If you’re trying to prove that your organization is serious about security, ISO 27001 is the gold standard, the Black Card, the bumper sticker bragging that you’ve run a full marathon.
ISO 27001 certification has such an elite reputation because it’s so difficult to attain–it sets exacting standards that must be rigorously documented and continually maintained.
Despite the challenges, there are real benefits to achieving ISO 27001 compliance. In a moment where data breaches are rampant, cybercrime is on the rise, and data privacy laws are being passed around the world, adhering to a strict security standard is your best liability insurance.
Here, we’ll provide an overview of the audit process, so you can embark on it with a clear idea of what it entails and how you stand to benefit.
ISO/IEC 27001 is an international standard for data security established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It provides guidance for creating an information security management system (ISMS) encompassing people, processes, and technology.
This standard is usually abbreviated as ISO 27001, but its full name is ISO/IEC 27001:2013, in which “2013” is the year it was most recently revised.
It’s the lynchpin of the ISO/IEC 27000 family of standards, which lay out internationally accepted best practices for data security. (The other ISO 27000 standards go into greater detail about specific aspects of information security, but ISO 27001 is the only one for which you can receive certification.)
ISO 27001 specifies how an ISMS should function to satisfy the “C-I-A triad” of information security:
- Confidentiality (Restricting data access to authorized users)
- Integrity (Data is complete and free from inaccuracies or corruption)
- Availability (Users can access the information they need)
The ISO 27001 framework is divided into two sections. The first, “Clauses,” explains the background and theories of data security, such as defining what to consider in a risk assessment.
Meanwhile, Annex A of the standard lays out the recommended controls for ensuring data security. There are 14 sections of the Annex, each of which concerns a different domain, ranging from cryptography to asset management to business continuity management. Within each section are multiple controls touching on various security concerns.
For example, Annex A.7 deals with human resource security and includes controls starting with pre-hire screening and ending with secure offboarding.
The principles and best practices of the ISO 27001 standard apply to any organization that wants to formalize its information security and data privacy processes.
But while any organization that handles sensitive data should consider getting compliant with ISO 27001, getting certified is a different matter, and a relatively small number of companies choose to go through the process.
According to ISO’s 2020 survey, there are roughly 45,500 currently valid ISO 27001 certifications. That’s obviously not a huge number, but it’s still a significant increase from 2016, when there were 33,290. (It’s also worth noting that these numbers are just best guesses since the survey is voluntary, and there’s no central directory of certified organizations.)
Organizations that have the most to benefit from getting ISO 27001 certified are the ones that deal in highly sensitive information assets. These include information technology companies (e.g., managed services providers), financial institutions, healthcare providers, telecom companies (e.g., internet services providers), and government contractors.
ISO 27001’s elite reputation and global usage mean that certification can confer a competitive advantage. And even compliance without certification offers security benefits.
Guard Against Data Breaches
Complying with the ISO 27001 standard will strengthen your security posture. By identifying and remediating risks, and defining the people and processes responsible for managing risks, you can reduce your vulnerability to security incidents, and the fallout should one occur. This, in turn, offers a meaningful (albeit invisible) ROI since you’ll avoid the high costs of data recovery, remedial actions, loss of business, and regulatory fines.
Stay Compliant With Data Privacy Laws
ISO 27001’s status as a global standard means it has heavily informed multiple international data privacy laws. GDPR refers organizations to it as a set of recognized best practices, and Australia’s Digital Security Policy was deliberately crafted to adhere to 27001.
Broadly speaking, while ISO 27001 certification doesn’t guarantee perfect compliance with every data security regulation, it does represent a big step in the right direction for data privacy compliance goals.
Close More Deals
ISO 27001 certification shows partners and customers that your company takes information security seriously. This can put you ahead of the competition, particularly among international customers, enterprise clients, and organizations with strict security requirements.
Improve Risk Management
The ISO 27001 standard requires organizations to establish accountability for information risk. With the proliferation of information assets, this transparent chain of command helps you clarify roles and processes and maintain appropriate access control, so nothing falls through the cracks.
Reduce Frequent Audits
As data breaches and attacks become more common, more organizations are auditing their vendors’ ISMSs to ensure that their supply chain is protected. An ISO 27001 certification can help reduce the number and costs of these audits for existing customers and during the sales cycle.
ISO 27001 certification is a multi-step process, requiring a great deal of work before an auditor even gets involved. Here’s a (non-exhaustive) list of what it entails.
1. Read the ISO 27001:2013 Standard
Step one is simply to read the complete ISO 27001:2013 text, which requires purchasing a copy. (At present, it costs roughly $120.) This will help you get a general sense of how labor-intensive the certification process will be, based on which requirements you already fulfill.
2. Get Management Buy-In
ISO 27001 emphasizes the role of leadership in establishing and maintaining an ISMS. Clause 5.1 specifically “identifies specific aspects of the management system where top management are expected to demonstrate both leadership and commitment.”
Auditors will interview leadership and look for evidence of their involvement, so if you don’t have enthusiastic buy-in from the C-Suite, you should hit the brakes before you go any further.
To secure leadership support, you’ll need to build a business case for certification, and the projected ROI can help determine the project’s scope and budget. Organizations typically enlist the help of an automated compliance product such as Vanta or SecureFrame, a third-party consultant, or a combination of the two. Those are costs you can budget for at the beginning of the process.
3. Conduct a Risk Assessment
The first official document you’ll need to produce is a risk assessment. There are various methodologies for determining risk, but the most common is an asset-based approach.
Here, you’ll list all your organization’s information assets–physical devices, intellectual property, software, etc.–and assign a risk level to each based on the C-I-A framework we mentioned earlier. Since no two organizations are exactly alike, your approach to risk will vary depending on the specific data assets you maintain, but prioritize anything that could threaten your regulatory or contractual obligations or is business-critical.
Next, you’ll assess how likely each threat is, and what the fallout from it would be. For instance, a sinkhole opening directly under your server room would have a massive impact but is relatively unlikely. By contrast, the impact of someone stealing a developer’s unencrypted laptop could be almost as disastrous and could happen easily.
Once you’ve identified your risks, ISO 27001 lets you choose from four options of risk treatment:
1. Eliminate: Delete the data in question or stop the risky activity entirely.
2. Share: This can mean either outsourcing risk to a third party or purchasing insurance to minimize the financial impact of a security event.
3. Control: Put policies or technology in place to manage the risk. In the developer’s laptop example, this would mean ensuring that all company devices meet your security requirements.
4. Accept: Choosing to accept a risk means that you believe that it’s so unlikely or its impact would be so small that it doesn’t justify the cost of remediating it.
The next (sub)step is to write a risk treatment plan, which will include:
- A description of the risks
- The treatment option for managing each risk
- Who is accountable for the risk itself
- Who is accountable for the risk mitigation activity
- When you plan to complete the mitigation activity
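As an added illustration (our own example, not part of the standard or any compliance product), the following Python models the asset-based assessment and treatment plan described in step 3: a likelihood and impact score per asset, the four treatment options, and the accountability fields the plan must carry. The 1–5 scales and the acceptance ceiling are assumptions, and the register entries are constructed from the article’s laptop and sinkhole examples.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional

class Treatment(Enum):  # the four ISO 27001 risk treatment options
    ELIMINATE, SHARE, CONTROL, ACCEPT = "eliminate", "share", "control", "accept"

@dataclass
class Risk:
    asset: str
    threat: str
    cia: str                          # C-I-A properties the threat affects, e.g. "CA"
    likelihood: int                   # 1 (rare) .. 5 (almost certain); scale assumed
    impact: int                       # 1 (negligible) .. 5 (severe); scale assumed
    treatment: Treatment
    risk_owner: str                   # accountable for the risk itself
    mitigation_owner: Optional[str] = None  # accountable for the mitigation activity
    due: Optional[date] = None        # when the mitigation is planned to complete

    def score(self) -> int:
        return self.likelihood * self.impact

ACCEPT_CEILING = 6  # assumed policy: only risks scoring at or below this may be accepted

def plan_gaps(risk: Risk) -> list:
    # Fields of the risk treatment plan that this entry is still missing
    gaps = []
    if risk.treatment is Treatment.ACCEPT:
        if risk.score() > ACCEPT_CEILING:
            gaps.append("score exceeds acceptance ceiling")
    else:
        if not risk.mitigation_owner:
            gaps.append("no mitigation owner")
        if risk.due is None:
            gaps.append("no completion date")
    return gaps

def risk_treatment_plan(register: list) -> list:
    # Prioritise by score (highest first); each row carries its remaining gaps
    ordered = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r.asset, r.score(), r.treatment.value, plan_gaps(r)) for r in ordered]

# Constructed register echoing the article's examples, plus one incomplete entry
REGISTER = [
    Risk("developer laptop", "theft of unencrypted device", "C", 4, 4,
         Treatment.CONTROL, "CISO", "IT operations", date(2024, 3, 31)),
    Risk("server room", "sinkhole under the building", "A", 1, 5, Treatment.ACCEPT, "CTO"),
    Risk("backup media", "tapes lost in transit", "CA", 2, 4, Treatment.SHARE, "CISO"),
]
```

Running `risk_treatment_plan(REGISTER)` puts the laptop first (score 16) and flags the backup-media entry, whose “share” treatment still has no named mitigation owner or completion date.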
4. Write a Statement of Applicability
Once you’ve established which information security risks you plan to treat vs. accept, it’s time to craft your Statement of Applicability. This document outlines how you’ll apply controls to address your identified risks. (If all this documentation seems a little redundant, welcome to the world of ISO standards.)
In the Statement of Applicability, you’ll list which controls apply to your organization, the implementation status of each one, and an explanation for any controls you chose to exclude. You may reject a control that doesn’t apply to you (a fully remote company can disregard the section on delivery or loading areas) or because the cost of implementation outweighs the risk.
(If you’d like to see an example, our friends at Secureframe have a free Statement of Applicability template.)
5. Update Mandatory Documentation
Documentation is the bedrock of ISO 27001, and you’ll need to provide detailed descriptions of every facet of your ISMS. ISMS documentation describes how an organization meets the standard’s requirements, including the risk mitigation activities identified earlier.
As ISMS.online points out, the ISMS needs to obey the same principles of Confidentiality, Integrity, and Availability as the security policies it describes. Therefore, “it needs to be available when required and adequately protected from loss of confidentiality, unauthorized use or potential integrity compromise.”
Once you’ve completed your ISMS, don’t rush to bring in an outside auditor! Make sure your systems work in practice, not just on paper. The most crucial element is conducting employee outreach and education so everyone is aware of and compliant with all policies. The standard also recommends that you conduct two internal audits before certification.
6. Undergo Stage 1 Audit
There are two phases to an ISO 27001 audit. In Stage 1, an external auditor or certification body will conduct a “tabletop” audit focused on your documentation.
At this stage, you can still be in the process of implementing risk mitigation strategies as long as you can show that you do have plans in place. However, according to Varonis, “Lack of key documentation, weak support from management, or poorly identified metrics can all bring an ISO 27001 audit to a screeching halt.”
Assuming there are no giant red flags, auditors will identify any issues they expect you to resolve before the next stage.
7. Undergo Stage 2 Audit
Stage 2 of the audit is much more intensive. Whereas in the first stage, auditors review the documentation of your processes, in this stage, they review the processes themselves.
Auditors will test your controls and look for proof that when an incident occurs, it triggers the appropriate response from the people responsible.
To pass the certification stage, it’s absolutely essential that employees are aware of the ISMS and their role in it. You can’t create an ISMS “for” the auditors; if it’s not an internally functional document with real stakeholder buy-in, you won’t pass this stage. And since the Stage 1 and Stage 2 audits are usually only a month or two apart, you can’t plan to conduct this training during the gap.
In Stage 2, auditors will note any remaining nonconformities. Major nonconformities can prevent certification entirely, while minor issues can be flagged for further evaluation.
Assuming your ISMS works as promised, Stage 2 concludes with the auditor recommending you for certification.
But that doesn’t mean you’re done.
8. Maintain Compliance
It takes a lot of work to achieve ISO 27001 certification and a lot of work to keep it. While you won’t need to get recertified for three years, you will have to continually maintain your ISMS and Annex A controls to pass your recertification audit.
During this time, you’ll also need to stay up to date on:
- Mandatory internal and external audits (more on those in the FAQ section)
- Regular employee security training
- ISMS policy updates
- Changes to the risk assessment
As we’ve said, no two ISO 27001 experiences are exactly alike. However, you can make some rough estimates about the cost and timeline of the certification process based on where your organization is starting from.
How Much Does ISO 27001 Certification Cost?
The cost of the entire process from preparation to certification will depend on your organization’s current security posture, number of employees, and the resources you choose to devote to it.
According to ISO/IEC recommendations, the audit itself should cost between $5,400 (for an organization with under 50 employees) and $27,000 (up to 2,000 employees).
On top of that, you’ll need to account for the costs associated with providing employee training, creating documentation, hiring external assistance, updating technologies, and of course, the certification audit.
How Long Does the ISO 27001 Certification Process Take?
The certification process can take anywhere from 3 months to a full year. Factors influencing this include:
- Whether you have a documented ISMS or are building one from scratch
- The scope of your audit (a single business unit will be less time-consuming than your entire organization)
- Whether you have a dedicated compliance professional, hire outside consultants, or assign a team member to take on compliance in addition to other duties
- The number of risks requiring remediation, and the difficulty of the remediation efforts
How Long is the ISO 27001 Certification Valid For?
An ISO 27001 certification is valid for three years, but you are required to undergo both internal and external audits during this time. A third-party auditor will conduct “surveillance audits” at 6- or 12-month intervals, usually focusing on areas of your ISMS that were of particular concern or significance in your original audit. In addition, Annex A.5 requires a review of your information security policies on at least an annual basis.
“It’s supposed to be hard. If it wasn’t hard, everyone would do it.” Tom Hanks was talking about baseball in that quote, but it also applies to ISO 27001 certification. The difficulty is part of the point.
But even though meeting this standard is a challenge, there are ways to make it less daunting. Your biggest ally (as we wrote in our article about SOC 2 compliance) is automation. The fewer manual processes you have, the lower the risk of human error and the easier it is to maintain documentation.
Most compliance software has some automated security features built in, and you can also integrate standalone solutions, including Kolide’s. Many of our customers use Kolide as part of their approach to compliance because it provides real-time, cross-platform (even Linux) data on employee devices while respecting privacy. (ICYMI, those qualities map directly to the C-I-A framework.)
Johan Edholm, the co-founder of Detectify, shared his experience with Kolide.
“As we were going through our ISO27001 audit, we realized we required a level of reporting, remediation and validation into our employees’ devices that we simply did not have. With the goal of being able to monitor these factors without jeopardizing employee privacy, we knew Kolide would be a great fit.”
At the end of the day, the most important thing isn’t that you use Kolide or even that you go through an ISO 27001 audit at all. There’s enormous value in pursuing compliance with this standard, whether or not you ever pursue certification. Because while certification isn’t for everybody, information security absolutely is.
Try Kolide for free and see how we can help you achieve and maintain ISO 27001 compliance.