Learn about the ISO 27001:2013 international certifiable standard and its significance for ISMS reliability
Safety and security indisputably belong to the main values of contemporary personal and business interactions. Modern organizations hold personal data about their clients as well as sensitive information about their own business operations. Failure to protect such sensitive and vulnerable information often has serious consequences that may even lead to business failure. As such, among the most acute concerns of contemporary business operations are: How can all possible risks be identified? What tools are available to manage them? And, in general, how can information be appropriately protected? To address these concerns, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) published the ISO 27001 standard in 2005. The standard has become the internationally recognized framework for maintaining organizations’ information security management systems (ISMS) worldwide. Nowadays, ISO 27001 certification adds value and credibility to organizational operations by demonstrating that products and services meet national regulations and the expectations of the main stakeholders.
Regardless of their size and scope of activity, organizations are seeking to obtain ISO 27001 certificates for their ISMS. Even when organizations do not choose to implement ISO 27001 voluntarily, many are obligated to be certified by virtue of contractual agreements with their customers. According to the latest ISO survey, conducted in 2019, the leader in ISO 27001 certification is China with 8,300 certificates issued. It is followed by Japan with 5,200 certificates, Great Britain (2,800), India (2,300), Italy (1,300), Germany (1,100), the Netherlands, and Spain (938).
The United States, with 757 certificates, is in ninth place, but the number of certified sites is three times higher. Such a large number of certifications by site means that US companies located abroad strive to meet all international and national information security demands.
Indisputably, information technology is the main sector for ISO 27001 certification: it obtained 8,500 certificates worldwide in 2019, nearly eight times more than the second largest industry, transport, storage, and communications.
As US companies actively conduct their operations worldwide, ISO 27001:2013 certification is essential for gaining a competitive advantage on both national and international markets as well as giving confidence to their stakeholders that all sensitive data is adequately secured.
The 27000 series currently includes more than a dozen published standards, but ISO 27001:2013 is the best known of the family. Beyond 27001, there are four other standards that you should be aware of when implementing an ISMS.
ISO 27000:2018 gives an overview of ISMS and provides the terms and definitions that are commonly used throughout the ISMS family of standards.
ISO 27002:2013 provides the code of practice for information security controls and policy guidance. In comparison to ISO 27001 that provides high-level control requirements, ISO 27002 provides detailed implementation guidance for those controls.
ISO 27005:2018 provides a framework for conducting information security risk assessments.
ISO 27701:2019 specifies general requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO 27001 for privacy management within the context of the organization.
ISO 27001:2013 certification, combined with the main considerations of the other related standards, enables organizations to successfully manage the security of assets such as intellectual property, financial data, personal data, and other sensitive information.
ISO 27001 was originally published in 2005 and has since been revised several times, and it has become the international standard for ISMS. The most significant update to ISO 27001 occurred in 2013, when the “Annex SL” structure was adopted. Although there were some minor amendments in 2017 and 2019, ISO 27001:2013 remains the current standard that organizations pursue.
The ISO 27001:2013 standard contains two main sets of requirements: the ISMS requirements (the management clauses) and the control set in Annex A.
The first set comprises the core ISO 27001 requirements and contains ten numbered clauses (1.0 to 10.0), which specify the general framework for management system standards. Clauses 4.0 to 10.0 are the building blocks of a successful certification process. These clauses cover the Context of the Organization, Leadership, Planning, Support, Operation, Performance Evaluation, and Improvement. As with other ISO management system standards, all the requirements in Clauses 4.0 to 10.0 are mandatory, and none of them can be excluded as not applicable.
The other set of requirements is specified in a section called Annex A, which declares management direction for information security. The main aim of Annex A is to support the ISMS in line with the organization’s requirements, as well as in accordance with relevant laws and regulations. Annex A provides a control framework grouped into fourteen domains.
Obtaining an ISO 27001:2013 certificate helps ensure effective protection of sensitive and vulnerable information across the three aspects of security: confidentiality, integrity, and availability. An ISMS that complies with ISO 27001 uses a set of best practices that facilitate the appropriate design, implementation, and maintenance of controls. These practices usually combine the core business processes (e.g. recruitment, product design, maintenance, service delivery) with the specific ones designed to maintain information security (e.g. incident management and information classification). It is important to realize that the primary goal of ISO 27001:2013 certification extends beyond the ISMS itself and focuses on providing and processing information without disruption, supporting the business processes as a whole.
To establish a reliable ISMS, ISO advocates the Plan-Do-Check-Act (PDCA) approach. In the Plan step, the organization establishes objectives, resources, policies, and stakeholders’ requirements and identifies risks and opportunities. The Do step implements what was planned. The Check step monitors and measures the performance of the processes. Finally, in the Act step, all necessary preventive and corrective actions for improving ISMS performance are implemented. Besides its obvious advantages for the ISMS, the PDCA management practice makes it possible to reuse investments in such important management areas as quality management, environmental management, and security management. Therefore, PDCA is a good way to achieve ISO 27001:2013 compliance.
The main purpose of ISO 27001:2013 certification is to provide a robust framework for protecting sensitive and vulnerable information in organizations of all types, sizes, and scopes of activity. Keeping the ISMS compliant with ISO 27001 is especially important for organizations with increased exposure to information security risks.
It is important to note that ISO itself is not involved in the certification process; it only develops the International Standards (the CASCO Standards) that provide guidance for certification. The only entities that can perform certification are external certification bodies. Half of the battle in assuring a successful ISMS certification is choosing the right certification body. The most reliable ones follow the relevant CASCO Standards and are accredited. Finding an experienced consulting services provider is also an important step, and Planet 9 provides reliable support throughout the preparation and certification processes.
The process of obtaining ISO 27001 certification is complex and demands effort and commitment from the entire organization. It usually consists of a series of interrelated steps with clearly defined objectives. At the beginning of the certification process, it is recommended to identify the scope and objectives of the ISMS for the particular organization. These objectives may range from protecting customers’ data to ensuring secure product development. Once the organizational objectives are established, the organization can start building the ISMS foundation. The third step is conducting a security risk assessment in order to determine the applicable controls from Annex A. The risk assessment is essential for completing the Statement of Applicability (SoA), which identifies the applicable security controls. The fourth step is the gap assessment, which identifies all the missing administrative, technical, and physical controls. This step is followed by the remediation of the identified gaps. An internal audit is another required step in the certification process; its primary goal is to validate the implementation and effectiveness of the ISO 27001 requirements.
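The risk assessment, Statement of Applicability and gap assessment steps described above can be modelled as one small calculation: score each risk, mark a control applicable when a risk above the treatment threshold names it, and list the applicable controls that are not yet in place. The following Python script is an added illustration of that chain; it is not code from the article or from Planet 9. The assets, risk scenarios, likelihood and impact scores, the treatment threshold and the list of already implemented controls are all constructed sample data, and the control identifiers are assumed to follow the ISO/IEC 27001:2013 Annex A numbering.

```python
"""Risk assessment -> Statement of Applicability -> gap list.

Added illustration, not part of the original article. All asset names,
scenarios, scores and statuses below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed subset of Annex A; identifiers assumed from the 2013 numbering.
ANNEX_A = {
    "A.8.2.1": "Classification of information",
    "A.9.2.1": "User registration and de-registration",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.12.3.1": "Information backup",
    "A.12.4.1": "Event logging",
    "A.16.1.1": "Incident management responsibilities and procedures",
}

# Constructed treatment threshold: likelihood x impact at or above this value
# must be treated by a control rather than accepted.
RISK_THRESHOLD = 8


@dataclass
class Risk:
    asset: str
    scenario: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    controls: tuple          # Annex A controls that would treat this risk

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def assess(risks):
    """Return (risk register sorted by score, Statement of Applicability).

    A control becomes applicable when at least one risk at or above the
    threshold names it. Every other catalogued control is still recorded,
    with the reason for exclusion, so the SoA covers the whole catalogue.
    """
    register = sorted(risks, key=lambda r: r.score, reverse=True)
    reasons = {}
    for r in register:
        if r.score < RISK_THRESHOLD:
            continue  # accepted risk: no control is required for it
        for cid in r.controls:
            reasons.setdefault(cid, []).append(
                f"{r.asset}: {r.scenario} (score {r.score})")
    soa = {
        cid: {
            "applicable": cid in reasons,
            "justification": reasons.get(cid, ["no risk at or above threshold"]),
        }
        for cid in ANNEX_A
    }
    return register, soa


def gaps(soa, implemented):
    """Applicable controls not yet in place: the remediation list."""
    return sorted(cid for cid, entry in soa.items()
                  if entry["applicable"] and cid not in implemented)


# Constructed sample risk register.
SAMPLE_RISKS = [
    Risk("customer database", "access by a former employee whose account was not removed",
         3, 4, ("A.9.2.1", "A.12.4.1")),
    Risk("backup media", "loss of the only backup leaves no recoverable copy",
         2, 5, ("A.12.3.1",)),
    Risk("staff laptops", "lost laptop holding unencrypted, unclassified files",
         3, 3, ("A.10.1.1", "A.8.2.1")),
    Risk("public website", "defacement of marketing content",
         2, 2, ("A.16.1.1",)),
]

# Constructed: controls the organization already operates.
IMPLEMENTED = {"A.12.3.1", "A.9.2.1"}


def run():
    """Execute the three steps on the sample data and return the results."""
    register, soa = assess(SAMPLE_RISKS)
    return register, soa, gaps(soa, IMPLEMENTED)


if __name__ == "__main__":
    register, soa, todo = run()
    for r in register:
        print(f"{r.score:>3}  {r.asset}: {r.scenario}")
    for cid, entry in soa.items():
        status = "applicable" if entry["applicable"] else "excluded"
        print(f"{cid:<9} {status:<10} {ANNEX_A[cid]}")
    print("remediation list:", todo)
```

On the sample data, the website defacement risk scores 4 and is accepted, so A.16.1.1 is recorded in the SoA as excluded with its reason, while the remaining five controls are applicable; the gap list then contains the three applicable controls outside the implemented set. Keeping the exclusion reasons in the SoA matters because, as the article notes later, auditors expect documented evidence for every decision, including the controls an organization chose not to implement.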
After completing the previous steps and addressing all identified gaps and non-conformities, the ISO 27001 certification audit is conducted. The audit is divided into two phases, Stage 1 and Stage 2. In Stage 1, the auditor reviews the organization’s ISMS; Stage 2 focuses on the implemented controls. The organization receives ISO 27001 certification when both stages are successfully completed.
It often happens that auditors reveal non-conformities with ISO 27001 requirements and procedures. Furthermore, as technologies and business processes constantly evolve, the risk landscape changes every minute, so no ISMS is likely to be perfect from the start. The NQA global certification body has published and discussed the typical non-conformities found by its auditors. According to NQA, one of the most frequent failures is neglecting the requirement to retain documented information. Auditors expect to see evidence of the ISMS-related processes, controls, and operating procedures, and its absence is likely to result in a non-conformity. Common examples are records required by the organization’s own rules that are missing, activities that are part of the organization’s usual practice but are not documented, and documentation that is kept improperly. The next common failure is not following defined information security procedures, or even not knowing that one exists; typical examples are sending sensitive emails insecurely and not reviewing system logs. NQA also reports that around 50% of non-conformities occur because organizations fail to define the external and internal issues that affect their ISMS. This is only a short list of issues that can lead to non-conformities during and after the ISO 27001 audit; there are many others. Therefore, to maintain the organization’s resilience to information security events and avoid non-conformities in the certification process, organizations must keep their ISMS actively managed and continually improved.
To sum up, among the main drivers of ISMS stability are adopting the world’s best practices and learning from the organization’s own mistakes and experience. Security incidents, performance issues, complaints from stakeholders, and ideas generated at management reviews lead companies to pursue ISO 27001 certification, which has become synonymous with security and stability.
If you need any help with ISO 27001 certification readiness or other information security and compliance services, we’ll be happy to assist: