A Beginner’s Overview of ISO/IEC 27001

What is “ISO/IEC 27001”?

Unless you are a cybersecurity expert or an auditor that lives in the compliance world, managing an ISO/IEC 27001 (commonly referred to as, “ISO 27001”) audit is probably one of the last things you thought would be part of your job. To start, let’s understand ISO 27001 in its broader context. The International Organization for Standardization or “ISO” (from the Greek word isos meaning “equal”) came into existence after World War II when the United Nations Standards Coordinating Committee (UNSCC) and the International Federation of the National Standardizing Associations (ISA) formed a new global standards body.

Today, over twenty thousand standards are managed by the organization, including just about everything imaginable, from manufacturing to healthcare to food safety.

The “IEC” portion refers to the International Electrotechnical Commission which is an organization that prepares and publishes international standards for all electrical, electronic, and related technologies.

Collaboratively, ISO/IEC 27001:2013 (last reviewed in 2019) is the current version and provides the requirements for an information security management system (ISMS). In short, the standards were designed to help keep information assets held at organizations more secure with the goal of becoming ISO27001 certified. It is notable that ISO 27001 is the standard, whereas a certification happens with an independent, certified third party.

What are the benefits of ISO/IEC 27001?

Most cloud service providers have some level of security controls in place, but rarely are the measures comprehensive and centrally organized. More likely than not, the security controls were either implemented in response to a specific event or introduced as cybersecurity best practices by the executive or staff member sponsoring the initiative. ISO27001 aims to improve the structure and focus by organizing existing controls, updating weaker controls, and identifying gaps in a cloud provider’s ISMS. Stepping back from the security and data hygiene benefits, organizations can benefit in other areas as ISO 27001 is implemented, such as:

• Protecting the organization from fines, lawsuits, and financial losses associated with a data breach.
• Saving money associated with wasted hours spent shoring up the breach and then cleaning up the mess.
• Avoiding brand and reputational damage associated with lax security controls or a data breach.
• Demonstrating their commitment using a third-party opinion about the organization’s security posture.
• Gaining a competitive advantage over companies with lax standards when competing for new business and retaining existing customers.
• Stopping the disruptive, frequent requests for the organization’s current security controls during a competitive sales cycle or customer renewal.
• Remaining compliant with international business, legal, contractual, and regulatory rules.

How does ISO 27001 work?

Like most regulatory frameworks, ISO 27001 takes a top-down approach starting with the controls. At present, there are 114 controls in 14 groups and 35 control categories (https://en.wikipedia.org/wiki/ISO/IEC_27001#Controls):

• A.5: Information security policies (2 controls)
• A.6: Organization of information security (7 controls)
• A.7: Human resource security applied before, during, or after employment (6 controls)
• A.8: Asset management (10 controls)
• A.9: Access control (14 controls)
• A.10: Cryptography (2 controls)
• A.11: Physical and environmental security (15 controls)
• A.12: Operations security (14 controls)
• A.13: Communications security (7 controls)
• A.14: System acquisition, development, and maintenance (13 controls)
• A.15: Supplier relationships (5 controls)
• A.16: Information security incident management (7 controls)
• A.17: Information security aspects of business continuity management (4 controls)
• A.18: Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls)

ISO 27001 takes a risk-based approach to compliance meaning an organization must be proactive (has a plan in place if/when an event happens) versus being reactive (figuring it out if/when an event happens). It also means the amount of time and money you spend developing each control should be proportionate to your level of risk and accounts for how much risk you are willing to live with.

To obtain a complete list of controls, policies, and procedures, organizations need to purchase them from ISO directly, employ an auditor who has the questions, or access them through an audit readiness platform, such as ControlMap.

When I’m done, I’m done. Right? RIGHT?

Mostly. Whereas other certifications like the System and Organization Controls, Type 2 (SOC 2) framework focus mainly on demonstrating that the controls are implemented and are in place. The ISO 27001 framework likes to see that the controls are regularly reviewed to keep pace with emerging technologies and evolving security standards. So, while the heavy lifting is over after the first audit is complete an organization will need to schedule regular internal audits, update existing controls, and develop new preventive actions to keep pace. 

Executive sponsorship will be key. Unlike other frameworks, which are squarely focused on I.T., ISO27001 spans nearly all departments in an organization. And while the organization benefits from shared responsibility across the controls, this also requires a higher degree of ongoing coordination and management of parties that do not see themselves as having a vested interest in the audit. Thus, the ongoing management of ISMS can be challenging to keep evergreen when using a system of spreadsheets and email.

How much will an ISO 27001 audit cost my organization?

The hard costs will depend on your organization’s size and the maturity of ISMS needing certification. As of July 2020, the price ranged between $3,000 and $5,000 annually at the lower end of the spectrum. The cost goes up from there if the ISMS is non-existent or disorganized. Prior to the audit or re-audit, employees will need to spend time reviewing controls, formulating a response (usually in a shared and versioned spreadsheet), and writing policies and procedures. Unaccounted hours spent on prep work spans an organization, pulling away key players from strategic business initiatives.

However, the cost of not being ISO 27001 certified is dramatically higher when taking into account some or all of the following:

• The average cost of a data breach for an organization in 2020 was $3.86 million ).
• Lost new sales as more companies want to trust in place prior to signing a contract with a new vendor.
• Lost existing customers (and expansion sales) as many asked their vendors to provide proof of security posture.
• Time, money, and hassle spent responding to repetitive fragmented requests for information that is not organized or readily available.

Can I cheat and reuse previously existing work from another audit?

Yes! If you’ve completed a SOC2, FedRAMP, CMMC, or another cybersecurity certification in the last year, chances are the frameworks will have many controls, policies, and procedures in common with the ISO 27001 framework. If the audit is much older, some content may need to be updated prior to including it. Although most of the work to implement the control will be complete, be prepared for hours of copy and paste unless you are using audit readiness software to help identify and map your work to the new framework.

How can ControlMap help me with my ISO 27001 audit?

ControlMap is designed to help you prepare for your cybersecurity audit in several ways. If you’ve never been through the audit process, ControlMap has the questions and the answers to the audit. With just a few clicks, you can establish your initial baseline posture and fill in any gaps using pre-defined templates, ready to be tailored to your organization’s needs. Users can also assign requests, deadlines, and reminders and even collect evidence from team members in other departments.

If you’ve been through an audit process like SOC 2, FedRAMP, CSSM, or CSA, ControlMap can find overlapping requirements and automatically map the responses to the questions to your upcoming ISO 27001 audit using the Framework Crosswalk tools.

These are just a couple of ways ControlMap can reduce time spent on audit preparation by as much as 80%.