Do you ever get tired of those statements from companies after a data breach telling us: “we take your security seriously”?
In a year of high-profile ransomware incidents and data breaches, security is near the top of the agenda as never before. Boards and managers are asking how they can protect their organisations better against similar incidents. One way to do this is to become certified to the ISO 27001 information security standard. It’s not a technology product or service but a way of demonstrating security by applying repeatable policies and documented procedures to manage risk.
What is it – and what is it not?
ISO 27001 is a globally accepted independent standard that provides external validation for an organisation’s information security. The last major revision to the standard happened in 2013 and the next update is expected around 2022-2023. Both the standard and the audit process include the people, processes and technology involved in maintaining security within the organisation.
It is not limited to IT and is not a security checklist or risk analysis method. It is also not an insurance policy against security breaches – but it does mean the business will have prepared incident response processes and business continuity plans in place, so it will be better placed to deal with possible incidents.
Choosing to become certified is not a once-off exercise to tick the box and say: “we’re secure”. It’s a continuing commitment to embed good security practice throughout an organisation or business. Certification should be viewed as a strategic investment.
Why become certified to ISO 27001?
The number of organisations becoming certified to the ISO 27001 standard is increasing all the time. The most recent data from ISO (the International Organization for Standardization) shows that certifications were up by almost 14 per cent in 2019 compared to 2018. There are many possible reasons for this: some organisations become certified to improve their business processes. Others do it to demonstrate a clear commitment to security for stakeholders, investors, or customers.
In some industries, large or regulated organisations require ISO 27001 certification before a company can submit a tender for work. And although the EU GDPR focuses primarily on data protection, it includes requirements to provide adequate security controls (including the controls of any third-party provider who may store or process personal data on your behalf), and organisations often find it easier to comply with the regulation after becoming certified to the standard. Certification provides evidence for third parties that you have security controls in place, which might reduce the time spent by those organisations tasked with completing lengthy supplier security questionnaires.
How does it work?
The ISO 27001 standard (ISO/IEC 27001:2013 to give its full title) refers to an Information Security Management System, or ISMS, which describes controls that an organisation needs to implement to ensure that it is sensibly managing the risks it has identified. It’s essentially split into two parts. Ten short clauses cover the management, support, and oversight of the ISMS. Leaders should demonstrate their commitment to security and risk management by ensuring they have:
- The right organisational structure in place to inform them about key IT and security-related risks
- Clear policy and security objectives
- Adequate and suitably trained resources available
- Communicated the importance of having effective security management
- Planned security requirements, including scheduled audits
- Promoted continual improvement.
The second part of the standard is a long annex with a list of controls and their objectives. This includes human resources security, access management, supplier relationships, physical and environmental security, as well as operational and network controls.
Who is it for?
The idea of becoming certified to an international standard might sound daunting, or a task for large enterprises. In reality, ISO 27001 is suitable for businesses of any size – even sole traders or small companies. Organisations can scope and scale their certification to suit their needs and size. They can decide to certify a product, a process, or a single location.
Once certified, an organisation is continuously trying to evolve, managing risk by regularly reviewing its security, and checking to see where possible gaps may be and where there’s a threat to its defences. This can help to build a process of continuous improvement, because maintaining the certification involves regular independent audits to ensure compliance with the standard.
How does the ISO 27001 certification process work?
There is a two-stage audit process to become certified to ISO 27001. An externally accredited body will carry out a stage one assessment to determine if the organisation meets the mandatory requirements of the standard and if the management system is ready to proceed to stage two. The assessor will call out any non-conformities that you will need to address before you can progress to stage two. There is usually a gap of two or three months between the two stages, giving you time to address any findings or concerns identified in the audit, and to build evidence.
The stage two assessment determines the effectiveness of your management system and seeks to confirm that your management system controls have been implemented and are fully operational. If your assessor is satisfied that your organisation is compliant with the relevant standard and has reviewed any corrective action you needed to take after stage one, they will recommend your organisation for certification.
To stay certified, you should carry out internal audits at least once a year. You can do this in house or with an external consultancy that specialises in ISO 27001. There are also six-monthly surveillance audits carried out by the accreditation body to ensure continuous improvement.
Who can help me to achieve certification?
It can help to work with an external consultancy when you are getting ready to become certified. Using its experience, the consultancy can identify gaps where you fall short of the requirements. It can also advise on actions to take to fill those gaps. Working with a consultancy company can help you to develop a process for assessing risks that covers not just physical IT assets but also intangible assets. Because ISO 27001 is an audited standard, you need to produce a lot of evidence. A specialist consultancy can make sure you know which documents you will need to collect and which evidence to record to become certified.
A specialist consultancy firm can also help you develop new policies or review existing ones and develop your Statement of Applicability, or SOA, which is a key document that states what ISO 27001 controls and policies your organisation is applying. Lastly, the implementation stage usually consists of an internal audit to validate the controls and evidence are in place.
By becoming certified to the ISO 27001 standard, organisations benefit in many ways:
- A framework to ensure they fulfil commercial, contractual, and legal responsibilities
- A process to identify and manage risk exposure that builds or enhances a security culture and supports continuous improvement
- A potentially significant competitive advantage
- An external validation of the security systems – covering the people, processes and technology – in place at the organisation.
With a structured, independently validated way to manage information security, certified organisations benefit from being able to manage their IT security risk better, keep confidential data secure, and protect their reputation. Achieving certification can demonstrate to others that you really are “taking security seriously”, rather than just taking an interest after a breach.
Some more ISO 27001 resources:
- Our whitepaper: “ISO 27001: making the case for reaching the standard”
- A past webinar by one of our Senior Information Security Consultants: “Build trust in your business: how ISO 27001 & 27701 certification can help”