Undertaking certification against ISO27001 Information Security Management Systems

Rod Staines
6 min read · Dec 28, 2020

So you’re considering becoming certified against ISO27001:2013, Information Security Management Systems? Congratulations!

A cliché image to represent data, information and security

Likely due to an increase in discovered or reported data breaches over recent years, clients (customers and users alike) have become more aware of how personal information, business and transactional data is stored and managed within systems and applications. As a result of this awareness, their expectations of the organisations they interact with have also increased.

Being in a B2B environment, it’s becoming more common for information security questioning to form part of a prospect’s due diligence. Although it can sometimes be frustrating (because they’re all asking the same questions), in my opinion, this shows the maturity of the organisation we’re about to enter into a relationship with.

Certification against ISO27001 demonstrates to your clients (and prospects) that you have a systematic and comprehensive approach to managing information security. The best part is, once certified you can hopefully reduce the buying cycle time as, in almost all cases, the specific questions you’re being asked can be traced back to the ISO27001 controls from Annex A.

Unfortunately, it won’t eliminate the questioning from all prospects because, although you can now point them in the direction of your wonderful new certificate and formal statements about information security, some organisations will still want your written responses to their questions. That’s okay though, because Annex A.15 of the standard is all about ‘supplier relationships’, and once again this shows the information security maturity of your new business partner.

Over the last few years in my career, I played a key project role with two different organisations as they undertook the ISO27001 certification journey. In the context of ISO27001, both organisations were essentially starting with a blank slate having no formalised documented information security management system in place.

Building a formalised system has allowed them to better protect all information assets, their customers and overall business reputation in a documented, controlled and monitored manner which ultimately drives continuous improvement for their entire system.

This article aims to explain the process and provide an idea of what your journey might be like. I’ll cover the following:

  • What is ISO27001:2013 and why bother
  • How technical the standard is
  • Where you should start
  • What documents you’ll need
  • What the overall certification journey includes

What is ISO27001:2013?

Firstly, ISO stands for ‘International Organisation for Standardisation’ which is an independent, non-governmental organisation with a membership of 165 national standards bodies. Together the members share expert knowledge to develop voluntary, consensus-based, market-relevant international standards. ISO27001:2013 is just one of those standards.

Secondly, ISO27001:2013 is part of the ISO27000 series which provides best practice recommendations on information security management within the context of an overall Information Security Management System (ISMS). The series covers privacy, confidentiality and IT technical and cybersecurity issues relevant to organisations of all sizes.

The series is flexible and encourages organisations to assess their own environment and information risks and then treat those risks using information security controls according to their overall risk appetite.

Due to the dynamic nature of information security risks, a key component of the overall standard is incorporating continuous feedback and improvement activities into the system to enable responsiveness when it comes to identified incidents, threats and vulnerabilities.

In short, ISO27001:2013 is an internationally accepted standard that aims to assist in taking a risk-based approach to building a systematic and comprehensive management system for information security.

Why bother with ISO27001?

Like other ISO management system standards, certification to ISO27001 is possible but it’s definitely not a requirement (unless one of your stakeholders says it is).

Some organisations choose to implement the standard in order to benefit from best practice, while others decide on certification to reassure customers and clients that its recommendations have been followed.

If you’re reading this article, I’m sure you already know why YOU are pursuing certification, but some other possibilities could be:

  • Being encouraged (or forced) by the Government or a Government department
  • To satisfy the request of a client or group of clients
  • Improve the marketability of your business and appeal to a wider market
  • Formalise and improve your overall business security posture

Whatever the reason, it’s important that the entire organisation is committed to the process because there will likely be significant change management exercises.

In addition to being a requirement of the standard, it’s particularly important for those in top management positions to demonstrate leadership and true commitment to the overall information security management system. Without that support, efforts made to achieve certification could all be undone at subsequent surveillance (check-in) audits.

How technical is the standard?

The standard aims to assist in taking a risk-based approach to building a systematic and comprehensive management system for information security. The keywords here are ‘management system’. It’s not completely technical and, although it would help, you don’t need to be a tech geek to work through this standard to build your own.

If you’re not a geek, for some aspects you may need to enlist the support of those who are more technical from within your organisation. Why do I say this? Well, as an example, what is cryptography and your policy on cryptographic controls and cryptographic key management? Yeah…

Don’t stress, I had no idea what this meant on my first pass. Like anything unknown, Google and Wikipedia will become your most-trusted assistant. I spent many hours on Google reading about information security and delved fairly deep into what other organisations have compiled for their management systems throughout their compliance and certification journey. Looking at what other organisations have built will definitely help you compile yours.

Where to start?

At some point, you’ll also need to grab yourself a copy of the actual standard. You could do the right thing and purchase a copy here for roughly AUD$200. Or you could use your new most-trusted assistant and find that somebody has already made one available. Or you could just click this link here.

As mentioned earlier, it’s all a risk-based approach, so depending on your risk appetite, you may just use the found copy. Just don’t tell your auditor.

I’ve also gone ahead and found you the ISO27002 here, which is the companion explainer for everything in the ISO27001 standard.

I recommend before commencing anything, start with a self-assessment against the standard. If you do a quick Google search, you will have no problems finding many organisations offering PDF self-assessment checklists. Here’s one from BSI Global.

Completing this checklist will give you a good indication of where your organisation is in the compliance/certification journey and form the basis from which you need to start. From there, it’s about building the documentation for your overall system.

What documents form the overall system?

I’d take a guess that you’re not an expert at these security things and that you’re either managing this process solo or as part of a small team. The hardest and most time-consuming part is documenting what your organisation is probably already doing.

Section 7.5 of the standard specifies that your overall system should include the documents required by the standard in addition to those your own organisation decides are necessary, but it doesn’t tell you the exact documents it requires.

Reading through the entire standard, it will become clear that certain sections, requirements or controls are likely to be their own document or share a theme with another document.

Your main document will be the Information Security Management System Manual (ISMS Manual) and as a rough guide, it’ll likely be accompanied by the following documents:

  • Statement of Applicability (Read Section 6.1.3)
  • Risk Register (information security related)
  • Information Security Policy
  • Access Control Policy
  • Acceptable Use Policy
  • Secure Development Policy
  • Incident and Corrective Actions Register

As you will see, sections 7.5.2 and 7.5.3 also outline how you should approach maintaining the integrity of these documents through appropriate access, versioning, approvals and communication. Ensure you keep these updated and current.
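Two of the documents above, the Risk Register and the Statement of Applicability, are where the risk-based approach and the document-control rules in 7.5.2/7.5.3 actually meet, and it is easy for them to drift apart between audits. The script below is an added illustration, not code from the article or from any ISO publication: it runs a small consistency check over a constructed risk register, SoA and document list, flagging risks above the (assumed) appetite that have no treatment, risks linked to controls the SoA excludes, and policy documents that are unapproved or past their review date. The 1–5 scoring scale, the appetite threshold, the field names, the Annex A identifiers used and every record are assumptions made for the example.

```python
"""Added example, not the article's code: a small integrity check over an
ISMS risk register, its Statement of Applicability (SoA) and the supporting
policy documents. All field names, the 1-5 scoring scale, the risk appetite
value, the Annex A identifiers used and the sample records are constructed
assumptions for illustration."""
from __future__ import annotations

from datetime import date

RISK_APPETITE = 8  # assumed: a score above this must be treated, not accepted
AS_OF = date(2020, 12, 28)  # assumed 'today' for the review-date check


def risk_score(likelihood: int, impact: int) -> int:
    """Assumed scale: likelihood and impact both 1..5, score is the product."""
    for value in (likelihood, impact):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and impact must be between 1 and 5")
    return likelihood * impact


def check_risk(risk: dict, soa: dict[str, bool]) -> list[str]:
    """Findings for one register entry: an owner is recorded, a risk above
    appetite has a treatment linked to controls, and every linked control is
    marked applicable in the SoA."""
    findings = []
    rid = risk["id"]
    score = risk_score(risk["likelihood"], risk["impact"])
    if not risk.get("owner"):
        findings.append(f"{rid}: no risk owner recorded")
    if score > RISK_APPETITE:
        if not risk.get("treatment"):
            findings.append(
                f"{rid}: score {score} exceeds appetite {RISK_APPETITE} but has no treatment"
            )
        elif not risk.get("controls"):
            findings.append(f"{rid}: treated risk is not linked to any Annex A control")
    for control in risk.get("controls", []):
        if not soa.get(control, False):
            findings.append(f"{rid}: references {control}, which the SoA excludes or omits")
    return findings


def check_document(doc: dict, today: date) -> list[str]:
    """Findings for one controlled document (section 7.5.2/7.5.3 hygiene):
    the current version must be approved and not past its review date."""
    findings = []
    if not doc.get("approved_by"):
        findings.append(f"{doc['title']} v{doc['version']}: not approved")
    if doc["next_review"] < today:
        findings.append(
            f"{doc['title']}: review overdue since {doc['next_review'].isoformat()}"
        )
    return findings


def audit(risks: list[dict], soa: dict[str, bool], docs: list[dict], today: date) -> list[str]:
    """Run every check and return the combined list of findings."""
    findings = []
    for risk in risks:
        findings.extend(check_risk(risk, soa))
    for doc in docs:
        findings.extend(check_document(doc, today))
    return findings


# Constructed sample data (not real records). Control identifiers are Annex A
# section numbers used only as labels here.
SOA = {"A.9": True, "A.10": False, "A.15": True}

RISKS = [
    {"id": "R-01", "owner": "CISO", "likelihood": 4, "impact": 4,
     "treatment": "Mitigate", "controls": ["A.9"]},
    {"id": "R-02", "owner": "", "likelihood": 5, "impact": 3,
     "treatment": "", "controls": []},
    {"id": "R-03", "owner": "IT Manager", "likelihood": 2, "impact": 2,
     "treatment": "", "controls": []},  # within appetite: accepted as-is
    {"id": "R-04", "owner": "Vendor Manager", "likelihood": 3, "impact": 3,
     "treatment": "Mitigate", "controls": ["A.10"]},
]

DOCS = [
    {"title": "Information Security Policy", "version": "2.1",
     "approved_by": "Managing Director", "next_review": date(2021, 6, 30)},
    {"title": "Access Control Policy", "version": "1.0",
     "approved_by": "", "next_review": date(2021, 3, 31)},
    {"title": "Acceptable Use Policy", "version": "1.3",
     "approved_by": "CISO", "next_review": date(2020, 11, 30)},
]

if __name__ == "__main__":
    for line in audit(RISKS, SOA, DOCS, AS_OF):
        print(line)
```

Run against the sample data it reports five findings: R-02 has no owner and no treatment despite scoring 15, R-04 cites a control the SoA marks as not applicable, the Access Control Policy has no approver, and the Acceptable Use Policy is overdue for review. Feeding your real register into something like this before each surveillance audit is a cheap way to catch exactly the gaps an auditor will look for.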

What is the certification journey/process?

  1. Get yourself a copy of the standard
  2. Conduct a self-audit against the standard
  3. Build your overall management system
  4. Conduct an Internal Audit (as per Section 9.2)
  5. Induct all current employees into the system
  6. Conduct a Management Review (as per Section 9.3)
  7. Engage with an auditor
  8. Undertake a Stage 1 audit
  9. Correct any non-conformances
  10. Undertake a Stage 2 certification audit
  11. 🍾 🙌 🎉 Revel in your successes 🍾 🙌 🎉
  12. Maintain compliance and the integrity of your system

Is it worth it?

Totally! The conversation has completely changed throughout our organisation. More people are information security-aware and are on the lookout for potential threats and vulnerabilities. After all is said and done, it’s our clients who benefit the most from the entire process.

Will you still need to complete those pesky information security spreadsheets? Yes! But, you’ll be much faster and better at it!

Feel free to reach out to me if you have any questions or are looking for any assistance. I’d also love to hear your comments on any of this article’s contents (or lack thereof).
