ISO/IEC 27001 – What is it and why your organization should care!
Data security is an ever-increasing concern for the industry, and one of the best ways to prove your commitment to keeping your clients’ and partners’ information safe is to get certified against ISO/IEC 27001! Today we’ll dive into what it is, why it matters and how you can begin your journey to a more secure enterprise!
We’ve harped on plenty about the various dangers there are on the web, and how much they can cost you! Last week we had one of our colleagues tell us about his personal experience with the clean desk policy. And if you didn’t know, it is one of the ISO/IEC 27k standards/policies, set by the “International Electrotechnical Commission” (IEC for short) and the “International Organization for Standardization” (or ISO).
In the industry, though, whenever someone mentions ISO for information security, they are talking about the “27001” certification specifically. Achieving it gives you some guarantees that you won’t go under due to an unexpected data breach.
Data breaches are becoming commonplace, even a daily occurrence; hence businesses must adopt a “when, not if” mentality when it comes to cybersecurity.
And that is what we’ll try to explain today to those who might not entirely understand what it is and why they need it. And boy’o’boy do you need it! But more about that later; first things first – What is ISO/IEC 27001?
What are ISMS and ISO/IEC 27001?
In lay terms, ISO/IEC 27001 is simply a set of guidelines and rules an organization must adopt to create an effective ISMS – Information Security Management System.
In turn, an ISMS is a collection of people, processes and technology that governs how information is protected within your company. Much like an HRMS, it’s an entire system with a complex structure.
An ISMS that conforms to the ISO/IEC 27001 guidelines ensures compliance with a host of laws like the European GDPR (General Data Protection Regulation) and NIS (Network and Information Systems) regulations.
ISO/IEC 27001 is part of a series of standards, numbered from 27000 to 27799, though the collection consists of roughly 60+ standards and documents, not thousands.
They range from ISO/IEC 27000, which simply states: Information technology – Security techniques – Information security management systems – Overview and Technology, to ISO/IEC 27037 – Guidelines for identification, collection, acquisition and preservation of digital evidence, and all the way to cybersecurity forensics for court hearings on cybercrime.
ISO/IEC 27001 applies to all organizations, irrespective of their size, nature, or type. It is the mainstay of the 27k series, which together supply a globally recognized framework for best practices in information security. It is important to note that 27001 merely provides the specifications, or requirements, for an ISMS, whereas ISO/IEC 27002 gives us the rules of conduct, code and recommended best practices themselves.
However, the key takeaway about the ISO/IEC 27001 standard should still be risk management and recovery, not complete prevention.
ISO/IEC 27001 Certification Overview – Clauses and Annex A
Before we discuss the overview of ISO/IEC 27001 and give a few comments, let’s define what a “control” means in the scope of Information Security Management.
A security control is any administrative, managerial, technical, or legal method that is used to modify or manage information security risk.
A control can include things like processes, best practices, policies, tools, procedures, techniques, technology, organization structure and everything in between. A control can also be called a countermeasure or safeguard.
ISO/IEC 27001 consists of the main ISMS part, which holds clauses 1-10, and Annex A, a list of controls that elaborate on and work out the specifics. Annex A has 114 controls spread out over 14 groups.
The ISMS is the overarching framework that sets up the organization’s planning, analysis, and later implementation phases.
Following are the “ISMS part” and “Annex A” – in essence, think of these as the “expected” things you must have within your ISMS when you’re being audited for your certificate.
ISO/IEC 27001 summarized – Clauses 4-10
The first three clauses of the document simply define the scope of the document, how it’s referenced, and terminology. The really important parts are clauses 4 to 10; those are:
Clause 4. Context of the organization and ISMS
This is the first thing you must do when implementing your ISMS and defining its scope. Here you’ll find questions like: Who are the stakeholders, internal and external? What is the mission of your enterprise? Are there any regulatory requirements? What are the needs and expectations of your business? What assets and resources are available? etc.
Essentially, it means seeing your business as it is and documenting it thoroughly!
Clause 5. Leadership requirements
As we’ve said multiple times, change must always come from and to the leadership first and foremost – top to bottom!
Here we have outlined all the requirements your leadership must meet. There must be a clear commitment to the ISMS from the board of directors down to the team leaders and managers. They all must show their utmost dedication to information security management and regulations.
The guidelines also demand that all roles essential to the ISMS are assigned correctly and clearly documented – who’s the CISO, do you have an information risk council, data protection officers, internal auditors, etc.
Clause 6. Planning – risk assessment and treatment planning
Here we define the process of identifying and analysing information risks and planning their treatment, and clarify the main objectives of our ISMS. Determine what risks and opportunities may influence the effectiveness of your ISMS or disrupt its operations.
Clause 7. Support for your ISMS
All the resources that your ISMS may need must be clearly identified and adequately assigned, awareness raised, documentation prepared, and everyone must be aware of its location and scope. Here you’ll also find clauses governing the determination and supply of external support or competence assurances for your staff.
Some of these are simple questions – is everyone being trained correctly, do they know what to do and what not to do, etc.
Clause 8. Operational requirements
This clause is about defining your ISMS operations and processes in detail. Here you establish the procedures you and your business must follow to achieve the ISMS goals defined earlier.
Here we’ll also find requirements for regular risk assessments and risk treatment implementation according to the guidelines found in clause 6.
Clause 9. Evaluation
Monitor, measure, analyse and evaluate/review the ISMS controls, processes, procedures, and systems, and define how to do it.
Possibly one of the most important things external auditors will pay attention to is whether the company is committed to continuous improvement and self-evaluation.
Clause 10. Improvement
Address and act upon the information gathered under clause 9; essentially, this clause governs the continuous refinement of your ISMS.
ISO/IEC 27001 summarized – Annex A – 114 Controls
Annex A is a set of controls and their objectives in the scope of the ISMS. There are a total of 114 controls, broken into 14 groups, which we’ll be discussing now.
We have already discussed some parts pertaining to asset management, physical security and clearances in another piece in a bit more detail.
But back on topic: think of these as your ISMS cookbook. They are examples of risks, best practices, and guides for when you’re setting up. They are, however, not a “requirement” an auditor will examine.
Some of these groups are relatively small, with a few controls, while others are comparatively massive.
Remember, however, that these are massive documents, each with elaborate descriptions of procedures and processes, or examples. We’re merely giving an overview/comment on each group rather than a step-by-step guide on how to achieve them.
A.5. Information Security Policies
This section is all about your policies; you don’t really have a program to enforce and govern without a policy. A policy is a documented way of dealing with a certain area of your ISMS; it explains the procedures and how they are organized.
A.6. Organization of Information Security
A.6 sets up the internal ISMS structure of your organization, distributing the correct roles and responsibilities, and establishing and maintaining contact with all relevant external authorities. This again is more of a guideline for your planning.
A.7. Human Resource Security
ISO looks at human resources through a three-stage overview in regard to its controls: prior to employment, during employment and post-employment.
Prior to employment, it demands thorough security background checks on your employees, as well as an airtight contract.
During employment, it means enforcing correct onboarding policies, disciplinary processes for security breaches, and constant maintenance of security awareness programs.
And finally, the post-employment phase takes care of correct procedures during offboarding and other security issues when revoking access.
A.8. Asset Management
Assets are anything from an employee’s laptop to a network device, to a server that runs your application. There are a dozen controls in place governing correct procedures regarding the storage, maintenance, and access of these things.
A.9. Access Control
These controls govern appropriate access levels for employees and various staff, both physically and virtually. There are multiple requirements for multi-factor authentication procedures, registration processes, user privileges, etc.
A.10. Cryptography
Pretty much any business that has anything to do with the IT industry or any network device uses cryptography. The controls that we find here govern the proper policies on the use of cryptographic controls and on key management:
how encryption keys are handled in day-to-day operation, during transit, or if they are compromised.
A.11. Physical and Environmental Security
Herein lie controls governing proper procedure regarding your office’s physical security. There is an overlap with A.9; however, there it’s more about documentation at the logical level. A.11 demands proper controls on your physical servers, offices, cubicles, work areas, equipment protection and storage, among many other things.
Think of this as locked cabinets for your devices, climate control for your server rooms, fire suppression systems, door access via retinal or fingerprint scanners, and everything in between.
A.12. Operational Security
This, alongside A.11, is one of the two largest and most extensive lists of controls out of all the groups.
In operational security you’ll find controls governing proper procedure development, capacity planning, separation of operational environments, anti-malware requirements, data backup regulations, logging facilities, installation rules, and generally a huge list of other regulations and guidelines.
A.13. Communication Security
Network security! This section is all about preventing man-in-the-middle attacks and making sure you’re transmitting your data in a secured fashion.
Here, surprisingly, we also find the non-disclosure agreement (NDA) requirements.
A.14. System Acquisition, Development and Maintenance
This section contains controls regarding your software development procedures, which project management frameworks you use and how you treat your CI/CD cycles. Essentially, one of the most important parts of ISO/IEC 27001 for any software developer is contained in section A.14.
An important note, however: because the latest ISO/IEC 27001 was released in 2013, some of the guidelines outlined in A.14, especially those regarding project management, are primarily waterfall-based and not really optimized for DevOps/Agile… though there are some addendums made in 2017 which rectify some problems, and there are talks of a major revision by 2023.
A.15. Supplier Relationship
If your business is not reliant on external suppliers, this section can be largely ignored; however, because ISO/IEC 27001 is designed for any type of business, here you can find proper security regulations concerning supply chain security, vendor risk management, and agreements between everyone in the loop.
A.16. ISMS Incident Management
This section contains controls regarding your incident report management. These incidents are called “SEVs” in the industry; we’ve touched upon SEVs and their importance previously, and we’ll come back to this topic later.
A.16 governs proper processes for the identification of security weaknesses, reporting, and learning from those incidents.
A.17. ISMS and recovery plans
This holds controls on proper business recovery and continuity plans in case of a security incident or natural disaster. Think of this as – if things hit the fan, is your company ready to continue its operations, keep everyone safe, and report to the appropriate authorities for aid?
A.18. Compliance
This largely defines proper compliance with governmental regulations and laws. Here we have controls regarding intellectual property protection, personal privacy, record protection policies, and other legal matters.
What are the benefits of conforming to the ISO/IEC 27001?
Or simply – Why do you need a fully certified ISMS in place?
There are a number of benefits to introducing a full-fledged ISMS:
Enhanced Data Security
One of the most obvious benefits is right there in the name: increased data security. By introducing an ISMS with the regulations required to achieve full certification, you ensure your enterprise is adequately protected, both from software attacks and from “human error” threats.
Even if you’re happy with the level of your data security, your potential clients might not be as confident.
Multiple market surveys show an ever-increasing demand from businesses to work with ISO-certified companies. The same goes for your customers: knowing that their data is safe with your company is incredibly important, and ignoring this fact not only affects new leads but can also lead to an increased churn rate.
Increased Attack Resilience
We’ve discussed how setting up a proper “disaster recovery plan” is paramount to reducing downtime costs. An established ISMS not only potentially protects from ransomware attacks but also ensures there are procedures in place in case (or rather, when) some sort of data breach happens.
Ever evolving cyberthreat protection
The world of cyber-warfare is an ever-changing landscape of frightening innovation, which is why guaranteeing 100% security is impossible. Zero-day attacks happen with increasing frequency; however, compliance with ISO/IEC 27001 ensures the best odds of keeping up with the curve.
Optimized Costs of Cybersecurity
Data breaches happen: 1 in 10 malware samples passes unnoticed by all the anti-virus software out there. Hence, there are almost guaranteed costs incurred due to data breaches.
An ISMS minimizes these costs, and thanks to its “best practices” there are proven, highly effective, cost-efficient ways to keep your business safe!
Sadly, however, many businesses disregard the costs incurred by data breaches, and only after things hit the fan do they really start thinking about the security budget…
Make CyberSec a part of “business as usual”
Setting up an ISMS within your enterprise requires, and thus ensures, the overall readiness of your team to respond to and even prevent cyber-attacks. So much so that, eventually, keeping your data safe becomes second nature to everyone.
Government Regulatory Compliance
Aside from the European GDPR and NIS regulations, you may be subject to various rules and regulations from other sources. Most, if not all, of them however recognize the ISO/IEC 27001 regulations. By being certified you’re sure you can pass any data security audit from either clients or the government.
We’ve said it previously: the cyber threat, or the hacker-geddon, is upon us. According to a study, the predicted collective costs of various cyberattacks will reach $6 trillion by the end of 2021. And this number is only predicted to grow and grow.
This, logically, demands an increase in CyberSec spending and even a harshening of government laws and fines concerning digital information safety.
How do you get certified for ISO/IEC 27001? What do you need?
This all begs the question: how exactly do you get certified?
Well, if you have been diligently preparing your ISMS implementation process according to the ISO/IEC 27001 standard, you’re already halfway there with your documentation.
If you’re an existing business implementing an ISMS, it gets a bit trickier. Here’s the list of documents that are mandatory for ISO/IEC 27001:2013:
- Scope of the Information Security Management System (ISMS) – clause 4.3
- Information security policy – clause 5.2
- Information security objectives – clause 6.2
- Risk assessment process – clause 6.1.2
- Risk treatment process – clause 6.1.3
- Statement of Applicability for controls in Annex A – clause 6.1.3 d)
- Risk treatment plan – clause 6.1.3 e)
- Risk assessment report – clause 8.2
- Definition of security roles and responsibilities (should be in the employment agreement) – clause A.7.1.2
- Inventory of assets – clause A.8.1.1
- Acceptable use of assets – clause A.8.1.3
- Access control policy – clause A.9.1.1
- Operating procedures for information security – clause A.12.1.1
- Incident management procedure – clause A.16.1.5
- Business continuity strategy & procedures – clause A.17.1
- Statutory, regulatory, and contractual requirements – clause A.18.1.1
These are just the mandatory ones; there’s a whole massive list of additional documentation that is welcome.
There are various audit companies with officially certified auditors available; once you find one that fits your budget, the audit itself can begin.
Certification for ISO/IEC 27001 is a four-step process. The steps are:
Planning and Scope
The auditor must understand the scope of your enterprise and will also plan the Stage 1 audit timeframe.
Documents required: ISO/IEC 27001 Application letter.
Stage 1 Audit
The auditor will go over the documentation, examine “high risk” items, and assess whether the company is ready for the Stage 2 phase. This typically takes from one or two days up to a week, on-site or remotely, depending on the auditor.
Documents required: ISMS, Information Security Policies, Risk Assessments, Internal Audits.
Stage 2 Audit
This is the most intrusive and thorough examination: the auditor will go over every piece of documentation and examine your team and premises. This process typically takes at least a week, or even a month, on-site.
Documents required: you and your team will be required to provide all the documentation and full access to your enterprise’s security and information. Typically, between 100 and 150 “artefacts” are required.
Annual Surveillance and Final Certification
The final stage is the continual review and examination by the auditor, typically on a yearly cycle, which must be kept up for at least 3 years before full certification is granted.
And that about does it as a “short” introduction into peculiarities and specifics of ISO/IEC 27001 certification.
Of course, the certification is by no means mandatory, but it remains a growing trend, with the number of certified companies growing by 18% in 2019, which shows consistent growth throughout the years.
And the number of clients/partners that require companies to uphold high standards of information security is likewise growing.
But before you go, tell us what was the incident that pushed you or your organization to seek ISO certification?
Stay classy business and tech nerds!