How to build an ISO 27001-Compliant Cybersecurity Program

Celestin Ntemngwa
12 min read · Jul 10, 2022

Introduction

ISO 27001 is a standard for managing an information security program. It is divided into two main parts: clauses 4 through 10, which describe the foundational requirements of the standard, and Annex A, titled "Reference control objectives and controls".

Clauses are the sections of the standard. The first three clauses are ignored for compliance purposes because they contain no compliance requirements, so only clauses 4 through 10 matter in the first part. Clauses 4 through 10 introduce a term and concept used throughout this standard and ISO 27002: the Information Security Management System, or ISMS. It is a management system, specifically a management system for information security.

A detailed look into the ISO 27001 standard

The ISMS is a never-ending security management cycle with four main parts:

· Establish the ISMS,

· Implement and operate the ISMS,

· Monitor and review the ISMS,

· Maintain and improve the ISMS.

These parts of the ISMS correspond to the classic Plan-Do-Check-Act (PDCA) continuous improvement method, and clauses 4 through 10 map onto it:

· Plan. Establish the ISMS corresponds to clauses 4 through 6.

· Do. Implement and operate the ISMS corresponds to clauses 7 and 8.

· Check. Monitor and review the ISMS corresponds to clause 9.

· Act. Maintain and improve the ISMS corresponds to clause 10.

In this article, I’ll give you a detailed overview of clauses 4 through 10 to help you start your ISO 27001 compliance journey. The second part of the ISO 27001 standard is Annex A, which lists the controls. These controls are requirements to follow if you want your organization to comply with ISO 27001. Annex A has 14 control areas (some people call them domains) and 114 controls, aligned with the controls defined in the ISO 27002 standard.

The next article will discuss all 114 controls required in Annex A of ISO 27001. It’s important to note that ISO 27001 doesn’t contain any implementation guidance for the Annex A controls. It’s just the controls and the control objectives. You can find implementation guidance for the controls in ISO 27002.

Why build an ISO 27001-compliant cybersecurity program?

Other companies frequently ask a company to prove that it has adequate security measures in place to protect their information. ISO 27001 certification shows those companies that your organization has met the requirements of this security standard. However, your organization doesn’t need ISO 27001 certification to benefit from the standard.

Why should your organization comply with ISO 27001? There are several reasons why organizations choose to build an ISMS program that is ISO 27001 compliant:

· Help improve and validate their security program. ISO 27001 emphasizes continuous improvement, risk management, and the 114 security controls, so complying with it is an excellent way to ensure that your organization has built and is maintaining a solid security program.

· Help assure the leaders in your organization and other interested parties that you’re following good security practices.

Some organizations go one step beyond complying with ISO 27001 to get certified by an authorized third party that they’re ISO 27001 compliant. This certification is time-consuming and expensive, so why do they do it? While every organization is different, common reasons to get ISO 27001 certified include:

· To demonstrate that your organization has the necessary controls to protect sensitive information. This is important for organizations that handle sensitive data on behalf of other organizations: because ISO 27001 is an international security standard, it can help expanding businesses find customers who want to work with companies that follow rigorous security practices.

· To demonstrate that your organization conforms to the requirements of ISO 27001.

· To improve your organization’s reputation, which can lead to more business.

Whether it’s to improve your cybersecurity program, prove to others that you have reasonable security measures, or get more customers, there are many good reasons to build an ISO 27001-compliant cybersecurity program.

Supplement your ISO 27001 compliance with other security standards and frameworks like the NIST Cybersecurity Framework.

What to expect when getting ISO 27001 certified

If your organization decides to get ISO 27001 certified and you’re going through it for the first time, expect it to be a long process. Depending on the scope of your ISMS and how well prepared you are, the certification process can take many weeks to several months. Also, don’t expect to pass the certification on your first try. It’s possible to have a fully compliant ISMS the first time you go for certification, especially if you have an ISO 27001 expert on staff or hire a qualified consultant, but I wouldn’t count on it, because there are too many requirements to get just right. Don’t be surprised if your first attempt to get your company ISO 27001 certified is unsuccessful. The certification body you hire may find minor and major nonconformities. Nonconformities are deviations from the ISO 27001 standard. Minor nonconformities are not significant deviations from the standard and won’t cause you to fail a certification.

On the other hand, major nonconformities are severe deviations from the standard and must be corrected to get certified. When that happens, you must correct both the major and minor nonconformities before your company can be certified. Those corrections cost extra time and money, so it is wise to factor the possibility of not getting certified the first time into your overall plan. Many certification bodies offer pre-certification consulting, where they work with you to get you as prepared as possible before the certification audit. For example, USGEBS (www.usgebs.com) can help prepare your organization for certification. This pre-certification consulting costs extra, but it may help you avoid the cost and hassle of not passing the audit the first time.

The cost to get your organization ISO 27001 certified varies based on many factors, including:

· The gaps between where you are now and full compliance. You may need to hire staff or consultants depending on where you’re starting, and if you have a lot of gaps, these costs can be high.

· The certification body you use. Different certification bodies charge different rates for the certification review, so it pays to shop around, especially if you’re on a budget.

· The physical and logical scope of your ISMS. The scope could be a single network in one location, all the way up to a major company with networks worldwide. The larger the scope, the higher the cost.

· How quickly you want the certification. Faster usually means more expensive.

Maintaining compliance also comes with a cost that you should keep in mind. An ISO 27001 certification is good for three years, but that comes with a catch: you still need to be audited every year. The good news is that the audits in years two and three are called surveillance reviews, and they cover only parts of the ISO 27001 standard to ensure you’re still in compliance. These audits are smaller and less expensive than the full certification audit in year one. You can still fail surveillance audits, so keep following the ISO 27001 requirements if you want to stay certified. You’ll also need to conduct an internal audit of your ISMS annually. The rule for this internal audit is that it can’t be done by anyone who implements the controls. So unless your organization has its own internal audit department, plan on hiring an outside consulting or auditing firm to audit your ISMS, which is another cost of maintaining compliance. It’s essential that your organization understands these ongoing costs and that ISO 27001 certification isn’t a one-time expense. Once certified, your organization receives an actual certificate, which you can show to outside parties to prove that your ISMS complies with ISO 27001.

Building your ISO 27001 compliance plan

Planning is crucial for ISO 27001 certification, and following a plan makes sure nothing gets missed. In this section of the article, I’ll discuss a plan you can follow to lead your organization successfully to ISO 27001 compliance. Treat your compliance journey like a project. Appoint a project manager to oversee the effort and track the project objectives so that schedules, costs, and risks are identified and managed appropriately. Whoever manages this project needs a strong understanding of security and the need for compliance, as well as the authority and leadership skills to organize others on the team. Doing this improves your chances of succeeding. You can build your ISO 27001 compliance plan in five stages.

Stage one, assemble a team and develop an implementation plan. This is where you pull in the right resources, including the people who will be primarily responsible for planning and implementing ISO 27001 compliance. Every organization is different, but this team might include a project manager, an executive sponsor, and members from various departments, including security, legal, HR, IT, and finance. Work with this team to outline the ISO 27001 compliance implementation plan. Here, you’ll define your information security objectives and ISMS goals. At this time, you’ll also start communicating about the project and raising awareness of it across your organization.

Stage two, scope and baseline the ISMS. In this crucial step, you’ll define the scope of your information security management system, or ISMS. What your ISMS includes will drive the rest of your project. Next, conduct a gap analysis to baseline where your organization is today against the ISO requirements. Use the ISO 27001 and 27002 standards or checklists from this and my other ISO 27001 course to baseline the current state of your ISMS. Then prioritize the gaps you found based on level of effort, impact, and cost. This gives you a roadmap of the next steps and identifies any larger actions that should become spin-off projects.

Stage three, implement the ISMS. At this stage, you’ll recruit and appoint information security steering committee members. One of this committee’s responsibilities will be to review and approve your organization’s information security policies. You’ll also begin writing these policies, starting with the information security policy. This is also the stage where you implement the plan built in stage one and the missing controls you found in stage two.

Stage four, define and implement the risk management process. ISO 27001 is based on managing information security risk. In this stage, you’ll determine how your organization identifies, prioritizes, and remediates risks. You’ll build the risk register for your organization and begin listing the risks found during the previous stages.

Stage five, measure, monitor, and review the ISMS. The only way you’ll know whether your ISMS is ISO 27001 compliant is to implement the systems and tools necessary to measure and monitor it. That’s what you do in stage five. This can include security metrics dashboards, regular security review processes, log monitoring systems, third-party reviews of your ISMS, and so on. Use the results of these measurements, monitoring, and reviews to continuously improve the state of your ISMS and security program.

Beginning the ISO 27001 compliance process: Introduction to Clauses 4 through 10

These clauses contain essential ISO 27001 compliance requirements.

Because of the magnitude and level of effort it takes to comply with ISO 27001, it’s essential to follow a plan so that none of the requirements gets missed.

Let’s talk about beginning the ISO 27001 compliance process, starting with clauses 4 through 10 of the standard. We start with clause 4 because the first few clauses of the standard contain the introduction and the terms and definitions, which aren’t requirements for organizations to follow. Don’t skip clauses 4 through 10 and go straight to Annex A, which contains the controls most commonly associated with ISO 27001. That would be a mistake, because clauses 4 through 10 are the foundation for complying with the ISO 27001 standard. They contain essential compliance requirements, including the documented statement of applicability, the scope of the ISMS, and the risk treatment plan. Without these, your organization is not compliant with ISO 27001 and will undoubtedly fail a certification audit.

Clauses 4 through 10

Clause 4, context of the organization. This clause requires your organization to define its context and how it meets the needs and expectations of other parties. Clause 4 also requires you to define the scope of the information security management system, or ISMS.

Clause 5, leadership. This clause requires your organization to have the proper oversight and commitment to implement the ISMS. It must also write and approve information security policies and define roles and responsibilities for implementing the ISMS.

Clause 6, planning. Clause 6 requires your organization to define information security objectives and how you plan to achieve them. It also includes the need to address risks and opportunities for your organization.

Clause 7, support. This clause requires that your organization have the right resources with the right level of competence to implement the ISMS. You must also ensure the appropriate level of security awareness training for all users. Security must be communicated to all users, and all necessary information security policies and procedures must be documented.

Clause 8, operation. In this clause, your organization must plan and control the security operations required to implement the ISMS. Clause 8 also requires information security risk assessment and risk treatment.

Clause 9, performance evaluation. This is where your organization must monitor, measure, analyze, and evaluate the ISMS. It must also conduct internal audits to ensure that the ISMS functions as required by the standard. In addition, management must review the ISMS.

Clause 10, improvement. In the final clause, you must improve the ISMS, including responding to nonconformities and taking corrective actions. You must implement a continual improvement process.

These clauses might seem like helpful suggestions and can easily be overlooked, but they are essential to complying with ISO 27001.

Context of the organization and interested parties’ needs (Clauses 4.1 and 4.2)

Every organization has its own set of internal and external issues that can affect how it builds and maintains its information security management system (ISMS). For instance, a heavily regulated hospital would create a different ISMS than a retail business. This is what ISO 27001 means by the context of your organization. Depending on the type of organization, there will likely be various internal and external parties with needs and expectations related to your ISMS.

In this section, you’ll learn how to describe the context of your organization and identify the interested parties relevant to your ISMS.

Clause 4.1 is called Understanding the Organization and Its Context. It requires you to determine your organization’s external and internal issues and how they affect its ability to protect information using the ISMS. To do this, take the time to brainstorm with knowledgeable people in your organization and identify anything that could affect your business and its ability to protect information. Think about and capture external sources of impact such as the security requirements of customers, clients, or regulators; external attacks on infrastructure; natural disasters; and services provided by third-party suppliers. Do the same for internal sources of impact, such as data leakage and disclosure of information assets by employees through negligence or malicious activity, data loss or alteration through misuse or software malfunction, system malfunctions or other unforeseen downtime, and unmanaged changes. These exercises may seem pointless because the results should be evident to anyone who understands your organization’s work. But remember, every organization is different, and the point of clause 4.1 is to make sure you take the time to think through the issues that could affect your ISMS. Here are some ways you might demonstrate compliance with clause 4.1.

First, work with the subject matter experts in your organization to build a list of external issues that could impact your ISMS. The more detailed, the better. Then do the same for internal problems that could affect your ISMS.

Clause 4.2 is closely related. It’s called Understanding the Needs and Expectations of Interested Parties. Here, you’re required to identify the internal and external parties that are relevant to and have requirements for your ISMS. Think about anybody with an interest in your organization’s ability to protect information. These parties might include your organization’s board of directors, partners, management, employees, and customers or clients. If regulatory agencies audit your organization’s information security program, include them too.

Next, think about the requirements of these interested parties. These could include an effective information security risk management program, data security practices for personally identifiable information, contractual or service level agreement obligations, service quality expectations, and regulatory requirements.

You could demonstrate compliance with clause 4.2 by building a list of the internal and external interested parties relevant to your ISMS, then creating a list of their requirements for your ISMS. It might not seem like you’ve accomplished much by defining the context of your organization and identifying the parties relevant to your ISMS, but you’ve just started your journey to comply with ISO 27001.
