Information security requirements can be complicated, both to understand and to implement.
You’re likely no stranger to these complexities, especially if you’ve worked with GDPR, HIPAA, or CCPA standards and have spent many hours comparing operations to compliance standards to stay in line. The International Organization for Standardization offers standards and checklists to help your business remain compliant with requirements.
One standard, ISO 27001, is becoming common among companies with lots of information security needs. This certification is proof that your company is invested in protecting its information, processes, and tools. Breaking ISO 27001 implementation down into three steps helps your company confidently work toward certification and stay compliant along the way.
Step 1: Scope Your ISMS and Run an ISO 27001-Compliant Risk Assessment
It’s impossible to know how to best protect your information with ISO 27001 if you don’t know what information needs protecting. Scope your ISMS—the information security management system that determines which clauses and Annex A controls your business needs—and complete a risk assessment to determine where you need to focus. At its most basic, your ISMS scope should reflect three things: the information that’s most important to your organization, how it’s protected, and what its limitations are.
How companies find these three pillars varies according to the specific products or services offered. However, following a consistent structure equips your scoping efforts for success and makes it easier to document these focuses clearly. Cyberblend recommends a four-section approach to cover your scope’s crucial facets. Each of these topics should be thoroughly explained, whether you use dedicated chapters or create separate documents for each one.
Each section of your ISMS scope should cover:
- Your company’s organizational context, including its industry, what your company does within that industry, and why information security is vital to its operations
- Your company’s security approaches, standards, and best practices, and why it chose to regulate them using ISO 27001 standards (instead of another approach)
- Relevant laws your information security standards must follow, including contractual requirements, and express a desire to adhere to those requirements
- Anyone (inside your company and out) involved with your information security efforts or who has access to the critical information your ISMS seeks to protect
Next, write a few concise sentences explaining critical points in your implementation efforts after mapping out your ISO 27001 scope with a larger document. This simplified scope statement should be a summary of your larger scope. For example, confidential patient information would be important to a (hypothetical) healthcare provider operating both in-person and online. Their scope statement might look like this:
“As a leading provider prioritizing the mental and physical health and wellbeing of our patients, we highly depend on protecting their personal information and our digital systems and operational processes. That is why information security is very important for our pharmacy, inpatient and outpatient clinics, and digital portal. This policy and our ISMS are a direct reflection of these requirements.”
Once you have a clear ISMS scope and simplified scope statement, your next move is to conduct a risk assessment. This identifies what’s putting your information at risk and how an ISO 27001-compliant ISMS can eliminate that threat. A standard risk assessment investigates weaknesses in your information security process so you can know how to combat them. An ISO 27001-compliant risk assessment has the same essential function but also forces the company running one to have clearly established ERM standards to keep its certification eligibility. Following a step-by-step process simplifies complex ISO 27001 requirements into actionable goals so your company can conduct a compliant risk assessment.
Seven crucial steps to an ISO 27001-compliant risk assessment:
- Decide whether a scenario or asset-based risk assessment approach works best for your company’s unique needs.
- Find a thorough risk assessment methodology within your desired approach (ISO 27001 does not require specific methods).
- Identify vulnerabilities in your information security that leave your business open to potential threats.
- Evaluate current risks to prioritize the most urgent threats.
- Treat high-priority risks by modifying, retaining, avoiding, or sharing them, then do the same with lesser risks.
- Document risk results and the controls you’re implementing (or omitting) to mitigate them according to ISO 27001 standards.
- Repeat this process—at least annually—to identify new risks and ensure your ISMS is equipped to treat them effectively.
Step 2: Address Required Domains and Apply Related Controls
ISO 27001 requirements ask that companies compare their internal best practices against Annex A controls and find the closest fit. Annex A contains 114 control sets (specific prevention methods) organized into 14 main domains of ISO 27001 that each focus on specific information security best practices. You only need to worry about applying the Annex A controls relevant to your company’s security vulnerabilities. While it’s unlikely you’ll need to implement all 114 prevention measures, you should be prepared to document valid reasons for choosing to ignore the controls you deem unnecessary. Collaborate across departments and with all necessary information security professionals to determine which domains are most relevant to your company.
Chris Hall, an ISO 27001 expert, offers an example to help determine helpful versus unnecessary Annex A controls. He says:
“An example [of identifying relevant controls] I have seen many times is organizations operating internal CCTV but when you look at it you realise that internal CCTV is not really a necessary control to manage an information risk. Or it might [be] a control that you want to continue operating because the cost of operating it is very low or it is very expensive to remove it. You may want to operate internal CCTV to manage fraud risk or theft of personal property. [But] CCTV may not be necessary to help you manage any of your information risks.”
Cross-referencing control coverage and covering your bases provides confidence that your information security is being handled within ISO 27001 compliance, keeping you on track toward certification.
The better your company’s ISMS addresses the main domains and applies the Annex A controls related to its specific risks, the more likely you are to earn certification.
Step 3: Document Your Process and Send a Certification Proposal
Simplify the documentation process by having a dedicated certification team or using compliance management software to securely store your in-process documentation for easy access and build a culture of compliance. A great team and software are essential because the process of documenting how your company implements ISO 27001 is likely to be more involved and time-consuming than the actual implementation process. Every required clause has its own unique documentation requirements. Each policy and procedure must be flow from research and development through approval and implementation, meaning documentation can take months.
But don’t worry! There’s no expiration date on the ISO 27001 implementation process. Your company can take its time working toward certification. In fact, it’s encouraged. The more time put into implementation and documentation of ISO 27001 efforts and to the creation of a thorough proposal, the more likely you’ll be rewarded with certification.
ISO 27001 certification is exclusive and can only be granted by an accredited certification body (CB) after careful evaluation and the determination of complete compliance. Third-party certifiers, like the ANSI National Accreditation Board, guarantee the impartial legitimacy of certifications and prove that your company’s information security meets the international best practice standards. Many resources exist to help you choose the right CB to evaluate your proposal against ISO 27001 requirements and grant certification.
ISO 27001 and Risk Management
Working toward ISO 27001 certification can feel daunting, even with clear elemental steps to guide you in the implementation process. Thankfully, it’s possible to take fewer internal risks with one simple improvement. Working with an experienced risk management partner can better prepare your team to gain its ISO certification, understand international requirements, or improve a specific part of your ERM framework.