Information Security or IS is among the most important aspects of running a business. Ensuring your data is secure is vital for long-term success, and undergoing an IS certification is one of the best ways to achieve this. While all businesses can agree on that, not many understand what the ISO 27001 standard is about and what is needed to implement it. We decided to answer the questions you might have on this topic.
In this guide, we provide an overview of how to implement ISO/IEC 27001:2013 for companies that decided to proceed with this process. We will cover key implementation milestones and challenges, along with some useful tips on how to avoid common traps.
What is ISO 27001?
ISO/IEC 27001:2013 is an international standard designed to help businesses create a robust Information Security Management System (ISMS). An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes, and IT systems by applying a risk management process to daily data management workflows.
ISMS is a top-down approach ensuring the company has a transparent policy on who can access what information and how they can use it. In addition, it introduces a framework for data handling, which ensures that everyone from C-level to common staff members knows what information they can (and cannot) access. Its main goal is to ensure the CIA (Confidentiality, Integrity and Availability) of mission-critical sensitive data, both during normal business operations and when under attack by hackers.
To that end, ISO/IEC 27001:2013 provides a comprehensive set of controls comprising best practices in information security. The standard is applicable to any industry and any company size. It can help small, medium, and large businesses in all sectors keep information assets secure. It is also a basis for adopting enterprise-grade software like Microsoft Active Directory.
More importantly, as an internationally recognized information security standard, ISO 27001 provides a distinct advantage for those businesses that implemented it and obtained certification. The standard demonstrates the company’s ability to securely handle information throughout all business operations and is often included as one of the prerequisites for governmental tenders and corporate contracts. As of today, more than 20,000 companies worldwide are already ISO/IEC 27001:2013 certified.
On top of that, many other certifications are based on ISO/IEC 27001:2013, including SOC 1/2 and TISAX. Even GDPR and DPA’s technical requirements are quite well matched with ISO 27001. So, the ISO 27001 implementation is a good foundation for a company to be ready to respond to various IS (information security) requirements according to the industry best practices.
Updated ISO 27001:2022 revision
ISO 27002 is a supporting standard which provides guidance on the implementation of security controls listed in ISO 27001 Annex A. In February 2022, this standard was updated, and the newest version as of now is ISO 27002:2022. It is also expected that ISO 27001 will get a corresponding update toward the end of 2022.
Fundamental changes in the 2022 revision:
- First of all, the changes touch only security controls, not the body of the standards. Only the security controls listed in ISO 27001 Annex A will be updated.
- The number of controls has decreased from 114 to 93, and controls are not grouped in 4 sections instead of 14.
- There are 11 new controls, and some controls were merged.
Overall, these changes make the standard more logical and better applier to the modern IT and software realities.
Concerning the preparation for the 2022 changes, there are a few things to keep in mind:
- First of all, there will be (most probably) a two-year transition period starting from the ISO 27001:2022 publication date. So there is definitely enough time to prepare.
- If you are already implementing ISO 27001 and have a certification roadmap, don’t wait for the new standard and get certified (:2013).
- If you only plan to implement ISO 27001, it might be a good idea to address the new version already from the beginning.
Contact our experts to get advice on the implementation roadmap for your company.
Need help?
The business value of ISO 27001 implementation
Below we describe the business value delivered by four main sections of this standard that form the ISMS core.
Risk assessment
The risk management process starts with identifying and quantifying the risks to the company’s business assets present in the existing operations. Once quantified, such risks form a risk profile that can be managed by applying specific security controls. This allows companies to mitigate security risks by reducing them to acceptable levels for a business based on its risk appetite.
Security policies
These policies are basically written instructions on the approach an organization should take to deploy and manage the security controls. Defining these policies helps enforce such controls consistently across the entire organization.
Organization of information security
This aspect of the process enables structuring the IS roles and responsibilities within the organization, which is needed to properly manage and maintain the ISMS. As a part of this process, adequate information security training and periodic skill checks are introduced, along with risk profile reviews and implementation process steering meetings.
Asset management
This ISMS component aims to compose and manage a list of assets (any information of business value, like the employee personal details, CRM data, intellectual property, etc.). Maintaining such a list helps organizations better control the information whose CIA must not be compromised. As mentioned above, the risks to digital assets must be identified and quantified, appropriate security controls must be deployed, and the risk levels should thus be reduced to the degree that the organization feels comfortable with.
The above sections form the core of the ISMS and provide the most business value to every company. The rest of the standard’s sections contain instructions on how to ensure watertight information management security. They cover the workflow for the identification, management, and resolution of security incidents. On top of that, other sections contain business continuity plans and critical recommendations for controlling physical access to key elements of the organization’s ISMS.
After implementing these instructions, your company will benefit from a robust IS management framework, streamlined data security workflows, and industry-leading best practices for incident resolution.
How to implement ISO 27001
Many consider a gap analysis to be a good start for ISMS implementation workflow. It allows organizations to understand the level of operational maturity and readiness for ISO 27001. But, in our experience, a gap analysis doesn’t make much sense unless a company has a dedicated IS department. The reason is the lack of skills required to identify the challenges. That’s why it’s better to dive straight into implementation and solve the issues as they arise.
General overview
Typically, the ISMS is organized in the PDCA (plan–do–check–act or plan–do–check–adjust) cycles. PDCA, also known as the Deming circle/cycle/wheel, is an iterative four-step management method used in business to control and continuously improve processes and products.
For ISO 27001, ISMS goes in year-long PDCA cycles. Here is what each stage encompasses:
| Phase | What has to be done | Timeline |
|---|---|---|
| Plan | - Define ISMS objectives and goals - Organisation of information security - Implement risk management framework | 1-3 months |
| Do | - Develop key policies (BYOD, HR, Physical security, Encryption, etc.) - Implement Annex A controls to mitigate risks - Perform activities and create periodic records required by the policies | 3-6 months |
| Check | - Accomplish internal ISMS audit - Perform monitoring, measurement, analysis, and evaluation | 1-2 months |
| Act | - Fix issues and non-conformities identified during the internal audit | 1-2 months |
The most heavyweight phases are Plan and Do. Check and Act are meant to verify and correct what has been done.
After successfully completing one cycle, a company can apply to become ISO 27001 certified. While normally the PDCA cycles are one year long, the initial cycle can be shortened to speed up the certification process.
Companies can implement ISO 27001 entirely on their own or get implementation guidance from certified professionals.
Timeline
On average, expect the ISO implementation to take 6-12 months. The exact timeline depends on many factors: company size, readiness level, management focus, resources, etc. Some companies do it faster, e.g., in a few months, but they are cutting corners instead of practically working on the system. It is not advisable, as you can create technical debt that you will have to pay off with a project on your hands, and the cost of failure can be rather high.
Treating ISMS as a project
To make ISMS implementation efficient and to meet the set deadlines, you need to treat this process as a separate project. It means:
- Having a dedicated PM (Project Manager) or IS manager who has expertise in organizing things and documentation
- Using a project management system like Jira, Youtrack, Trello, Asana, or others to assign the tasks and oversee their completion
- Having a project plan in place and following it
- Performing regular check-ins to ensure the team does not digress.
Having a good project plan in place is extremely important! This is what we normally do as one of the first steps when guiding clients to implement ISO 27001. You can come up with your own or use the Excel template we provide:
Assembling a team
Of course, the team can vary from company to company based on your industry, size, level of operational maturity, and other factors. But here’re the approximate team structure and roles you would need:
| Role | Function |
|---|---|
| PM/IS manager | ISMS implementer. This person should be skilled in IS and understand what the ISO standard is. Some ISMS implementers might be less experienced in ISO 27001 specifically. If this is the case, they should be backed up with external experts. Main responsibilities: orchestrating the project, managing/writing most of the documentation, keeping track of the project status, etc. |
| IT and system administration | Lots of ISMS activities depend on the IT department in one way or another. So, good cooperation and dedication from IT are required. |
| C-level support | ISO standard implementation requires making many company-wide decisions, so a wholehearted buy-in from C-level executives is a must. Somebody with the authority to make decisions and supply a budget must oversee the project. |
| Departments heads | SO 27001 touches different areas of the company, so all the key stakeholders (e.g., head of engineering, head of PM, head of recruitment/HR) should be onboard. |
| Expert ISO 27001 or Virtual CISO | In case you don’t have an experienced ISO 27001 implementer with dozens of projects behind, external experts will save you from mistakes, point you to important gaps, and prepare you for the audit in general. |
| Internal auditor | It’s often an underestimated role. An internal auditor is needed to make an independent internal evaluation of the ISMS readiness level and identify any gaps. |
Be ready to allocate enough capacity for these resources; otherwise, it will drag the project away from timelines.
How to get certified
Certification involves the organization’s ISMS being assessed for compliance with ISO 27001 by the certification body. Normally, it’s an on-site visit by an auditor that consists of several days (up to one week) of interviews. If everything is successful, a company gets a certificate valid for three years.
Finding an auditor is the task for an organization that needs to get a certification. We recommend contacting your local vendors to get quotes since it’s always easier to do it with local providers. It’s preferable to work with certification bodies accredited by one of the IAF members as it’s a guarantee that their certificate will be recognized without any issues.
It’s also important to get in touch at the beginning of the project so that auditors keep your organization in mind and set the audit date in advance. Waiting until the last minute is a bad idea as auditors may be booked in, and your certification can be delayed.
Remember that auditors are humans, too. So it’s your task to help them understand what you’ve done, explain the processes, and talk through everything.
Tips and FAQ for making the most of ISO 27001 implementation
Based on Iterasec’s extensive cybersecurity expertise, ISO implementation is a complex process. And there are certain things to keep an eye out for. So here are some expert tips:
Tip #1. Properly implement the following policies and controls:
- Risk management
- Device/laptop and BYOD policies
- Access control
- Physical security
- Information classification and protection
- Incident management: reporting and incident recovery
From experience, these controls are especially significant for IT companies hence to make ISO 27001 practically useful, we recommend not cutting corners when implementing them.
Tip #2: Create clear and concise documentation
For an average employee, there will be quite a lot of documents to get familiar with, which can be overwhelming. To help your personnel learn new rules, create something more distilled, with your key IS rules outlined in 1-2 pages.
Tip #3: Make documents easy to access and navigate
People will not remember everything and will have to look things up. Store the key ISMS policies and documents on a corporate Google drive or equivalent secure cloud storage. Ensure your ISMS provides easy-to-access information on where to report incidents and how to reach out to IS people, etc.
Tip #4: Invest enough in training your staff
Make it practical and useful, not just pro forma. For the ISO to provide actual business value, all the participants must be on board. Everyone should clearly understand what happens and why it is done this way and not the other.
FAQ #1: Can I implement another ISO at the same time?
Yes, you can. Popular combinations are ISO 27001+22301 or ISO 27001+9001, as they have a lot in common. Another combination could be ISO 27001+27701 as ISO 27701 is basically the GDPR translated to the language of ISO standards.
Furthermore, there are other non-ISO frameworks and standards, such as SOC 2 or TISAX, which have a lot in common with ISO 27001.
FAQ #2: Where can I get document templates?
Good templates will save you a lot of effort, especially if you are new to ISO 27001. There are several options in the market, for example, Advisera.
When guiding our clients, we normally provide our own pre-filled set of templates.
FAQ #3: Does ISO 27001 mean my company won’t be hacked?
The answer is no. While ISO 27001 does require some strong security controls, it’s a management and organisational framework in the first place. At the same time, if implemented properly and with enough attention (not just creating documents but actually putting them into practice, organizing good training for employees, etc.), it really increases company resilience, especially when a company is new to IS or the ISO 27001 implementation.
FAQ #4: Is a pentest needed before the audit?
It really depends on the product or company to be certified. In practice, it is not always needed. The standard requires that the technical audit should be performed, but it doesn’t necessarily have to be an external pentest or security assessment. At the same time, pentesting is an extremely useful exercise to validate your real security level. Our company offers a wide range of such services: for applications, networks and clouds.
Conclusion
Yes, implementing ISO 27001 in IT requires quite a lot of resources, but it’s definitely worth it. First of all, you will be sure that you have watertight data security. Secondly, being ISO-certified shows the high-quality level of your services to customers, partners, and contractors.
Should you have any additional questions, feel free to contact us and get a consultation from our experts!