You’ve heard its name in the breeze and in hushed whispers. A certification to rival SOC 2,
HIPAA, perhaps even FedRAMP. Your sales team wants it, your customers want you to have it. That’s right! All the way from Geneva, Switzerland, it’s ISO 27001!
ISO 27001 is the cool kid of the cyber security certifications world, and you want to be its friend. But that’s not an easy task. ISO 27001 isn’t for the faint of heart. It’s picky, prescriptive, and uses odd language that seems designed to confuse the uninitiated. It’s no wonder that it has gained a reputation for being an opaque and confusing certification to obtain.
Thankfully, we’re here to get you familiar with the process. We’ll be going over the components of ISO 27001, the ISMS requirements, intuitively explaining how these requirements fit together, and other steps you’ll need to follow to get your very own brand new ISO 27001 certification!
But first, a refresher.
What is ISO 27001?
You can think of ISO 27001 a bit like a driver’s license. Maybe you knew how to drive before you got your license. Maybe your parents let you sit on their lap when the car was parked or let you drive a golf cart around a few times. But the government didn’t trust your ability to drive, so they forbade you from using their roads. To earn their trust, they gave you a list of things that you needed to know and do, like parallel parking and what different traffic signs mean. Then, once you were confident in your skills and had driven around the neighborhood a few times, you went to the DMV, waited for a few hours, and took your test. If you could convince the test administrator that you weren’t a danger to society and could be trusted on the roads, you got a license.
It isn’t a perfect system. Crashes still happen. But it’s a lot better than the alternative.
ISO 27001 is similar. You may have a cybersecurity program already. You may have MFA turned on and give your employees security awareness training. But if you want to work with another company and have access to their systems, they need some way to trust you. So ISO 27001 gives you a list of things you need to do, such as creating an asset inventory and documenting operating procedures. You do as much as you can, go for a test drive known as an internal audit, then take the full ISO 27001 certification audit (which an accredited certification body runs in two stages: a documentation review, then an on-site assessment of whether the ISMS actually operates as written). If you can convince the auditor that you do these things and can be trusted, then congratulations! You’ve earned your ISO 27001 certification.
The list itself is broken up into two parts. The first part outlines and gives broad instructions for establishing and running a successful Information Security Management System (ISMS).
The ISMS is the meat of what the auditor will actually be auditing and includes security policies, risk assessments, internal audits, and more.
The second part, Annex A, lists the specific information security controls an organization can select to treat its risks. Its companion standard, ISO 27002, carries the same controls with implementation guidance for each, which is why the two names are often used interchangeably. The Annex becomes especially relevant with the Statement of Applicability, which we’ll cover shortly.
What is an ISO 27001 Information Security Management System (ISMS)?
An ISMS is an internally created and maintained framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.
A complete ISMS is a big collection of documents that explain and guide your cybersecurity program.
We’ll use another metaphor. ISO 27001 is a bit like the official football rulebook. It sets certain standards and rules that must be followed to win a game. You must be in possession of the ball while in the end zone to score a touchdown, an offensive player can’t start moving after taking a set position, defensive players can intercept a pass to reclaim the ball, etc.
However, while these rules may be set in stone, it is up to each team to create their own playbook to win a game around their own strengths and weaknesses. If a team knows they have a strong running back and weak receivers, maybe they’ll focus on rushes more than long passes. Every team has its own particular needs and strengths, and it’s up to them to determine the best way to play the game within that established set of rules.
The ISMS is similar. ISO 27001 tells us the rules of the game, but it’s up to each organization to write their own playbook. That ISMS playbook will likely consist of, at a minimum, the following documents:
Roles and Responsibilities
List of Interested Parties
Internal and External Risks
Statement of Applicability
Risk Treatment Plan
Risk Assessment (and process)
Information Security Policy
Other Necessary Policies
Internal Audit Report
Ok, so we know what it is, but how do we actually go about doing this? Without going into excruciating detail, here are the basic steps you can follow to comply with the ISO 27001 ISMS requirements.
Laying some groundwork
The first thing we need to do is… decide what we actually want to do. Before starting any project, it’s good to have an understanding of existing problems and what our goals are.
So first, we need to identify the internal and external risks our organization currently faces and document them. We can put them in an Excel sheet, write them in a Google Doc, carve them into a stone tablet, it doesn’t really matter. We just need to record them somewhere.
Second, we need to make a list of interested parties. This could mean customers, investors, employees, government agencies, etc. Anyone and everyone that could be affected by our success or failure: write them down and record what they need from us.
Taking these last two items into consideration, we then want to determine the ISMS scope. What are the boundaries of what we actually care about certifying? Is it the whole company and all of our operations? Or only a specific product? The scope has to be written down, because it is what will appear on the certificate and it is what the auditor will hold you to.
Once we’ve done all this groundwork, we’re ready to officially establish our ISMS.
The most important, and often most complicated, part of any management system is the people. The first thing we need to do is establish expectations for our leadership. For instance, an effective ISMS leadership team will make sure that business operations actually fulfill our security requirements, that employees, even non-technical ones, understand the importance of security, that we are always improving our security posture, and that our security management system always has the resources it needs to be successful.
Leadership should also delegate and document the roles and responsibilities relevant to the ISMS. These include ensuring that security requirements are fulfilled and that the performance of the ISMS is reported to top leadership.
Information Security Policy
Policies are the next most important element of the ISMS requirements. Policies are vital for ensuring consistent and effective practices across the organization. You’ll likely create at least a dozen policies later on, but for now we’ll just focus on the Information Security Policy.
This is the top level policy which should outline your organization’s security objectives, officially commit to complying with ISO security requirements, and promise to continually improve organizational security. So basically, it should just put into writing everything that we’ve already discussed without going into any more specifics.
Remember those risks we carved into a stone tablet earlier? For each risk, we need to make a risk treatment plan.
This plan can be as simple as, “We’re just going to deal with the consequences if this goes south.” (the technical term for this is “risk acceptance”). The other options are to avoid the risk by not doing the risky thing, to share it with someone else such as an insurer or a vendor, or to mitigate it with controls. We also need to prepare to record how effective these treatments are after we’ve implemented them.
An ISO 27001 auditor wouldn’t find our risk treatment plan satisfactory if every risk was simply accepted. Many of our risks are going to require actions, or controls, to treat.
We’ll make a list of all of the controls we need, then create something called a “Statement of Applicability.” This is essentially a document that records which controls from the Annex we’ll actually be using to mitigate risks, why each one is included, whether it is implemented yet, and where it is written into policy. Controls you leave out need a documented justification too; the auditor will ask. We haven’t talked a lot about the Annex yet, but it is essentially just a list at the end of ISO 27001 which identifies specific actions or controls an organization can take to secure their systems.
The other important component of risk management is the risk assessment. For the purposes of ISO, simply completing a risk assessment is not enough. We also need an established and documented risk assessment process describing how we perform risk assessments, which helps ensure that the assessments produce consistent, valid, and comparable results.
If you ask me, the best risk assessment is a Quantitative Cybersecurity Risk Assessment!
The internal audit is where a significant amount of your preparation work will go. After you establish what needs to be done in the Statement of Applicability, we’ll need to ask and answer one more question: “Are we doing that?”
The first answer to that question will come from our policy library.
Every Annex control that you declared as necessary in the Statement of Applicability, and maybe a few extras for good measure, should be accounted for somewhere in your policies.
For instance, if you’ve determined that your organization needs to “supervise and monitor the activity of outsourced system development” (Annex 8.30), then somewhere in your policies, probably your Third Party Management Policy or equivalent, you need to have language that says something similar to “we will supervise and monitor the activity of outsourced system development.” You’ll record exactly what your policy says and which policy it’s in.
Of course, it’s not enough to just say you’re doing something! You also have to prove that you’re actually doing it with an internal audit.
We’ll need to collect some sort of evidence that proves we’re doing what we say we are. For our previous example, we might provide documented evidence of a vendor review meeting, or maybe even just screenshots of an email between management and a third party discussing an issue with their service. Any evidence is better than none, but evidence that is dated and shows who did what is far more convincing than an undated screenshot.
Internal audits are a complex topic in and of themselves. We have a guide on a methodology for conducting them here: Internal Audits.
For now, know that you need an internal audit report to meet the ISMS requirements. The internal audit report covers the results of your internal audit and lists action items for controls you aren’t actually performing effectively.
If you have requirements in your policies that your own organization does not actually follow, get rid of them.
Avoid the trap of aspirational policies!
If your policy states “We will run a full static analysis of our entire code base every week” and you (understandably) don’t do that, then you need to take that language out of your policy. Maybe change it to annually instead of weekly if that’s more realistic. You won’t get any bonus points for having fancy requirements that you don’t follow. If you say you do something, you need to be ready to prove that you do or it will only cause issues for you during the audit.
The golden rule of ISO is: say what you do, and do what you say. If you remember to follow that at all times, you’ll be fine.
Continuous Improvement is an ISMS Requirement
A core principle of a successful ISMS is continuous improvement. It is very likely that you will miss important details and overlook various flaws, especially on your first try. It’s ok, we’re human. In ISO language, these mistakes are called “nonconformities” because your actions do not conform either to your own requirements or to those of ISO. You have to react to each one: either correct it, or record a justified decision to accept the consequences.
If you do choose to correct the nonconformity, make sure to document the cause of the nonconformity and what action you plan to take to correct it. Once it is corrected, make sure to record the results of that corrective action.
Getting your ISO 27001 is a marathon, not a sprint. Look at all the documentation that has to go into meeting the ISMS requirements! That doesn’t even cover the organizational changes, new policies and processes you will likely have to roll out.
With all that work, you can expect your first time to take the better part of a year from scope to certification, and the certificate then has to be maintained through annual surveillance audits and a recertification audit every three years. But the benefits are enormous. Not only will you almost certainly have a better security program by the end of it, but you’ll also have a shiny new certificate to prove it.