
ISMS Certification: Benefits and Best Practices

Read our article to learn how ISO 27001 certification protects your company while opening up new business opportunities.

Author: Dr. Kilian Schmidt
Updated on: 28.2.2025

  • An ISMS certification according to ISO/IEC 27001 confirms that a company adheres to international security standards for information protection
  • The ISO 27001 standard provides a structured framework for identifying, managing, and mitigating security risks
  • The certification enhances compliance with data protection regulations such as the GDPR and demonstrates a commitment to protecting sensitive data
  • Companies benefit from ISO 27001 certification through increased customer trust and a competitive advantage in the global market
  • The certification process involves a thorough examination of the security management system in two stages, as well as annual surveillance audits to ensure ongoing compliance

Why is an ISMS certification important?

At a time when cyberattacks are becoming increasingly sophisticated, ISMS certification provides assurance that the organisation has the security measures in place to reduce its information security risks to an acceptable level. Achieving ISO 27001 certification shows that a company is genuinely committed to addressing emerging threats proactively.

Protection of sensitive information

Data-driven organisations that process large amounts of personal data are required to comply with data protection regulations such as the GDPR in the EU and the LGPD in Brazil. A requirement common to all data protection laws is that data must be protected against unauthorised access, data breaches, and other potential risks. Several of the security controls and processes required under ISO 27001 overlap with the data processing requirements of the GDPR.

ISMS Certification: The Key Focus Areas

1. Risk management:

A risk assessment approach is central to identifying, analysing, and managing risks to information assets across the whole organisation. Both ISO 27001 and the GDPR require risks to be assessed regularly so that vulnerabilities and threats are identified, and measures proportionate to those risks are then implemented.

2. Data security:

Both ISO 27001 and the GDPR aim to strengthen data security and reduce the risk of data breaches. To that end, GDPR Article 5 sets out protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage as general principles of data processing.

Compliance with legal requirements

Article 24 of the General Data Protection Regulation stipulates that adherence to codes of conduct and recognised certifications, such as ISO 27001, can be used as one means of demonstrating compliance with the regulation. This means that the parts of the regulation that are covered by components of the standard can readily be satisfied by meeting the standard's requirements.

The key to achieving GDPR compliance through ISO 27001 certification lies in identifying and mapping the personal data a company collects, processes, and stores. In this context, the GDPR is regarded as a comprehensive data protection law on which most countries have based their own data protection regulations. In other words, complying with the GDPR makes it easier to comply with other data protection laws, regardless of jurisdiction.

Companies that want to use ISO 27001 certification to support compliance with other information security regulations should familiarise themselves with the key clauses, annexes, and additional guidance that the frameworks share (as highlighted in the point above). ISO 27001 compliance is centred on information security. Incorporating the ISO 27001 guidance for establishing an information security management system improves compliance with laws or regulations that mandate robust data protection, e.g. NIS (Network and Information Systems).

Boost customer and partner confidence

ISO 27001 certification reflects the organisation's commitment to maintaining high information security standards. It gives certified entities a competitive edge in contract bids, attracts security-conscious customers, and strengthens relationships with existing customers. It also opens doors to the global marketplace, where adherence to international information security standards is highly valued.

ISO 27001 certification also serves as tangible proof that an organisation is prepared to safeguard sensitive customer data. It is a hallmark of robust security measures and fosters trusted B2C and B2B relationships. As a marketing tool, it appeals to security-conscious customers and increases loyalty and retention.

How does ISMS certification work?

ISO 27001 is an international standard for information security. The standard itself does not mandate certification. Organisations choose to become ISO 27001 certified to gain confidence in their information security infrastructure, which in turn builds clients' and stakeholders' trust in the organisation.

Remember that there is a clear difference between compliance with ISO 27001 and ISO 27001 ISMS certification.

Compliance means that an organisation has implemented its ISMS to meet the requirements of ISO 27001. Certification, by contrast, is a formal external assessment process. An independent certification body audits the organisation against the specific requirements of the standard. Only when compliance is demonstrated does the certification body award ISO 27001 certification to the entity.

What is the process for obtaining ISMS certification?

Before you dive into this read, let us warn you that this article is not a step-by-step guide to ISMS certification. The lifecycle of ISMS certification comprises two stages: the pre-audit stage and the audit period. Here, we summarise the processes involved once a third-party auditor is on-site for review. This stage is cyclic and consists of four parts.

We have covered an article extensively breaking down the pre-audit stage, which you can find here.

Initial certification: 2 stages of review

Stage 1 review

The first stage covers an evaluation of how exactly an ISMS designed by an organisation aligns with the extensive requirements of ISO 27001. An organisation needs to document the entire ISMS implementation process, from establishing the ISMS and conducting risk assessments to security control implementation and management reviews.

At this stage, the third-party auditor asks the organisation to produce documentary evidence, including detailed policies, procedures, and processes, for evaluation.

This stage is more of an investigative audit in which the auditor conducts a high-level review of the ISMS. The objective of the review is to gain an understanding of management's description of the organisation's system and the suitability of the design of security controls. It also determines an ISMS's readiness for the next-stage evaluation, which is about checking the effectiveness of controls in practice.

The auditor looks specifically for "nonconformities" and also notes areas where ISMS performance and security could be further improved. If the auditor finds one or more nonconformities, they may ask for corrective actions and evidence of correction before proceeding to Stage 2. The organisation then needs to take the necessary corrective actions to remediate any nonconformities noted by the auditor. Only if this stage satisfies the auditor will the organisation proceed to the Stage 2 review.

What happens in case of nonconformities?

Nonconformities are gaps where the ISMS lacks elements that the standard prescribes.

There are two types of nonconformities:

  • Major nonconformities indicate serious issues with the ISMS, e.g., the scope of the ISMS is not properly defined. These issues require a correction plan, together with evidence of both correction and remediation, before a certificate is issued.
  • Minor nonconformities are less severe issues that indicate a partial misalignment with the ISO 27001 requirements. For any minor nonconformities discovered, the auditor examines evidence of remediation during the following surveillance review to formally resolve them. For example, the organisation's current access control best practice requires employees to use passwords of at least 12 characters. Although the organisation has implemented this, it has not updated the written procedure presented to the external auditor, which still requires an 8-character password.

The Stage 1 audits can be completed remotely, on-site, or through a hybrid approach. The length of the assessment varies with the size of the organisation, the industry it is in, the complexity of the information systems, and the maturity of the ISMS. The more mature the ISMS, the shorter the assessment period, and vice versa.

Stage 2 review

When Stage 1 is cleared as successful, the auditor moves on to the Stage 2 review, often referred to as the 'certification audit'. It is a more comprehensive assessment, in which the auditor conducts an on-site assessment of the ISMS against the requirements of both ISO 27001 and the organisation's internal requirements. This assessment evaluates the effectiveness of the practices, activities, and controls actually implemented within the organisation.

During pre-audit planning, organisations are required to conduct a risk assessment of their environments. This is followed by the development of a risk treatment plan, which outlines the measures to manage the identified risks. The process also includes the creation of a statement of applicability (SoA), which identifies the controls within Annex A of ISO 27001 that best support the objectives of the ISMS. During Stage 2, the auditor evaluates the operational effectiveness of Clauses 4–10 and of the controls defined in the SoA.

Keeping records of identified risks and the methods employed to manage them, reports of any security incidents and actions taken to resolve them, security training programmes organised to educate employees, and findings of the internal audit play an important role in Stage 2 success. These records provide tangible proof to the auditors that the ISMS is implemented, maintained, and improved continuously.

Much like Stage 1, Stage 2 also involves the auditor looking for nonconformities and opportunities for improvement. Any nonconformities found during this stage need to be addressed and corrected before the auditor recommends the organisation for certification. Once this review process is over, the organisation is issued a certificate valid for 3 years. This certificate states that the organisation's ISMS complies with the ISO 27001 standard.

Annual surveillance

Once certification is granted, organisations should make sure their ISMS continues to perform effectively. They are advised to adopt the PDCA (plan-do-check-act) cycle to monitor and document changes, conduct internal audits of risks, and review and repeat all processes established while building the ISMS. Auditors focus on these activities during the surveillance review.

The validity of the certificate lasts for three years. The certification gets confirmed on an annual basis through surveillance audits. The auditor returns annually for two years to reexamine the continued conformance of the ISMS to the ISO 27001 standard. These assessments are less intense compared to certification audits, with a focus on ISMS Framework Clauses 4–10 and a subset of Annex A control activities.

Again, the auditor looks for nonconformities and opportunities for improvement. Any neglect in addressing the nonconformities puts ISO 27001 certification at risk of being revoked.

Recertification

A recertification audit must be completed before the certificate expires. Its goal is to confirm that the ISMS has been maintained effectively, that the impact of any changes introduced to business processes or operations during this period has been documented, and that newly arisen risks have been mitigated.

The recertification covers evaluating the entirety of the ISMS, including its processes, controls, and overall effectiveness in meeting the requirements of ISO 27001. The auditor will once again seek any nonconformities or areas that require improvement. Organisations should promptly address the findings from the recertification audit to maintain their ISO 27001 certificate.

The recertification audit continues to occur every three years for an organisation as long as it maintains its ISO certification.

Kertos can help you get ISO 27001 certified

By now, the substantial benefits that ISO 27001 certification brings to your organisation should be clear. At the same time, the steps involved in certification are easy to confuse. At Kertos, we take the responsibility of ISO 27001 certification off your shoulders and guide you through the entire process.

Kertos eases your way of navigating the complexities of ISO 27001 certification. Our ISO 27001 experts meticulously put together all requirements on your behalf to make sure you're fully prepared for your initial certification audit or subsequent recertification audits every three years. Get in touch with us for any support related to ISO 27001 certification.  

The Founder's Guide to NIS2: Prepare your company now

Protect your startup: discover how NIS2 may affect your company and what you need to consider now. Read the free whitepaper!

Dr Kilian Schmidt

CEO & Co-Founder, Kertos GmbH

Dr. Kilian Schmidt developed a strong interest in legal processes early on. After studying law, he began his career as Senior Legal Counsel and Data Protection Officer at the Home24 Group. Following a position at Freshfields Bruckhaus Deringer, he moved to TIER Mobility, where, as General Counsel, he played a key role in building up the legal and public policy department while the company grew from one to 65 cities and from 50 to 800 employees. Motivated by the limited technological progress in the legal sector and inspired by his advisory work at Gorillas Technologies, he co-founded Kertos to develop the next generation of European data protection technology.

About Kertos

Kertos is the modern backbone of the data protection and compliance activities of scaling companies. We enable our customers to implement integral data protection and information security processes in line with the GDPR, ISO 27001, TISAX®, SOC 2, and many other standards quickly and cost-effectively through automation.
