ISO 27001 is an international information security standard developed by the joint technical committee of the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC 27001:2013 is the full name of the edition described on this page: it was published in 2013 and subsequently amended only by minor corrigenda (the 2017 changes are corrections, not new requirements). A revised edition, ISO/IEC 27001:2022, has since superseded it, but the structure described below is that of the 2013 edition.
Holding ISO 27001:2013 certification means that an accredited, independent certification body has audited the organisation's Information Security Management System (ISMS) and found that it meets the requirements of the standard. It does not by itself guarantee that every control is effective; it attests that the management system, including risk assessment, risk treatment and continual improvement, is in place and operating.
At its core, the primary objective of ISO 27001 is to ensure that the information of the organisation has the following attributes:
- Confidentiality: Access to the data is given only to authorised personnel.
- Integrity: The data is accurate and complete, and no unauthorised changes can be made to it.
- Availability: The correct data is available to the authorised users as and when they request it.
ISO 27001:2013 certification is voluntary. However, the laws or regulations of some countries may require it, depending on the industry in which an organisation operates.
Annex A of ISO 27001:2013 groups its reference controls into the following 14 domains (A.5 to A.18). These are distinct from the mandatory management-system requirements in clauses 4 to 10 of the standard: an organisation selects Annex A controls through its risk treatment process and records which ones apply, and why, in the Statement of Applicability (SoA).
- Information security policies
- Organisation of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
The organisation appoints an accredited certification body, which audits the ISMS and issues the certificate. The process consists of the following stages:
Gap analysis. Before the audits begin, the organisation carries out a gap analysis, on its own or with an independent consultant; the certification body itself must remain impartial and cannot advise on how to implement the standard. In this step the organisation and its employees learn the requirements of the standard and check which of them are already met. The necessary documentation is prepared, and an internal audit team is trained to verify that the requirements are being followed. Management then reviews the strengths and weaknesses of the existing system and sets up a programme of continual improvement.
Stage 1 audit. In this stage the certification body focuses mainly on the organisation's documentation. The organisation has to show that the prescribed documents have been prepared and that the necessary records are being maintained.
Stage 2 audit. Based on the findings and observations of the Stage 1 audit, the organisation has to demonstrate to the certification body that the required controls and processes are implemented and operating. Evidence is gathered through interviews, records and, usually, a walkthrough of the processes.
Certification. If the certification body is satisfied that the requirements of the standard have been met, it issues the ISO 27001:2013 certificate. The certificate is valid for three (3) years, subject to periodic surveillance audits.
Surveillance audits. At least once every 12 months, the certification body conducts a surveillance audit to confirm that the ISMS still meets the requirements of the standard and that the scope has not been compromised.
Recertification. When the three (3) year validity period expires, the certification body conducts a full recertification audit, which may or may not include a Stage 1 audit. Depending on its outcome, the certificate may be renewed, suspended or withdrawn, or its scope extended or reduced.
The certifying body usually provides a list of documents. The most commonly asked documents are:
- Organisation structure
- ISMS manual
- Personnel details
- Responsibilities and duties of employees
- Internal audit report
- Management committee review meeting report
- Information security policy and objectives
- Risk assessment and treatment plan
- Statement of Applicability (SoA) listing the Annex A controls selected and excluded
Some of the benefits of getting the ISO 27001:2013 certification are listed below:
- Based on the views of an independent third party, stakeholders can be assured that the organisation is following international best practices.
- A formalised system helps to identify risks and also implement the appropriate risk mitigation strategy in time.
- Customer satisfaction increases since they are assured that their data remains confidential and secure.
- Investor confidence in the governance of the organisation increases.
- Security-conscious culture will be prevalent throughout the organisation.
- Regulatory compliance requirements will be consistently met.
- Information assets are protected by controls selected through a documented risk assessment rather than on an ad hoc basis.
- Fewer information security incidents reduce the costs of recovery, downtime and regulatory penalties.
- Continuity of business operations can be