ISO 27001 certification is becoming increasingly popular for a number of reasons. This also means that more businesses, in particular larger organisations, have come to expect this level of certification from their vendors and suppliers. By becoming ISO 27001 certified you can demonstrate to businesses and clients that you take your information security seriously and that you have taken a risk-led approach to putting a strong security strategy in place. This shows a mature attitude and can make your business more credible, which in turn opens you up to more opportunities.
But what exactly is an ISO 27001 certification and how do you go about achieving this? If you’re not familiar with information security or you’ve never heard this term before, it can feel a little daunting. But don’t panic! The guide below will look at what ISO 27001 actually is and the requirements for becoming certified, so you can make this an important part of your security strategy.
What exactly is ISO 27001 certification?
In its simplest form, the dummies guide defines ISO 27001 as ‘a highly respected international standard for Information Security Management Systems (ISMS)’. An ISMS is designed to manage risks to information security within a business. What this means is that businesses can certify their ISMS against ISO 27001, proving to others that they have strong security systems throughout and that any sensitive information they hold is protected against risks and data breaches.
What’s more, if your Information Security Management System (ISMS) is ISO 27001 certified, this ensures that the requirements for your information security are not only established and implemented, but also monitored, maintained and improved where possible. Once again, this not only gives you peace of mind about the safety of your data, but it also makes your company look more reputable to others.
What are the requirements for ISO 27001 certification?
In order for a business to implement ISO 27001 and become certified, there are certain documents that it must provide to meet the requirements. Some of these are mandatory and others are recommended depending on the needs of the company, because not all businesses will have the resources to meet every recommended standard. Below we’ll outline the required documents.
These are the mandatory documents for a strong Information Security Management System and are vital to ensure that some of the most important actions of the ISMS are repeatable:
The scope of the ISMS
Put simply, the scope of an Information Security Management System defines what information you actually want it to protect. It also covers the physical scope of what is included if you have more than one office: for example, whether the ISMS covers just the head office or a number of your workspaces. Deciding and defining the scope is absolutely crucial to the ISMS.
The information security policy and its objectives
This is one of the most important documents as it contains all the top-level information. As a general rule this document should outline the scope and management commitment, as well as listing the security objectives. These objectives should align with the overall goals of the business.
Risk assessment and treatment methodology
The next document, or set of information, that is needed is the risk assessment. In most cases an Information Security Management System is built on a risk-based approach to protecting information. So while a business may already have a strategy in place to identify and manage risks across the different areas of the company, it can change or amend this in line with the ISMS in order to manage risks specific to its information security.
Inventory of assets
A certified ISMS requires that your business identifies all assets that it deems to have value. This includes all hardware and software, and anything else you want protecting. Once these have been identified and documented they can be accounted for, but more than this, each one can be assessed individually to highlight any potential risks.
Security roles and responsibilities
Not necessarily a document, but it pays to define the roles your team will take on in regard to the Information Security Management System. By assigning individual roles and responsibilities you can ensure that each task is managed effectively and that progress is being made towards your information security objectives. Providing evidence of these roles is key.
Statement of Applicability
The Statement of Applicability (SoA) is an important document used during the risk treatment process. It lists all the controls within ISO 27001 that your business has selected and explains why you chose them. Because some of the controls don’t apply to every business, the SoA also requires you to give a reason for any controls that have been omitted or excluded. What’s more, if a chosen control has additional documentation, you’ll need to provide that as well.
Records of staff training, skills, experience and qualifications
Documentation that outlines your employees’ experience and training can be helpful if staff are called upon to help with the implementation of an ISMS. This should list the training your team has had, because security systems are essential but can be limited if employees don’t understand what they are and what role they personally play in implementing them. It should also cover any relevant qualifications staff have, should they be called on to help or be given a management role during the implementation of an ISMS.
Documentation of user activity and security events
If you’ve faced security issues in the past, it’s likely that you will have documented what happened and how it was dealt with. While you might think that providing these documents could make you look weak or vulnerable, the reality is that this shows growth and that your business is putting positive measures in place to avoid the same thing happening again in the future.
‘Password’ and ‘Information Classification’ policies
These two documents aren’t mandatory for ISO 27001 certification but can be helpful. The password policy can teach best practice for creating strong, safe passwords. What’s more, the information classification policy can help employees to identify how sensitive each type of data is and what measures should therefore be put in place.