What is ISO 27001?

Wednesday, 5 April, 2023


It’s the gold standard

ISO 27001 is a standard that describes how organisations can implement an ‘information security management system’ (ISMS) to govern and manage their information security risk. It’s internationally recognised and considered the “gold standard” in information security as it represents best practice in procedures, controls and people processes.

Why should you consider it?

It proves you are proactively managing your cyber security. But there are other reasons too. For certain work, or for certain companies, it’s required; for example, it is a requirement in many tender processes. It may also be beneficial in proving your level of cyber security awareness when trading internationally.

Starting the process towards certification

To begin with, you need to choose your scope. Are you certifying your entire organisation? Or, do you want to exclude a certain functional area or geographical location from the scope of your certification?

Once the scope is decided, you become certified against the standard by engaging an external auditor with the appropriate accreditations. Certification is a two-stage audit process.

The first stage is to review various parts of your documentation, such as your policies forming your ISMS. At the end of the first stage, you can expect a statement on your suitability to proceed for certification. You can also expect a report detailing the findings from the review, including any minor or major nonconformities to the standard found.

Some auditors may provide you with a ‘statement of intent’ to indicate that you are in the process of becoming certified. This is useful where you are certifying because of a third-party requirement, as the statement can be given to that third party as proof before you achieve certification.

The second stage is to review how you have implemented the standard and how effective it is. It should (hopefully!) result in you being awarded certification for your chosen scope. After that you’re required to conduct annual surveillance audits to maintain certification.

Once certified, it lasts three years. So, if you want to remain certified, it’s important to continue maintaining your ISMS and renew every three years. The number of days and the cost of the audit stage vary depending on the number of employees in the company and the number of locations/offices that are in scope.

Selecting an auditor

An external auditor is needed to conduct the audit for both stages as they are independent from your company. (You can only use an internal auditor for the internal audits that need to be conducted as required by a clause in the standard.)

When searching for an auditor, it is important to check whether they are accredited, for example UKAS accredited (UKAS is a UK accreditation body). Being accredited means that the auditors have undergone rigorous audits themselves to ensure they are compliant and that they conduct audits on companies to the standard expected.

Certification may not always be necessary

Some organisations choose to be compliant with the standard rather than pursue certification. Notionally, this means doing all of the work without incurring the cost of the audit process. We’ve explored this in a previous blog post, “Certification is about rules, compliance is about trust”.

So, what’s required?

There are certain things you must do or have to meet the requirements. These are broken down in the standard over fourteen clauses. These include: demonstrable ‘top management’ commitment, cyber security risk assessment and documented regular management reviews/continual improvement evidence.

The risk assessment is an important part of the process. During this phase you identify and analyse the risk scenarios facing the business, and decide which you wish to treat, tolerate, transfer or terminate. Producing the resulting ‘risk treatment plan’ and ‘statement of applicability’ of controls is generally the time-consuming part: implementing or improving, and documenting, all the controls needed to appropriately manage the risk. ISO 27001 can go hand in hand with a broader Security Improvement Programme and help drive what’s needed (and justify why).

It is important to address any nonconformities, where you are not compliant with the standard, in order to be certified. These come in the form of minor and major nonconformities and require corrective action plans to be defined and addressed. They feed into the focus of continually improving security within your organisation and it’s good to identify these yourself during the process of implementing the ISMS to build self-awareness.

Timescales to achieve certification can be lengthy

Typically it takes an organisation 12-18 months to become certified.

This can be shortened, but it depends on what’s already in place and whether you are starting almost from scratch. If you already have some policies and procedures that are reasonably well documented, along with a range of security controls in place, the process will likely involve checking for gaps and solidifying the policies/procedures and controls.

It should be noted that the issuing of a certificate will be delayed should there be a major nonconformity, as the auditor will require you to provide your corrective action plan and address it before your certification is issued. So, it’s important to address nonconformities!

It is achievable to be quicker than the average expected time. Over the past year, we assisted a technology company to get to the point of certification in six months. Where the aim is to achieve certification quickly, it’s crucial to be flexible in the approach taken in implementing the standard’s clauses.

Is ISO 27001 on your roadmap?

It’s important to consider your cyber security posture and your need for assurance of it. Your target customers or clients need to be factored into your decision as well: what are their expectations when trusting you to secure their data? Do they make an external cyber security certification a requirement?

If it is, remember that this becomes an integral part of your security programme plan and you need to maintain it to be able to re-certify!

It’s also important to be aware of the latest publication of the standard (there are usually several years between versions, the last being 2022) and to be compliant with the correct version from the point at which auditors begin assessing against the latest edition.

Here’s an insight into the work we were involved in with Kaluza on their path to achieving ISO 27001 certification:

Watch the video on YouTube
