Everything you need for ISO 27001 Certificate [Guide]
As a company dealing with vast amounts of data, we understand that we have an obligation by law and principles to safeguard that data and protect it to the highest standards possible. That is why after a six month long process of preparation, meetings, reviews and testing, Sample Solutions and Sales Rocks are now officially ISO certified. Check out our handy guide to see how we got our ISO27001:2017 Certification.
Did you know that over 91% of surveyed businesses say it improved their information security?
ISO27001 is a global management system standard that provides the specification for establishing, implementing, maintaining and continually improving an information security management system (ISMS). It enables you to protect the confidentiality, integrity and availability of your information.
What does ISO27001 certification mean?
An ISMS (information security management system) is a systematic approach to managing data in a secure way and includes people, processes and technology.
Organisations that adopt ISO 27001 can be certified by an independent accredited audit body, giving clients, prospects and stakeholders evidence that their information security management conforms to an internationally recognised standard.
The scope of the ISMS, and therefore of the certification, covers the organisation's information in every form it is held:
- Data stored on mobile devices, computers and electronic systems.
- Hard copy (documentation and paper trail).
- Company intellectual property, trade secrets and client information.
- The physical and environmental security of where the business operates from.
- Staff directly or indirectly involved in data processing.
Once a risk has been identified and evaluated, it must be treated. The treatment options the standard allows are to modify the risk (apply or improve controls), share it (with a supplier or an insurer), retain it, or avoid the activity altogether. The options we relied on were:
- Modify: retire outdated or unsupported software and hardware in favour of technology that still receives security patches and vendor support.
- Modify: improve existing security measures and introduce new ones to reduce the likelihood or impact of the risk.
- Share: manage third-party risk through supplier contracts and monitoring (see Annex A.15 below), since outsourcing a process does not outsource the responsibility for it.
- Share: transfer the financial impact through an insurance policy.
Cost to benefit ratio
Where the cost of reducing a risk would exceed the damage the risk presents, the practical option is to mitigate it as far as is economical, document the residual risk, and have management formally accept it (risk retention). The acceptance, and the reasoning behind it, should be recorded so the auditor can see that the decision was deliberate rather than an oversight.
ISO27001 Annex A control sets:
Annex A of ISO/IEC 27001:2013 lists 114 reference controls in 14 control sets. Not every control applies to every organisation: each one is selected or excluded through the risk treatment process and recorded, with a justification, in the Statement of Applicability, and the internal and external audits test the controls you have declared applicable. (The 2022 revision of the standard reorganises Annex A into 93 controls under four themes, so check which edition your certification body audits against.)
- Annex A.5 Information Security Policies (2 controls): how policies are written and reviewed.
- Annex A.6 Organisation of Information Security (7 controls): the assignment of responsibilities for specific tasks.
- Annex A.7 Human Resource Security (6 controls): ensuring that employees understand their responsibilities prior to employment and once they’ve left or changed roles.
- Annex A.8 Asset Management (10 controls): identifying information assets and defining appropriate protection responsibilities.
- Annex A.9 Access Control (14 controls): restricting access to information and systems to what a role actually needs (least privilege), covering user registration and de-registration, privileged access, authentication and access reviews.
- Annex A.10 Cryptography (2 controls): encryption and key management of sensitive information.
- Annex A.11 Physical and Environmental Security (15 controls): securing the organisation’s premises and equipment.
- Annex A.12 Operations Security (14 controls): the day-to-day running of information processing facilities, including change management, malware protection, backups, logging and monitoring, and technical vulnerability management.
- Annex A.13 Communications Security (7 controls): how to protect information in networks.
- Annex A.14 System Acquisition, Development and Maintenance (13 controls): ensuring that information security is a central part of the organisation’s systems.
- Annex A.15 Supplier Relationships (5 controls): the agreements to include in contracts with third parties, and how to measure whether those agreements are being kept.
- Annex A.16 Information Security Incident Management (7 controls): how to report disruptions and breaches, and who is responsible for certain activities.
- Annex A.17 Information Security Aspects of Business Continuity management (4 controls): how to address business disruptions.
- Annex A.18 Compliance (8 controls): how to identify the laws and regulations that apply to your organisation.
Benefits of ISO27001 Certification
- Information security is managed against an internationally recognised standard, leading to a more consistent approach across the organisation.
- Avoid financial penalties and losses due to data breaches.
- New business opportunities where certification is a prerequisite for tendering or contracting.
- Improved brand reputation.
- Raising staff awareness on security practices.
- Stronger security acts as a deterrent to attackers.
Obstacles of ISO27001 Certification
The first and foremost obstacle to obtaining the ISO 27001 certification is, of course, its price. It can range from €20,000 for small and up to €50,000 for medium sized companies. That can consume budget that was reserved for other purposes, which may then be delayed or postponed, so careful planning and budget allocation are vital.
More often than not, upper management fails to foresee and understand the extent of information security risk, which leads to higher cost and can damage the brand long-term.
The process itself requires new and improved policies, procedures and documents, which take up a large amount of time and are a burden on teams already on a tight schedule.
Specialisation and education
The company must have a named owner for the ISMS who is aware of the company's current security procedures, the latest certification requirements and how to implement them within the company's existing framework. In our case this was our DPO (Data Protection Officer); note that ISO 27001 itself does not mandate a DPO (that is a GDPR role), only that top management assigns responsibility and authority for the ISMS, so the role is often filled by a CISO or information security manager.
Complexity of the procedure
Depending on the policy wording and implementation requirements, additional consultation may be required to ensure proper compliance.
The Road to ISO27001 Certification Guide
1. Conduct an analysis
Analyse the organisation’s existing information security framework
2. Obtain management support
Ensure top management support for appropriate human and financial resources
3. Specialised team/ISMS owner
A specialised information security team and an experienced owner for the ISMS (in our case the Data Protection Officer) are key to a successful process
4. Scope, ISMS objectives, budgeting
Define the scope and cost of the project as well as the needs of your organisation and certification requirements
5. Conduct risk assessment and control implementation
Develop a risk assessment methodology to identify, analyse and evaluate the security risks to the information in scope and their potential impact, then produce a risk treatment plan and a Statement of Applicability that records which Annex A controls are applied, and why the others are excluded
6. Staff awareness
Train your employees to implement and maintain the new security policies
7. Documentation
Revise and update existing documentation and write an Information Security Policy and Statement of Applicability
8. Internal audit
Conduct an internal audit, and the management review the standard also requires, to assess the readiness of the organisation and to identify gaps and failures to follow policy before the certification body arrives
9. Certification audit
The certification body first reviews your documentation and the design of your ISMS (information security management system), then carries out a thorough on-site assessment of how the controls operate in practice; any nonconformities found must be closed before the certificate is issued, and it is then maintained through annual surveillance audits
We hope our ISO27001 guide was useful in explaining the process as we took you through all the key points that you and your organisation will need to address to get your ISO Certificate.