Let’s Go Back to the Basics: How ISO 27001 Certification Works
Published 01/09/2025
Written by Yehia (Ian) Ahmed, Complade.
With cyber threats continually evolving, organizations across all sectors are increasingly pursuing ISO 27001 certification as a systematic framework for information security management and a robust assurance mechanism. ISO 27001 stands out as a universal standard, applicable to all types of organizations across diverse markets because it provides a framework for managing cyber risks rather than prescribing a rigid set of specific controls for certification.
For cloud service providers—such as Software as a Service (SaaS) platforms like accounting applications, Platform as a Service (PaaS) providers offering APIs for industries like insurance or credit risk scoring, and Infrastructure as a Service (IaaS) providers delivering self-service servers and hosting solutions—certain shared characteristics shape their approach to cybersecurity management. These include shared security responsibilities between providers, their vendors, and customers, as well as the transparency required across the supply chain. Given these unique attributes, such organizations often need to implement additional industry-specific controls to ensure genuine security rather than just the appearance of it.
This guide breaks down how ISO 27001 applies to cloud vendors, explores risk-focused security measures, and highlights the relevance of the Cloud Controls Matrix (CCM) as a controls framework. It also examines the role of the Cloud Security Alliance (CSA), including its Security, Trust, Assurance and Risk (STAR) program, in building trust and security for cloud service providers.
What is ISO 27001?
ISO 27001 is a globally recognized standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). A management system encompasses policies, procedures, and processes designed to help organizations protect the confidentiality, integrity, and availability of their data by systematically identifying and managing information (or cyber) security risks.
A common misconception about ISO 27001 is that it includes a rigid checklist of mandatory controls that must be implemented to achieve certification. On the contrary, ISO 27001 is intentionally designed as a flexible, risk-based framework, allowing organizations to select controls tailored to their specific needs.
While Annex A of the standard provides a list of 93 controls across various information security domains, this list is not exhaustive. It is meant to guide organizations rather than serve as a one-size-fits-all solution. ISO 27001 requires organizations to identify and implement controls that effectively address their unique cyber risks, making it adaptable for businesses of all types and sizes.
It is important to note that the 93 controls in Annex A cannot mitigate every potential cyber risk, particularly for specialized industries like cloud service providers, which often require additional, industry-specific controls.
For example, if an organization stores, processes or transmits payment-card data (a large retailer taking card payments at checkout kiosks, or a major e-commerce site), it must meet the Payment Card Industry Data Security Standard (PCI DSS) regardless of transaction volume; the annual volume only determines its merchant level and therefore how compliance is validated, from a self-assessment questionnaire for small merchants up to an on-site assessment by a Qualified Security Assessor for the largest. Similarly, most industries have tailored control lists designed for their specific challenges. These industry-specific controls are meant to be used alongside ISO 27001, either because they fall within the ISMS scope or as targeted risk treatment measures. Even then, Annex A cannot be skipped entirely: clause 6.1.3 of ISO 27001 requires the organization to compare its chosen controls against Annex A to confirm that no necessary control has been omitted, and the Statement of Applicability must justify every Annex A control it excludes.
Fortunately, controls from different frameworks can usually be mapped to one another. The Cloud Controls Matrix (CCM) documentation is a good reference here: it contains detailed mappings to ISO 27001 and other frameworks, maintained by volunteer practitioners in the CSA community.
Key Steps in ISO 27001 Certification: Focus on Risk
Achieving ISO 27001 certification typically involves several stages, with the emphasis on information risk management. The steps below are one way to establish and implement an ISMS, not an exhaustive list; for implementation guidance, refer to ISO 27003.
Step 1: Conduct a Thorough Risk Assessment
ISO 27001 begins with a comprehensive risk assessment: identifying, analyzing and prioritizing the risks to your information assets. For each threat the organization estimates the likelihood that it materializes and the impact if it does, then uses the resulting rating to rank risks against its own risk acceptance criteria. This assessment is central to the ISO 27001 process because it drives the selection of controls.
ISO 27001 does not prescribe a specific risk assessment method. ISO 27005 and NIST SP 800-30 (Guide for Conducting Risk Assessments) offer detailed guidance, and NIST SP 800-37, which defines the NIST Risk Management Framework (RMF), places the assessment within the wider risk management lifecycle.
Step 2: Select Relevant Controls from Annex A
Once risks are identified, each one needs a treatment decision. ISO 27005 describes four options: modify the risk (mitigate it with controls), retain it (accept it, with sign-off from the risk owner), share it (transfer it, for example through insurance or a contract), or avoid it (stop the activity that creates it). Only for risks being mitigated does the organization go on to select controls, and those can come from Annex A, from the Cloud Controls Matrix, or from NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations).
ISO 27001 Annex A contains controls in areas such as access control, cryptography, physical security and operational security. Implementing every control in Annex A is neither mandatory nor, for most organizations, realistic; only those that effectively treat the identified risks are required. This flexibility is particularly valuable for organizations with unusual needs or those operating in specialized sectors.
Step 3: Document and Implement the Controls
The selected controls (whichever catalogue they come from, or custom controls you design) are then documented and implemented. This is where ISO 27001 earns its keep: it provides an agreed-upon process for managing those controls, which gives continuity and a basis for continual improvement. The documentation, together with evidence that the controls actually operate (records, test results, sampled tickets), is what the certification auditor examines.
Note that ISO 27001 sets no specific requirement for how policies or procedures are written; ISO 27003 and NIST SP 800-12 offer guidance.
Step 4: Certification and Continuous Improvement
Once the controls are in place, ISO 27001 requires an internal audit conducted by a competent person; the standard's competence requirements (clause 7.2) apply to the internal auditor as well. An external audit then follows, performed by a certification body that is itself accredited by an accreditation body belonging to the International Accreditation Forum (IAF). Certification runs on a three-year cycle: after the initial audit come annual surveillance audits and a recertification audit in year three, because ISO 27001 demands ongoing monitoring and improvement rather than one-time compliance. This also means that a certified organization may, in fact, have very few controls in place: if it accepts most of its risks and documents those decisions with risk-owner approval, it can still be certified. The caveat is that the auditor will check that each acceptance is consistent with the organization's own risk acceptance criteria, so "accept everything" is not a free pass.
A document called the Statement of Applicability (SoA) is referenced on the certificate alongside the ISMS scope: it lists every Annex A control, states whether it applies, and justifies each inclusion or exclusion. This is a major difference from SOC 2, where a licensed CPA firm attests that specific controls are in place and, for a Type 2 report, operated effectively over a period. Neither standard is better than the other, and neither replaces the other. Rather, organizations often need both: ISO 27001 to establish the process, and then, during risk treatment, the trust services criteria of SOC 2 (System and Organization Controls), the requirements of PCI DSS, NIST SP 800-171 and SP 800-172 (for Cybersecurity Maturity Model Certification, CMMC), or whatever industry- or customer-specific requirements apply.
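The four steps above, from risk scoring through treatment decisions to the Statement of Applicability, can be modelled in a small script. The following is an added example written for this article, not code from the author, ISO or CSA. It scores each risk, lets only mitigated risks contribute controls, cross-maps non-Annex-A controls (CCM or custom) to their Annex A equivalent, and emits an SoA that justifies inclusions and exclusions. The register and catalogue are constructed sample data; the control identifiers are quoted from memory of ISO 27001:2022 Annex A and CCM v4 and should be checked against the licensed text, and the 1-5 scales, the risk appetite value and the validation rules are assumptions of this example, not requirements of the standard.

```python
"""Risk register -> treatment -> Statement of Applicability (illustrative example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Treatment(Enum):
    """Risk treatment options; ISO 27005 wording in the comments."""
    MITIGATE = "mitigate"   # modify: apply controls
    ACCEPT = "accept"       # retain: risk owner signs off, no new controls
    TRANSFER = "transfer"   # share: insurance, contract, outsourcing
    AVOID = "avoid"         # stop the activity that creates the risk


@dataclass(frozen=True)
class Control:
    control_id: str
    framework: str                            # "AnnexA", "CCM" or "Custom"
    title: str
    annex_a_equivalent: Optional[str] = None  # cross-mapping target for non-Annex-A controls


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int          # assumed 1 (rare) .. 5 (almost certain)
    impact: int              # assumed 1 (negligible) .. 5 (severe)
    treatment: Treatment
    owner: str               # risk owner who approves the treatment
    rationale: str = ""      # required for accept / transfer / avoid
    controls: tuple = ()     # only meaningful for MITIGATE

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


RISK_APPETITE = 6  # assumed: scores at or below this may be retained without new controls


def validate(register):
    """Return the findings an internal auditor would raise against the register."""
    findings = []
    for r in register:
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            findings.append(f"{r.risk_id}: likelihood/impact outside the 1-5 scale")
        if r.treatment is Treatment.MITIGATE and not r.controls:
            findings.append(f"{r.risk_id}: marked mitigate but no control selected")
        if r.treatment is not Treatment.MITIGATE and not r.rationale:
            findings.append(f"{r.risk_id}: {r.treatment.value} without documented rationale")
        if r.treatment is Treatment.ACCEPT and r.score > RISK_APPETITE:
            findings.append(f"{r.risk_id}: score {r.score} exceeds appetite {RISK_APPETITE} but is accepted")
    return findings


def build_soa(register, annex_a_catalogue):
    """Build the SoA: one entry per Annex A control in the catalogue (in real use,
    all 93), included with the risks that justify it or excluded with a reason.
    Non-Annex-A controls that were selected are returned separately."""
    justification = {}   # annex_a_id -> set of risk ids
    additional = {}      # CCM / custom control id -> Control
    for r in register:
        if r.treatment is not Treatment.MITIGATE:
            continue     # accepted, transferred and avoided risks add no controls
        for c in r.controls:
            if c.framework == "AnnexA":
                justification.setdefault(c.control_id, set()).add(r.risk_id)
            else:
                additional[c.control_id] = c
                if c.annex_a_equivalent:   # cross-map back to Annex A for the SoA
                    justification.setdefault(c.annex_a_equivalent, set()).add(r.risk_id)
    soa = {}
    for control_id, title in annex_a_catalogue.items():
        risks = sorted(justification.get(control_id, ()))
        soa[control_id] = {
            "title": title,
            "applicable": bool(risks),
            "justification": (f"mitigates {', '.join(risks)}" if risks
                              else "excluded: no identified risk requires it"),
        }
    return soa, sorted(additional)


# Constructed sample data (a partial catalogue; IDs quoted from memory, verify before reuse).
ANNEX_A = {
    "A.5.15": "Access control",
    "A.5.23": "Information security for use of cloud services",
    "A.8.16": "Monitoring activities",
    "A.8.24": "Use of cryptography",
}
CCM_DATA_ENCRYPTION = Control("CEK-03", "CCM", "Data encryption", annex_a_equivalent="A.8.24")
CUSTOM_TENANT_KEYS = Control("CUST-01", "Custom", "Per-tenant encryption keys", annex_a_equivalent="A.8.24")
ANNEX_ACCESS = Control("A.5.15", "AnnexA", "Access control")

REGISTER = [
    Risk("R1", "Tenant data commingled in a shared database", 4, 5, Treatment.MITIGATE, "CTO",
         controls=(CCM_DATA_ENCRYPTION, CUSTOM_TENANT_KEYS)),
    Risk("R2", "Credential stuffing against the admin console", 3, 4, Treatment.MITIGATE, "Head of Platform",
         controls=(ANNEX_ACCESS,)),
    Risk("R3", "Office printer unavailable for a day", 2, 1, Treatment.ACCEPT, "Office Manager",
         rationale="Score 2 is within appetite; no customer data involved"),
    Risk("R4", "Legacy FTP upload endpoint exposed", 4, 4, Treatment.AVOID, "CTO",
         rationale="Endpoint decommissioned; customers migrated to SFTP"),
    Risk("R5", "Volumetric DDoS on the public API", 3, 4, Treatment.TRANSFER, "CTO",
         rationale="Contracted scrubbing service; residual risk reviewed quarterly"),
]

if __name__ == "__main__":
    for finding in validate(REGISTER):
        print("FINDING:", finding)
    soa, extra = build_soa(REGISTER, ANNEX_A)
    for cid, entry in soa.items():
        print(cid, entry["title"], "-", entry["justification"])
    print("Additional (non-Annex-A) controls:", extra)
```

The sample register certifies cleanly even though three of its five risks carry no control at all, which is the point the article makes about accepted risks; change R3 to a score above the appetite, or drop its rationale, and `validate` reports exactly the objection an auditor would raise.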
Beyond ISO 27001: The Role of CCM for Cloud Service Providers
For organizations operating in the cloud space—SaaS, PaaS, and IaaS providers—ISO 27001 Annex A may not fully address the unique risks associated with cloud environments. This is where the Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA) comes into play.
CCM is a cybersecurity control framework tailored to cloud service providers, addressing security requirements unique to the cloud and supporting sound risk management practices. While ISO 27001 provides a comprehensive foundation for information security, cloud providers face specialized threats such as tenant data segregation failures, multi-tenancy risks, and shared responsibility gaps between provider and customer. CCM includes controls designed for these cloud-specific issues, going beyond the generalized approach of ISO 27001 Annex A.
The Importance of CSA STAR for Cloud Service Providers
To streamline the integration of cloud security requirements, cloud providers can pursue the CSA Security, Trust, Assurance and Risk (STAR) program. STAR offers three levels of assurance, each suited to a different maturity level and reporting need:
Level 1: Self-Assessment
At this initial level the organization completes a self-assessment against the CCM controls, typically by answering the Consensus Assessment Initiative Questionnaire (CAIQ) and publishing it to the STAR registry. It is a reasonable starting point for providers who want to demonstrate their commitment to cloud security without yet undergoing an external audit.
Level 2: Third-Party Assessment
Level 2 is an external audit by a qualified third party, delivered either as STAR Certification (an ISO 27001 certification audit extended with the CCM controls) or STAR Attestation (a SOC 2 engagement extended with the CCM). This lets providers align the ISO 27001 ISMS with CCM controls and gives customers greater assurance through validated, externally assessed security practices.
Level 3: Continuous Monitoring
At this level the organization moves to continuous, near-real-time monitoring and reporting against the CCM. It suits providers that want to position themselves as highly trusted cloud providers and already have mature threat detection and response capabilities.
Simplifying Compliance with Cross-Mapping of Controls
One advantage of CSA STAR is its cross-mapping, which lets cloud providers map ISO 27001 Annex A controls to CCM. This simplifies reporting and improves transparency, because the organization can show how each ISO 27001 control is implemented with cloud-specific adaptations. Rather than treating ISO 27001 as a checklist, organizations can run it as a dynamic risk management framework, extended by CCM controls to cover the cloud-specific areas Annex A does not explicitly address.
Conclusion: The Risk-Based Flexibility of ISO 27001 and the Value of CCM/CSA STAR
ISO 27001 is a risk-based standard that gives organizations the flexibility to implement only the controls that match their risk profile, fostering a security-first, risk-treatment mindset.
However, for cloud service providers who face distinct risks, supplementing ISO 27001 with CCM and CSA STAR enables a more comprehensive approach to cloud security.
As cloud computing continues to grow, the additional focus provided by CCM and CSA STAR is invaluable for building trust with customers and ensuring that controls are adapted to the security needs of cloud environments. By embracing ISO 27001 as a risk management framework, enhanced by specialized controls from CCM, cloud providers can achieve effective, adaptable security that meets the demands of today's evolving threat landscape.