ISO 27001 Certification
Gaining ISO 27001 certification can give your organisation a clear advantage when dealing with today's security-sensitive clients. Many organisations, however, view ISO 27001 as an expensive and unfeasible undertaking. In practice, and with the right experience, implementing an effective ISO 27001 Information Security Management System (ISMS) is often a straightforward task, and many organisations have already done much of the work without realising it.
Sec-Tec has helped organisations of all sizes achieve ISO 27001 certification, and for those organisations not wishing to certify, alignment with the standard can still offer substantial benefits.
The ISO 27001 Certification Process
The ISO 27001 implementation and certification process can broadly be broken down into the following stages:
ISO 27001 Foundation Stage
During the ISO 27001 foundation stage, the groundwork for the ISMS is laid. Executive commitment is confirmed, basic documents such as the security policy, risk assessment methodology and document control processes are created and approved, and the scope of the information security management system (ISMS) is set. The scope of the ISMS does not need to be the entire organisation: a part of the business (such as a department, office or function) can be certified on its own.
Information Asset Identification
Information assets, together with their owner(s), are identified within the organisation. What is an information asset? Almost anything that would have a measurable impact if its Confidentiality, Integrity and/or Availability were reduced or lost. Organisations tend to be good at identifying tangible assets (servers, laptops, paper records) but poor at identifying intangible ones (data, knowledge, reputation). Third parties are also often overlooked. The term "owner" does not refer to the legal owner, but to the entity responsible for the asset.
ISO 27001 Risk Assessment
The ISO 27001 risk assessment is where most organisations really struggle. For each asset, the threats to it, their likelihood and their impact must be evaluated objectively and the resulting risk calculated. The ISO 27001 standard allows any method which produces "Comparable and Reproducible" results, and it is often this flexibility which causes the confusion.
Whilst large organisations will likely require dedicated ISO 27001 risk analysis tools, many organisations need little more than a spreadsheet to perform a usable, useful ISO 27001 risk assessment. This stage is absolutely critical to the success of the implementation, and by far the biggest headache for most. It need not be.
Organisations generally get confused about how to account for existing controls. For example, if you already have a firewall, should it feature in your ISO 27001 risk assessment? The answer is generally "no", at least not in the initial calculation. If you first assess each risk on the assumption of zero controls, you can then evaluate whether the existing controls actually bring the risk to an acceptable level, rather than assuming they do. This avoids the dangerous assumption that a control is adequate simply because it exists.
For those risks beyond the organisation's risk appetite (the organisation's acceptable level of risk), controls must be selected to reduce the risk in some way. An almost infinite number of methods and strategies can be used to control risk, but the standard provides a useful reference list of controls in its Annex A. Organisations are free to use these or select their own.
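As an added illustration (not part of the original page, nor Sec-Tec's own method), the register below shows how a spreadsheet-sized risk assessment can be made comparable and reproducible: fixed ordinal scales, one formula, an inherent risk calculated with zero controls assumed, and a residual risk used to judge whether existing controls are adequate against a risk appetite. The scales, the appetite value, the assets, threats and controls are all hypothetical.

```python
"""Constructed example: a minimal, reproducible risk register of the kind a
spreadsheet would hold for an ISO 27001 risk assessment.  Scales, weights,
assets and the risk appetite are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ordinal 1 (low) .. 5 (high) scales.  Fixing the scales and the formula up
# front is what makes results comparable between assessors and reproducible
# from one review to the next.
RISK_APPETITE = 8  # hypothetical: any risk scoring above this must be treated


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str            # entity responsible for the asset, not the legal owner
    confidentiality: int  # impact if C is lost, 1..5
    integrity: int        # impact if I is lost, 1..5
    availability: int     # impact if A is lost, 1..5


@dataclass(frozen=True)
class Threat:
    description: str
    affects: str     # which property is hit: "C", "I" or "A"
    likelihood: int  # 1..5, assessed with NO controls in place


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: int  # likelihood points the control removes (hypothetical scale)


def impact(asset: Asset, prop: str) -> int:
    return {"C": asset.confidentiality,
            "I": asset.integrity,
            "A": asset.availability}[prop]


def inherent_risk(asset: Asset, threat: Threat) -> int:
    """Risk with zero controls assumed: likelihood x impact."""
    return threat.likelihood * impact(asset, threat.affects)


def residual_risk(asset: Asset, threat: Threat, controls: List[Control]) -> int:
    """Risk after the listed controls are applied; likelihood never drops below 1."""
    reduction = sum(c.likelihood_reduction for c in controls)
    return max(1, threat.likelihood - reduction) * impact(asset, threat.affects)


def assess(register: List[Tuple[Asset, List[Threat]]],
           controls: Dict[Tuple[str, str], List[Control]],
           appetite: int = RISK_APPETITE) -> List[dict]:
    """Return one row per asset/threat pair, worst residual risk first."""
    rows = []
    for asset, threats in register:
        for threat in threats:
            applied = controls.get((asset.name, threat.description), [])
            inh = inherent_risk(asset, threat)
            res = residual_risk(asset, threat, applied)
            rows.append({
                "asset": asset.name,
                "owner": asset.owner,
                "threat": threat.description,
                "inherent": inh,
                "residual": res,
                "controls": [c.name for c in applied],
                # An existing control is judged by whether it brings the
                # residual risk within appetite, never assumed adequate.
                "treatment_required": res > appetite,
            })
    # Deterministic ordering: same register always yields the same report.
    return sorted(rows, key=lambda r: (-r["residual"], r["asset"], r["threat"]))


# --- constructed sample register (hypothetical assets and values) ----------
CUSTOMER_DB = Asset("Customer database", "Head of Sales", 5, 4, 3)
# A third party is an information asset too, and is easy to overlook.
PAYROLL_PROVIDER = Asset("Outsourced payroll provider", "HR Manager", 4, 4, 2)

REGISTER = [
    (CUSTOMER_DB, [Threat("Remote compromise via internet-facing service", "C", 4),
                   Threat("Storage failure", "A", 3)]),
    (PAYROLL_PROVIDER, [Threat("Breach at the provider", "C", 2)]),
]

EXISTING_CONTROLS = {
    ("Customer database", "Remote compromise via internet-facing service"):
        [Control("Perimeter firewall", 1)],
    ("Customer database", "Storage failure"):
        [Control("RAID", 1), Control("Nightly tested backups", 1)],
}

if __name__ == "__main__":
    for row in assess(REGISTER, EXISTING_CONTROLS):
        flag = "TREAT" if row["treatment_required"] else "accept"
        print(f'{flag:6} {row["asset"]:28} {row["threat"]:46} '
              f'inherent={row["inherent"]:2} residual={row["residual"]:2}')
```

Run as a script, the report lists the three risks worst first. The firewall on its own only takes the database compromise from 20 down to 15, still well above the appetite of 8, so the control is recorded as present but inadequate and the risk goes forward for treatment; RAID plus tested backups bring the storage failure risk to 3 and it is accepted. The payroll provider scores exactly the appetite with no controls and is accepted only because the appetite is an "above" threshold, which is the kind of boundary the methodology document should state explicitly.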
Control Implementation and Review
The controls selected must be implemented, maintained and managed. They must also be reviewed, along with the entire ISMS, on a regular basis for adequacy and effectiveness. New threats emerge continually and must be recognised and accounted for in the risk assessment.
The ISO 27001 Audit
The audit will be performed by an accredited certification body. Normally, within the UK, the certification body will be accredited by UKAS or a UKAS-recognised equivalent. Certification bodies accredited by other bodies do exist, but their ISO 27001 certificates may not be formally recognised by certain clients. Select your certification body carefully.
The ISO 27001 audit will generally be performed in two stages:
Stage one will generally examine the information security management system documentation and supporting material to ensure that it meets the requirements of the standard and is fit for purpose.
Stage two will be a more in-depth audit, and will essentially check that you have actually implemented, and are following, your ISMS.
Deviations from the standard will normally be recorded according to their severity:
- Observation - An observation is exactly that. It simply documents a potential improvement. No corrective action is necessary for an observation, only a recommendation.
- Minor non-conformity - A minor non-conformity is a non-fulfilment of a single requirement. It will not in itself result in a failure, but it will require a corrective action that must be formally documented and communicated to the auditor.
- Major non-conformity - A major non-conformity is a significant deviation which results in the breakdown of the management system as a whole. A major non-conformity will result in a failure.
The above is of course open to interpretation, and the auditor is trusted to make the appropriate judgement. If the audit is successful, the organisation will normally receive ISO 27001 certification within a couple of weeks. Most, if not all, certification providers have secondary auditors "back at base" who will review the lead auditor's findings. This can result in subsequent questions, so do not assume certification until you have received the certificates!
Although the above is a heavily simplified overview, it shows that implementing ISO 27001 can be straightforward, logical and of great benefit. Even seeking alignment, as opposed to certification, can teach an organisation a lot.
Sec-Tec has helped companies of all sizes achieve ISO 27001 certification in a straightforward, cost effective way, and don't forget, we've been through the process ourselves!