In an era where data is the lifeblood of organisations, safeguarding sensitive information has never been more crucial. ISO 27001 is a guiding light for organisations navigating the intricate landscape of information security.
Originating from the International Organisation for Standardisation (ISO), this framework provides a systematic approach to managing and protecting valuable data assets. From confidential customer information to proprietary organisation processes, ISO 27001 offers a structured methodology to identify, assess, and mitigate risks associated with information security.
This guide explores why ISO 27001 is needed, the steps involved in achieving ISO 27001 certification, and what the future holds for organisations planning to become certified in 2024.
Why is ISO 27001 certification needed?
Although ISO 27001 certification is not a legal requirement, doing so fortifies an organisation's defences and unlocks a myriad of benefits that extend far beyond mere compliance. These include:
Organisation growth and continuity - Security breaches can bring organisations to a standstill. The ISO 27001 standard helps organisations identify vulnerabilities and assess risks to put policies and controls in place before they cause damage. Ultimately, this ensures business continuity.
Better reputation and competitive advantage - Organisations want to partner with companies that take security seriously, and ISO 27001 demonstrates that commitment to security. If a client is trying to decide between two similar competitors, they will likely choose to work with the one that’s ISO 27001 certified.
Enables compliance with legal, contractual, and regulatory requirements - This standard is designed to ensure adequate security measures and controls are taken to keep data secure. These controls help organisations keep in line with ever-evolving regulations such as the General Data Protection Regulation (GDPR) and the Network and Information Systems (NIS2) Regulations.
How can ISO 27001 certification be achieved?
The path to ISO 27001 certification is a structured journey that ensures a methodical approach to identifying, implementing, and auditing the necessary controls. From the initial analysis to the final certification audit, each stage is pivotal in establishing a resilient security management system.
Step 1: Management support and scope
Up-front support from top management is crucial when striving for ISO 27001 certification. Although ISO 27001 is an information security management system, its impact extends well beyond technology, requiring awareness and support from the broader organisation. Once the scope for certification has been decided, long-term leadership and commitment to the project are essential.
Step 2: Carry out an analysis
The next step is to conduct an analysis to determine which requirements and controls within ISO 27001 apply to the organisation becoming certified. At LRQA Nettitude, we carry out this analysis on behalf of our clients, but organisations can also perform the analysis internally.
Step 3: Implementation roadmap
If our experts have conducted the analysis, they will then create an implementation roadmap. This roadmap details exactly which policies and processes need to be developed and implemented by the organisation.
Step 4: Perform a risk assessment
Understanding the risks your organisation faces is a pivotal element of ISO 27001. LRQA Nettitude helps our clients identify their key information assets and assess risks associated with them. The next step is to evaluate those risks and determine whether they are acceptable or should be mitigated in some way.
Step 5: Complete a statement of applicability
Once the roadmap is completed, the next step is to create a statement of applicability. This is a list of the controls within ISO 27001 that are applicable to the organisation. It should detail the selected controls and offer justification for choosing or excluding them.
Step 6: Implement policies and controls
Upon completion of the Statement of Applicability, the next stage is to implement the necessary policies and processes. These policies and processes should adhere to the controls detailed in the Statement of Applicability. Once introduced, they should be tested and tweaked regularly until they are ironclad and meet every control.
Step 7: Organise an internal audit
After all policies and processes are in full effect, the next step is to organise an internal audit. This audit checks that every policy and process implemented meets the relevant requirements laid out by ISO 27001. When the audit is completed, if found, any issues identified can be rectified. If the organisation passes the audit, an external audit can be booked.
Step 8: Book an audit from a UKAS-accredited body
It is recommended that the certification audit and subsequent surveillance audits be conducted by a UKAS-accredited certification body. During the audit, an auditor will review:
-
The ISMS to ensure it meets the standard’s requirements.
-
The organisation’s information requirements and objectives for the ISMS.
-
The policies, processes, and other controls for practicality and efficiency.
If the organisation passes this audit, it will receive its ISO 27001 certification.
Step 9: Retain the certification
Once certified, the UKAS-Accredited Body will carry out surveillance audits after years one and two to ensure the requirements laid out by ISO 27001 are being adhered to. If any issues are raised by the auditor during these surveillance audits, the organisation will have plenty of time to fix these issues before the next audit. After three years, companies are required to recertify for ISO 27001.
Looking ahead to ISO 27001:2022
The current version of ISO 27001 is from 2013, but the 2022 version will be coming into full effect as of April 2024.
If an organisation is being audited before April 2024, they will be tested against the current 2013 standard unless their mapping and transition to the 2022 standard is already completed. If organisations are actively working toward certification against the current 2013 standard but will not be ready to be audited before April 2024, there’s no need to panic.
The main differences between the two are the number of controls being reduced from 114 to 93, and the 14 clauses becoming four main themes. These include:
-
People
-
Organisational
-
Technological
-
Operational
Additionally, eleven new controls have been added to the ISO 27001 document. These controls include:
Threat intelligence (5.7): This requires companies to collect and analyse information relating to information security threats.
Information security for use of cloud services (5.23): This requires companies to specify and manage information security for the use of cloud services.
ICT readiness for organisation continuity (5.30): This requires companies to create an ICT continuity plan to maintain operational resilience.
Physical security monitoring (7.4): This requires companies to detect and prevent external and internal intruders by deploying suitable surveillance tools.
Configuration management (8.9): This requires companies to establish policies to manage how they document, implement, monitor, and review the use of configurations across their entire network.
Information deletion (8.10): This provides guidance on how to manage data deletion to comply with laws and regulations.
Data masking (8.11): This provides data masking techniques for personal identifiable information (PII) to comply with laws and regulations.
Data leakage protection (8.12): This requires companies to implement technical measures that detect and prevent the disclosure and/or extraction of information.
Monitoring activities (8.16): This offers guidance on improving network monitoring activities to identify anomalous behaviour and address security events and incidents.
Web filtering (8.23): This requires companies to enforce access controls and measures to restrict and control access to external websites.
Secure coding (8.28): This requires companies to follow secure coding principles to prevent vulnerabilities caused by poor coding methods.
Do you need support becoming ISO 27001 certified?
We understand that being certified isn’t always a simple task; especially when a new standard of ISO 27001 has been introduced. Therefore, if you need some assistance gaining your certification against the new standards, we offer an ISO 27001:2022 transition service.
One of our Lead Auditors will take your existing ISMS and map them over to the new standard, presenting all findings and recommendations through a collaborative engagement. Simply get in touch with our team today.