Many organizations find themselves in a position where customers are asking for an independent certification of their organization’s controls. Sometimes they are given choices – SOC 2, HITRUST, or ISO27001. While you’ll hear these terms thrown around quite a bit, many US companies have much to learn about ISO27001.
What is ISO27001?
ISO 27001 is a specification for an information security management system (ISMS) published by the International Organization for Standardization (ISO). An ISMS is a framework of policies, procedures, processes, and various technical controls that set the information security rules for an organization.
It's hard to imagine a 'good time' to receive customer requests for an independent certification of your organization's controls. However, with the right mindset, it can be a force for good. If a customer never asked for a review, you may not have found that glowing, flashing red problem hiding in the corner of the environment that, had it gone unnoticed, may have been the reason your organization's name ended up in the news.
As a security professional, I’d like to see all organizations leverage frameworks like ISO27001 to ensure that they have a properly implemented ISMS. But, like most things, frameworks and certifications vary from one to another.
Certain audits, like a SOC audit, are often easier to obtain, less expensive, and quicker to complete. These can be compelling reasons for many organizations – especially those who view an audit as “checking the box”. However, I think it’s important to note that SOC auditing standards are not a security framework and may not help your organization prevent or respond to data breaches.
Pros of ISO27001
- ISO27001 can help protect your organization’s data and reputation. Data breaches can be expensive, with hard costs such as fines, while the cost of a reputational hit is hard to measure. For a small to medium-sized business, a breach could have a huge impact.
- An ISO27001 Certification can be a competitive advantage over similar organizations that are not certified.
- ISO27001 is a globally recognized international standard for managing information security, which is important if you do business with companies outside of the United States.
I have worked with organizations that implemented an ISMS based on ISO27001 without going through the certification process, simply because they recognized the need for better security and cyber resilience. However, if you want to be certified, you’ll need to be able to show that you have defined security processes in place. You need to show who is responsible for what. You also need to demonstrate what you are doing to manage risk and how you would handle a breach if one is detected. Frankly, ISO27001 requires that you’ve given data protection the attention it deserves, and that you continue to do so on an ongoing basis.
To be certified, you must follow the certification process, which includes an assessment by an organization approved to perform ISO27001 certification, and you must also have an independent audit of your ISO27001 ISMS performed.
The ISO27001 standard has a good deal of flexibility; however, there are some hard and fast requirements:
- Define the scope of your information security management system in a statement of applicability.
- Develop security policies, procedures, and supporting processes.
- Implement a risk assessment / risk treatment process.
- Assess the skills required and the competency of your resources.
- Conduct general security awareness training and more specific role-based security training, and maintain records of both.
- Conduct audits of your information security management program (this is not the same as the actual certification assessment).
About the Author
Mark Keppler, CISSP, CISA, QSA
Information Security Leader & Advisor
Mark brings over 20 years of experience in IT risk and security, including PCI DSS compliance, risk assessment, and security frameworks such as ISO and NIST. Mark served as Chief Information Security Officer of a financial services company, where he redesigned and revamped the security program. Mark has served as the interim or virtual CISO for several organizations and holds the CISSP, CISA, PCI QSA, and ISO27001 Lead Auditor certifications.