ISO 27001:

The Path to Certification

(Part 1)
The Business Case for ISO 27001
Implementation
Bottom Line Up Front
Cybersecurity is a business problem impacting
the livelihoods of companies and their owners.
As a result, Leadership must take steps to
proactively mature their information security
posture and articulate their security posture to
current and prospective customers.

A great place to begin maturing your security

environment is through the implementation of
a security framework such as ISO 27001. If you
are considering program implementation, this
three-part whitepaper series will provide all
the information you need to make an educated
decision on ISO 27001 adoption.

This Whitepaper Series Includes:

Part 1: Will present a business case which

outlines why organizations should consider
ISO 27001 certification from business
perspective (This Whitepaper )

Part 2: Will cover the essential elements of the

ISO 27001 Framework (Read it Here)

Part 3 : Will cover the ISO 27001 certification

process from start to finish (Read it Here)

Security | P rivacy | Compliance

 What is ISO 27001
Table of Contents
Before we begin dissecting the business
What is ISO 27001 .................................. 0 reasons to adopt ISO 27001, it is important
that we establish a common understanding
Bottom Line Up Front ............................... 0
ISO 27001 Clauses 4-10 ................................. 1 of ISO 27001.
ISO 27001 Annex A (Control Framework) ....... 2
ISO 27001 is an internationally recognized
ISO 27001 Business Drivers ..................... 3 information security standard that is
Desire to Improve Security Posture ............... 3
Partner and Client Certification Requirements3 comprised of 10 clauses, 14 categories, 35
More Stringent Regulatory Environment ....... 4 control objectives, and 114 controls.
Growing Marketplace Acceptance and Adoption Companies may choose to align to ISO
.................................................................... 4 27001 as part of security best practices
ISO 27001 as a Unifying Compliance and/or choose to pursue ISO 27001
Framework .............................................. 5 certificaiton.
Next Steps ............................................. 5
Clauses 4-10 are typically referred to as
Let’s Get Started .................................... 7 the Information Security Management
Programs That Leave No Doubt ..................... 7 System, while the 114 control
requirements are called “Annex A.”

Speak with a
Table ISO 27001 Clauses 4-10
Professional3" \h \z \u |No table of When most people think of ISO 27001,
contents entries found.}
they immediately consider the 114 controls
that make up ISO 27001’s Annex A. Often
ignored, however, are Clauses 4-10. These
clauses are the core of ISO 27001 and
establish the system of management
necessary to build and maintain an
effective information security program.

4 Context of the organization - understand

the organizational context, the needs and
expectations of ‘interested parties,’ and
defining the scope of the ISMS.

5 Leadership - top management must

demonstrate leadership and commitment
to the ISMS, mandate policy, and assign
information security roles, responsibilities
and authorities.

1
6 Planning - outlines the process to
identify, analyze and plan to treat
information risks and clarify the objectives
of information security. This is the first
clause that requires a risk assessment.
7 Support - adequate, competent
resources must be assigned and
awareness raised.
8 Operation - additional detail about
assessing and treating information risks,
managing changes, and documenting
requirements.
9 Performance evaluation - monitor,
measure, analyze and
evaluate/audit/review the information
security controls, processes and
management system, systematically
improving things where necessary. This is
where ISO requires an independent audit of
the ISMS.
10 Improvement - address the findings of
audits and reviews (e.g. nonconformities
and corrective actions), make continual
refinements to the ISMS.
ISO 27001 Annex A (Control
Framework)
This is the section that outlines the 14
categories, 35 control objectives and 114
controls. You may refer to ISO/IEC 27002
for further detail on the controls, including
implementation guidance.
A.5 Information Security Policies – Defines
requirements for policies and procedures.
A.6 Organization of Information Security –
Defines requirements for roles and
responsibilities.
A.7 Human Resource Security – Defines
requirements for pre-employment, during
employment, and termination.
A.8 Asset Management – Defines
requirements for inventory, ownership,
and use of assets.
A.9 Access Control – Defines requirements
for user access management throughout
the user lifecycle.
A.10 Cryptography – Defines requirements
for cryptographic controls and key
management.
A.11 Physical and Environment Security
A.12 Operations Security – Defines
requirements for security operations such
as system security, backup, logging,
malware, and vulnerability management.
A.13 Communications Security – Define
requirements for network security and
information transfer.
A.14 System Acquisition, Development and
Maintenance – Defines requirements for
security in the system development and
change management lifecycle.
A.15 Supplier Relationships – Defines
requirements for security as related to
vendors.
A.16 Informaiton Security Incident
Management – Defines requirements for
management of security incidents.
2
A.17 Information Security Aspects of
Business Continuity Management – Defines
requirements for information security
continuity and redundancies.
A.18 Compliance – Defines requirements
for legal and contractual requirements.
ISO 27001 Business
Drivers
Now that we have established a basic
understanding of the ISO 27001
framework, let us discuss the business
case for adopting ISO 27001 and pursuing
certification.
The choice to align to ISO 27001 or pursue
certification can often be linked to one or
more of the following five factors:
Desire to Improve Security
Posture
For companies beginning their security
journey, ISO 27001 is a good fit for
organizations of all sizes that seek to
mature their information security program.
ISO 27001 is a worthy framework to
consider because it is both flexible and
thorough. It permits organizations to
structure their information security
program in a fashion that suits their needs
and aligns to business objectives .
ISO 27001 also occupies the “goldilocks”
zone of security frameworks in that it is
thorough, but not overwhelming (NIST 800-
53, for example, is over 400 pages in
length). It considers both organizational
level (clauses 4-10) and technical level
(Annex A) requirements to build and
sustain an information security program.
Because ISO 27001 is considered right-
sized, is internationally recognized, and
considers both organizational and
technical requirements, it is the framework
of choice for many information security
professionals.
Note: An organization may choose to align to
ISO 27001 without pursuing certification.
Partner and Client
Certification Requirements
With the rapid rise of business to business
interconnectivity and business process
outsourcing, third party risk management
programs continue to mature across all
organizations. The desire to manage
supplier and vendor relationships
manifests itself as stringent contractual
and/or due diligence requirements that
focus heavily on information security.
These security requirements can stretch
the sales cycle by months and even halt
important relationships entirely. The
bottom line is, if your organization is
unable to evidence a baseline level of
security – customers may take their
business elsewhere or burden your
organization with endless customer audits.
If your organization desires to shorten the
sales cycle, reduce customer audit
burdens, and grow in a globally
competitive marketplace -- it must instill
absolute trust in potential partners and
customers. As a result, obtaining security
certifications is considered a must-have to
3
drive revenue growth for most
organizations.
Banks Requiring ISO 27001 Certification
30%
25%
25%
20%
15% 14%
10%
5%
0%
All Banks US Banks
Figure 1 (above) - Survey results from 42 global banks asked if
they require ISO 27001 certification as part of contractual
requirements for key service providers. As ISO 27001
certification continues to grow globally (see figures 2 and 3)
these numbers will likely grow, as well.
More Stringent Regulatory
Environment
In May of 2018 the European Union made
effective the General Data Protection
Regulation (GDPR). In March 2019, the
State of New York department of financial
services’ cybersecurity regulation (23
NYCRR 500) final compliance deadline
1 Find whitepapers on each of these regulations on our website:
https://www.risk3sixty.com/whitepaper/
2Harvard Business Review: https://hbr.org/2017/11/the-avoidable-
mistakes-executives-continue-to-make-after-a-data-breach
arrived. In January 2020 California will
make effective the California Consumer
Protection Act (CCPA). These are just a few
of the trending security and privacy
regulations enacted across the globe at all
levels of government. 1
“ Executives today must operate under
the assumption that they will experience
a cyber incident that will require them
to notify their customers, investors, and
regulators.” 2
As result, information security has risen
beyond the scope of the information
technology department on to the agendas
for top level leadership and the board of
directors.
This renewed focus on information security
and compliance makes globally acceptable
security frameworks like ISO 27001 an
attractive means to evidence compliance.
Growing Marketplace
Acceptance and Adoption
Another trend to consider is the rapid
global adoption of ISO 27001 and ISO
27001 certification.
Based on a global analysis, ISO 27001
certification has gained traction in all
marketplaces globally since 20073 and
shows accelerated adoption in the United
States in particular.
If these trends continue, ISO 27001
adoption will continue to grow in the
3 Data source of all figures via ISO.org:
https://isotc.iso.org/livelink/livelink?func=ll&objId=18808772&objActi
on=browse&viewType=1
4
United States and act as a common election year and may be responsible for the decline in
certifications in that year, but this is speculative.)
reference point in the marketplace to
communicate an organization’s security
posture to customers and prospects.
ISO 27001 as a Unifying
Compliance Framework
ISO 27001 Certification for Selected For companies who must navigate multiple
Countries
security compliance frameworks (e.g., ISO
30000 27001, SOC 2, PCI DSS, HIPAA, HITRUST,
25000 etc.), ISO 27001 can act as a unifying
compliance framework to align all other
20000
compliance activities.
15000
SOC 2 Type II
10000

Framework
ISO 27001
PCI DSS
5000
HIPAA
0
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017

HITRUST

United States Japan

China Germany Leveraging this strategy, companies can
France United Kingdom gain significant efficiencies by managing a
single set of controls rather than managing
India
each compliance requirement in a silo.
Figure 2 (above) - When compared to other developed nations Unifying compliance efforts may also result
the United States shows greater potential for ISO 27001
adoption in the coming years. As result, organizations should in a reduction in external audit fees and
position themselves to ready for the potential wave of ISO will certainly reduce the burden on internal
27001 certification requirements.
teams faced with producing audit evidence
throughout the year.
ISO 27001 Certification in the U.S.
1600
1400
Next Steps
1200 In summary, for companies who seek to
1000 enhance their security posture, future-
800 proof their business relationships, navigate
600 complex regulatory and compliance
400 requirements, and enhance overall
200 compliance program efficiency – ISO 27001
0 may be an excellent investment.
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017

Our ISO 27001 Guided Implementation

Figure 3 - ISO 27001 certification in the United States continues Program
to grow and has accelerated in recent years. (2016 was an

5
If you are ready to get started and would
like a guide – risk3sixty can help! Learn
why we have

ü 100% three-year client retention

ü 100% ISO 27001 certification success rate
ü 100% of clients are references

Our Process Includes:

ü ISO 27001 Scope Determination

ü Current State Assessment
ü Detailed plan/checklist and timeline to
compliance
ü Project management to oversee
remediation efforts
ü All ISO 27001 policies and procedures
ü Risk Assessment and Risk Management
Workshop
ü ISO 27001 Internal Audit Program
ü Support during the certification audit

6
Let’s Get Started About the Authors
Programs That Leave No Doubt

risk3sixty is a nationally recognized

security, privacy, and compliance advisory
firm serving firms across the United States
and Globally.

We strive to be “craftsmen” in our space

and as a result we offer our clients an
uncommon level service demonstrably
unchallenged in our industry.
Christian Hyatt
CEO
By the Numbers:
CISA | CIPM | CISM | PCI QSA
 Clients across the United States and 17 HITRUST CSSFT | ISO 27001 LA
countries
 Certified Security Experts such as CISSP,
CISA, CISM, GPEN, CEH, CRISC, PCI QSA,
ISO 27001 Lead Auditors, and much more
 Certified Privacy Experts such as CIPP/US,
CIPM, IAPP Privacy Fellows, ISO 27701
Lead Auditors, and more

Our Promise of Quality:

Christian White
We pride ourselves on our ability to President
provide outstanding service, meeting our CISA | CISSP | GPEN | PCI ASV
clients’ deadlines, and exceeding HITRUST CSSFT | MCSE
expectations. The bottom line is that if
you aren’t satisfied with the quality of
our services, we’ll make it right. Period.

Speak With An Expert

(404) 692-1324

12
ISO 27001:
The Path to Certification
(Part 2)
Understanding the ISO 27001
Framework

Bottom Line Up Front

Cybersecurity is a business problem impacting
the livelihoods of companies and their owners.
As a result, Leadership must take steps to
proactively mature their information security
posture and articulate their security posture to
current and prospective customers.

A great place to begin maturing your security

environment is through the implementation of
a security framework such as ISO 27001. If you
are considering program implementation, this
three-part whitepaper series will provide all
the information you need to make an educated
decision on ISO 27001 adoption.

This Whitepaper Series Includes:

Part 1: Will present a business case which
outlines why organizations should consider
ISO 27001 certification from business
perspective (Read it Here)

Part 2: Will cover the essential elements of the

ISO 27001 Framework (This Whitepaper)

Part 3: Will cover the ISO 27001 certification

process from start to finish (Read It Here)

Sec ur ity | Privac y | C om plianc e


Table of Contents
ISO 27001 Framework Elements .............. 0
Bottom Line Up Front ............................... 0
ISO 27001 Clauses 4-10 .................................. 1
ISO 27001 Annex A (Control Framework) ....... 2
ISO 27001 Explained in Detail ................. 3
ISMS: Essential Elements (Clauses 4-10)......... 3
Governance (Clauses 4 & 5) ........................... 4
Risk Management (Clause 6 & 8) ................... 5
Strategic Planning (Clauses 6, 7, and 8) .......... 5
Internal Audit and Performance Monitoring
(Clause 9 and 10) ........................................... 6
Annex A Controls ................................... 7
Controls and Self-Assessment Questions ........ 7
The Certification Process ...................... 11
Let’s Get Started .................................. 12
Speak with a ProfessionalError! Bookmark not
defined.
Programs That Leave No Doubt .................... 12
Speak with a
Table
Professional3" \h \z \u No table of
contents entries found.
ISO 27001 Framework
Elements
Before we begin dissecting the ISO 27001
framework, it is important that we
establish a common understanding of ISO
27001’s core elements.
ISO 27001 is an internationally recognized
information security standard that is
comprised of 10 clauses, 14 categories, 35
control objectives, and 114 controls.
Companies may choose to align to ISO
27001 as part of security best practices
and/or choose to pursue ISO 27001
certification.
Clauses 4-10 are typically referred to as
the Information Security Management
System, while the 114 control
requirements are called “Annex A.”
ISO 27001 Clauses 4-10
When most people think of ISO 27001,
they immediately consider the 114 controls
that make up ISO 27001’s Annex A. Often
ignored, however, is Clauses 4-10. These
clauses are the core of ISO 27001 and
establish the system of management
necessary to build and maintain an
effective information security program. If
you are considering ISO 27001
certification, clauses 4-10 are the main
focus of the audit.
4 Context of the organization -
understanding the organizational context,
the needs and expectations of ‘interested
parties’ and defining the scope of the ISMS.
5 Leadership - top management must
demonstrate leadership and commitment
1
to the ISMS, mandate policy, and assign
information security roles, responsibilities
and authorities.
6 Planning - outlines the process to
identify, analyze and plan to treat
information risks, and clarify the objectives
of information security. This is the first
clause that requires a risk assessment.
7 Support - adequate, competent
resources must be assigned and
awareness raised.
8 Operation - a bit more detail about
assessing and treating information risks,
managing changes, and documenting
requirements.
9 Performance evaluation - monitor,
measure, analyze and
evaluate/audit/review the information
security controls, processes and
management system, systematically
improving things where necessary. This is
where ISO requires an independent audit
of the ISMS.
10 Improvement - address the findings of
audits and reviews (e.g. nonconformities
and corrective actions), make continual
refinements to the ISMS.
ISO 27001 Annex A (Control
Framework)
This is the section that outlines the 14
categories, 35 control objectives and 114
controls. You may refer to ISO/IEC 27002
for further detail on the controls, including
implementation guidance.
A.5 Information Security Policies – Defines
requirements for policies and procedures.
A.6 Organization of Information Security –
Defines requirements for roles and
responsibilities.
A.7 Human Resource Security – Defines
requirements for pre-employment, during
employment, and termination.
A.8 Asset Management – Defines
requirements for inventory, ownership,
and use of assets.
A.9 Access Control – Defines requirements
for user access management throughout
the user lifecycle.
A.10 Cryptography – Defines requirements
for cryptographic controls and key
management.
A.11 Physical and Environment Security
A.12 Operations Security – Defines
requirements for security operations such
as system security, backup, logging,
malware, and vulnerability management.
A.13 Communications Security – Defines
requirements for network security and
information transfer.
A.14 System Acquisition, Development and
Maintenance – Defines requirements for
security in the system development and
change management lifecycle.
A.15 Supplier Relationships – Defines
requirements for security as related to
vendors.
2
A.16 Informaiton Security Incident information security environment. This, in
Management – Defines requirements for short, is the ISMS.
management of security incidents. There are many elements of a functional
ISMS that must be implemented in order to
A.17 Information Security Aspects of satisfy ISO 27001 certification
Business Continuity Management – Defines requirements. These requirements are
requirements for information security described in Clauses 4-10 of ISO 27001.
continuity and redundancies. For those unfamiliar with ISO 27001,
reading through these clauses for the first
A.18 Compliance – Defines requirements time and trying to understand the scope of
for legal and contractual requirements. what needs to be done to implement an
ISMS can be daunting and confusing.
ISO 27001 Explained in Thus, it is helpful to think about these
requirements as being a part of one of
Detail four categories: Governance, Risk
Management, Strategic Planning, and
In this section we will explore the essential Performance Monitoring.
elements of ISO 27001 including the “ISMS”
and “Annex A” controls. 1) Governance
Governance (Clauses 4 and 5) Governance includes establishing
Information Security Management

(Leadership, Roles, Policies, Procedure, People)

leadership and ownership of security,
System (ISMS) (Clauses 4-10)

defining roles on the organizational chart,

Risk Assessment (Clauses 6 and 8)
(Provides context, drives decision making, drives
l i )
Strategic Planning (Clauses 6, 7, 8)
(Plan for Information Security, Key Performance
Indicators, Communication Plans.)
Internal Audit/Performance Monitoring (Clause 9 and 10)
(Management Visibility, Drives Continuous Improvement)
authoring and implementing policies and
procedures related to information security,
and ensuring appropriate resources are
available to support the security program.
Governance is a key element of clauses 4-
10 of ISO 27001 and especially relevant to
clauses 4 “Context” and 5 “Leadership.”

Annex A: 2) Risk Assessment/Risk Management

(114 Controls – Reference ISO 27002)
Risk management is an essential element
of establishing a process to identify,
ISMS: Essential Elements analyze, and treat risks. A risk management
program should grant authorization and
(Clauses 4-10) authority of those individuals responsible
for information security (often called the
As a philosophical point, ISO 27001 information risk council, or similar).
establishes a system of management (hence A formalized risk assessment is the
the term information security management process which helps leadership identify key
system or ISMS) that empowers risks, prioritize resources and controls, and
management to establish, implement, align the security program with business
govern, and continuously improve the objectives. Risk assessment and risk

3
management are directly linked to clauses
6 “Planning” and 8 “Operation.”
3) Strategic Planning
The strategic plan defines how the security
program will be tactically implemented. It
is typically a 12-month outlook on the
initiatives that comprise the security
program. It typically includes key projects,
security program improvements, people,
budgets, a communication plan, and key
performance indicators (measurables)
required to execute on the information
security program.
Strategic planning is most closely tied to
clause 6.2, but is especially relevant to
clauses 6 “Planning,” 7 “Support,” and 8
“Operation.”
4) Internal Audit/Performance
Monitoring
Internal audit is the mechanism by which
management gains visibility into the
information security program, identifies
areas for improvement, and drives
continuous improvement. The internal
audit function must be independent from
the security program and qualified to do
an effective audit. Internal audit and
continuous improvement are key elements
of clause 9 “Performance Evaluation” and
10 “Improvement.”
Now that we have a basic understanding of
the ISMS, we will discuss these areas at
length and map them back to their specific
clauses within ISO 27001’s ISMS (Clauses
4-10). We will also outline the specific
documents you will need to create to
support ISO 27001 certification efforts.
Governance (Clauses 4 & 5)
Establishing an effective governance
structure that supports information
security program objectives is an essential
element of the ISMS, primarily outlined in
clauses 4 and 5 of ISO 27001.
1) Scope and Context (Clause 4)
The organization should articulate the
scope and boundaries of the ISMS
including relevant people, processes,
technologies, locations, and interested
parties. (See sections 4.1-4.4 in the ISO
27001 standard)
2) Leadership and Policy (Clause 5)
Clause 5’s primary concern is top level
leadership’s commitment to continuous
improve of the information security
program. In addition, the clause lays out
the requirement for leadership
involvement (clause 5.1), defined policies
which articulate management’s intent
(clause 5.2), and defined roles,
responsibilities, and granted authorities
(clause 5.3).
At more than 20% per year, North America
has the largest growth rate of ISO 27001
certifications in the world. ISO 27001 has
become table stakes to show clients we take
security seriously.
-CEO, US Based Technology Company
Document Checklist : Governance
 ISMS Document – this document contains
the context, requirements, and scope of
the organizations ISMS and aligns with
Clauses 4-10.
 Information Security Policy(s) – The master
security policy or a base security policy
4
 with derivative policies on specific topics
such as access control, cryptographic
controls, and change management.
 Statement of Applicability (SoA) – identifies
the security controls to be included in the
ISMS, justifies the choice of included
controls and whether they are
implemented or not, and justifies the
excluded controls from Annex A.
Risk Management
(Clause 6 & 8)
The Risk Management workstream helps
the organization establish a defined risk
identification, intake, and analysis process
and satisfies elements of clauses 6 and 8
of ISO 27001.
1) Opportunities, Risk Assessment and
Risk Treatment (Clauses 6.1, 8.2, and
8.3)
The risk management process is the
Company’s formalized approach to risk
identification, risk measurement, risk
treatment, and risk acceptance. It is
important that the organization establish a
formal risk management office (often
called the information risk council (IRC)),
complete a formal risk assessment
process, and maintain a formal log of
identified risks which are communicated
formally to the IRC.
Authoritative Guidance
Executing an effective risk assessment is
complex (and merits a separate
whitepaper); however, there are several
accompanying standards that you should
familiarize yourself with to implement a
risk management program.
 ISO 31000 Enterprise Risk Management
 ISO 27005 is an adaption of the ISO 31000
framework for Information Security. ISO
27005 explains in detail how to conduct a
risk assessment and is also aligned with
ISO 27001 requirements.
Document Checklist :
Risk Management
 Risk Management Charter – Established
the information risk council and grants this
office the authority and responsibility to
measure and treat identify risks.
 Risk Management Policy – Policy that
outlines management expectations related
to risk management and risk assessment
process.
 Risk Assessment Report – Report outlining
the results of the risk assessment.
 Risk Register – Formal log of identified risk.
Strategic Planning (Clauses 6,
7, and 8)
The goal of the security program strategic
plan is to layout program priorities for the
next 12 months. The strategic plan should
consider all elements of the ISMS including
the context of the organization, results of
the risk assessment, and overall business
objectives. The strategic plan should also
consider resources that will be required to
execute the plan, including personnel and
budget.
Objectives and Planning (Clause 6.2)
5
Clause 6.2 requires that an organization
establish formalized “security objectives”
and plans to achieve those objectives. The
security objectives should be in alignment
with the business’s goals.
1) Support (Clause 7.1)
Clause 7.1 requires that an organization
“determine and provide resources” needed
to establish, implement, maintenance, and
continue to improve the information
security program. The term “resources”
includes both personnel and budget.
2) Operational planning (Clause 8.1)
Clause 8.1 reemphasizes the requirements
outlined in clause 6.2, but adds that the
organization must have established
mechanisms in place “to have confidence
that the processes have been carried out
as planned.” Most commonly, organizations
satisfy this requirement by implementing
agreed-upon key performance indicators
(KPIs) and regular communication
cadences including status reports and
formalized status meetings.
Document Checklist :
Strategic Planning
 Program Roadmap – Project plan outlining
what you are going to do, when you plan
to do it, and who will execute.
 Security Program Resource Plan – The
resource plan should include budget for
personnel, toolsets, implementations, etc.
 Key Performance Indicators (KPIs) –
Defined measurables tied to program
success indicators.
 Communication Plan – Plan to
communicate with key stakeholders
including status reporting and meeting
cadences.
Internal Audit and
Performance Monitoring
(Clause 9 and 10)
Understanding that no program is perfect
or stagnant, ISO 27001 emphasizes
Management’s commitment to continuous
improvement. As a result, ISO 27001
requires that management measure the
program on a periodic basis and take
actions to improve the program based on
the results. On key element of measuring
the security program is internal audit.
The Internal Audit workstream satisfies
clause 9.2 and requires that the internal
audit function is formally defined and
authorized to carry out assessments. ISO
27001 requires that the internal audit
function have: “Specified responsibilities;
establish independence, objectivity, and
impartiality of the internal audit function; a
defined internal audit plan of audit
activities; allocated resources; defined
audit procedures; executed audit activities;
report on audit findings; and
nonconformity follow-up activities.”
Included in the internal audit activities is
the testing of the ISMS to include clauses
4-10 and the Annex A controls. Since not
all organizations have an independent,
objective, and impartial internal audit
function capable of auditing the ISMS,
organizations may leverage third party
assessors to execute internal audit
activities.
Document Checklist :
6
Internal Audit and Performance
Monitoring
 Internal Audit Policy – Policy that defines
the roles, responsibilities, authority, and
process that governs internal audit. The
policy should define auditor qualifications
and methodology.
 Internal Audit Plan – The internal audit
plan should be a 3-year plan (in alignment
with the 3-year ISO 27001 certification).
The plan must be “risk based” and include
the entirety of the ISMS Scope.
 Internal Audit Report – Results of the
annual internal audit in line with the
Internal Audit plan.
 Management Action Plans – Management
commitments as a result of any internal
audit findings.
In summary, the foundation of the ISMS is
top level Management’s ability to control
and continuously improve the security
program in alignment with identified risks
and opportunities. Next, we will take a
deeper look into the 114 controls that
comprise Annex A and consider a few self-
assessment questions that may provide
insight into your current alignment with
ISO 27001 requirements.
Annex A Controls
Controls and Self-Assessment
Questions
ISO 27001 Annex A is the section that
outlines the 14 categories, 35 control
objectives and 114 controls companies
should consider alignment with. You may
refer to ISO/IEC 27002 for further detail on
the controls, including implementation
guidance.
Below we will outline each category and
suggest a few questions you may consider
to assess your ability to align to the
framework.
A.5 Information Security Policies – Defines
requirements for policies and procedures.
Sample Questions to Consider:
• Do Security policies exist?
• Are all policies approved by
management?
• Are policies properly communicated
to employees?
• Are security policies subject to
review?
• Are the reviews conducted at regular
intervals?
• Are reviews conducted when
circumstances change?
A.6 Organization of Information Security –
Defines requirements for roles and
responsibilities.
Sample Questions to Consider:
• Are responsibilities for the protection
of individual assets clearly identified
and defined and communicated to the
relevant parties?
• Do all projects go through some form
of information security assessment?
• Does a mobile device policy exist?
• Is there a set process for remote
workers to get access?
A.7 Human Resource Security – Defines
requirements for pre-employment, during
employment, and termination.
Sample Questions to Consider:
7
• Are background verification checks
carried out on all new candidates for
employment?
• Are all employees, contractors and
third party users asked to sign
confidentiality and non-disclosure
agreements?
• Are managers (of all levels) engaged in
driving security within the business?
• Do all employees, contractors and 3rd
party users undergo regular security
awareness training appropriate to
their role and function within the
organization?
• Is there a documented process for
terminating or changing employment
duties?
A.8 Asset Management – Defines
requirements for inventory, ownership,
and use of assets.
Sample Questions to Consider:
• Is there an inventory of all information
and physical IT assets?
• Is the inventory accurate and kept up
to date?
• Is there a policy governing
information classification?
• Is there a process by which all
information can be appropriately
classified?
• Is there a policy governing removable
media?
• Is there a physical media transfer
policy?
• Is media in transport protected
against unauthorized access, misuse
or corruption?
A.9 Access Control – Defines requirements
for user access management throughout
the user lifecycle.
Sample Questions to Consider:
• Is there a documented access control
policy?
• Is access to all systems limited based
on the principle of lease privilege?
• Is there a formal provisioning and
deprovisioning process?
• Are privileged access accounts
separately managed and controlled?
• Is there a formal management
process in place to control allocation
of secret authentication information?
• Do you perform periodic user access
reviews?
• Are complex passwords required?
• Are privilege utility programs
restricted and monitored?
• Is access to the source code of the
Access Control System protected?
A.10 Cryptography – Defines requirements
fo cryptographic controls and key
management.
Sample Questions to Consider:
• Is there a policy on the use of
cryptographic controls?
• Is there a cryptographic key
management policy
A.11 Physical and Environment Security
Sample Questions to Consider:
• Are sensitive or critical information
areas segregated and appropriately
controlled?
• Do secure areas have suitable entry
control systems to ensure only
authorized personnel have access?
• Are environmental hazards identified
and considered when equipment
locations are selected?
8
• Is there a UPS system or backup
generator?
• Is there a rigorous equipment
maintenance schedule?
• Is there a process controlling how
assets are removed from site?
• Does the organization have a policy
around how unattended equipment
should be protected?
A.12 Operations Security – Defines
requirements for security operations such
as system security, backup, logging,
malware, and vulnerability management.
Sample Questions to Consider:
• Is there a controlled change
management process in place?
• Is there a capacity management
process in place?
• Does the organization enforce
segregation of development, test and
operational environments?
• Are processes to detect malware in
place?
• Is there an agreed backup policy?
• Are appropriate event logs maintained
and regularly reviewed?
• Are sysadmin / sysop logs maintained,
protected and regularly reviewed?
• Is there a vulnerability management
program?
• Is there a process to risk assess and
react to any new vulnerabilities as
they are discovered?
• Do you perform penetration tests?
A.13 Communications Security – Define
requirements for network security and
information transfer.
Sample Questions to Consider:
• Is there a network management
process in place?
• Does the organization implement a
risk management approach which
identifies all network services and
service agreements?
• Is security mandated in agreements
and contracts with service providers
(in house and outsourced)?
• Are security related SLAs mandated?
• Does the network topology enforce
segregation of networks for different
tasks?
• Do organizational policies govern how
information is transferred?
• Are relevant technical controls in
place to prevent non-authorized
forms of data transfer?
• Do contracts with external parties and
agreements within the organization
detail the requirements for securing
business information in transfer?
• Do security policies cover the use of
information transfer while using
electronic messaging systems?
A.14 System Acquisition, Development and
Maintenance – Defines requirements for
security in the system development and
change management lifecycle.
Sample Questions to Consider:
• Are information security requirements
specified when new systems are
introduced?
• Are controls in place to prevent
incomplete transmission, misrouting,
unauthorized message alteration,
unauthorized disclosure,
unauthorized message duplication or
replay attacks?
9
• Are there policies mandating the
implementation and assessment of
security controls?
• Is there a formal change control
process?
• Is there a policy in place which
mandates when and how software
packages can be changed or
modified?
• Do all projects utilize the secure
development environment
appropriately during the system
development lifecycle?
• Where systems or applications are
developed, are they security tested as
part of the development process?
A.15 Supplier Relationships – Defines
requirements for security as related to
vendors.
Sample Questions to Consider:
• Is information security included in
contracts established with suppliers
and service providers?
• Is there an organization-wide risk
management approach to supplier
relationships?
• Are suppliers provided with
documented security requirements?
• Is supplier access to information
assets & infrastructure controlled and
monitored?
• Are suppliers subject to regular
review and audit?
A.16 Informaiton Security Incident
Management – Defines requirements for
management of security incidents.
Sample Questions to Consider:
• Are management responsibilities
clearly identified and documented in
the incident management processes?
• Is there a process for reviewing and
acting on reported information
security events?
• Is there a process for reporting of
identified information security
weaknesses?
• Is there a process to ensure
information security events are
properly assessed and classified?
• Is there a forensic readiness policy?
A.17 Information Security Aspects of
Business Continuity Management – Defines
requirements for information security
continuity and redundancies.
Sample Questions to Consider:
• Do BCP/DR Policies exist?
• Do you perform a BIA?
• Do you perform BCP/DR testing?
• Are systems redundant to ensure
availability?
A.18 Compliance – Defines requirements
for legal and contractual requirements.
Sample Questions to Consider:
• Has the organization identified and
documented all relevant legislative,
regulatory or contractual
requirements related to security?
• Does the organization keep a record
of all intellectual property rights and
use of proprietary software products?
• Does the organization monitor for the
use of unlicensed software?
• Are records protected from loss,
destruction, falsification and
unauthorized access or release in
accordance with legislative,
regulatory, contractual and business
requirements?
• Is personal data protected in
accordance with relevant legislation?
10
• Are cryptographic controls protected
in accordance with all relevant
agreements, legislation, and
regulations?
• Is the organizations approach to
managing information security subject
to regular independent review?
• Is the implementation of security
controls subject to regular
independent review?
• Does the organization regularly
conduct technical compliance reviews
of its information systems?
Authoritative Guidance
ISO 27001 is accompanied by ISO 27002
which provides detailed implementation
guidance for the 114 controls.
If you would like assistance with guided
implementation and certification, risk3sixty
can help. Following risk3sixty’s guided
implementation process, our clients have
100% ISO 27001 certification success rate.
We can assist with every step of the project
from complete implementation, auditor
selection, and working directly with the
auditor during the certification process.
 100% Certification Success Rate
 100% three-year client retention
 Our clients consistently report 50% faster
implementation
 Supported by a complete team of security
and compliance experts
 Leveraging our audit workflow platform
Phalanx, we save our clients an average of
50% over attempting to implement ISO
27001 without assistance

Annex A Controls | Did you Know?  Our firm is peer reviewed for rigorous
quality standards by an independent CPA
Did you know that you can achieve ISO firm (read our results here).
27001 certification even if some controls
are not currently implemented? It is a
common myth (and often costly) that all
controls must be implemented. Contact a
professional to learn more about the
nuances to ISO 27001 implementation and
how to achieve certification.

The Certification
Process
If you are considering ISO 27001
certification and would like to understand
the process in detail check out Part 3 in
our whitepaper series where we cover the
ISO 27001 certification process in detail.

11
Let’s Get Started About the Authors
Programs That Leave No Doubt

risk3sixty is a nationally recognized

security, privacy, and compliance advisory
firm serving firms across the United States
and Globally.

We strive to be “craftsmen” in our space

and as a result we offer our clients an
uncommon level service demonstrably
unchallenged in our industry.
Christian Hyatt
CEO
By the Numbers:
CISA | CIPM | CISM | PCI QSA
 Clients across the United States and 17 HITRUST CSSFT | ISO 27001 LA
countries
 Certified Security Experts such as CISSP,
CISA, CISM, GPEN, CEH, CRISC, PCI QSA,
ISO 27001 Lead Auditors, and much more
 Certified Privacy Experts such as CIPP/US,
CIPM, IAPP Privacy Fellows, ISO 27701
Lead Auditors, and more

Our Promise of Quality:

Christian White
We pride ourselves on our ability to President
provide outstanding service, meeting our CISA | CISSP | GPEN | PCI ASV
clients’ deadlines, and exceeding HITRUST CSSFT | MCSE
expectations. The bottom line is that if
you aren’t satisfied with the quality of
our services, we’ll make it right. Period.

Speak With An Expert

(404) 692-1324

12
ISO 27001
Certification Process
(Part 3)
A Step-By-Step Overview of the
ISO 27001 Certification Process
Bottom Line Up Front
Cybersecurity is a business problem impacting
the livelihoods of companies and their owners.
As a result, Leadership must take steps to
proactively mature their information security
posture and articulate their security posture to
current and prospective customers.

A great place to begin maturing your security

environment is through the implementation of
a security framework such as ISO 27001. If you
are considering program implementation, this
three-part whitepaper series will provide all
the information you need to make an educated
decision on ISO 27001 adoption.

This Whitepaper Series Includes:

• Part 1: Will present a business case which

outlines why organizations should
consider ISO 27001 certification from
business perspective (Read it Here)
• Part 2: Will cover the essential elements
of the ISO 27001 Framework (Read it
Here)
• Part 3: Will cover the ISO 27001
certification process from start to finish
(This Whitepaper )

Security | P rivacy | Compliance


Contents
ISO 27001 Overview ................................. 1
What is ISO 27001 ................................... 1
ISMS - Essential Elements ....................... 1
Policies and Procedures ................... 2
Goverance & Risk Management ...... 2
Internal Audit ..................................... 3
The Business Case .................................... 3
The ‘Why’ behind Certification ......... 3
ISO 27001 Certification Process ............. 4
Phase I: ISO 27001 Implementation ........ 4
Step 1: Scope and Plan ..................... 5
Step 2: Current State Assessment .. 5
Step 3: Remediation Roadmap ........ 5
Step 4: Program Implementation .... 6
Guided Implementation Options .... 6
Phase II: ISO 27001 Certification Process 7
Certification Cost ............................... 7
Step 1 – Certification Body Selection8
Step 2 – Scoping and Planning ........ 8
Step 3 – Stage 1 Audit ...................... 8
Step 4 – Stage 2 Audit ...................... 8
Step 5 – Certification In-Hand ......... 9
Step 6 – Surveillance Audits ............ 9
Speak with a Professional ..................... 10
Let’s Get Started! .................................... 10
ISO 27001 Overview
Components of an ISMS
What is ISO 27001
(If you would like a detailed framework
overview, read part 2 of this whitepaper
series.)
Before we walk through the ISO 27001
certification process, it is important that
we establish a common understanding of
ISO 27001’s core elements.
ISO 27001 is an internationally recognized
information security standard that is
comprised of 10 clauses, 14 categories, 35
control objectives, and 114 controls.
Clauses 4-10 are typically referred to as
the Information Security Management
System (ISMS), while the 114 control
requirements are called “Annex A.”.
ISMS - Essential Elements
While most professionals are familiar with
the controls associated with ISO 27001,
the lesser known core of ISO 27001 is the
“ISMS”. The ISMS defines the “system of
management” in which your organization
will govern the security program and is the
heart of the audit when pursuing
certification.
There are several elements of a functional
ISMS that must be implemented to satisfy
ISO 27001 certification requirements.
These requirements are described in
Clauses 4-10 of ISO 27001.
For those unfamiliar with ISO 27001,
reading through these clauses for the first
1
time and trying to understand the scope of
what needs to be done to implement an
ISMS can be daunting and confusing.
It is helpful to think about these requirements as
being a part of one of three buckets or
workstreams:
1. Policies and procedures,
2. Risk Assessment (Risk Management),
and
3. Internal Audit.
Policies and Procedures
Included in the policies and procedures
workstream are the following items:
• ISMS Document – This document
contains the context, requirements,
and scope of the organizations ISMS
and aligns with Clauses 4-10.
• Security Policies and procedures –
Depending on how the organization
chooses to document its security
policies, this may be a master security
policy or a baseline security policy
with derivative policies on specific
topics, such as access control,
cryptographic controls, and change
management.
• Statement of Applicability (SoA) – This
document identifies the security
controls that are to be included in the
ISMS; justifies the choice of included
controls; whether they are
implemented or not; and justifies the
excluded controls from Annex A.
Governance & Risk
Management
The Risk Management workstream satisfies
components of Clauses 6.1.1-6.1.3, 8.2,
and 8.3 and includes the following
elements and attributes: defined risk
assessment approach and methodology,
risk identification, estimation, evaluation,
treatment, and acceptance. This
workstream is of particular importance
because information security risk
management is the core element of an
ISMS and chief driver of many of the other
requirement and activities associated with
implementing and maintaining an ISMS
(e.g. an input for producing the SoA).
It is useful to note that ISO 31000 is a
generic framework on Risk Management
and ISO 27005 is an adaption of the ISO
31000 framework for Information Security.
ISO 27005 explains in detail how to
conduct a risk assessment and risk
treatment, and is also aligned with ISO
27001 requirements. Both ISO 31000 and
ISO 27005 may be helpful in guiding an
organization to adopt a right-sized risk
management program.
If an organization does not feel it has the
adequate knowledge and resources to
implement a risk management program,
that organization may seek out a third
party to conduct the risk assessment and
implement this workstream; this is
common, even among large organizations,
who may have the resources but not
necessarily have the experience to
implement an end-to-end risk
management program that meets ISO
27001 requirements.
Documents associated with this workstream
include the following:
• Risk Management Charter
2
• Risk Management Policy
• Annual Risk Assessment (Report)
• Current Risk Register (Risk Treatment
Plan)
Internal Audit
The Internal Audit workstream satisfies
Clause 9.2 and includes the following
elements and attributes:
• Internal audit program with a defined
role for the internal audit function
and specified responsibilities,
• Establish independence, objectivity,
and impartiality of the internal audit
function,
• Plan audit activities,
• Manage and allocate resources,
• Create an audit procedure,
• Perform audit activities,
• Report on audit findings, and
• Nonconformity follow-up activities.
Included in the internal audit activities is
the testing of the ISMS to include Clauses
4-10 and the Annex A controls. Since not
all organizations have an independent,
objective, and impartial internal audit
function capable of auditing the ISMS,
organizations may outsource this internal
audit requirement to a third party
organization.
Documents associate with this workstream
include:
• Audit charter
• Audit procedures
• Internal Audit Report
• Nonconformity follow-up report
• Audit records
Now that you have a basic understanding
of the ISO 27001 framework. Let us review
a few of the business reasons adoption of
the ISO 27001 framework may make sense
for your organization.
The Business Case
The ‘Why’ Behind Certification
(If you would like a comprehensive business
case for adopting ISO 27001, read part 1 of
our ISO 27001 whitepaper series.)
If you are trying to help your organization
decide if formal ISO 27001 certification is
right for your organization, here are a few
of the business reasons organizations
move forward with certification.
1. Create a world-class Information
Security Program – ISO 27001
Certification is increasingly becoming
a standard certification obtained by
successful companies who take
information security seriously and
want to communicate that.
2. Enable Business Development (Sales)
– In today’s connected world,
companies know that prospects will
be asking questions around
information security, and that vendor
scrutiny can slow down the sales
cycle. An ISO 27001 certification may
enable sales teams to lead with
security and compliance and close
deals faster.
3. Meet Partner/Client Requirements
Some companies specifically require
that their vendors obtain an ISO
27001 certification to demonstrate
3
 adherence to and compliance with Scope and Plan
information security best practices. Agree on scope and detailed timeline

Phase I: ISO 27001 Implementation

(4-12 months based on complexity)
4. Create a Marketing Differentiator – All
else being equal, companies with an Current State Assessment
Gap assessment against ISO 27001
ISO 27001 certification have an
advantage over their uncertified Remediation Roadmap
competition. They have a story to tell Detailed plan based on gap assessment

around how their ISMS enables

security for their business and clients, Program Implementation
Implement defined remediation
and they are excited to highlight this roadmap. Read this whitepaper for
distinction. detailed review of requirements.

5. Satisfy Various Legal, Regulatory and

Compliance Requirements – For legal Auditor Selection and Scoping
and compliance reasons, some Select external auditor and communicate
certification scope.
companies are required to obtain a
third-party attestation report (e.g. Stage 1 Audit

Phase II: ISO 27001 Certification

SOC 2 report) or a widely recognized Typically 1-2 days of document review.

security certification (e.g. ISO 27001

30-45 days between stages
certification). Since ISO 27001 has
(2-3 months)

greater international recognition, it

Stage 2 Audit
may make help satisfy various legal, The “big audit”. Typically, 1-2 weeks of
regulatory, and compliance on-site audit effort.

requirements.
30 days waiting on final certification.

ISO 27001 (Due to auditor QA process)

Certification Process Certification In-Hand

Steps / Effort / Costs

Phase I: ISO 27001
The ISO 27001 certification process is
Implementation
broken into two distinct elements. The first step in your ISO 27001 journey is
implementation of the framework. This
1) The implementation of the ISO 27001 consists of 4 step, as follows:
framework, and
2) The ISO 27001 audit and certification
process

4

Step 1: Scope and Plan
ISO 27001 certification is bound by a scope
specified by the client. What you choose to
certify is typically driven by stakeholder
requirements (such as clients) who require
official ISO 27001 certification.
The scope does not have to be inclusive of
an entire organization. As a result, it is
important to be very specific about your
desired scope, what is included, and what
is not included.
The defined scope will dictate the
implementation efforts and will be
communicated to the external auditor. As
a strategy point, you may choose to align
to ISO 27001 as an organization, but only
pursue formal certification based on a
defined scope. This flexible approach to
scope is one reason ISO 27001 is a good fit
for organizations of all sizes.
The output of scoping and planning results
in an application letter (that will be sent to
the external auditor), a statement of
applicability, and formal scope statement,
and a detailed project plan for the
remainder of the implementation timeline.
Step 2: Current State
Assessment
The second step in the implementation
process is understanding your
organization’s current alignment with ISO
27001. There are likely a variety of things
that your organization does well and many
areas for improvement – these
improvement areas are where you want to
focus your attention.
This “gap assessment” will result in a list of
activities your organization will need to
implement to align to the ISO 27001
framework.
The art of the current state assessment is
interpreting the ISO 27001 requirements
and understanding how those
requirements should be implemented
based on the nuances of your
organization. ISO 27001 requirements are
not prescriptive or “one size fits all”.
As a result, the output of the current state
assessment should be interpreted through
the prism of your organizations unique
business model, processes, and
technology.
Step 3: Remediation Roadmap
As mentioned above, interpreting ISO
27001 requirements is as much an art as a
science. As a result, you must take a
pragmatic approach to interpreting ISO
27001 requirements considering the
nuances of your organization’s
environment. This interpretation will
inform measures your organization adopts
to comply with ISO 27001 frameworks.
The output of the remediation roadmap
should be a detailed project plan that
helps management track implementation
process.
Typical elements include:
• Management’s committed action plans
to resolve identified gaps,
5
• Detailed remediation timelines,
• Clear ownership of each item,
• Financial or effort analysis (if
required), and
• Methods for reporting progress on
remediation efforts (e.g., periodic
status reports)
Tip: One common pitfall of ISO 27001
implementation is over or mis-
implementation of ISO 27001 requirements.
If your organization finds itself spending
$100,000 to solve a $10,000 problem –
pause and ask if it is necessary. These errors
in interpretation can cost far more than the
certification itself.
Step 4: Program
Implementation
Program implementation is where the
organization executes against the
remediation roadmap. Common activities
include:
• Formalizing an ISMS document,
• Formalizing a governance structure,
• Executing a risk assessment,
• New or updated policies,
• Updates to existing technology or
configuration settings,
• Implementation of security tools, and
• Formalizing and internal audit
process.
Once implementation is complete and your
organization feels confident ISO 27001
requirements have been satisfied. It is time
to pursue certification.
Self vs. Guided
Implementation Options
There is one other important consideration
your organization should contemplate
when pursuing implementation: Do you
want to do it yourself or do you need a
guide?
For a planning factor, consider the
following factors for a mid-size
organization:
Option 1: Self-Implemented ISO 27001 Program
Some organizations may choose to
implement ISO 27001 with existing internal
resources. If an organization chooses to
implement ISO 27001 themselves, here are
a few considerations:
• Best Fit: Self Implementation is best
fit for organizations with dedicated
security and compliance resources
with knowledge, desire, and expertise
interpreting and implementing
security frameworks.
• Effort: 1,500-2,000 man-hour spread
across the team including security,
engineering, operations, and
leadership
• Internal Resources: 1-2x strong
project managers (one ISO 27001
Lead Implementer is preferred); buy-
in from senior leadership; support
from all departments.
• Time: 6-18 months (It is rare to see
an ISMS implemented in under 6
months unless the organization is
already mature, has implemented
security controls, and is
6
 demonstrating compliance with
another security/compliance
framework (e.g. SOC 2, PCI DSS).
• Challenges: Organizations
implementing ISO 27001 themselves
will need to be able to accurately
interpret (the sometimes unclear)
requirements outlined in the ISO
27001 standard. This can be
challenging if internal resources are
also tasked with a full plate of existing
responsibilities. ISO 27001 can also
be a significant distraction to core
responsibilities; so be sure your
resources are bought in on dedicating
time and efforts on building an ISO
27001 program.
Option 2: Advisor-Led Guided Implementation
The second option is to leverage a partner
to guide your organization through ISO
27001 implementation.
• Best Fit: Best fit for organization who
want to outsource subject matter
expertise to a proven partner. Perfect
for organizations who do not have full
time employees with the desire or
time to take on ISO 27001
implementation.
• Advisory Costs: Typically, $50k-100k
depending on organization size and
complexity
• Time: 4-12 months (6 months is most
the most common timeline)
• Internal Resources: The advisor will
typically do most of the heavy lifting.
However, Management will still play a
key role in decision making. You will
need buy-in from senior leadership
and support from and access to all
departments.
• Benefits: Leveraging an advisor to
implement ISO 27001 will help
expedite the implementation process
by eliminating the guesswork. (At
risk3sixty, we have 100% certification
success rate.) The advisor also
eliminates distractions – allowing your
employees to focus on core business
activities.
• Challenges: The advisor will need to
be able to gain the trust of the
organization to implement the
program effectively. This will require
top level leadership’s support.
Phase II: ISO 27001
Certification Process
Once implementation is complete, your
organization is ready for official
certification.
Certification Cost
ISO 27001 certification can only be
performed by an accredited certification
body. A list of ANAB accredited certification
firms can be found on the ANAB directory.
Costs are driven by the complexity of the
scope being audited (e.g., people,
locations, tech stack) and typically range
between 1-4 weeks of auditor effort. Costs
(and quality of service) vary widely from
one firm to another so we recommend
getting multiple quotes.
7
For a typical SaaS organization of 100-500
people, with 1-2 locations, you can expect
an audit duration of 1-2 weeks and
certification costs ranging from $25-$55k.
Step 1 – Certification Body
Selection
The first step in obtaining ISO 27001
certification is selecting a certification
body.
ISO 27001 certification can only be
performed by an accredited certification
body. A list of ANAB accredited certification
firms can be found on the ANAB directory.
The certification body will require an
application letter outlining the certification
scope to provide a formal quote.
Here is a guide on vendor and partners
selection that may be helpful.
Step 2 – Scoping and Planning
Your organization will work with the
certification body to define the certification
scope and a detailed timeline of events.
This will include:
• Establishing scope of the audit
• Defining locations that will need to be
visited (if applicable)
• Define dates the auditor will distribute
an information request list
• Define dates for Stage 1 Audit
• Define dates for Stage 2 Audit
• Providing walkthrough agendas so you
can coordinate with the appropriate
parties to undergo the audit
If you are leveraging an implementation
partner, like risk3sixty, we will have a pre-
audit preparatory checklist to ensure the
audit is executed successfully with minimal
burden to your organization.
Step 3 – Stage 1 Audit
The Stage 1 audit helps the auditor
validate you are ready for ISO 27001
certification.
The Stage 1 audit is typically 1 day in
duration and consist of providing the
auditor 20-30 documents for their review.
The auditor uses the stage 1 audit to
validate your organization is ready for a full
ISO 27001 certification audit.
The audit is typically virtual with the
auditor and the ISO 27001 program
manager in attendance. They auditor will
review policies, risk assessment results,
results of the internal audit, and discuss
how the organization is addressing key
elements of the ISO 27001 framework.
Upon successful completion of the Stage 1
audit the certification body will proceed to
stage 2 audit. The stage 2 audit is 30-45
days after the stage 1 audit.
Step 4 – Stage 2 Audit
The stage 2 audit is the “big show”.
The Stage 2 audit is typically 1-2 weeks in
duration and consist of providing the
auditor upwards of 200 documents for
their review.
The audit is typically on-site (with separate
visits to in scope locations that are typically
8
1 day in duration) with the auditor, the ISO
27001 program manager, and break out
sessions with various control owners.

The auditor will review documented

evidence that each requirement outlined in
ISO 27001 is in place. Upon successful
completion of the audit, the certification
body will issue an ISO 27001 certification.
It typically takes 30-45 days after the end
of the certification to obtain certification in
hand.

Step 5 – Certification In-Hand

After the Stage 2 audit the certification
body will begin their internal quality
assurance review process. QA review
typically takes between 30-45 days. Upon
completion of the firm’s internal QA
process they will email a formal ISO 27001
certification to the client.

Tip: Auditors are busy - reach out every week

for an update to keep things moving and on
track.

Step 6 – Surveillance Audits

ISO 27001 is a three-year commitment.

Year 1 follows the path described above.
Years 2 and 3 are a reduced burden and
consist of an annual audit roughly similar
to half the effort of year 1 stage 2 audit.

In year 4, the ISO 27001 certification

process will restart the three-year
certification cycle.

9
Let’s Get Started About the Authors
Programs That Leave No Doubt

risk3sixty is a nationally recognized

security, privacy, and compliance advisory
firm serving firms across the United States
and Globally.

We strive to be “craftsmen” in our space

and as a result we offer our clients an
uncommon level service demonstrably
unchallenged in our industry.
Christian Hyatt
CEO
By the Numbers:
CISA | CIPM | CISM | PCI QSA
 Clients across the United States and 17 HITRUST CSSFT | ISO 27001 LA
countries
 Certified Security Experts such as CISSP,
CISA, CISM, GPEN, CEH, CRISC, PCI QSA,
ISO 27001 Lead Auditors, and much more
 Certified Privacy Experts such as CIPP/US,
CIPM, IAPP Privacy Fellows, ISO 27701
Lead Auditors, and more

Our Promise of Quality:

Christian White
We pride ourselves on our ability to President
provide outstanding service, meeting our CISA | CISSP | GPEN | PCI ASV
clients’ deadlines, and exceeding HITRUST CSSFT | MCSE
expectations. The bottom line is that if
you aren’t satisfied with the quality of
our services, we’ll make it right. Period.

Speak With An Expert

(404) 692-1324

12