ISO 27001 Overview

In this article, you will find out:

  • What ISO 27001 is
  • Who needs ISO 27001 and why it’s important
  • The 3 Principles of ISO 27001
  • How to achieve compliance and helpful tools

What is ISO 27001?

ISO 27001 is the globally recognized standard for information security management systems (ISMS), jointly developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

It provides companies of any size and from all sectors with a systematic and structured approach to managing and protecting sensitive information. 

It employs a Plan-Do-Check-Act (PDCA) cycle and provides a framework for organizations to:

  • Identify and assess information security risks
  • Implement controls to mitigate risks
  • Monitor and review the effectiveness of those controls on an ongoing basis

Why is ISO 27001 Important?

With cyber-crime on the rise and new threats constantly emerging, managing cyber-risks can seem difficult or even impossible. ISO 27001 promotes a comprehensive approach that covers people (vetting prospective employees and clients), policies and technology, reducing the risk of data breaches, cyber attacks and other security incidents. Furthermore, software companies are usually required to be ISO 27001 compliant if they want to operate internationally.

Benefits of ISO 27001

  • Resilience to cyber-attacks
  • Preparedness for new threats
  • Data integrity, confidentiality, and availability
  • Security across all information media
  • Organization-wide protection
  • Cost savings

Who Needs ISO 27001?

ISO 27001 can benefit organizations of all sizes that handle sensitive information, including businesses, agencies and nonprofits. Your company will also need the certification if you’re selling services or software to international organizations and businesses that are ISO 27001 compliant or that hold sensitive data.

What Are the 3 Principles of ISO 27001?

The three principles of ISO 27001 are confidentiality, integrity and availability.

  • Confidentiality: only the right people can access the information.
    • Counterexample: hackers get hold of your clients’ login credentials and sell them on the Darknet.
  • Integrity: data is reliably stored and not erased or damaged.
    • Counterexample: a staff member accidentally deletes a row in a file during processing.
  • Availability: data is accessible whenever necessary to satisfy business purposes and customer expectations.
    • Counterexample: the enterprise database goes offline because of server problems and insufficient backup.

An information security management system that meets the requirements of ISO 27001 protects the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to stakeholders that risks are adequately managed.

What Is ISO 27001 Certification, and What Does It Mean to Be ISO 27001 Certified?

ISO 27001 certification by accredited certification bodies is one way to demonstrate your commitment and ability to manage information securely. 

Companies implementing ISO 27001 can choose to go through the certification process or simply implement the standard for best practices. ISO 27001 is prevalent around the world, with over 70,000 certificates reported in 150 countries across various sectors.

How Are ISO 27001 Certifications Obtained?

To obtain ISO 27001 certification, you’ll need to undergo a series of audits. You can search the ANSI-ASQ National Accreditation Board (ANAB) directory for a list of accredited ISO 27001 certification bodies.

Here’s what you can expect as you prepare for and achieve your certification:

Phase 1: Project Plan 

Learn the details of ISO 27001 standards & controls, assign a project lead, plan your certification timeline and get executive buy-in.

Phase 2: ISMS Scope

Decide what type of information your ISMS needs to protect. Start by asking yourself:

“What service, product, or platform are our customers most interested in seeing as part of our ISO 27001 certificate?”

Phase 3: Risk Assessment and Gap Analysis 

Conduct a risk assessment, gap analysis & remediation plan to evaluate your current security posture and identify any outstanding tasks before an audit.

Phase 4: Policies and Controls 

Determine how your organization will respond to the risks & gaps identified in Phase 3, and write your Statement of Applicability and Risk Treatment Plan.

Phase 5: Employee Security Training 

Complete formal employee security training to meet ISO 27001 requirements.

Phase 6: Evidence Collection 

Collect evidence of your processes and policies to prove to your auditor that you’ve satisfied ISO 27001 requirements. Compliance automation software for ISO 27001 can eliminate hundreds of hours of busy work by collecting this evidence for you.

Phase 7: Certification Audit 

In this phase, an external auditor will evaluate your ISMS to verify that it meets ISO 27001 requirements and issue your certification.

A certification audit happens in two stages:

  • Stage 1: auditors review your ISMS documentation to make sure you have the right policies and procedures in place.
  • Stage 2: auditors review your business processes and security controls. 

Once Stage 1 and Stage 2 audits are complete, you’ll obtain an ISO 27001 certification that’s valid for three years.

Depending on your company’s size and the complexity of the data you maintain, the certification can take months or years to complete.

Phase 8: Maintain Compliance  

Continue to monitor and improve your ISMS to maintain your ISO 27001 certification. You’ll also need to complete internal audits as well as surveillance and recertification audits.

Tools & Technologies Needed to Pass an ISO 27001 Audit 

Achieving ISO 27001 compliance often involves utilizing specialized tools and software to address specific application and data security requirements. Below, we outline some key tools and technologies that are important to be aware of. Most of these tools are also helpful for SOC 2 compliance but encompass a broader range due to ISO 27001’s comprehensive scope:

Vulnerability Scanning: the process of discovering, analyzing and reporting on security flaws and weaknesses in your computers, networks or applications. Vulnerability scanning needs to be done regularly (at least quarterly) using scanning tools. 

There are 5 types of vulnerability scanners:

  • Network-based scans: identify possible network security attacks and vulnerable systems.
  • Host-based scans: find vulnerabilities in workstations, servers or other network hosts.
  • Wireless scans: detect rogue access points and validate that a company’s network has secure configurations.
  • Application scans: identify vulnerabilities and misconfigurations in web apps.
  • Database scans: find weaknesses in databases.

Ongoing Logging & Monitoring:

Information security logging entails collecting and storing data about system and network activities, such as user logins, logouts, file access, network connections, and system events. Complete, regularly collected logs are crucial for investigating and responding to incidents. Below are some recommended logging controls:

  • Event Logging: record user activities, exceptions, faults, and information security events and regularly review them.
  • Log Storage: when managing multiple applications, it can be advantageous to consolidate the generated logs from each application onto a central server. 
  • Protection of Log Information: logging facilities and log information shall be protected against tampering and unauthorized access.
  • Log Analysis: regularly analyze event logs to promptly detect and investigate unusual behavior and errors.
  • Clock Synchronization: configure all systems with synchronized time and date settings so that events can be traced across different systems when an incident occurs.

Firewalls: hardware and software that protect against outside attackers by shielding your computer or network from malicious or unnecessary network traffic. Firewalls can be configured to block traffic from certain locations (e.g., network addresses), applications, or ports while allowing relevant and necessary traffic through.

Load Balancer: spreads requests across multiple servers, helps minimize the attack surface and defends an organization against security risks such as distributed denial-of-service (DDoS) attacks, in which attackers flood a web server with abnormally large volumes of traffic to disrupt or crash it.

Auto Scaling: a cloud computing technique for dynamically allocating computational resources. It helps protect against application, hardware, and network failures by detecting and replacing unhealthy instances while still providing application resiliency and availability.

Tabletop Disaster Recovery Exercises (TTX/TTE): group sessions in which team members discuss their roles, their responses to specific disaster scenarios and how to restore critical business operations in case of a disaster. Tabletop exercises help test your organization’s Disaster Recovery Plan and Incident Response Plan and identify weaknesses.

Penetration Testing (Pen Testing): a security assessment technique in which ethical hackers simulate real-world attacks to uncover vulnerabilities in a system or network.

Network Diagram: visualizes how network components interconnect with or are separated from each other. It helps you understand data flows, network segments and security zones, facilitating risk mitigation and the enforcement of security policies.

Network Segregation (Network Segmentation): the practice of dividing a network into multiple subnetworks to improve performance and security. By isolating the network into separate, contained parts, network segmentation makes it much harder for an intruder who compromises one segment to reach the entire network. There are several ways to segment your network, such as a combination of firewalls, Virtual Local Area Networks (VLANs), and Software Defined Networking (SDN).

Application session timeout: locks the screen after a period of inactivity (i.e., the session timeout) and requires the user to authenticate again. This limits the window in which an attacker who obtains a valid session ID can reuse it to hijack the associated session. Common idle timeouts range from 2 minutes to 30 minutes, depending on the context of the application.
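The idle-timeout behaviour described above, as an added example that is not part of the original article: an in-memory session store that expires a session after an assumed 15 minutes of inactivity (and after an assumed 8-hour absolute lifetime regardless of activity), deletes the expired entry so the old ID cannot be revived, and rotates the session ID when the user authenticates again at the lock screen. The names `SessionStore`, `touch` and `reauthenticate` are this example's own.

```python
import secrets
from dataclasses import dataclass

# Assumed limits for this example; the article cites idle timeouts of 2 to 30 minutes.
IDLE_TIMEOUT_SECONDS = 15 * 60
ABSOLUTE_TIMEOUT_SECONDS = 8 * 60 * 60

@dataclass
class Session:
    user: str
    created_at: float   # when the user last authenticated
    last_seen: float    # last request that used this session

class SessionStore:
    """In-memory session table enforcing an idle timeout, an absolute lifetime,
    and session-ID rotation when the user authenticates again."""

    def __init__(self, idle=IDLE_TIMEOUT_SECONDS, absolute=ABSOLUTE_TIMEOUT_SECONDS):
        self.idle = idle
        self.absolute = absolute
        self._sessions = {}

    def create(self, user, now):
        sid = secrets.token_urlsafe(32)  # unguessable ID from the OS CSPRNG
        self._sessions[sid] = Session(user, now, now)
        return sid

    def touch(self, sid, now):
        """Validate a presented session ID at time `now` (seconds). Returns the user
        name, or None if the session is unknown, idle-expired or past its absolute
        lifetime. Expired entries are deleted so the old ID can never be revived."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > self.idle or now - s.created_at > self.absolute:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user

    def reauthenticate(self, old_sid, user, now):
        """Called after the user re-enters credentials at the lock screen: revoke the
        old ID and issue a fresh one, so an ID captured earlier cannot be replayed."""
        self._sessions.pop(old_sid, None)
        return self.create(user, now)
```

The caller passes the current time explicitly so the expiry rules can be exercised without waiting; in a real application `now` would be `time.time()` on each request.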

Project-Specific Risk Assessment: a systematic process for evaluating the unique risks associated with individual projects within an organization. It aims to identify vulnerabilities and threats and to derive measures for risk mitigation, serving as the first step in the Secure Software Development Lifecycle (SDLC) process.

Documented Operating Procedures: operating procedures for information processing facilities should be documented and made available to personnel who need them. Your organization generally needs to document all processes and procedures, such as backups, media handling, error handling, and so on.

Quality Assurance (QA) Control Processes: organizations must integrate quality assurance procedures throughout the entire product development, manufacturing, and installation phases. The primary objective of quality assurance is to detect and rectify any flaws or issues prior to delivering the products or services to customers. This process can be structured using the Plan-Do-Check-Act (PDCA) model.

Backups: a backup procedure should be developed and implemented to ensure that all critical data, software and systems are regularly backed up and can be recovered after events such as business interruption, system failure, data loss and intrusion.

Anti-Malware Solutions: install software to detect and prevent malware on your endpoints, such as computers, laptops and mobile devices.

Intrusion Detection System: a hardware device or software app that monitors inbound and outbound network traffic to detect vulnerability exploits, policy violations, and malicious activity. 

Security Information and Event Management (SIEM): a solution that helps detect, analyze, and respond to security threats before they harm business operations. SIEM systems vary in their capabilities but generally offer these core functions:

  • Log Management: SIEM systems aggregate extensive data, arrange it, and subsequently assess whether it exhibits indications of a threat, attack, or breach.
  • Event Correlation: sort log data to identify relationships and patterns to quickly detect and respond to potential threats.
  • Incident Monitoring and Response: SIEM technology monitors security incidents across an organization’s network, issuing alerts, and conducting audits of all incident-related activities.
  • Data Encryption at Rest: encrypt data that is stored in the databases, including offline backups, and is not moving through networks. 
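The event logging, clock synchronization and log analysis controls listed earlier, and the SIEM event-correlation function listed above, come together in one small detection, added here as an example that is not part of the original article. It parses constructed SSH login events from two hosts that log in different time zones, normalizes them to UTC (the reason clock synchronization and a consistent timestamp format matter), and then flags a successful login from a source address that produced several failed logins across either host in the preceding minutes. The log lines, host names, addresses and function names are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events from two hosts. web-01 logs in local time (UTC+02:00),
# web-02 in UTC; the explicit offsets are what synchronized clocks and a consistent
# timestamp format give you, so both hosts can be placed on one timeline.
SAMPLE_LOGS = """\
2024-05-01T09:00:01+02:00 web-01 sshd: Failed password for admin from 198.51.100.7
2024-05-01T09:00:04+02:00 web-01 sshd: Failed password for admin from 198.51.100.7
2024-05-01T07:00:07+00:00 web-02 sshd: Failed password for root from 198.51.100.7
2024-05-01T07:00:09+00:00 web-02 sshd: Failed password for admin from 198.51.100.7
2024-05-01T09:00:12+02:00 web-01 sshd: Accepted password for admin from 198.51.100.7
2024-05-01T07:05:00+00:00 web-02 sshd: Failed password for bob from 203.0.113.9
2024-05-01T09:06:00+02:00 web-01 sshd: Accepted password for bob from 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse(text):
    """Parse log lines into events with a UTC-normalized timestamp, oldest first.
    Lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
        events.append({"ts": ts, "host": m["host"], "outcome": m["outcome"],
                       "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])

def find_bruteforce_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Correlate across hosts: flag a successful login from a source IP that produced
    at least `min_failures` failed logins (on any host) within `window` before it.
    Returns a list of (src, user, host, utc_timestamp) tuples."""
    failures = defaultdict(list)  # source IP -> UTC timestamps of failed logins
    alerts = []
    for e in events:
        if e["outcome"] == "Failed":
            failures[e["src"]].append(e["ts"])
            continue
        recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
        if len(recent) >= min_failures:
            alerts.append((e["src"], e["user"], e["host"], e["ts"].isoformat()))
    return alerts
```

Without the UTC normalization the web-01 events would sort two hours after the web-02 events and the failures from 198.51.100.7 would not be seen as one sequence, which is exactly the traceability problem the clock synchronization control addresses.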

Management Review of the Information Security Management System (ISMS): management reviews should be pre-planned and conducted often (at least once per year, within the external audit period) to make sure the ISMS continues to operate effectively and achieve the objectives of the business. 

Policies: with 28 base policies and about 8 hours per policy, ISO 27001 requires over 200 hours for writing policies such as the Asset Management Policy, Data Protection Policy, Risk Management Policy, Information Security Policy, and so on.

Sign up for Agency today and find out more about ways to stay ISO 27001 compliant.
