In this post, we’ll walk you through the basics of the ISO 27001 certification, and help you determine if it will serve your business goals and your customers’ needs.
ISO 27001 - What is it?
Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), the ISO 27001 standard helps organizations organize their people, processes, and technology to ensure the confidentiality, availability, and integrity of information. The focus of the ISO 27001 standard is on a company’s Information Security Management System (ISMS), which outlines how it has integrated information security into its business processes.
The ISO 27001 standard requires companies to identify information security risks to their system and the corresponding controls to address them. ISO 27001 comprises 114 controls divided into 14 categories. There is no requirement to implement the full list of ISO 27001’s controls. They simply represent the possibilities for an organization to consider based on its particular needs.
A primary goal of ISO 27001—as well as other compliance certifications such as SOC 2—is to prove to your clients and customers that security is a top priority.
ISO 27001 is considered the global gold standard for ensuring the security of information and supporting assets. Obtaining an ISO 27001 certification can help an organization prove its security practices to potential customers around the world.
Which is Best for my Business?
To decide whether you need an ISO 27001 certification, first consider the regions in which your company does business: are you primarily working in North America? Are you working internationally—or planning to expand your operations?
SOC 2 is a well-known U.S. security standard and has become a common business practice. If your company only performs business with U.S.-based customers, a SOC 2 may be sufficient.
If your company focuses much of its work outside of North America, or if your clients and prospects have sought proof of your company’s security against an internationally accepted standard, then ISO 27001 certification may also be important.
Your buyers are your best source of information to help you decide which standard to pursue. If a customer requires an ISO 27001 certification, then your next steps are clear. If a SOC 2 meets the requirements of your customer in tandem with your own company’s security and compliance needs, you’ll move forward with a SOC 2.
Many companies decide they eventually need both a SOC 2 and an ISO 27001 certification based on the demands of their growing customer base. Your company may first consider a SOC 2 and later the ISO 27001 standard as your business expands.
ISO 27001 Certification Process Overview
If you are moving forward with ISO 27001, the certification process involves…
- Clearly scoping and effectively implementing an Information Security Management System (ISMS)
- Establishing an ISMS governing body composed of senior management and key stakeholders from throughout the company
- Performing an internal audit to assess the organization’s ISMS and its implementation
- Undergoing an ISO audit with an external third-party auditor
The internal audit is one of the best ways to ensure that your organization’s ISMS is operating effectively and in alignment with the ISO 27001 standard. The internal audit is required under the ISO 27001 standard, and internal auditors must be objective and impartial: they should not be responsible for implementing, operating, or monitoring any of the controls under audit. Once the internal audit is complete, results should be shared with the company’s ISMS governing body and senior management to address any issues before proceeding to the external audit.
The external audit is composed of two stages. The Stage 1 audit consists of an extensive documentation review, during which an external ISO 27001 auditor reviews an organization’s policies and procedures to ensure they meet the requirements of the ISO standard and the organization’s ISMS. The Stage 2 audit consists of the auditor performing tests to ensure that an organization’s ISMS was properly designed and implemented and is functioning appropriately.
An ISO 27001 certification is valid for three years; however, ISO requires that surveillance audits be performed each year to ensure that the ISMS and its implemented controls continue to operate effectively. This means that every 12 months during the 3-year cycle, an organization’s ISMS must undergo an external audit, in which an auditor assesses portions of the ISMS.
Streamline & Simplify with Vanta
Vanta’s automated security and compliance software supports your company in building a strong security program that will enable you to prove compliance and prepare for multiple audit formats.
Vanta provides a suite of interconnected tools automating security and compliance to tackle ISO 27001, SOC 2, HIPAA, and more. Vanta helps you build a list of controls tailored to your company, then connects to your company’s software, admin, and security systems to continuously monitor your systems and services. Vanta’s platform eliminates manual data collection by automating and consistently monitoring your security systems. Once Vanta is connected to your systems, we can help to identify and resolve any gaps in your security implementation—readying you for a smooth and successful security compliance audit.
Interested in connecting with Vanta to learn more about how your company can achieve ISO 27001 certification? Get in touch! We’d love to partner with you!