For various reasons, ISO certification is increasingly being considered by US-based organizations seeking to demonstrate their information security acumen to customers and business partners. In most cases, these organizations have already achieved one or more certifications and/or attestations and are simply looking to further bolster their organizational credentials and satisfy any inquiring third parties. While commendable, the effort can be hindered by thinking that ISO is just one more security framework against which existing policies, procedures, and controls can be mapped. The simple truth is that if you think success in other compliance endeavors provides some assurance of ISO certification, you need to think again.
For any organization considering ISO certification, LBMC is here to answer common questions, dispel common myths, and, most importantly, equip readers with valuable information for initiating a successful ISO certification journey.
What is ISO 27001?
ISO, the International Organization for Standardization (the name is not an acronym, which is why it is so often mislabeled the "International Standards Organization"), is an independent body with the objective of publishing standards for any organization, irrespective of industry, to follow. As defined on its website, a standard is "a formula that describes the best way of doing something." These include quality and environmental management standards, health and safety standards, food safety standards and, of course, information security standards. Standards are published in numbered series, and each series contains multiple individual documents that pertain to some aspect of the subject matter. In most cases, the "01" document in each series, e.g. 9001, 14001, 27001, is the standard against which organizations can be certified. The other documents in the series support that certification standard with vocabulary, implementation guidance, and audit guidance.
The ISO 27000 series is the established series for Information Security Management Systems. Management systems are the policies, procedures, and resources implemented to preserve confidentiality, integrity, and availability of information. The 27001 standard, ISO/IEC 27001:2013 at time of writing, is the standard against which organizations can be certified. This ISO certification demonstrates to interested parties an organization’s dedication to effectively managing risk and the security of critical information systems.
Incidentally, IEC in the document title refers to the International Electrotechnical Commission, a similar standards organization that contributes to ISO standards involving technical activities.
Why is ISO 27001 important?
While US-based organizations are subject to a number of industry and regulatory frameworks that guide cybersecurity and compliance efforts, ISO 27001 is the de facto information security standard outside the US. For organizations engaging customers and other business relationships outside the US, ISO certification is commonly expected to demonstrate an organization’s commitment to effective risk management and information security. The core of the ISO standard is the establishment of a formal management structure around the ISMS to ensure its continual effectiveness. This effectiveness must be demonstrated to earn and maintain certification. ISO is not a “checkbox security” framework.
Organizations frequently leverage the Information Security Management System established for ISO certification to manage other compliance initiatives such as SOC, PCI, and HITRUST. For example, while they are conducting their annual ISO internal audit, they take the opportunity to validate whether controls are still meeting the requirements of other compliance standards. Then, as part of the management review program for ISO certification, they take the opportunity to review their other compliance programs to identify changes in scope, changes in the risk or threat landscape, and any associated internal audit findings. For security managers seeking approval from upper management to pursue ISO certification, this is an effective tool to justify the resources needed to establish and maintain an ISO compliance program.
What are the ISO 27001 requirements?
ISO standard documents follow a common format whereby content is divided into numbered clauses. Clauses define the scope of a given standard, provide references to other supporting or dependent standards, define terms and definitions used in the standard, and establish requirements or expectations of the standard. Standards often include annexes or appendices providing supporting guidelines for requirements and expectations contained in the preceding clauses.
The ISO/IEC 27001:2013 standard consists of a main body, whose numbered clauses 4 through 10 contain the mandatory requirements, and Annex A, which lists 114 controls grouped into 14 domains. The clauses establish the foundational elements of the information security management system (ISMS) that the organization must have in place to manage risk and secure information, and, unlike the Annex A controls, none of them may be excluded by an organization claiming conformity. These requirements are unique to the ISO 27001 standard. Unlike other information security compliance frameworks, the clauses establish requirements for ongoing direction and oversight of the ISMS: organizational risk assessment and risk treatment, regular executive management review of the ISMS, internal audit of the ISMS at planned intervals (in practice, at least annually), and ongoing monitoring and measurement of the effectiveness of security controls.
Annex A, the second half of the standard, lists the ISO 27001 control objectives and controls. These will be more familiar to information security practitioners in that they are the tactical measures an organization uses to treat security risks and threats: access control and authentication, logging, cryptography, incident management, supplier relationships, and other control categories that organizations implement as part of their various security and compliance initiatives. Unlike some cybersecurity frameworks, ISO control requirements are not prescriptive. In other words, ISO 27001 does not establish minimum password settings, log retention periods, or cryptographic key lengths. Instead, ISO establishes the controls that must be considered by the organization. The organization then determines which controls are applicable to its environment and sufficient to treat the identified risks, and records that decision, with a justification for every inclusion and exclusion, in the Statement of Applicability required by clause 6.1.3. The auditor's role, therefore, is to determine whether the selected controls are implemented as defined, whether they sufficiently address the risks for which they are implemented, and whether each exclusion in the Statement of Applicability is justified.
Is ISO 27001 a legal requirement?
ISO 27001 is not a legal requirement per se. Organizations may, however, establish contractual obligations for earning and/or maintaining ISO 27001 certification as part of their business relationships. ISO 27001 certification may also be used by an organization, and accepted by its customers and regulators, as a means to demonstrate adherence to industry and regulatory information security requirements.
What three aspects of information does ISO 27001 focus on?
While an organization’s ISMS addresses the security of multiple aspects of the organization’s hardware, software, and data assets, the ISO 27001 standard is focused on the confidentiality, integrity, and availability of information.
- Confidentiality is the protection of information from unauthorized access.
- Integrity is the protection of information from unauthorized modification.
- Availability is the assurance that information is accessible as needed.
The end result of achieving ISO 27001 certification is that an organization can assure its customers, business partners, and other interested parties that the risks to information for which it is responsible have been identified, treated to a level the organization has formally accepted, and kept under review by a management system that an independent auditor has verified. Certification is not a guarantee that the information cannot be compromised; it is evidence that the organization manages that risk deliberately and continually.
What are the current ISO 27001 standards?
ISO/IEC 27001:2013 is one of many standards and supporting documents in the 27000 series for Information Security Management Systems. While there are several associated guidelines and supporting documents in the 27000 series, 27001 is presently the only standard in the series against which an organization can be certified.
How do you get ISO 27001 certified?
Organizations must be audited by an independent third party. Any audit firm can issue a document it calls a certificate, so it is recommended to engage a Certification Body accredited for ISO/IEC 27001 by a national accreditation body (UKAS in the UK and ANAB in the US are common examples). Accredited Certification Bodies are themselves subject to regular independent assessment against ISO/IEC 17021-1 and ISO/IEC 27006 to validate that they are competent and impartial. This provides assurance to the organization, and to any interested parties, that the audit was conducted and the certificate issued in accordance with the associated ISO standards. A practical check for anyone receiving a certificate: it should carry the accreditation body's mark, the Certification Body's accreditation status can be verified with that accreditation body, and the certificate and its scope can be verified with the Certification Body that issued it.
To successfully pass an initial ISO 27001 certification audit, an organization must demonstrate that its ISMS is fully implemented and effective. To do this, the organization will need to have implemented every requirement in clauses 4 through 10 and every Annex A control it has declared applicable in its Statement of Applicability. To demonstrate effectiveness, ISO auditors will commonly look for evidence of a full iteration of the PDCA (Plan-Do-Check-Act) cycle: a completed risk assessment and risk treatment plan, controls in operation with records to show it, at least one internal audit, and at least one management review with the resulting corrective actions. The initial certification audit is conducted in two stages, a Stage 1 review of the ISMS documentation and readiness followed by a Stage 2 audit of implementation and effectiveness; the certificate is then valid for three years, with surveillance audits in between and a recertification audit at the end of the cycle. For mature organizations with ISMS components and controls already well-established, preparing for initial certification may take as little as four to six months. For others, a minimum of one year may be necessary to establish the ISMS and associated controls and be ready for the initial certification audit.
Due to the significant effort needed to prepare for the initial audit, many organizations engage a third party to assist with establishing their ISMS. Third parties may simply oversee and provide guidance while the organization implements its ISMS, or they may become fully or partially involved in the implementation itself. Regardless of how involved they are, a third party who provides implementation assistance should not and, under the impartiality rules some accreditors impose, cannot also conduct the organization's certification audits. This avoids a conflict of interest between the entity that built the ISMS and the entity that audits it.
Brian Willis, CISSP, CCSK, PCI QSA, ISO 27001 Senior Lead Auditor, is a Senior Manager in the information security department at LBMC, PC. He can be reached at brian.willis@LBMC.com or (615) 309-2607.