Looking to become certified to the ISO 27001 standard? In this article you will learn what ISO 27001 is, the key terms and definitions, information security risks you need to consider, and the process for meeting your compliance and certification requirements.
At the time of this publication there is an upcoming update to the ISO 27002 supplementary standard (ISO 27002:2022). ISO 27002 is a reference guide for implementing the optional security controls listed in Annex A of ISO 27001. These controls help companies create an ISMS (information security management system) that complies with the Standard.
Examples of Proposed Changes
While these updates will not have an immediate impact on the ISO 27001:2013 framework, they will provide added context and clarity for those seeking ISO/IEC 27001 certification in 2022, particularly as it relates to modern data security practices such as cloud security.
Most likely not at this time. As ISO 27002:2022 is a Code of Practice that cannot be certified against, any updates are a matter of recommendation rather than a requirement.
At the time of this writing (08 Nov 2021) a decision to revise ISO/IEC 27001:2013 has not been made, though there may be announcements in the near future.
When the time comes for your organization to recertify you will need to verify that no updates have been made to the ISO 27001 framework itself. Any updates to the Standard may require amendments to your ISMS.
“ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.” – International Organization for Standardization
ISO 27001 (ISO/IEC 27001:2013) is an international standard for information security that is developed and maintained by the International Organization for Standardization (ISO). ISO 27001 provides organizations with the requirements for building and maintaining an information security management system (ISMS).
Though there are more than a dozen standards in the ISO/IEC 27000 series (also known as the ISO/IEC 27000 Family of Standards or ISO27K), ISO 27001 is the framework that organizations will be certified against to demonstrate that their ISMS is aligned with information security best practices. The majority of the other standards within the series provide further guidance in meeting and evaluating ISO 27001 standards.
Being certified in the Standard provides two key benefits for organizations, their partners, clients, and the data subjects that they are responsible for protecting.
To become certified an organization must demonstrate that its information security practices are sufficiently mature to prevent, detect, contain and respond to threats to information assets. By meeting these standards an organization will be more capable of protecting sensitive information.
Since ISO 27001 is an internationally recognized standard, certified organizations can readily demonstrate their commitment to information security to customers, governments, and regulatory bodies.
Many organizations opt for certification as part of their client or contractual requirements. Industries that handle sensitive classifications of data (such as medical and financial fields) often demand that their vendors and other third parties meet ISO 27001 compliance requirements.
At its core, the ISO 27001 framework is about developing a mature and resilient information security management system. Before seeking certification an organization must have existing information systems and security practices in place.
The information security aspects of the networks used to support the organization must include adequate information security controls and risk management processes. These span beyond specific tools to further include internal communications, operational standardization, employee training, HR risk management, and other non-technical controls.
To best align your organization’s ISMS (information security management system) with the ISO 27001 data security standard you will need to purchase official ISO 27001 documentation from the International Organization for Standardization. This documentation will inform your organization’s ISMS development strategy and ensure it addresses all of the relevant controls based on the applicable information security risks.
Examples of Key Components for an ISO 27001 Compliant ISMS
The documentation for ISO 27001 breaks down the best practices into 14 separate controls. These controls may be further consolidated or refined based on the amendments to ISO 27002 (ISO 27002:2022).
Risk assessments and risk management are a core part of every ISO 27001 compliance project. A Risk Treatment Plan (RTP) documents the processes an organization will take to identify and respond to known threats.
To meet ISO 27001 compliance requirements, the organization must have someone who will take ownership of each risk. This includes identifying who is responsible for approving the risk treatment plans and accepting the level of residual risk.
Key Elements of an RTP:
All relevant parties must be aware of their responsibilities within the organization’s ISMS. This includes end-user security awareness training, adherence to company policies, and vendor agreements.
Risk management is a critical component of compliance with ISO 27001. Before seeking certification from a reputable certification body (CB), organizations should use the ISO 27001 standard as a guide to perform internal audits of their existing systems.
These will act as a performance evaluation and discovery session of the organization’s current security standard.
Examples of Items to Review
This best practice will help the organization identify gaps in its policies, procedures, tools, and other controls that will need to be addressed before being eligible for certification.
Tip: During the initial evaluation the CB will be reviewing your organization’s existing documentation. Ensure that you have all of the mandatory documents within a knowledge management system to simplify internal communication and to demonstrate the security/policy awareness of your personnel.
Further Reading: 7 Tips for Passing Your Next IT Security Audit
Several months after developing, auditing, and implementing your ISMS you will be prepared for an external audit from an accredited CB.
The CurrentWare Suite consists of 4 security software modules that can be purchased individually for the greatest flexibility or as a full suite for the best value. These modules provide the web filtering, data theft prevention, and user activity monitoring controls you need to help protect sensitive data as part of your ISO 27001 compliance strategy.
CurrentWare’s removable media device control software AccessPatrol provides data security controls that alert administrators to suspicious file operations and prevents the use of unauthorized USB devices by users that have access to sensitive data.
Blocking data egress points such as portable storage devices is a critical data leakage prevention method. Without USB restriction, data theft is as simple as an insider threat effortlessly smuggling in a personal portable storage device and copying sensitive files to it.
Employee monitoring with BrowseReporter provides continuous oversight of end-user activities as they perform their job functions, providing a method for identifying suspicious or unsafe computer usage.
Following the discovery of unwanted behavior, employee monitoring data provides your organization with the precedent for taking corrective actions to prevent unlawful or unsafe behavior that puts sensitive data at risk.
ISO 27001 Control: A.12.6.2 Restrictions on Software Installation
ISO 27002 Control: 8.22 Web filtering
ISO 27002 Control: 8.12 Data Leakage Prevention (DLP)
Blocking websites with BrowseControl is essential for securing your network against malicious websites and preventing employees from transferring data to unauthorized cloud storage platforms.
BrowseControl includes a port filter to close unused or undesirable network ports such as those used for FTP and P2P, an application blocker to prevent employees from launching Windows applications, and a download filter to block files from being downloaded from the internet.
ISO 27001 Control: A.12.4 Logging and Monitoring
enPowerManager provides remote power management features and timestamped device activity reports that detail when employees log in, log out, start up, shut down, sleep, or hibernate their computers.
CurrentWare’s solutions can be installed on-premises or on your own self-managed cloud virtual machine, allowing you to retain full control over your deployment and any user activity data that you collect.
Organizations that would like to use CurrentWare to monitor and manage employees that are working from home can still do so even with an on-premises deployment. See this article for more information.
CurrentWare offers a variety of free resources that your business can implement to make the certification process easier. These resources include information security policies and cybersecurity best practice tips for your workforce.
Achieving ISO 27001 certification is highly advantageous for organizations that want to work with international partners, demonstrate their commitment to following information security best practices, and build an ISMS that keeps their sensitive data secure.
While the ISO 27K family does not prescribe specific tools and vendors, key security controls such as web filtering and device control solutions are valuable assets for protecting sensitive data against insider threats and other common data security risks.
Need to block websites and removable media devices in your organization? Get started today with a FREE trial of CurrentWare’s security solutions.
No, from a legislative standpoint compliance with ISO 27001 certification standards is not mandatory. However, organizations that work with any highly sensitive classifications of data may require their partners and vendors to meet ISO 27001 compliance requirements.
While it is not mandatory, acquiring ISO 27001 certification is a valuable resource for demonstrating that an organization has implemented information security best practices.
Clause 4.2 of ISO 27001 stipulates that the needs and expectations of interested parties must be considered when developing an Information Security Management System (ISMS).
In the context of ISO 27001, these are stakeholders that are affected by the organization’s information security practices.
Examples of these stakeholders include employees who are expected to be compliant with the ISMS. Customers have a vested interest in the organization’s security practices as it relates to the protection of their personal information.
ISO 27001:2013 certification is valid for 3 years once it has been achieved. During this time the ISMS must be continually monitored and managed to ensure that it is meeting the organization’s information security requirements.
Throughout the certification there will be continuous internal compliance audits and external surveillance audits from the independent certification body.
To renew its ISO 27001 certification the organization must audit its practices for nonconformities, rectify any issues, and apply for a recertification audit. This recertification helps ensure that the organization has updated its ISMS to address new threats and vulnerabilities and that it maintains compliance with updates to the ISO standards.
ISO 27001 certification is not free. The costs of meeting certification requirements are highly variable depending on factors such as the current cyber maturity of the organization, the availability of internal resources, whether or not a consultant is hired, and the costs associated with an independent third-party certification body.
IT Governance estimates that certification alone may cost up to £14,250 for an organization with 1551-2025 employees (estimated costs for the USA are $27k). These costs do not include fees following the initial certification audit, the costs to implement new controls, and other factors.
They provide further information on the costs associated with this security standard in their 2018 ISO 27001 Global Report.
Other costs to implement the Standard include:
The International Organization for Standardization (ISO) is a global body that collects and manages various standards for different disciplines. Membership of ISO is only open to national standards institutes or similar organizations that represent standardization in their country.
Learn More: ISO General FAQs
In 2017 there were over 33,000 companies that were ISO 27001 certified. You can learn more about the adoption of ISO 27001 certification in The ISO Survey.
To find out if a specific company is ISO 27001 certified, you can contact the applicable accreditation body. Each country has its own accreditation body that is selected and appointed by the International Accreditation Forum (IAF). For example, America’s national accreditation body is the ANSI National Accreditation Board (ANAB)—their directory can be found here.
No. While the security requirements of ISO 27001 should satisfy the General Data Protection Regulation (GDPR) security standards, there is also a privacy component of the GDPR that will not be sufficiently addressed with ISO 27001 certification alone.
Combining your existing certification with the ISO 27701 data privacy framework will help your organization be better prepared to meet data privacy compliance requirements as new laws and regulations emerge.
“This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO 27001 and ISO 27002 for privacy management within the context of the organization.
This document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.” – Official Description of ISO 27701
Learn More: GDPR Chapter 3—Rights of the Data Subject
Annex A is an optional series of controls you can implement to meet ISO 27001 compliance standards. In ISO 27001, Annex A consists of 1-2 sentences per control; ISO 27002 expands further on Annex A with an average of one page per control.
Examples of Annex A Controls:
An ISMS is a holistic approach to ensuring the confidentiality, integrity, and availability of an organization’s information assets.
Though an ISMS is a combination of policies, procedures, tools, and other controls, in the context of ISO 27001 compliance an ISMS is entirely vendor and technology neutral.
The ISO 27001 standard emphasizes that an effective ISMS is not the sole responsibility of any one department or vendor; it is a combination of people, processes and technology from within all aspects of the organization.
A Statement of Applicability (SoA) is one of the mandatory documents for ISO 27001 certification. In an SoA the organization demonstrates which ISO 27001 controls are applicable based on the organization’s context.