In order to work successfully and securely in the age of digitalisation, companies need to meet high standards of information security. The International Organization for Standardization (ISO), together with the International Electrotechnical Commission (IEC), has published a standard for information security in companies, and enterprises that comply with it can obtain a corresponding certificate. The standard was developed by internationally recognised information security experts and describes a methodology for building and running an information security management system.

What Is ISO 27001?

The international standard ISO 27001 gives companies and organisations a benchmark for information security. It is written so that company size and industry play no role in its implementation. Once the requirements are met, an organisation can also obtain ISO 27001 certification, which it can use to demonstrate to customers and business partners that it is trustworthy and takes information security seriously.

Definition: ISO 27001

The international standard ISO/IEC 27001 specifies information security requirements for private, public and non-profit organisations. It sets out the requirements for establishing, implementing, maintaining and continually improving a documented information security management system (ISMS).

Advantages of ISO 27001 for Companies

The advantages for companies fall into four areas. First, the standard provides a basis for meeting statutory regulations. Second, the certificate can provide a competitive edge, since not every company is certified to ISO 27001: a certified company can prove to its customers that it handles sensitive information securely. Third, compliance with the standard reduces the risk of information security incidents. Fourth, because such incidents typically carry financial costs, ISO 27001 can also help save money.

In addition, working towards ISO 27001 certification optimises a company's processes: defining the main business processes in writing reduces the time staff lose to unclear responsibilities.

Additional benefits include:

  • Reduced business risks
  • Reduced liability risks
  • Lower insurance premiums
  • Reliable detection of problems and threats

ISO 27001: Essential Components

The ISO 27001 standard comprises multiple parts. Its foundation is the ISO/IEC 27001 standard first published in 2005. This was thoroughly revised in 2013 and supplemented by a second part, a catalogue of controls. This catalogue appears as Annex A to the standard and lists the reference controls an organisation must consider when treating its risks. The standard can thus be divided roughly into three sections: the introductory chapters, the normative main body that follows them, and the annex mentioned above. A further revision, ISO/IEC 27001:2022, restructured Annex A; organisations certified against the 2013 edition have to transition to it.

The normative main body is decisive for certification according to ISO 27001: it contains the mandatory requirements an ISMS must satisfy. Annex A, by contrast, states the objectives of the controls but not how to implement them; implementation guidance is provided separately in ISO/IEC 27002. Both parts rest on the three pillars of confidentiality, integrity and availability.

To simplify implementation, ISO 27001 shares its high-level structure and core principles with other ISO management system standards, such as ISO 9001 for quality management. Organisations that already know such a standard will find these parallels helpful when implementing the ISO 27001 requirements.

What Requirements Are There for Certification?

The requirements of ISO 27001 changed considerably in the 2013 edition compared with the first version from 2005. The general structure of the standard was not only altered but also tightened to a large extent.

ISO 27001 follows a process-oriented approach to implementing an information security management system (ISMS). The 2005 edition explicitly referenced the Plan-Do-Check-Act (PDCA) model; since 2013 this is no longer mandatory, although the requirements still follow that cycle in substance. The requirements apply to organisations of all sizes and types.

ISO 27001 requires an organisation to determine all external and internal issues that affect its ability to achieve the intended outcomes of its ISMS. These primarily include corporate culture, the operating environment, regulatory requirements, contractual and legal obligations, and governance guidelines. Top management must define the information security policy and assign the responsibilities and authorities for implementing the requirements. The organisation must also commit to raising awareness of information security throughout the entire organisation.

Planning also plays a key role in ISO 27001 certification. The requirements include assessing the organisation's specific information security risks and developing a risk treatment plan. Responsibility for identifying the risks and deciding how to treat them lies solely with the organisation. The standard further requires the organisation to provide the resources needed to establish, implement, maintain and continually improve the ISMS, and to document the ISMS. Performance must be evaluated at defined intervals: the organisation has to monitor, measure, analyse and evaluate the effectiveness of its ISMS, carry out internal audits, and have management review the results, each at planned intervals.

A catalogue of the most important information as well as an annex containing the most relevant changes since 2013 can be found on the Dekra website. Once the ISMS is set up, the organisation's information assets are classified. Classification likewise follows the three principles of confidentiality, integrity and availability. ISO 27001 requires that information be classified but does not prescribe a particular scheme; a common approach, shown here, uses three levels defined by the damage a breach would cause and by how long it may be tolerated.

Level 1 covers public documents, for example, whose falsification would cause relatively insignificant damage to the company, up to about 500 pounds. At this level, even an outage or breach lasting more than a week would scarcely cause significant damage to the organisation.

Level 2 encompasses internal company documents such as invoices and payroll files. Here a breach of confidentiality, integrity or availability would cause moderate financial damage of up to approximately 5,000 pounds. Such an incident should not be allowed to last longer than 24 hours.

Finally, Level 3 covers highly sensitive internal company documents. Falsification of these documents would cause damage above the 5,000-pound threshold, and an incident of this kind must not be allowed to last longer than three hours.

Implementation of the Standard and Subsequent Certification

Implementing the ISO/IEC 27001 standard requires certain steps that do not apply identically in every company. Depending on the organisation there may be unique challenges, and every ISMS has to be adapted to its particular case. The following section therefore explains the steps that apply to most organisations regardless of industry.

The first step towards successful certification is to secure the support and commitment of top management. Management needs to prioritise the implementation of the ISMS and clearly define the objectives of the information security policy for all members of staff.

Next, the core elements of the information security policy are defined. The organisation sets the goals of this policy and provides the strategic direction for its information security principles. The policy then serves as the framework for everything that follows.

Once the information security policy has been established, the organisation defines the scope of the ISMS. It is important to specify every aspect of information security that the ISMS is to cover: which sites, business processes, systems and data are in scope. A risk assessment for information security should also be carried out. It identifies the threats that need to be considered and must therefore address the weaknesses of the current systems and processes.

To reduce the identified risks, the organisation then selects suitable controls. The result is a catalogue of controls, recorded in the Statement of Applicability, that is continuously monitored and adjusted as necessary. After implementation, the organisation carries out a preliminary internal audit before the actual certification audit. This preliminary audit is intended to uncover weaknesses and issues that could negatively affect the outcome of the certification audit; any nonconformities with ISO 27001 should be resolved before it.

The final step is the certification audit itself. An independent, accredited certification body examines the ISMS in place and delivers its assessment. In practice the audit has two stages: a review of the ISMS documentation (Stage 1), followed by an on-site assessment of whether the ISMS operates as documented (Stage 2). If the ISMS fulfils the requirements of ISO 27001, the audit is passed and the certification body issues the certificate.

Passing the initial audit is not enough, however. The certificate is valid for three years, during which the certification body performs regular surveillance audits, typically once a year, to confirm that the requirements of the standard are still being met. At the end of the three-year cycle a recertification audit is carried out; only if the surveillance audits and the recertification audit are passed does the independent certification body renew the certificate for another three years.

Certification Costs

The costs of successful certification always depend on the individual situation of the organisation. Cost factors such as training and specialist literature, external consultancy and technology play a major role. The organisation should also not forget that the time staff spend being inducted into the new processes costs money. Finally, there are the fees for the certification itself.

Certification fees vary with the size of the organisation and are largely determined by the number of auditor days required for the certification audit. For an SME, the audit effort typically amounts to around ten working days; larger companies and corporations will accordingly need to allow for more time and a bigger budget. The recurring surveillance audits also have to be budgeted for over the life of the certificate.
