To operate successfully and securely in the age of digitalization, companies need to meet high standards of information security. The International Organization for Standardization (ISO) has created a standard for information security in companies. Enterprises that comply with this standard can obtain a corresponding certificate. The certification was developed by renowned, globally recognized information security experts and describes a methodology that companies should implement to ensure a high level of information security.


What Is ISO 27001?

The international standard ISO 27001 gives companies and organizations a benchmark for information security. The standard is structured so that company size and industry play no role in its implementation. Once the requirements are satisfied, an organization can also obtain ISO 27001 certification. With this certificate, a company can demonstrate to customers and business partners that it is trustworthy and takes information security seriously.

Definition: ISO 27001

The international standard ISO 27001 governs information security in private, public and non-profit organizations. It describes the requirements for establishing, implementing, operating and optimizing a documented information security management system (ISMS).

Advantages of ISO 27001 for Companies

The advantages for companies relate to four different areas. On the one hand, this certification offers a basis for implementing statutory regulations. On the other hand, the certificate can provide a competitive edge, since not all companies are certified according to ISO 27001. Companies that hold this certificate can prove to their customers that they handle sensitive information securely. Compliance with the standard also reduces the risk of information security failures, so ISO 27001 can contribute to saving costs, since such incidents typically come with financial expenses.

In addition, ISO 27001 certification optimizes processes within a company: defining the main company processes in writing minimizes staff idle time.

Additional benefits include:

  • Reducing business risks
  • Minimizing liability risks
  • Lower insurance premiums
  • Reliable problem and threat detection

ISO 27001: Essential Components

The ISO 27001 standard comprises multiple parts. Its foundation is the ISO/IEC 27001 standard created in 2005. This was thoroughly revised in 2015 and amended by another catalog, the second part. This part is represented as an annex to the standard and describes the changes in detail. The standard can be divided roughly into three sections: the introductory chapters, the normative main body that follows them, and the annex mentioned above, which rounds off the standard.

The normative main body is critical for certification according to ISO 27001. This is where the objectives of the measures (controls) are precisely explained. These measures aren't instructions for implementing the requirements; instead they're intended as suggestions for successful implementation. The suggestions are largely based on the three pillars of confidentiality, availability, and integrity.

To simplify the processes and implementation, ISO 27001 also adopts principles from other standards. Parallels with other standards – which you may already know – help and encourage organizations when implementing ISO 27001 requirements.

What Requirements Are There for Certification?

The requirements of ISO 27001 changed considerably in 2013 compared to the first version from 2005. The general structure of the standard was not only altered but also tightened to a large extent.

The ISO 27001 standard follows a process-oriented approach to implementing an information security management system (ISMS). While the earlier version included an explicit reference to the PDCA (Plan-Do-Check-Act) model, this is no longer mandatory. The requirements apply to organizations of all sizes and types.

ISO 27001 stipulates that companies must define and consider all external and internal issues that affect their ability to successfully implement an ISMS. These primarily include corporate culture, environmental conditions, regulatory requirements, contractual and legal obligations, and governance guidelines. ISO 27001 expects the top management of an organization to define the information security policy as well as the responsibilities and competencies for implementing the requirements. Moreover, the company must commit to raising awareness of information security throughout the entire organization.

Planning also plays a key role in ISO 27001 certification. For instance, the requirements include assessing the organization's specific information security risks and developing an action plan to treat them. Responsibility for determining the risks and their prevention lies solely with the organization. What's more, the standard stipulates that the company must make resources available to ensure continuous improvement as well as maintenance and operation of the ISMS. The ISMS also needs to be carefully documented. Performance assessments must likewise be prepared at defined intervals: companies need to review, measure and analyze the effectiveness of their ISMS at set intervals.

A catalog of the most important information, as well as an annex containing the most relevant changes since 2013, can be found on the Dekra website. As soon as the ISMS is set up, the company's assets are classified. This classification also follows the three principles of confidentiality, integrity, and availability, and is divided into three levels.

Level 1 covers, for example, public documents whose falsification would cause the company relatively insignificant damage of up to 500 dollars. This level applies to documents for which even a security breach persisting for more than a week would scarcely cause significant damage to the organization.

Level 2 encompasses internal company documents, such as invoices and payroll files. Here, violations of the protection goals would result in moderate financial damage of up to 5,000 dollars. Such an incident should not be permitted to last longer than 24 hours.

Finally, Level 3 covers highly sensitive internal company documents. Falsification of these documents would result in damage exceeding the 5,000-dollar threshold. An incident of this type cannot be permitted to last longer than three hours.

Implementation of the Standard and Subsequent Certification

Implementing the ISO/IEC 27001 standard requires certain steps that aren't identically applicable in every company. Depending on the organization, there may be unique challenges, and every ISMS has to be adapted to the respective case. In the following section, we'll therefore explain the steps that apply to most organizations regardless of industry.

The first step toward successfully certifying the company is to secure the support and commitment of top management. Management needs to prioritize the successful implementation of an ISMS and clearly define the objectives of the information security policy for all members of staff.

After that, the elements of the information security policy should be defined. The organization sets the goals of this policy and provides the strategic focus for its information security principles. This serves as the framework for future developments.

As soon as the information security policy has been established, the organization defines the scope of the ISMS. Here, it's important to specify all aspects of information security that can be effectively addressed with the ISMS. A risk analysis of the information security measures should also be prepared. It should identify the potential dangers that need to be considered and therefore needs to address the weaknesses of the current system.

To reduce the existing risks, the organization should then determine suitable measures. The result of this analysis is a catalog of measures that is constantly monitored and adjusted as necessary. After successful implementation, the organization conducts a preliminary audit ahead of the actual certification audit. This preliminary audit is intended to uncover potential vulnerabilities and issues that could negatively affect the outcome of the real certification audit. Any areas of non-conformity with the ISO 27001 standard should be eliminated.

The final step in successfully implementing the ISO 27001 standard is the actual certification audit. An independent certifying body examines the ISMS in place and provides its assessment. If the ISMS fulfills the requirements of ISO 27001, the audit is completed successfully and certification may go ahead; the certifying body then issues the certificate. However, it's important to perform regular monitoring audits to ensure that the requirements of the standard are still met on an ongoing basis. Monitoring audits take place every three years. The certificate will only be renewed by the independent certifying body for another three years if these monitoring audits are successful.

Certification Costs

The costs of successful certification always depend on the individual situation of the organization. Cost factors like training and specialist literature, external support, and the cost of technology play a major role. Moreover, the organization shouldn't forget that the induction period for staff will also cost money. On top of this come the costs of the certification itself.

Certification costs vary and depend on the size of the organization. Furthermore, the costs are also determined by the number of days required for the final audit. For an SME, the work involved typically lasts only around ten workdays. Larger companies or corporations will accordingly need to allow for more time and a bigger budget.
