Laika University
What is ISO 27001?

ISO and IEC jointly created ISO 27001, a standard with guidelines that help businesses assess and treat threats and vulnerabilities. It tests how well your organization establishes, implements, maintains and continually improves an information security management system (ISMS) that is appropriate to the business.

A certification body needs to audit your ISMS before your business can become ISO compliant. The assessment examines whether the controls a business has established align with the standard.

What is the ISO 27000 family of standards?

The ISO/IEC 27000 family is the complete set of standards that provides an international framework for information security management practices. It sets the groundwork for assessing and addressing information security risks within an organization.

In 2005, the ISO and IEC committees published the series, and they revised the 27001 standard in 2013. As part of the ISO 27000 family, its guidelines focus specifically on the implementation of the ISMS. In 2019, the committees renamed and revised the series as “27001:13.”

Who needs ISO 27001?

ISO 27001 is generally applicable to all businesses because it provides the framework required to secure data effectively.

Regardless of an organization’s size or type, the certification specifies the standard to be met for compliance rather than exactly what needs to be secured.

Similar to a SOC 2 report, your business will likely need an ISO 27001 certification if it operates outside the US and stores sensitive information. We recommend that businesses pursue an ISO 27001 certification primarily for regulatory reasons. Our customers also come to us when a lack of certification affects their reputation or when they are pursuing international deals.

Why is certification important?

Your business should leverage an ISO 27001 certification as proof of credibility with customers, partners, and regulators.

In globally competitive markets, it isn’t easy for consumers to evaluate how secure their vendors’ practices are. A certification like ISO 27001 makes it easier to build trust immediately. Equipping your organization with a certification can help you field security questions and build a compelling story about how your business stands out right from the start.

In addition to providing a powerful marketing message, the ISO 27001 certification aligns with the requirements of the General Data Protection Regulation (GDPR). Because the two frameworks overlap, ISO 27001 helps guide businesses toward the stricter regulations required internationally.

How do you implement ISO 27001?

Setting up an ISMS is the core of receiving an ISO 27001 certification. There are 114 controls that largely deal with four general areas:

  1. Physical security
  2. Technical security
  3. Legal security
  4. Organizational security

The requirements listed in the framework are the goals that the controls serve. Controls are safeguards or countermeasures that avoid, detect, counteract, or minimize security risks.

How do you maintain a certification?

The ISMS needs to be managed and maintained every year, even though ISO 27001 only needs to be audited every three years. Some controls will need yearly or quarterly reviews in order to stay in compliance. An audit is simply a snapshot in time, but your controls need to keep operating regardless.

If your business falls out of compliance, it creates more work when the time comes to be audited again.

What does a typical ISO 27001 process look like?

Every business model is unique, so the certification process differs for each one. Generally, though, most businesses will follow this checklist:

  • Perform a gap analysis
  • Classify your data
  • Build network architecture and data flow diagrams
  • Implement controls
  • Assess and mitigate risk
  • Perform a readiness assessment
  • Complete an audit