ISO 27001 Certification: Everything You Need to Know
With bad actors targeting sensitive data, many organizations are looking for new ways to monitor and improve their data security. Enter ISO 27001. ISO 27001 certification is a useful way to establish credibility with stakeholders, customers, and partners, and in turn helps demonstrate your organization’s commitment to cybersecurity.
Of course, like most standards, the certification process can seem daunting at first glance. Here’s what you need to know before your organization decides to pursue an ISO 27001 certification.
What is ISO 27001?
ISO/IEC 27001 was first published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in October 2005, revised in 2013, and revised again in 2022; the current edition is ISO/IEC 27001:2022. It focuses on building a strong information security management system (ISMS) within organizations.
As one of the most widely used security frameworks around the world, ISO 27001 is a risk-driven standard that focuses on data confidentiality, integrity, and availability. The standard aims to help organizations take a stronger, more holistic approach to data security.
What are the benefits of ISO 27001 Certification?
- Defines responsibilities and business processes for information security
- Builds a culture of information security and diligence
- Reduces the potential for security incidents through implemented controls specific to your unique risks and assets
- Meets additional security compliance requirements
What is the difference between ISO 27001 and SOC 2?
ISO 27001 and SOC 2 are two of the most popular cybersecurity assessments that verify an organization’s ability to mitigate risk and protect information. However, the two standards are not interchangeable.
SOC, or System and Organization Controls, is a framework developed by the American Institute of Certified Public Accountants (AICPA) with the aim of providing regular, independent attestation of the controls that an organization has implemented to mitigate information-related risk. There are three types of SOC audits: SOC 1, SOC 2, and SOC 3, although SOC 2 has become the de facto standard for cybersecurity.
Difference #1: Certification vs. attestation
The biggest difference between ISO 27001 and SOC 2 is that ISO 27001 is an audit process that results in a certification, while SOC 2 is an audit process that results in an attestation report. In an attestation report, a third-party assessor documents a conclusion about the reliability of a written statement over a prior time period. ISO 27001 certifications, on the other hand, are issued by an accredited certification body, carry the International Accreditation Forum (IAF) seal, and are valid for three years.
Difference #2: Global reach
ISO 27001 is an international standard that is used as the principal cybersecurity standard throughout the world. SOC 2 is an American-born standard, and although it is gaining popularity in Europe, it has yet to have the same global reach as ISO 27001.
Difference #3: ISMS vs. Trust Service Criteria (TSC)
ISO 27001 focuses on the development and maintenance of an Information Security Management System (ISMS). In order to earn an ISO 27001 certification, an organization must implement all of the clauses and controls of the framework within the scope of its ISMS. The organization is then issued a pass or fail result for the audit. Organizations need to implement, maintain, and continually improve the ISMS in order to achieve an ISO 27001 certification.
SOC 2 is structured around five Trust Services Criteria (TSC): Security, Availability, Confidentiality, Processing Integrity, and Privacy. For a SOC 2 audit, organizations can mostly pick which criteria they’d like to have evaluated (Security is mandatory). The final report is not pass/fail; instead, the auditor issues an opinion on the design and operating effectiveness of the controls in place for each chosen TSC.
Difference #4: Certification bodies and renewal timelines
For SOC 2, the attestation is carried out by a licensed CPA firm. ISO 27001 certifications must be carried out by an accredited ISO 27001 certification body.
Steps to ISO 27001 Certification
While the road to ISO 27001 certification is well established, it is still a multi-stage process that requires attention to detail and a generous time commitment. The five steps to ISO 27001 certification are:
- Optional Pre-Assessment
- The Stage 1 Audit
- The Stage 2 Audit
- A Surveillance Audit
- Recertification
In order to make the ISO 27001 certification process as smooth as possible, A-LIGN offers end-to-end services, from pre-assessment to ongoing audits to recertification. Our experts ensure your organization can continue to run with minimal disruption while still helping you acquire the certification you need to strengthen your security.
Step 1: Pre-assessment
The pre-assessment is designed for companies that are undergoing the certification process for the first time. This assessment is only performed on an as-needed basis but is highly recommended prior to the actual audit.
The pre-assessment involves performing a review of an organization’s scope, policies, procedures, and processes to review any gaps in conformance that may need remediation before the actual certification process begins.
Step 2: Stage 1 audit
During a Stage 1 audit, an auditor reviews an organization’s ISMS to confirm that it has been established and implemented in conformance with the ISO 27001 standard. This audit also checks whether the mandatory activities of an ISMS have been completed prior to starting Stage 2.
Upon completion, the Stage 1 audit will reveal if an organization is ready to move forward to Stage 2 or if it needs to modify its policies, procedures, and supporting documentation before proceeding.
Step 3: Stage 2 audit
The Stage 2 audit tests the conformance of an organization’s ISMS against the ISO 27001 standard. Upon completion of Stage 2, A-LIGN will determine if an organization is ready for certification.
If any nonconformities were identified during the audit, they will need to be remediated by the organization before a certificate can be issued.
Step 4: Surveillance audit
The ISO 27001 certification process doesn’t simply end after a certificate has been issued. For the two years following certification, A-LIGN will conduct annual surveillance audits to ensure an organization’s ongoing conformance with the ISO 27001 standard. This step ensures your cybersecurity practices keep operating at the highest possible level.
Step 5: Recertification
An ISO 27001 certification is valid for three years after the certificate’s issue date. Organizations need to recertify before the certificate’s expiration date or they will be required to begin the certification process again. Recertification audits combine the Stage 1 and Stage 2 audits into one seamless audit.
How do I choose an assessor?
Once an organization decides to pursue an ISO 27001 certification, it must then decide which path to take toward certification. This initial step in the process means choosing a certification body (CB).
A CB is an organization that provides certifications against a chosen standard. These organizations come in two forms: accredited and unaccredited.
Although the processes followed by accredited and unaccredited certification bodies are similar, there are enough differences that organizations should weigh the risks of using an unaccredited certification body before they begin pursuing ISO 27001 certification.
Accredited certification bodies
Accredited CBs must complete a rigorous evaluation process through an accreditation body. This is done to ensure the certification audits a CB conducts are performed in accordance with the audit requirements.
The evaluation process involves reviewing the competence of the audit team, the audit methodology used by the CB, and the quality control procedures the CB has in place to ensure both the audit and the report are completed accurately. This can minimize the risk of failing to receive certification.
Organizations that use an accredited CB for certification will receive their ISO 27001 certificates with the accreditation body and IAF seals represented on the certificate. These marks mean the certification body holds an accreditation certificate that is accepted worldwide.
Unaccredited certification bodies
Because accreditation is not compulsory, a lack of accreditation does not always mean the certification body is not reputable. Accreditation, however, does provide an independent confirmation of competence. An unaccredited CB is not audited to confirm its compliance with IAF certification audit requirements.
Oftentimes clients will only accept ISO 27001 certificates from accredited certification bodies. It is important for organizations to check if their clients have any specific accreditation requirements before they begin their certification process.
Common pitfalls
All certification processes come with the chance of not being approved for certification, and ISO 27001 is no exception. Here are some of the most common ISO 27001 pitfalls organizations fall into, along with how you can avoid making the same missteps.
Pitfall #1: Failing to schedule the internal audit and management review
Both the internal audit and management review are critical to the success of the ISMS, as the internal audit feeds into the management review, and then both feed into the continuous improvement cycle.
However, the certification process can be easily disrupted if the internal audit and management review are not scheduled within the proper time frame. Organizations should make sure their internal audit is scheduled well in advance of the certification audits so that the management review and continuous improvement activities have enough time to be completed. The internal audit and management review of the ISMS must be completed prior to the Stage 2 audit.
A-LIGN starts the surveillance audit approximately nine months after receiving initial certification. This means an organization would start the next internal audit six to seven months after certification.
Pitfall #2: Changes in key personnel
In most cases, the ISMS is implemented by one person who fields many of the questions during an audit and takes overall responsibility for the ISMS. If this person leaves their role, the ISMS can fall apart.
Organizations need to ensure they have a backup person who has at least a basic understanding of the ISMS. Even if this person never has to step up and take over the process, having an established transition process ahead of time can alleviate potential headaches down the line. Detailed documentation is key to this transition and will help ensure the new ISMS Manager can continue carrying out the required processes.
Pitfall #3: Failing to be vigilant
ISO 27001 defines ongoing processes that should be in place throughout the year, not just during the audit itself. Management controls, which include periodic meetings, documented approvals for decisions, recording meeting minutes of oversight committees, etc., require maintenance for the ISMS to continue to function.
It is easy to fall into a period of false security and let oversight slip. Organizations should make sure their ISMS is a living process that is built into their day-to-day so that it continues to function as designed after certification is received.
Pitfall #4: Not considering environmental changes
ISO 27001 requires that all changes in the environment be considered through the risk assessment process. It also requires new or modified controls to be reflected in the statement of applicability.
The certification body you choose must also be notified and a new certificate issued if there are changes to the scope or statement of applicability.
When changes in the environment may impact the scope of certification, it is necessary to review and update the ISMS documentation to ensure it correctly reflects the environment post-change.
What is ISO 27701?
Acting as an extension of ISO 27001, ISO 27701 is the first international privacy standard to provide a certification path for organizations to demonstrate their privacy systems and controls.
The ISO/IEC 27701:2019 standard was first published in 2019. It details the requirements and guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS). Although this standard is most relevant for personally identifiable information (PII) controllers and processors, it can also be used by organizations of any kind, size, and location. An important thing to remember is that most organizations are at the very least a controller of their employees’ data.
To receive an ISO 27701 accredited certificate, organizations must either already have ISO 27001 certification or must undergo the ISO 27001 certification audit with the extension of ISO 27701.
Why organizations may want to pursue ISO 27001 and ISO 27701
Outside of simply gaining a better understanding of the PIMS implementation process, there are multiple benefits that come from pursuing ISO 27701 and ISO 27001. Combining the two certifications:
- Streamlines compliance obligations for ISO 27001 and the GDPR by integrating privacy directly into an organization’s ISMS
- Helps organizations stand out from the competition and attract new customers by adding an increased level of security and privacy to the organization
- Maintains peace of mind for current customers, as they know their personally identifiable information (PII) is protected
- Helps organizations avoid potential fines, especially as the enforcement of privacy protection continues to increase
The underlying, foundational framework of ISO 27001 creates a strong ISMS. Alongside the ongoing PIMS improvement structure of ISO 27701, organizations can benefit from combining the two and ensuring a certifiable commitment to privacy controls.
As one of a few ANAB accredited certification bodies, A-LIGN can issue ISO 27701 certification globally.
What are the ISO 27001 controls and requirements?
The ISO 27001 requirements provide a clear framework for protecting and managing valuable data and information. In the 2013 version of ISO 27001, the Annex A controls were organized into 14 domains. In the 2022 update, the 93 controls are instead grouped into four themes:
- Organizational controls (A.5, 37 controls)
- People controls (A.6, 8 controls)
- Physical controls (A.7, 14 controls)
- Technological controls (A.8, 34 controls)
Below is a summary of the controls that are new in the 2022 Annex A:
- A.5.7 Threat Intelligence: This control requires organizations to gather and analyze information about threats, so they can take action to mitigate risk.
- A.5.23 Information Security for Use of Cloud Services: This control emphasizes the need for better information security in the cloud and requires organizations to set security standards for cloud services and have processes and procedures specifically for cloud services.
- A.5.30 ICT Readiness for Business Continuity: This control requires organizations to ensure information and communication technology can be recovered/used when disruptions occur.
- A.7.4 Physical Security Monitoring: This control requires organizations to monitor sensitive physical areas (data centers, production facilities, etc.) to ensure only authorized people can access them, so that the organization becomes aware of any breach.
- A.8.9 Configuration Management: This control requires an organization to manage the configuration of its technology, to ensure it remains secure, and to avoid unauthorized changes.
- A.8.10 Information Deletion: This control requires the deletion of data when it’s no longer required, to avoid leaks of sensitive information, and to comply with privacy requirements.
- A.8.11 Data Masking: This control requires organizations to use data masking in accordance with the organization’s access control policy to protect sensitive information.
- A.8.12 Data Leakage Prevention: This control requires organizations to implement measures to prevent data leakage and disclosure of sensitive information from systems, networks, and other devices.
- A.8.16 Monitoring Activities: This control requires organizations to monitor systems for unusual activities and implement appropriate incident response procedures.
- A.8.23 Web Filtering: This control requires organizations to manage which websites users access, to protect IT systems.
- A.8.28 Secure Coding: This control requires secure coding principles to be established within an organization’s software development process to reduce security vulnerabilities.
How does ISO 27001 relate to GDPR compliance?
Achieving ISO 27001 certification can cover many aspects of the General Data Protection Regulation (GDPR), but a standard can never fully substitute for a regulation. While ISO 27001 does not equal GDPR compliance, it’s a great starting point!
How much does certification cost?
On average, organizations will pay $15,000+ for the audit itself (depending on its duration and other factors), plus roughly 60% of the total audit cost per year for maintenance and continuous improvement.
How long is ISO 27001 Certification valid?
ISO 27001 certifications are valid for a three-year period with annual surveillance audits.
What’s an example of ISO 27001 in the real world?
Below are customer case studies in which the organization earned ISO 27001 Certification to drive revenue, build customer trust, and better their security posture.
- LinenMaster Works with A-LIGN to Earn ISO 27001, SOC 2, Gap Assessments and Penetration Testing
- TrialCard Completes ISO 27001 Certification
- Plutoshift Utilizes A-LIGN to Earn SOC 2 Report and ISO 27001 Certification
- eventcore Earns SOC 2 Report and ISO 27001 Certification, Further Gaining Client Trust
Getting started with ISO 27001
ISO 27001 is a longstanding cybersecurity framework used to build an ISMS within your organization. This internationally recognized framework is a risk-driven standard focusing on the confidentiality, integrity, and availability of the data in your environment.
As an accredited ISO 27001 certification body, A-LIGN can provide your organization with the experience and guidance needed to achieve certification.