I recently led an ISO (27001:2022) Certification for a company and wanted to write about the experience. There is a lot of information online about getting certified and what's needed as both a company and an individual, but I never saw a particularly practical guide with everything in one place, so I'm writing what I would have liked to have seen when I was starting, plus some lessons picked up along the way.
What is ISO 27001?
In Corporate Speak: "ISO 27001 is an internationally recognized standard for managing information security. It provides a framework for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The goal of ISO 27001 certification is to help organizations protect their information assets in a systematic and cost-effective manner, through the adoption of this ISMS."
How I viewed it: It's a way of showing you meet a minimum set of security standards, which is useful/required when talking to customers and gives you some comfort personally as a tech leader that there are no glaring information security holes (software/frameworks out-of-date or vulnerabilities in your system). What it doesn't do is guarantee that your software is bug free or perfectly secure.
There are two versions, the 2013 version and the 2022 version (referring to the year of publishing, I think). At the time of writing, the 2013 version is still technically possible to certify against, but you'll have to transfer over to the 2022 version soon anyway (which isn't all that different to be honest) and you'll have less time before re-certification (you have to do it every 3 years afaik, or by 2025 if you're using the 2013 version), so it doesn't really make sense to do the 2013 one unless you have a particularly unique situation. In our case, we started with 2013, but upon being advised to move to the 2022 version by our auditing company, we were able to complete the additional 2022 requirements very quickly and successfully passed the audit with minimal changes.
Why should you get ISO 27001 Certification?
If you feel like you need some sort of official security standard for your company to certify against (maybe you're getting asked by potential customers about security or standards and 'we're really secure' isn't a good enough answer), ISO 27001 is a good standard to begin with - lots of other standards build on top of it, especially in medtech/fintech. Relatedly, I have found that the questions asked in ISO 27001 also came up when getting cyber insurance (specifically, disaster recovery exercises and security reviews) and being able to answer them with ease was a great comfort and actually reduced the insurance costs.
Some other benefits (again in slight corporate speak but might be useful when speaking to management):
- Enhanced Information Security: ISO 27001 provides a comprehensive framework for securing sensitive corporate information, including financial data, intellectual property, employee details, and information entrusted by third parties. Implementing its standards helps prevent security breaches and data theft - personally, it was nice to compare our security against a standard and improve ours where important
- Risk Management: The standard requires organizations to assess the risk to their information assets and implement appropriate measures to mitigate these risks. This proactive approach to risk management is essential in today's digital landscape, where threats are constantly evolving - I think this is a
- Compliance with Regulations: Many industries and regions have regulations regarding data protection and privacy. ISO 27001 certification demonstrates compliance with these legal and regulatory requirements, which can be crucial for avoiding penalties and legal issues - I also found that customers are comforted when you start listing these standards in meetings.
- Competitive Advantage: In a market where consumers and partners are increasingly concerned about data security, ISO 27001 certification can serve as a key differentiator. It reassures clients and business partners that the organization is committed to maintaining high standards of information security.
- Building Trust with Customers: By achieving ISO 27001 certification, an organization shows its commitment to protecting sensitive customer data. I've definitely found this to be the case.
- Improved Organization and Efficiency: The process of achieving ISO 27001 certification involves streamlining information security processes. This can lead to more efficient, reliable, and secure operations. It also forces you to keep an eye on systems and processes that you might otherwise ignore.
- Global Recognition: As an internationally recognized standard, ISO 27001 certification is respected and acknowledged worldwide. This can be particularly beneficial for organizations operating in or looking to expand into global markets.
- Continuous Improvement: The certification is not just about implementing a set of procedures; it's about a continual process of improvement that ensures the organization remains robust against information security threats over time. Certification isn't something that you do at a point in time, it's a continuous process.
One caveat to the above: while the standard is useful for all the reasons listed, you still need to put in the work day-to-day, and it won't magically fix every problem you have or every security issue in your company. You will still have your own organisation-specific issues and challenges that may fall outside of what any ISO standard covers. It does however provide a level of comfort that you're not doing anything (too) crazy.
The Process of Obtaining ISO 27001 Certification
At a high level, the process for getting certified looks like this, based on my experience.
- Understanding the Standard: It begins with a thorough understanding of the ISO 27001 standard, which covers the requirements for establishing, implementing, maintaining, and continually improving an ISMS. I personally think this is the hardest bit: the docs are comprehensive, but translating them to the needs of your own company is complex to say the least. There are a number of companies that essentially map them to concrete steps - Vanta is the company I used (and would highly recommend). There is a charge for their software, but I think it's worth it if you can afford it.
- Gap Analysis: Conduct a gap analysis to determine your current state of information security and how it measures up against the ISO 27001 requirements. Again, this is possible to do yourself, but this is where software like Vanta comes in as you can connect into your various systems (like Google Cloud, AWS, JIRA...) and it will show you the gaps and how to fix them. This feature alone made certifying so much easier and justified the costs for Vanta.
- Planning: This involves defining the scope of the ISMS and identifying the information assets that need to be protected. It also includes conducting a risk assessment and establishing a risk management process. In plain English, maybe you're only certifying a department or division, and not the entire company - or you're excluding a product for a very specific reason. This is all normal, you just have to decide what works for your company.
- Implementing Controls: Based on the risk assessment, the organization implements the necessary controls to mitigate identified risks. These controls are outlined in Annex A of ISO 27001 and include areas like access control, physical and environmental security, and communication security. Again, this is where Vanta comes in, as you can fix the gaps and controls identified in stages 1 and 4.
- Documentation: Creating the necessary documentation is crucial. This includes policies, procedures, and records that demonstrate compliance with the standard. You can find templates but again, you'll need to customise them to your needs; for example, you don't need an office policy if you're all working remotely.
- Training and Awareness: Employees are trained on the importance of information security and the specific roles they play in the ISMS.
- Internal Audit: An internal audit is conducted to assess the ISMS against the ISO 27001 standard and to identify areas for improvement.
- Management Review: Senior management reviews the performance of the ISMS and ensures its continuing suitability, adequacy, and effectiveness.
- Certification Audit: The organization engages an accredited certification body to conduct an external audit. This audit is conducted in two stages: the first to review the ISMS documentation and readiness, and the second to assess the implementation and effectiveness of the ISMS.
- Continuous Improvement: After certification, the organization must continually monitor, review, and improve the ISMS to ensure its ongoing effectiveness and compliance with the standard. There are generally monthly, quarterly and annual meetings to track all this.
This process can take 3-6 months depending on the size of the team and the amount of time dedicated to it.