ISO 27001:2015

IT Management System

What is ISO 27001 certification?

ISO 27001 is the international standard, recognized globally, for managing risks to the security of the information you hold. Certification to ISO 27001 allows you to prove to your clients and other stakeholders that you are managing the security of your information. ISO 27001:2013 (the current version of ISO 27001) provides a set of standardized requirements for an Information Security Management System (ISMS). The standard adopts a process-based approach for establishing, implementing, operating, monitoring, maintaining, and improving your ISMS.

Who needs ISO 27001?

IT companies

Software development companies, cloud companies, and IT support companies are only some of those that implement ISO 27001 – most commonly, they do it because they want to get new clients by proving to them with a certificate that they are able to safeguard their information in the best possible way; some IT companies also use ISO 27001 to comply with contractual security requirements from their main clients, or SLAs (Service Level Agreements). In some cases, fast-growing companies use ISO 27001 as a way to resolve problems in their operations, because the standard forces companies to define who is responsible for what and which steps need to be done in the most important processes, which is very often undefined in companies that are growing too fast.

Financial industry

Banks, insurance companies, brokerage houses, and other financial institutions typically go for ISO 27001 when they want to comply with numerous laws and regulations. Data protection legislation is the strictest for the financial industry, and luckily, lawmakers have based their legislation mostly on ISO 27001. This means that ISO 27001 is a perfect methodology for achieving compliance, which makes it very easy to present such a project to the executives. The second most common reason why these kinds of organizations implement ISO 27001 is cost – they want to prevent incidents from happening, which is, of course, much cheaper than dealing with the consequences of an incident. This approach is typical for the financial industry, because they are usually the most advanced when it comes to risk management.

Telecoms

Telecommunication companies, including Internet providers, are very keen on protecting the huge amount of data they handle and reducing the number of outages, so naturally they look toward ISO 27001 as a framework that helps them do that. Further, similar to the financial industry, there is a growing number of laws and regulations for telecoms, where ISO 27001 is very helpful for compliance.

Government agencies

Typically, government agencies handle very sensitive data – in some agencies this data is confidential, but in all agencies protecting the integrity and availability of their data is of paramount importance. The fact that ISO 27001 was designed to satisfy those three concepts (the famous C-I-A triad) makes it a perfect methodology for reducing the number of incidents to a minimum. And, being an international standard recognized by standardization bodies in each country, ISO 27001 is a perfect framework with official government recognition.

Other organizations with sensitive data

This list could go on and on – e.g., health organizations want to protect the data of their patients, pharmaceutical companies want to protect their development data and data on formulas, food processing companies protect their special recipes, and manufacturing companies want to protect their knowledge of how certain parts are produced. Basically, any company that has sensitive information can find ISO 27001 useful. To see a list of potential benefits, and to learn how to present them, read this article.

So, the point is: rather than viewing ISO 27001 as a purely IT project, you should view it as a tool to achieve some very concrete business benefits. And, when you do this, you’ll see that it can be applied much more widely than you initially thought, and it can help you in more ways than you expected.

What are the requirements of ISO 27001?

1. Prepare

Get an understanding of ISO 27001:2013. Reading the standard provides a good background to ISO 27001 and its requirements. There are a number of ways to up-skill yourself about ISO 27001:
- Read a free white paper about the Standard
- Read IT Governance’s free information about ISO 27001 and how to get started
- Purchase a copy of the Standard (the Standard is not freely available)
- Attend an introductory online ISO 27001 Foundation training course

Appoint an ISO 27001 champion. It is important to secure someone knowledgeable (either internally or externally) with solid experience of implementing an information security management system (ISMS), and who understands the requirements for achieving ISO 27001 registration. (If you do not have internal expertise, you may want to enrol for the ISO 27001 Online Lead Implementer training course.)

Secure senior management support. No project can be successful without the buy-in and support of the organization’s leadership. A gap analysis, which comprises a comprehensive review of all existing information security arrangements against the requirements of ISO/IEC 27001:2013, presents a good starting point. A comprehensive gap analysis should ideally also include a prioritized plan of recommended actions, plus additional guidance for scoping your information security management system (ISMS). The results from the gap analysis can be used to develop a strong business case for ISO 27001 implementation.

2. Establish the context, scope, and objectives

It is essential to pin down the project and ISMS objectives from the outset, including project costs and timeframe. You will need to consider whether you will be using external support from a consultancy, or whether you have the required expertise in-house. You might want to maintain control of the entire project while relying on the assistance of a dedicated online mentor at critical stages of the project. Using an online mentor will help ensure your project stays on track, while saving you the associated expense of using full-time consultants for the duration of the project.

You will also need to define the scope of the ISMS, which may extend to the entire organization, or only to a specific department or geographical location. When defining the scope, you will need to consider the organizational context as well as the needs and requirements of interested parties (stakeholders, employees, government, regulators, etc.). ‘Context’ takes into account internal and external factors that could influence your organization’s information security, and includes aspects such as the organizational culture, risk acceptance criteria, existing systems, processes, etc.

3. Establish a management framework

The management framework describes the set of processes an organization needs to follow to meet its ISO 27001 implementation objectives. These processes include asserting accountability for the ISMS, a schedule of activities, and regular auditing to support a cycle of continual improvement.

4. Conduct a risk assessment

While ISO 27001 does not prescribe a specific risk assessment methodology, it does require the risk assessment to be a formal process. This implies that the process must be planned, and the data, analysis, and results must be recorded. Prior to conducting a risk assessment, the baseline security criteria need to be established; these refer to the organization’s business, legal, and regulatory requirements and contractual obligations as they relate to information security. vsRisk Cloud, the simplest and most effective risk assessment software, provides the framework and resources to conduct an ISO 27001-compliant risk assessment.

5. Implement controls to mitigate risks

Once the relevant risks have been identified, the organization needs to decide whether to treat, tolerate, terminate, or transfer each risk. It is crucial to document all of the decisions regarding risk responses, since the auditor will want to review these during the registration (certification) audit. The Statement of Applicability (SoA) and risk treatment plan (RTP) are two mandatory reports that must be produced as evidence of the risk assessment.

6. Conduct training

The Standard requires that staff awareness programs are initiated to raise awareness about information security throughout the organization. This might require that virtually all employees change the way they work at least to some extent, such as abiding by a clean desk policy and locking their computers whenever they leave their workstations. A company-wide staff awareness e-learning course is the easiest way to bring across the philosophy behind the Standard, and what employees should do to ensure compliance.

7. Review and update the required documentation

Documentation is required to support the necessary ISMS processes, policies, and procedures. Compiling policies and procedures is often quite a tedious and challenging task, however. Fortunately, documentation templates – developed by ISO 27001 experts – are available to do most of the work for you. Formatted and fully customizable, these templates contain expert guidance to help any organization meet all the documentation requirements of ISO 27001.

At a minimum, the Standard requires the following documentation (clause references are to ISO/IEC 27001:2013):
- 4.3 The scope of the ISMS
- 5.2 Information security policy
- 6.1.2 Information security risk assessment process
- 6.1.3 Information security risk treatment process
- 6.1.3 d) The Statement of Applicability
- 6.2 Information security objectives
- 7.2 d) Evidence of competence
- 7.5.1 b) Documented information determined by the organization as being necessary for the effectiveness of the ISMS
- 8.1 Operational planning and control
- 8.2 Results of the information security risk assessment
- 8.3 Results of the information security risk treatment
- 9.1 Evidence of the monitoring and measurement of results
- 9.2 A documented internal audit process
- 9.2 g) Evidence of the audit programs and the audit results
- 9.3 Evidence of the results of management reviews
- 10.1 f) Evidence of the nature of the nonconformities and any subsequent actions taken
- 10.1 g) Evidence of the results of any corrective actions taken

8. Measure, monitor, and review

ISO 27001 supports a process of continual improvement. This requires that the performance of the ISMS be constantly analyzed and reviewed for effectiveness and compliance, in addition to identifying improvements to existing processes and controls.

9. Conduct an internal audit

ISO/IEC 27001:2013 requires internal audits of the ISMS at planned intervals. A practical working knowledge of the lead audit process is also crucial for the manager responsible for implementing and maintaining ISO 27001 compliance. The Online Certified ISO 27001 Lead Auditor course teaches you how to plan and execute an effective information security audit in line with ISO 27001:2013. It also teaches you to lead a team of auditors, and to conduct external audits. If you have not yet selected a registrar, you may need to choose an appropriate organization for this purpose. Registration audits (to achieve accredited registration, recognized globally) may only be conducted by an independent registrar, accredited by the relevant accreditation authority in your country.

10. Registration/certification audits

During the Stage One audit, the auditor will assess whether your documentation meets the requirements of the ISO 27001 Standard and point out any areas of nonconformity and potential improvement of the management system. Once any required changes have been made, your organization will then be ready for your Stage Two registration audit.

Certification audit: during the Stage Two audit, the auditor will conduct a thorough assessment to establish whether you are complying with the ISO 27001 Standard.
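Steps 4 and 5 above require the risk assessment to be a recorded, formal process, each risk to receive one of four treatment decisions, and the Statement of Applicability and risk treatment plan to be produced as evidence. The following Python script is an added example, not part of this page or of any product named on it, of a minimal risk register that enforces those properties. The 1–5 likelihood and impact scale, the product-based risk level, the acceptance threshold, the control identifiers (CTL-01 etc.) and the sample risks are all constructed for the example; ISO 27001 prescribes none of them.

```python
from dataclasses import dataclass, field

# Constructed scoring scheme (an assumption of this example, not the Standard's):
# likelihood and impact are each 1 (low) .. 5 (high); risk level is their product.
RISK_ACCEPTANCE_THRESHOLD = 8          # constructed risk acceptance criterion (see 'context')
TREATMENT_OPTIONS = {"treat", "tolerate", "terminate", "transfer"}


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    likelihood: int
    impact: int
    # The decision, chosen controls and owner are recorded so an auditor can trace
    # every risk response back to the assessment (the evidence the SoA/RTP carry).
    treatment: str = "tolerate"
    controls: list = field(default_factory=list)
    owner: str = ""

    def level(self) -> int:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.risk_id}: scores must be between 1 and 5")
        return self.likelihood * self.impact


def validate_register(risks):
    """Checks that make the register a 'formal process': unique ids, a known
    treatment per risk, no unaccepted risk silently tolerated or left without an
    owner, and at least one control wherever the decision is 'treat'.
    Returns a list of findings (empty means the register is consistent)."""
    findings, seen = [], set()
    for r in risks:
        if r.risk_id in seen:
            findings.append(f"{r.risk_id}: duplicate risk id")
        seen.add(r.risk_id)
        if r.treatment not in TREATMENT_OPTIONS:
            findings.append(f"{r.risk_id}: unknown treatment '{r.treatment}'")
            continue
        if r.level() > RISK_ACCEPTANCE_THRESHOLD:
            if r.treatment == "tolerate":
                findings.append(f"{r.risk_id}: level {r.level()} exceeds the acceptance criterion but is tolerated")
            if not r.owner:
                findings.append(f"{r.risk_id}: no risk owner assigned")
        if r.treatment == "treat" and not r.controls:
            findings.append(f"{r.risk_id}: 'treat' chosen but no control selected")
    return findings


def risk_treatment_plan(risks):
    """RTP rows: one per risk that is not simply tolerated, highest level first."""
    rows = [{"risk_id": r.risk_id, "level": r.level(), "treatment": r.treatment,
             "controls": list(r.controls), "owner": r.owner}
            for r in risks if r.treatment != "tolerate"]
    return sorted(rows, key=lambda row: row["level"], reverse=True)


def statement_of_applicability(risks, control_catalogue):
    """SoA: every catalogue control marked applicable or not, with a justification
    that points at the risks it treats (or states that none requires it)."""
    used = {}
    for r in risks:
        for c in r.controls:
            used.setdefault(c, []).append(r.risk_id)
    soa = {}
    for control_id, title in control_catalogue.items():
        applicable = control_id in used
        soa[control_id] = {
            "title": title,
            "applicable": applicable,
            "justification": ("treats " + ", ".join(used[control_id])) if applicable
                             else "no assessed risk requires this control",
        }
    return soa


# Constructed sample register and control catalogue (not real Annex A references).
SAMPLE_RISKS = [
    Risk("R1", "customer database", "credential theft via weak log-on", 4, 5, "treat", ["CTL-01"], "Head of IT"),
    Risk("R2", "office laptops", "loss or theft of device", 3, 4, "treat", ["CTL-02"], "IT Support Lead"),
    Risk("R3", "legacy FTP server", "unpatched service exposure", 4, 3, "terminate", [], "Head of IT"),
    Risk("R4", "public website", "hosting outage", 2, 3, "tolerate"),
    Risk("R5", "payment processing", "fraud losses", 2, 5, "transfer", [], "CFO"),
]
SAMPLE_CONTROLS = {
    "CTL-01": "Multi-factor authentication for privileged access",
    "CTL-02": "Full-disk encryption on portable devices",
    "CTL-03": "Secure development lifecycle",
}

if __name__ == "__main__":
    print("findings:", validate_register(SAMPLE_RISKS) or "none")
    for row in risk_treatment_plan(SAMPLE_RISKS):
        print("RTP:", row)
    for cid, entry in statement_of_applicability(SAMPLE_RISKS, SAMPLE_CONTROLS).items():
        print("SoA:", cid, entry)
```

The validation step is the part worth keeping in a real register: a risk above the acceptance criterion that is marked "tolerate", or a "treat" decision with no control behind it, is exactly the kind of gap a Stage Two auditor looks for, and catching it before the audit is cheaper than a nonconformity finding.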

Advantages of ISO 27001 certification:

Implementing an information security management system will provide your organisation with a system that will help to eliminate or minimise the risk of a security breach that could have legal or business continuity implications. An effective ISO 27001 information security management system (ISMS) provides a management framework of policies and procedures that will keep your information secure, whatever the format.

Following a series of high-profile cases, it has proven to be very damaging to an organisation if information gets into the wrong hands or into the public domain. By establishing and maintaining a documented system of controls and management, risks can be identified and reduced.

Achieving ISO 27001 certification shows that a business has:
- Protected information from getting into unauthorised hands
- Ensured information is accurate and can only be modified by authorised users
- Assessed the risks and mitigated the impact of a breach
- Been independently assessed to an international standard based on industry best practices

ISO 27001 certification demonstrates that you have identified the risks, assessed the implications and put in place systemised controls to limit any damage to the organisation. Benefits include:
- Increased reliability and security of systems and information
- Improved customer and business partner confidence
- Increased business resilience
- Alignment with customer requirements
- Improved management processes and integration with corporate risk strategies

Achieving ISO 27001 is not a guarantee that information breaches will never occur; however, by having a robust system in place, risks will be reduced and disruption and costs kept to a minimum.