Yes, even small businesses or startups need compliance. No, it doesn’t need to hold up your sales cycle or cost a fortune or take a year to complete; though, it could be all of those things. Certifications in ISO 27001 have risen by 450% in the past 10 years. If your business is overlooking the relevance and responsibility of information security, you’ll almost certainly fall behind your competitors.
Most businesses have a variety of ways to secure information–from multi-factor authentication policies to keycard-only access in an office. When you’re starting out, it can be easy to overlook security policies and practices in favor of “moving fast and breaking things.” But if you want to grow your business long-term, your prospects and customers need to know that their data is secure.
This guide will spell out exactly what ISO 27001 is, why businesses need it, and how to tackle getting ISO 27001 certified.
- What is ISO 27001?
- What is an ISMS?
- Requirements for an ISO 27001 Certification
- Implementing ISO 27001
- Monitoring and Maintaining
- Certification and Audit Process
- Related Compliance Information
What is ISO 27001?
First things first, ISO/IEC 27001 provides specifications for creating and operating an effective Information Security Management System (ISMS). It is part of the ISO 27000 series, which provides international standards for information security management.
ISO/IEC 27001 was a joint effort developed by the International Organization for Standardization and International Electrotechnical Commission. They published the ISO series in 2005, and revised 27001 in 2013, further reviewing it in 2019; so the current version is “27001:13”.
Let’s talk about who ISO 27001 applies to, and how to implement it.
Do I need to be ISO 27001 Certified?
This international standard is generally applicable to all organizations, regardless of size, type, or industry. That’s because it simply provides the framework for securing your data effectively, instead of specifying exactly what or who needs to be secure.
To get more specific, answer these questions:
- Does your organization operate outside of the US?
- Do you transmit, store, or receive sensitive information?
If you answered yes to both, ISO 27001 is for you.
But if you’re reading this, chances are you’re already considering getting certified. Maybe a client has asked for a report on your information security, or the lack of certification is blocking your sales funnel. The reality is that if you’re considering a SOC 2, but want to expand your customer or employee base internationally, ISO 27001 is for you. We recommend that businesses pursue an ISO 27001 certification for regulatory reasons, when it’s impacting your credibility and reputation, or when you’re going after deals internationally.
However, setting up an ISMS is the crux of ISO 27001. And you may be wondering…
What is an ISMS?
An information security management system. It is also the basis of your ISO 27001 compliance. The system organizes people, processes, and technology to protect confidentiality, availability, and integrity of information.
Confidentiality: kept private and safe from unauthorized access (people, processes, or entities)
You can think about confidentiality like privacy. This aspect of the ISMS involves tangible controls like multi-factor authentication, security tokens, and data encryption. It may also involve special training for individuals with access to restricted or classified data.
Availability: accessible to authorized users
Availability typically requires the maintenance and monitoring of your systems. From preventing bottlenecks and redundancy to assuring business continuity and upgrading software and hardware systems, the availability of your data should prevent data loss and disaster recovery.
Integrity: data is complete and accurate
Finally, the integrity of your data examines trustworthiness. This aspect is vaguer, but if you have limited access to your data through confidentiality, the protection of your organization will lead to ISMS integrity.
Think of an ISMS as an overarching framework for auditors and internal organization. Your ISMS should describe the purpose of each company policy, and the scope of that policy. It acts like an application letter for ISO 27001 by defining exactly what requirements your company fulfilled through policies, practices, and procedures.
Ultimately, you’ll end up with a document specifying the governance of your systems. It should be shorter and more specific than an information security policy, for example, and focus on management and oversight. This document will establish a governance model to protect and secure your scoped systems.
ISO 27001 Requirements
ISO 27001 defines 114 controls, which largely deal with physical, technical, legal, and organizational security. Keep in mind that the requirements listed in the framework are the goal of controls. Controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks.
Below is a fairly comprehensive list of ISO 27001 requirements.
Information Security Policy
A5, 1 control
The first directive of ISO 27001 is to provide management with direction and support for information security in accordance with business requirements and relevant laws and regulations.
Essentially, your team will need to author an Information Security Policy. This document will define how your organization will set up your ISMS. It should include a set of policies for management to communicate to employees and external parties (like auditors). You’ll also need to put in place a review process to determine the continual effectiveness of the policy.
A9, 14 controls
This section addresses access control in relation to users, business needs, and systems. The ISO 27001 framework asks that businesses limit access to information and prevent unauthorized access through a series of controls.
In practice, you’ll need to write an access control policy, manage user access through registration, regular review access rights, and adjust accordingly. This section includes password management, source code restrictions, and the use of secret authentication information.
A8, 10 controls
Asset Management defines responsibilities, classification, and handling of organizational assets to ensure protection and prevent unauthorized disclosure or modifications. It’s largely up to your organization to define which assets are within the scope of this requirement.
Your team will need to create an inventory of all assets associated with information and processing facilities and assigned ownership. You’ll also need to define acceptable use, return, labeling, handling, and classification of those assets. Finally, the third clause in Asset Management addresses media handling: implementing controls for removal media and how to transfer or dispose of media.
A15, 5 controls
This requirement section covers the protection of assets and information accessible to suppliers during operations and delivery. With 5 associated controls, organizations will need to address security within supplier agreements, monitor and review supplier services regularly, and manage taking changes to the provisions of services by suppliers to mitigate risk.
Acquisition, Development, and Maintenance of Systems
A14, 13 controls
ISO 27001 asks businesses to build security into the infrastructure of information systems. This includes requirements for information systems across the entire lifecycle, including design, testing, implementation, and analysis.
Related controls include securing application services transactions and on public networks, creating a secure development policy and environment, and change control procedures. Most of these controls will apply to your product and engineering teams.
A7, 6 controls
All Human Resource related security is defined under section A7 of ISO 27001. It’s broken into a few different categories; before, during, and termination or change of employment. Most of these requirements are logical, including prospective employee screening, communicating the terms and conditions of employment, disciplinary processes, and information and security awareness training.
In practice, this asks HR departments to carry out background checks and employee training, and write contracts that clearly state employees’ responsibilities for information security.
A10, 2 controls
The cryptographic requirement asks businesses to ensure proper protection of confidential information through translating data into a protected code that is only usable by someone who has a decryption key. Your company will need to ensure that data is stored and transmitted in an encrypted format to reduce the probability of data compromise in the event that the data is lost or stolen.
Environmental and Physical Security
A11, 15 controls
The goal of this requirement is to prevent unauthorized access, damage, and interference to information and processing facilities. It addresses secure areas and equipment belonging to the organization.
Associated controls include physical entry controls, like keycards issues to authorized personnel, and protecting against natural disasters, malicious attacks, or accidents. Equipment-related controls get into more specifics, like regularly scheduled maintenance, having a clear desk and screen policy, and reducing environmental risks to equipment.
A12, 14 controls
The Operations Security requirement of ISO 27001 deals with securing the breadth of operations that a COO would typically face. From documentation of procedures and event logging to protecting against malware and the management of technical vulnerabilities, you’ve got a lot to tackle here.
Some examples of controls under Operations Security include creating backups of information, software, and systems. You’ll also need to log system and facility activities and restrict software installations. Importantly, the committee that wrote ISO 27001 acknowledges that this is a heavy ask for most companies. And in the final clause, 12.7, they require businesses striving for certification to carefully plan and minimize disruptions to business operations by an audit.
A13, 7 controls
Network security management and information transfer is outlined in the Communication Security requirement. These requirements ensure the protection of information in networks and maintain information security when it is transferred internally or externally.
Your team will need to place security mechanisms and management requirements on all network services and service agreements within the scope of ISO 27001. You’ll also need to prove you’re properly protecting electronic messaging (emails, instant messaging, etc.), and add to confidentiality and non-disclosure agreements.
A16, 7 controls
In the case of a snafu, the framework requires your team to prepare a plan to ensure the consistent and effective management of the problem. This includes a communication plan on security events and weaknesses.
The controls here are basically just best practices. You’ll need to show that you have a way to report on any incidents, assess the situation, and learn from it.
A17, 3 controls
ISO 27001 requires businesses to embed information security into the organization’s business continuity management system and ensure the availability of information processing facilities. You’ll need to plan, implement, verify, and review the continuity plan.
A18, 8 controls
Finally, compliance with legal and contractual requirements of ISO 27001. This requirement asks businesses to avoid breaches of legal, statutory, regulatory, or contractual obligations related to information security. Further, it asks that the business make sure that they adhere to the policies and procedures laid out in the above requirements. Basically, follow your own rules.
Associated controls are exactly what you’d expect: protecting PII, regulating cryptographic controls, holding a technical compliance review, and so on. Your compliance or information security expert can help you execute these tasks and maintain compliance in the long haul.
Implementing ISO 27001
When you’re looking at implementing any new compliance framework, you’ll need to consider the scope of the controls. Simply, think about which sectors of your organization will need to comply with ISO 27001 and implement an ISMS. If you’re a startup, it’s likely that ISO 27001 will apply to your entire organization.
The scope is less of a consideration when you’re leading a smaller organization or a start-up; you can consider every team within the scope.
Your compliance team will need to perform a gap analysis against the ISO 27001 framework as the first step in your implementation process. This will help with initial organization moving into the next step.
Once the team understands the gaps in your current systems, they can move onto data classification. Most data classification falls into four categories: classified/restricted, confidential, internal, and public. You should define each category and which types of data fall into each.
This step helps define controls that need to be incorporated based on the data you collect, store, and share.
Network Architecture and Data Flow Diagrams
After understanding the data that lives in your ecosystem, you’ll want to know how it flows through the organization and who has access to it. Your compliance team will also be able to identify opportunities for the data to be compromised internally or externally through flow diagrams.
AWS provides its diagrams to the public here.
This allows you to start putting together your risk profile fastest and most efficiently by seeing what data is important to do, where it is stored and how it’s used. You can use any flow diagram tool to complete this step; we recommend Lucidchart.
When you’ve internally classified your data and identified where each piece of data moves through and is stored, you’re ready to implement ISO 27001 controls. The controls implemented are largely dependent on your findings in the first steps.
Above is an example from Laika on how control implementation can be organized and tracked.
ISO 27001 documentation can be the biggest lift of implementation. Because the framework prescribes more procedural documents like policies, the emphasis on writing those policies takes a significant amount of time. Similarly, setting up infrastructure for regularly scheduled reviews, like access control, also requires time and commitment from participants.
To avoid writing these policies on your own, from scratch, you can partner with a consultant or service that offers templated policies.
Not to be confused with a gap analysis, a risk assessment will evaluate risk outside of the ISO 27001 framework. ISO 27001 requires a risk assessment, which should be executed by a qualified and knowledgeable compliance team.
The risk assessment examines future plans and anticipated business growth to understand upcoming risks. That could include geographic challenges, data loss prevention, re-evaluation of scoped programs, and any concerns outside of the ISO 27001 framework controls.
Our team executes risk assessments after control implementation but before the audits. Based on your findings, the team can decide if the risk is acceptable or needs further control implementation to mitigate.
Risk Mitigation Controls
Implementing more controls is, as above, dependent on the amount of risk your organization is comfortable operating with. This step could be skipped if the risk assessment was found to be acceptable.
The final step of ISO 27001 implementation is accepting risk. Again, some of these steps can be skipped, but Laika always recommends consulting with compliance experts first.
Monitoring and Maintaining your ISMS
Some of your controls will need periodic execution, like quarterly access reviews or logging monitoring systems. Startups should always leverage existing functionality provided by cloud services providers to prevent extra headaches. For instance, AWS provides Amazon CloudWatch, you can use Stackdriver Logging for Google Cloud, and Azure logging and auditing for Microsoft Azure.
Keep in mind that an audit is simply a snapshot in time, but your controls need to continue to operate between annual audits. Otherwise, it’s likely that your business will fall out of compliance, and create more work when the time comes to be audited again.
ISO 27001 Certification Process
Getting ISO 27001 certified is more difficult than SOC 2 certification, largely because there are fewer auditors and the process takes longer. The initial audit process is two steps:
Audit Step 1:
First, ISO 27001 requires your company to go through a readiness assessment, which is really a mini-audit without recommendations on how to fix any problems they find. It’s an informal, internal review of the ISMS to check that it exists and is complete. This audit should be performed by an independent party or an external team. We’ve seen contractors hired to do the first audit, other companies select a team that was not involved in the project to execute it independently.
At the end of this readiness assessment, you’ll receive an excel checklist with all the controls and whether they have been implemented by your team.
Audit Step 2:
After your ISMS is deemed ready, an ISO 27001 certified auditor will need to perform a formal compliance audit. This involves examining ISMS to determine that it was properly designed, implemented, and is currently operating.
While the schedule of the audit is dependent on your auditing body, in our experience this audit typically takes about two weeks for investigation. After that stage, your auditors should take another two weeks to compile a final report.
Keep in mind that you can fail ISO 27001, unlike SOC 2. If auditors find that your information security has major issues, they will require your organization to go back and fix them to be reviewed again before handing over a certification. This process can be costly; it’s important for your budget to get it right the first time around.
Finally, your prospects and clients will likely ask to see that report, so keep it on hand!
Staying ISO 27001 Compliant
After your initial ISO 27001 certification, it gets a little complicated. For the following two years, your business will only need to pass the first step of the audit process. Auditors will perform tests on random controls, like a pop quiz. If your ISMS doesn’t pass, you’ll need to expand to a full audit, like described in step 2 above.
In the third year of certification, your organization will go through the full audit process again.
ISO 27001 Challenges and Tips from the Experts
Compliance with any framework has its challenges, and ISO 27001 is no different. Because these requirements are meant to build information security into the foundational operations of a business, it can be a big lift. Here are some of the most common challenges our team has seen implementing and maintaining ISO 27001.
Lack of Certified Auditors
The main challenge we see with our clients is finding a certification body and auditors. The barrier to entry with ISO 27001 is fairly high compared to other frameworks. Auditors need to have at least 4 years of experience in information security, go through 3 full ISMS audits, take a 5-day auditor course, and find a certification body for the trainee program.
While it’s difficult to avoid this challenge, we recommend seeking an auditor as soon as you start the ISO 27001 process. You can prepare your timeline appropriately and more accurately communicate the deadline for certification clients, employees, and investors.
Annual Internal Audit
For small businesses, an annual internal audit can be a difficult process. When your business is small enough, it’s hard to have an independent team that is knowledgeable in ISO 27001 compliance execute the exercise. Often, teams will look for external consultants to perform the internal audit, incurring an otherwise avoidable cost.
Note: your internal audit cannot be performed by the same party as your external audit. These two steps need to be completely independent of each other.
Unlike other certifications, ISO 27001 requires organizations to build an ISMS and author structured documents. These additional documents may not be inherently valuable to your business; compliance teams often struggle to find ways to make those documents useful instead of simply an exercise to receive a participation ribbon.
For example, your ISMS provides auditors with a lens to view your ISO 27001 security posture. But to anyone other than auditors, it’s not a very useful document. You’ll need to spend time developing and editing it nonetheless.
Our experts always recommend that our clients have a thorough asset inventory to speed audits. Building an asset inventory involves classifying your assets, e.g. data warehouses, cloud environments, databases, and any components of an application.
Uunderstanding where all your assets are and how data is stored or transferred through them means you’ll be able to better design a compliance program to protect your assets.
Get a headstart on GDPR and NIST
Finally, ISO 27001 is a comprehensive framework that helps businesses comply with a variety of regulations, like GDPR and NIST. If your organization operates in the EU, you’ll most likely need to comply with GDPR, if only for marketing purposes. NIS and NIST are cybersecurity regulations, much of which are covered by controls in ISO 27001.
As regulations and enforcement increase, it’s good to have your compliance bases covered in your ISMS. Getting ISO 27001 certified is a step in the right direction. While implementing the framework, you can cover other applicable regulations like GDPR or NIS/NIST at the same time.
Have more questions about ISO 27001? Reach out to our team.