ISO 27001 certification

Background

ISO/IEC 27001 describes the requirements for establishing, implementing, maintaining and continuously improving an organization's information security management system (ISMS). It is an internationally accepted standard and a valuable way to distinguish your organization because it demonstrates your compliance with industry standards and commitment to information security.


Why ISO 27001 certification?

An ISO 27001-certified organization demonstrates to the world that it can be trusted, has implemented an Information Security Management System (ISMS) in accordance with section 4.4 of the standard, and has demonstrated to an external auditor/independent ISO certification body that it complies.

ISO 27001 certification is a differentiator for organizations in competitive markets. It indicates that your partners, customers and employees can trust that your organization manages their information assets/data responsibly.

What are the benefits of ISO 27001 certification?

For all stakeholders, the most important message is the confidence and assurance that comes from externally audited information security management. Compliance with ISO 27001 offers multiple benefits - for example:

Benefits for you

  • Protection of brand and reputation
  • Gain more business from new & existing customers
  • Reduce the cost of sales
  • Retaining more business
  • Improved processes leading to cost and time savings
  • Avoid fines for non-compliance with regulations (such as the GDPR, known in the Netherlands as the AVG)
  • Avoid civil litigation as a result of a data breach
  • Avoid costs of remedial actions due to incidents and/or breaches
  • Attract better staff

Benefits for your employees

  • Confidence in organizational sustainability
  • Work (and home) security training
  • Clarity through policies and procedures
  • Pride in the organization and their role in protecting it

Benefits for your customers

  • Confidence and assurance in you and your supply chain
  • Less chance of a costly breach
  • Reduced vendor familiarization costs

The requirements for ISO 27001

The standard consists of two parts. The first (main) part consists of 11 chapters (0 to 10). The second part, called Annex A, provides guidelines for 93 objectives and measures.

Two parts of the standard

Chapters 0 through 3 of the main body of the standard (Introduction, Scope, Normative References, Terms and Definitions) serve as an introduction to the ISO 27001 standard. Chapters 4 through 10, which contain the ISO 27001 requirements, are mandatory if the company wants to comply with the standard and are discussed in more detail later in this article.

Annex A of the standard supports the chapters and their requirements with a list of measures (controls) that are not mandatory in themselves but are selected as part of the risk management process.

Chapters 4 - 10

The requirements of chapters 4 through 10 can be summarized as follows:

Chapter 4 of ISO 27001 - Context of the organization - A prerequisite for successfully implementing an Information Security Management System is understanding the context of the organization. External and internal issues, as well as stakeholders, must be identified and considered. Requirements can include regulatory issues, but they can also go much further.

With this in mind, the organization must define the scope of the ISMS.

Chapter 5 of ISO 27001 - Leadership & commitment - ISO 27001's requirements for adequate leadership are numerous. Top management involvement is mandatory for a management system. Objectives must be set in accordance with the strategic direction and goals of the organization. Providing resources needed for the ISMS and supporting individuals in their contribution to the ISMS are other examples of obligations that must be met.

In addition, top management must establish a top-level information security policy. The company's ISO 27001 Information Security Policy must be documented and communicated within the organization and to stakeholders.

Roles and responsibilities must also be assigned to meet the requirements of the ISO 27001 standard and to report on ISMS performance.

Chapter 6 of ISO 27001 - Planning - Planning in an ISMS environment must always consider risks and opportunities. An information security risk assessment provides the basis for this. Accordingly, information security objectives should be derived from the risk assessment. These objectives should be aligned with the overall goals of the company and promoted within it, because they are the security goals that everyone in the company should be working toward. From the risk assessment and the security objectives, a risk treatment plan is derived, based on the measures listed in Annex A.

Chapter 7 of ISO 27001 - Resources, support and communication - Resources, employee competency, awareness and communication are essential to support the ISMS. Another requirement is documenting information according to ISO 27001. Information must be documented, created, updated and monitored. An appropriate set of documentation, including a communication plan, must be maintained to support the success of the ISMS.

Chapter 8 of ISO 27001 - Operational implementation - Processes are required to implement information security. These processes must be planned, implemented and monitored. Risk assessment and treatment, which, as noted above, must be on the minds of top management, must be put into practice.

Chapter 9 of ISO 27001 - Performance - The requirements of the ISO 27001 standard expect control, measurement, analysis and evaluation of the information security management system. In addition to monitoring key performance indicators of the work, the company must conduct internal audits. Finally, top management must periodically evaluate the organization's ISMS and ISO 27001 KPIs.

Chapter 10 of ISO 27001 - Improvement - Improvement follows evaluation. Nonconformities must be addressed by taking action and eliminating their causes. In addition, a continuous improvement process must be implemented. Although the PDCA (Plan-Do-Check-Act) cycle is no longer explicitly mentioned in ISO 27001, it is still recommended because it provides a solid structure and meets the requirements of ISO 27001.

For more information on ISO 27001 implementation, view our ISO 27001 checklist.

ISO 27001 certification process

After a company completes implementation, the ISO 27001:2022 certification process can begin - its three main stages are as follows:

Phase 1 audit - document review. In this audit, the auditor looks at the documented scope, the ISMS policies and objectives, the description of the risk assessment methodology, the risk assessment report, the Statement of Applicability and the risk treatment plan, along with procedures for document control, corrective and preventive action, and internal audit. You must also document a number of measures from ISO 27001 Annex A, and you need reports from at least one internal audit and one management review. If any of these elements are missing, you are not ready for the next stage.

Phase 2 audit - main audit. This phase usually follows a few weeks after the Phase 1 audit. The auditor checks whether your ISMS has actually been implemented in your company, or whether it exists only on paper. The auditor will check this through observation and interviews with your employees, but mainly by examining your records. So you need to be sure that you are really complying with everything you have written down in your security policies and procedures. If there are no major nonconformities, the certification body will issue the ISO 27001 certificate to your company.

If the auditor has found a major nonconformity, they will give you a deadline by which it must be resolved (usually 90 days). It is your job to take the appropriate corrective action, but you must be careful: the action must resolve the root cause of the nonconformity, or the auditor may not accept what you have done. Once you are certain that the proper action has been taken, you should notify the auditor and send them proof of what you have done. In most cases, if you have done your job thoroughly, the auditor will accept your corrective action and initiate the process for issuing the ISO 27001 certificate.

Phase 3 audit - surveillance audit. The certificate issued by the certification body is valid for three years - during which time the certification body checks to see if your ISMS is being properly maintained; hence, surveillance audits. The surveillance audits are very similar to the main audits, but they are much shorter - about 30% of the duration of the main audit. There will be at least one surveillance audit each year - for example, if your company is certified in February 2023, the first surveillance audit will take place in February 2024 and the second in February 2025; in February 2026, your certificate will expire and you will decide if you want to go for recertification. The recertification audit consists of the same three stages as the initial certification.

Risk analysis for the Statement of Applicability

Performing an ISO 27001 risk analysis?

Are you in the process of achieving ISO 27001 compliance? We have developed a tool for your risk analysis that is free and non-binding to use. The information you enter can be downloaded as a PDF, but will not be saved.

Open the Risk analysis tool 

What questions will the ISO 27001 auditor ask?

Now let's take a closer look at the things an auditor might ask you.

1) Required documentation

The auditor will first review all documentation in the system (normally done during the Phase 1 audit) and ask for evidence of the existence of all documents required by the standard. For the security measures, the auditor will use the Statement of Applicability (SoA) as a guide. In addition to the required documents, the auditor will also review any document the company has developed to support the implementation of the system or of individual measures. Examples include a project plan, a network diagram, a list of documentation, etc.

2) Proof

The next step is to verify that everything written corresponds to reality (normally done during the Phase 2 audit). For example, suppose the company stipulates that the information security policy should be reviewed annually. What question will the auditor ask in this case? You might guess, "Have you reviewed the policy this year?", and the answer will probably be yes. But the auditor cannot rely on what they do not see; they need evidence. Such evidence might include reports, meeting minutes, etc. So the next question would be: "Can you show me documents showing the date on which the policy was reviewed?"

Regarding security measures, the auditor will also seek evidence that they have been implemented, although in this case the evidence may be logs, files in the system, network diagrams, platform configurations, agreements with suppliers or customers, legislation, etc.

3) Interviews

At this point, the auditor knows what documents the company uses, so they must check whether people are familiar with them and actually use them in their day-to-day activities, i.e. whether the ISMS works in practice. Therefore, the auditor will conduct interviews with employees to find out to what extent they are aware of at least the main documents that apply to them: security policies, confidentiality clauses, acceptable use of resources, access control policies, etc.

An example of questions in an interview might look like the following:

  • "Do you have access to the organization's internal rules regarding information security?"
  • "Can you show me some of the related policies?"
  • "Can you tell me what you think are the key points in the policy?"

On the other hand, the auditor can also interview those responsible for processes, physical areas and departments to get their perception of the implementation of the standard in the company. In these interviews, the questions will focus on getting familiar with the functions and roles these people have in the system and whether they comply with the implemented measures.

Who certifies organizations for ISO 27001?

First, ISO standards are published by the International Organization for Standardization (ISO) - this is an international body established by governments around the world. Its purpose is to publish standards and provide knowledge and best practices, but not to issue certificates.

Certificates for companies are issued by organizations called certification bodies. These are entities licensed by accreditation bodies to conduct certification audits and assess whether a company's Information Security Management System complies with ISO/IEC 27001.

Not all certification bodies (also called registrars) are created equal. Chances are you will find at least a few in your country, so you can choose the one that suits you best. Price is obviously important, but this is not the only criterion you should use - what is also important is that the auditors know your industry, that they have a good reputation, that they can also certify other standards, etc.

Cost for ISO 27001 certification

There is no set cost for the certification audit - the certification body will charge you based on several factors, but these two are the most important: (1) the size of your organization and (2) the price of local certification auditors. For example, a small organization in the Netherlands will pay about €7,000 for the certification audit. To get a more accurate idea of ISO 27001 certification costs, it is a good idea to request quotes from a few different certification bodies.

How long is ISO 27001 valid once certified?

Once a certification body issues an ISO 27001 certificate to a company, it is valid for a period of three years. During this period, the certification body conducts surveillance audits to assess whether the organization is properly maintaining the ISMS and whether required improvements are being implemented in a timely manner.

How many companies are ISO certified?

ISO 27001 has become the most popular information security standard worldwide and many companies have certified to it. The number of certificates issued in recent years is shown in the chart below:

(Chart: number of ISO 27001 certificates per year)

Source: The ISO overview of certifications of management system standards

Which companies are ISO 27001 certified? There is no official central list of ISO 27001-certified organizations, so information on which companies are ISO 27001-certified must be obtained directly from the ISO 27001 certifying companies.
