What is ISO Certification and Why is It Important?
The International Organization for Standardization (ISO) is an international body that develops and publishes international standards. The ISO provides a common framework for trade, reduces business costs, and makes it easier to trade across borders. The ISO is a non-governmental organisation with participation from governments, industries and associations. It is a worldwide federation of national standards bodies.
The ISO was founded on 14 October 1946 by 65 delegates at the Institute of Civil Engineers in London. The founders established the principles for its operation and two essential elements: consensus and openness. The ISO is currently headquartered in Geneva, Switzerland.
Founders of ISO, London 1946
To ensure that standards are consistent across industries, the ISO has a network of over 166 national organisations that set out these best practices, which can be applied to publishing standards, quality management, product development standards and more. These organisations are called “members” of the ISO and represent their country’s interests in standardisation.
The ISO keeps track of various standards, from ones that govern industrial safety to medical devices, electronic products and many more.
Types of ISO Management Systems and Their Uses
ISO management systems are a way to organise and communicate your company’s policies, procedures, and standards. They’re beneficial when it comes to quality assurance (ISO 9001), environmental management (ISO 14001), or information security management (ISO 27001).
Here are the three most common types of ISO management systems:
- ISO 9001 is used for Quality Assurance (QA) or Organization Management System (OMS). It’s also known as ISO 19011, which is the international standard that defines the requirements of a QA/OMS.
- ISO 14001 is used for the Environmental Management System (EMS), which means it’s a framework for environmental performance management. It’s also called ISO 14061, which specifies how an EMS should be designed, implemented and maintained.
- ISO 27001 deals with the Information Security Management System (ISMS). This framework helps organisations protect themselves from cyber-attacks and other forms of information insecurity.
These systems can be used in different ways depending on the type of business you run. Regardless of how you use them, the goal is always to help your company improve its performance by reducing waste and increasing efficiency.
ISO Management Systems are organised around 3 main components:
- Policies: Policies are standards set by senior management and intended to guide all operational activities within an organisation.
- Procedures: Procedures define how things should be done for them to be done correctly. These explain how employees should carry out their jobs for them to be done safely and efficiently.
- Standards: Standards describe what needs to be achieved in terms of quality or performance concerning products or services provided by an organisation.
While there are many different ISO management systems, they all share the same goal: to provide businesses with a transparent and repeatable process for managing their operations.
How ISO 27001 Helps Protect Your Organisation
Across every sector, there has been a strong focus on improving security after significant cyber-attacks, which have typically hit organisations such as local councils and hospitals. Data and information protection is a hot topic for all organisations, including government, businesses, and the public.
To help organisations of all sizes keep their data and information safe and their reputations intact, the ISO created ISO 27001, an information security management standard that enables you to develop a framework for an ISMS (information security management system). Thus, it helps to protect your information by implementing several best practices.
ISO 27001 goes beyond just IT. This comprehensive standard encompasses all aspects of a business to give organisations the security they need, building risk management into a strong security culture.
This means that you will develop processes covering legal, physical, human and technical aspects of your organisation – protecting both digital and physical assets – through diverse controls.
What is ISO 27001 Certification?
ISO 27001 is a standard that specifies the requirements for an information security management system (ISMS). It’s a framework of best practices that can be implemented in any organisation. An ISO 27001 certification ensures that your business has implemented effective security measures and will help you maintain compliance with legal and regulatory requirements.
The ISO 27001 framework is designed to help organisations manage their information security risks and protect their business assets from attacks.
What is Information Security Management System (ISMS)?
An ISMS is an organisation’s documented set of policies, procedures, and practices for managing the security of its information. These policies are specifically designed to protect data confidentiality, integrity and availability. After an ISMS is implemented, it’s possible to measure progress against a set of security objectives and identify security management gaps.
A Brief History of ISO27001: How It Became The Standard
The ISO 27000 series of documents outlines standards for information security management. The most common and well-known document in the series is ISO 27001, released in October 2005 and revised in 2013 by the International Organization for Standardization and the International Electrotechnical Commission.
The ISO 27001 standard offers a framework to help organisations plan, operate, implement, monitor, and improve an ISMS.
An ISMS is an organisation’s documented set of security controls designed to protect the confidentiality and integrity of assets from vulnerabilities and threats. While some organisations pursue certification by a third-party, many use ISO 27001 as a framework for developing and implementing best practices.
ISO 27001 was the first international standard series focusing on cyber security and information technology. The code of practice was formerly known as ISO 17799 and was based on the UK standard BS 7799-1. The current version of that code is ISO 27002:2013.
ISO 27001 vs ISO 27002
ISO 27002 is a best practices guide for information security management. It can be used as a supporting document for an organisation under ISO 27001, which sets forth the requirements for an ISMS. While ISO 27002 is not a certification standard, it provides you with a guide to assist in developing your information security management system.
ISO Level of Hierarchy
ISO is a three-level system resembling a tree diagram. It has a centralised structure with the International Accreditation Forum (IAF), an international body that monitors the whole system, at its core. The IAF recognises accreditation bodies representing the various countries participating in the process. These bodies are responsible for drafting, amending and designing the necessary worldwide standards. Accreditation bodies representing different countries include:
- NABCB (National Accreditation Board for Certification Bodies) — India based
- UKAS (United Kingdom Accreditation Service) — UK based
- IAS (International Accreditation Service) — US based
- ANSI (American National Standards Institute) — US based
Key Stages for Implementing an ISMS
The ISO 27001:2013 standard establishes requirements that an organisation must meet for the definition, implementation, review, and continuous improvement of its Information Security Management System (ISMS). This ensures that the organisation appropriately protects information against threats affecting its confidentiality, integrity, and/or availability. In this context, information is understood as any organised set of data held by an entity that has value, whether because of its origin (the organisation itself or external sources) or the date on which it was produced.
As of the end of 2017, 39,501 companies worldwide had been certified in ISO 27001:2013. Japan has the highest number of certified companies, followed by China and the United Kingdom.
The following table shows the 2020 ISO survey result, conducted by the ISOTC – ISO Standard Development:
Stages of ISO 27001 Data Collection
1. Pre-Verification Survey Stage
To determine the focus of the verification, you should conduct a risk-based assessment to identify which areas are out of scope. Asset documentation such as industry reports, past data, and other documents are useful sources of information. Ensure that the audit’s scope is relevant to the organisation: it should typically match the scope of the ISMS being certified. In the case of large organisations, auditors may need to review the ISMS implementation at each business location. If it is not possible to review or check every site, you should at least take a representative sample during your pre-verification survey by identifying and contacting the ISMS’s main stakeholders and requesting any documentation they use during the audit process.
2. Planning Stage
After agreeing on the scope of an ISMS audit, auditors need to break the audit down in much greater detail. This involves producing an ISMS audit checklist, a document specifying the audit’s resourcing and timings. The audit plan identifies and puts boundaries around each phase of the audit. It also includes checkpoints at which auditors can inform managers about their progress and any areas requiring extra attention. Such updates allow auditors to raise concerns about management engagement and about access to information early in the audit process. Auditors must specify when certain parts of the ISMS will be assessed so they can prioritise the aspects that they believe pose the most significant risk should the ISMS be found inadequate.
3. Data-Collection Stage
When auditing an ISMS, auditors gather evidence by interviewing managers and staff, reviewing printouts and data, and observing ISMS processes in action. They must perform data collection tests to ensure accurate evidence is gathered, and keep audit work papers documenting the tests performed. The initial stage of data collection typically involves reviewing documentation related to the ISMS’s current data collection. Auditors’ findings may indicate the need for specific documentation, or for further data collection testing, to determine whether the ISMS complies with ISO 27001.
4. Analysis Stage
The collected data should be evaluated against the control objectives and the identified risks. Occasionally, an analysis reveals the need for more audit tests or exposes gaps within the evidence, which may involve further testing or data collection.
5. Data Collection Reporting Stage
The data collection / audit report ideally has 6 major sections:
- The first section is an introduction that explains when, how, and why the audit was performed.
- The second section is an executive summary highlighting the key findings, a brief analysis, and a conclusion (whether or not significant problems were found).
- The third section consists of the intended recipients of the report and information on classification and dissemination.
- The fourth section contains detailed findings and analysis.
- The fifth section contains conclusions based on those findings, recommendations for improvement, and any disclaimers about incomplete information.
- The sixth section includes a statement from the auditor detailing any limitations on scope or recommendations for improvement.
ISO 27001: Annex A Category Controls
Annex A of ISO 27001:2013 is a technical section for controlling risks in information security, especially in information technology (IT). Annex A is the basis for establishing a Statement of Applicability (SoA). There are a total of 114 Annex A controls, divided into 14 control categories.
In addition to the requirements of the ISO 27001:2013 Information Security Management System (ISMS) that follow the existing HLS (High Level Structure) hierarchy, there are more technical requirements described in Annex A of ISO 27001:2013. This Annex accounts for a reasonably large portion of the auditor’s questions because it relates to the technical capabilities of the IT systems owned by the company or institution.
When assessing security risks, the organisation should determine which controls are necessary and confirm which ones are excluded from the ISMS.
The following is a list of the 14 control categories from Annex A of ISO 27001:
A-5. Information Security Policies
Designed to ensure that organisational policies are written and monitored in their entirety, following directives for information security.
A-6. Organisation of Information Security
It includes certain duties and responsibilities. This annex is divided into two, namely:
- A-6.1 ensures that the organisation has established a framework that can implement and maintain information security.
- A-6.2 discusses mobile devices and remote working, so that anyone working from home or travelling, full-time or part-time, follows the same rules.
A-7 Human Resource Security
Ensures that employees and contractors understand their rights and responsibilities in the company.
- A-7.1 The purpose of this annex is to clarify the obligations of workers and contractors, as well as the commitments expected from organisations when they hire them. The annex also addresses the employee’s rights if they leave or change roles within an organisation, or are asked to resign.
- A-7.2 This annex ensures that all employees and contract workers understand and meet the security requirements set forth by the organisation. Depending on the situation, there may be a variety of approaches taken.
- A-7.3 This annex focuses on termination and modification of employment arrangements. It is the goal of this Annex to safeguard the organisation’s interests during the process of terminating or modifying an employee’s job role.
A-8 Asset Management
Asset management is a method of accountability for valuable assets. It involves tracking, classifying, identifying and assigning ownership to them.
This category covers how an organisation or company identifies information assets and assigns protection responsibilities following applicable standards. This annex contains three parts, namely:
- A-8.1 requires companies to identify the scope of their ISMS and define who is responsible for protecting each asset. Assets may include network equipment, devices, IT infrastructure, data, information, and applications. These responsibilities must be specific to the type of asset.
- A-8.2 concerns information classification and ensures that information assets are handled in line with applicable standards. The A-8.2 annex is designed to satisfy the information security requirements for an organisation’s information assets based on their importance and in alignment with stakeholder expectations.
- A-8.3 concerns media handling and ensures that data is not disclosed, modified, deleted or destroyed without authorisation. The aim of the A-8.3 annex is to prevent the removal, disclosure, destruction or modification of information assets stored on media without the authority of the owner.
A-9 Access Control
This access control annex ensures that employees can only view and manage information relevant to their position.
Access control consists of four parts: business requirements of access control (A-9.1), user access management (A-9.2), user responsibilities (A-9.3), and access control on systems and applications (A-9.4).
- A-9.1 This annex requires the establishment and implementation of security procedures that restrict access to information and to information processing facilities. Access control policies must be developed in order to comply with this regulation.
- A-9.2 To ensure that authorised users can access your systems and services, and to prevent unauthorised access, by including appropriate security measures in your systems.
- A-9.3 To ensure that users’ authentication credentials are not compromised, employees and all users with access should follow the instructions for using their authentication credentials.
- A-9.4 Ensures that systems are in place to prevent unauthorised access to the company’s information systems, software, and applications through user access control.
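The two categories above, asset classification (A-8.2) and access control (A-9), are easiest to see working together: an access decision should check both what a role is permitted to do and whether the asset's classification is within what that role is cleared to handle, and a periodic access review (A-9.2) should flag accounts whose directly granted rights have grown beyond their role. The following Python is an added illustration written for this article, not code from ISO or from the organisation behind the page; the roles, classification labels, users and assets are all constructed sample data, and the decision rules are one reasonable reading of the controls rather than anything the standard prescribes.

```python
from dataclasses import dataclass, field

# Classification labels ordered from least to most sensitive (constructed for this example).
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Role -> (allowed actions, highest classification the role is cleared to handle).
# Constructed sample roles, not a list from the standard.
ROLES = {
    "hr_officer": ({"read", "write"}, "confidential"),
    "finance_analyst": ({"read"}, "confidential"),
    "contractor": ({"read"}, "internal"),
    "sysadmin": ({"read", "write", "delete"}, "restricted"),
}


@dataclass
class Asset:
    name: str
    owner: str            # A-8.1: every asset has a named owner
    classification: str   # A-8.2: every asset carries a classification label


@dataclass
class User:
    username: str
    role: str
    # Permissions granted directly to the account, outside the role (where privilege creep hides)
    extra_permissions: set = field(default_factory=set)


def is_allowed(user, asset, action):
    """A-9 style access decision.

    The action must be in the role's permission set AND the asset's classification
    must not exceed the level the role is cleared for. Anything unknown (role,
    label) fails closed: the answer is "no" rather than an exception or a default "yes".
    """
    if user.role not in ROLES:
        return False
    perms, max_class = ROLES[user.role]
    if action not in perms:
        return False
    asset_rank = CLASSIFICATION_RANK.get(asset.classification)
    if asset_rank is None:
        return False  # unlabelled or mislabelled asset: deny until it is classified
    return asset_rank <= CLASSIFICATION_RANK[max_class]


def review_access(users):
    """A-9.2 style periodic access review.

    Returns (username, [excess permissions]) for every account whose directly
    granted permissions go beyond what its role allows, so a reviewer can revoke them.
    """
    findings = []
    for u in users:
        role_perms = ROLES.get(u.role, (set(), None))[0]
        excess = u.extra_permissions - role_perms
        if excess:
            findings.append((u.username, sorted(excess)))
    return findings


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    payroll = Asset("payroll-2023.xlsx", owner="head_of_hr", classification="confidential")
    handbook = Asset("staff-handbook.pdf", owner="head_of_hr", classification="internal")
    alice = User("alice", "hr_officer")
    bob = User("bob", "contractor")
    carol = User("carol", "finance_analyst", extra_permissions={"delete"})

    print("alice read payroll:", is_allowed(alice, payroll, "read"))      # True
    print("bob read payroll:", is_allowed(bob, payroll, "read"))          # False: above clearance
    print("bob read handbook:", is_allowed(bob, handbook, "read"))        # True
    print("alice delete payroll:", is_allowed(alice, payroll, "delete"))  # False: not in role
    print("access review findings:", review_access([alice, bob, carol]))  # carol has excess 'delete'
```

The design point is that the two checks are independent: a role may be permitted to "read" in general and still be refused a particular document because of its label, and an account can pass every live access check while still carrying a stale permission that only the review function surfaces. Denying on unknown roles or labels keeps a misconfiguration from silently granting access.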
A-10 Cryptography
Cryptography discusses data encryption and sensitive information management, ensuring that companies use cryptography correctly and effectively to protect data confidentiality, integrity and availability.
A-11 Physical and Environmental Security
This section focuses on the protection of the physical environment of an organisation. It defines and protects against incidents that may occur in that physical environment, such as natural disasters, intentional destruction, power or hardware failures, careless handling of records, improper disposal of records, and so on. This section has two annex categories, which are as follows:
- A-11.1 The objective of this annex is to prevent damage and unauthorised physical access to the organisation’s stored data, and interference with the organisation’s premises or the data contained therein.
- A-11.2 This control aims to prevent damage to, theft of, or loss of company assets, whether software or physical files, and disruption of business operations.
A-12 Operations Security
Operational security ensures that information processing facilities run securely.
- A-12.1 To ensure that data processing facilities are being operated in a secure and proper manner. This set of controls outlines the standards for all companies, regardless of size or industry.
- A-12.2 To protect the confidentiality and integrity of information from malware attacks by implementing protective measures that ensure the detection of such attacks, and recovery from them when they occur.
- A-12.3 To ensure the safety of valuable information, backup data must be stored in an offsite location.
- A-12.4 All security and event logs must contain information about the user, security events and system flaws.
- A-12.5 Requires operational systems to be monitored to ensure their integrity. Software installation procedures should be formally implemented.
- A-12.6 Requires all information systems to be protected from technical vulnerabilities. All such vulnerabilities should be evaluated and addressed through proper measures.
- A-12.7 To avoid excessive disruption of business operations, all audit requirements, such as access to systems, must be discussed in advance with management.
A-13 Communications Security
It emphasises the way companies protect information on the network and is divided into two parts:
- A-13.1 addresses network security management, ensuring that the confidentiality, integrity and availability of information in the network remain intact.
- A-13.2 discusses the security of information in transit, whether it is sent to other parts of the company, third parties, customers or other interested parties.
A-14 System Acquisition, Development and Maintenance
This section ensures that information security is a central and integral part of the company’s systems.
A-15 Supplier Relationships
It contains contractual agreements that the company has with third parties and ensures that both parties maintain the level of information security and deliver agreed services.
A-16. Information Security Incident Management
In this section, we discuss how to manage and report security incidents. This process involves explaining which employees should be responsible for certain actions so that their handling can be consistent and effective.
A-17. Information Security Aspects of Business Continuity Management
This section aims to create an effective system for managing business interruptions.
A-18. Compliance
This section ensures that organisations identify relevant laws and regulations to assist in understanding their legal and contractual requirements, reducing the risk of non-compliance and penalties.
Overt and ISO
Wondering why we’re writing this article? Guess what! Overt is now ISO 27001 accredited, ensuring we follow best practice with full implementation of an ISMS, protecting our customers’ data even further alongside Cyber Essentials Plus.