ISO 27001 is a globally recognized framework, part of the ISO/IEC 27000 series, for governing an organization’s information security program by providing a clear set of requirements for an Information Security Management System (ISMS).
In this post, we will explain the basic concepts of ISO 27001, outline what you can expect as you work towards compliance, and provide guidance based on our cumulative experience working closely with our customers and auditor partners.
What is an ISMS?
ISMS stands for Information Security Management System, and is a collection of documents including policies, processes, procedures, and controls that together implement an effective risk management process.
When building out your ISMS, it’s your responsibility to ensure that the controls, policies, and procedures you adopt (more on this below) help you meet the following information security objectives:
- Confidentiality: ensuring that only authorized individuals have access to data.
- Integrity: data is always complete and accurate.
- Availability: data can easily be accessed by authorized individuals.
How is ISO 27001 Structured?
TL;DR. ISO 27001 is composed of 10 sections (“clauses”) and one annex (Annex A). Clauses 1 – 3 are conceptual, and outline the scope of the standard, how the document is to be read, and ISO 27001 terms and definitions. Clauses 4 – 10 are more strategic in nature and provide guidelines for the business as a whole. Annex A comprises 114 controls, divided into 14 categories, that should be considered when aiming to comply with the standard.
ISO 27001 is composed of 10 sections (referred to as “clauses” in ISO 27001 terminology) and one annex. While the first three clauses are introductory in nature and serve as an overview of the process itself, clauses 4 – 10 are more strategic, providing guidelines for securing the business as a whole. Each clause contains a set of guidelines intended to improve your company’s security posture We have outlined these below:
- Clause 4: Context of the organization
Establish the context of the ISMS by outlining and documenting how your organization is structured, your contractual relationships, and the way you run your business.
- Clause 5: Leadership
Define the policies that govern your organization, list the roles and responsibilities of team members working on putting the ISMS together, ensure that the team has the necessary resources, and conduct regular reviews.
- Clause 6: Planning
When planning your company’s long-term goals and upcoming work, it’s critical that security and risk are taken into account. The guidelines in this clause surround the processes for doing so.
- Clause 7: Support
Ensure that the appropriate supporting evidence is created, collected, and maintained as you build out your ISMS.
- Clause 8: Operation
Develop, implement, and control processes around information security.
- Clause 9: Performance evaluation
Establish processes to ensure that your ISMS is continuously monitored and evaluated.
- Clause 10: Improvement
Ensures that once performance is evaluated, all gaps are addressed.
In addition to these clauses, ISO 27001 includes a single annex, titled Annex A. This annex comprises 114 controls, divided into 14 categories, that should be considered when aiming to comply with the standard. The security objectives and controls defined in Annex A can be used as a baseline when creating your own set of controls for ISO 27001. However, the list of control objectives and controls contained within Annex A is not exhaustive, and may not apply to your environment — as such, additional security objectives and controls can also be created from scratch or selected from other frameworks. When an Annex A control is not implemented, a justification for its exclusion must be documented and presented to the auditor.
Similarly to the base clauses, the first few sections of the appendix are introductory, and are followed by control sets in sections numbered Annex A.5 – Annex A.18. Here is a brief overview of these categories:
- Annex A.5: Information Security Policies
Show that the policies you’ve developed are in line with the overall organization’s practices.
- Annex A.6: Organization of Information Security
Show that your organization has a framework for implementing and maintaining information security practices for both on-premise and remote devices.
- Annex A.7: Human Resources Security
Show that your organization has the right procedures to help employees and contractors understand their obligations to protect sensitive data. Data should be protected both while they are employed, as well as after they have left the organizations or switched roles.
- Annex A.8: Asset Management
Show that you are able to identify and classify information assets, and that you’ve put measures in place to protect data from unauthorized disclosure, modification, removal, or destruction.
- Annex A.9: Access Control
Show that you’ve developed, and are adhering to, procedures around who has access to information and systems both within and outside the organization.
- Annex A.10: Cryptography
Show that measures have been taken to protect the confidentiality, integrity, and availability of data in your possession.
- Annex A.11: Physical and environmental security
Prove that you’ve taken the necessary steps to secure data, whether it is stored on premises, externally, , in software, or in physical files.
- Annex A.12: Operations Security
If you are working with vendors to process information, show that the data being shared with these organizations is protected and secure.
- Annex A.13: Communications Security
Show that you’re securing your networks and protecting the information that travels through them.
- Annex A.14: System acquisition, development, and maintenance
Show that data security is a consideration when purchasing new systems or upgrading existing ones.
- Annex A.15: Supplier Relationships
Show that the vendors you’re working with are safeguarding data shared with them.
- Annex A.16: Information Security Incident Management
Show that you’ve implemented mechanisms to manage and report on any security incidents, and fix any issues in a timely manner.
- Annex A.17: Information Security Aspects of Business Continuity Management
Show that in the event of a disruption, the business can continue and the information systems will be available.
- Annex A.18: Compliance
Show that you are able to meet legal obligations, and have a plan to mitigate any legal, statutory, regulatory, or contractual breaches.
Why Should I Pursue an ISO 27001 Attestation?
If you want to expand into global markets and need to prove to your international customers that you’re taking data security seriously, ISO 27001 helps you demonstrate efforts towards mitigating information security risks.
The specifics involved in pursuing an ISO 27001 attestation really depend on the market, the wants or needs of the organization’s customers, as well as any regulatory requirements with which the organization needs to comply. Companies in the following industries most typically need ISO 27001:
- IT companies, which may use the ISO 27001 framework as a guideline to protect the data they handle and to comply with contractual security requirements.
- Financial companies, which are required to follow the strictest laws and requirements to ensure their customers’ and stakeholders’ data is safe.
That being said, the ISO 27001 framework is intended to be applicable to all organizations, regardless of type, size or nature, and any organization with sensitive data may find adhering to it to be beneficial.
What is this going to cost me?
TL;DR. As they say, if you need to ask how much it costs… use a compliance automation platform.
Traditionally, ISO 27001 can cost anywhere between $30,000 to $100,000 when you factor in the cost of the audit firm, as well as internal costs including productivity, staff training, and resources needed to meet specific requirements.
At TrustCloud, we believe compliance shouldn’t cost an arm and a leg. We want to make the readiness and audit process both affordable and simple. We’ve broken the cost down into two areas:
- A compliance automation platform. By automating much of the process, platforms such as TrustOps help you reduce and better manage your internal costs. We’ve developed a transparent and straightforward pricing structure to make it easier for you to manage the overall cost of the program (read: $12,000/year for ISO 27001 with no hidden consulting fees.)
- An auditor. We’ve developed strong relationships with a number of audit firms. Not only does this mean that they are trained on the platform and know how to evaluate your business, they are also able to pass along discounts as a result of a referral from TrustCloud. ISO 27001 audit partners in the TrustCloud network charge between $12,000 – $28,000 for audits, based on the maturity and complexity of the engagement.
How long is this going to take?
TL;DR. Without automation and an expert-built system to manage the whole thing, you’re looking at 12 – 18 months.
Given the complex structure of ISO 27001, it can take months, or even a year, to meet all the requirements by putting all the requisite controls, policies, and procedures in place. If you’ve decided to pursue an ISO 27001 attestation, our recommendation is to kickstart this process sooner rather than later.
In addition to the months of preparation, an auditor may spend 6 – 12 months going through your ISMS, depending on the size of your organization and the complexity of your ISMS.
If you’re reading this and find yourself in the depths of despair at how long this is all going to take (maybe because you’ve got a large deal contingent on the attestation report), we’ve got good news! There is a faster way to do your audit prep, and it involves leveraging automation to implement controls, craft policies, and prove that you’re doing what you say you are.
What we’re trying to say is: you should take a look at TrustOps. We guarantee (yes, guarantee!) that it will save you time, resources and money.
How to prepare for an audit?
TL;DR. Appoint a leader and create a task force. The team will be responsible for creating controls and policies, and mapping them to the Annex A controls and clauses 4-10. Gather evidence. Conduct tests. Fill in the gaps. Document everything.
If you’ve been through an ISO 27001 audit before, you are well aware of how tedious and time-consuming it can be for your team and yourself. If you haven’t, we want you to close your eyes, go to your happy place… and then imagine it being slowly filled with spreadsheets from floor to ceiling.
After you’ve made the decision to pursue an ISO 27001 attestation, here’s something to keep in mind when drafting your audit preparation strategy. You may want to create a taskforce of employees from the IT or security team, with support from team members familiar enough with your technical systems. Having an executive or manager own this process with the team will also be hugely beneficial.
The ISO 27001 process requires commitment, and team members may need to take time away from their other tasks to focus on preparing for an audit. You should account for a loss in productivity, and ensure you are staffed accordingly.
The first thing you may want to do is examine ISO 27001’s ten clauses, as well as Annex A, and determine which are applicable to your business. This can feel like an overwhelming decision, and while you can certainly do it by yourself, give us a call if you’d like some help — it’s what we do day in, day out.
Once you’re familiar with the applicable requirements, you will need to create and adopt controls that are relevant to your business, determine systems and business processes that need to conform to them, and validate that your selected controls are appropriately mapped back to the requirements.
What are controls?
Controls are a way to express elements of risk that can impact your business, and account for how these risks can be mitigated. You may need to implement up to 100 controls as part of your ISO 27001 program.
The next step is to fill in the gaps: purchase and implement security tools and services to improve your security and business processes. Some examples of these include performing pen testing, enrolling in asset management, and conducting background checks. At the same time, you should be gathering evidence to show that you are accurately compliant with all relevant controls, writing policies, and documenting procedures that explain how certain controls are satisfied.
What are policies?
A policy is a document that describes how you are mitigating the risk expressed by one or more related controls. The ISO 27001 standard is not very specific about how many policies are required, but the final tally is typically between 15 to 25 policy documents. The number of policies depends on the size of the company, its industry, and any laws and regulations. The most important thing to remember is that everything described in a policy must be demonstrable and provable.
Once complete, it is up to you to conduct the necessary tests to prove your compliance, and ensure that you consistently pass them. If you’re working with a vendor like TrustCloud, we’ll help you automate much of this work. In TrustOps, we’ve developed a readiness-assessment feature to help you determine if you’re on the right path for an audit (consider this a shameless plug).
When you’re ready, it’s time to select an auditor.
How to choose your auditor?
Going through an audit can be a nerve-racking process. When it comes to ISO 27001, the one thing you have to remember is that at its core, an audit is an auditor’s informed opinion on how well your organization’s controls meet the relevant clauses. There are a few things you should consider when selecting an auditor:
- Accreditation: Ensure that your auditor is a member of ANSI National Accreditation Board (ANAB). ANAB assesses and accredits certification bodies. Only certified bodies can issue an ISO 27001 certification.
- Find a reputable firm. It doesn’t have to be a brand-name firm like KPMG; one with a good reputation will suffice. If you need guidance in this area, we’re happy to provide some recommendations.
- Experience matters. An auditor with more experience is likely to have a better and more thorough understanding of ISO 27001, how to evaluate controls against your organization, and the best practices that apply.
- Fit. Auditors are like snowflakes; no two are alike. It’s important that your auditor understands your business, so they can expertly assess if there are any gaps or deficiencies.
What do auditors look for?
TL;DR. Auditors are looking for evidence that proves you’re adhering to the policies and procedures you have selected.
Auditors are guided by the IIA standard Code of Ethics, which tasks auditors with being independent and objective. The documentation you developed as evidence is seen by an auditor as proof that a particular control exists, and helps them evaluate operational effectiveness (whether or not the control is performing as it should).
Using a combination of techniques, an auditor obtains an in-depth understanding of your program and how it fits into the ISO 27001 framework. These techniques may include:
- Observation: Observing you perform a task relevant to specific control.
- Inquiry: Interviewing you or your team to learn about a specific process.
- Inspection: Requesting evidence of compliance with a control.
Stage 1 vs. Stage 2 Audit
The audit process for ISO 27001 is broken down into two distinct stages.
In stage 1, an auditor reviews the ISMS, typically on-site, to determine if mandatory requirements are being met, and whether the management system is good enough to proceed to stage 2. This initial review is primarily focused on validating whether your ISMS is appropriately designed — whether the documented processes exist, are effective, and comply with the standard requirements. The auditor will also gauge your own understanding of the standard, and discuss planning for stage 2. Ideally, stage 1 should take place at most two to four weeks before stage 2, so that the management system does not substantially change between the two stages.
In stage 2, the auditor will more thoroughly assess your ISMS, and evaluate whether its implemented effectively meets ISO 27001 requirements.
In order to satisfy the auditor’s needs, it’s imperative that documentation is both complete and accurate. The source of the information in the document has to be identified and verified, the content of the document must be written with integrity, and the documentation has to be easily accessible and retrievable for audit purposes. At the end of the day, you want your auditor to come to the same conclusion about the state and health of your information security program as you would. It’s your job to help them come to that conclusion.
At the end of this long journey, once an auditor has reviewed your work and determined that your controls, policies, and procedures meet all requirements, and after you have implemented the corrective actions to address the auditor’s findings raised during stage 1 and 2, your auditor will give you their stamp of approval. and can now recommend you for certification.
Your ISMS files will then be reviewed by an independent and certified body, which will (with any luck) decide in your favor and grant you a certification. You can now shout from the rooftops (or post on your website) that you are ISO 27001 compliant…for now.
An ISO 27001 certificate is valid for three years, which in the world of compliance is relatively long. However, ISO 27001 imposes an additional “continual improvement” requirement. To maintain your certification, you must go through surveillance audits every year, in order to ensure that you’re continually improving and adhering to your information security protocols, rather than letting them stagnate.