Beginner's Guide to ISO 27001
What is ISO 27001?
ISO 27001, sometimes referred to as ISO/IEC 27001, provides a technical framework that organisations can use to improve the management of their information. The system built on this framework is called an Information Security Management System (ISMS).
ISO 27001 was initially created and published jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) in 2005, creating ISO 27001:2005. This was then updated in 2013. ISO 27001:2013 is the current standard, but it is due for another update in October 2022. It is currently the leading information security standard focused on improving companies' data protection and handling systems.
Why is ISO 27001 important?
There are more than a dozen sets of standards in the ISO 27001 family. Using them enables organisations to manage data such as financial information, intellectual property and information entrusted by third parties securely and effectively. This encompasses data collected from clients, employees and partners. Having a rigorous data protection and handling system helps reduce data breaches.
Whilst not a legal requirement, there are certain industries where ISO 27001 is seen as being almost mandatory. Within those industries, it might well be a requirement of contract tenders and similar procurement processes. Some example industries that are more likely to have ISO 27001 as a requirement include:
- Banking and financial sectors
- Government organisations
- Healthcare, specifically where patient data is held
- Telecoms
- Technology companies
- Pharmaceutical and medical R&D companies
… to name just a few.
What is an ISMS?
An Information Security Management System (ISMS) is a set of policies, procedures and other controls put in place by an organisation to establish the proper processes and technology to protect sensitive data.
These ISMSs are regularly assessed by specially trained ISO 27001 auditors to improve their effectiveness and provide companies with a risk-based and technology-neutral way of keeping their data assets secure and preventing data breaches.
What are the benefits of ISO 27001 certification?
ISO 27001 is the leading ISMS standard in existence. Its accreditation and certification are recognised worldwide. In the last decade, ISO 27001 certifications have increased by more than 450%, and have seen an increase of 22.38% between 2018 and 2022. These standards help you meet EU regulations (such as GDPR and NIS; Network and Information Systems) and decrease the costs, both financial and reputational, associated with data breaches.
ISO 27001 certification is beneficial as it enables organisations to:
- Minimise overheads by only implementing the security controls needed
- Build reputation, and demonstrate commitment to data protection
- Ensure staff are aware of the risks associated with data breaches and instil security in everyday working practices
- Respond quickly to changes both internally and externally
- Strengthen an organisation's security systems to minimise the risk of a cyber attack, and have processes in place ready to handle such a situation
- Provide a consistent data management methodology, regardless of whether data is stored in the cloud or as a physical copy
How long does an ISO 27001 certification last?
After a successful certification audit, an ISO 27001 certification will last 3 years, during which regular reviews of the Information Security Management System (ISMS) must be carried out, both internally by appointed managers (sometimes referred to as "Lead Implementers") and externally. Data handling and processing systems must be reviewed continually in order to remain certified.
How much does ISO 27001 certification cost?
The cost of ISO 27001 certification varies depending on many factors, such as an organisation's size, how risky you're perceived to be and the accredited certification body chosen. There will be a cost for implementing and running ISO 27001 as well as the cost of the certification audit itself. For smaller businesses, the certification costs are usually around £5,000-£6,000. Taking both costs into account, small businesses can expect to pay around £15,000-£20,000.
It is not cheap, especially if you don't have a large cash flow, but for many industries and organisations it is a system worth investing in, as it will provide many benefits in the long run, such as opening new avenues for contract bids and diminishing the costs associated with a data breach.
How do you implement ISO 27001?
We have created a simple guide to implementing ISO 27001 in an organisation.
10 Simple Steps to Implement ISO 27001
1. Develop an ISMS Policy
The Information Security Management System policy document is high-level. It outlines the main areas that require improvement in an organisation and highlights how improvements will be made.
2. Develop and Carry Out a Risk Assessment
Organisations should identify any risks, threats and vulnerabilities. A risk treatment and risk acceptance policy should be created to resolve issues. When doing the risk assessment, an organisation's information asset inventory and internal processes should be taken into account.
3. Develop a Statement of Applicability (SoA)
The Statement of Applicability specifies which controls from ISO 27001 need implementation and which don't.
4. Develop a Risk Treatment Plan
Using the SoA, define how the applicable risks will be treated. Which staff will be implementing the treatments? What is the budget?
5. Develop Procedures
This is the most important step! Your organisation needs to develop the relevant procedures for the ISMS. This can be quite a lengthy process.
6. Staff Training
Procedures and policies should be carried out by staff and embedded within the company's culture. Lack of awareness is one of the main reasons for ISO certification failure.
7. Implement and Monitor
Everyone should be following the ISMS in their daily work. Objectives should be monitored to be sure they are met, and adapted if they are not.
8. Internal ISO Auditing
A qualified ISO 27001 auditor should perform a thorough audit every 3 years to find out where any problems lie.
9. Management Review
Management will need to analyse the findings of the internal audit and rectify the issues.
10. Correcting and Preventing
Actions should be taken to correct any identified issues, and preventative measures taken to avoid their recurrence.
Once these have been carried out, you can go ahead and apply for ISO 27001 certification!
How many controls are there for ISO 27001?
The standard doesn't require all controls to be implemented; the applicable set will likely be different for each organisation and is identified during the risk assessment stage. Annex A has 114 controls in total, grouped into 14 families. Below is a list of all the control sets:
- A.5 Information Security Policies
- A.6 Organisation of Information Security
- A.7 Human Resource Security
- A.8 Asset Management
- A.9 Access Control
- A.10 Cryptography
- A.11 Physical and Environmental Security
- A.12 Operations Security
- A.13 Communications Security
- A.14 System Acquisition, Development and Maintenance
- A.15 Supplier Relationships
- A.16 Information Security Incident Management
- A.17 Information Security Aspects of Business Continuity Management
- A.18 Compliance
However, the 2022 revision of ISO 27001 is expected to have fewer controls, 93 in fact, to help simplify processes.
How long does it take to become ISO 27001 certified?
There are multiple checks to be carried out within the certification process, and the time frame for each will vary based on company size and several other factors. The certification process could take anywhere from 6-18 months.
If you’re already ISO 27001:2013 certified, how do you get ISO 27001:2022 certified?
A revised version of ISO 27001 is expected in October 2022. Some controls have been updated or reordered, some have been merged or removed entirely, and new ones have been added. ISO 27001:2022 will have 93 controls, as opposed to ISO 27001:2013's 114.
There is no automatic transition to the new certification. Instead, organisations that already hold an ISO 27001:2013 certification will need to adapt their processes and submit an application specifically for the new ISO 27001:2022 certification.
There will be a 2-year transition period for organisations that are already certified. This will allow them time to revise their security management systems and comply with the revised standard.
What are the alternatives to ISO accreditation?
Getting ISO-certified involves multiple stages, external audits and often high costs. It can be daunting, especially for start-ups. Thankfully there are a few alternatives.
Information Assurance (IA) for Small to Medium-Sized Enterprises (IASME) bridges this gap. It is a government-designed standard specifically for SMEs, developed in 2010 as a government-funded project. This type of accreditation is more accessible for these organisations, whilst still ensuring they follow proper data handling and management procedures in line with Cyber Essentials and GDPR.
Are you ready for ISO 27001:2022?
With the launch of ISO 27001:2022 there has never been a more important time to ensure your organisation is compliant. We provide expert ISO 27001 auditing and consultancy services to help ensure compliance for certification renewal or any new certification application.
Get in touch to learn more and for a no-obligation chat to find out how we can help your organisation become ISO 27001 ready.