ISO 27001 Compliance And Certification

Sapphire specialises in the delivery of either ISO 27001:2013 compliance or to achieve third party ISO 27001 Certification. Each programme is typically divided into a number of discrete phases.

a) Information Security Management System (ISMS) Scope
This phase clearly defines the scope of the ISMS. This is an organisational decision. A scope Statement is produced which details the departments and business units to be covered.

b) ISO 27001 Current State Gap Analysis
The initial gap analysis will review several areas of the business and benchmark current information security processes and procedures against the industry standard. The main output of this stage is a Current State Analysis, which is a document detailing the current state of the organisation against ISO 27002’s 114 security control objectives. This is then used to develop a Security Improvement Plan to identify next steps.

c) Risk Assessment and Risk Management
Any risk assessments that have been previously conducted by the organisation will be reviewed. A Risk Assessment Methodology Policy document will be produced detailing the risk process and plans. The results of the existing risk assessment process, as well as the results from the Gap Analysis, will then be put into a security improvement plan.

d) Security Improvement Plan
The Security Improvement Plan twill be translated into an Information Security Management System (ISMS). The ISMS will typically comprise of the policy, manual and procedures used to identify the rules and guidelines needed to protect information assets and prevent security breaches.

e) Information Security Awareness Education and Training
The provision of information security awareness training relating to ISO 27001 for specified groups e.g. senior management; technical training; and general staff training to selected ‘IS co-ordinators’ (skills transfer) to develop an effective Information Security Culture based upon ‘shared responsibility’.

f) ISO 27001 Mock Compliance
The ISMS document set will be reviewed to ensure it is complete and meets the requirements of ISO 27001:2013. An ISO 27001 readiness review and mock-assessments will then be conducted to determine that you are ready in all respects to proceed to compliance or indeed certification.

g) ISO 27001 Certification
Should the organisation want to complete the process to ISO 27001 certification, an independent accredited certification body will carry out a final audit and award certification.

Given the rigour required to pass ISO 27001, it is a sign that an organisation has a high level of cyber risk maturity. It is also required as a compliance baseline in many industries.

This depends on a number of variables. It can be anywhere between 6 – 8 months for small organisations and between 12 – 18 months for larger enterprises.

ISO 27001 is an international standard established by the International Organization for Standardisation (ISO) and International Electrotechnical Commission (IEC) for data security. It provides a guide to creating an information security management system (ISMS) that includes people, processes, and technology.

The goal of ISO 27001 is to safeguard the availability, confidentiality, and integrity of information within an organisation. This is achieved by determining the potential issues that could arise with the information (i.e., performing risk assessment) and determining what has to be done to address those issues (i.e., risk mitigation or risk treatment plan).

As a result, the core principle of ISO 27001 is built on a process for managing risks: identify the hazards and then systematically address them by implementing security controls (or safeguards).

The controls are categorised into the following domains:

• Information Security Policies – To ensure the policies are written and reviewed according to the organisation’s practices and overall direction.
• Organisation of Information Security – To assign responsibilities for specific tasks.
• Human Resource Security– To ensure employees and contractors know their responsibilities.
• Access Controls – Ensure employees view only the information relevant to their jobs.
• Asset Management- To ensure organisations identify the information assets and determine the appropriate protection responsibilities.
• Physical and Environmental Security – To prevent unauthorised physical access, interference or damage to data or premises and control of equipment to prevent damage, theft, and loss of hardware, software and physical files.
• Cryptography – To encrypt data and ensure integrity and confidentiality.
• System Acquisition, Development, and Maintenance – To secure internal systems and the ones that provide services over public networks.
• Operations Security – To ensure information processing facilities are safe.
• Information Security Incident Management- To ensure effective management and reporting of security incidents.
• Communications Security – To protect information networks.
• Information Security Aspects of Business Continuity Management- To minimise business interruptions.
• Supplier Relationships – To properly manage contractual agreements with third parties.
• Compliance – To ensure adherence to the relevant laws and regulations and also mitigate the risks of non-compliance

Like the other ISO management system standards, ISO/IEC 27001 certification is possible, but it’s not obligatory. Some organisations continue to implement the standard to take advantage of its best practices. In contrast, others may become certified to reassure customers and clients.

By achieving certification, organisations can reduce data security risks and enhance their capacity to adhere to data protection standards. Also, when you achieve certification, you can demonstrate your commitment to protecting your data assets, partners, suppliers, customers, and others.

Lastly, building trust can boost your organisation’s reputation and give you a competitive advantage.

The ISO 27001 certification process takes the following steps:

• Develop an ISMS which includes people, policies, procedures and technology
• Conduct an internal review to find nonconformities and corrective actions
• Call auditors to conduct a basic review of the ISMS.
• Rectify the issues that the auditors will find
• To ensure you followed the policies and procedures, have an accredited certification body conduct a thorough certification audit of the ISO 27001 components.

Certification will take about three to twelve months. Therefore, many organisations conduct a preliminary gap analysis against the standard to increase the certification process’s cost-effectiveness and determine the time and effort needed to implement any necessary changes.
Once you earn the ISO 27001 certification, you must perform regular internal audits.

The ISO 27001 controls, also called the safeguards, are practices that, once implemented, minimise risks to acceptable levels. ISO 27001 controls are implemented in the following ways:

• Technical controls are mainly implemented in information systems using hardware, software and firmware components added to the system like a backup or antivirus software.
• Organisational controls are implemented by specifying the rules and expected behaviour from users, software, systems and equipment, such as BYOD Policy, Access Control Policy, etc.
• Legal controls are implemented by ensuring the rules and expected behaviours follow and enforce laws, contractual obligations, regulations and other similar legal instruments like the SLA (service level agreement) or NDA (non-disclosure agreement)
• Human resource controls are implemented by giving people the knowledge, education, skills, or experience they need to carry out their tasks safely. For instance, they are training internal auditors in ISO 27001 compliance.
• Physical controls are mainly implemented using devices or equipment with physical interaction with objects and people, such as locks, CCTV cameras or alarm systems.