Everything You Need to Know About ISO 27001 Certification
Originally published by A-LIGN.
With bad actors targeting sensitive data, many organizations are looking for new ways to monitor and improve their data security. Enter: ISO/IEC 27001:2013. A useful way to establish credibility with stakeholders, customers, and partners, ISO 27001 can help demonstrate your organization’s commitment to cybersecurity.
Of course, like most standards, the certification process can seem daunting at first glance. Here’s what you need to know before your organization decides to pursue an ISO 27001 certification.
What is ISO 27001?
ISO/IEC 27001:2013 was published by the International Organization for Standards (ISO) and International Electrotechnical Commission (IEC) in October 2005 and revised in 2013. It focuses on building strong information security management systems (ISMS) within organizations.
One of the most widely used security frameworks, ISO 27001 is a risk-driven standard that focuses on data confidentiality, integrity, and availability. The standard aims to help organizations have a stronger, more holistic approach to data security.
What is the Difference Between ISO 27001 and SOC 2?
ISO 27001 and SOC 2 are two of the most popular cybersecurity assessments that verify an organization’s ability to mitigate risk and protect information. However, the two standards are not interchangeable.
SOC, or System and Organizational Controls, is a framework developed by the American Institute of Certified Public Accountants (AICPA) with the aim of providing regular, independent attestation of the controls that an organization has implemented to mitigate information-related risk. There are three types of SOC audits: SOC 1, SOC 2, and SOC 3, although SOC 2 has become the de facto standard for cybersecurity.
The biggest difference between ISO 27001 and SOC 2 is that ISO 27001 is an audit process that results in a certification, and SOC 2 is an audit process that results in an attestation report. In an attestation report, a third-party assessor documents a conclusion about the reliability of a written statement. The organization which they are assessing is then held responsible for this statement. ISO 27001 certifications, on the other hand, are issued by certification bodies with the accreditation body and the International Accreditation Forum (IAF) seal.
Additionally, ISO 27001 is an international standard that is used as the principal cybersecurity standard throughout the world. SOC 2 is an American-born standard, and although it is gaining popularity in Europe, it is yet to have the same global reach as ISO 27001.
The Five Steps to ISO 27001 Certification
While the road to ISO 27001 certification is well-established, it is still a multi-pronged process that requires attention to detail and a generous time commitment. The five steps to ISO 27001 certification include:
- A Pre-Assessment
- The Stage 1 Audit
- The Stage 2 Audit
- A Surveillance Audit
Step 1: Pre-Assessment
The pre-assessment is designed for companies that are undergoing the certification process for the first time. This assessment is only performed on an as-needed basis, but highly recommended prior to the actual audit.
The pre-assessment involves performing a review of an organization’s scope, policies, procedures, and processes to review any gaps in conformance that may need remediation before the actual certification process begins.
Step 2: Stage 1 Audit
During a Stage 1, an auditor reviews an organization’s ISMS to confirm that it has been established and implemented in conformance with the ISO 27001 standard. This audit also checks to see if the mandatory activities of an ISMS have either been completed, or are scheduled for completion, prior to starting Stage 2.
Upon completion, the Stage 1 audit will reveal if an organization is ready to move forward to Stage 2 or if it needs to modify its policies, procedures, and supporting documentation before proceeding.
Step 3: Stage 2 Audit
The Stage 2 audit tests the conformance of an organization’s ISMS against the ISO 27001 standard. Upon completion of Stage 2, the auditor will determine if an organization is ready for certification.
If any major nonconformities were identified in the audit, they will need to be remediated by the organization before a certificate can be issued.
Stage 4: Surveillance Audit
The ISO 27001 certification process doesn’t simply end after a certificate has been issued. For the two years following certification, an auditor will conduct annual surveillance audits to ensure an organization’s ongoing conformity with the ISO 27001 standards. This step ensures your cybersecurity practices are operating at the highest possible level.
Stage 5: Recertification
An ISO 27001 certification is valid for three years after the certificate’s issue date. Organizations need to recertify before the certificate’s expiration date, which will require the organization to begin the certification process again. Recertification audits combine the stage 1 and stage 2 audit into one seamless audit.
How Do I Choose an Assessor?
Once an organization decides to pursue an ISO 27001 certification, they must then decide which path to certification they’d like to take. This initial step in the process means choosing a certification body (CB).
A CB is an organization that provides certifications around a chosen standard. These organizations come in two forms: accredited and unaccredited.
Although the process taken by both accredited and unaccredited certification bodies are similar, there are enough notable differences that require organizations to consider the risks that come from using unaccredited certification bodies before they begin pursuing ISO 27001 certification.
Accredited Certification Bodies
Accredited CBs must complete a more rigorous evaluation process through an accreditation body. This is done to ensure the certification audit it conducts is performed in accordance with the audit requirements.
The evaluation process involves reviewing the competence of the audit team, the audit methodology used by the CB, and the quality control procedures an organization has in place to ensure both the audit and report are completed accurately. This can minimize the risk of failing to receive certification.
Organizations that use an Accredited CB for certification will receive their ISO 27001 certifications with the accreditation body and IAF seal represented on the certificate. These marks means the certification body has an accreditation certificate that is accepted worldwide.
Unaccredited Certification Bodies
Because accreditation is not compulsory, non-accreditation does not always mean the certification body is not reputable. Accreditation, however, does provide an independent confirmation of competence. An Unaccredited CB is not audited to confirm their compliance with IAF certification audit requirements.
Oftentimes clients will only accept ISO 27001 certificates from accredited certification bodies. It is important for organizations to check to see if their clients have any specific accreditation requirements before they begin their certification process.
Common ISO 27001 Pitfalls
All certification processes come with the chance of not getting approved for certification, and ISO 27001 is no exception. Here are some of the most common mistakes organizations make while pursuing ISO 27001 certification, along with how you can avoid making the same missteps.
Failing to schedule the internal audit and management review
Both the internal audit and management review are critical to the success of the ISMS, as the internal audit feeds into the management review, and then both feed into the continuous improvement cycle.
However, the certification process can be easily disrupted if the internal audit and management review are not scheduled within the proper time frame. Organizations should make sure their internal audit is scheduled well in advance of the surveillance audit in order for management review and continuous improvement activities to have enough time to be completed.
The auditor starts the surveillance audit approximately nine months after receiving initial certification. This means an organization would start the internal audit six to seven months after certification.
Changes in key personnel
Most times, the ISMS is implemented by someone who fields many of the questions during an audit, taking overall responsibility for the ISMS. If this person leaves their role, the ISMS process can fall apart.
Organizations need to ensure they have a backup person who has a basic understanding of the ISMS. Even if this person never has to step up and take over the process, having an established transition process ahead of time can alleviate any potential headaches down the line. Detailed documentation will be key to this transition and will help the backup person properly carry out the ISMS process, providing guidance for performance.
Failing to be vigilant
ISO 27001 defines ongoing processes that should be in place throughout the year, not just during the audit itself. Management controls, which include periodic meetings, documented approvals for decisions, recording meeting minutes of oversight committees, etc., require maintenance for the ISMS to continue to function.
It is easy to fall into a period of false security and let oversight slip. Organizations should make sure their ISMS is a living process that is built into their day-to-day so that it continues to function as designed after certification is received.
Not considering environmental changes
ISO 27001 requires that all changes in the environment must be considered through the risk assessment process. It also requires new or modified controls to be mentioned in the statement of applicability.
The certification body you choose, must also be notified and a new certificate issued if there are changes to the scope or statement of applicability.
When changes in the environment may impact the scope of certification, it is necessary to review and update the ISMS documentation to ensure it correctly reflects the environment post-change.
What is ISO 27701?
Acting as an extension of ISO 27001, ISO 27701 is the first international privacy standard to provide a certification path for organizations to demonstrate their privacy systems and controls.
The ISO/IEC 27701:2019 standard was first published in 2019. It details the requirements and guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS). Although this standard is most relevant for personally identifiable information (PII) controllers and processors, it can also be used by organizations of any kind, size, and location.
To receive an ISO 27701 accredited certificate, organizations must either already have ISO 27001 certification or must undergo the ISO 27001 certification audit with the extension of ISO 27701.
Why organizations may want to pursue ISO 27001 and ISO 27701 certification
Outside of simply gaining a better understanding of the PIMS implementation process, there are multiple benefits that come from pursuing ISO 27701 and ISO 27001. Combining the two certifications:
- Streamlines compliance obligations for ISO 27001 and the GDPR by integrating privacy directly into an organization’s ISMS
- Helps organizations surpass the competition and attract new customers by adding a level of increased security and privacy into the organization
- Maintains peace of mind for current customers as they know their personal identifiable information (PII) is protected
- Helps organizations avoid potential fines, especially as the enforcement of privacy protection continues to increase
The underlying, foundational framework of ISO 27001 creates a strong ISMS. Alongside the ongoing PIMS improvement structure of ISO 27701, organizations can benefit from combining the two and ensuring a certifiable commitment to privacy controls.
Getting Started With Your ISO 27001 Certification
As privacy concerns and requirements continue to increase globally, ISO 27001 certifications will become increasingly important to organizations. This internationally recognized framework provides a set of best practices for organizations to follow and helps organizations provide peace of mind to customers and prospects.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.