How to Achieve ISO 27001
Welcome to our guide on ISO 27001 compliance! We’ll cover everything you need to know about ISO 27001, including its clauses, the preparation & audit processes, costs, and best practices. Let’s get started!
The Basics of ISO 27001
Before diving into the details of ISO 27001 compliance, it’s important to establish a foundation of knowledge about the framework and its key concepts. In this section, we’ll cover the basics of ISO 27001, including its purpose, its differences against SOC 2, its role in ISMS and its clauses. Whether you’re new to ISO 27001 or just need a refresher, this section will help you understand the fundamentals of this important framework.
What is ISO 27001, and why should I pursue it?
ISO 27001 is a globally recognized framework, part of the ISO/IEC 27000 series, for governing an organization’s information security program by providing a clear set of requirements for an Information Security Management System (ISMS).
If you want to expand into global markets and need to prove to your international customers that you’re taking data security seriously, ISO 27001 helps you demonstrate efforts towards mitigating information security risks.
The specifics involved in pursuing an ISO 27001 attestation really depend on the market, the wants or needs of the organization’s customers, as well as any regulatory requirements with which the organization needs to comply. Companies in the following industries most typically need ISO 27001:
- IT companies, which may use the ISO 27001 framework as a guideline to protect the data they handle and to comply with contractual security requirements.
- Financial companies, which are required to follow the strictest laws and requirements to ensure their customers’ and stakeholders’ data is safe.
That being said, the ISO 27001 framework is intended to be applicable to all organizations, regardless of type, size or nature, and any organization with sensitive data may find adhering to it to be beneficial.
The Differences Between ISO 27001 vs. SOC 2
SOC 2 and ISO 27001 are compliance frameworks commonly required of organizations that house data or store sensitive information. Both standards focus on information security management, but they have some key differences in their approach and scope.
SOC 2 is relatively more affordable and faster to achieve, but ISO is a universal standard around the globe, and its certification is recognized by all industries in all regions. On the other hand, ISO usually takes about 50 – 60% more time to complete, and it costs 50 – 60% more as well.
Neither SOC 2 or ISO is mandatory, but acquiring them helps you:
- Build trust with potential customers
- Pass security reviews and win business
- Stay on track with compliance and regulatory requirements
- Evaluate and improve data security practices on a regular basis
So, how would one know which one to pursue?
It depends on a multitude of factors, such as how mature your company is, where it’s located, where your customers are, where and how you want to grow, and how many resources you have at your disposal. A critical factor is customer requirements; if your customers expect one or both of these frameworks, then they may be required to do business.
Now that that’s out of the way, let’s get back to ISO 27001.
What is ISMS, and how does it relate to ISO 27001?
ISMS stands for Information Security Management System, and is a collection of documents including policies, processes, procedures, and controls that together implement an effective risk management process.
When building out your ISMS, it’s your responsibility to ensure that the controls, policies, and procedures you adopt help you meet the following information security objectives:
- Confidentiality: ensuring that only authorized individuals have access to data.
- Integrity: data is always complete and accurate.
- Availability: data can easily be accessed by authorized individuals.
ISO 27001 Clauses
ISO 27001 is composed of 10 sections (“clauses”) and one annex (Annex A). Clauses 1 – 3 are conceptual, and outline the scope of the standard, how the document is to be read, and ISO 27001 terms and definitions.
Clauses 4 – 10 are more strategic in nature and provide guidelines for the business as a whole. Annex A comprises 114 controls, divided into 14 categories, that should be considered when aiming to comply with the standard.
Each clause contains a set of guidelines intended to improve your company’s security posture. We have outlined these below:
- Clause 4: Context of the organization
Establish the context of the ISMS by outlining and documenting how your organization is structured, your contractual relationships, and the way you run your business.
- Clause 5: Leadership
Define the policies that govern your organization, list the roles and responsibilities of team members working on putting the ISMS together, ensure that the team has the necessary resources, and conduct regular reviews.
- Clause 6: Planning
When planning your company’s long-term goals and upcoming work, it’s critical that security and risk are taken into account. The guidelines in this clause surround the processes for doing so.
- Clause 7: Support
Ensure that the appropriate supporting evidence is created, collected, and maintained as you build out your ISMS.
- Clause 8: Operation
Develop, implement, and control processes around information security.
- Clause 9: Performance evaluation
Establish processes to ensure that your ISMS is continuously monitored and evaluated.
- Clause 10: Improvement
Ensures that once performance is evaluated, all gaps are addressed.
In addition to these clauses, ISO 27001 includes a single annex, titled Annex A. This annex comprises 114 controls, divided into 14 categories, that should be considered when aiming to comply with the standard. The security objectives and controls defined in Annex A can be used as a baseline when creating your own set of controls for ISO 27001. However, the list of control objectives and controls contained within Annex A is not exhaustive, and may not apply to your environment — as such, additional security objectives and controls can also be created from scratch or selected from other frameworks. When an Annex A control is not implemented, a justification for its exclusion must be documented and presented to the auditor.
Similarly to the base clauses, the first few sections of the appendix are introductory, and are followed by control sets in sections numbered Annex A.5 – Annex A.18. Here is a brief overview of these categories:
- Annex A.5: Information Security Policies
Show that the policies you’ve developed are in line with the overall organization’s practices.
- Annex A.6: Organization of Information Security
Show that your organization has a framework for implementing and maintaining information security practices for both on-premise and remote devices.
- Annex A.7: Human Resources Security
Show that your organization has the right procedures to help employees and contractors understand their obligations to protect sensitive data. Data should be protected both while they are employed, as well as after they have left the organizations or switched roles.
- Annex A.8: Asset Management
Show that you are able to identify and classify information assets, and that you’ve put measures in place to protect data from unauthorized disclosure, modification, removal, or destruction.
- Annex A.9: Access Control
Show that you’ve developed, and are adhering to, procedures around who has access to information and systems both within and outside the organization.
- Annex A.10: Cryptography
Show that measures have been taken to protect the confidentiality, integrity, and availability of data in your possession.
- Annex A.11: Physical and environmental security
Prove that you’ve taken the necessary steps to secure data, whether it is stored on premises, externally, , in software, or in physical files.
- Annex A.12: Operations Security
If you are working with vendors to process information, show that the data being shared with these organizations is protected and secure.
- Annex A.13: Communications Security
Show that you’re securing your networks and protecting the information that travels through them.
- Annex A.14: System acquisition, development, and maintenance
Show that data security is a consideration when purchasing new systems or upgrading existing ones.
- Annex A.15: Supplier Relationships
Show that the vendors you’re working with are safeguarding data shared with them.
- Annex A.16: Information Security Incident Management
Show that you’ve implemented mechanisms to manage and report on any security incidents, and fix any issues in a timely manner.
- Annex A.17: Information Security Aspects of Business Continuity Management
Show that in the event of a disruption, the business can continue and the information systems will be available.
- Annex A.18: Compliance
Show that you are able to meet legal obligations, and have a plan to mitigate any legal, statutory, regulatory, or contractual breaches.
Starting your ISO 27001 Journey
Now that you have a basic understanding of the framework and its requirements, it’s time to begin your compliance journey. In this section, we’ll provide guidance on which tools to use, how to best prepare for the audit, auditor selection, share what auditors look for, and the cost breakdown of it all.
The Tools to Use to Pass an ISO 27001 Audit
The execution of certain controls necessitates acquiring and incorporating tools or services. The following compilation has been carefully curated from TrustCloud customers to highlight potential purchases essential for your ISO 27001 preparation. To read about the tools that led our customers to compliance success, check out our ISO 27001 Toolkit list.
*It’s important to note that these suggestions are not comprehensive but rather serve as a preliminary guide.
Understanding the Audit Process
Before we dive into the details around preparing for an ISO 27001 audit, let’s take a step back and start by outlining the three stages that make up the ISO 27001 certification process itself. Keeping this broader view in mind will save you time and help you better structure your preparation.
In stage 1, the auditor you selected will review your ISMS, typically on-site, to determine if mandatory requirements are being met, and whether the management system is good enough to proceed to stage 2.
This initial review is primarily focused on validating whether your ISMS is appropriately designed — whether the documented processes exist, are effective, and comply with the standard requirements. The auditor will also gauge your own understanding of the standard, and discuss planning for stage 2. Ideally, stage 1 should take place two to four weeks before stage 2, so that the management system does not substantially change between the two stages.
In stage 2, the auditor will conduct a more thorough assessment of your ISMS, and evaluate whether it is implemented effectively and meets ISO 27001 requirements.
In order to satisfy the auditor’s needs, it’s imperative that documentation is both complete and accurate. The source of any documented information must be identified and verified, documents must be written with integrity, and documentation has to be easily accessible and retrievable for audit purposes. At the end of the day, you want your auditor to come to the same conclusion about the state and health of your information security program as you would. It’s your job to help them come to that conclusion.
Once the first two stages are completed, you can now apply for certification. This process can be facilitated by your auditor, who will assist in submitting your ISMS files to a formally accredited certification body. You can find a list of reputable certification bodies in the ANAB directory.
However, the ISO 27001 process doesn’t end when you obtain your certification. To maintain your certification, you must go through surveillance audits every year, in order to ensure that you’re continually improving and adhering to your information security protocols, rather than letting them stagnate. Additionally, the certification itself is only valid for three years!
Understanding the certification process is important as it helps you gauge the continual effort you need to put into maintaining compliance. Check out our checklist of the 5 things you’ll need to show your auditor so you can pass with no exceptions noted.
How to Choose an Auditor
Going through an audit can be a nerve-racking process. When it comes to ISO 27001, the one thing you have to remember is that at its core, an audit is an auditor’s informed opinion on how well your organization’s controls meet the relevant clauses. There are a few things you should consider when selecting an auditor:
- Accreditation: Ensure that your auditor is a member of ANSI National Accreditation Board (ANAB). ANAB assesses and accredits certification bodies. Only certified bodies can issue an ISO 27001 certification.
- Find a reputable firm. It doesn’t have to be a brand-name firm like KPMG; one with a good reputation will suffice. If you need guidance in this area, we’re happy to provide some recommendations.
- Experience matters. An auditor with more experience is likely to have a better and more thorough understanding of ISO 27001, how to evaluate controls against your organization, and the best practices that apply.
- Fit. Auditors are like snowflakes; no two are alike. It’s important that your auditor understands your business, so they can expertly assess if there are any gaps or deficiencies.
If you want to skip over the researching process, TrustCloud has developed a Trusted Partner Network with premier auditing firms, advisors, and VCISO.
How to Prepare for an ISO 27001 Audit
You now understand the level of commitment, time and dedication required to implement and manage an effective ISMS program. Now that you know what you are in for you can start to gauge your level of readiness.
Preparing for an ISO 27001 audit can seem like a challenge, but with the right approach, it can be broken down into a few simple steps:
- You’ll need to appoint a leader and create a task force. The team will be responsible for creating controls and policies, and mapping them to the Annex A controls and clauses 4-10.
- Gather evidence
- Conduct tests
- Fill in the gaps
- Document everything.
A good starting point is to take stock of your resources and team. Given the level of effort required to become ISO 27001 compliant, it is important that knowledgeable team members lead the effort.
If your team doesn’t have the right skill set, you may want to consider hiring people with the appropriate expertise. In fact, having the right people in place is a key requirement to demonstrate compliance with clause 7.2, which dictates that your ISMS must be managed by competent, properly trained employees.
Once an experienced team is in place, you’ll need to create an inventory of your business, systems, and assets, and map those to the control requirements outlined in ISO 27001’s ten clauses and Annex A. You can generally do this in one of two ways:
- Using a Compliance Automation Tool
You can read more information on your two options, as well as how to best implement a management review program here.
Conducting an Internal Audit
One of the biggest pain points for companies preparing for an ISO 27001 audit is meeting the requirement for clause 9.2. This clause requires that the organization conduct internal audits, to provide information on whether the ISMS both conforms to the organization’s own requirements for its ISMS (9.2a) as well as conforms to the requirements of the standard (9.2b).
In order to fulfill these requirements, an independent and objective auditor must conduct internal audits at (frequent) planned intervals, and any issues or non-conformities must be tracked, documented, analyzed, and remediated.
However, this can be problematic for most companies, and you can read why here.
For an in-depth guide on how to conduct an ISO 27001 internal audit, its requirements, and FAQs, click here.
The Cost of an ISO 27001 Certification
The cost of ISO auditing varies with company size and how much groundwork you have already laid. Organizations with 10 or fewer employees might spend around $10,000 on an audit that lasts about five days. For companies under 425 employees, the process can span at least 15 days and cost around $30,000.
Company size is just one factor in determining audit costs. Other influential factors include ISMS complexity and scope, the number of IT platforms and networks you may use, outsourcing and third-party arrangements, and more. In addition to the audit itself, there will likely be costs associated with the work required to prepare for an audit.
We break down the cost of an ISO 27001 certification here.