There are certifications like CISA and CISM for individuals who want a professional recognition for their knowledge and skills of information security. But what about the entities if they need assurance about whether they have a robust information security management system in place or not.
For organizations, there is ISO 27001 certification which they can get after getting certified by an accredited certifying body which audits them against the security controls given in the ISO 27001 standard. It was developed by the International Organization for Standardization (ISO), and published in 2004. However, the standard was thoroughly revised in 2013 and the current standard is from 2013.
ISO 27001 is designed to provide organizations with a framework for managing their information security risks. It covers a wide range of topics including risk assessment, incident response, vulnerability management, and training.
ISO 27001 is used by all the organizations that want to protect their informational assets from being hacked and from many other problems. It is an international standard, providing the organization with the proper management framework for putting efforts to trust ISMS for ensuring security of their data bases.
ISO 27001 controls not only to protect confidential data but also to the integrity and availability of all your data including the financial, employee details, third-party information, and intellectual property information as well.
What is meant by the term ISMS?
If you are new to the world of technology, then it could be the first time that you heard the word ISMS. ISMS stands for an International Security Management System, which is a system that an organization devises and puts in place to secure confidential and important information and assets, by providing series of security controls against vulnerabilities and threats.
If an organization has maintained and managed ISMS, then it can have reasonable assurance of protection of its data and information from being compromised. ISMS helps to protect any information, be it on paper, digital, or on Cloud, by having a documented management system. It helps people by identifying any security threat or vulnerability by the managing controls.
What is an ISO 27001 certification?
If an organization is investing in protecting the processes, people, or even technology and their ITs data and also, provides assessments that are independent even if their data is protected, then it gets the ISO 27001 certificate after getting these controls and processes audited and vetted by an independent third party auditing agency.
They can get certification through a certified body that is accredited. It helps to tell the customers that the organization is following the best practice for security information management.
Getting an ISO 27001 compliance has become essential as the regulator requirements pressurize the organization to protect the data of the customers and the organization itself.
What is an ISO 27001 certification process?
An organization or people need to get in the services of accredited CB that has been assessed to particular authorities based on the impartiality, performance, and competence through a process of assessment.
There are two stages of an ISO 27001 certification process, that the qualified auditors conduct.
- Stage 1
Firstly, your documentation will be reviewed by the auditor to check whether or not the ISMS has been created according to the standards. For that, you need to give evidence required by the CB’s which will be mostly in the form of documentation for all the processes and procedures related to controls specified in ISMS 27001 standard.
- Stage 2
After passing from the first stage, an even more thorough assessment will be conducted by the auditor. In this assessment, the real activities will be reviewed and the auditor will visit on site to gain assurance that the processes are in place and working as per documentation. Your policies will be analyzed with your procedures, and the auditor will be reviewing how your ISMS works. Your main staff members will also be interviewed and observed so that he can verify if all the activities are undertaken by following ISO 27001 specifications.
After you pass this onsite audit, you will get an ISO 27001 certification.
What are the benefits of an ISO 27001 certification?
There are a lot of benefits of an ISO 27001 certification as it is a recognized standard for an information security, which has 40,000+ certified organizations. Here are the benefits:
- An ISO 27001 certification helps you have systems and process in place to protect your data whether it is digital, on cloud or even on paper.
- An ISO 27001 certification defends against any cyber-attack an organization might get, and it also helps to protect any data or security from breaching because of the security controls you will be having in place as result of implementing ISMS.
- An ISO 27001 helps to reduce the costs of an information security program as it has an analysis approach and the risk assessments which helps organizations focus on the high risk areas by following a risk treatment plan. The budget for information security is limited, therefore, ISMS helps in efficient utilization of that budget by focusing on the highest risk areas first.
- An ISO 27001 certified organization will be better at responding to many new security threats than any other defensive technology. This is all because of the risk management approach that ISMS takes which involves continuous evaluation of security risks and identification of relevant controls to mitigate those risks.
- Employees will be aware of the security information risks and they will know how to deal with them perfectly. This is because there is an established security culture in an ISO 27001 certified organization.
- An ISO 27001 certification helps meet the contractual obligations by providing evidence that they have already implemented information security best practices.
What are ISO 27001 controls?
If you want to have the best practice for ISMS, then an ISO 27001 certification is the best way. You might have to take a little bit of risk as this standard is a risk-based approach to your security information. You even have to approve that this might be risky and whether or not you still want to use this standard and select the controls that are appropriate to tackle the problems.
The name of the controls are given in the Annex to the ISO 27001:2013 standard there are about 144 of them, which are further classified into about 14 categories.
- The first category is A.5 Information security policies that has 2 controls.
- The second category is A.6 Organization of information securities that has 7 controls.
- The third category is A.7 Human resources securities that has 6 controls.
- The fourth category is A.8 Asset management that has 10 controls.
- The fifth category is A.9 Access controls that has 14 controls.
- The sixth category is A.10 Cryptography that has 2 controls.
- The seventh category is A.11 Physical and environmental security that has 15 controls.
- The eighth category is A.12 Operational securities that has 14 controls.
- The ninth category is A.13 Communications securities that has 7 controls.
- The tenth category is A.14 System acquisition, development, and maintenance that has 13 controls.
- The eleventh category is A.15 Supplier relationships that has 5 controls.
- The twelfth category is A.16 Information security incident management that has 7 controls.
- The thirteenth category is A.17 Information security aspects of business continuity management that has 4 controls.
- The fourteenth category is A.18 Compliance that has 8 controls.
How ISO 27001 Audits Work
If you are done with your external audit, then you can easily obtain the certification, from a certification body. The organization’s policies, procedures, and practices will be reviewed by the auditors, and they will check whether the organization’s ISMS meets up with all the requirements that are needed by the standard.
This certification mostly lasts for about 3 years, but there will be internal audits on routine bases, conducted by the organizations to check the continual process improvement. And once an organization is certified, it will conduct the annual assessments to the compliances.
When an organization first gets ISO 27001 certification, it is valid for one year. The certifying body will do surveillance audits for next two years as well to make sure that the ISMS as matured and is still working.
Link between ISO 27001 and Risk Management
Risk management is at the heart of ISO 27001 implementation. After defining scope of the implementation, Risk Identification is performed against all the assets, including virtual and human assets, to identify the risk. After that a risk assessment exercise is conducted to understand the impact of these risks and the required controls.
And finally a Risk Treatment Plan is conceived which also lists all the controls that are needed to mitigate the identified and assessed risks.
Of course all this exercise is conduced the the entity itself and the certifying body will only audit this documentation and its implementation.
ISO 27001 follow up audits
Also called surveillance audits, these are audits that a Certifying Body will conduct in the subsequent two years of achieving the certification to help ensure that the ISMS is maturing nicely and the controls and processes that were designed and implemented as part of achieving ISO 27001 certification are still being implemented and have matured.
The audits that the organization’s own resources carry out are called internal audits. As part of implementation of ISO 27001, the implementing organization is required to conduct its own internal audits against ISO 27001 controls before the external audit by the certifying body. Any missing controls and documentation needs to be addressed and then the external auditors are invited to audit for certification purposes.
What’s involved with ISO 27001 internal audits?
The documentation reviews are involved in internal audits, in which the organization’s standards, procedures, and policies are reviewed to ensure whether or not it is fit and maintained to perform the purpose.
An evidential audit is involved to actively sample the evidence to check whether or not the organization’s policies are getting complied with, guidance is getting considered or not, and to check if all the procedures are getting followed or not.
Analysis of this audit is involved to make sure that the standard requirements are getting followed properly.
In the end, a management review is involved to check if all the requirements of the standard are fulfilled or not, and if the audits are carried out properly to ensure the correct actions and implemented improvements are made or not.
External audits are done by the certification bodies to gain the certification or maintain the certification.
What’s involved in an external ISO 27001 audit?
In the external audits, the processes are similar to the internal audits but with the difference of them being that the review in performed by a certifying body that is external to the entity that is implementing ISO 27001.
These external auditors also known as the certification bodies, will provide a plan for the audit, which then needs to be confirmed by the organization, and then the time, date, and location will be agreed upon.
After performing their audit, the auditor will recommend a Certification if there are no major shortcomings observed. However, if he identifies missing controls that are material in nature, then the entity has to address these and send evidence to the auditor for his assurance and once he is satisfied with the controls, the ISO 27001 certification is granted by the Certification Body.