Looking to become certified to the ISO 27001 standard? In this article you will learn what ISO 27001 is, the key terms and definitions, information security risks you need to consider, and the process for meeting your compliance and certification requirements.
On October 25, 2022, ISO/IEC 27001:2022 was released, replacing the 2013 version. The International Accreditation Forum (IAF) has published a transition requirements document (IAF MD 26) stating that organizations have 36 months from the publication of ISO 27001:2022 to complete the transition.
The management-system clauses of ISO 27001:2022 (clauses 4 to 10) contain minor changes that align them with the harmonized structure for management system standards (Annex SL).
These changes include:
These changes also require certification bodies to update their accreditation. They should do so within 12 months after the publication of the standard.
You can learn more about the changes between ISO 27001:2013 and ISO 27001:2022 at Instant27001.com
In addition, ISO/IEC 27002:2022 was published in February 2022. ISO 27002 provides implementation guidance for the controls listed in Annex A of ISO 27001. The Annex A controls are a reference set rather than a free choice: clause 6.1.3 of ISO 27001 requires the organization to compare the controls it selects against Annex A and to justify any exclusions in its Statement of Applicability. Together, the two documents help companies build an ISMS (information security management system) that complies with the Standard.
According to IT Governance, the completely new controls are:
While these updates will not have an immediate impact on the ISO 27001:2013 framework, they will provide added context and clarity for those seeking ISO/IEC 27001 certification in 2022, particularly as it relates to modern data security practices such as cloud security.
Learn More:
Most likely not at this time. Because ISO 27002 is guidance that cannot be certified against, updates to it are recommendations rather than requirements until ISO 27001 itself, and its Annex A, is revised.
At the time of this writing (08 Nov 2021) a decision to revise ISO/IEC 27001:2013 has not been made, though there may be announcements in the near future.
When the time comes for your organization to recertify you will need to verify that no updates have been made to the ISO 27001 framework itself. Any updates to the Standard may require amendments to your ISMS.
Your SoA and internal audit plan may need to be amended to address the new controls (Data leakage prevention, web filtering, etc).
“ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.”
– International Organization for Standardization
ISO 27001 (ISO/IEC 27001:2013) is an international standard for information security that is developed and maintained jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO 27001 specifies the requirements for building, operating and continually improving an information security management system (ISMS).
Though there are more than a dozen standards in the ISO/IEC 27000 series (also known as the ISO/IEC 27000 Family of Standards or ISO27K), ISO 27001 is the framework that organizations will be certified against to demonstrate that their ISMS is aligned with information security best practices. The majority of the other standards within the series provide further guidance in meeting and evaluating ISO 27001 standards.
Being certified to the Standard provides two key benefits for organizations, their partners and clients, and the data subjects whose information they are responsible for protecting.
To become certified an organization must demonstrate that its information security practices are sufficiently mature to prevent, detect, contain and respond to threats to information assets. By meeting these standards an organization will be more capable of protecting sensitive information.
Since ISO 27001 is an internationally recognized standard, certified organizations can readily demonstrate their commitment to information security to customers, governments, and regulatory bodies.
Many organizations opt for certification as part of their client or contractual requirements. Industries that handle sensitive classifications of data (such as medical and financial fields) often demand that their vendors and other third parties meet ISO 27001 compliance requirements.
Key Takeaways
At its core, the ISO 27001 framework is about developing a mature and resilient information security management system. Before seeking certification an organization must have existing information systems and security practices in place.
The networks and systems that support the organization must be covered by adequate information security controls and risk management processes. These span beyond specific tools to include internal communications, operational standardization, employee training, HR risk management, and other non-technical controls.
To best align your organization’s ISMS (information security management system) with the ISO 27001 data security standard you will need to purchase official ISO 27001 documentation from the International Organization for Standardization. This documentation will inform your organization’s ISMS development strategy and ensure it addresses all of the relevant controls based on the applicable information security risks.
Examples of Key Components for an ISO 27001 Compliant ISMS
Annex A of ISO 27001:2013 groups 114 controls into 14 control domains (A.5 to A.18). ISO 27002:2022 consolidates these into 93 controls under four themes (organizational, people, physical and technological), and Annex A of ISO 27001:2022 follows that new structure.
Further Reading: IT Governance—How to Implement and Maintain an ISO 27001-Compliant ISMS
Risk assessments and risk management are a core part of every ISO 27001 compliance project. A Risk Treatment Plan (RTP) documents the processes an organization will take to identify and respond to known threats.
To meet ISO 27001 compliance requirements, the organization must have someone who will take ownership over each risk. This includes identifying who is responsible for approving the risk treatment plans and accepting the level of residual risk.
Key Elements of an RTP:
All relevant parties must be aware of their responsibilities within the organization’s ISMS. This includes end-user security awareness training, adherence to company policies, and vendor agreements.
Get started today—Download the FREE template and customize it to fit the needs of your organization.
Risk management is a critical component of compliance with ISO 27001. Before seeking certification from a reputable certification body (CB), organizations should use the ISO 27001 standard as a guide to perform internal audits of their existing systems.
These act as a performance evaluation and a discovery exercise that establishes the organization's current security posture.
Examples of Items to Review
This best practice will help the organization identify gaps in its policies, procedures, tools, and other controls that will need to be addressed before being eligible for certification.
Tip: During the initial (Stage 1) audit the CB reviews your organization's existing documentation before the Stage 2 audit examines how the ISMS actually operates. Keep all of the mandatory documents in a knowledge management system to simplify internal communication and to demonstrate the security and policy awareness of your personnel.
Further Reading: 7 Tips for Passing Your Next IT Security Audit
Several months after developing, auditing, and implementing your ISMS you will be prepared for an external audit from an accredited CB.
The CurrentWare Suite consists of 4 security software modules that can be purchased individually for the greatest flexibility or as a full suite for the best value. These modules provide the web filtering, data theft prevention, and user activity monitoring controls you need to help protect sensitive data as part of your ISO 27001 compliance strategy.
As of CurrentWare v7.0.2, admin activity within the CurrentWare Suite is kept in an audit log, which helps you meet ISO 27001 control A.12.4.3 Administrator and Operator Logs as it relates to your security policies within the CurrentWare Suite.
Here’s how you can use CurrentWare to meet ISO 27k compliance requirements.
ISO 27001 Control: A.8.3.1 Management of Removable Media / A.8.3 Media Handling
ISO 27001 Control: A.12.4 Logging and Monitoring
ISO 27002 Control: 8.12 Data Leakage Prevention (DLP)
ISO 27002 Control: 8.16 Monitoring activities
CurrentWare’s removable media device control software AccessPatrol provides data security controls that alert administrators to suspicious file operations and prevents the use of unauthorized USB devices by users that have access to sensitive data.
Blocking data egress points such as portable storage devices is a critical data leakage prevention method. Without USB restriction, data theft is as simple as an insider threat effortlessly smuggling in a personal portable storage device and copying sensitive files to it.
ISO 27002 Control: 8.16 Monitoring activities
Employee monitoring with BrowseReporter provides continuous oversight of end-user activities as they perform their job functions, giving you a method for identifying suspicious or unsafe computer usage.
Following the discovery of unwanted behavior, employee monitoring data gives your organization the evidence it needs to take corrective action and prevent unlawful or unsafe behavior that puts sensitive data at risk.
BrowseControl is an easy-to-use web filter that helps organizations enforce policies, improve productivity, reduce bandwidth consumption, and meet compliance requirements – no matter where their users are located.
With BrowseControl you can ensure a safe and productive environment by blocking high-risk, distracting, or inappropriate websites, improve network performance by blocking bandwidth hogs, and prevent users from using unsanctioned applications and software-as-a-service providers
BrowseControl’s security policies are enforced by a software agent that is installed on your user’s computers. This allows the solution to continue blocking websites and applications even when computers are taken off-site.
BrowseControl’s central console allows you to configure your security policies from the convenience of a web browser.
With BrowseControl you can block or allow websites based on URL, category, domain, or IP address; assign custom policies for each group of computers or users; prevent users from launching specific applications; and block network ports to reduce the attack surface of your network.
There are three key methods for blocking websites with BrowseControl:
The Blocked List allows you to block specific websites based on URL, domain, or IP address.
Category Filtering allows you to block millions of websites across over 100 content categories, including pornography, social media, and virus-infected sites.
The Allowed List allows specific websites that would otherwise be blocked based on their category. For the greatest security and control, you can instead block all websites except those on the Allowed List (a default-deny policy).
When your users try to visit a blocked website they can either be presented with a custom warning message or directed to another site, such as a page with a reminder of your organization’s internet use policy.
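The three methods above combine into one policy decision per request. The following Python model, added here as an illustration and not CurrentWare's own code, shows how such an evaluator works: explicit Blocked List entries (URL prefix, domain, or IP) are checked first, the Allowed List then exempts a host from category blocks or serves as the only permitted set in default-deny mode, and category lookup runs last. The category table, hostnames and the rule that the Blocked List takes precedence over the Allowed List are assumptions made for the example. It also shows two points a practitioner should check in any web filter: domain matching must stop at a dot boundary (so `notmalware-drop.test` does not match a rule for `malware-drop.test`), and an uncategorized IP-literal URL sails through a category-based policy, which is the reason default-deny is the stronger configuration.

```python
"""Illustrative web-filter policy evaluator (added example, not CurrentWare code).

Models the three blocking methods described above: Blocked List (URL, domain, IP),
Category Filtering, and an Allowed List that either overrides category blocks or,
in default-deny mode, is the only thing permitted.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample category database standing in for a vendor's category feed.
CATEGORY_DB = {
    "example-social.test": "social_media",
    "malware-drop.test": "malicious",
    "docs.corp-wiki.test": "business",
}


@dataclass
class WebFilterPolicy:
    blocked_domains: set[str] = field(default_factory=set)
    blocked_ips: set[str] = field(default_factory=set)
    blocked_urls: set[str] = field(default_factory=set)   # scheme://host/path prefixes
    blocked_categories: set[str] = field(default_factory=set)
    allowed_domains: set[str] = field(default_factory=set)
    allow_list_only: bool = False   # "block all websites except the Allowed List"


def _host_matches(host: str, domains: set[str]) -> bool:
    """True if host equals a listed domain or is a subdomain of it.

    The "." prefix in the suffix test enforces a dot boundary: a plain substring
    or endswith() check would let "notmalware-drop.test" match "malware-drop.test".
    """
    return any(host == d or host.endswith("." + d) for d in domains)


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def _lookup_category(host: str) -> str | None:
    """Category of the host or of its closest categorized parent domain."""
    best, best_len = None, -1
    for domain, category in CATEGORY_DB.items():
        if (host == domain or host.endswith("." + domain)) and len(domain) > best_len:
            best, best_len = category, len(domain)
    return best


def evaluate(policy: WebFilterPolicy, url: str) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for a requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("block", "unparseable")            # fail closed on junk input
    normalized = f"{parts.scheme}://{host}{parts.path or '/'}"

    # 1. Explicit Blocked List entries (assumed to win over the Allowed List).
    if _is_ip_literal(host) and host in policy.blocked_ips:
        return ("block", "blocked_list:ip")
    if _host_matches(host, policy.blocked_domains):
        return ("block", "blocked_list:domain")
    if any(normalized.startswith(prefix) for prefix in policy.blocked_urls):
        return ("block", "blocked_list:url")

    # 2. Allowed List: exempt from category blocks, or the sole exception
    #    when the policy is "block everything except the Allowed List".
    if _host_matches(host, policy.allowed_domains):
        return ("allow", "allowed_list")
    if policy.allow_list_only:
        return ("block", "default_deny")

    # 3. Category Filtering. Note that an IP-literal URL usually has no
    #    category, so in block-list mode it falls through to default_allow.
    category = _lookup_category(host)
    if category in policy.blocked_categories:
        return ("block", f"category:{category}")
    return ("allow", "default_allow")


def demo_policy(allow_list_only: bool = False) -> WebFilterPolicy:
    """Constructed sample policy used for the walkthrough below."""
    return WebFilterPolicy(
        blocked_domains={"malware-drop.test"},
        blocked_ips={"203.0.113.7"},
        blocked_urls={"https://docs.corp-wiki.test/public-share"},
        blocked_categories={"social_media", "malicious"},
        allowed_domains={"hr.example-social.test"},
        allow_list_only=allow_list_only,
    )


if __name__ == "__main__":
    for mode in (False, True):
        policy = demo_policy(allow_list_only=mode)
        print(f"--- allow_list_only={mode}")
        for u in ("https://www.malware-drop.test/x", "http://203.0.113.7/payload",
                  "https://example-social.test/feed", "https://hr.example-social.test/jobs",
                  "https://docs.corp-wiki.test/public-share/file",
                  "https://docs.corp-wiki.test/handbook", "https://notmalware-drop.test/",
                  "http://198.51.100.9/"):
            print(f"{u:50} -> {evaluate(policy, u)}")
```

Running the block shows that in block-list mode the uncategorized IP literal `http://198.51.100.9/` is allowed, while in default-deny mode only the Allowed List host survives; that difference is the practical meaning of "the greatest security and control" in the text.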
With BrowseControl’s App Blocker you can prevent your users from launching specific applications.
Simply select the group you would like to restrict, enter the Original Filename of the application in the Application List, and add it to the blocked applications list. The Original Filename comes from the executable's version information resource rather than its on-disk name, so renaming the file does not evade the rule; a rebuilt or edited binary with a different version resource would, which is why application blocking works best alongside an allow list of sanctioned software.
When the user tries to launch the blocked application they can be presented with a custom warning message that alerts them of the restriction.
BrowseControl is best used in tandem with our computer monitoring software BrowseReporter. Using both solutions provides the visibility and control you need to ensure that your organization’s computers are being used appropriately.
Don’t let internet abuse run rampant in your organization. Take back control over web browsing with a free trial of BrowseControl.
Get started today by visiting CurrentWare.com/Download
If you have any technical questions during your evaluation our support team is available to help you over a phone call, live chat, or email.
ISO 27001 Control: A.12.6.2 Restrictions on Software Installation
ISO 27002 Control: 8.23 Web filtering
ISO 27002 Control: 8.12 Data Leakage Prevention (DLP)
Blocking websites with BrowseControl is essential for securing your network against malicious websites and preventing employees from transferring data to unauthorized cloud storage platforms.
BrowseControl includes a port filter to close unused or undesirable network ports such as those used for FTP and P2P, an application blocker to prevent employees from launching Windows applications, and a download filter to block files from being downloaded from the internet.
ISO 27001 Control: A.12.4 Logging and Monitoring
ISO 27002 Control: 8.16 Monitoring activities
enPowerManager provides remote power management features and time stamped device activity reports that detail when employees log in, log out, startup, shutdown, sleep, or hibernate their computers.
CurrentWare’s solutions can be installed on-premises or on your own self-managed cloud virtual machine, allowing you to retain full control over your deployment and any user activity data that you collect.
Organizations that would like to use CurrentWare to monitor and manage employees that are working from home can still do so even with an on-premises deployment. See this article for more information.
CurrentWare offers a variety of free resources that your business can implement to make the certification process easier. These resources include information security policies and cybersecurity best practice tips for your workforce.
Learn More on the CurrentWare Blog
Achieving ISO 27001 certification is highly advantageous for organizations that want to work with international partners, demonstrate their commitment to following information security best practices, and build an ISMS that keeps their sensitive data secure.
While the ISO 27K family does not prescribe specific tools and vendors, key security controls such as web filtering and device control solutions are valuable assets for protecting sensitive data against insider threats and other common data security risks.
Need to block websites and removable media devices in your organization? Get started today with a FREE trial of CurrentWare’s security solutions.
More Resources:
No, from a legislative standpoint compliance with ISO 27001 certification standards is not mandatory. However, organizations that work with any highly sensitive classifications of data may require their partners and vendors to meet ISO 27001 compliance requirements.
While it is not mandatory, acquiring ISO 27001 certification is a valuable resource for demonstrating that an organization has implemented information security best practices.
Clause 4.2 of ISO 27001 stipulates that the needs and expectations of interested parties must be considered when developing an Information Security Management System (ISMS).
In the context of ISO 27001, these are stakeholders that are affected by the organization’s information security practices.
Examples of these stakeholders include employees who are expected to be compliant with the ISMS. Customers have a vested interest in the organization’s security practices as it relates to the protection of their personal information.
ISO 27001:2013 certification is valid for 3 years once it has been achieved. During this time the ISMS must be continually monitored and managed to ensure that it is meeting the organization’s information security requirements.
Throughout the three-year certification cycle the organization must continue to run internal audits (clause 9.2), and the independent certification body performs external surveillance audits, typically once a year.
To renew its ISO 27001 certification the organization must audit its practices for nonconformities, rectify any issues, and apply for a recertification audit. This recertification helps ensure that the organization has updated its ISMS to address new threats and vulnerabilities as well as maintaining compliance with updates to the ISO standards.
ISO 27001 certification is not free. The costs of meeting certification requirements are highly variable depending on factors such as the current cyber maturity of the organization, the availability of internal resources, whether or not a consultant is hired, and the costs associated with an independent third-party certification body.
IT Governance estimates that the certification costs alone may cost up to £14,250 for an organization with 1551-2025 employees (Estimated costs for the USA are $27k). These costs do not include fees following the initial certification audit, the costs to implement new controls, and other factors.
They provide further information on the costs associated with this security standard in their 2018 ISO 27001 Global Report.
Other costs to implement the Standard include:
The International Organization for Standardization (ISO) is an independent, non-governmental international body that develops and publishes standards across many disciplines. Membership of ISO is only open to national standards bodies, one per country, that represent standardization in their country.
Learn More: ISO General FAQs
In 2017 there were over 33,000 companies that were ISO 27001 certified. You can learn more about the adoption of ISO 27001 certification in The ISO Survey.
To find out if a specific company is ISO 27001 certified, you can contact the applicable accreditation body. Each country has one or more accreditation bodies, which are members of the International Accreditation Forum (IAF) and which accredit the certification bodies that issue certificates. For example, the United States' national accreditation body is the ANSI National Accreditation Board (ANAB); their directory can be found here.
No. While the security requirements of ISO 27001 should satisfy the General Data Protection Regulation (GDPR) security standards, there is also a privacy component of the GDPR that will not be sufficiently addressed with ISO 27001 certification alone.
Combining your existing certification with the ISO 27701 data privacy framework will help your organization be better prepared to meet data privacy compliance requirements as new laws and regulations emerge.
“This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO 27001 and ISO 27002 for privacy management within the context of the organization.
This document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.” – Official Description of ISO 27701
Learn More: GDPR Chapter 3—Rights of the Data Subject
Annex A is the reference list of controls against which an ISO 27001 ISMS is measured. No individual control is mandatory in itself, but clause 6.1.3 requires you to compare your chosen controls against Annex A and to justify every exclusion in the Statement of Applicability. In ISO 27001, Annex A gives 1-2 sentences per control; ISO 27002 expands on each Annex A control with an average of one page of implementation guidance.
Examples of Annex A Controls:
An ISMS is a holistic approach to ensuring the confidentiality, integrity, and availability of an organization’s information assets.
Though an ISMS is a combination of policies, procedures, tools, and other controls, in the context of ISO 27001 compliance an ISMS is entirely vendor and technology neutral.
The ISO 27001 standard emphasizes that an effective ISMS is not the sole responsibility of any one department or vendor; it is a combination of people, processes and technology from within all aspects of the organization.
A Statement of Applicability (SoA) is one of the mandatory documents for ISO 27001 certification. In an SoA the organization records which Annex A controls are applicable based on its context and risk assessment, whether each applicable control is implemented, and the justification for any control it has excluded.