ISO 27001 Compliance: What You Need to Know for Your Certification

Looking to become certified to the ISO 27001 standard? In this article you will learn what ISO 27001 is, the key terms and definitions, information security risks you need to consider, and the process for meeting your compliance and certification requirements.

Does My Information Security Management System Need to Be Updated for ISO 27002:2022?

Mostly likely not at this time. As ISO 27002:2022 is a Code of Practice that cannot be certified against any updates are a matter of recommendation rather than a requirement. 

At the time of this writing (08 Nov 2021) a decision to revise ISO/IEC 27001:2013 has not been made, though there may be announcements in the near future.

When the time comes for your organization to recertify you will need to verify that no updates have been made to the ISO 27001 framework itself. Any updates to the Standard may require amendments to your ISMS.

Your SoA and internal audit plan may need to be amended to address the new controls (Data leakage prevention, web filtering, etc).

What is ISO 27001?

“ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.”

– International Organization for Standardization

ISO 27001 (ISO/IEC 27001:2013) is an international standard for information security that is developed and maintained by the International Organization for Standardization (ISO). ISO 27001 provides organizations with the requirements for building and maintaining an information security management system (ISMS).

Though there are more than a dozen standards in the ISO/IEC 27000 series (also known as the ISO/IEC 27000 Family of Standards or ISO27K), ISO 27001 is the framework that organizations will be certified against to demonstrate that their ISMS is aligned with information security best practices. The majority of the other standards within the series provide further guidance in meeting and evaluating ISO 27001 standards.

Benefits of ISO 27001 Compliance/ISO 27001 Certification

Being certified in the Standard provides two key benefits for organizations, their partners, clients, and the data subjects that are responsible to protect.

1) Cyber Resilience

To become certified an organization must demonstrate that its information security practices are sufficiently mature to prevent, detect, contain and respond to threats to information assets. By meeting these standards an organization will be more capable of protecting sensitive information.

2) Competitive Advantage

Since ISO 27001 is an internationally recognized standard, certified organizations can readily demonstrate their commitment to information security to customers, governments, and regulatory bodies. 

Many organizations opt for certification as part of their client or contractual requirements. Industries that handle sensitive classifications of data (such as medical and financial fields) often demand that their vendors and other third parties meet ISO 27001 compliance requirements.

How to Meet ISO 27001 Requirements

Key Takeaways

1. Certification is not as simple as deploying specific tools; it requires ongoing commitment to continually improve from all levels and departments within the organization.
2. The vast majority of meeting the compliance requirements for the Standard is thorough documentation of the organization’s risks, processes, and information security controls.
3. The certification process is a significant investment, with associated costs of $30,000+. The estimated costs of the process include multiple audits, purchasing the required documentation, optional consultant fees, employee training, and time investments.
4. Preparing for certification is a lengthy process, with many certifications taking multiple years to complete. There is a need for historical evidence that the ISMS is embedded in all of the aspects in the business including supplier relationships, relationships with third parties, asset management practices, job descriptions, etc. well before an accredited certification body (CB) will consider issuing certification to an organization.

The ISO 27001 Certification Process

1. Purchase official ISO 27001 documentation from the International Organization for Standardization
2. Create and implement an ISMS
3. Perform internal audits of the ISMS
4. Find an accredited Certification Body (CB) for an initial review of the ISMS
5. Implement any requested changes from the initial review
6. Get an in-depth audit from the CB
7. Participate in follow-up internal and external audits

Purchase the ISO 27001 Standard & Develop an ISMS

At its core, the ISO 27001 framework is about developing a mature and resilient information security management system. Before seeking certification an organization must have existing information systems and security practices in place. 

The information security aspects of the networks used to support the organization must include adequate information security controls and risk management processes. These span beyond specific tools to further include internal communications, operational standardization, employee training, HR risk management, and other non-technical controls.

To best align your organization’s ISMS (information security management system) with the ISO 27001 data security standard you will need to purchase official ISO 27001 documentation from the International Organization for Standardization. This documentation will inform your organization’s ISMS development strategy and ensure it addresses all of the relevant controls based on the applicable information security risks.

Examples of Key Components for an ISO 27001 Compliant ISMS 

1. Genuine Involvement: You must operate the ISMS as part of the organization’s everyday routine. 
2. Performance Evaluation: You must regularly perform information security risk assessments to verify that ISMS is effective and being used effectively.
3. Mandatory Documents: including information security policies, a Statement of Applicability (SoA), information security risk assessment/treatment processes, and the acceptable use of assets.
4. Information Security Incident Management: How management establishes responsibilities and procedures to ensure an effective response to vulnerabilities and security incidents.
5. Physical and Environmental Security: The access control methods that are in place to prevent unauthorized physical access to information systems (office buildings, server rooms, etc)
6. Communications Security: Network security management processes and tools that are in place to manage and control the network. They protect the organization’s systems and applications
7. Operations Security: Ensure correct and secure operations of information processing facilities through documentation of standard operating procedures and accessibility of documentation. 
8. Business Continuity Management: The information security aspects of business continuity management. This describes how the organization will ensure information security during a crisis, such as a healthcare entity developing and training employees on a paper-based system to mitigate the effects of a ransomware attack or power outage.
9. Human Resource Security: Pre and post-employment processes that mitigate the potential for insider threats. This includes pre-employment screening, onboarding/offboarding processes, end-user training, and role change management.

The documentation for ISO 27001 breaks down the best practices into 14 separate controls. These controls may be further consolidated or refined based on the amendments to ISO 27002 (ISO 27002:2022).

Further Reading: IT Governance—How to Implement and Maintain an ISO 27001-Compliant ISMS

Risk Treatment Plan (RTP)

Risk assessments and risk management are a core part of every ISO 27001 compliance project. A Risk Treatment Plan (RTP) documents the processes an organization will take to identify and respond to known threats.

To meet ISO 27001 compliance requirements, the organization must have someone who will take ownership over each risk. This includes identifying who is responsible for approving the risk treatment plans and accepting the level of residual risk.

Key Elements of an RTP:

• The risk assessment methodology, risk measuring criteria, and risk acceptance criteria that will be used to identify and evaluate potential risks. This will be largely based on the organization’s context (e.g. legal/contractual obligations)
• A list of known threats and vulnerabilities to the organization’s information assets and the controls that are in place to mitigate these risks
• Justifications for any accepted risks and controls that are not fully implemented in the ISMS based on the organization’s risk analysis and determination of need (compensating controls, applicability to the organization, approvals for externalizing risks, etc)

ISMS Training & Awareness

All relevant parties must be aware of their responsibilities within the organization’s ISMS. This includes end-user security awareness training, adherence to company policies, and vendor agreements. 

Removable Media
Policy Template

• Set data security standards for portable storage
• Define the acceptable use of removable media
• Inform your users about their security responsibilities

Get started today—Download the FREE template and customize it to fit the needs of your organization.

Get the FREE Template

Perform Internal Audits

Risk management is a critical component of compliance with ISO 27001. Before seeking certification from a reputable certification body (CB), organizations should use the ISO 27001 standard as a guide to perform internal audits of their existing systems.

These will act as a performance evaluation and discovery session of the organization’s current security standard.

Examples of Items to Review

• A risk assessment to identify business security risks
• A gap analysis to identify any security aspects of business processes that need to be bolstered (e.g. implement a new tool or management process)
• Evaluation of physical and environmental security
• Identifying what aspects of business continuity need to be better addressed
• What information security incident management practices comply with ISO and which need further refinement

This best practice will help the organization identify gaps in its policies, procedures, tools, and other controls that will need to be addressed before being eligible for certification.

Tip: During the initial evaluation the CB will be reviewing your organization’s existing documentation. Ensure that you have all of the mandatory documents within a knowledge management system to simplify internal communication and to demonstrate the security/policy awareness of your personnel. 

Further Reading: 7 Tips for Passing Your Next IT Security Audit

Get Your ISMS Audited by an Accredited Certification Body

Several months after developing, auditing, and implementing your ISMS you will be prepared for an external audit from an accredited CB. 

1. Find an accredited Certification Body
2. The CB performs an initial review of the ISMS, with a focus on how the organization’s documentation and controls support their compliance requirements.
3. Following a satisfactory initial review, the CB will perform an in-depth audit to verify that the documented controls and procedures are efficient and have been followed and implemented correctly. 
4. After receiving its certification the organization will continue to participate in follow-up internal and external audits throughout the certification period (typically 3 years)
5. The organization will later apply for recertification, which will consist of similar external audits.

How CurrentWare Helps With ISO 27001 Compliance

The CurrentWare Suite consists of 4 security software modules that can be purchased individually for the greatest flexibility or as a full suite for the best value. These modules provide the web filtering, data theft prevention, and user activity monitoring controls you need to help protect sensitive data as part of your ISO 27001 compliance strategy.

As of CurrentWare v7.0.2, admin activity within the CurrentWare Suite is kept in an audit log, allowing you to meet the ISO27001 control A.12.4.3 Administrator & Operator Logs as it relates to your security policies within the CurrentWare Suite.

Here’s how you can use CurrentWare to meet ISO 27k compliance requirements.

Removable Media Data Leakage Prevention

CurrentWare’s removable media device control software AccessPatrol provides data security controls that alert administrators to suspicious file operations and prevents the use of unauthorized USB devices by users that have access to sensitive data.

• Receive alerts of high-risk USB device usage straight to your inbox
• Restrict access to peripheral devices such as removable storage, Bluetooth, and WiFi
• Maintain auditable records of files that are copied, created, renamed, or deleted on portable storage devices
• Block file transfers to portable storage devices based on file type and file name

Blocking data egress points such as portable storage devices is a critical data leakage prevention method. Without USB restriction, data theft is as simple as an insider threat effortlessly smuggling in a personal portable storage device and copying sensitive files to it.

User Activity Monitoring

Employee monitoring with BrowseReporter provides continuous oversight of end-user activities as they perform their job functions, providing a method for identifying suspicious or unsafe computer usage.

• Monitor web usage for suspicious URLs such as cloud storage sites
• Track application usage for shadow IT and other unauthorized software usage
• Track bandwidth consumption for anomalous spikes in data sent or received

Following the discovery of unwanted behavior, employee monitoring data provides your organization with the precedence for taking corrective actions to prevent unlawful or unsafe behavior that puts sensitive data at risk.

Web Filtering, Port Filtering, and App Blocking

Blocking websites with BrowseControl is essential for securing your network against malicious websites and preventing employees from transferring data to unauthorized cloud storage platforms. 

• Block websites based on URL, domain, IP address, or content category
• Restrict internet access to authorized websites only with the Allowed List
• Customize restrictions for each user, computer, or organizational unit
• Block access to Dropbox and other file sharing services to prevent users with temporary network access from leaking sensitive files.

BrowseControl includes a port filter to close unused or undesirable network ports such as those used for FTP and P2P, an application blocker to prevent employees from launching Windows applications, and a download filter to block files from being downloaded from the internet.

Audit Logon Activity

enPowerManager provides remote power management features and time stamped device activity reports that detail when employees log in, log out, startup, shutdown, sleep, or hibernate their computers. 

• Track logon activity for local and domain accounts
• Monitor logins for suspicious activity, such as user accounts or computers being logged into after hours. 
• Remotely startup, shutdown, and restart computers to help apply critical security updates

On-Premises Deployment

CurrentWare’s solutions can be installed on-premises or on your own self-managed cloud virtual machine, allowing you to retain full control over your deployment and any user activity data that you collect.

What about remote workers?

Organizations that would like to use CurrentWare to monitor and manage employees that are working from home can still do so even with an on-premises deployment. See this article for more information.

ISO IEC 27001 Security & Policy Resources from CurrentWare

CurrentWare offers a variety of free resources that your business can implement to make the certification process easier. These resources include information security policies and cybersecurity best practice tips for your workforce.

A.8.1.3 Acceptable Use of Assets

• Acceptable Use Policy
• Removable Media Policy
• 5 Ways to Enforce Your Acceptable Use Policy (AUP)

A.9.2.1 User Registration and Deregistration

• Employee Offboarding Checklist & Best Practices

A.9.3 User Responsibilities

• Safe Computing Tips for Employees

A.11.2.6 Security of Equipment and Assets Off-Premises

• Work From Home Policy Template
• Cybersecurity Tips for Protecting Your Hybrid Workforce

Learn More on the CurrentWare Blog

Conclusion & More Resources

Achieving ISO 27001 certification is highly advantageous for organizations that want to work with international partners, demonstrate their commitment to following information security best practices, and build an ISMS that keeps their sensitive data secure.

While the ISO 27K family does not prescribe specific tools and vendors, key security controls such as web filtering and device control solutions are valuable assets for protecting sensitive data against insider threats and other common data security risks.

Need to block websites and removable media devices in your organization? Get started today with a FREE trial of CurrentWare’s security solutions.

More Resources:

• IT Governance – ISO 27001 Training and Qualifications
• IT Governance – The 14 Control Sets of Annex A (Infographic)
• Praxiom – ISO 27001:2013 Translated Into Plain English
• International Organization for Standardization (ISO) – ISO 27001:2013 (Full Text)

ISO 27001 FAQ, Terms, and Definitions

Is ISO 27001 Certification Mandatory?

No, from a legislative standpoint compliance with ISO 27001 certification standards is not mandatory. However, organizations that work with any highly sensitive classifications of data may require their partners and vendors to meet ISO 27001 compliance requirements.

While it is not mandatory, acquiring ISO 27001 certification is a valuable resource for demonstrating that an organization has implemented information security best practices.

Who Are Interested Parties in ISO 27001?

Clause 4.2 of ISO 27001 stipulates that the needs and expectations of interested parties must be considered when developing an Information Security Management System (ISMS). 

In the context of ISO 27001, these are stakeholders that are affected by the organization’s information security practices. 

Examples of these stakeholders include employees who are expected to be compliant with the ISMS. Customers have a vested interest in the organization’s security practices as it relates to the protection of their personal information.

How Long Does ISO 27001 Certification Last?

ISO 27001:2013 certification is valid for 3 years once it has been achieved. During this time the ISMS must be continually monitored and managed to ensure that it is meeting the organization’s information security requirements. 

Throughout the certification there will be continuous internal compliance audits and external surveillance audits from the independent certification body.

To renew its ISO 27001 certification the organization must audit its practices for nonconformities, rectify any issues, and apply for a recertification audit. This recertification helps ensure that the organization has updated its ISMS to address new threats and vulnerabilities as well as maintaining compliance with updates to the ISO standards.

How Much Does ISO 27001 Certification Cost? Is It Free?

ISO 27001 certification is not free. The costs of meeting certification requirements are highly variable depending on factors such as the current cyber maturity of the organization, the availability of internal resources, whether or not a consultant is hired, and the costs associated with an independent third-party certification body.

IT Governance estimates that the certification costs alone may cost up to £14,250 for an organization with 1551-2025 employees (Estimated costs for the USA are $27k). These costs do not include fees following the initial certification audit, the costs to implement new controls, and other factors. 

They provide further information on the costs associated with this security standard in their 2018 ISO 27001 Global Report.

Other costs to implement the Standard include:

• Purchasing ISO 27001 requirements documents (~$130 USD)
• Hiring a consultant (~$38,000 USD)
• Ongoing surveillance audits throughout the certification period
• Internal ISMS risk assessment audits and a gap analysis (or costs of outsourcing) to continually improve risk management
• The costs of internal efforts for creating, implementing, and maintaining the ISMS

What Is the ISO?

The International Organization for Standardization (ISO) is a global body that collects and manages various standards for different disciplines. Membership of ISO is only open to national standards institutes or similar organizations that represent standardization in their country.

Learn More: ISO General FAQs

Which Companies Are ISO 27001 Certified?

In 2017 there were over 33,000 companies that were ISO 27001 certified. You can learn more about the adoption of ISO 27001 certification in The ISO Survey.

To find out if a specific company is ISO 27001 certified, you can contact the applicable accreditation body. Each country has its own accreditation body that is selected and appointed by the International Accreditation Forum (IAF). For example, America’s national accreditation body is the ANSI National Accreditation Board (ANAB)—their directory can be found here.

If I’m ISO 27001 Certified, Am I Also GDPR Compliant?

No. While the security requirements of ISO 27001 should satisfy the General Data Protection Regulation (GDPR) security standards, there is also a privacy component of the GDPR that will not be sufficiently addressed with ISO 27001 certification alone.

Combining your existing certification with the ISO 27701 data privacy framework will help your organization be better prepared to meet data privacy compliance requirements as new laws and regulations emerge.  

“This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO 27001 and ISO 27002 for privacy management within the context of the organization.

This document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.” –  Official Description of ISO 27701

Learn More: GDPR Chapter 3—Rights of the Data Subject

What is Annex A? Is It Mandatory to Implement It?

Annex A is an optional series of controls you can implement to meet ISO 27001 compliance standards. In ISO 27001 Annex A consists of 1-2 sentences per control; ISO 27002 further examples on Annex A with an average of one page per control.

Examples of Annex A Controls:

• Annex A.8 – Asset Management
• Annex A.9 – Access Control
• Annex A.13 – Communications Security
• Annex A.14: System Acquisition, Development and Maintenance
• Annex A.15 – Supplier Relationships

What Is an Information Security Management System (ISMS)?

An ISMS is a holistic approach to ensuring the confidentiality, integrity, and availability of an organization’s information assets.

Though an ISMS is a combination of policies, procedures, tools, and other controls, in the context of ISO 27001 compliance an ISMS is entirely vendor and technology neutral. 

The ISO 27001 standard emphasizes that an effective ISMS is not the sole responsibility of any one department or vendor; it is a combination of people, processes and technology from within all aspects of the organization.

What is a Statement of Applicability (SoA)?

A Statement of Applicability (SoA) is one of the mandatory documents for ISO 27001 certification. In an SoA the organization demonstrates which ISO 27001 controls are applicable based on the organization’s context.