ISO 27001 Clauses 4-10

When most people think of ISO 27001, they immediately consider the 114 controls that make up ISO 27001’s Annex A. Often ignored, however, are Clauses 4-10. These clauses are the core of ISO 27001 and establish the system of management necessary to build and maintain an effective information security program.
6 Planning - outlines the process to identify, analyze and plan to treat information risks and clarify the objectives of information security. This is the first clause that requires a risk assessment.

7 Support - adequate, competent resources must be assigned and awareness raised.

8 Operation - additional detail about assessing and treating information risks, managing changes, and documenting requirements.

9 Performance evaluation - monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system, systematically improving things where necessary. This is where ISO requires an independent audit of the ISMS.

10 Improvement - address the findings of audits and reviews (e.g. nonconformities and corrective actions), make continual refinements to the ISMS.

ISO 27001 Annex A (Control Framework)

This is the section that outlines the 14 categories, 35 control objectives and 114 controls. You may refer to ISO/IEC 27002 for further detail on the controls, including implementation guidance.

A.5 Information Security Policies – Defines requirements for policies and procedures.

A.6 Organization of Information Security – Defines requirements for roles and responsibilities.

A.7 Human Resource Security – Defines requirements for pre-employment, during employment, and termination.

A.8 Asset Management – Defines requirements for inventory, ownership, and use of assets.

A.9 Access Control – Defines requirements for user access management throughout the user lifecycle.

A.10 Cryptography – Defines requirements for cryptographic controls and key management.

A.11 Physical and Environment Security

A.12 Operations Security – Defines requirements for security operations such as system security, backup, logging, malware, and vulnerability management.

A.13 Communications Security – Defines requirements for network security and information transfer.

A.14 System Acquisition, Development and Maintenance – Defines requirements for security in the system development and change management lifecycle.

A.15 Supplier Relationships – Defines requirements for security as related to vendors.

A.16 Information Security Incident Management – Defines requirements for management of security incidents.

A.17 Information Security Aspects of Business Continuity Management – Defines requirements for information security continuity and redundancies.

A.18 Compliance – Defines requirements for legal and contractual requirements.

(Annex A) requirements to build and sustain an information security program. Because ISO 27001 is considered right-sized, is internationally recognized, and considers both organizational and technical requirements, it is the framework of choice for many information security professionals.

ISO 27001 Business
drive revenue growth for most organizations.

[Figure: Banks Requiring ISO 27001 Certification. All Banks 25%, US Banks 14%]

arrived. In January 2020 California will make effective the California Consumer Protection Act (CCPA). These are just a few of the trending security and privacy regulations enacted across the globe at all levels of government.¹

“Executives today must operate under the assumption that they will experience a cyber incident that will require them to notify their customers, investors, and regulators.”²

As a result, information security has risen beyond the scope of the information technology department on to the agendas for top level leadership and the board of directors.

This renewed focus on information security and compliance makes globally acceptable security frameworks like ISO 27001 an attractive means to evidence compliance.

¹ Find whitepapers on each of these regulations on our website: https://www.risk3sixty.com/whitepaper/
² Harvard Business Review: https://hbr.org/2017/11/the-avoidable-mistakes-executives-continue-to-make-after-a-data-breach
³ Data source of all figures via ISO.org: https://isotc.iso.org/livelink/livelink?func=ll&objId=18808772&objAction=browse&viewType=1
United States and act as a common reference point in the marketplace to communicate an organization’s security posture to customers and prospects.

election year and may be responsible for the decline in certifications in that year, but this is speculative.)

[Figure: ISO 27001 Certification for Selected Countries, 2006-2017 (number of certifications, 0 to 30,000)]

ISO 27001 as a Unifying Compliance Framework

For companies who must navigate multiple security compliance frameworks (e.g., ISO 27001, SOC 2, PCI DSS, HIPAA, HITRUST, etc.), ISO 27001 can act as a unifying compliance framework to align all other compliance activities.

[Figure: ISO 27001 as the central framework, linked to SOC 2 Type II, PCI DSS, HIPAA and HITRUST]

If you are ready to get started and would like a guide – risk3sixty can help! Learn why we have

Let’s Get Started
(404) 692-1324

About the Authors
Programs That Leave No Doubt
ISO 27001: The Path to Certification (Part 2)

Understanding the ISO 27001 Framework

ISO 27001 Clauses 4-10

When most people think of ISO 27001, they immediately consider the 114 controls that make up ISO 27001’s Annex A. Often ignored, however, are Clauses 4-10. These clauses are the core of ISO 27001 and establish the system of management necessary to build and maintain an effective information security program. If you are considering ISO 27001 certification, clauses 4-10 are the main focus of the audit.
to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.

6 Planning - outlines the process to identify, analyze and plan to treat information risks, and clarify the objectives of information security. This is the first clause that requires a risk assessment.

7 Support - adequate, competent resources must be assigned and awareness raised.

8 Operation - a bit more detail about assessing and treating information risks, managing changes, and documenting requirements.

9 Performance evaluation - monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system, systematically improving things where necessary. This is where ISO requires an independent audit of the ISMS.

10 Improvement - address the findings of audits and reviews (e.g. nonconformities and corrective actions), make continual refinements to the ISMS.

ISO 27001 Annex A (Control Framework)

This is the section that outlines the 14 categories, 35 control objectives and 114 controls. You may refer to ISO/IEC 27002 for further detail on the controls, including implementation guidance.

A.5 Information Security Policies – Defines requirements for policies and procedures.

A.6 Organization of Information Security – Defines requirements for roles and responsibilities.

A.7 Human Resource Security – Defines requirements for pre-employment, during employment, and termination.

A.8 Asset Management – Defines requirements for inventory, ownership, and use of assets.

A.9 Access Control – Defines requirements for user access management throughout the user lifecycle.

A.10 Cryptography – Defines requirements for cryptographic controls and key management.

A.11 Physical and Environment Security

A.12 Operations Security – Defines requirements for security operations such as system security, backup, logging, malware, and vulnerability management.

A.13 Communications Security – Defines requirements for network security and information transfer.

A.15 Supplier Relationships – Defines requirements for security as related to vendors.
A.16 Information Security Incident Management – Defines requirements for management of security incidents.

A.17 Information Security Aspects of Business Continuity Management – Defines requirements for information security continuity and redundancies.

A.18 Compliance – Defines requirements for legal and contractual requirements.

ISO 27001 Explained in Detail

In this section we will explore the essential elements of ISO 27001 including the “ISMS” and “Annex A” controls.

information security environment. This, in short, is the ISMS.

There are many elements of a functional ISMS that must be implemented in order to satisfy ISO 27001 certification requirements. These requirements are described in Clauses 4-10 of ISO 27001. For those unfamiliar with ISO 27001, reading through these clauses for the first time and trying to understand the scope of what needs to be done to implement an ISMS can be daunting and confusing. Thus, it is helpful to think about these requirements as being a part of one of four categories: Governance, Risk Management, Strategic Planning, and Performance Monitoring.

1) Governance

Governance includes establishing Information Security Management

management are directly linked to clauses 6 “Planning” and 8 “Operation.”

3) Strategic Planning

The strategic plan defines how the security program will be tactically implemented. It is typically a 12-month outlook on the initiatives that comprise the security program. It typically includes key projects, security program improvements, people, budgets, a communication plan, and key performance indicators (measurables) required to execute on the information security program. Strategic planning is most closely tied to clause 6.2, but is especially relevant to clauses 6 “Planning,” 7 “Support,” and 8 “Operation.”

4) Internal Audit/Performance Monitoring

Internal audit is the mechanism by which management gains visibility into the information security program, identifies areas for improvement, and drives continuous improvement. The internal audit function must be independent from the security program and qualified to do an effective audit. Internal audit and continuous improvement are key elements of clause 9 “Performance Evaluation” and 10 “Improvement.”

Now that we have a basic understanding of

Governance (Clauses 4 and 5)

Establishing an effective governance structure that supports information security program objectives is an essential element of the ISMS, primarily outlined in clauses 4 and 5 of ISO 27001.

1) Scope and Context (Clause 4)

The organization should articulate the scope and boundaries of the ISMS including relevant people, processes, technologies, locations, and interested parties. (See sections 4.1-4.4 in the ISO 27001 standard)

2) Leadership and Policy (Clause 5)

Clause 5’s primary concern is top level leadership’s commitment to continuous improvement of the information security program. In addition, the clause lays out the requirement for leadership involvement (clause 5.1), defined policies which articulate management’s intent (clause 5.2), and defined roles, responsibilities, and granted authorities (clause 5.3).

“At more than 20% per year, North America has the largest growth rate of ISO 27001 certifications in the world. ISO 27001 has become table stakes to show clients we take security seriously.”
-CEO, US Based Technology Company
with derivative policies on specific topics such as access control, cryptographic controls, and change management.

Statement of Applicability (SoA) – identifies the security controls to be included in the ISMS, justifies the choice of included controls and whether they are implemented or not, and justifies the excluded controls from Annex A.

Risk Management (Clause 6 & 8)

The Risk Management workstream helps the organization establish a defined risk identification, intake, and analysis process and satisfies elements of clauses 6 and 8 of ISO 27001.

1) Opportunities, Risk Assessment and Risk Treatment (Clauses 6.1, 8.2, and 8.3)

The risk management process is the Company’s formalized approach to risk identification, risk measurement, risk treatment, and risk acceptance. It is important that the organization establish a formal risk management office (often called the information risk council (IRC)), complete a formal risk assessment process, and maintain a formal log of identified risks which are communicated formally to the IRC.

Authoritative Guidance

Executing an effective risk assessment is complex (and merits a separate whitepaper); however, there are several accompanying standards that you should familiarize yourself with to implement a risk management program.

ISO 31000 Enterprise Risk Management

ISO 27005 is an adaption of the ISO 31000 framework for Information Security. ISO 27005 explains in detail how to conduct a risk assessment and is also aligned with ISO 27001 requirements.

Document Checklist: Risk Management

Risk Management Charter – Establishes the information risk council and grants this office the authority and responsibility to measure and treat identified risks.

Risk Management Policy – Policy that outlines management expectations related to risk management and the risk assessment process.

Risk Assessment Report – Report outlining the results of the risk assessment.

Risk Register – Formal log of identified risks.

Strategic Planning (Clauses 6, 7, and 8)

The goal of the security program strategic plan is to lay out program priorities for the next 12 months. The strategic plan should consider all elements of the ISMS including the context of the organization, results of the risk assessment, and overall business objectives. The strategic plan should also consider resources that will be required to execute the plan, including personnel and budget.

Objectives and Planning (Clause 6.2)
Clause 6.2 requires that an organization establish formalized “security objectives” and plans to achieve those objectives. The security objectives should be in alignment with the business’s goals.

1) Support (Clause 7.1)

Clause 7.1 requires that an organization “determine and provide resources” needed to establish, implement, maintain, and continually improve the information security program. The term “resources” includes both personnel and budget.

2) Operational planning (Clause 8.1)

Clause 8.1 reemphasizes the requirements outlined in clause 6.2, but adds that the organization must have established mechanisms in place “to have confidence that the processes have been carried out as planned.” Most commonly, organizations satisfy this requirement by implementing agreed-upon key performance indicators (KPIs) and regular communication cadences including status reports and formalized status meetings.

Document Checklist: Strategic Planning

Program Roadmap – Project plan outlining what you are going to do, when you plan to do it, and who will execute.

Security Program Resource Plan – The resource plan should include budget for personnel, toolsets, implementations, etc.

Key Performance Indicators (KPIs) – Defined measurables tied to program success indicators.

Communication Plan – Plan to communicate with key stakeholders including status reporting and meeting cadences.

Internal Audit and Performance Monitoring (Clause 9 and 10)

Understanding that no program is perfect or stagnant, ISO 27001 emphasizes Management’s commitment to continuous improvement. As a result, ISO 27001 requires that management measure the program on a periodic basis and take actions to improve the program based on the results. One key element of measuring the security program is internal audit.

The Internal Audit workstream satisfies clause 9.2 and requires that the internal audit function is formally defined and authorized to carry out assessments. ISO 27001 requires that the internal audit function have: “Specified responsibilities; establish independence, objectivity, and impartiality of the internal audit function; a defined internal audit plan of audit activities; allocated resources; defined audit procedures; executed audit activities; report on audit findings; and nonconformity follow-up activities.”

Included in the internal audit activities is the testing of the ISMS to include clauses 4-10 and the Annex A controls. Since not all organizations have an independent, objective, and impartial internal audit function capable of auditing the ISMS, organizations may leverage third party assessors to execute internal audit activities.

Document Checklist: Internal Audit and Performance Monitoring

Internal Audit Policy – Policy that defines the roles, responsibilities, authority, and process that governs internal audit. The policy should define auditor qualifications and methodology.

Internal Audit Plan – The internal audit plan should be a 3-year plan (in alignment with the 3-year ISO 27001 certification). The plan must be “risk based” and include the entirety of the ISMS Scope.

Internal Audit Report – Results of the annual internal audit in line with the Internal Audit plan.

Management Action Plans – Management commitments as a result of any internal audit findings.

In summary, the foundation of the ISMS is top level Management’s ability to control and continuously improve the security program in alignment with identified risks and opportunities. Next, we will take a deeper look into the 114 controls that comprise Annex A and consider a few self-assessment questions that may provide insight into your current alignment with ISO 27001 requirements.

Annex A Controls
Controls and Self-Assessment Questions

ISO 27001 Annex A is the section that outlines the 14 categories, 35 control objectives and 114 controls companies should consider alignment with. You may refer to ISO/IEC 27002 for further detail on the controls, including implementation guidance.

Below we will outline each category and suggest a few questions you may consider to assess your ability to align to the framework.

A.5 Information Security Policies – Defines requirements for policies and procedures.

Sample Questions to Consider:
• Do Security policies exist?
• Are all policies approved by management?
• Are policies properly communicated to employees?
• Are security policies subject to review?
• Are the reviews conducted at regular intervals?
• Are reviews conducted when circumstances change?

A.6 Organization of Information Security – Defines requirements for roles and responsibilities.

Sample Questions to Consider:
• Are responsibilities for the protection of individual assets clearly identified and defined and communicated to the relevant parties?
• Do all projects go through some form of information security assessment?
• Does a mobile device policy exist?
• Is there a set process for remote workers to get access?

A.7 Human Resource Security – Defines requirements for pre-employment, during employment, and termination.

Sample Questions to Consider:
• Are background verification checks carried out on all new candidates for employment?
• Are all employees, contractors and third party users asked to sign confidentiality and non-disclosure agreements?
• Are managers (of all levels) engaged in driving security within the business?
• Do all employees, contractors and 3rd party users undergo regular security awareness training appropriate to their role and function within the organization?
• Is there a documented process for terminating or changing employment duties?

A.8 Asset Management – Defines requirements for inventory, ownership, and use of assets.

Sample Questions to Consider:
• Is there an inventory of all information and physical IT assets?
• Is the inventory accurate and kept up to date?
• Is there a policy governing information classification?
• Is there a process by which all information can be appropriately classified?
• Is there a policy governing removable media?
• Is there a physical media transfer policy?
• Is media in transport protected against unauthorized access, misuse or corruption?

A.9 Access Control – Defines requirements for user access management throughout the user lifecycle.

Sample Questions to Consider:
• Is there a documented access control policy?
• Is access to all systems limited based on the principle of least privilege?
• Is there a formal provisioning and deprovisioning process?
• Are privileged access accounts separately managed and controlled?
• Is there a formal management process in place to control allocation of secret authentication information?
• Do you perform periodic user access reviews?
• Are complex passwords required?
• Are privileged utility programs restricted and monitored?
• Is access to the source code of the Access Control System protected?

A.10 Cryptography – Defines requirements for cryptographic controls and key management.

Sample Questions to Consider:
• Is there a policy on the use of cryptographic controls?
• Is there a cryptographic key management policy?

A.11 Physical and Environment Security

Sample Questions to Consider:
• Are sensitive or critical information areas segregated and appropriately controlled?
• Do secure areas have suitable entry control systems to ensure only authorized personnel have access?
• Are environmental hazards identified and considered when equipment locations are selected?
• Is there a UPS system or backup generator?
• Is there a rigorous equipment maintenance schedule?
• Is there a process controlling how assets are removed from site?
• Does the organization have a policy around how unattended equipment should be protected?

A.12 Operations Security – Defines requirements for security operations such as system security, backup, logging, malware, and vulnerability management.

Sample Questions to Consider:
• Is there a controlled change management process in place?
• Is there a capacity management process in place?
• Does the organization enforce segregation of development, test and operational environments?
• Are processes to detect malware in place?
• Is there an agreed backup policy?
• Are appropriate event logs maintained and regularly reviewed?
• Are sysadmin / sysop logs maintained, protected and regularly reviewed?
• Is there a vulnerability management program?
• Is there a process to risk assess and react to any new vulnerabilities as they are discovered?
• Do you perform penetration tests?

A.13 Communications Security – Defines requirements for network security and information transfer.

Sample Questions to Consider:
• Is there a network management process in place?
• Does the organization implement a risk management approach which identifies all network services and service agreements?
• Is security mandated in agreements and contracts with service providers (in house and outsourced)?
• Are security related SLAs mandated?
• Does the network topology enforce segregation of networks for different tasks?
• Do organizational policies govern how information is transferred?
• Are relevant technical controls in place to prevent non-authorized forms of data transfer?
• Do contracts with external parties and agreements within the organization detail the requirements for securing business information in transfer?
• Do security policies cover the use of information transfer while using electronic messaging systems?

A.14 System Acquisition, Development and Maintenance – Defines requirements for security in the system development and change management lifecycle.

Sample Questions to Consider:
• Are information security requirements specified when new systems are introduced?
• Are controls in place to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay attacks?
• Are there policies mandating the implementation and assessment of security controls?
• Is there a formal change control process?
• Is there a policy in place which mandates when and how software packages can be changed or modified?
• Do all projects utilize the secure development environment appropriately during the system development lifecycle?
• Where systems or applications are developed, are they security tested as part of the development process?

A.15 Supplier Relationships – Defines requirements for security as related to vendors.

Sample Questions to Consider:
• Is information security included in contracts established with suppliers and service providers?
• Is there an organization-wide risk management approach to supplier relationships?
• Are suppliers provided with documented security requirements?
• Is supplier access to information assets & infrastructure controlled and monitored?
• Are suppliers subject to regular review and audit?

A.16 Information Security Incident Management – Defines requirements for management of security incidents.

Sample Questions to Consider:
• Are management responsibilities clearly identified and documented in the incident management processes?
• Is there a process for reviewing and acting on reported information security events?
• Is there a process for reporting of identified information security weaknesses?
• Is there a process to ensure information security events are properly assessed and classified?
• Is there a forensic readiness policy?

A.17 Information Security Aspects of Business Continuity Management – Defines requirements for information security continuity and redundancies.

Sample Questions to Consider:
• Do BCP/DR Policies exist?
• Do you perform a BIA?
• Do you perform BCP/DR testing?
• Are systems redundant to ensure availability?

A.18 Compliance – Defines requirements for legal and contractual requirements.

Sample Questions to Consider:
• Has the organization identified and documented all relevant legislative, regulatory or contractual requirements related to security?
• Does the organization keep a record of all intellectual property rights and use of proprietary software products?
• Does the organization monitor for the use of unlicensed software?
• Are records protected from loss, destruction, falsification and unauthorized access or release in accordance with legislative, regulatory, contractual and business requirements?
• Is personal data protected in accordance with relevant legislation?
• Are cryptographic controls protected in accordance with all relevant agreements, legislation, and regulations?
• Is the organization’s approach to managing information security subject to regular independent review?
• Is the implementation of security controls subject to regular independent review?
• Does the organization regularly conduct technical compliance reviews of its information systems?

Authoritative Guidance

ISO 27001 is accompanied by ISO 27002 which provides detailed implementation guidance for the 114 controls.

Annex A Controls | Did you Know?

Did you know that you can achieve ISO 27001 certification even if some controls are not currently implemented? It is a common myth (and often costly) that all controls must be implemented. Contact a professional to learn more about the nuances to ISO 27001 implementation and how to achieve certification.

The Certification Process

If you are considering ISO 27001 certification and would like to understand the process in detail, check out Part 3 in our whitepaper series where we cover the ISO 27001 certification process in detail.

If you would like assistance with guided implementation and certification, risk3sixty can help. Following risk3sixty’s guided implementation process, our clients have a 100% ISO 27001 certification success rate. We can assist with every step of the project from complete implementation, auditor selection, and working directly with the auditor during the certification process.

100% Certification Success Rate
100% three-year client retention
Our clients consistently report 50% faster implementation
Supported by a complete team of security and compliance experts
Leveraging our audit workflow platform Phalanx, we save our clients an average of 50% over attempting to implement ISO 27001 without assistance
Our firm is peer reviewed for rigorous quality standards by an independent CPA firm (read our results here).
ISO 27001 Certification Process (Part 3)

A Step-By-Step Overview of the ISO 27001 Certification Process

Bottom Line Up Front

Cybersecurity is a business problem impacting the livelihoods of companies and their owners. As a result, Leadership must take steps to proactively mature their information security posture and articulate their security posture to current and prospective customers.
time and trying to understand the scope of what needs to be done to implement an ISMS can be daunting and confusing.

It is helpful to think about these requirements as being a part of one of three buckets or workstreams:

1. Policies and procedures,
2. Risk Assessment (Risk Management), and
3. Internal Audit.

Policies and Procedures

Included in the policies and procedures workstream are the following items:

• ISMS Document – This document contains the context, requirements, and scope of the organization’s ISMS and aligns with Clauses 4-10.
• Security Policies and procedures – Depending on how the organization chooses to document its security policies, this may be a master security policy or a baseline security policy with derivative policies on specific topics, such as access control, cryptographic controls, and change management.
• Statement of Applicability (SoA) – This document identifies the security controls that are to be included in the ISMS; justifies the choice of included controls; whether they are implemented or not; and justifies the excluded controls from Annex A.

Risk Management

The Risk Management workstream satisfies components of Clauses 6.1.1-6.1.3, 8.2, and 8.3 and includes the following elements and attributes: defined risk assessment approach and methodology, risk identification, estimation, evaluation, treatment, and acceptance. This workstream is of particular importance because information security risk management is the core element of an ISMS and chief driver of many of the other requirements and activities associated with implementing and maintaining an ISMS (e.g. an input for producing the SoA).

It is useful to note that ISO 31000 is a generic framework on Risk Management and ISO 27005 is an adaption of the ISO 31000 framework for Information Security. ISO 27005 explains in detail how to conduct a risk assessment and risk treatment, and is also aligned with ISO 27001 requirements. Both ISO 31000 and ISO 27005 may be helpful in guiding an organization to adopt a right-sized risk management program.

If an organization does not feel it has the adequate knowledge and resources to implement a risk management program, that organization may seek out a third party to conduct the risk assessment and implement this workstream; this is common, even among large organizations, who may have the resources but not necessarily have the experience to implement an end-to-end risk management program that meets ISO 27001 requirements.

• Risk Management Policy
• Annual Risk Assessment (Report)
• Current Risk Register (Risk Treatment Plan)

Internal Audit

The Internal Audit workstream satisfies Clause 9.2 and includes the following elements and attributes:

• Internal audit program with a defined role for the internal audit function and specified responsibilities,
• Establish independence, objectivity, and impartiality of the internal audit function,
• Plan audit activities,
• Manage and allocate resources,
• Create an audit procedure,
• Perform audit activities,
• Report on audit findings, and
• Nonconformity follow-up activities.

Included in the internal audit activities is the testing of the ISMS, covering Clauses 4-10 and the Annex A controls. Since not all organizations have an independent, objective, and impartial internal audit function capable of auditing the ISMS, organizations may outsource this internal audit requirement to a third-party organization.

Documents associated with this workstream include:

• Audit charter
• Audit procedures
• Internal Audit Report
• Nonconformity follow-up report
• Audit records

Now that you have a basic understanding of the ISO 27001 framework, let us review a few of the business reasons adoption of the ISO 27001 framework may make sense for your organization.

The Business Case
The ‘Why’ Behind Certification

(If you would like a comprehensive business case for adopting ISO 27001, read part 1 of our ISO 27001 whitepaper series.)

If you are trying to help your organization decide if formal ISO 27001 certification is right for it, here are a few of the business reasons organizations move forward with certification.

1. Create a world-class Information Security Program – ISO 27001 certification is increasingly becoming a standard certification obtained by successful companies who take information security seriously and want to communicate that.

2. Enable Business Development (Sales) – In today’s connected world, companies know that prospects will be asking questions around information security, and that vendor scrutiny can slow down the sales cycle. An ISO 27001 certification may enable sales teams to lead with security and compliance and close deals faster.

3. Meet Partner/Client Requirements – Some companies specifically require that their vendors obtain an ISO 27001 certification to demonstrate
adherence to and compliance with information security best practices.

[Certification timeline graphic: Scope and Plan: agree on scope and detailed timeline requirements; 30 days waiting on final certification.]

Step 1: Scope and Plan

improvement areas are where you want to focus your attention.

• Detailed remediation timelines,
• Clear ownership of each item,
• Financial or effort analysis (if required), and
• Methods for reporting progress on remediation efforts (e.g., periodic status reports)

Tip: One common pitfall of ISO 27001 implementation is over- or mis-implementation of ISO 27001 requirements. If your organization finds itself spending $100,000 to solve a $10,000 problem, pause and ask if it is necessary. These errors in interpretation can cost far more than the certification itself.

Step 4: Program Implementation

Program implementation is where the organization executes against the remediation roadmap. Common activities include:

• Formalizing an ISMS document,
• Formalizing a governance structure,
• Executing a risk assessment,
• New or updated policies,
• Updates to existing technology or configuration settings,
• Implementation of security tools, and
• Formalizing an internal audit process.

Once implementation is complete and your organization feels confident ISO 27001 requirements have been satisfied, it is time to pursue certification.

Self vs. Guided Implementation Options

There is one other important consideration your organization should contemplate when pursuing implementation: Do you want to do it yourself or do you need a guide?

As a planning factor, consider the following for a mid-size organization:

Option 1: Self-Implemented ISO 27001 Program

Some organizations may choose to implement ISO 27001 with existing internal resources. If an organization chooses to implement ISO 27001 themselves, here are a few considerations:

• Best Fit: Self-implementation is the best fit for organizations with dedicated security and compliance resources with the knowledge, desire, and expertise to interpret and implement security frameworks.
• Effort: 1,500-2,000 man-hours spread across the team, including security, engineering, operations, and leadership.
• Internal Resources: 1-2x strong project managers (one ISO 27001 Lead Implementer is preferred); buy-in from senior leadership; support from all departments.
• Time: 6-18 months. It is rare to see an ISMS implemented in under 6 months unless the organization is already mature, has implemented security controls, and is
demonstrating compliance with another security/compliance framework (e.g. SOC 2, PCI DSS).
• Challenges: Organizations implementing ISO 27001 themselves will need to be able to accurately interpret the (sometimes unclear) requirements outlined in the ISO 27001 standard. This can be challenging if internal resources are also tasked with a full plate of existing responsibilities. ISO 27001 can also be a significant distraction from core responsibilities, so be sure your resources are bought in on dedicating time and effort to building an ISO 27001 program.

and support from and access to all departments.
• Benefits: Leveraging an advisor to implement ISO 27001 will help expedite the implementation process by eliminating the guesswork. (At risk3sixty, we have a 100% certification success rate.) The advisor also eliminates distractions, allowing your employees to focus on core business activities.
• Challenges: The advisor will need to be able to gain the trust of the organization to implement the program effectively. This will require top-level leadership’s support.

For a typical SaaS organization of 100-500 people, with 1-2 locations, you can expect an audit duration of 1-2 weeks and certification costs ranging from $25-$55k.

Step 1 – Certification Body Selection

The first step in obtaining ISO 27001 certification is selecting a certification body.

ISO 27001 certification can only be performed by an accredited certification body. A list of ANAB-accredited certification firms can be found on the ANAB directory.

The certification body will require an application letter outlining the certification scope to provide a formal quote.

Here is a guide on vendor and partner selection that may be helpful.

Step 2 – Scoping and Planning

Your organization will work with the certification body to define the certification scope and a detailed timeline of events. This will include:

If you are leveraging an implementation partner, like risk3sixty, we will have a pre-audit preparatory checklist to ensure the audit is executed successfully with minimal burden to your organization.

Step 3 – Stage 1 Audit

The Stage 1 audit helps the auditor validate you are ready for ISO 27001 certification.

The Stage 1 audit is typically 1 day in duration and consists of providing the auditor 20-30 documents for their review. The auditor uses the Stage 1 audit to validate your organization is ready for a full ISO 27001 certification audit.

The audit is typically virtual, with the auditor and the ISO 27001 program manager in attendance. The auditor will review policies, risk assessment results, and results of the internal audit, and discuss how the organization is addressing key elements of the ISO 27001 framework.

Upon successful completion of the Stage 1 audit, the certification body will proceed to the Stage 2 audit. The Stage 2 audit is 30-45 days after the Stage 1 audit.

1 day in duration) with the auditor, the ISO 27001 program manager, and break-out sessions with various control owners.

Let’s Get Started

Programs That Leave No Doubt
(404) 692-1324

About the Authors