ISO 27001 – Why, What is it, and How to Get Started
By Jeremy Louise | May 23rd, 2019
This article was written with contributions from Timothy Woodcome, director of NQA, a leading global certification body, as well as the technical staff here at Technical Support International.
Officially known as ISO/IEC 27001:2013, ISO 27001 is the international standard that specifies the requirements for an information security management system, or ISMS: the set of policies, procedures and controls through which a business identifies and manages its information risks. The standard's Annex A catalogues controls that span legal, physical, organizational and technical domains. It was first published by the International Organization for Standardization in 2005, jointly with the International Electrotechnical Commission, and revised in 2013. The GDPR has sparked additional interest in the existing value proposition of ISO 27001, although it's important to note that the GDPR was NOT a factor in the standard's creation.
In certain situations, ISO certification is a customer requirement for vendor qualification and is oftentimes a specific bid/request for proposal requirement. In other situations, a business may choose to proactively certify for ISO 27001 for the intrinsic value alone – the structure provided is seen by many as a best practice for their business, creating a significant marketing advantage along the way.
All of this is important because most businesses already operate a number of security controls, but without a proper ISMS those controls tend to be disorganized, undocumented and difficult to manage. The standard is designed to bring all of those controls under "one roof," so to speak, tying each one to an identified risk and an owner so that together they become far more effective than any one of them could be on its own.
What Is ISO 27001 and Why Does It Matter?
ISO 27001 is notable for using a top-down, risk-based approach and is intended to give organizations a way to establish, implement, operate, monitor, review, maintain and continually improve their ISMS. In essence, it is the information security offering within the proven ISO management system model (the same model behind ISO 9001 for quality), aimed at the day-to-day cyber and information risks of a business.
Documentation for ISO 27001 outlines a six-part process, which includes elements like:
- Defining a security policy at the business level.
- Defining the scope of the ISMS as it relates to context of the organization.
- Conducting a risk assessment to identify the information assets in scope, the threats and vulnerabilities they are exposed to, and the likelihood and impact of each resulting risk.
- Deciding how to treat each identified risk (mitigate, transfer, avoid or accept it) and recording that decision.
- Selecting the control objectives and controls to be implemented to treat the risks that are not accepted.
- Preparing a Statement of Applicability that lists every Annex A control, states whether it applies, and justifies any exclusion.
In addition to the standard ISO management system requirements, ISO 27001 includes Annex A, which groups 114 individual controls under 35 control objectives in 14 control domains for businesses to consider and, where applicable, implement. This structure also provides a valuable framework for incorporating controls from other regimes an organization may be subject to, such as the GDPR, NIST frameworks, HIPAA and others.
ISO 27001 is notable because it doesn't actually mandate specific technical security measures; instead it provides the Annex A checklist of controls, each of which must be considered within the context of the unique risks you are exposed to, and either applied or justifiably excluded. Certification by an accredited third-party certification body is what demonstrates conformance to customers and regulators, as opposed to self-declared compliance.
As Information Security requirements become more stringent all the time, this ISO certification in particular can really help distinguish an organization from competitors – especially if the business in question is a Department of Defense-related contractor.
Likewise, choosing not to pursue certification locks a business out of a wide variety of benefits, including the aforementioned commercial opportunities, better risk mitigation and the framework's own intrinsic value. Note that certification requirements of this kind are most common in the federal government and financial industry contracting spaces, and are less of a factor in various manufacturing sectors.
Is It Possible to Comply With ISO 27001 On My Own?
Technically speaking, yes. However, there are a number of factors that may make this the wrong move to make for your business:
- It's not likely that you or your staff are already qualified to objectively evaluate your own systems and controls at this level.
- Even if you were, it's probably not the best use of your time.
- Partnering with the right company, such as a managed services provider, would not only be a faster way to bring your organization up to speed, but would likely be far cheaper as well.
The key thing to understand is that the ISO standard is not a step-by-step DIY implementation guide. A wealth of invaluable resources exist to support organizations going through their own implementations, including online resources, training materials, consultants and more. ISO certification itself requires an independent, accredited certification body to audit the ISMS and attest to the implementation; you cannot self-certify.
Getting Started With ISO 27001
Once a security policy and the scope of the ISMS have been defined, the next step is a careful examination of the threats your business's information is exposed to, technology-related and otherwise. Not only does this require you to learn more about the threats themselves, but you also need to determine what vulnerabilities and gaps in protection exist (so that they can be addressed later on), along with the potential impact if they were exploited.
If your business were struck by a specific type of attack, what information would be compromised? Why? What are the long-term effects on the confidentiality, integrity and availability of that information? These are the questions you need to answer.
Then you'll need to design and implement a set of controls to avoid or mitigate those risks that are deemed unacceptable. You'll also need to adopt a holistic management process, including regular risk reviews, internal audits and management review, that ensures these controls evolve as your business does, continuing to meet your organization's information security needs tomorrow, next week and even five years from now.
Overall, ISO 27001 implementation requires you to focus on three main components: your technology, your people and their processes. This is why a gap assessment is critical to determine where your business is relative to these three integral factors at all times. It is possible to be strong on the technology side and still not have your people and processes lined up where they need to be.
More than anything, understand that ISO 27001 is an organizational effort, not a simple IT initiative. A complete buy-in from the whole organization is the primary contributor to your success.
Are You Overwhelmed by ISO 27001? Not For Long
If ISO 27001 seems complicated, that's because it is, but it's also not something you have to spend too much time worrying about. To get a better handle on the situation, begin with an internal discussion where you engage all key stakeholders and ask a simple-yet-essential question: "Will the cost of meeting this ISO requirement pay for itself through business opportunities we wouldn't have access to otherwise?"
The answer, for most people, will be “yes.”
At that point, you should talk to your MSP about how these requirements will actually impact your organization in an appreciable way. This will also give you a better idea of the IT tools necessary to make sure that the process goes as smoothly as possible.
One way to do this is by starting with a technology assessment, which establishes the baseline information required to build the strategic ISO 27001 roadmap you need. Remember that in the modern era, you can't afford for IT silos to exist within your organization. This is true both in terms of requirements like ISO 27001, and with regards to the actionable insight and intelligence you're locking yourself out of by continuing to allow them to exist.
So where do you start with ISO 27001 compliance? It's simple: with everyone. You begin by making information security an organization-wide initiative that includes everyone, not just IT people, and you proceed carefully from there.
Help is Only a Phone Call Away
If you don't have the time to become an ISO 27001 expert, don't worry; that's what we're here for. To find out more about everything you need to do to get started, or to discuss your own situation in a little more detail, please don't delay: contact us today.