So you're thinking about ISO 27001:2022… the international gold standard in security certifications.
So what does it take to achieve the certification?
Is it easy, or is it the gold standard for a reason?
There's a strain of modern marketing that sells "Get X super-fast": here's the shortcut, it's a transactional purchase, and you don't really need to work to achieve success. Getting ISO 27001:2022 certified is not that.
Best case scenario - if you have a fully functioning and mature security management programme, you should plan for the process to take 6 months. If you've only just started your cybersecurity journey - expect 18 months.
There's a reason one of the crucial audit questions is: is there executive buy-in, and is the programme supported (funded) over multiple years into the future? This process is not trivial.
The steps you'll work through are as follows:
- Defining the scope of the certification
- Risk assessments
- Risk treatment plans
- Defining policies
- Defining procedures
- Collecting evidence
Add in a pre-audit before the certification and annual surveillance audits after… and that's ISO 27001.
So what goes into each step?
Defining the Scope of Your ISO 27001 Certification
I've previously written about choosing a scope to ensure you're only accountable for what you can control. The same applies to ISO 27001. However, there's sometimes a desire to reduce the scope to the least possible.
In one extreme example, I have seen an international company attempt to scope its certification to a small support team in one office in one country. This creates a tiny scope that is "easy" to certify, but then there's the inevitable question from security-aware customers…
Does your ISO27001 certification cover the service I am buying from you?
Well... not the development, hosting, maintenance, monitoring, accounting… But it does cover supporting the service.
The essential test for choosing a scope for ISO 27001: is the scope meaningful to your customer or partner? Is it what they would expect? After all, certification is a communication tool.
Risk Assessments & Risk Treatment Plans
Once you understand the boundaries you're working within, the focus moves on to - What dangers are facing us within this scope? And what are we going to do about it?
Some dangers are obvious, some less so:
- Malware infection
- A hacker getting access to your shared drives
- Leaving a laptop containing PII on a train
- and so on...
And for each danger, you'll need to assess how likely it is to happen, and if it did - what would be the impact? This is your risk assessment.
Once all reasonable risks are identified - what are the mitigations and multiple layers of defence needed to reduce your risk exposure?
- Running antivirus on all devices
- Using a firewall to block access to internal systems
- Using complex passwords
- Using multi-factor authentication
- Using encryption on all endpoint devices
- and so on…
The risk treatment plan is a comprehensive list of the actions you will take to reduce the dangers you face to an acceptable level.
Defining Your Security Policies
Now you know what dangers you face and the things you're going to do to mitigate them… it's time to communicate this more widely. This is why we have policies, and it's the starting point for embedding security in business-as-usual processes.
Oddly, this is where some people fall into the trap of downloading policies from Google or trying to reuse generic policies.
But this is the critical point in the process.
This is when you state that we will live by these principles.
This is what we're going to do.
Maybe it's not the best idea to leave that kind of fundamental thinking to a Google search.
A policy's crucial purpose is to answer the 'what' and 'why' questions. The implementation details come in the next step.
Defining Your Security Procedures
If policies answer 'What?' and 'Why?', then procedures answer 'How?', 'When?', 'Where?' and 'Who?'.
This is the mechanics of taking security intent and applying it to your business.
This is the glue that binds the security policy into the business and builds the business-as-usual processes. It's also the most personal and time-consuming element to achieve - it's about how you do what you do.
Do not underestimate the importance and uniqueness of this step.
[Intermission] - Stage 1 Audit
Once your procedures are in place, it's time to complete the Stage 1 Audit.
This audit is primarily a gap analysis to ensure that all your work so far is aligned with what ISO 27001 auditors need to see.
It's a significant milestone and signals that you're close to the end of the process - albeit about halfway on the amount of effort.
Now that you're confident all your procedures are aligned with ISO 27001, and everything is in place to secure your business, there's one last step…
For every procedure…
For every control in your risk treatment plan…
For every system within the scope you defined…
Prove you're secure.
Prove that you do what you say in your policies.
Evidence gathering is a non-trivial effort. Moreover, it's ongoing and repetitive. But this is ultimately what your ISO 27001 certification will be based on.
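To make the thread from risk assessment through treatment plan to evidence concrete, here is an added worked example in Python. It is not code from the article or from any ISO template: the 4x4 likelihood/impact bands, the risk appetite threshold, the rule that each control lowers the likelihood band by one, and the sample risks and evidence records are all constructed assumptions. It covers two of the steps above: scoring each danger and checking whether the treatment plan brings it to an acceptable level, and then checking that every control in the plan has at least one piece of evidence behind it, which is exactly what the Stage 2 auditor will ask for.

```python
"""Toy ISO 27001 risk register: score risks, apply the treatment plan,
and report which controls still lack evidence.

Constructed example, not the article's method and not an official
ISO 27001 scoring scheme. Every band, threshold and record below is
an assumption chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed 4x4 scoring bands; an organisation defines its own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}
IMPACT = {"minor": 1, "moderate": 2, "major": 3, "severe": 4}

# Assumption: a residual score of 4 or less is "acceptable" risk.
RISK_APPETITE = 4


@dataclass
class Risk:
    """One row of the risk register with its treatment plan entries."""
    name: str
    likelihood: str
    impact: str
    controls: list[str] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Likelihood x impact before any treatment."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Score after treatment.

        Simplifying assumption: each control lowers the likelihood band
        by one, never below 'rare'. A real treatment plan justifies the
        reduction claimed for each control individually.
        """
        band = max(1, LIKELIHOOD[self.likelihood] - len(self.controls))
        return band * IMPACT[self.impact]


def risks_above_appetite(risks: list[Risk], appetite: int = RISK_APPETITE) -> list[str]:
    """Risks whose treatment plan does not yet reach an acceptable level."""
    return [r.name for r in risks if r.residual_score() > appetite]


def controls_without_evidence(risks: list[Risk], evidence: dict[str, list[str]]) -> list[str]:
    """Every control named in a treatment plan needs at least one evidence record."""
    needed = {c for r in risks for c in r.controls}
    return sorted(c for c in needed if not evidence.get(c))


# Constructed register mirroring the dangers and mitigations listed above.
RISKS = [
    Risk("Malware infection", "likely", "major",
         ["antivirus on all devices", "firewall blocks inbound access"]),
    Risk("Attacker reaches shared drives", "possible", "severe",
         ["multi-factor authentication", "complex passwords"]),
    Risk("Laptop with PII left on a train", "possible", "severe",
         ["full-disk encryption on endpoints"]),
]

# Constructed evidence log: control -> artefacts collected so far.
EVIDENCE = {
    "antivirus on all devices": ["endpoint protection console export"],
    "firewall blocks inbound access": ["firewall ruleset review record"],
    "multi-factor authentication": ["identity provider MFA enforcement report"],
    "complex passwords": [],  # nothing collected yet: this will fail the audit
    "full-disk encryption on endpoints": ["MDM encryption compliance report"],
}


if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name}: inherent={r.inherent_score()} residual={r.residual_score()}")
    print("Still above appetite:", risks_above_appetite(RISKS))
    print("Controls with no evidence:", controls_without_evidence(RISKS, EVIDENCE))
```

Run as written, the register shows two risks still above appetite (more treatment is needed before the plan is complete) and one control, complex passwords, with no evidence behind it. Both are the kind of finding a Stage 1 gap analysis should surface before the Stage 2 audit does.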
Certification - Stage 2 Audit
Have you done enough? Your ISO 27001 certification comes down to one final audit, which covers everything. You have:
- Identified your security dangers
- Decided what steps you're going to take to mitigate your risks to an acceptable level
- Answered What? Why? Who? When? Where? How? for each mitigation step
- Gathered evidence to prove you've implemented what you said
If your auditor is happy with all of this, you pass and get your ISO 27001 certificate. It is valid for 3 years.
[Postscript] - Surveillance Audits
And, of course, you need to demonstrate that you're still doing what you said… next year, the year after, and the year after that. ISO 27001 is no longer a point-in-time certification; it's something that is monitored annually.
This is why executive buy-in and multi-year programme funding are so crucial.