We recently explored the many benefits of ISO 27001, an information security standard established by the International Organization for Standardization (ISO). We illustrated how adopting ISO 27001 brings companies that handle confidential data and intellectual property, like startups, financial services, law firms, healthcare and technology organizations, a higher level of security, privacy and accountability to company processes. ISO 27001 certification can also give an organization a competitive edge.
Understanding the benefits, the question becomes: is your organization ready to embark on ISO 27001 certification? If you believe you are, it can be helpful to take the following three steps first.
1. Review General Requirements for ISO 27001
It is essential that your organization is familiar with the general requirements for achieving ISO 27001 certification.
The ISO 27001 certification process consists of passing a certification audit divided into two separate reviews: Stage 1 and Stage 2. These reviews are typically scheduled one to three months apart.
To meet these requirements, organizations need to identify their strengths and weaknesses and design ways to address them through policy, procedures and control development.
Performing a readiness assessment or gap assessment is the first step. The assessment gives your organization an opportunity to evaluate current processes and controls related to securing sensitive data and systems through the lens of the ISO 27001 framework.
Stage 1 primarily reviews the design of your organization’s information security management system (ISMS) against the ISO 27001 standard. Your organization will need to have specific documents pertaining to:
• Scope of your ISMS
• Information security policy
• Risk assessment process
• Information security risk treatment process
• Information security objectives
• Evidence of competence
• Operational planning and control
• Information security risk assessments
• Information security risk treatment
• Evidence of the monitoring and measurement results
• Evidence of the audit program and audit results
• Evidence of the results of management reviews
• Evidence of the nature of nonconformities identified and actions taken
• Evidence of the results of corrective action
Stage 2 is a comprehensive review that includes your ISMS and the security controls your organization has in place to address identified information security risks. This stage also includes an assessment of your organization’s level of preparation and operating effectiveness for your ISMS and controls.
By the end of the Stage 2 review, the auditor(s) will recommend whether to grant certification, based on the results of your organization’s ISMS and control assessment.
Stage 2 is often where organizations prolong their time to certification. Primarily this is due to gaps in the ISMS and to not taking appropriate action to contain any non-conformities (non-standard events in your organization’s security).
Meeting the initial certification requirement is a significant achievement for your organization and demonstrates your commitment to embedding security throughout business decisions and processes within your organization. It requires planning and excellent execution.
2. Review Leadership and Security Resource Requirements
Reaching certification requires managing information security at an integrated level. Too many organizations lack the proper leadership, structure and resources for effective information security management. Before applying for ISO 27001, it is worth reviewing your organization’s current leadership and security resources.
You will need to have three tiers of expertise and management with adequate security resources and processes. They are:
1. Senior Leadership:
This consists of the individuals who define your information security policy and make executive decisions, and who act as the champions within the business, weaving security and risk discussions into daily processes.
2. Information Security Management:
These are the individuals who are responsible for implementing ISO 27001.
3. Information Security Operations:
These people are responsible for day-to-day information security activities such as vulnerability management, logging and monitoring, and incident response. Most organizations define these roles as (Security) Engineers and Analysts.
3. Review the Expected State of Related Security Program Areas Such as BCP, Incident Response and Vendor Management
Finally, you will need to review your existing security programs such as:
- Business continuity and disaster recovery plans
- Incident response
- Vendor management and more
These areas should be included within your readiness assessment and prompt your organization to address them. Any significant gaps will be deemed a major non-conformity in the eyes of an auditor and delay certification.
For example, in terms of incident response, your organization will need clear, comprehensive plans to detect incidents, perform detailed analyses of their root causes and perform regular tests of your incident response plan. This goes beyond simple incident detection and response. In addition, all incidents will need to be documented.
Taking such measures will ensure you are fully prepared for ISO 27001 adoption and allow you to demonstrate your organization’s prowess and dedication to having effective security measures in place.
About the Authors
Christina Whiting is the managing director of privacy, enterprise risk and compliance at Tevora.
David Grazer is the privacy practice lead at Tevora.