ISO 27001 Certification: Understanding the Basics

1. What is ISO 27001 Certification

ISO 27001:2013 is the international standard for managing information security, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Organizations use certification against it to demonstrate the effectiveness of their security program to customers and prospects.

2. What are the ISO 27001 requirements?

ISO 27001 contains the requirements for the governance framework of the information security program in Clauses 4 through 10. Annex A of ISO 27001:2013 then lists 14 control domains, broken down into 35 control objectives and a total of 114 controls designed to meet those objectives; detailed guidance on how to implement each control is found in ISO 27002:2013. Note that the Annex A controls are not a mandatory checklist: Clause 6.1.3 requires you to select controls based on your risk assessment and to justify any exclusions in a Statement of Applicability, which the certification body will review.

You can read a detailed framework breakdown, including typical policy and technical requirements, in our ISO 27001 whitepaper.

3. Do I need to achieve ISO 27001 certification?

There is no general regulatory requirement to achieve ISO 27001 certification, but your organization may have contractual requirements to do so. Typically, an organization elects to pursue ISO 27001 certification for one or more of the following reasons:

  • Reason 1: The organization wants to improve its overall security posture.
  • Reason 2: A prospect or client requires it in a contractual agreement.
  • Reason 3: Prospective clients ask about security or formal certification during the sales cycle.
  • Reason 4: The organization is over-burdened with security questionnaires or customer audits.

4. What does ISO 27001 certified mean?

To be ISO 27001 certified means that an entity has engaged an accredited certification body (CB) and undergone an assessment that resulted in its management system (the ISMS) being certified. Note that ISO itself neither certifies organizations nor accredits CBs; CBs are accredited by national accreditation bodies such as ANAB in the United States.

5. Who does ISO 27001 apply to?

ISO 27001 has long been the dominant information security standard outside the United States, and over the past ten years it has increasingly been pursued by business-to-business service providers in the United States as well. Its main use is to prove a minimum level of security maturity. The profile of a company pursuing ISO 27001 in the United States is typically one that offers a Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or Infrastructure-as-a-Service (IaaS) solution.

6. How do I get ISO 27001 certified?

The journey to ISO 27001 certification typically involves two steps: implementation and certification.

To implement ISO 27001 you may choose to engage a firm like risk3sixty to help build an ISO 27001 compliant program. This typically consists of program elements such as establishing a governance structure, a risk management program, policies and procedures, and implementing the technical controls selected through the risk assessment.

To get ISO 27001 certified you must engage an accredited certification body (CB) and go through a Stage 1 and a Stage 2 audit. The Stage 1 audit determines the organization's readiness for Stage 2 and is largely a documentation review and interview-based audit. The Stage 2 audit evaluates the implementation and effectiveness of the organization's management system through documentation review, interviews, site inspection and controls testing. Following the Stage 2 audit, and the remediation of any nonconformities, the CB can issue an ISO 27001 certificate.

You can read our detailed whitepaper on the ISO certification process. You can also watch a short video on the ISO 27001 certification process.

7. How often are ISO 27001 audits performed?

Year 1
ISO 27001 certification runs on a three-year cycle with an audit every year: year one consists of the Stage 1 and Stage 2 audits, and years two and three consist of 'surveillance audits'. The Stage 1 audit is only performed during the entity's initial pursuit of certification. The Stage 2 audit is generally conducted one to three months after completion of the Stage 1 audit.

Years 2 and 3 Surveillance Audits
Each surveillance audit covers roughly one-third of the full scope of controls. In year four the certificate expires and a full recertification audit, comparable in scope to the Stage 2 audit, is performed; the three-year cycle then repeats.

8. How long does it take to get ISO 27001 certified?

Between readiness work, implementation of the ISO controls and documentation development, we generally suggest planning for six to nine months of readiness activities, followed by the Stage 1 and Stage 2 audits. In general, plan for nine months to one year from a standing start to certificate in hand.

9. Who can perform ISO 27001 certification assessments?

Only an accredited certification body (CB) can certify an organization against ISO 27001. CBs are accredited by national accreditation bodies; the most widely used in the United States is ANAB. You can review a list of ANAB accredited certification bodies.

risk3sixty has partnerships with many of the top CBs in the United States and globally. During our implementation process we work directly with your team and the certification body to ensure a smooth audit experience.

10. Are there any other recurring costs besides the annual audits?

Yes. There are two additional costs your organization should plan for beyond the certification audits themselves:

Internal Audit
Clause 9.2 of ISO 27001 requires internal audits of the ISMS at planned intervals, which in practice means at least annually. The standard requires the audit to be objective and impartial, so the auditor must be independent of the function being audited; as a result most organizations engage a third party, like risk3sixty. The CB will review the internal audit results and the resulting corrective actions at each surveillance and recertification audit.

Penetration Testing
ISO 27001 does not name penetration testing explicitly, but Annex A controls such as A.12.6.1 (management of technical vulnerabilities) and A.18.2.3 (technical compliance review) are in practice evidenced by an annual penetration test, and certification bodies expect to see one. Cost and effort vary widely with the number of systems in scope and the overall complexity of your environment. The test should be performed by individuals independent of the area under review who have the appropriate skills and experience, and its scope should cover the systems within the ISMS scope defined under Clause 4.3. Most organizations satisfy this by engaging a third-party firm, such as risk3sixty.

11. What about Privacy? Enter ISO 27701.

ISO 27701 is a privacy extension to ISO 27001:2013 and ISO 27002:2013 that serves as a standard for managing information privacy. It deals with the requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS) and is frequently used to demonstrate the effectiveness of a company's privacy program to its customers and prospects. Because it is an extension rather than a standalone standard, an organization must hold, or pursue alongside it, an ISO 27001 certification in order to be certified against ISO 27701.

ISO 27701 is not a formal certification mechanism under the General Data Protection Regulation (GDPR), the EU regulation governing the collection and processing of personal data, but it is widely used to help organizations evaluate and report on their GDPR compliance, and the standard itself includes a mapping of its controls to GDPR articles.

You can read more about ISO 27701 in our whitepapers.
