What’s Required for ISO 27001 Certification?
By Scott Dawson
April 21, 2021

In an increasingly virtual world, cybersecurity matters more than ever. Even small businesses need to think about how they handle sensitive information. Without a managed approach to information security, your organization could lose revenue and damage customer trust.

The ISO 27001 standard specifies the requirements for an information security management system (ISMS) and the controls that support it. As part of the ISO/IEC 27000 family, it shares the same high-level clause structure as other ISO management system standards, so it integrates readily with an existing ISO 9001 or ISO 20000-1 system and can be run alongside frameworks such as CMMC and CMMI, no matter the size of your business.

Cybersecurity isn't just about technology. Only a minority of ISO 27001's requirements and Annex A controls are technical IT controls; most of the standard deals with the people, processes, and policies that keep your information secure.

Let's break down the standard and see how Core Business Solutions can help you achieve ISO 27001 certification.

What is ISO 27001?   

ISO 27001 is a robust information security management system (ISMS) standard. It applies to any organization in any sector and covers every part of your business that handles information in need of protection.

To do this, ISO 27001 references a comprehensive set of security controls in Annex A. Those controls are organized into control areas, each with control objectives and individual controls drawn from established best practice; implementation guidance for each control is given in the companion standard ISO/IEC 27002.

If you want to maintain security and business continuity, you need to ensure the confidentiality, integrity, and availability of your information. ISO 27001 and Annex A exist to help you achieve those goals.

Information security assures that information assets maintain their:

  • Confidentiality – disclosed only to authorized people, systems, or processes
  • Integrity – accurate, complete, and protected from unauthorized change
  • Availability – accessible to authorized users, reliably and when needed

An ISMS ensures that information is used only as intended. It keeps your information safe from hijacking, unauthorized access, and other illegitimate use.

 

Who Wrote It and Why?

The ISO/IEC 27001:2013 standard was developed by the ISO/IEC joint technical committee JTC 1, through its subcommittee SC 27, which is responsible for information security, cybersecurity, and privacy protection standards. Through JTC 1, experts from national standards bodies develop international Information and Communication Technology standards. The aim was to give organizations of any size a single, certifiable set of requirements for establishing, operating, and continually improving an ISMS. ISO/IEC 27001:2013 was reviewed and confirmed in 2019 and was the current edition at the time of writing; it has since been superseded by ISO/IEC 27001:2022, which restructures Annex A but keeps the same Clause 4 to 10 management-system requirements.

 

What are the Benefits? 

  • Reduced risk 
  • Improved customer trust 
  • Improved availability of information 
  • Improved security of information 
  • Improved confidentiality of information 
  • Creation of a systematic approach to security 
  • Involvement of all employees in ensuring the effectiveness of your Information Security Management System
  • Greater management visibility and risk management

 

How to Get ISO 27001 Certified

For your business to become ISO 27001 certified, an accredited third-party certification body (registrar) must audit your ISMS against the standard. The certification audit is typically conducted in two stages: a review of your documented ISMS (Stage 1) followed by an on-site assessment of how the ISMS actually operates (Stage 2). Certification is normally valid for three years; annual surveillance audits are required to maintain it, with a full recertification audit at the end of the cycle.

 

What Requirements are Included? 

If you're familiar with other ISO standards, you will recognize the structure of ISO 27001. The auditable requirements are organized into these clauses: 

  • Clause 4: Context of the Organization 
  • Clause 5: Leadership 
  • Clause 6: Planning 
  • Clause 7: Support 
  • Clause 8: Operation 
  • Clause 9: Performance Evaluation 
  • Clause 10: Improvement 

Together, these requirements make up the ISMS. Meeting them produces the ISMS manual, procedures, policies, records, and other documented information that govern your day-to-day security.

At the center of these requirements is Risk Assessment and Management. It all comes back to ensuring the Confidentiality, Integrity, and Availability of your information, and implementing the required controls to make that happen. 

Clauses of the ISO 27001 Standard 

Now we can take a look at the standard itself.  

The first three clauses (Scope, Normative References, and Terms and Definitions) aren't auditable. They simply provide supporting information: what the standard covers, the documents it references, and where its terms are defined (ISO/IEC 27000).

Let’s dive into the auditable clauses of the standard—those that an auditor will expect to see addressed. 

 

Clause 4: Context of the Organization 

The context of your organization means the total picture of your environment and influences, both internal and external, including the needs and expectations of interested parties such as customers, regulators, and partners. Once you define that context, you can set the scope of the ISMS and see how the ISO 27001 standard applies to your business. Then you can develop and implement the ISMS to reduce risks to the confidentiality, integrity, and availability of your data.

 

Clause 5: Leadership 

Information security starts with the leadership of your organization. Management commitment to the ISMS is fundamental to ISO 27001, and the standard builds in several requirements to ensure it: top management must set the policy and objectives, assign roles and resources, and review the ISMS.

As part of ISO 27001, your organization must publish an information security policy. This policy should establish management's vision for, and commitment to, information security. Auditors will want to see this policy communicated across your organization and made available to interested parties as appropriate.

This section also addresses organizational roles, responsibilities, and authorities: someone must be accountable for ensuring the ISMS conforms to the standard and for reporting on its performance to top management. Management must also review the ISMS at planned intervals (in practice, at least annually); the content of that review is covered under Clause 9.

 

Clause 6: Planning 

This is where you begin to assess and address your organization's security risks. You must define a repeatable risk assessment method, identify risks to the confidentiality, integrity, and availability of information, and decide how to treat them. Once you know your risks, you can set measurable security objectives and form a practical plan to achieve them. Clause 6 also requires a Statement of Applicability that lists which Annex A controls you have selected and why, and which you have excluded and why.

Things to remember:  

  • All actions should be proportionate to the risk they address. To judge this, consider the likelihood of the risk and its impact on the confidentiality, integrity, and availability of your information. 
  • All planning should be results-driven, with objectives you can measure. 
  • Planning is handled by managers and process owners on an ongoing basis, not as a one-off exercise. 
  • Details of all actions, tasks, needed resources, risks, responsibilities, completion dates, and effectiveness evaluations must be documented. 

 

Clause 7: Support 

After planning, you must identify and provide the support you need to implement and improve your ISMS. That support includes tangible resources and harder-to-quantify elements like competence, employee awareness, and communication.  

One crucial support is employee training on the ISMS. Another is documented information; auditors will be looking for appropriate document control, including versioning, approval, and controlled access. The CORE platform is a great way to ensure consistent document control across your business. 

 

Clause 8: Operation 

This is where planning ends and action begins. Having determined the necessary security processes, it's time to implement and control them: carry out the risk assessment at planned intervals or whenever significant changes occur, and put the risk treatment plan into effect. This is how you achieve your organization's security objectives. 

As you implement the ISMS, your business context will likely undergo changes. For planned changes, make sure to implement the proper controls for your new situation. For unintended changes, you must review the consequences and take action to mitigate adverse effects.  

This also applies to outsourced processes. Determine which processes to outsource, make sure they are controlled, and apply the necessary ISO 27001 security controls to them. 

 

Clause 9: Performance Evaluation 

Once your ISMS is operating, you must regularly evaluate its performance and effectiveness. Determine what to monitor or measure, how and when to do it, and who will analyze the results. 

Management reviews and internal audits are a central part of this process. Internal audits, performed at planned intervals by people independent of the work they audit, show you what must be improved before your certification audit takes place. 

 

Clause 10: Improvement 

This last clause of the standard deals with nonconformities and corrective action. After proper performance evaluation, you should have a clear picture of the places where your ISMS requires improvement.  

Once again, documentation is key. Your organization must document each nonconformity, its root cause, and the corrective actions taken, and verify that those actions were effective. The auditor will want to see evidence of continual improvement to the suitability, adequacy, and effectiveness of your ISMS. 

Annex A — ISO 27001 Controls 

The last part of ISO 27001 is Annex A, which is unique to this standard. In the 2013 edition it includes 14 control areas, 35 control objectives, and 114 controls (the 2022 edition reorganizes these into 93 controls under four themes). These controls define what needs to be controlled but not how; they are a reference list, and your Statement of Applicability records which of them apply to you. That's where Core Business Solutions consultants can help you apply this standard to your business.

Getting ISO 27001 Certified: What does all this mean for you? 

Information security matters more than ever. A continually improving information security management system builds trust, both within your organization and with your customers.   

Applying this broad standard to your specific business might feel like a daunting task. That’s where Core Business Solutions comes in. Our consultants can help you figure out just how this standard applies to you. We also offer the CORE Compliance Platform, a document control system specifically designed to help you keep the necessary documentation for your certification.  

Interested in pursuing ISO 27001 certification? Contact Core Business Solutions and talk to a consultant today. 

For additional information and a downloadable ISO 27001 PDF, visit our main ISO 27001 page. 