July 16, 2021
4 Keys to a Successful ISO 27001 Certification
If you’re looking for a globally-recognized, industry-leading standard for managing security risks associated with the information held by your organization, look no further than ISO 27001. Achieving ISO 27001 certification not only ensures protection of your company’s valuable information but demonstrates to your clients and other stakeholders that you are serious about security.
In this blog post, we’ll provide an overview of ISO 27001 and four keys to successfully certifying for this comprehensive standard.
ISO 27001 Overview
Here are some of the key attributes of ISO 27001:
- Widely recognized information security standard. ISO 27001 was initially published in 1995 by the UK government. It was the first information security framework to receive broad global recognition, and it continues to be an important, internationally-recognized certification and standard that many other information security certifications, attestations, and frameworks have borrowed from.
- Two-part Structure. There are two fundamental structural components: Standards Clauses and Control Categories. There are 10 Standards Clauses and 14 Control Categories.
- Information Security Management System (ISMS). ISMS is a key term used in ISO 27001 and can be viewed as a framework of policies and procedures designed to achieve the desired information security objectives.
- Three-Year Certification Cycle. Many other information security standards and frameworks require an attestation of compliance by an external auditor every year (e.g., SOC 2, PCI DSS). ISO 27001 uses a three-year cycle, requiring full certification in year one with light spot checks or “surveillance audits” in years two and three.
- Annual Risk Assessment and Internal Audit. To maintain compliance with ISO 27001, organizations must perform a Risk Assessment and Internal Audit every year.
What are the 10 ISO 27001 Standards Clauses?
The ISO 27001 Standards Clauses provide structure and objectives to a company’s ISMS. The 10 clauses are summarized below.
ISO 27001 Standards Clauses
- Clauses 1-3: Structure and Organization. The first three clauses—Scope, Normative References, and Terms and Definitions—provide structure and organization for a company’s information security policies, procedures, and governance practices.
- Clause 4: Context of the Organization. Provides an understanding of the organization and its context, internal and external issues, operational scope, and interested parties.
- Clause 5: Leadership. Describes how information security is communicated, promoted, and established. Also outlines the resources dedicated to information security.
- Clause 6: Planning. Covers risk assessments, risk treatment, risk objectives, and associated plans.
- Clause 7: Support. Describes support resources, their competencies, and the training they receive. Also includes support communications and document control.
- Clause 8: Operations. Covers risk assessments and risk treatment.
- Clause 9: Performance Evaluation. Describes how the performance of a company’s ISMS will be evaluated. Includes monitoring, measurement, internal audit, and management review.
- Clause 10: Improvement. Describes how improvements and corrective actions will be taken when an organization discovers that they are not conforming to specific requirement(s) of ISO 27001.
What are the 14 ISO 27001 Control Categories?
Annex A of ISO 27001 includes 14 Control Categories that describe the specific controls your organization will need to comply with to meet the objectives established in the 10 Standards Clauses. Here’s a summary of the 14 Control Categories, which will likely be familiar to you if you’ve worked with other information security standards.
ISO 27001 Control Categories
While not specifically addressed in this blog post, it’s worth noting that the ISO 27002 standard provides more detailed and prescriptive requirements for complying with each of the 14 ISO 27001 Control Categories. Organizations often use ISO 27002 as a guide to help them prepare for ISO 27001 certification.
What’s the Process for Certifying for ISO 27001 and How Long Does it Take?
The process steps and timeline for achieving ISO 27001 certification are summarized below.
ISO 27001 Certification Timeline
It will generally take eight to twelve months to become certified for ISO 27001. However, this may vary somewhat depending on your specific environment and the amount of remediation work needed to prepare for certification.
Here’s a summary of the four certification phases:
- Gap Analysis. Collect data, conduct interviews, and perform analysis to identify areas where you are not yet compliant with ISO 27001’s 10 Standards Clauses and 14 Control Categories. Develop recommendations for work that needs to be done to become compliant.
- Develop or update policies, procedures, processes, and systems as needed to align with ISO 27001 requirements.
- Ensure that the required policies and control frameworks have been established. Develop a Statement of Applicability (SOA) document to describe the controls you have in place. Conduct a Risk Assessment and Internal Audit against ISO 27001 requirements. Documentation resulting from these activities will be used in the Certification phase.
- External auditor performs Stage 1 audit, a quick spot-check to ensure you are aware of the ISO 27001 standard and have the required artifacts and documentation (e.g., SOA, Risk Assessment, Internal Audit) in place. After confirming that Stage 1 requirements have been met, external auditor returns to perform a comprehensive Stage 2 audit against ISO 27001 requirements. Following the Stage 2 audit, the external auditor will either inform you that you have been certified or that additional corrective actions are required.
ISO requires that the firm helping a client prepare for ISO 27001 certification must be a separate legal entity from the external auditor. Accordingly, Tevora specializes in preparing companies for ISO 27001 certification but does not perform formal external audits.
Tevora partners with clients to perform as many or as few of the Gap Analysis, Remediation, or Preparation phase activities as they would like. Our team has extensive experience helping clients prepare for this important certification and has developed helpful tools and documentation templates to streamline the process. We often perform Risk Assessments for clients, and as a Certified ISO Lead Auditor, we are qualified to perform Internal Audits as well.
Keys to a Successful Certification
As we’ve partnered with some of the world’s leading companies over the years to help them prepare for and achieve ISO 27001 certification, we’ve developed a good sense of what works and what doesn’t. Based on this experience, we’ve identified four keys to a successful ISO 27001 certification.
- Use an experienced assessor. In our experience, there are many firms out there that have been certified as an ISO Lead Auditor but lack the knowledge and experience needed to effectively help their clients prepare for ISO 27001 certification. These firms often lack the skills required to handle complex client environments or even simple environments with a few unique security challenges. Clients frequently call us in to replace one- or two-person boutique firms that have gotten in over their heads, resulting in significant delays and budget overruns for the client. Make sure to do your due diligence and select a reputable and experienced firm that will help you prepare for certification in a way that is streamlined, effective, and meets your budget and schedule objectives.
- Use a firm that effectively supports remediation. There are many preparing firms, some reputable, that don’t do remediation. Some are mainly theoretical and lack the technical skills needed to help clients remediate areas of non-conformance (e.g., write a business continuity plan or configure logging and monitoring solutions). Others may not consider the work to be profitable enough. We recommend that you partner with a preparing firm that is willing and able to get down in the weeds with your team to help you effectively conduct needed remediation work.
- Plan on 8-12 month timeline for certification. Don’t make promises to your leadership that you can get it done faster than this. If anyone tells you it can be done faster, view those claims with a healthy grain of salt. We suggest using an experienced lead auditor to help you develop a realistic timeline. While you can establish a ballpark timeline at the start of your certification project, we recommend holding off on making a firm schedule commitment until you have finished the Gap Assessment phase and can put in place a plan to address the gaps.
- Get executive buy-in. As with any compliance or information security certification, get executive buy-in. We’ve seen too many certification projects stumble or fail due to lack of top-down support.
Tevora’s ISO 27001 Certification Webinar
For a deeper dive on these topics, check out the recording of Tevora’s Introduction to ISO 27001: Keys to a Successful Certification webinar.
We Can Help
Tevora’s dedicated team of ISO 27001 certification experts would welcome the chance to be your trusted partner in preparing for ISO 27001 certification. We’ve worked with many industry-leading companies to help them achieve certification and have developed tools, techniques, and document templates that streamline the process and help ensure all requirements are covered. While we’re deeply grounded in the theoretical aspects of ISO 27001, we also love to roll up our sleeves and work with clients to implement any remediations needed to comply with this important standard.
If you have questions about ISO 27001 or would like help preparing your organization for compliance, just give us a call at (833) 292-1609 or email us at firstname.lastname@example.org.
About the Author
Bhavin Patel is a Senior Information Security Consultant at Tevora.