ISO 27001 for your business and what you need to know

Oro provides content designed to educate and help audiences on their compliance journey.

Yes, all businesses and organizations need compliance and security. No, it doesn’t need to hold up your sales cycle, cost a fortune, or take a year to complete; though, of course, it could create all those things. If your business or company overlooks the relevance and responsibility of information security, you’ll almost certainly need to catch up to your competitors. Not doing so could cost you a competitive edge.

Most businesses have a variety of ways to secure information–from multi-factor authentication policies to keycard-only access in an office. When you’re starting out, it can be easy to overlook security policies and practices in favor of “moving fast and breaking things.” But if you want to grow your business long-term, then your prospects and customers need to know that their data is secure. You can even save money and prevent a future cyberattack or data breach when remaining compliant.

One of the most universally accepted compliance frameworks is ISO 27001.

This post spells out precisely what ISO 27001 is, why businesses need it, and how to tackle getting ISO 27001 certified.

1. What is ISO 27001?
2. What is an ISMS?
3. Requirements for an ISO 27001 Certification
4. Implementing ISO 27001
5. Monitoring and Maintaining
6. Certification and Audit Process
7. Related Compliance Information

What is ISO 27001?

First, ISO/IEC 27001 provides specifications for creating and operating an effective Information Security Management System (ISMS). It is part of the ISO 27000 series, which provides international standards for information security management.

ISO/IEC 27001 was a joint effort developed by the International Organization for Standardization and International Electrotechnical Commission. They published the ISO series in 2005 and revised 27001 in 2013, further reviewing it in 2019 and then upgrading it in 2022, so the current version is “27001:22.”

Do I need to be ISO 27001 certified (whether as a large or small business)?

This international standard generally applies to all organizations, regardless of size, type, or industry. That’s because it simply provides the framework for securing your data effectively instead of specifying exactly what or who needs to be secure.

To get more specific, if you’re wondering if your company needs ISO 27001, start by answering these questions:

• Does your organization operate a business that wants to establish, implement, maintain, and continually improve its information security management system?
• Does your organization want to preserve the confidentiality, integrity, and availability it receives by applying a risk management process to give confidence to your customers, partners, and interested parties that you adequately manage risks?

If you answered yes to both, ISO 27001 is for you.

The reality is that if you’re considering a SOC 2 but want to expand your customer or employee base internationally, ISO 27001 is for you. We recommend that businesses pursue an ISO 27001 certification for regulatory reasons, when it’s impacting your credibility and reputation, or when you’re going after deals internationally.

However, setting up an ISMS is the crux of ISO 27001. 

What is an ISMS?

ISMS stands for information security management system. It is also the basis of your ISO 27001 compliance. Information security management systems organize people, processes, and technology to protect the confidentiality, availability, and integrity of information. Furthermore, information security management systems consist of systematic policies and procedures for managing an organization’s sensitive data. It helps your business by keeping risk management in place.

Confidentiality: kept private and safe from unauthorized access (people, processes, or entities)

You can think about confidentiality like privacy. This aspect of the ISMS involves tangible controls like multi-factor authentication, security tokens, and data encryption. It may also involve special training for individuals accessing restricted or classified data.

Availability: accessible to authorized users

Finally, availability typically requires the maintenance and monitoring of your systems. From preventing bottlenecks and redundancy to assuring business continuity and upgrading software and hardware systems, the availability of your data should prevent data loss and disaster recovery.

Integrity: data is complete and accurate

Finally, the integrity of your data examines trustworthiness. This aspect is vaguer, but if you have limited access to your data through confidentiality, protecting your organization will lead to ISMS integrity.

Think of an ISMS as an overarching framework for auditors and internal organizations. Your ISMS should describe the purpose of each company policy and the scope of that policy. It acts like an application letter for ISO 27001 by defining exactly what requirements your company fulfilled through policies, practices, and procedures.

ISO 27001 requirements 

ISO 27001 defines 114 controls, which largely deal with physical, technical, legal, and organizational security. Remember that the requirements listed in the framework are the goal of controls. Controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks.

Below is a comprehensive list of ISO 27001 requirements. Thoropass tends to look at Clause 4 to 10 and Annex A containing 93 controls aligned to Clauses 5 to 8:

Clause 5 Organization Controls: 37 controls

Clause 6 People Controls: 8 controls

Clause 7 Physical Controls: 14 controls

Clause 8 Technological Controls: 34 Controls

Information security policy

Organizational Controls (37 Controls)

Organizational controls include information security policies, organization of information security, asset management practices, and access controls.  In addition, this section includes supplier relationship management, incident management practices, business continuity considerations, and controls related to regulatory/statutory compliance.

People Controls (8 Controls)

The People controls include proper screening of candidates, establishing terms and conditions of employment, managing responsibilities, and providing information security awareness through education and training.  Additionally, the organization establishes a disciplinary process for employees who have committed an information security breach which may lead to possible termination of employment responsibilities.  

Physical Controls (14 Controls)

Physical controls are important to ensure that there is proper security of tangible assets.  These controls include physical monitoring to entry points, visitor access security, asset disposal processes, and clear desk controls.

Technological Controls (34 Controls)

Technological controls are vital to the successful security of an organization’s production data.  This section includes controls around the security of the IT infrastructure, including authentication techniques, change management, logging/monitoring controls, vulnerability management, and data leakages techniques.  

Implementing ISO 27001

When you’re looking at implementing any new compliance framework, you’ll need to consider the scope of the controls. Simply, think about which sectors of your organization will need to comply with ISO 27001 and implement an ISMS. If you’re a startup, it’s likely that ISO 27001 will apply to your entire organization.

The scope is less of a consideration when you’re leading a smaller organization or a start-up; you can consider every team within the scope.

Gap analysis

If your company has been operating for a couple of years, it’s likely that you already have some best practices in place. For instance, having a formal hiring process and privacy policy is fairly common. Before diving into each specific control, you’ll need to understand where the biggest gaps are and how to prioritize them.

Your compliance team will need to perform a gap analysis against the ISO 27001 framework as the first step in your implementation process. This will help with the initial organization moving into the next step.

Data classification

Once the team understands the gaps in your current systems, they can move onto data classification. Most data classification falls into four categories: classified/restricted, confidential, internal, and public. You should define each category and which types of data fall into each.

This step helps define controls that need to be incorporated based on the data you collect, store, and share.

Network architecture and data flow diagrams

After understanding the data that lives in your ecosystem, you’ll want to know how it flows through the organization and who has access to it. Your compliance team will also be able to identify opportunities for the data to be compromised internally or externally through flow diagrams.

AWS provides its diagrams to the public here.

This allows you to start putting together your risk profile fastest and most efficiently by seeing what data is important to do, where it is stored and how it’s used. You can use any flow diagram tool to complete this step; we recommend Lucidchart.

Control implementation

When you’ve internally classified your data and identified where each piece of data moves through and is stored, you’re ready to implement ISO 27001 controls. The controls implemented are largely dependent on your findings in the first steps.

Above is an example from Thoropass on how control implementation can be organized and tracked. This is also a part of the statement of applicability. 

ISO 27001 documentation can be the biggest lift of implementation. Because the framework prescribes more procedural documents like policies, the emphasis on writing those policies takes a significant amount of time. Similarly, setting up infrastructure for regularly scheduled reviews, like access control, also requires time and commitment from participants.

To avoid writing these policies on your own and from scratch, you can partner with a consultant or solution (like Thoropass) that offers templated policies.

Risk assessment

Not to be confused with a gap analysis, a risk assessment will evaluate risk outside of the ISO 27001 framework. ISO 27001 requires a risk assessment, which a qualified and knowledgeable compliance team should execute.

The assessment examines future plans and anticipated business growth to understand upcoming risks. That could include geographic challenges, data loss prevention, re-evaluation of scoped programs, and any concerns outside of the ISO 27001 framework controls.

Our team executes risk assessments after control implementation but before the audits. Based on your findings, the team can decide if the risk is acceptable or needs further control implementation to mitigate.

Risk mitigation controls

Implementing more controls is, as above, dependent on the amount of risk your organization is comfortable operating with. This step could be skipped if the risk assessment was found to be acceptable.

Risk acceptance

The final step of ISO 27001 implementation is accepting risk. Again, some of these steps can be skipped, but Thoropass always recommends consulting with compliance experts first.

Monitoring and maintaining your ISMS

Some of your controls will need periodic execution, like quarterly access reviews or logging monitoring systems. Startups should always leverage existing functionality provided by cloud service providers to prevent extra headaches. For instance, AWS provides Amazon CloudWatch, you can use Stackdriver Logging for Google Cloud, and Azure logging and auditing for Microsoft Azure.

Keep in mind that an audit is simply a snapshot in time, but your controls need to continue to operate between annual audits. Otherwise, it’s likely that your business will fall out of compliance, and create more work when the time comes to be audited again.

ISO 27001 certification process

Getting ISO 27001 certified is more difficult than SOC 2 certification, largely because the process takes longer because we are establishing an information security management system with a lot of moving parts. The initial audit process is two steps:

Audit Stage 1:

First, ISO 27001 requires your company to be analyzed on your policies and procedures. The auditor performs this first stage to determine the design effectiveness of the policies and procedures.

Once this is completed, the organization mitigates any minor or significant non-conformities and moves on to Stage 2.

Audit Stage 2: 

After your ISMS is deemed ready, an ISO 27001-certified auditor must perform a formal compliance audit. This involves examining ISMS to determine that it was properly designed, implemented, and is currently operating.

While the schedule of the audit is dependent on your auditing body, in our experience, this audit typically takes about two weeks for investigation. After that stage, your auditors should take another two weeks to compile a final report.

Keep in mind that you can fail ISO 27001, unlike SOC 2. If auditors find that your information security has major issues, they will require your organization to go back and fix them to be reviewed again before handing over a certification. This process can be costly; it’s important for your budget to get it right the first time around.

Finally, your prospects and clients will likely ask to see that report, so keep it on hand.

Staying ISO 27001 compliant

After your initial ISO 27001 certification, your business will only need to pass the first step of the audit process for the following two years. Auditors will perform tests on random controls, like a ‘pop quiz.’ An Auditor will also make sure nothing has changed and that you continue to implement controls as you say you do. If your ISMS doesn’t pass, you’ll need to expand to a full audit, as described in step 2 above.

In the third year of certification, your organization will go through the full audit process again.

ISO 27001 challenges and tips from the experts

Compliance with any framework has its challenges, and ISO 27001 is no different. Because these requirements are meant to build information security into the foundational operations of a business, it can be a big lift. Here are some of the most common challenges our team has seen in implementing and maintaining ISO 27001.

Lack of certified auditors

The main challenge we see with our clients is finding a certification body and auditors. The barrier to entry with ISO 27001 is fairly high compared to other frameworks. You have individual requirements and then certifying body requirements. The auditors work for a certifying body that is accredited by an accreditation body.  Yes, auditors need to take training and have the experience to obtain a lead auditor certification. The individual auditors go through a separate certification body for their certification instead of the certifying body firms (that go through an accreditation body). Auditors need to have at least 4 years of experience in information security, go through 3 full ISMS audits, take a 5-day auditor course, and find a certification body for the trainee program.

While it’s difficult to avoid this challenge, we recommend seeking an auditor as soon as you start the ISO 27001 process. You can prepare your timeline appropriately and more accurately communicate the deadline for certification clients, employees, and investors.

Annual internal audit

For small businesses, an annual internal audit can be a difficult process. When your business is small enough, it’s hard to have an independent team that is knowledgeable in ISO 27001 compliance execute the exercise. Teams often look for external consultants to perform the internal audit, incurring an otherwise avoidable cost.

Note: An internal auditor is different than a certifying auditor.  An internal audit can be performed by someone knowledgeable and not directly involved in establishing the controls. This can be someone within the company (or an external party). Your internal audit cannot be performed by the same party as your external audit. These two steps need to be completely independent of each other.

Structure-heavy requirements

Unlike other certifications, ISO 27001 requires organizations to build an ISMS and author structured documents. These additional documents may not be inherently valuable to your business; compliance teams often struggle to find ways to make those documents useful instead of simply an exercise to receive a participation ribbon.

For example, your ISMS provides auditors with a lens to view your ISO 27001 security posture. But to anyone other than auditors, it’s not a very useful document. You’ll need to spend time developing and editing it, nonetheless.

Asset inventory

Our experts always recommend that our clients have a thorough asset inventory to speed audits. Building an asset inventory involves classifying your assets, e.g. data warehouses, cloud environments, databases, and any components of an application.

Understanding where all your assets are and how data is stored or transferred through them means you’ll be able to design a compliance program better to protect your assets.

Get a headstart on GDPR and NIST

Finally, ISO 27001 is a comprehensive framework that helps small businesses, and large, comply with a variety of regulations. Simultaneously it may help with GDPR and have some cross-over with NIST. If your organization operates in the EU, you’ll most likely need to comply with GDPR, if only for marketing purposes. 

As regulations and enforcement increase, it’s good to have your compliance bases covered in your ISMS. Getting ISO 27001 certified is a step in the right direction. While implementing the framework, you can cover other applicable regulations like GDPR and/or have cross-over with NIST at the same time.

Have more questions about ISO 27001 for your small business? Reach out to our team.

---