To understand ISO 27001, you need to first understand ISO. ISO is the acronym for the International Organization for Standardization, which creates international standards in virtually every industry. In fact, the organization has published more than 21,000 international standards.
ISO 27001 is the information security management certification. According to the ISO website, some of the benefits of the ISO 27001 standard are as follows:
Step 1: Purchase the standard. The standard is quite inexpensive—US $120. But implementing the necessary controls and going through the certification process will cost a pretty penny. Keep this in mind if you are working with limited resources.
Step 2: Implement the standard. If you purchase the standard, you have two options:
Take a look at the ISO 27001 Client Manual for more information.
Step 3: Go through the certification process. Once you feel adequately prepared, you can ask a company like British Standards Institute—a large certifier of the ISO 27001 standard—to come in and begin the certification process. This third party will suggest any practices that need alteration before you’re able to become certified.
The end goal of implementing the ISO 27001 controls is to become certified, which signifies that you’re doing a lot of things right when it comes to securing your organization and your data. But there are added benefits along the way as well. Placing this kind of scrutiny on your own information security program and having a third party examine it drives improvements across your organization in a number of areas, from governance, to technology, to policy.
There are a number of reasons those in an organization would want to go through this certification process:
Ultimately, the reason organizations go through such a significant undertaking is to demonstrate to others—including customers, third parties, or shareholders—that they’ve done it. It is also a way to establish that they’ve taken reasonable measures to protect the organization and the data it holds.
This certification takes a significant investment in both time and resources—and you’d only want to proceed if you believe there is a clear and quantifiable benefit to the organization. While purchasing the standard is inexpensive, the certification process itself takes a great deal of time and money. All this being said, ISO 27001 is easily considered the “de facto” approach and international standard for validating a cybersecurity program. If shareholders, customers, or clients want to see definitive proof that you have certain cybersecurity controls in place—and you can take on the time and resource burden—it could be a good thing to move forward with.
An ISO 27001 control is something visible or observable that helps the assessor document whether your organization is satisfying the objectives and requirements of the standard. If there’s a control in place, the expectation is that you’re implementing a process or a technology that addresses the underlying objectives.
For example, one control looks at the electronic devices, systems, and software inventoried at your organization. So the question would be, “Do you have an inventory for mobile devices, laptops, desktops, and software that your organization uses?” In order to answer this question adequately, the organization in question would have to show a list of this inventory and the process by which they collect the items or information.
Before a third party begins an audit of your organization to see if you’re ISO-compliant, you’ll want to go through an internal audit. Luckily, ISO has a fantastic and free resource on their website: the ISO 27001 Self-Assessment Questionnaire. It provides 99 questions—filed under 19 categories—that you can review prior to your certification.
ISO 27001 is a great way of assessing all the different components of your information security program—from policies, processes, and objectives to results, oversight, and more.
But one last thing: Just being certified doesn’t mean you’re secure.
In other words, you can spend a great deal of time, money, and effort validating your own controls—but how do you know with certainty that those controls are effective?
BitSight Security Ratings can validate what goes into your cybersecurity program and is complementary to the ISO 27001 controls. It’s important to go through the ISO 27001 assessment and certification process to see that you are following best practices for creating and implementing an information security program—but certification alone cannot ensure that the program itself will be effective.
© 2026 BitSight Technologies. All Rights Reserved.