In order to work successfully and securely in the age of digitalisation, companies need to meet high standards of information security. The International Standardisation Organisation (ISO) has created a standard for information security in companies. Enterprises that comply with this standard can obtain a corresponding certificate. This certification was developed by renowned, globally recognised experts for information security. It describes a methodology that companies should implement to ensure a high level of information security.


What Is ISO 27001?

The international standard ISO 27001 allows companies and organisations to follow a benchmark for information security. The standard is structured so that company size and industry play no role at all for implementation. Once the requirements are satisfied, it’s also possible to obtain ISO 27001 certification. Using this certificate, a company can demonstrate to customers and business partners that it is trustworthy and takes information security seriously.

Definition: ISO 27001

The international standard ISO 27001 governs information security in private, public or non-profit organisations. It describes the requirements for establishing, realising, operating and optimising a documented information security management system.

Advantages of ISO 27001 for Companies

The advantages for companies relate to four different areas. First, this certification offers a basis for implementing statutory regulations. Second, the certificate can provide a competitive edge, since not all companies are certified according to ISO 27001; companies that hold this certificate can prove to their customers that they handle sensitive information securely. Third, compliance with the standard reduces the risk of information security failures. Fourth, ISO 27001 can therefore also contribute to saving costs, since such incidents are typically associated with financial expenses.

Plus, ISO 27001 certification optimises processes in a company. The idle time of staff is minimised by defining the main company processes in writing.

Additional benefits include:

  • Reducing business risks
  • Minimising liability risks
  • Lower insurance premiums
  • Reliable problem and threat detection

ISO 27001: Essential Components

The ISO 27001 standard comprises multiple parts. Its foundation is the ISO/IEC 27001 standard created in 2005. This was thoroughly revised in 2015 and amended by another catalogue, the second part. This part is represented as an annex to the standard and describes the updated changes in detail. The standard can be divided roughly into three sections: the introductory chapters, the actual main body that follows them, and the annex mentioned above, which rounds off the standard.

The normative main body is critical for the certification according to ISO 27001. This is where the objectives of the measures are precisely explained. But these measures aren’t instructions for implementing the requirements; instead they’re intended as suggestions for successful implementation. These suggestions are largely based on the pillars of confidentiality, availability, and integrity.

To simplify the processes and implementation, ISO 27001 also adopts principles from other standards. These parallels with other standards, which you may already know, help and encourage organisations when implementing ISO 27001 requirements.

What Requirements are there for Certification?

The requirements of ISO 27001 changed considerably in 2013 compared to the first version from 2005. The general structure of the standard was not only altered but also tightened to a large extent.

The ISO 27001 standard follows a process-oriented approach in the implementation of an information security management system (ISMS). While an explicit reference to the PDCA model was included in the earlier version, this is no longer mandatory. The requirements apply to organisations of all sizes and types.

ISO 27001 stipulates that companies must define and consider all external and internal topics that affect their ability to successfully implement an ISMS. These primarily include the corporate culture, environmental conditions, regulatory requirements, contractual and legal obligations, as well as governance guidelines. ISO 27001 expects the top management of an organisation to define the information security policy as well as the responsibility and competencies for implementing the requirements. Moreover, the company must commit to raising awareness for information security throughout the entire organisation.

Planning also plays a key role in ISO 27001 certification. For instance, the requirements include assessing specific information security risks for the organisation as well as developing an action plan. The responsibility for determining the risks and their prevention lies solely with the organisation. What’s more, the standard stipulates that the company must make resources available to safeguard continuous improvement as well as maintenance and realisation of the ISMS. The ISMS also needs to be carefully documented. Performance assessments must likewise be prepared at defined intervals. Companies need to review, measure and analyse the effectiveness of their ISMS – likewise at set intervals.

A catalogue of the most important information as well as an annex containing the most relevant changes since 2013 can be found on the Dekra website. As soon as the ISMS is set up, the company's assets are classified. This classification also follows the three principles of confidentiality, integrity, and availability, and is divided into three levels.

Level 1 covers public documents, for example, whose falsification would cause relatively insignificant damages for the company of up to 500 pounds. This level applies to documents for which even a continued violation of the ISO standards lasting over a week would scarcely result in significant damages to the organisation.

Level 2 encompasses internal company documents, such as bills and payroll files. Here, violations against the ISO information security standard would result in moderate financial damages of up to approximately 5,000 pounds. Such an incident should not be permitted to last longer than 24 hours.

Finally, Level 3 covers highly sensitive, internal company documents. Falsification of these documents would result in damages over the 5,000-pound threshold. This type of incident cannot be permitted to last longer than three hours.

Implementation of the Standard and Subsequent Certification

Implementing the ISO/IEC 27001 standard requires certain steps that aren’t identically applicable in every company. Depending on the organisation, there may be unique challenges and every ISMS has to be adapted to the respective case. In the following section, we’ll therefore explain the steps that apply to most organisations regardless of industry.

The first step for successfully certifying the company is to ensure the support and commitment of top management. Management needs to prioritise the successful implementation of an ISMS and clearly define the objectives of the information security policy for all members of staff.

After doing this, certain elements of the information security policy should be defined. The organisation sets the goals of this policy and provides the strategic focus for the principles of information security. This will serve as a framework for future developments.

As soon as the information security policy has been established, the organisation defines the areas of application for the ISMS. Here, it’s important to specify all aspects of information security that can be effectively addressed with the ISMS. A risk analysis regarding information security measures should also be prepared. This should identify the potential dangers that need to be considered. The analysis therefore needs to address the weaknesses of the current system.

And to reduce the existing risks, the organisation should then determine suitable measures. The result of this analysis is a catalogue of measures that is constantly monitored and adjusted as necessary. After successful implementation, the organisation conducts a preliminary audit that takes place before the actual certification audit. This preliminary audit is intended to uncover potential vulnerabilities and issues that could negatively affect the outcome of the real certification audit. Any areas of non-conformity with the ISO 27001 standard should be eliminated.

The final step for successfully implementing the ISO 27001 standard is to conduct the actual certification audit. An independent certifying body will now examine the ISMS in place and provide its assessment. If the plan fulfils the requirements of ISO 27001, the audit will be successfully completed and certification may go ahead. The certifying body will then issue the certificate.

However, it’s important to perform regular monitoring audits. These ensure that the requirements of the standard are still met on an ongoing basis. Monitoring audits take place every three years. The certificate will only be renewed by the independent certifying body for another three years if these monitoring audits are successful.

Certification Costs

The costs of successful certification always depend on the individual situation of the organisation. Cost factors like training and specialist literature, external support, and costs of technology play a major role. Moreover, the organisation shouldn’t forget that the induction period for staff will also cost money. There are also the costs of the certification itself.

Certification costs vary and depend on the size of the organisation. Furthermore, the costs are also determined by the number of days required for the final audit. For an SME, the work involved typically only lasts around ten workdays. Larger companies or corporations will accordingly need to allow for more time and a bigger budget.
