safeguards for equipment and technologies, information security procedures and policies, and monitoring and reporting guidelines.
What Are ISO 27001 Requirements?
Two essential mandatory requirements for ISO 27001 are scoping your Information Security Management System (ISMS) and conducting a risk assessment. Within your ISMS scope, you will define what data assets need protecting. You’ll likely find more information stored at various points than you anticipated. Therefore, taking time to scope your organisation is necessary and incredibly beneficial.
Next, you’ll need to conduct a risk assessment describing how your organisation will identify security threats. Your documentation should also define how you’ll mitigate those risks.
What Is ISMS?
An Information Security Management System (ISMS) is an efficient, holistic, risk-based approach that keeps your information assets secure, mainly through regular information security assessments.
It is technology-neutral in that it focuses on processes rather than tools, and it comprises documented policies that address the roles of people, processes, and technology within that approach.
How Long Does ISO Certification Take?
The ISO 27001 implementation and certification process depends on the size and complexity of your management system. In most cases, a small to mid-sized company can complete the process within 6–12 months. The larger the company, the more time it will take to define the scope and gather all the needed information.
There are additional factors that determine how long the certification process takes, such as the quality of the information already gathered and the level of security capability and knowledge within the organisation.
Regardless of scope, achieving ISO 27001 certification should be managed as a project. Many organisations manage this in-house, while others seek the support of a certified ISO 27001 consultant. Please get in touch if you need some guidance.
ISO 27001 Compliance: 10-Step Checklist
Below are ten essential steps to follow for achieving ISO 27001 certification.
Before you dive in, it’s best to educate yourself about the concepts and processes involved in achieving certification. This begins with an understanding of ISO 27001. Visit the ISO website to learn more about ISO 27001 and its requirements. If you’re in the United Kingdom, we found IT Governance’s information about ISO 27001 really helpful.
Another invaluable resource, if you have access to one, is an ISO 27001 champion: someone who has been through this process before. This individual can be someone within your company or a third party who can assist in implementing an ISMS and managing the certification process.
2. Objectives and Scope
As with any project, you need to establish the project and ISMS objectives from the beginning, including costs and completion dates.
Are you managing the project yourself, inviting a third-party champion, or using an online mentor for some or all stages of the project? An online mentor can ensure your project succeeds while saving the expense of a full-time consultant.
You need to decide if the scope of the ISMS extends to the entire organisation or only specific departments or locations. Defining scope means considering the requirements and needs of the involved parties, such as employees, stakeholders, government entities, and regulators.
Have you defined your context? Context details the internal and external factors that may impact your organisation’s information security, such as company culture, risk acceptance criteria, existing systems, current processes, etc.
3. Management Framework
You’ll need to define your implementation plan as well as your management framework. The management framework includes your organisation’s processes to meet its ISO 27001 implementation goals.
Processes include your methods for maintaining accountability for the ISMS, the project schedule, and regular audits that support continuous improvement.
The implementation plan covers the specific processes required to set the plan in motion. Your designated implementation team creates a detailed outline of information security objectives and a detailed description of the ISMS. Policies will include roles and responsibilities, continuous improvement guidelines, and communication guidelines for raising project awareness.
4. Risk Assessment
While ISO 27001 doesn’t specify a particular risk assessment methodology, it does require you to incorporate risk assessment as a formal process. Furthermore, the process must be documented and planned, with the resulting data and analysis results being recorded.
Before beginning a risk assessment, you must establish baseline security criteria. In other words, define your organisation’s legal, business, and regulatory requirements and contractual obligations regarding information security.
5. Risk Mitigation
Once the risk assessment is complete and the relevant risks identified, your organisation must decide whether to treat, tolerate, terminate, or transfer each risk. Regardless of the action taken, you should document all risk responses. The auditor will review risk responses as part of the certification audit.
ISO requires two specific reports as part of the risk assessment: the Statement of Applicability (SoA) and the Risk Treatment Plan (RTP).
6. Training and Staff Awareness
ISO 27001 certification requires that awareness programmes be in place so that all employees understand information security. Training should be informative and provide policies that lead to good information security habits.
Security habits can be as simple as keeping work areas clear and locking computers whenever employees leave their desks. Company-wide staff awareness e-learning courses are easy to implement and ensure that all employees receive information security training.
7. Procedure Reviews and Updates
You must collect complete documentation to support the required ISMS processes, procedures, and policies. This is perhaps the most challenging task, and the documentation should include the following:
- Evidence of audit programs and audit results
- Evidence of competence
- Evidence of the nonconformities and actions taken
- Monitoring and results measurements
- Management review results
- Internal audit process
- Information security policy
- Information security risk assessment process
- Information security objectives
- Information security risk treatment process
- Evidence of the results of corrective actions taken
- ISMS scope
- Operation planning and control
- Information security risk assessment and treatment results
Fortunately, ISO provides documentation templates, which simplifies much of the necessary work for you.
ISO 27001 supports the concept of continual improvement, meaning that you must constantly analyse and review the performance of your ISMS to ensure its effectiveness. You must also verify compliance with existing processes and controls and identify improvements to them.
9. Security Audit
ISO 27001:2013 requires you to complete internal audits of your ISMS at planned intervals. Thus, the person managing your ISMS must have a working knowledge of the lead audit process. ISO offers the Online Certified ISO 27001 Lead Auditor course, which teaches you how to plan and oversee an effective information security audit according to ISO 27001:2013.
You will also need to select a registrar if you have not already done so. Registration audits must be conducted by an independent registrar accredited by your country’s respective accreditation authority.
10. ISO 27001 Registration
There are two stages to the audit:
- Stage One
During Stage One, the auditor assesses your documentation and determines whether it meets the requirements of ISO 27001. They will also identify any areas of nonconformity and recommend potential improvements to your management system. You will implement those recommendations and then move to Stage Two of the registration audit.
- Stage Two
During Stage Two, the auditor conducts a complete assessment to determine whether you comply with the ISO 27001 standard. If so, then your organisation receives certification.
Time and effort are needed to gain ISO 27001 certification, though your organisation gains more than just the credibility the certification carries. It provides enterprises of any size the opportunity to either create or refine their information security processes.
Although ISO offers resources and guidance at every stage of the documentation and auditing process, using a knowledgeable consultancy can speed up the entire process.
ISO 27001 is a specialist accreditation, and Securus is well placed to advise on all aspects of your certification needs. Engaging a recognised body to take you through the process is highly recommended due to the intensive nature of the requirements. Securus can introduce you to a number of certification partners; just drop us a line if this is of interest.
Securus Communications has worked with numerous ISO 27001 certified companies, offering guidance on every aspect of information security. If you would like to discuss your requirements in more detail with one of our security professionals, please don’t hesitate to get in touch.