Table of content
What is the ISO 27001 standard?
Who is the ISO 27001 standard intended for?
What Are the Benefits of Implementing ISO 27001?
ISO 27001 Certification Process
Phase 1 – Define the scope of your Information Security Management System (ISMS)
Phase 2 – Perform a gap analysis
Phase 3 – Develop a risk management plan
Phase 4 – Train People
Phase 5 – Develop Information Security Management System policies and procedures
Phase 6 – Plan reviews to analyse the effectiveness and compliance of ISMS
Phase 7 – Conduct Internal Audits
Phase 8 – Certification Audits
FAQs
How long will it take us to pass ISO 27001 certification?
How much does it cost to get an ISO 27001 certification?
Should the ISO 27001 standard be implemented throughout the organization?
We have a certificate for ISO 9001 standard, can we also implement ISO 27001?
Extensions to the ISO 27001 standard
What is the ISO 27001 standard?
ISO 27001 is a standard for managing information security in an organization. Its aim is to ensure that the organization's information is stored and managed safely, through the establishment of an Information Security Management System (ISMS).
The standard sets out requirements for creating processes to identify risks, writing procedures and defining controls, so that the organization's data is secure, available and correct at all times, and so that the business can recover quickly when something goes wrong.
Who is the ISO 27001 standard intended for?
The standard is intended for any organization, from small private companies to corporations and very large organizations, that wants to protect itself from the leakage or loss of information and the risks that may result from it.
While ISO 27001 can be applied to any business, it is most useful for companies that have sensitive information. The following industries typically implement ISO 27001:
- IT industry – software development companies, cloud companies, and IT support companies
- Financial industry – banks, insurance companies, brokerage houses
- Telecoms – telecommunication companies, including Internet providers
- Government agencies that handle sensitive information
In addition to these industries, any business that has unique knowledge, formulas or recipes will benefit from implementing ISO 27001. This includes pharmaceutical companies that want to protect their formulas, food manufacturers looking to protect their special recipes and other manufacturing companies that want to protect their knowledge.
What Are the Benefits of Implementing ISO 27001?
ISO 27001 helps an organization establish a system in which risks have been identified, their criticality has been assessed, and controls have been put in place to keep information out of unauthorised hands. An organization certified to ISO 27001 demonstrates that it protects sensitive information, which increases its credibility. This builds a positive image for the organization, which in turn helps it win more business. With more secure and reliable systems and information, the likelihood of breaches is reduced, which means less disruption to the business and lower costs.
The standard also addresses legal requirements in the areas of information protection and privacy, helping you comply with applicable legislation and reducing the likelihood of fines.
ISO 27001 Certification Process
Phase 1 – Define the scope of your Information Security Management System (ISMS)
This means deciding what information your organization needs to protect. Does the ISMS include the entire organisation or a specific department? Does the ISMS cover all services and products, or do you want to exclude some services from the scope of the system?
Phase 2 – Perform a gap analysis
The next step is to perform a gap analysis against the requirements of ISO 27001. During the gap analysis, your existing security controls are assessed against the requirements of the standard. The gap analysis also lists the actions required to close each gap, which lets you plan the ISMS implementation based on the number of gaps and actions identified.
Phase 3 – Develop a risk management plan
ISO 27001 requires the organization to develop a risk assessment framework to identify and analyse risks and to implement controls that mitigate them. The results of your risk assessment must be documented.
To start the risk assessment, consider your baseline for security: what legal, regulatory or contractual obligations is your company held to?
A risk treatment plan is then created, listing the controls you have decided to implement to reduce the impact or likelihood of each risk. A Statement of Applicability (SOA) is also produced, stating which ISO 27001 controls apply to the organization and which do not. Both the Risk Treatment Plan and the SOA are mandatory documents that auditors will expect to see during the audits.
Phase 4 – Train People
ISO 27001 requires that awareness of information security and its importance be raised within the organization. This can be achieved by running staff awareness training programs throughout the organization, covering both information security in general and how employees can comply with the requirements of the standard. Some policies directly involve every employee, for example a clear desk policy or the rule that workstations are locked whenever staff leave their desks. These should be developed, and each employee should be made aware of them.
Phase 5 – Develop Information Security Management System policies and procedures
This step involves developing the policies and procedures needed to comply with the requirements of the standard. These policies and procedures give employees the guidance they need on how to comply with the standard and on what is and is not allowed in the organization.
ISO 27001 mandates documentation of at least the following elements:
- The scope of the ISMS
- Information security policy
- Information security risk assessment process
- Information security risk treatment process
- The Statement of Applicability
- Information security objectives
- Evidence of competence
- Documented information determined by the organization as being necessary for the effectiveness of the ISMS
- Operational planning and control
- Results of the information security risk assessment
- Results of the information security risk treatment
- Evidence of the monitoring and measurement of results
- A documented internal audit process
- Evidence of the audit programs and the audit results
- Evidence of the results of management reviews
- Evidence of the nature of the non-conformities and any subsequent actions taken
- Evidence of the results of any corrective actions taken
Phase 6 – Plan reviews to analyse the effectiveness and compliance of ISMS
ISO 27001 requires that the performance of the ISMS is continuously monitored to ensure its effectiveness and compliance. This is achieved by measuring current achievements against the information security objectives and by monitoring and reviewing ISMS-related activities. Management Review is another mandatory requirement of ISO 27001 and should be carried out at a fixed frequency. The goal of the management review is to assess the performance of the ISMS and identify improvements to existing controls and processes.
Phase 7 – Conduct Internal Audits
Conducting internal audits at planned intervals is another mandatory requirement of the standard. The internal audit should be carried out at a fixed frequency by a trained auditor who is independent of the work being audited. The non-conformities identified during the audit, and the actions planned to close them, should be documented and tracked to closure.
Phase 8 – Certification Audits
This is the last step in the certification process and the one that leads to your organization obtaining an ISO 27001 certificate. The certification audit is carried out by external auditors from a certification body and is conducted in two stages: a Stage 1 audit and a Stage 2 audit. In the Stage 1 audit, the external auditor reviews your documentation to ensure that it meets the requirements of the standard and may identify non-conformities or gaps in the documentation. Once you close these non-conformities and the auditors confirm that all Stage 1 non-conformities are closed, your organization is recommended for a Stage 2 audit.
In the Stage 2 (certification) audit, the auditor assesses how the ISO 27001 requirements have actually been implemented in the organization. Upon successful completion of the Stage 2 audit, your organization receives its certificate.
FAQs
How long will it take us to pass ISO 27001 certification?
The process varies from one organization to another and depends on the nature of the organization, its complexity, its processes, and any technologies that need to be acquired and adopted. An experienced information security consultant will know how to implement suitable, less costly tools in a shorter time.
Management commitment is also important, as effective leadership helps gain the support required to run the program. When Top Management leads this initiative from the front, communicates the importance of the information security management system to every employee and provides the resources required, the certification milestones can be reached quickly. Management plays a key role in making information security part of the organization's culture, which is what paves the way for successful certification.
Most small to medium-sized organizations can expect to obtain a certification within 4-6 months, depending on the size and complexity of the scope of the management system.
How much does it cost to get an ISO 27001 certification?
The cost is made up of the cost of developing the system and the fees charged by the certification body.
The cost varies from one organization to another and depends on the size of your business, the complexity of your processes, how much information your business holds and the level of risk. Developing and implementing ISO 27001 is generally a more expensive investment than implementing the ISO 9001 standard.
Should the ISO 27001 standard be implemented throughout the organization?
Yes, ISO 27001 needs to be implemented throughout the organization. That said, certain roles and departments are directly responsible for implementing key areas, while others are responsible for only a small part of the ISMS. The primary roles, with the largest share of the work, are Top Management and senior risk stakeholders such as the Chief Information Security Officer (CISO), the Chief Risk Officer (CRO) and the Information Security Manager or equivalent.
The secondary roles are representatives from HR, IT, Facilities, Legal and Compliance, the business departments, suppliers and partners, and so on, together with all employees in general, who must comply with the policies and procedures.
We have a certificate for ISO 9001 standard, can we also implement ISO 27001?
Yes. The ISO 9001 standard focuses on quality management, while the ISO 27001 standard focuses on information security.
Many of the mechanisms already in place for ISO 9001 are also required by ISO 27001 and can be reused, for example in risk assessments and management reviews. An integrated quality and information security management system can be established, so that the organization's work processes with customers are covered while personal information is protected and prevented from leaking out of the organization.
Extensions to the ISO 27001 standard
- ISO 27799 – for managing medical information security.
- ISO 27032 – for cyber security.
- ISO 27701 (2019) – for managing information privacy.
- ISO 27017 – for information security in the cloud.
- ISO 27018 – for managing personally identifiable information in public clouds.
Author: Avital Koren
Avital is passionate about small business and working with entrepreneurs. She was the first to identify and address the needs of small businesses in management systems.