ISO/IEC 27001, the international standard for information security
How an organisation deals with information has a big influence on its success. For example, the confidentiality of personal data, the availability of IT systems and the correctness of financial information are all crucial elements for any type of organisation: big or small, public or private. Moreover, recent news stories show that no company or organisation is immune to cyberattacks or data leaks, which can not only lead to reputation loss but can also have serious financial consequences.
An information security management system (ISMS) based on ISO/IEC 27001 helps you keep the risks above under control.
- What is ISO/IEC 27001?
- Why apply ISO/IEC 27001?
- Who is ISO/IEC 27001 developed for?
- ISO/IEC 27001 certification
- ISO/IEC 27001 external audit
- Training courses on ISO/IEC 27001
- Part of the ISO/IEC 27000 family
Looking to establish an ISMS in your organisation?
Buy ISO/IEC 27001:2017 in the NBN web shop and get an overview of all the requirements.
The standard’s full name is ‘ISO/IEC 27001: Information technology — Security techniques — Information security management systems — Requirements’. It sets out the requirements for establishing, implementing, maintaining and continually improving an effective ISMS, and for assessing whether that ISMS meets them. The main goal: to protect the confidentiality, integrity and availability of the information your organisation handles.
The core of any ISMS:
- Confidentiality – Only authorised people get access to the information.
- Integrity – The information is complete and correct.
- Availability – The information is accessible to authorised people at the moment they need it and within the agreed time limits.
ISO/IEC 27001: 10 chapters
The structure of ISO/IEC 27001 was aligned with the High-Level Structure (HLS) in its latest version. Dozens of other ISO management system standards have gone through the same change in recent years. In this way, ISO ensures that all adapted standards share the same basic structure. The biggest benefit: it is now easier for organisations to integrate several management standards into one management system. For example, it is perfectly possible to run an ISMS in combination with ISO 9001 (quality management), ISO 14001 (environmental management) or ISO 45001 (occupational health and safety).
Why is the High-Level Structure important?
Hendrik Decroos, representative of Belgium and NBN in the international work group that reviews the HLS, analyses its virtues.
More concretely, the HLS requires ISO/IEC 27001 to consist of these ten chapters (clauses):
- Scope
- Normative references
- Terms and definitions as defined in ISO/IEC 27000
- Context of the organisation
- Leadership
- Planning: objectives and risks
- Support of the ISMS
- Operation of the ISMS
- Performance evaluation
- Improvement
ISO/IEC 27001: from passwords to fire safety
Among others, the following topics are addressed in ISO/IEC 27001, largely through the controls listed in its Annex A:
- Regulations (protection of personal data)
- Organisation (roles and responsibilities of employees)
- Company assets (IT infrastructure, networks and systems)
- Personnel (policy, human errors, theft, fraud and other abuse)
- Physical security (access to buildings or IT infrastructure)
- Communications and operations (management of systems, processes and procedures)
- Development and maintenance of systems and software (documentation and processes)
- Business continuity (policy and procedures)
The main benefits of ISO/IEC 27001:
- Protection of crucial data: with an ISMS, you reduce the risk of your information being misused, incorrect or not available in time.
- More clarity: written operational procedures and a clear definition of roles make it easier to systematically detect and adequately respond to weaknesses.
- Increased customer confidence: consumers and clients take a growing interest in how their data are managed. With an ISMS, you reassure them and increase the chance that they will return to you in the future.
- Lower financial risk: non-compliance with the GDPR and other regulations can result in heavy fines and reputational damage, which in turn leads to financial loss and fewer clients.
- Tailor-made for every organisation: ISO/IEC 27001 applies to every organisation, regardless of sector, size or type.
- International recognition: the ISO management standard is known worldwide and gives your credibility a serious boost abroad.
Information security and an effective ISMS are important for all organisations and companies, because information is everywhere. Just think of client information, data from production systems, records from R&D centres and financial reporting.
ISO/IEC 27001, the international standard for information security, is among the top 4 ISO management system standards in terms of valid certificates. According to the latest ISO Survey (2018), no fewer than 59,934 sites worldwide are covered by ISO/IEC 27001 certificates, 208 of them in Belgium.
What is an ISO/IEC 27001 certificate?
Implementing an ISO management standard is voluntary, and it is perfectly acceptable to implement only part of the requirements. However, if you want to get certified, you have to comply with all of them. In that case, an independent certification body evaluates your ISMS at your request. If everything goes as planned, you receive a written document proving that you comply with all requirements of the standard. This certificate is valid for 3 years. Afterwards, you can renew it (if you want) by going through a recertification audit.
Why obtain an ISO/IEC 27001 certificate?
These are the 3 biggest advantages of an ISO/IEC 27001 certificate:
- New commercial opportunities: everyone wants to know that their data are safe with you. A certificate gives confidence to customers.
- Asset for tenders: governments and large enterprises that use public procurement approaches increasingly search for organisations that have a solid information security management system.
- Continual improvement of information security: holding a certificate means undergoing periodic audits. That, in turn, means reviewing and updating your objectives and procedures at set times.
We presented Peter Brosens, Innovation Manager at NBN, with 4 persistent myths about ISO/IEC 27001 certification:
- A certificate doesn’t offer my organisation any added value.
- Finding a competent certification institution is a gamble.
- A certificate always applies to my whole organisation and its processes.
- Certification is a long, expensive and complex process.
Wonder what he had to say?
How do you obtain an ISO/IEC 27001 certificate?
Although ISO, IEC and NBN facilitate the development of standards, these organisations are not involved in the certification process. In other words, you can never be certified by ISO, IEC or NBN. That is the job of independent certification bodies, which issue a certificate after a positive assessment of your ISMS.
Which institutions grant certificates for ISO/IEC 27001?
In Belgium, many bodies certify organisations against ISO/IEC 27001 after an audit. However, not all of them are accredited by BELAC, the Belgian accreditation body. Accreditation is not mandatory, but it gives you extra assurance that the audit will be carried out competently. Why? Accreditation guarantees the technical competence, independence and impartiality of the certification body.
ISO/IEC 27001 certification: checklist
Would you like to get your ISMS certified? Follow these steps:
- Support: It all starts with management buy-in. You can only truly set off when they are on board and acknowledge the value of an ISMS.
- Purchase NBN EN ISO/IEC 27001:2017: Visit the NBN e-shop.
- Training: Both beginning and experienced professionals can gain useful insights from tailor-made courses. Make sure to check out the course overview of our NBN Learning Solutions.
- Baseline measurement: Establish a baseline measurement with your colleagues or an external service provider. This analysis of the current vs desired situation reveals what your biggest working points are.
- Preparation: With the previous analysis in mind, elaborate an action plan with specific targets for your organisation and its management. Make a plan, distribute roles and appoint project teams if necessary.
- Communication: Communicate your plan to all relevant stakeholders to make sure everyone is on the same page to facilitate the implementation of the management standard.
- Implementation: Execute all planned actions and work (steadily) towards full implementation of the management standard.
- Internal audit: Once your ISMS is in place, run an internal audit to check whether you are ready to request an official, external audit. You can do the internal audit yourself or with the help of an auditing partner, but it is a mandatory step towards certification: the standard itself requires internal audits at planned intervals.
- Certification audit: Contact a certification body for an external audit. Afterwards, discuss the shortcomings found and how you will address them.
- Certification: If your organisation ticks all the boxes, you are awarded a certificate with a limited validity period. Obviously, this implies continuing to work on your ISMS. Certification is not an end goal, but one of many milestones.
Depending on the size and complexity of your organisation, the execution time of this checklist takes about 3 to 12 months. A lot depends on your preparation, your understanding of the requirements of the standard and the maturity of your organisation.
ISO/IEC 27001 certification: costs
The price tag depends on various elements. For example, will you receive support from an external partner, or do you do everything yourself? Besides that, the size and complexity of your organisation can raise or lower the costs. One thing is certain: you will need to contract a certification body to perform the external audit. Normally, you sign a three-year contract with that body, matching the validity period of a certificate.
It is important to note that you define the scope of the certification and the related audits. For every service you provide, you can choose to include it or exclude it. The ISMS covering the services of your choice is then assessed for compliance with the requirements of ISO/IEC 27001 by an independent certification body. The scope is stated on the certificate, so anyone relying on it (a customer, a procurement officer) should check whether the service they care about is actually covered. Before the certification audit, you can carry out one or more internal audits to prepare.
What happens during an external audit?
Once three months have passed since the full implementation of the management standard, you can start the certification process and schedule an external audit. That audit takes one or more days, depending on the size of your organisation. Are your facilities spread over several locations? The auditor will visit all relevant locations.
The audit consists of 2 phases:
- Phase 1: a thorough check of the documentation
- Phase 2: an on-site analysis of your ISMS
What happens after the audit?
On the basis of the audit, the certification body decides whether you have implemented the requirements successfully and correctly. If the outcome is negative, you receive a report listing the non-conformities and the points to work on; a follow-up audit then gives you a definitive answer. If the outcome is positive, you receive a certificate. Every year, an external auditor carries out a surveillance audit to assess how your ISMS has been maintained and improved. After three years, the validity period of the certificate, you can apply for recertification.
How to prepare for an audit?
These 4 tips raise your chances of success:
- Run an internal audit – alone or with external help – to track down shortcomings.
- Make sure the management team is present during the audit and that all employees are aware an audit is taking place.
- Store all necessary documents in a central location and check that they are written using the terminology of the standard.
- Elaborate a list of successful, measurable actions and projects that guarantee continuous improvement.
All the guidelines for an audit laid out for you
Do you have an information security management system (ISMS) and wish to prepare for an internal or external audit? In the revised standard ISO/IEC 27007:2020 (Information security, cybersecurity and privacy protection – Guidelines for information security management systems auditing) you’ll discover clear guidelines.
Although ISO/IEC 27001 is the only certifiable standard within the ISO/IEC 27000 series, it can be worthwhile to combine the management standard with other standards from the same family. They explain how to implement ISO/IEC 27001 and strengthen your ISMS by focusing on additional topics. These are some of the standards worth considering:
- NBN EN ISO/IEC 27000:2017 – Information technology – Security techniques – Information security management systems – Overview and vocabulary: this standard provides an overview of the essential terminology in the series. Moreover, ISO/IEC 27000 gives you a good idea of how the other standards interconnect.
- NBN EN ISO/IEC 27002:2017 – Information technology – Security techniques – Code of practice for information security controls: a detailed summary of the actions you can take to comply with the requirements in ISO/IEC 27001.
- NBN ISO/IEC 27018:2019 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors: this standard gives guidance on protecting personally identifiable information when you process it on behalf of others in a public cloud, such as Microsoft 365, Salesforce or Gmail.
- NBN ISO/IEC 27701:2019 – Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines: an ideal tool for building a privacy information management system (PIMS) that extends your ISMS with privacy-specific requirements.
Ready to start with NBN EN ISO/IEC 27001:2017?
Purchase the standard in the NBN e-shop and get an overview of all the requirements for an effective information security management system.
Do you want to get the latest news on standards, events, training courses and standardisation committees?
Sign up for our monthly newsletter.