Frequently Asked Questions Answered—ISO 27001 Certifications

Originally published by BARR Advisory.

As one of the most thorough cybersecurity assessments an organization can go through, achieving ISO certification might initially seem daunting.

At our recent ISO Open House, Director of Attest Services Angela Redmond and Manager of Attest Services Marc Gold answered some frequently asked questions about ISO 27001 and what to expect when working towards the certification.

Let’s look at a few of these FAQs and what our experts have to say so you can confidently take the next steps on your path to long-term cyber resilience.

Q: What can my organization expect when working to achieve ISO 27001 certification?

ISO 27001 outlines the requirements for establishing, implementing, maintaining, and continually improving an organization’s information security management system (ISMS). ISO 27001 is an internationally accepted standard and a valuable way to differentiate your organization and comply with industry standards.

The following steps outline what to expect during the certification process.

Pre-certification activities

You’ll need to gather information about your ISMS scope and boundaries of the system to determine resourcing needs, such as:

• Approximate number of people
• Infrastructure
• Software components
• Key activities and data
• Locations (physical and virtual) of the ISMS

Pre-assessment (optional)

A pre-assessment is not required, but a formal readiness assessment against the ISO 27001 Standard can help organizations prepare for initial certification in order to identify deficiencies in your ISMS.

Initial certification audit

Initial certification audits include two stages. Stage 1 evaluates your management system and documentation, primarily focusing on your system’s design. The Stage 2 audit evaluates the implementation and effectiveness of your management system.

Surveillance audit

The initial certificate issued is valid for three years from the issuance date. At least annually, surveillance audits are conducted to help ensure your organization complies with the standard.

Recertification

Before the certificate expires, arrangements for recertification are planned. Recertification activities include a full audit of your ISMS.

Q: What are the ISO 27001 requirements and options I have for my organization’s specific needs?

At the heart of ISO 27001 is the development of your organization’s ISMS. Before your audit, it’s best to define the scope of your ISMS compared to your business needs, the structure of your organization, location, information assets, and technologies. The scope of your ISMS can be as small or as large as your organization wants to design it—covering a small part of your organization or the entire organization—as long as all of the requirements of the ISO 27001 standard are applied and operational.

The design and implementation of your organization’s ISMS will be influenced by your business and security objectives, security risks and control requirements, the processes employed, and the size and structure of the organization.

Additional considerations when thinking through the scope and design of your ISMS include:

• The design and adoption of your ISMS should be a strategic decision involving top management—not exclusively the IT team.
• Your ISMS will evolve systematically in response to changing risks.
• Areas outside your ISMS are inherently less trustworthy, meaning additional security controls may be needed for business processes passing information across the boundary.
• A formally certified ISMS builds confidence in the organization’s approach to information security management among stakeholders, both internal and external.

Q: What are the significant changes from ISO 27001:2013 and ISO 27001:2022?

At least once every five years, all ISO standards are reviewed. Standards are updated to remain current and reflect new and evolving security challenges. The changes can be broken down into two parts—changes to the management system clauses and Annex A controls.

Changes to the management system clauses are minor overall, with the most significant being clauses 4.4 and 8.1. Clause 4.4 adds to the context of the organization the requirement to identify necessary processes and their interactions within the ISMS. Clause 8.1 adds a requirement to define process criteria.

The Annex A controls changes are moderate and have been derived from ISO 27002:2022, released earlier this year. Organizationally, the former 14 families of Annex A have now been focused on just four themes. Most of the controls have stayed the same or have been renamed. Another group of rules was merged to reduce the total number of controls. Still, the requirements within those controls are almost the same. The most significant change has been the addition of 11 new controls.

Q: What effort and commitment is required to obtain an ISO 27701 certification?

ISO 27701 was released in August 2019 as an extension of ISO 27001. It outlines requirements for establishing, implementing, maintaining, and continuously improving an organization’s Privacy Information Management System (PIMS). It’s an internationally accepted standard and essential for organizations that process Personally Identifiable Information (PII).

Similarly to ISO 27001, ISO 27701 uses a risk-based approach, which means organizations adopting ISO 27701 are not required to implement every possible control for every situation.

Organizations should also understand the context in which they handle data as either controllers or processors which are terms that are part of the GDPR. A data controller is the entity that determines the “why” and “how” for processing personal data, while the data processor is the entity that performs the data processing.

You’ll want to consider ISO 27701 if your organization:

• Handles both controller and processor-specific controls.
• Wants to demonstrate a commitment to privacy.
• Is small to medium-sized or enterprise level—all sizes can benefit from this certification.
• Needs to comply with GDPR standards.
• Already has an ISO 27001 certification in place.