ISO 27001 Certification

By Scott Dawson
April 21, 2021

ISO 27001 Certification  – 2023 Update

Please Note: ISO 27001 had some changes and additions.  See what those changes are: ISO 27001:2022

In an increasingly virtual world, cybersecurity matters more than ever. Even small businesses need to think about how they handle sensitive information. Without cybersecurity management, your organization could lose revenue and damage customer trust.

The ISO 27001 standard specifies the requirements for an information security management system and, in Annex A, a reference set of security controls. It belongs to the ISO/IEC 27000 family of standards and uses the same high-level clause structure (Annex SL) as ISO 9001 and ISO 20000-1, so it can be integrated into your existing management systems with little duplication, and its controls map readily onto frameworks such as CMMC and CMMI, regardless of the size of your business.

Cybersecurity isn’t just about technology. Less than half of ISO 27001 deals with the technical IT side; most of the standard, and most of the Annex A controls, concern the people, processes, and policies that keep your information secure.


Let’s break down the standard and see how Core Business Solutions can help you achieve ISO 27001 certification.

What is ISO 27001?   

ISO 27001 is the international standard for an Information Security Management System (ISMS). It can apply to any business in any sector, and it addresses every part of your business that handles protected data.

To do this, ISO 27001 applies a comprehensive set of security controls called Annex A. Those controls include best practices, control areas, and control objectives.

If you want to maintain security and continuity, you need to ensure the Confidentiality, Integrity, and Availability of your information. ISO 27001 and Annex A exist to help you achieve those goals.

Information Security assures Information Assets maintain their: 

    • Confidentiality – disclosed only to authorized parties 
    • Integrity – accurate and complete, with unauthorized changes prevented or detected 
    • Availability – accessible to authorized users when they need it  

An ISMS is necessary for the legitimate use of information. It keeps your information safe from hijacking and illegitimate use. 

Who Wrote ISO 27001 and Why?

The ISO/IEC 27001:2013 standard was developed by ISO/IEC Joint Technical Committee 1 (JTC 1), whose subcommittee SC 27 is responsible for information security standards. Through JTC 1, experts develop international information and communication technology standards. The 2013 edition was last reviewed and confirmed in 2019; it has since been superseded by ISO/IEC 27001:2022.

ISO 27001:2022

ISO/IEC 27001:2022 was published on October 25, 2022. The management-system clauses 4 through 10 are largely unchanged, but Annex A was reorganized from 14 control areas into 4 themes (organizational, people, physical, and technological) with 93 controls, and organizations certified to the 2013 edition must transition within the published deadline. See the full list of changes: ISO 27001:2022

What are the Benefits of ISO 27001?

    • Reduced risk 
    • Improved customer trust 
    • Improved availability of information 
    • Improved security of information 
    • Improved confidentiality of information 
    • Creation of a systematic approach to security 
    • Involvement of all employees in ensuring the effectiveness of your Information Security Management System
    • Greater management visibility and risk management

How to Get ISO 27001 Certified

For your business to become ISO 27001 certified, an accredited third-party registrar must audit your company’s compliance with the standard. This involves an extensive evaluation of your ISMS, typically in two stages: a documentation review followed by an on-site audit of the ISMS in operation. A certificate is valid for three years; surveillance audits are repeated annually to maintain certification, and a full recertification audit takes place before the certificate expires.

What Requirements are Included?

If you’re familiar with other ISO standards, you will recognize the structure of ISO 27001. The standard is organized into these sections: 

    • Clause 4: Context of the Organization 
    • Clause 5: Leadership 
    • Clause 6: Planning 
    • Clause 7: Support 
    • Clause 8: Operation 
    • Clause 9: Performance Evaluation 
    • Clause 10: Improvement 

Together, these requirements make up the ISMS. They include the ISMS manual, procedures, policies, records, and other information to optimize your day-to-day security.

At the center of these requirements is Risk Assessment and Management. It all comes back to ensuring the Confidentiality, Integrity, and Availability of your information, and implementing the required controls to make that happen.

What are the ISO 27001 Clauses?

Now we can take a look at the standard itself.  

The first three clauses aren’t auditable. They simply provide supporting information: the scope of the standard (Clause 1), the normative references, chiefly ISO/IEC 27000 (Clause 2), and terms and definitions (Clause 3). The introduction (Clause 0) explains the process approach and the plan-do-check-act methodology.

Let’s dive into the auditable clauses of the standard—those that an auditor will expect to see addressed.  

Clause 4: Context of the Organization

The context of your organization means the total picture of your environment and influences, both internal and external. Once you define that context, you can see how the ISO 27001 standard applies to your business. Then you can develop and implement the ISMS to reduce risks to the Confidentiality, Integrity, and Availability of your data.  

Clause 5: Leadership

Information security starts with the leadership of your organization. Management commitment to the ISMS is fundamental to ISO 27001. The standard itself employs several tools to ensure such commitment.

As part of ISO 27001, your organization must publish an information security policy. This policy should establish the management’s vision for—and commitment to—information security. Auditors will want to see this policy communicated across your organization.

This section also addresses organizational roles, responsibilities, and authorities: top management must assign who is accountable for the ISMS conforming to the standard and who reports on its performance. (The management review itself is a Clause 9 requirement, held at planned intervals; once a year is common practice.)

Clause 6: Planning

This is where you begin to assess and address your organization’s security risks. You define a risk assessment method, identify risks to the confidentiality, integrity, and availability of information, and decide how each will be treated. The controls you select are recorded, with the reasons for including or excluding each Annex A control, in a Statement of Applicability. Once you know your risks, you can set measurable security objectives and form a practical plan to achieve them. 

Things to Remember:  

  • All actions should be proportionate to the risk they address. To determine this, consider the impact that risk may have on the confidentiality, integrity, and availability of your information. 
  • All planning should be results-driven. 
  • Planning is handled by managers and process owners on an ongoing basis. 
  • Details of all actions, tasks, needed resources, risks, responsibilities, completion dates, and effectiveness evaluations must be documented.

Clause 7: Support

After planning, you must identify and provide the support you need to implement and improve your ISMS. Those supports include tangible resources and harder-to-quantify elements like competency, employee awareness, and communication.  

One crucial support is employee training on the ISMS. Another is documentation; auditors will be looking for appropriate document management. The CORE platform is a great way to ensure consistent document control across your business.  

Clause 8: Operation

This is where planning ends and action begins. Having determined the necessary security processes, it’s time to implement and control. This is how you achieve your organization’s security objectives. 

As you implement the ISMS, your business context will likely change. For planned changes, make sure to implement the proper controls for your new situation. For unintended changes, you must review the consequences and take action to mitigate adverse effects. Clause 8 also requires you to repeat the risk assessment at planned intervals and whenever significant changes occur, and to keep documented results of both the assessment and the treatment.  

This also applies to outsourced processes. Determine which processes are provided by third parties, keep them under control, and apply the necessary ISO 27001 security controls to them as well.  

Clause 9: Performance Evaluation

Once your ISMS is operating, you must regularly evaluate its performance and effectiveness. Determine what to monitor or measure, the methods to use, when the monitoring and measurement take place, and who analyzes and evaluates the results. 

Management reviews and internal audits are a central part of this process. The internal audit will show you what must be improved before your certification audit takes place.  

Clause 10: Improvement

This last clause of the standard deals with nonconformities and corrective action. After proper performance evaluation, you should have a clear picture of the places where your ISMS requires improvement.  

Once again, documentation is key. Your organization must document areas of improvement and corrective actions taken. The auditor will want to see evidence of continual improvement to the suitability, adequacy, and effectiveness of your ISMS. 

Annex A — ISO 27001 Controls 

The last part of ISO 27001 is Annex A. This is unique to the ISO 27001 standard. In the 2013 edition it includes 14 control areas, 34 control objectives, and 114 controls; the 2022 edition regroups them into 4 themes with 93 controls. Not every control is mandatory: you select controls based on your risk treatment and justify each inclusion or exclusion in the Statement of Applicability. These controls define what needs to be controlled but not the how. That’s where Core Business Solutions consultants can help you apply this standard to your business.

Getting ISO 27001 Certified:

Information security matters more than ever. A continually improving information security management system builds trust, both within your organization and with your customers.   

Applying this broad standard to your specific business might feel challenging. That’s where Core Business Solutions comes in. Our consultants can help you figure out just how this standard applies to you. We also offer the CORE Compliance Platform, a document control system specifically designed to help you keep the necessary documentation for your certification.  

Interested in pursuing ISO 27001 certification? Contact Core Business Solutions and talk to a consultant today. 

Related Articles:

Cybersecurity Checklist
Small Business Cybersecurity. Today’s cyber threats can impact any company, regardless of size or industry. But did you know that 43% of cyber-attacks are aimed at small businesses, according to...

Cyber Hygiene Practices for Every User
What is Cyber Hygiene? Cyber hygiene refers to the practices and measures individuals and organizations take to maintain good digital health and security. Just like personal hygiene routines keep us...

ISO 27001:2022 Is Here
ISO 27001:2022. The latest version of ISO 27001 has arrived. Published on October 25, 2022, the new version (ISO 27001:2022) brings important updates to the standard. Initial ISO 27001 audits...