Achieving ISO 27001 compliance and certification will open countless doors with governmental, industrial, and other business relationships. As an internationally-recognized and trusted security framework, it’s taken quite seriously. That means you have to put your all into achieving certification if you hope to pass the auditing process.
At Ignyte, we can help. Our platform was designed as a way for businesses to collaborate internally on numerous security frameworks, and our team are experts in all of the largest frameworks you might pursue. We’ve produced the checklist below as a way to help streamline the ISO 27001 process. If you have any questions, or if you feel we left something out, please let us know!
BLUF - Bottom Line Up Front
To achieve ISO 27001 compliance, form a dedicated team, define your scope, and create an asset inventory. Assess your current security, identify your ideal security baseline, and perform a gap analysis. Develop a Statement of Applicability, close security gaps, and establish an ISMS. Train employees, assess risks, maintain a risk register, and mitigate threats. Conduct internal audits, undergo external audits, remediate findings, and maintain compliance for certification. An ongoing commitment ensures long-term success.
□ Do Your Reading
A significant part of ISO 27001 is going into it with the right mindset. You need to know why it’s important, how it affects your operations, and what the benefits – and drawbacks – may be for achieving it. To that end, we’ve produced several pieces of content that can help lay that groundwork. You can also read the ISO 27001 documents themselves.
When Is ISO 27001 Considered Mandatory? 5 Examples. – This post covers reasons why your business might want to pursue ISO 27001 compliance and what kinds of doors might be opened to you when you do – or that might remain closed if you don’t.
What is an Information Security Management System (ISMS)? – This post covers one of the core terms of the ISO 27001 framework, the ISMS. What is it, how does it work, what goes into it, and how does it help keep you and your customers secure? Learn all about it here.
FedRAMP vs. ISO 27001: How They Compare and Which Do You Need? – This is one of a handful of posts we have comparing ISO 27001 to other security frameworks. FedRAMP is one of the closer comparisons and can give you an idea of how they stack up. This is especially relevant if you’re deciding between the two, or if you already have FedRAMP certification and want to add on ISO 27001 for expanded operations.
ISO 27001 – 2013 vs 2022: Changes, Transition & More. – This post covers the primary differences between the previous version of ISO 27001, published in 2013, and the modern version, published in 2022. It reviews the biggest differences and updates, what needs to happen to transition if you already have 2013 compliance, and some common questions we see asked about the transition.
What Steps Are Involved in An ISO 27001 Audit? – This is a more detailed rundown of what goes on in an ISO 27001 audit to achieve compliance or maintain certification. This will be critical information when you get deeper into the process, but when you’re first starting out, a simple overview is all you need.
Read through these posts, and let us know if you have any questions.
You can also review a case study of a company we helped achieve ISO 27001 certification: Riverain.
□ Organize a Team and Assign Roles
This step and the next step can be done in conjunction with one another, because they can influence each other, so keep that in mind.
A key part of ISO 27001 is not just that you have people performing tasks necessary for compliance but that you have people responsible for those tasks. These are specific people assigned to specific tasks and responsibilities and on whose shoulders the penalties can fall if they fail. You will generally need an overall project manager, representatives who guide and control the development and implementation of your ISMS, technical representatives like engineers who handle the technical side, leadership members, and more.
The number of team members and their specific duties and division of labor can depend on the scope of the changes needed, and on the size of your organization.
□ Define the Scope and Develop a Roadmap
After reading the basics of ISO 27001, you will need to define what level of compliance you need and how you will reach that level of compliance.
This doesn’t need to be extremely tangible and step-by-step, as that comes later in the process. However, having an idea of the scope will help you identify which areas of your business need to be part of the team and how many representatives you will need in various roles.
□ Create an Inventory of Assets
Before you can start developing and implementing an ISMS, you need to have an inventory of what you have to work with and what you have to protect.
An asset inventory needs to consider things such as the information you handle, how that information is handled, and what devices and assets store or handle that information. This might mean specific computers and servers, specific accounts, specific people, and even IP assets. If you don’t have a comprehensive inventory of devices used by your employees, you’ll need one. You may also need to plan to abolish any BYOD policies.
□ Identify Your Current Security Posture
A thorough evaluation of your current security posture is critical. Before you know how to get where you’re going, you have to know where you’re starting, right?
This will essentially involve a limited, somewhat casual internal audit of your current security. What are you doing, what are you not doing, and what is likely going to have to change? Don’t forget to document everything.
□ Identify Your Ideal Security Baseline
Unlike frameworks such as FedRAMP or CMMC, ISO 27001 does not have tiers of security to achieve; rather, it has a set of controls that either apply or don’t, and that may apply at different levels of importance or strength depending on the sensitivity of the information you’re handling.
Businesses handling only public and internal information will have an easier time of it than businesses handling restricted or confidential information. Identifying where your company falls within this framework gives you your eventual destination.
□ Perform a Gap Analysis
A gap analysis is the process of taking the previous two steps and figuring out how to go from where you are to where you need to be. This takes all of your documentation from those previous steps and transforms it into a series of action items, encompassing everything that needs to be done to achieve ISO 27001 compliance.
It’s likely that you won’t catch everything on the first pass. You can do as much work as you can, perform another internal review, another gap analysis, and more work until you’re satisfied.
□ Complete a Statement of Applicability
A key element of ISO 27001 is self-tailoring flexibility. Frameworks like FedRAMP require you to achieve a given tier, regardless of how well it fits your needs. ISO 27001 is one single set of standards, and the requirement is to follow as many of them as you can. There are, however, likely going to be a few security controls out of the 100+ in ISO 27001 that do not apply to you.
That said, you can’t simply ignore the controls that aren’t relevant to you. You need to create a document called a Statement of Applicability that addresses each security control within ISO 27001. This document identifies which controls you adopt and which aren’t relevant (and why), and it will be a key part of the review in the eventual external audit you’ll need to pass to achieve certification.
□ Create a Plan to Close the Gap
The gap analysis you perform, alongside your internal documentation telling you what you need to establish as part of your ISMS, will help you create a plan to close that gap.
Again, this is an iterative process; you’ll perform a gap analysis and do the work, then establish a new baseline and figure out if you need to take further action to reach the ideal security posture.
□ Create Your ISMS
An ISMS is a combination of plans, procedures, and processes aimed at maintaining security, proactively identifying risks, and dealing with problems as they arise.
Many factors go into creating a full ISMS, including employee training, policy publication, technological implementation, and more. Putting together the ISMS is a large portion of the work you’ll be doing to establish ISO 27001 compliance.
□ Implement Security Improvements
During this process, you will need to identify and implement technological and security improvements.
These can be things like implementing multi-factor authentication, utilizing encryption, restricting access to systems that handle information, and even restricting physical access to your facilities. The exact array of improvements you need to make will, of course, vary depending on the results of your gap analysis.
□ Train Employees on ISMS Policies
Equally important to successful ISO 27001 compliance is employee behavior. The most secure system in the world can be breached easily if the weak link is a person, which is why social engineering is so much more prominent than technological hacking in today’s world.
Therefore, a huge part of compliance is training. You need to establish policies and rules for employee behavior and conduct, construct appropriate training courses for them, and ensure that your entire employee base is trained properly. Tests and evaluations will ensure that this training has been performed adequately.
□ Conduct a Risk Assessment
Security is only one side of a coin, and you cannot be properly secure without knowing what you’re securing against. Another critical component of ISO 27001 compliance is proactively assessing the risks that you face. You will need to establish a risk management framework and use it to identify potential risks. As you document these, you need to assign values to them, including the potential impact of each risk and the likelihood that it will occur.
Finally, you will need to put together a response plan for each risk should it occur. A response plan doesn’t necessarily need to be deeply detailed or unique for every risk, but it does need to adequately cover a valid response to protect your information, close the risk vector, and disclose any breaches that occur.
□ Create a Risk Register
Everything that you put together while conducting your risk assessment needs to be recorded in a risk register, which becomes your guiding document.
It is also a living document; as the information security environment changes, as your business changes, as the information you handle changes, and as your employees change, your risk assessment and register will change with it all.
□ Mitigate Risks
Knowing the risks is one thing, but you will also need to address specific risks proactively and put procedures in place to prevent them as much as possible.
Depending on the risk, this can be a technological change or implementation, an upgrade, an additional verification or validation step, or even employee training and awareness. Whatever the case may be, as much mitigation as you can do needs to be done.
□ Implement Continuous Monitoring and Reviews
ISO 27001 compliance is not a one-and-done achievement; it is an ongoing, evolving, and growing posture.
Your ISMS encompasses everything involved, and you will need to periodically review and change your procedures and policies as the environment changes. Routine internal audits and evaluations will help.
□ Conduct an Internal Audit
When you believe you are ready to pursue ISO 27001 certification, you will want to perform as thorough and formal an internal audit as possible.
This internal audit will identify your full ISMS scope, produce records, and seek out gaps or issues that need to be fixed for full compliance. ISO 27001 documentation has a methodology for performing this audit to make it more standardized and effective.
□ Undergo an External Audit
If you believe you are ready to pursue full ISO 27001 certification, you will need a formal external audit.
This audit will review documentation, dig into your ISMS, check out your risk register, and more, all to validate your implementation of each relevant security control as outlined in your Statement of Applicability.
□ Remediate Audit Findings
After you undergo the external audit, the auditors may have found gaps and problems that you overlooked.
Now is your chance to remediate those issues and fully achieve certification. When you’re done, there’s only one step left.
□ Achieve Certification and Maintain Compliance
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.