HIPAA, CMMC, PCI, ISO, NIST - the range of potential security frameworks and certifications an organization has to choose from these days is an acronym soup that can make even a compliance specialist’s head spin!
Amid an ever-growing list of country and industry-specific options, the ISO 27001 standard has remained a popular choice because of its applicability across both continents and business verticals. If your organization is considering embarking on the ISO 27001 compliance journey, read on to learn more about what this standard is, how you can become ISO 27001 certified, and how Varonis can help!Get the Free Essential Guide to US Data Protection Compliance and Regulations
- Quick review: What is ISO 27001?
- How to become ISO 27001 certified
- ISO 27001 clauses and controls
- ISO 27001 Annex A: Reference control objectives and controls
- Tips to maintain ISO 27001 compliance
- How Varonis can help with ISO 27001 compliance
- ISO 27001 FAQs
Quick review: What is ISO 27001?
The ISO 27001 standard, more formally known as ISO/IEC 27001:2013 Information Security Management, focuses primarily on the implementation and management of an information security management system (ISMS). A joint product of the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC), ISO 27001 is the most well-known of more than a dozen published standards in the ISO/IEC 27000 family. It’s also the only member of the family against which an organization can be certified, with ISO 27002 and beyond serving primarily as guidance and reference material for the “main” standard.
In contrast to some other standards and frameworks, achieving and demonstrating ISO 27001 compliance does not require strict adherence to specific technical controls. Instead, the focus is on risk management and taking a holistic and proactive approach to security across the entire organization. You’ll find more than a dozen controls listed in the standard’s “Annex A”, but there is no expectation that all ISO 27001 certified organizations will have implemented each and every one of these controls. Rather, each organization will apply an appropriate subset of these controls based on the unique risks to their business operations.
The ISO also makes a very deliberate attempt to portray the ISO 27001 framework as an “information security” framework rather than a cybersecurity one. While a great deal of a modern organization’s “information” exists in a digital form, policies and procedures, proprietary knowledge, and even buy-in from senior leadership are less tangible assets that can still adversely affect an organization were they to be lost or co-opted. The policies, procedures, people, documentation, and controls intended to maintain the Confidentiality, Integrity, and Availability of an organization’s information are known collectively as an Information Security Management System (ISMS).
Is ISO 27001 compliance or certification mandatory?
The simple answer is no. While some mistakenly conflate ISO 27001 compliance with legal requirements, only a few countries have laws on the books requiring organizations to implement the framework. Nothing in life is that simple, of course, and there may be instances in which your organization is required to have an ISO 27001 certification. Contracts and vendor procurement policies can and often do require ISO 27001 compliance, especially in sensitive industries like healthcare and finance. There are also market sectors where ISO 27001 certification is generally expected, even if not formally required. Varonis, for example, knows that enterprise customers looking at data security solutions will expect any potential vendor to have their own house in order, so we make all of our certifications, including ISO 27001, easily accessible on our trust page.
How to become ISO 27001 certified
The road to ISO 27001 certification can be a long one, with the entire journey often taking a year or more. The ISO itself does not hand out ISO 27001 certifications. Instead, third-party auditors or assessors validate that an organization has effectively implemented all of the relevant best practices in accordance with the published ISO standard.
This arrangement, as well as the framework’s emphasis on risk management rather than prescribed technical controls, means that there is not a universal “ISO 27001 compliance checklist” that guarantees certification. It’s up to each organization to decide how to implement the framework, and auditors will use a certain amount of professional discretion in how they evaluate each case.
There is, however, an established process for achieving certification once an organization is ready to bring in an auditor or certification body. It’s divided into three phases:
- Phase one: The external auditor or certification body performs a high-level review of the organization’s ISMS. Much of the work in this phase serves to determine whether the organization is ready to move onto the more detailed second phase. Lack of key documentation, weak support from management, or poorly identified metrics can all bring an ISO 27001 audit to a screeching halt.
- Phase two: A much more detailed audit is performed, examining how specific security controls are applied at the organization to meet the requirements spelled out in the standard. In this phase, an auditor will be looking for evidence that an organization is actually implementing everything in the documentation that was evaluated in phase one.
- Phase three: Following official certification, an organization must undergo annual surveillance audits to maintain ISO 27001 compliance. While these audits are not as rigorous as those carried out in phase two, non-conformance to any of the requirements can lead to the revocation of an organization’s ISO 27001 certification before its listed expiration date.
As you can probably tell, the certification process is fairly rigorous, and any organization wanting to become certified will need to do quite a bit of legwork before engaging a certification body. The cost and time commitment from employees required for this can vary. Outside consultants are frequently brought in to help a company prepare for a formal audit. Unofficial “gap analysis” audits are often recommended to help prepare for the official certification audit.
ISO 27001 clauses and controls
The most recent revision of the ISO 27001 standard, published in 2013, consists of 11 clauses numbered “0” through “10”, plus an “Annex A” that lists specific security controls. Each of the main clauses contains a number of sub-clauses except for the introduction. Clauses 4 through 10 are considered “mandatory”, and an organization cannot claim ISO 27001 compliance without meeting the requirements spelled out in these sections. These 11 main clauses are listed below:
- Introduction: Introduces the standard and its purpose.
- Scope: Provides a very high-level view of the information security management system and risk treatment requirements specified within the rest of the standard. Also clarifies that the standard is intended to be generic and applicable across different industries and business sizes.
- Normative references: Explains the relationship between ISO 27000 and 27001 standards.
- Terms and definitions: Covers the terminology that is used within the standard.
- Context of the organization: The first mandatory clause. Covers stakeholders, internal and external issues, and regulatory and compliance requirements. An organization must also define the scope, boundaries, and applicability of the ISMS as part of this clause.
- Leadership: True ISO 27001 compliance requires full support from top management. The leadership clause explains the responsibilities of senior executives in implementing and maintaining a functional ISMS. The audit process will involve interviews with top executives, which means the commitment from management must be truly genuine.
- Planning: The planning clause covers risk assessment, risk treatment, and the creation of objectives to measure the performance of an ISMS in relation to the company’s greater business objectives. An organization will need to define and document its criteria for assessing and analyzing risks, and also specify how the identified risks will be addressed.
- Support: This clause addresses the resources needed to successfully implement and support the ISMS. Think well-trained employees, effective communication of policies, and standardized procedures for creating and updating documentation.
- Operation: In the operation clause, an organization will put much of the work developed during the Planning clause into action. Where clause 6 consisted of defining criteria for risk assessments, clause 8 is where the assessments are actually performed and documented. This is also the clause under which the mandated Risk Treatment Plan is implemented.
- Performance evaluation: Measuring the performance of your ISMS is crucial for getting the most out of your ISO 27001 implementation. Clause 9 includes requirements for how to monitor and evaluate the policies, procedures, and controls that make up the management system. This clause also calls for regular internal audits and management reviews.
- Improvement: The final mandatory clause covers both nonconformity to the other sections of the standard and continual improvement of the information security program.
ISO 27001 Annex A: Reference control objectives and controls
In addition to the primary clauses, the official ISO 27001 document contains an annex of control objectives and controls that can be used to support an organization’s information security program. The annex contains 93 controls organized into 4 key groups. Note that these controls and control objectives are provided as reference material for best practices. An ISO 27001 compliance audit may examine whether an organization implements each control, but will do so through the lens of how each control meets the requirements in the mandatory clauses.
A brief summary of these reference controls is provided below:
- Organizational controls
- People controls
- Physical controls
- Technological controls
Tips to maintain ISO 27001 compliance
An ISO 27001 certification is only valid for three years, and even during those three years, annual surveillance audits are required. The framework is, therefore, not a one-off project but an ongoing effort that demands continuous attention.
As the business continues to grow and evolve, the ways in which the ISMS applies will also change. Consider an enterprise that’s moved from on-premises to cloud applications over the last decade: the ways in which information security is approached will naturally look very different.
To maintain ISO 27001 compliance, an organization may wish to form a “task force” composed of different stakeholders from across the company. This group should meet on a regular basis to review any open issues and consider updates to the ISMS.
- Build compliance into day-to-day business operations. Don’t look at the framework as something that only needs to be addressed periodically to maintain compliance.
- Keep senior management involved throughout the entire lifecycle. Buy-in from top-level stakeholders cannot end once initial certification is achieved.
- Monitor and evaluate the framework and the ISMS as part of your overall security posture. Security incident? Evaluate how your ISMS impacted the outcome, and document any corrective action.
- Stay on top of new risks. Remember that the ISO 27001 standard is largely about risk management. Risks are not static and evolve as new cyber threats emerge and the business continues to mature. The organization should continually evaluate and analyze new risks as they emerge.
- Perform regular internal audits and gap analysis. Recertification by an auditor is not the time to discover a critical control is no longer being applied.
- Involve other parts of the business. Did you notice that one of the items in Annex A covers people controls? This means that HR and other departments in the company must be involved in your ongoing ISO 27001 maintenance, not just IT.
- Document, Document, Document. Many of the actions your organization takes anyway will be applicable to the ISMS, but without proper documentation, they won’t help with future audits.
- Continue to follow through on what's in the documentation. Remember that during a phase two or recertification audit, the auditor will look for evidence that what’s spelled out in the documentation is actually put into action. If the company’s policy says employees should receive annual security awareness training, they must actually be receiving that training.
- Evaluate the scope on an ongoing basis. If the company is opening a new business unit or jumping into a new region, will ISO 27001 compliance need to extend to this new part of the company?
- Don't forget the supply chain! If cloud or SaaS services are a key part of your business processes, you need to address them in your ISMS as well.
How Varonis can help with ISO 27001 compliance
Identifying and addressing risks is at the heart of the ISO 27001 standard. But you can’t reduce risks that you can’t see. Organizations that lack visibility into who is accessing sensitive data, as well as how that access is occurring, can’t adequately identify or mitigate risk. Data Access Intelligence available from Varonis is the perfect tool to deliver this visibility. DatAdvantage Cloud provides an unprecedented look into overexposures and misconfigurations that can cause harm beyond the enterprise perimeter. As your company continues down the path of ISO 27001 maturity, other components of the Varonis Data Security Platform can boost efficiency and help you maintain compliance.
ISO 27001 FAQs
Q: What are ISO 27001 requirements?
A: ISO 27001 is an information security standard. In order to earn an ISO 27001 certification, an organization is required to maintain an information security management system (ISMS) that covers all aspects of the standard. After that, they can request a full audit from a certification body.
Q: What does it mean to be ISO 27001 certified?
A: To be ISO 27001 certified means that your organization has successfully passed an external audit and met all compliance criteria. This means you can now advertise your compliance to boost your cybersecurity reputation.
Q: What is the process to be ISO 27001 compliant?
While an organization can choose to implement the ISO 27001 framework without undergoing formal certification, “ISO 27001 compliant” generally refers to an organization that has been independently audited and certified to meet all the requirements of the standard. Compliance must be maintained on a continual basis.
Q: What is the latest ISO 27001 standard?
A: The latest standard is known officially as ISO/IEC 27001:2022. It was published in 2022 as the third official edition of ISO 27001.
Q: Is ISO 27001 GDPR compliant?
A: Because ISO 27001 is mainly a framework for developing an ISMS, it will not cover all of the specific rules of the General Data Protection Regulation (GDPR) instituted by the European Union. However, when paired with ISO 27701, which covers the establishment of a data privacy system, organizations will be able to fully meet the requirements specified in GDPR.
Q: What are the main similarities or differences between SOX and ISO 27001?
A: While ISO 27001 covers the general management of information and data, the Sarbanes–Oxley Act (SOX) is specific to how financial information is disclosed in the United States. Fortunately for companies who have a wide scope of data management, earning ISO 27001 certification will also help to prove compliance to SOX standards.
Q: What is the difference between NIST and ISO 27001?
The National Institutes of Standards and Technology (NIST), a US government agency, publishes several standards related to cybersecurity and data security, such as NIST 800-53 and NIST 800-171. These publications differ from the ISO 27001 standard in their focus on U.S. federal agencies and contractors and their more prescriptive, control-based structure. Compliance with a NIST standard generally requires implementing all controls as specified in the standard, while ISO 27001 compliance emphasizes a risk-based approach that allows an organization to tailor the controls to their unique needs.
Q: What is the purpose of other ISO?
A: The International Standards Organization (ISO) publishes standards on everything from energy management to healthcare. While ISO 27001 is the most well-known information security standard, dozens of other ISO standards cover specific security technologies like cloud services. Some ISO standards also provide guidance or best practices on implementing their better-known peers.
Closing Thoughts
Achieving full ISO 27001 compliance may seem like a daunting task, but in a world where customers, partners, and employees are increasingly concerned about their confidential data, it can be a substantial asset. Certification to the standard demonstrates a strong commitment to data security. And remember, Varonis is here to help you on your ISO 27001 journey with tools like DatAdvantage and DatAlert.
What should I do now?
Below are three ways you can continue your journey to reduce data risk at your company:
Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.
See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.
Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.