ISO 27001: The ultimate guide to the gold standard

Find out everything about ISO 27001 certification in our ultimate guide: why it is the gold standard for information security, how the process works and what benefits it offers you.

Author: Dr. Kilian Schmidt
Updated on: 28.2.2025
  • An ISO 27001 certification confirms that a company meets international standards for information security and provides a structured framework for protecting sensitive information
  • The certification strengthens trust with customers and partners, improves compliance with data protection regulations such as the GDPR, and opens up new business opportunities
  • The certification process involves the implementation of an Information Security Management System (ISMS) based on risk management, security controls, and continuous review
  • Companies opting for ISO 27001 certification benefit from a better security structure, minimize potential risks, and ensure long-term compliance
  • Certification costs vary depending on the size of the company and can be significantly reduced by using specialized compliance platforms like Kertos

What is ISO 27001?

A collaborative effort between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) has produced the ISO/IEC 27000 family, a series of several dozen standards. ISO/IEC 27001 is the best-known member and the one against which an organisation's information security management system is certified; the other members (ISO/IEC 27002 with its implementation guidance for the controls, for example) support it rather than being certifiable on their own.

ISO/IEC 27001 is an international standard for information security. It sets out a systematic approach to policies, procedures, documented information, controls, and the people who operate them; together these elements form an information security management system (ISMS) that helps an organisation maintain the confidentiality, integrity, and availability of its information.

The ISO 27001 standard outlines a framework for establishing, implementing, and continuously improving an ISMS. By following the requirements for risk assessment, security control implementation, and regular reviews outlined in ISO/IEC 27001, organisations can identify, manage, and mitigate risks to their information assets.

The ISO 27001 standard has remained a popular choice across continents and business verticals, even as country- and industry-specific alternatives have multiplied. If your organisation is considering the ISO 27001 compliance journey, read on to understand how to get certified and how Kertos can help.

Why do you need ISO 27001 certification?

Most of a modern organisation's information exists in digital form, but less tangible assets such as policies and procedures, proprietary knowledge, and the backing of senior leadership are just as exposed to loss or compromise. A breach of, or unauthorised access to, any of these assets can adversely affect an organisation.

Businesses need strong security measures to address data security risks. Too often those measures are ad hoc and inconsistent across a company, which is no match for a growing threat landscape. This is where an internationally recognised information security framework like ISO 27001 helps: it provides a robust, repeatable structure for protecting both digital and non-digital information assets.

ISO 27001 provides organisations with a structured framework to safeguard their information assets. Risk management, controls, policies, and procedures are its core components for building and continuously improving the ISMS. An ISO 27001 certification means that an accredited certification body has verified that the organisation's ISMS conforms to the requirements of the standard; it is evidence of a systematic, risk-based approach rather than a guarantee that no incident will occur.

Unlike regulations such as the GDPR and the CCPA, adherence to which is mandatory for organisations in scope, compliance with ISO 27001 is not required by law. It is a voluntary certification that organisations choose in order to demonstrate their commitment to information security. Customers, stakeholders, and partners place trust in ISO 27001-certified companies, which opens up new business opportunities and provides a competitive edge in the international marketplace.

While ISO 27001 itself does not decide whether a subcontractor wins a contract, many organisations require their suppliers to meet specific security standards written into the contract between them, and ISO 27001 certification is one of the most common ways to satisfy such a clause. In sensitive industries such as healthcare and finance, it is generally expected.

Annex A of the 2013 edition groups the supplier-related controls under A.15, "Supplier relationships"; in the current 2022 edition the same topics appear as controls 5.19 to 5.23. These controls address the information security risks that arise when an organisation shares access to its information assets with a supplier, and they require the security requirements for that relationship to be agreed upon and documented in the supplier agreement. The key points are:

  • Information security requirements for mitigating the risks associated with suppliers' access to the organisation's assets shall be agreed upon and documented.
  • Relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organisation's information.
  • Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology (ICT) services and the product supply chain.
  • Supplier service delivery shall be regularly monitored, reviewed, and audited.
  • Changes to the supplier's services, including maintenance and improvement of existing information security policies, procedures, and controls, shall be managed, taking into account re-assessments of the risk and the criticality of the business information involved.

Best practices for preparing for ISO certification

ISO 27001 is a complex standard: conformance is not achieved by implementing a single control but by establishing an entire ISMS. Building an ISMS strong enough to protect an organisation's information assets against threats from every direction, and getting it ready for certification, typically takes a year or more.

ISO 27001 differs from many other standards and frameworks in its approach to compliance. Where others prescribe specific security controls, ISO 27001 does not mandate a fixed set of technical controls; its focus is on identifying the risks to the organisation and taking a proactive, proportionate approach to treating them across the organisation's security posture.

Because the framework prioritises risk management over prescribed technical controls, a generic ISO 27001 checklist does not guarantee certification. Annex A of the standard lists 93 reference controls in the 2022 edition (114 in the 2013 edition), but organisations are not required to implement every one of them. Instead, each organisation selects the controls that address the risks to its own business operations, and documents in its Statement of Applicability why each Annex A control was included or excluded.

The International Organisation for Standardisation (ISO) doesn't itself provide the ISO 27001 certifications. Instead, third-party auditors or assessors of accredited certification bodies determine if the organisation's ISMS has been built upon best security practices following established ISO standards. Auditors use their professional experience to evaluate a company's ISMS and determine if it meets the requirements to be eligible for certification.

Where do I start with ISO 27001 certification?

Define the scope of ISMS

Clause 4.3 of the ISO 27001 standard is about setting the scope of an organisation's ISMS. Defining the scope helps determine the areas within which the ISMS will operate. Depending on which parts of the organisation need to create, access, or process the valuable information assets, the scope of ISMS may cover the organisation's systems, processes, subsidiaries, divisions, departments, etc.

Defining the scope can be quick in a small business with one site and one product, but can take months or longer in a large enterprise. For instance, the scope of the ISMS for a SaaS platform managing health data for pharmaceutical companies may include its design, development, technical support, sales, and marketing functions. Because so many departments are involved, this platform will take considerably longer to define its scope.

Given the information assurance expectations of large customers, businesses need to consider not only product development and delivery but also people, processes, and geographies when setting the scope. Key stakeholders, large clients, and entities with substantial purchasing power increasingly require a 'whole organisation' scope, and accreditation bodies such as the United Kingdom Accreditation Service (UKAS), which accredit the certification bodies that perform the audits, encourage the same.

Perform a risk assessment

A risk assessment is required to conform with ISO 27001 (clause 6.1.2) and to ensure that the ISMS appropriately addresses threats. An organisation-wide risk assessment identifies the necessary controls and feeds a prioritised risk treatment plan (clause 6.1.3) for the applicable risks. The assessment differs from organisation to organisation; no two organisations have identical risks or assessments.

The risk assessment starts with an inventory of the organisation's information assets, followed by identification of the risks attached to each of them. Threats and vulnerabilities include unauthorised access, embezzlement, espionage, inadequate data backup, and weak password management, to name a few.

The standard does not prescribe a scoring method, only that the organisation defines and consistently applies its own risk acceptance criteria and assigns a risk owner to each risk. A common approach is to rate the impact and the likelihood of each identified risk on a numeric scale, for example 1 to 10, and to combine the two into a risk score. Categorising risks by impact and likelihood makes it possible to prioritise treatment: risks above the organisation's risk appetite must be treated, while those below it may be accepted with documented justification. The risk treatment plan records the organisation's response (treat, accept, avoid, or transfer) to each identified risk, the controls chosen, and who is responsible.

Complete statement of applicability

Alongside the risk treatment plan, the Statement of Applicability (SoA) is a crucial output of the ISO 27001 risk treatment process. The SoA gives auditors and stakeholders transparency and clarity about how the organisation's chosen controls map to the requirements of ISO 27001.

Per clause 6.1.3 d) of ISO 27001, the SoA must contain the following:

  • Which controls (from Annex A or elsewhere) were determined to be necessary to treat the identified risks.
  • The justification for including each of those controls, and whether or not it is implemented.
  • Which Annex A controls were excluded, and the justification for each exclusion.
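The passage on risk assessment above and the SoA requirements just listed describe one pipeline: score each risk, decide which risks exceed the organisation's appetite, select the controls that treat them, and record every Annex A control as applicable or excluded with a justification. The following Python script, an added example that is not part of the original article or of any Kertos product, walks through that pipeline on a constructed risk register. The 1 to 10 scales, the appetite thresholds, the sample risks, and the five-control subset of Annex A (2022 numbering) are all assumptions chosen for illustration; ISO 27001 prescribes none of them, only that the organisation defines and consistently applies its own criteria.

```python
"""Risk-driven control selection and Statement of Applicability (added example).

Everything below (scales, thresholds, assets, the Annex A subset) is constructed
for illustration. ISO 27001 requires the organisation to define its own risk
criteria (clause 6.1.2) and to record the outcome in the SoA (clause 6.1.3 d).
"""
from dataclasses import dataclass

# Constructed subset of Annex A (ISO/IEC 27001:2022 numbering) used as the catalogue.
ANNEX_A = {
    "5.15": "Access control",
    "5.19": "Information security in supplier relationships",
    "7.7": "Clear desk and clear screen",
    "8.5": "Secure authentication",
    "8.13": "Information backup",
}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    owner: str
    likelihood: int      # assumed scale: 1 (rare) .. 10 (almost certain)
    impact: int          # assumed scale: 1 (negligible) .. 10 (catastrophic)
    controls: tuple      # Annex A controls that would treat this risk

    def __post_init__(self):
        # Refuse ratings outside the agreed scale; an inconsistent register is an
        # audit finding waiting to happen.
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 10:
                raise ValueError(f"{name} must be between 1 and 10")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def treatment(score: int, appetite: int = 20, urgent: int = 50) -> str:
    """Assumed risk acceptance criteria: scores above `appetite` must be treated,
    scores above `urgent` are treated first; everything else may be accepted."""
    if score > urgent:
        return "treat-now"
    if score > appetite:
        return "treat"
    return "accept"


def risk_treatment_plan(risks, appetite: int = 20):
    """Return (risk, decision) pairs, highest score first."""
    ranked = sorted(risks, key=lambda r: r.score, reverse=True)
    return [(r, treatment(r.score, appetite)) for r in ranked]


def statement_of_applicability(plan, implemented):
    """Derive the SoA from the treatment plan: a catalogue control is applicable
    when at least one treated risk relies on it, otherwise it is excluded with a
    reason. `implemented` is the set of control ids already in operation."""
    soa = {}
    for ctl, name in ANNEX_A.items():
        justifying = [f"{r.asset}: {r.threat}"
                      for r, decision in plan
                      if decision != "accept" and ctl in r.controls]
        soa[ctl] = {
            "name": name,
            "applicable": bool(justifying),
            "implemented": bool(justifying) and ctl in implemented,
            "justification": justifying or
                "no identified risk above appetite relies on this control",
        }
    return soa


def sample_risks():
    """Constructed risk register (not real data)."""
    return [
        Risk("customer database", "unauthorised access via shared admin credentials",
             "Head of Engineering", 6, 9, ("5.15", "8.5")),
        Risk("backups", "restore procedure never tested", "IT Operations", 4, 8, ("8.13",)),
        Risk("customer database", "breach at supplier with read access",
             "Head of Procurement", 3, 8, ("5.19",)),
        Risk("office printouts", "sensitive printout left on a desk",
             "Office Manager", 3, 2, ("7.7",)),
    ]


if __name__ == "__main__":
    plan = risk_treatment_plan(sample_risks())
    for risk, decision in plan:
        print(f"{risk.score:3d}  {decision:9s}  {risk.asset}: {risk.threat}  [{risk.owner}]")
    for ctl, row in statement_of_applicability(plan, {"5.15", "8.13"}).items():
        state = "applicable" if row["applicable"] else "excluded"
        done = "implemented" if row["implemented"] else "not implemented"
        print(f"A.{ctl} {row['name']}: {state}, {done}; {row['justification']}")
```

The interesting property for an auditor is that every row of the SoA is traceable to a risk in the register, and every accepted risk is visible with its owner rather than silently dropped. Replacing the constructed thresholds with the organisation's real acceptance criteria and the catalogue with the full Annex A turns this into the skeleton of a maintainable risk register.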

Document information security policies

Working with management, information security professionals, and legal advisors, the organisation should define a set of information security policies, have them approved, publish them, and communicate them across the organisation (clause 5.2). Policies should be formulated with business needs in mind and with regard to the regulations and legislation that apply to the organisation.

The principles set out in the policies must be followed by the organisation's personnel and by third-party suppliers. The standard requires policies to be reviewed at planned intervals and updated whenever security weaknesses, events, or incidents indicate a need for change, and whenever technology or regulation moves on.

Operationalise the ISMS

Operationalising the ISMS means putting procedures in place that satisfy Clauses 6 through 10 of the standard: planning (risk assessment, risk treatment, and information security objectives), support (resources, competence, awareness, communication, and documented information), operation (executing the risk treatment plan and controlling changes), performance evaluation (monitoring, measurement, internal audit, and management review), and improvement (handling nonconformities and corrective actions so that the policies and strategies stay current).

Furthermore, ensuring that the policies and strategies are in line with the tactical actions demonstrates the operational and repeatable nature of the ISMS. This means that the established processes and activities (assessing risks, executing control processes, tracking metrics, and identifying and implementing corrective actions) can be reliably executed over time.

Perform an internal audit

An audit by the internal team alone, or with the oversight of external consultants, is required to monitor the ISMS and report its findings to management. An independently conducted internal audit helps an organisation discover any nonconformities with the ISMS and recommends any possible opportunities for improvement.

The next action should be to implement corrective actions and assess their effectiveness. Senior-level management should continuously review the system and schedule regular review meetings to discuss updates on ISMS reviews, feedback from internal audits and risk assessments, and document the findings and related actions.

Engage an accredited certification body

Finally, an accredited certification body is engaged to perform the certification audit, which consists of two stages. In Stage 1, the certification body reviews whether the organisation is ready: the required documentation and processes exist, there is evidence of implementation, metrics are defined, and management support is in place.

Once those prerequisites are confirmed, the certification body moves on to the more detailed Stage 2 audit, examining whether the controls applied in the organisation meet the requirements of the standard. Here the auditor draws on the Stage 1 findings to verify that the organisation has actually implemented what its documentation describes. The organisation must implement corrective actions for any nonconformities the auditors raise and track their effectiveness; major nonconformities must be closed before the certificate is issued.

Once the ISO 27001 certificate is issued, it is typically valid for three years. To keep it, the organisation undergoes annual surveillance audits, followed by a full recertification audit at the end of the cycle. The surveillance audits are less extensive than Stage 2, but nonconformities that are not corrected can lead to the certificate being suspended or withdrawn before its expiry date.

ISO 27001 certification costs

The cost of ISO certification largely depends on the size of the organisation and the complexity of the ISMS's scope. Costing is largely allocated around the following areas:

  • Training employees on the intricacies of ISO 27001 best practices.
  • Conducting a gap analysis to discover shortcomings in the ISMS and improve it to meet the standard's requirements.
  • Subcontracting a consulting service adept at ISO 27001 certification to get a grasp of the ISO 27001 requirements, develop an ISMS from scratch, and get started with ISO 27001 certification.
  • The certification body's fees for the Stage 1, Stage 2, and surveillance audits.

In a nutshell, the readiness stage, which involves defining the scope of ISMS, identifying where sensitive information is stored, conducting a risk assessment, and implementing policies and controls, costs between $10K and $39K. The cost of hiring an auditor runs between $14K and $16K for a small start-up. Hiring a Big Four firm (PwC, Deloitte, Ernst & Young, and KPMG) comes at a premium.  

Once certified, the cost of surveillance audits usually ranges from $6K to $7.5K each. In total, if you DIY, the cost of certification can range from $57K to $78K; if you choose a consultant to help you with certification, the cost may jump to range from $66K to $69K. However, taking advantage of a compliance platform to get certified can trim the cost to a great extent, largely between $43K and $51K.

The founder's guide to NIS2: prepare your company now

Protect your startup: find out how NIS2 can affect your company and what you need to consider now. Read the free whitepaper now!
Ready to put your compliance on autopilot?
Dr Kilian Schmidt

CEO & Co-Founder, Kertos GmbH

Dr. Kilian Schmidt developed a strong interest in legal processes early on. After studying law, he began his career as Senior Legal Counsel and Data Protection Officer at the Home24 Group. Following a position at Freshfields Bruckhaus Deringer, he moved to TIER Mobility, where as General Counsel he played a key role in building up the legal and public policy department, growing the company from one to 65 cities and from 50 to 800 employees. Motivated by the limited technological progress in the legal field and inspired by his advisory work at Gorillas Technologies, he co-founded Kertos to develop the next generation of European data protection technology.

About Kertos

Kertos is the modern backbone of the data protection and compliance activities of scaling companies. We enable our customers to implement integral data protection and information security processes in line with the GDPR, ISO 27001, TISAX®, SOC 2 and many other standards quickly and cost-effectively through automation.

Ready for relief when it comes to the GDPR?