ISO 27001 Compliance: What You Need to Know for Your Certification

Looking to achieve ISO 27001 certification? In this article you will learn key information that you will need as part of your ISO 27K compliance process including what ISO 27001 is, the key terms and definitions, information security risks you need to consider, and the process for meeting your compliance and certification requirements.

CurrentWare’s ISO 27001 Compliance Software

CurrentWare’s data leakage prevention, web filtering, and user activity monitoring solutions provide critical security controls for organizations to achieve compliance with ISO 27001. Contact the CurrentWare team today for a custom demo or a free trial of our solutions to see how we’ll help you secure your IT environment against cyber attacks and insider threats.

• Prevent Data Leakage
  Control removable media devices, restrict file transfers, and monitor file activities
• Endpoint Security Controls for Defense-in-Depth
  Minimize the attack surface of endpoints to protect sensitive data
• Insider Threat Detection
  Mitigate the risks of insider threats with advanced awareness and control over user activities

Examples of How CurrentWare Helps With ISO 27001 Compliance

The CurrentWare Suite consists of 4 security software modules that can be purchased individually for the greatest flexibility or as a full suite for the best value. These modules provide the web filtering, data theft prevention, and user activity monitoring controls you need to help protect sensitive data such as personally identifiable information as part of your ISO 27001 compliance strategy.

This section will overview the key features of CurrentWare that will help your organization meet ISO 27k compliance requirements by addressing a variety of security controls

NOTE: This list is not exhaustive; the CurrentWare team releases quarterly product updates introducing new capabilities. For the most up-to-date information, see our release notes.

Removable Media Control & Data Leakage Prevention

ISO 27001:2013 Control: A.8.3.1 Management of Removable Media / A.8.3 Media Handling
ISO 27001:2013 Control: A.12.4 Logging and Monitoring
ISO 27001:2013 Control: A.12.2.1 Controls Against Malware
ISO 27002:2013/2022 Control: 8.12 Data Leakage Prevention (DLP)
ISO 27002:2013/2022 Control: 8.16 Monitoring activities
ISO 27002:2013/2022 Control: 6.3 Information Security Awareness, Education, and Training

ISO 27001:2022 Control: A.8.12 Data Leakage Prevention
ISO 27001:2022 Control: 7.10 Storage media

AccessPatrol, CurrentWare’s DLP and removable media device control software, provides data security controls that alert administrators to suspicious file operations and prevent users with access to sensitive data such as personally identifiable information from using unauthorized USB devices.

• Prevent file transfers to cloud storage services
• Receive alerts of high-risk USB device usage straight to your inbox
• Restrict access to peripheral devices such as removable storage, Bluetooth, and WiFi
• Maintain auditable records of files that are copied to/from portable storage devices, network share drives, and more
• Allow/Block file transfers to portable storage devices based on file type and file name
• Display a warning message when removable media drives are blocked or inserted

Try It For Free Learn More

Blocking data egress points such as portable storage devices is a critical data leakage prevention method. Without USB restriction, data theft is as simple as an insider threat effortlessly smuggling in a personal portable storage device and copying sensitive files to it.

User Activity Monitoring

ISO 27001:2013 Control: A.12.4 Logging and Monitoring

ISO 27001:2022 Control: 8.15 Logging
ISO 27002:2013/2022 Control: 8.16 Monitoring activities

Employee monitoring with BrowseReporter provides continuous oversight of end-user activities as they perform their job functions, providing a method for identifying suspicious or unsafe computer usage.

• Monitor web usage for suspicious URLs such as cloud storage sites
• Track application usage for shadow IT and other unauthorized software usage
• Track bandwidth consumption for anomalous spikes in data sent or received
• Take screenshots of employee desktops based on triggers, at set intervals, or ad-hoc during live screen viewing

Get My Free Trial

Get a Quote

Following the discovery of unwanted behavior, real-time user activity data gives your organization the precedence for taking corrective actions to prevent unlawful or unsafe behavior that puts sensitive data such as personally identifiable information at risk.

Web Filtering, Port Filtering, and App Blocking

ISO 27001:2013 Control: A.12.6.2 Restrictions on Software Installation 
ISO 27001:2013 Control: A.12.2.1 Controls Against Malware
ISO 27002:2013/2022 Control: 8.22 Web filtering
ISO 27002:2013/2022 Control: 8.12 Data Leakage Prevention (DLP)


ISO 27002:2022 Control: 8.19 Installation of Software on Operational Systems.

Blocking websites with BrowseControl is essential for securing your network against malicious websites and preventing employees from transferring data to unauthorized cloud storage platforms. 

• Block websites based on URL, domain, IP address, or content category
• Restrict internet access to authorized websites only with the Allowed List
• Customize restrictions for each user, computer, or organizational unit
• Block access to Dropbox and other file sharing services to prevent users with temporary network access from leaking sensitive files.

Start Blocking Websites Today Learn More

Block File Downloads/Uploads

ISO 27001:2013 Control: A.12.6.2 Restrictions on Software Installation 
ISO 27001:2013 Control: A.12.2.1 Controls Against Malware
ISO 27002:2013/2022 Control: 8.12 Data Leakage Prevention (DLP)

ISO 27002:2022 Control: 8.19 Installation of Software on Operational Systems.

With BrowseControl’s file filter you can prevent users from uploading or downloading files from the internet, software apps, and more.

Audit Logon Activity

ISO 27001:2013 Control: A.12.4 Logging and Monitoring
ISO 27002:2013/2022 Control: 8.16 Monitoring activities

ISO 27001:2022 Control: 8.15 Logging

enPowerManager provides remote power management features and time stamped device activity reports that detail when employees log in, log out, startup, shutdown, sleep, or hibernate their computers. 

• Track logon activity for local and domain accounts
• Monitor logins for suspicious activity, such as user accounts or computers being logged into after hours. 
• Remotely startup, shutdown, and restart computers to help apply critical security updates

Two-Factor Authentication (2FA) for CurrentWare Operators

This feature aligns with the ISO 27001:2013 control A.6.1.1 User Authentication Procedures, which requires organizations to establish and implement procedures for verifying a user’s claimed identity before granting access to information systems or resources. The ISO 27001:2022 equivalent is A.6.1.5 – Multi-factor Authentication (MFA).

Admin Activity Logs / Audit Logs

CurrentWare’s audit logs help you determine “who did what, where, and when” regarding configuration changes and data access within the CurrentWare Suite.

With the audit log, the CurrentWare Suite documents every change made to your CurrentWare security policies and configurations, including which operator was responsible for the change and when it occurred.

This feature aligns with the ISO 27001:2013 control A.12.4.3 Administrator and Operator Logs, which states, “The activity of the System Manager and System Operator is to be logged, and the logs kept safe and monitored closely.” The ISO 27001:2022 equivalent is 8.15 – Logging

On-Premises Deployment

CurrentWare’s solutions can be installed on-premises or on your own self-managed cloud virtual machine, allowing you to retain full control over your deployment and any user activity data you collect.

What about remote workers?

Organizations that want to use CurrentWare to monitor and manage employees working from home can still do so even with an on-premises deployment. See this article for more information.

Does My ISMS Need to Be Updated for ISO 27002:2022?

Most likely not at this time. As ISO 27002:2022 is a Code of Practice that cannot be certified against any updates are a matter of recommendation rather than a requirement. 

At the time of this writing (08 Nov 2021) a decision to revise ISO/IEC 27001:2013 has not been made, though there may be announcements in the near future.

When the time comes for your organization to recertify, you will need to verify that no updates have been made to the ISO 27001 framework itself. Any updates to the Standard may require amendments to your ISMS.

Your SoA and internal audit plan may need to be amended to address the new controls (Data leakage prevention, web filtering, etc).

What is ISO 27001?

“ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.”

– International Organization for Standardization

ISO 27001 (ISO/IEC 27001:2013) is an international standard for information security that is developed and maintained by the International Organization for Standardization (ISO). ISO 27001 provides organizations with the requirements for building and maintaining an ISMS.

Though there are more than a dozen standards in the ISO/IEC 27000 series (also known as the ISO/IEC 27000 Family of Standards or ISO27K), ISO 27001 is the framework that organizations will be certified against to demonstrate that their ISMS is aligned with information security best practices. The majority of the other standards within the series provide further guidance in meeting and evaluating ISO 27001 standards.

Benefits of ISO 27001 Compliance/ISO 27001 Certification

Achieving ISO 27001 certification requires a significant investment of time and resources, but the benefits can be substantial for organizations, their partners, clients, and the data subjects they are responsible for protecting.

Cyber Resilience

To become certified, an organization must demonstrate that its information security practices are sufficiently mature to prevent, detect, contain, and respond to threats to information assets such as personally identifiable information.

By achieving ISO certification, you’ll systematically identify and manage information security gaps, making your organization less vulnerable to data breaches. This equips your organization to adequately ensure the confidentiality, integrity and availability of information.

Competitive Advantage

Since ISO 27001 is an internationally recognized standard, certification demonstrates to clients and partners that you take information security seriously and have a robust system in place. This can give you a competitive edge by increasing trust and speeding up the sales cycle by removing security and compliance as an objection.

Many organizations opt for certification as part of their client or contractual requirements. Industries that handle sensitive data (such as medical and financial fields) often demand that their vendors and other third parties achieve compliance with ISO 27001.

Improved Internal Processes

The framework encourages a structured approach to information security, which can streamline procedures and improve overall efficiency.

Reduced Risk of Data Breaches

The average cost of a data breach globally was $4.35 million in 2022. By addressing security gaps in alignment with the ISO 27K family of standards, organizations are less likely to experience significant security events that cause significant reputational and financial damage.

Third-Party Security Assessments

ISO certification provides an expert third-party risk assessment of your security controls, data governance, and policies, ensuring security gaps are adequately addressed.

How to Meet ISO 27001 Requirements

Key Takeaways

1. Certification is not as simple as deploying specific tools; it requires ongoing commitment to continually improve from all levels and departments within the organization.
2. The vast majority of meeting the compliance requirements for the Standard is thorough documentation of the organization’s risks, processes, and security controls.
3. The certification process is a significant investment, with associated costs of $30,000+. The estimated costs of the process include multiple audits, purchasing the required documentation, optional consultant fees, employee training/security awareness, and time investments.
4. Preparing for certification is a lengthy process, with many certifications taking multiple years to complete. There is a need for historical evidence that the ISMS is embedded in all of the aspects in the business including supplier relationships, relationships with third parties, asset management practices, job descriptions, etc. well before an accredited certification body (CB) will consider issuing certification to an organization.

The ISO 27001 Certification Process

1. Purchase official ISO 27001 documentation from the International Organization for Standardization
2. Create and implement an ISMS
3. Perform an internal audit of the ISMS
4. Find an accredited Certification Body (CB) for an initial review of the ISMS
5. Implement any requested changes from the initial review
6. Get an in-depth audit from the CB
7. Participate in follow-up internal and external audits

Purchase the ISO 27001 Standard & Develop an ISMS

At its core, the ISO 27001 framework is about developing a mature and resilient ISMS. Before seeking certification an organization must have existing information systems and security practices in place. 

The information security aspects of the networks used to support the organization must include adequate information security controls and risk management processes. These span beyond specific tools to further include internal communications, operational standardization, employee training, HR risk management, and other non-technical controls.

To best align your organization’s ISMS with the ISO 27001 data security standard, you will need to purchase official ISO 27001 documentation from the International Organization for Standardization. This documentation will inform your organization’s ISMS development strategy and ensure it addresses all of the relevant controls based on the applicable information security risks.

Examples of Key Components for an ISO 27001 Compliant ISMS 

1. Genuine Involvement: You must operate the ISMS as part of the organization’s everyday routine. 
2. Performance Evaluation: You must regularly perform information security risk assessments to verify that ISMS is effective and being used effectively.
3. Mandatory Documents: including information security policies, a Statement of Applicability (SoA), information security risk assessment/treatment processes, and the acceptable use of assets.
4. Information Security Incident Management: How management establishes responsibilities and procedures to ensure an effective response to vulnerabilities and security incidents.
5. Physical and Environmental Security: The access control methods that are in place to prevent unauthorized physical access to information systems (office buildings, server rooms, etc)
6. Communications Security: Network security management processes and tools that are in place to manage and control the network. They protect the organization’s systems and applications
7. Operations Security: Ensure correct and secure operations of information processing facilities through documentation of standard operating procedures and accessibility of documentation. 
8. Business Continuity Management: The information security aspects of business continuity management. This describes how the organization will ensure information security during a crisis, such as a healthcare entity developing and training employees on a paper-based system to mitigate the effects of a ransomware attack or power outage.
9. Human Resource Security: Pre and post-employment processes that mitigate the potential for insider threats. This includes pre-employment screening, onboarding/offboarding processes, end-user training, and role change management.

The documentation for ISO 27001 breaks down the best practices into 14 separate controls. These controls may be further consolidated or refined based on the amendments to ISO 27002 (ISO 27002:2022).

Further Reading: IT Governance—How to Implement and Maintain an ISO 27001-Compliant ISMS

ISO 27001 Risk Assessment & Risk Treatment Plan (RTP)

Risk assessments and risk management are core to every ISO 27001 compliance project. A Risk Treatment Plan (RTP) documents an organization’s processes to identify and respond to known threats.

To meet ISO 27001 compliance requirements, the organization must have someone who will take ownership of each risk. This includes identifying who is responsible for approving the risk treatment plans and accepting the level of residual risk.

This assessment identifies potential threats to your organization’s information assets, evaluates their likelihood and impact, and guides the implementation of appropriate security controls.

Why is Risk Assessment Crucial for ISO 27001?

• Proactive Approach: By proactively identifying risks, you can prioritize security measures and address them before they cause damage.
• Informed Decision Making: Risk assessments provide data to justify security investments and select the most effective controls.
• Compliance Requirement: ISO 27001 demands a systematic approach to information security risk management.

Steps in an ISO 27001 Risk Assessment

1. Identify Assets: Catalog all information assets your organization possesses, including electronic data, paper documents, and intellectual property.
2. Threat Identification: Brainstorm potential threats that could exploit vulnerabilities in your assets. This could include cyberattacks, human error, natural disasters, or physical theft.
3. Vulnerability Assessment: Analyze how identified threats could exploit weaknesses in your systems and processes.
4. Likelihood and Impact: Evaluate the probability of each threat occurring and the potential consequences on the confidentiality, integrity, and availability of your information (CIA triad).
5. Risk Calculation: Using a risk matrix, combine the likelihood and impact scores to determine the overall risk level for each scenario.
6. Risk Treatment: Develop a plan to mitigate identified risks. This might involve implementing security controls, reducing vulnerabilities, or transferring the risk if acceptable.
7. Risk Acceptance: Document your organization’s risk tolerance and acceptance for residual risks that remain after applying controls.
8. Continuous Monitoring: Regularly review your risk assessments to account for evolving threats, changes in your information assets, and the effectiveness of implemented controls.

Benefits of a Strong Risk Assessment

• Enhanced Security Posture: By proactively addressing risks, you create a more secure environment for your information assets.
• Improved Decision Making: Data-driven risk assessments guide informed choices regarding security investments and resource allocation.
• Demonstrated Compliance: A documented risk assessment process is a key element for achieving and maintaining ISO 27001 certification.

Remember: Risk assessment is an ongoing process. Regularly revisit your assessments to stay ahead of evolving threats and ensure the continued effectiveness of your ISMS.

Key Elements of an RTP:

• The risk assessment methodology, risk measuring criteria, and risk acceptance criteria that will be used to identify and evaluate potential risks. This will be largely based on the organization’s context (e.g. legal/contractual obligations)
• A list of known threats and vulnerabilities to the organization’s information assets and the controls that are in place to mitigate these risks
• Justifications for any accepted risks and controls that are not fully implemented in the ISMS based on the organization’s risk analysis and determination of need (compensating controls, applicability to the organization, approvals for externalizing risks, etc)

ISMS Training & Awareness

An effective ISMS hinges on a knowledgeable and vigilant workforce. ISMS training and awareness programs equip employees with the understanding and skills necessary to identify and mitigate information security risks. These programs should address topics like password hygiene, phishing scams, data classification, and reporting suspicious activity. By fostering a culture of security awareness, employees become active participants in protecting your organization’s valuable information assets.

All relevant parties must know their responsibilities within the organization’s ISMS. This includes end-user security awareness training, adherence to company policies, and vendor agreements. 

FREE DOWNLOAD
Removable Media Policy Template

• Set data security standards for portable storage
• Define the acceptable use of removable media
• Inform your users about their security responsibilities

Get started today—Download the FREE template and customize it to fit the needs of your organization.

Get the FREE Template

Perform An Internal Audit

Risk management is a critical component of compliance with ISO 27001. Before seeking certification from a reputable certification body (CB), organizations should use the ISO 27001 standard as a guide to perform internal audits of their existing systems.

These will act as a performance evaluation and discovery session of the organization’s current security standard.

Examples of Items to Review

• A risk assessment to identify business security risks
• A gap analysis to identify any security aspects of business processes that need to be bolstered (e.g. implement a new tool or management process)
• Evaluation of physical and environmental security
• Identifying what aspects of business continuity need to be better addressed
• What information security incident management practices comply with ISO and which need further refinement

This best practice will help the organization identify gaps in its policies, procedures, tools, and other controls that will need to be addressed before being eligible for certification.

Tip: During the initial evaluation the CB will be reviewing your organization’s existing documentation. Ensure that you have all of the mandatory documents within a knowledge management system to simplify internal communication and to demonstrate the security/policy awareness of your personnel. 

Further Reading: 7 Tips for Passing Your Next IT Security Audit

Get Your ISMS Audited by an Accredited Certification Body

Several months after developing, auditing, and implementing your ISMS, you will be prepared for an external audit by an accredited Certification Body (CB). 

To secure certification, an external audit by an accredited certification body is essential. These independent auditors meticulously assess your ISMS against the ISO 27001 standard, ensuring your controls and processes effectively safeguard your information assets. A successful audit culminates in certification, demonstrating your dedication to information security excellence.

1. Find an accredited Certification Body
2. The CB performs an initial review of the ISMS, focusing on how the organization’s documentation and controls support its compliance requirements.
3. Following a satisfactory initial review, the CB will perform an in-depth audit to verify that the documented controls and procedures are efficient and have been followed and implemented correctly. 
4. After receiving its certification the organization will continue to participate in follow-up internal and external audits throughout the certification period (typically 3 years)
5. The organization will later apply for recertification, consisting of similar external audits.

ISO IEC 27001 Security & Policy Resources from CurrentWare

CurrentWare offers a variety of free resources that your business can implement to make the certification process easier. These resources include information security policies and cybersecurity best practice tips for your workforce.

A.8.1.3 Acceptable Use of Assets

• Acceptable Use Policy
• Removable Media Policy
• 5 Ways to Enforce Your Acceptable Use Policy (AUP)

A.9.2.1 User Registration and Deregistration

• Employee Offboarding Checklist & Best Practices

A.9.3 User Responsibilities

• Safe Computing Tips for Employees

A.11.2.6 Security of Equipment and Assets Off-Premises

• Work From Home Policy Template
• Cybersecurity Tips for Protecting Your Hybrid Workforce

Conclusion & More Resources

Achieving ISO 27001 certification is highly advantageous for organizations that want to work with international partners, demonstrate their commitment to following information security best practices, and build an ISMS that keeps their sensitive data secure.

While the ISO 27K family does not prescribe specific tools and vendors, key security controls such as web filtering and device control solutions are valuable assets for protecting sensitive data against insider threats and other common data security risks.

Need to block high-risk websites, monitor user activity, and prevent data leakage in your organization? Get started today with a FREE trial of CurrentWare’s security solutions.

More Resources:

• IT Governance – ISO 27001 Training and Qualifications
• IT Governance – The 14 Control Sets of Annex A (Infographic)
• Praxiom – ISO 27001:2013 Translated Into Plain English
• International Organization for Standardization (ISO) – ISO 27001:2022 (Full Text)
• ISMS Online – The Ultimate Guide to ISO 27001
• Cyber Essentials – Learn about this cybersecurity scheme from the UK government

ISO 27001 FAQ, Terms, and Definitions

Is ISO 27001 Certification Mandatory?

No, from a legislative standpoint compliance with ISO 27001 certification standards is not mandatory. However, organizations that work with any highly sensitive classifications of data may require their partners and vendors to meet ISO 27001 compliance requirements.

While it is not mandatory, acquiring ISO 27001 certification is a valuable resource for demonstrating that an organization has implemented information security best practices.

How long does it take to get ISO 27001 certification?

The time it takes to achieve ISO 27001 certification can vary depending on several factors, but here’s a general breakdown:

Factors Affecting Timeline:

• Organization Size and Complexity: Larger organizations with more complex data environments and processes will naturally take longer to implement an ISMS and prepare for audits compared to smaller businesses.
• Existing Security Controls: Organizations with a strong foundation of existing security controls will have a head start and can potentially achieve certification faster.
• Resource Allocation: The amount of time and resources dedicated to the certification process significantly impacts the timeline. A dedicated team focused on ISMS development will expedite the process.
• External Consultant Involvement: Hiring an experienced ISO 27001 consultant can provide guidance and expertise, potentially accelerating the certification process.

General Timeframes:

• Small Businesses: For smaller businesses with a good understanding of information security, achieving certification within 3-6 months might be possible.
• Medium-Sized Businesses: For medium-sized organizations, the timeframe could range from 6 months to a year.
• Large Enterprises: Large enterprises with complex IT infrastructure may require 1 year or more to achieve certification.

Key Stages and Timeline:

Here’s a simplified breakdown of the key stages involved and their typical timeframes:

1. Gap Analysis & ISMS Development (2-4 months): Assess current security posture against ISO 27001 requirements, develop an ISMS, and document information security policies and procedures.
2. Internal Audit (1-2 months): Conduct an internal audit to identify any gaps or inconsistencies in the implemented ISMS.
3. Stage 1 Certification Audit (1 month): A certification body auditor reviews ISMS documentation to ensure it meets the standard’s requirements.
4. Remediation & Improvement (Variable): Address any non-conformities identified during the Stage 1 audit. The time for this can vary depending on the number of issues found.
5. Stage 2 Certification Audit (1-2 months): The certification body auditor assesses the ISMS’s implementation and effectiveness.

Remember: These are just estimates, and the actual time for your organization may differ. It’s crucial to carefully assess your specific situation and resource availability to determine a realistic timeline for achieving ISO 27001 certification.

Who Are Interested Parties in ISO 27001?

Clause 4.2 of ISO 27001 stipulates that the needs and expectations of interested parties must be considered when developing an ISMS. 

In the context of ISO 27001, these are stakeholders that are affected by the organization’s information security practices. 

Examples of these stakeholders include employees who are expected to be compliant with the ISMS. Customers have a vested interest in the organization’s security practices as it relates to the protection of their personal information.

How Long Does ISO 27001 Certification Last?

ISO 27001:2013 certification is valid for 3 years once it has been achieved. During this time the ISMS must be continually monitored and managed to ensure that it is meeting the organization’s information security requirements. 

Throughout the certification there will be continuous internal compliance audits and external surveillance audits from the independent certification body.

To renew its ISO 27001 certification the organization must audit its practices for nonconformities, rectify any issues, and apply for a recertification audit. This recertification helps ensure that the organization has updated its ISMS to address new threats and vulnerabilities as well as maintaining compliance with updates to the ISO standards.

How Much Does ISO 27001 Certification Cost? Is It Free?

ISO 27001 certification is not free. The costs of meeting certification requirements are highly variable depending on factors such as the current cyber maturity of the organization, the availability of internal resources, whether or not a consultant is hired, and the costs associated with an independent third-party certification body.

IT Governance estimates that the certification costs alone may cost up to £14,250 for an organization with 1551-2025 employees (Estimated costs for the USA are $27k). These costs do not include fees following the initial certification audit, the costs to implement new controls, and other factors. 

They provide further information on the costs associated with this security standard in their 2018 ISO 27001 Global Report.

Other costs to implement the Standard include:

• Purchasing ISO 27001 requirements documents (~$130 USD)
• Hiring a consultant (~$38,000 USD)
• Ongoing surveillance audits throughout the certification period
• Internal ISMS risk assessment audits and a gap analysis (or costs of outsourcing) to continually improve risk management
• The costs of internal efforts for creating, implementing, and maintaining the ISMS

What Is the ISO?

The International Organization for Standardization (ISO) is a global body that collects and manages various standards for different disciplines. Membership of ISO is only open to national standards institutes or similar organizations that represent standardization in their country.

Learn More: ISO General FAQs

Which Companies Are ISO 27001 Certified?

As of 2022, 71549 companies are ISO 27001 certified. The ISO Survey can provide more information about the adoption of ISO 27001 certification.

You can contact the applicable accreditation body to find out if a specific company is ISO 27001 certified. Each country has its own accreditation body that is selected and appointed by the International Accreditation Forum (IAF). For example, America’s national accreditation body is the ANSI National Accreditation Board (ANAB)—their directory can be found here.

If I’m ISO 27001 Certified, Am I Also GDPR Compliant?

No. While the security requirements of ISO 27001 should satisfy the General Data Protection Regulation (GDPR) security standards, there is also a privacy component of the GDPR that will not be sufficiently addressed with ISO 27001 certification alone.

Combining your existing certification with the ISO 27701 data privacy framework will help your organization be better prepared to meet data privacy compliance requirements as new laws and regulations emerge.  

“This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO 27001 and ISO 27002 for privacy management within the context of the organization.

This document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.” –  Official Description of ISO 27701

Learn More: GDPR Chapter 3—Rights of the Data Subject

What is Annex A? Is It Mandatory to Implement It?

Annex A is an optional series of controls you can implement to meet ISO 27001 compliance standards. In ISO 27001 Annex A consists of 1-2 sentences per control; ISO 27002 further examples on Annex A with an average of one page per control.

Examples of Annex A Controls:

• Annex A.8 – Asset Management
• Annex A.9 – Access Control
• Annex A.13 – Communications Security
• Annex A.14: System Acquisition, Development and Maintenance
• Annex A.15 – Supplier Relationships

What Is an Information Security Management System (ISMS)?

An ISMS is a holistic approach to ensuring the confidentiality, integrity, and availability of an organization’s information assets.

An Information Security Management System (ISMS) is a framework that helps organizations systematically manage and control the security of their information assets. It’s essentially a set of policies, procedures, and controls that ensure the confidentiality, integrity, and availability of information.

Here’s a breakdown of what an ISMS does:

• Confidentiality: Protects information from unauthorized access, ensuring only authorized individuals can view or modify it.
• Integrity: Safeguards the accuracy and completeness of information, preventing unauthorized modification or manipulation.
• Availability: Ensures information is accessible and usable by authorized personnel when needed.

An ISMS is not just about technology; it’s a holistic approach that considers people, processes, and technology. Here are some key aspects of an ISMS:

• Risk Assessment: Identifying and evaluating threats and vulnerabilities to information assets.
• Security Policies: Formal documents outlining information security guidelines and expectations for employees.
• Access Controls: Limiting access to information systems and data based on user roles and permissions.
• Incident Management: A structured process for identifying, reporting, and responding to security incidents.
• Business Continuity: Plans to ensure critical business functions can continue even after a security incident.

Benefits of an ISMS:

• Reduced Risk of Data Breaches: By implementing strong security controls, organizations can significantly reduce the risk of data breaches and cyberattacks.
• Improved Compliance: An ISMS can help organizations meet compliance requirements from industry regulations or data privacy laws like GDPR.
• Enhanced Customer Trust: Demonstrating a commitment to information security can build trust with customers and partners.
• Better Decision-Making: The risk assessments conducted as part of an ISMS can inform better decision-making regarding information security investments.

What is a Statement of Applicability (SoA)?

In the context of ISO 27001, a Statement of Applicability (SoA) is a vital document that bridges the gap between risk assessment and information security controls within your organization’s Information Security Management System (ISMS).

Here’s a breakdown of its key points:

• Function: The SoA details which information security controls from the ISO 27001 standard (specifically Annex A) your organization has chosen to implement. It also explains why you’ve chosen to include or exclude specific controls.
• Content: Think of it as a table with two main columns. One column lists the controls from Annex A, and the other explains whether you’ll implement the control (and why) or not (and why not). Common reasons for excluding a control might be that it’s irrelevant to your specific business context or that you already have alternative measures to achieve the same goal.
• Benefits: The SoA serves several purposes. It ensures a targeted approach to security by focusing on controls applicable to your organization’s risks. It also demonstrates a risk-based rationale for your ISMS to auditors during certification. Finally, the SoA is a clear reference point for everyone involved in your ISMS, outlining the implemented controls.
• Not Static: The SoA is a living document. As your organization evolves, so too should your risk profile. Regularly review and update the SoA to reflect changes in your information security landscape and ensure it continues to represent your implemented controls accurately.

How often do organizations need to review and update their controls?

Risk Assessments: Regular risk assessments (at least annually) should identify any changes in threats, vulnerabilities, or organizational impact. This may necessitate control adjustments to address new risks.

Internal Audits: Internal audits (recommended at least annually) evaluate the effectiveness of implemented controls. If audits reveal control weaknesses, updates may be required.

Management Reviews: Management reviews (conducted periodically) assess the overall ISMS performance and identify areas for improvement. This could lead to control modifications to enhance information security posture.

Changes in the Organization: Any significant changes within the organization, such as new technologies, processes, or personnel, may necessitate control updates to ensure continued effectiveness.

Industry Regulations: Updates to industry regulations or compliance requirements may necessitate adjustments to existing controls.

What happens if organizations can’t implement all the controls in Annex A?

Annex A of ISO 27001 provides a comprehensive list of information security controls, but it’s not mandatory to implement them all. Organizations can adopt a risk-based approach:

• Identify Critical Assets: Focus on information assets critical to your business operations.
• Assess Risks: Evaluate the threats and vulnerabilities associated with these assets and the potential impact of a security breach.
• Select Controls: Choose controls from Annex A or develop your own that effectively mitigate the identified risks.
• Document Justification: Maintain a Statement of Applicability (SoA) that documents which controls are implemented and why others are not. This SoA demonstrates a thoughtful approach to information security and is reviewed during audits.

How does ISO 27001 certification impact cloud based systems and data storage?

ISO 27001 applies to information security management regardless of where data resides – whether it’s on-premises or in cloud based systems. Here’s how it impacts cloud adoption:

• Vendor Due Diligence: Organizations need to assess the security posture of their cloud service providers (CSPs). This includes reviewing the CSP’s security controls, certifications, and incident management procedure.
• Contractual Agreements: Contracts with cloud providers should clearly define security responsibilities. This ensures both parties understand who is responsible for implementing specific controls.
• Data Encryption: Organizations may need to implement additional encryption measures to protect sensitive data stored in the cloud.
• Data Access Controls: Maintain strict access controls to ensure only authorized personnel can access sensitive information in the cloud.

How can organizations measure the return on investment (ROI) of ISO 27001?

Quantifying the ROI of ISO 27001 can be challenging, but here are some potential metrics to consider:

• Reduced Costs of Data Breaches: ISO 27001 helps prevent data breaches, which can be financially devastating. Estimate the potential cost of a breach (including lost revenue, legal fees, and reputational damage) and compare it to the cost of certification.
• Improved Customer Trust: Certification demonstrates a commitment to information security, which can enhance customer trust and loyalty. Track changes in customer satisfaction or acquisition rates potentially linked to improved security posture.
• Enhanced Operational Efficiency: The ISMS framework promotes streamlined information security processes, potentially leading to cost savings and improved operational efficiency. Track time saved on security-related tasks or identify areas where efficiency has improved.
• Increased Business Opportunities: Some organizations require ISO 27001 certification as a vendor selection criterion. Certification can open doors to new business opportunities. Quantify the potential revenue generated from these opportunities.

How can an organization ensure ISO 27001 compliance when they have remote workers?

Maintaining ISO 27001 compliance with a remote workforce requires additional considerations to mitigate the unique cybersecurity risks of remote workers. As a part of your risk assessment and compliance process you need to account for these vulnerabilities and mitigate them accordingly.

Here’s how organizations can ensure continued compliance with ISO 27001 when they have remote workers:

Access Control:

• Multi-Factor Authentication (MFA): Enforce MFA for all remote access points, including VPNs, web applications, and cloud storage. This adds an extra layer of security beyond passwords.
• Least Privilege Principle: Grant remote workers the minimum level of access required to perform their jobs. This reduces the potential damage if a hacker gains access to a remote worker’s device.
• Device Management: Implement a mobile device management (MDM) or unified endpoint management (UEM) solution to manage and secure company-issued devices used by remote workers. This allows for remote wiping of lost or stolen devices and enforces security policies on these devices.
• Network Access Control (NAC): Consider implementing NAC to restrict access to the corporate network based on device type, security posture, and user location.

Data Security Training:

• Phishing Awareness: Regularly train remote workers to identify and avoid phishing attacks, a common method for stealing credentials or compromising systems.
• Data Classification and Handling: Educate remote workers on classifying data based on sensitivity and proper handling procedures to prevent accidental data breaches.
• Secure File Sharing: Train employees on approved methods for sharing sensitive information electronically, avoiding insecure channels like personal email accounts.
• Password Management: Educate remote workers on creating strong passwords and using a password manager to avoid password reuse.

Remote Monitoring:

• Endpoint Detection and Response (EDR): Consider deploying EDR solutions to monitor remote devices for suspicious activity and identify potential malware or security threats.
• User Activity Monitoring (UAM): Monitor user activity on critical systems to detect unusual access patterns or potential insider threats.

Data Loss Prevention (DLP):

• Content Filtering: Implement DLP solutions to filter data transfers across email, web applications, and removable media to prevent unauthorized data exfiltration.
• Data Encryption: Encrypt sensitive data at rest and in transit to ensure confidentiality even if intercepted by unauthorized parties.

Secure Communication Channels:

• Virtual Private Network (VPN): Require remote workers to connect to the corporate network through a secure VPN to encrypt all data traffic.
• Secure Meeting Platforms: Choose secure video conferencing platforms with encryption features for confidential online meetings.

Security Policies:

• Remote Work Policy: Develop and enforce a clear remote work policy that outlines security expectations, including acceptable use of company devices, data handling procedures, and reporting security incidents.
• Password Policy: Enforce a strong password policy requiring complex passwords and regular password changes for remote access accounts.
• Incident Management Procedure: Have a documented incident response plan in place that outlines procedures for identifying, containing, and recovering from security incidents involving remote workers.

Additional Considerations:

• Physical Security: Educate remote workers on securing their home workspace to prevent unauthorized physical access to company equipment or data.
• Regular Reviews and Updates: Regularly review and update security measures as technologies evolve and new threats emerge. Conduct internal audits to assess the effectiveness of controls for remote workers.

By implementing these comprehensive controls and fostering a culture of security awareness among remote workers, organizations can ensure continued compliance with ISO 27001 and maintain a robust information security posture in today’s increasingly remote work environment.