Let’s talk about ISO 27001.
Who needs gold and other precious metals when you have information? Gigabytes and gigabytes of financial data, personal data, Intellectual Property, proprietary research, sensitive information and more.
Cyber security is just one part of managing your risk, and at the heart of putting security in place are the controls that keep your information secure.
ISO 27001 is one place you can start when you are considering the risks to your information assets and this guide covers the most common questions PGI’s Information Assurance consultants are asked.
What is ISO 27001?
ISO/IEC 27001:2013, or ISO 27001 for short, “specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization.
It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.”
Or in layman’s terms, it’s a framework to help you set up policies, processes and procedures, in a system that is repeatable within your organisation, to keep information from being read, altered or made unavailable by unauthorised persons or events (that is, to assure its confidentiality, integrity and availability).
What is the difference between ISO 27000, 27001 and 27002?
There are more than a dozen standards within the ISO/IEC 27000 family, including ISO/IEC 27001:2013 and ISO/IEC 27002:2013.
While ISO 27001 is the Standard against which you can be certified, ISO 27002 provides the in-depth, recommended implementation guidance for the controls. It covers every control, so it reads as a complete catalogue rather than a solution tailored to any one organisation.
Essentially, ISO 27002 is a best practice guide to support the implementation of an ISO 27001-compliant Information Security Management System; which of its controls you actually select is tailored to your organisation.
ISO 27001 is a flexible standard that doesn’t prescribe exactly how to implement controls, only that controls be selected and implemented in response to the risks you identify. That’s why it’s important to conduct a risk assessment: it defines what you need to implement and what the options are for responding to those risks.
This approach lets your ISMS get stronger over time, because it adapts as your business and technology environment changes.
Do I actually need ISO 27001?
Many organisations don’t need to implement an ISO 27001-compliant Information Security Management System, but in an increasingly digital world, more and more organisations are managing their digital risks by having one in place and they often expect their suppliers to be compliant, too.
Being compliant with the best-practice information security standard demonstrates to your customers and other stakeholders that you take the security of their data seriously, and makes it more likely that their information will stay safe should there be a breach or an attack.
The Statement of Applicability (SoA) lists which Annex A controls you have selected, and why, so it gives you an easy way to discuss with clients what they need and expect and to demonstrate that you’ve got it covered.
At the end of the day, most organisations already have a lot of the processes and policies they need in place. It’s just a matter of formalising them to ensure they can be consistently applied and adhered to.
How do I get ISO 27001 certification?
To achieve the certification, you will need to prove to an external auditor that you have put the appropriate security controls in place. This will usually be in the form of records and documented evidence, including:
- Scope of the ISMS
- Information security policy and objectives
- Risk assessment and risk treatment methodology
- Statement of Applicability
- Risk Treatment Plan
- Risk assessment and risk treatment report
- Definition of security roles and responsibilities
- Inventory of assets
- Acceptable use of assets
- Access control policy
- Operating procedures for IT management
- Secure system engineering principles
- Supplier security policy
- Incident management procedure
- Business continuity procedures
- Legal, regulatory, and contractual requirements
- Records of training, skills, experience and qualifications
- Monitoring and measurement of results
- Internal audit programme and results
- Results of the management review
- Non-conformities and results of corrective actions
- Logs of user activities, exceptions, and security events
What are the main challenges of implementing ISO 27001?
When it comes to implementing ISO 27001 in your organisation there may be a few challenges, including:
- Generic language that may need training or consultancy to understand.
- A focus on top-down controls can leave the company exposed to threat actors working bottom-up, so finding a balance is key.
- Near-term business goals can divert you from a more decisive strategic approach.
- Finding a balance between management discretion and keeping records of decisions, i.e. genuinely complying with a system.
- Areas where the Standard gives little direction, such as the SDLC, cloud and containers, and overlapping requirement sets such as PCI DSS, HMG/Defence and WCAG.
- The non-linearity of cyber risks: how to combine technical and business risk so that a single unpatched weakness does not become a breach, as happened at Equifax.
- The attacker-to-defender work ratio: an attacker only needs to find one gap, while the defender has to cover all of them.
- Metrics can be an issue, e.g. there is no published CVSS score for vulnerabilities in your own custom software, so you have to rate them yourself.
Engaging with a consultancy like PGI can help you navigate all of these challenges.
What are the benefits of being ISO 27001 certified?
Minimise risk to your business. By embedding ISO 27001 into your organisation, you can minimise the impacts of data breaches and cyber attacks—including substantial legal and financial liabilities, and reputational damage.
Demonstrate your commitment to keeping information secure. Many businesses opt for an ISO 27001-compliant ISMS because the framework is recognised internationally. It helps organisations manage their reputation for best-practice information security management and gives them a competitive edge, not only at home but in overseas markets.
Inspire customer trust. Being able to show compliance with the standard instils trust in customers and provides peace of mind to stakeholders, who can be sure that their information assets are handled, stored, and managed securely. This position of trust can lead to new customers and business.
ISO 27001 is a flexible framework. It has been designed to grow with your business and focuses on a system for continuous improvement.
How do I implement ISO 27001?
How your organisation implements the Standard will depend on a number of factors, starting with the scope. This step is key for defining the scale of your Information Security Management System (ISMS) and therefore your Gap Analysis, which will identify what work will need to be conducted to achieve compliance.
- Find the right people. The first step for a successful implementation is ensuring you have the right team on the job. You don’t necessarily need a consultant, but there are many benefits to having an experienced ISO 27001 implementer taking care of the process.
- Set goals and choose a methodology. Your organisation should set down goals for the ISMS and identify which risk assessment and treatment methodology it will use.
- Define the scope. The information, systems and business operations that will be managed through the ISMS and certified to ISO 27001.
- Implement your ISMS, and go through a cycle of audits, reporting and remediation to create records and evidence.
- Engage your external auditors and certifying organisation, with consultancy support through the process to certification.
How much does it cost to get certified to ISO 27001?
There is no set cost to implement an ISO 27001-compliant Information Security Management System (ISMS). The scope and scale of your ISMS will inform the cost. It’s important to note that many organisations already have a good baseline of controls in place, so taking a pragmatic approach is necessary; this ensures the implementation is relevant to the organisation and not disproportionate (i.e. the scope of your ISMS may only need to cover one element of your operations, which will keep costs down).
It’s important to remember that the maturity of your organisation will also have a bearing on the cost. You may already have a number of controls in place meaning you may not need to do much at all in that area. That is why a gap analysis should be considered when planning your implementation.
A light touch, entrepreneurial approach, in a system of continuous improvement, helps to minimise cost, while gaining experience throughout the process.
How do ISO 27001 and the GDPR fit together?
The goal of the General Data Protection Regulation (GDPR), supplemented in UK law by the Data Protection Act 2018, is to protect personal data by giving individuals in the EU more rights over how their data can be used. It also sets requirements for how organisations must process and store that data, to ensure its confidentiality, integrity and availability.
ISO 27001 is a best practice framework for managing processes, technology and people.
While complying with one will not make you automatically compliant with the other, being compliant with ISO 27001 can help you achieve GDPR requirements because they do have some overlapping goals: protecting information.
Because both GDPR and ISO 27001 require management input and thoughtful application—rather than prescriptive controls and box ticking—they align very well.
Do I need ISO 27001 compliance software?
Compliance software is not required to achieve a compliant status. It will be up to each organisation as to whether software to help them achieve and maintain compliance requirements is required.
You may, however, want to run associated software. For example, if you want to run vulnerability scans to demonstrate technical vulnerability management, or if you develop software and want test tooling to demonstrate that a system for continuous improvement is in place.
It is about having relevant and effective controls in place. Software helps greatly with automation, but be careful: it can also generate more findings than you can handle unless there is a corresponding automated remediation process. This automation of compliance checking and remediation is where the industry is moving, with tools such as InSpec and Chef and the CIS benchmarks, an approach driven by the evolution of cloud services.
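The following is an added example, not code from the original page or from PGI, of what that check-and-remediate loop looks like at its smallest: a script that audits an sshd_config against a handful of CIS-style expectations, lists the gaps as findings, and rewrites the file to close them. The expected values are an assumption for the example (check the benchmark version you are actually measured against), and the sshd_config it audits is a constructed sample, deliberately non-compliant.

```python
"""Added example (not from the page or PGI): a minimal CIS-style configuration
check with automated remediation, the pattern InSpec and Chef automate at scale.
The sshd_config below is constructed sample input, and the expected settings are
an assumption for this example."""
import re
from dataclasses import dataclass
from typing import Optional

# Expected sshd settings (assumption for the example). Integers are upper bounds,
# strings must match exactly. sshd keywords are case-insensitive, values are not.
EXPECTED = {
    "PermitRootLogin": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": 4,
    "LogLevel": "INFO",
}

# Constructed sample input: a deliberately non-compliant sshd_config.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
X11Forwarding yes
MaxAuthTries 6
LogLevel INFO
"""


@dataclass
class Finding:
    directive: str
    expected: object
    actual: Optional[str]  # None: directive absent, sshd's compiled-in default applies


def parse_sshd_config(text: str) -> dict:
    """Map lower-cased directive -> value for the FIRST occurrence of each directive,
    because that is the one sshd honours; comments and blank lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def is_compliant(expected, actual: Optional[str]) -> bool:
    if actual is None:
        return False  # absent: raise a finding rather than trusting the default
    if isinstance(expected, int):
        return actual.isdigit() and int(actual) <= expected
    return actual == expected


def check(text: str, expected=EXPECTED) -> list:
    """Return one Finding per directive that is missing or has a non-compliant value."""
    settings = parse_sshd_config(text)
    return [Finding(d, want, settings.get(d.lower()))
            for d, want in expected.items()
            if not is_compliant(want, settings.get(d.lower()))]


def remediate(text: str, findings: list) -> str:
    """Return a corrected config: every active (uncommented) occurrence of a failing
    directive is replaced with the expected value; absent directives are appended."""
    lines = text.splitlines()
    for f in findings:
        pattern = re.compile(rf"^\s*{re.escape(f.directive)}\b", re.IGNORECASE)
        new_line = f"{f.directive} {f.expected}"
        replaced = False
        for i, line in enumerate(lines):
            if pattern.match(line):
                lines[i] = new_line
                replaced = True
        if not replaced:
            lines.append(new_line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    findings = check(SAMPLE_SSHD_CONFIG)
    for f in findings:
        print(f"FAIL {f.directive}: expected {f.expected}, found {f.actual!r}")
    fixed = remediate(SAMPLE_SSHD_CONFIG, findings)
    assert check(fixed) == []
    print(fixed)
```

On the sample this reports four findings (root login permitted, empty passwords not explicitly disabled, X11 forwarding enabled, MaxAuthTries too high) and the rewritten file passes a second check. Before applying such a rewrite to a real host you would still validate the result (for sshd, `sshd -t`) and put it through change control; the point of the example is that a check that only produces findings is half a control.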
What is PGI’s approach to ISO/IEC 27001?
PGI’s approach to helping organisations implement ISO 27001 can be best described as efficient. We know that complying with the Standard and achieving certification is often not a choice and is therefore typically seen as just another cost to doing business in a digital world.
That’s why our goal is to get your organisation compliant as efficiently and cost-effectively as possible. By engaging with PGI, your team can focus on what they do best while our team do the heavy lifting.
We wrote a blog post that busts 5 of the top myths about the Standard and demonstrates our approach: ‘5 ISO 27001 myths that make the Standard seem expensive and difficult’.
What is an ISO 27001 Gap Analysis?
In order to identify what work needs to be done to achieve certification, a Gap Analysis compares what your organisation is currently doing with what you must do to meet the compliance requirements of the Standard.
It will highlight shortfalls (or gaps) in compliance and where efforts should be concentrated to meet the requirements of the Standard.
An experienced ISO 27001 or information security consultant—familiar with the intricacies of the Standard—will be able to accurately assess your organisation’s current levels of compliance and provide pragmatic recommendations. A neutral or third-party review will enable your internal staff to concentrate on core business.
A PGI ISO 27001 gap analysis will take you through the mandatory clauses of the Standard (clauses 4 to 10) as well as the Annex A controls, to give you a complete assessment.