ISO 27001: A First Look
ISO 27001 is a substantial undertaking, often daunting for newcomers. Initially, you might hope that the standard will offer clear guidance and a definitive list of requirements, but as you delve deeper, you quickly realize this isn’t the case.
The ISO 27001 standard provides advice that is both highly general and multifaceted, presenting both advantages and challenges.
Every business is unique and typically has its own set of requirements. For instance, a company operating from a single office with employees using Linux computers and accessing generic data will have vastly different needs compared to a multinational corporation with 2000 employees spread across various offices and continents, employing a mix of computers and operating systems while dealing with highly confidential data.
What is ISO 27001 and what are its benefits?
ISO 27001 is an internationally recognized standard for information security management systems (ISMS). It provides a framework and guidelines for organizations to establish, implement, maintain, and continually improve their information security policies and procedures, helping them protect sensitive data and manage security risks effectively.
There are several benefits of ISO 27001 certification, including:
1. Improved information security:
Implementing the standard helps organizations improve their information security posture by identifying and managing risks to their information assets.
2. Legal and regulatory compliance:
Compliance with ISO 27001 can help organizations meet legal and regulatory requirements related to information security.
3. Enhanced customer confidence:
ISO 27001 certification demonstrates to customers and other stakeholders that an organization takes information security seriously and has implemented best practices to protect its data.
4. Competitive advantage:
ISO 27001 certification can provide a competitive advantage by demonstrating that an organization has implemented robust security controls and is committed to protecting information.
5. Cost savings:
Improving information security can help organizations reduce the risk of data breaches and other security incidents, which can result in significant cost savings.
6. Improved business continuity:
ISO 27001 requires organizations to implement business continuity management processes, which can help ensure that critical business operations can continue in the event of a disruption.
7. Continuous improvement:
The certification process encourages organizations to continually assess and improve their information security management system, which helps ensure that they remain up-to-date with evolving threats and security best practices.
When can we get certified?
This is a common question, often with a desire for quick results, especially from C-suite customers.
Businesses typically embark on ISO 27001 certification due to pressure from potential customers and other stakeholders who seek assurance of sound operations with proper processes in place.
However, achieving certification involves demonstrating not only the existence of policies but also their real-world implementation, which means providing evidence such as risk assessments. For instance, the procedures for onboarding and offboarding employees and adherence to legal requirements must be documented and validated. This can be challenging when no recent staff changes have occurred, and it becomes even more complicated if no one has left the company. These complexities highlight the need for a thorough and comprehensive approach to certification.
Excel spreadsheets are the way, or are they?
Many businesses rely on Excel spreadsheets to manage their processes and track their status, but it’s evident that this approach is highly manual. This becomes especially overwhelming when dealing with ISO 27001 for the first time, as it requires constant monitoring of numerous evolving components.
Some businesses successfully complete the certification process and achieve compliance, only to revisit ISO 27001 a year later, repeating the same cycle. What’s certain with this Excel-powered approach?
We know the business was compliant for at least 2 days, coinciding with the annual tests, but what about all the days in between? It’s anyone’s guess. The challenge lies in understanding risk management and the ever-changing dynamics of daily business operations. Businesses evolve continuously, with new equipment, policy changes, new hires, and departures. Compliance fluctuates, and the question is when and for how long the business is non-compliant. Spreadsheets are ill-equipped to answer these critical questions.
So, what’s the solution?
Continuous compliance with ISO 27001
Drata.com is a new kid on the block: the team is fairly new, but the company is quite big, $2.5B big. They created a nice portal at drata.com where you can apply for ISO 27001, SOC 2, GDPR, PCI and other standards.
What is really cool about Drata is that it has mapped all the controls required for your certification. You can use Drata as a guide for internal audits before you talk to auditors, to ensure that you get all the controls under control. Then you can talk to the certification body to agree on a date for a full audit, and if you don’t have any major non-compliances you could obtain the certification.
Auditors can use the Drata panel as well. You can give the auditor read-only access, so they will not be able to make any changes but will be able to obtain all the information they require.
In one place you can see your security risks, monitor evidence collection, and quickly identify any non-conformities, such as an employee not adhering to the new company policies. Even more, you can easily find out which person didn’t agree to the policies, allowing you to investigate this further.
Continuous compliance does not reduce costs, as mentioned earlier (even though it does save costs by preventing data breaches), but it compensates for them by enhancing security and giving the organization a systematic approach.
In future blog posts, I will guide you through various Drata features, discuss the benefits of continuous compliance, and delve into risk management processes.
For now, if you have any questions regarding ISO 27001 and how our team can assist, please don’t hesitate to reach out. We’re here to provide support, just as we’ve done for all our customers – contact us!