ISO/IEC 27001:2013 (International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC)) is an international standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an organization’s information security management system. The standard’s goal is to establish an Information Security Management System (ISMS) that ensures a formal, risk-based approach to managing risks to the confidentiality, integrity, and availability of an organization’s information assets.
The standard consists of ISMS requirements and Annex A controls. The ISMS part of the standard outlines the required components and activities of program management, and Annex A lists the security controls that must be selected and implemented based on a security risk assessment.
ISO 27001 is a certifiable standard, meaning companies can obtain a formal certification against it. Additionally, the ISO 27002:2013 standard provides guidance on implementing the ISO 27001 Annex A controls. Unlike ISO 27001, ISO 27002 is not a certifiable standard; it is an implementation guide based on best-practice recommendations that supports ISO 27001.
ISO 27001 certification is valid for three years. However, certified companies are required to conduct annual surveillance audits in order to maintain certification status.
ISO 27001 is an internationally recognized certification standard. Like a SOC 2 Type II audit, it demonstrates to your clients that you have a mature information security program. The ISO certification provides assurance to customers and consumers about the protection of their sensitive data and gives the company a competitive advantage.
Furthermore, many companies require that their service providers maintain ISO 27001 certification, and document this requirement as a contractual obligation.
Implementation of the standard and certification can be broken up into the following phases:
Scope and Objectives of ISMS
To ensure the success of the ISMS, organizations have to understand its scope and objectives, which vary greatly among organizations and industries. Some large organizations may have an ISMS that covers only a specific business unit or location. Similarly, some organizations’ objectives may focus on protecting customer data, while others concentrate on ensuring secure product development.
In this step, the organization makes the organizational changes necessary to lay the ISMS foundation. This includes appointing a role responsible for ISMS management, organizing a Security Council, involving stakeholders across the company, documenting the ISMS, securing the necessary budget, etc.
Security Risk Assessment
A security risk assessment is the key activity in determining which Annex A controls should be implemented to achieve the ISMS objectives. Once the risk assessment is done, the organization completes the Statement of Applicability (SOA), a document that identifies the applicable security controls and provides a justification for each control that is deemed not applicable.
This is the most resource-intensive and time-consuming stage of the process. It requires commitment and involvement from multiple teams across the organization as well as sufficient funding. In this step, all of the missing administrative, technical, and physical controls identified by the risk assessment are implemented.
An internal audit is another required step in the certification process. The goal of the internal audit is to have the implementation and effectiveness of the ISO 27001 requirements validated by an independent audit. Companies may use internal resources not involved in the ISMS implementation, or hire external auditors, to complete the audit. All non-conformities must be addressed prior to the certification audit.
The certification audit can only be performed by an accredited certification body. The audit process consists of two phases: Stage 1 and Stage 2. In Stage 1, the auditor reviews the organization’s ISMS. Stage 2 focuses on the implemented controls (Annex A). When both stages are completed without any non-conformities, the organization receives ISO 27001 certification.
Planet 9 employs seasoned professionals with years of experience working in various private industries, including e-commerce, finance, healthcare, manufacturing, and technology. We have consulting experience helping clients become and remain compliant. Our team includes former Chief Information Security Officers and compliance managers from private industry who have personally been accountable for ISO 27001 compliance.
Depending on the expertise and availability of the client’s internal resources, Planet 9 can fully or partially assist the client with the following: