ISO 27001

In order to work successfully and securely in the age of digitalization, companies need to meet high standards of information security. The International Standardization Organization (ISO) has created a standard for information security in companies. Enterprises that comply with this standard can obtain a corresponding certificate. This certification was developed by renowned, globally recognized experts for information security. It describes a methodology that companies should implement to ensure a high level of information security.

The international standard ISO 27001 allows companies and organizations to follow a benchmark for information security. The standard is structured so that the company size and industry play no role at all for implementation. Once the requirements are satisfied, it’s also possible to obtain ISO 27001 certification. Using this certificate, a company can demonstrate to customers and business partners that it is trustworthy and takes information security seriously.

The advantages for companies relate to four different areas. On the one hand, this certification offers a basis for implementing statutory regulations. On the other hand, the certificate can provide a competitive edge. After all, not all companies are certified according to ISO 27001. Companies that hold this certificate can prove to their customers that they securely handle sensitive information. Compliance with the standard reduces the risk of information security failures. This means ISO 27001 can also contribute to saving costs, since these incidents are typically associated with financial expenses.

Plus, ISO 27001 certification optimizes processes in a company. The idle time of staff is minimized by defining the main company processes in writing.

Additional benefits include:

• Reducing business risks
• Minimizing liability risks
• Lower insurance premiums
• Reliable problem and threat detection

The ISO 27001 standard comprises multiple parts. Its foundations are the ISO/IEC 27001 standard created in 2005. This was thoroughly revised in 2015 and amended by another catalog, the second part. This part is represented as an annex to the standard and describes the updated changes in detail. The standard can be divided roughly into three sections: The actual main body follows the introductory chapters. The standard is rounded off with the annex mentioned above.

The normative main body is critical for the certification according to ISO 27001. This is where the objectives of the measures are precisely explained. But these measures aren’t instructions for implementing the requirements; instead they’re intended as suggestions for successful implementation. These suggestions are largely based on the pillars of confidentiality, availability, and integrity.

To simplify the processes and implementation, ISO 27001 also adopts principles from other standards. Parallels with other standards – which you may already know – really help and encourage organizations when implementing ISO 27001 requirements.

The requirements of ISO 27001 changed considerably in 2013 compared to the first version from 2005. The general structure of the standard was not only altered but also tightened to a large extent.

The ISO 27001 standard follows a process-oriented approach in the implementation of an information security management system (ISMS). While an explicit reference to the PDCA model was included in the earlier version, this is no longer mandatory. The requirements apply to all sizes and types of organization.

ISO 27001 stipulates that companies must define and consider all external and internal topics that affect their ability to successfully implement an ISMS. These primarily include the corporate culture, environmental conditions, regulatory requirements, contractual and legal obligations, as well as governance guidelines. ISO 27001 expects the top management of an organization to define the information security policy as well as the responsibility and competencies for implementing the requirements. Moreover, the company must commit to raising awareness for information security throughout the entire organization.

Planning also plays a key role in ISO 27001 certification. For instance, the requirements include assessing specific information security risks for the organization as well as developing an action plan. The responsibility for determining the risks and their prevention lies solely with the organization. What’s more, the standard stipulates that the company must make resources available to safeguard continuous improvement as well as maintenance and realization of the ISMS. The ISMS also needs to be carefully documented. Performance assessments must likewise be prepared at defined intervals. Companies need to review, measure and analyze the effectiveness of their ISMS – likewise at set intervals.

A catalog of the most important information as well as an annex containing the most relevant changes since 2013 can be found on the Dekra website. As soon as the ISMS is set up, the company values are classified. This also follows the three principles of confidentiality, integrity, and availability. This classification is divided into three levels.

Level 1 covers public documents, for example, whose falsification would cause relatively insignificant damages for the company of up to 500 dollars. This level applies to documents for which even the continued violation of ISO standards for over a week would scarcely result in significant damages to the organization.

Level 2 encompasses internal company documents, such as bills and payroll files. Here, violations against the ISO information security standard would result in moderate financial damages of up to 5,000 dollars. Such an incident should not be permitted to last longer than 24 hours.

Finally, Level 3 covers highly sensitive, internal company documents. Falsification of these documents would result in damages over the 5,000-dollar threshold. This type of incident cannot be permitted to last longer than three hours.

Implementing the ISO/IEC 27001 standard requires certain steps that aren’t identically applicable in every company. Depending on the organization, there may be unique challenges and every ISMS has to be adapted to the respective case. In the following section, we’ll therefore explain the steps that apply to most organizations regardless of industry.

The first step for successfully certifying the company is to ensure the support and commitment of top management. Management needs to prioritize the successful implementation of an ISMS and clearly define the objectives of the information security policy for all members of staff.

After doing this, certain elements of the information security policy should be defined. The organization sets the goals of this policy and provides the strategic focus for the principles of information security. This will serve as a framework for future developments.

As soon as the information security policy has been established, the organization defines the areas of application for the ISMS. Here, it’s important to specify all aspects of information security that can be effectively addressed with the ISMS. A risk analysis regarding the information security measures should also be prepared. This should identify the potential dangers that need to be considered. The analysis therefore needs to address the weaknesses of the current system.

And to reduce the existing risks, the organization should then determine suitable measures. The result of this analysis is a catalog of measures that is constantly monitored and adjusted as necessary. After successful implementation, the organization conducts a preliminary audit that takes place before the actual certification audit. This preliminary audit is intended to uncover potential vulnerabilities and issues that could negatively affect the outcome of the real certification audit. Any areas of non-conformity with the ISO 27001 standard should be eliminated.

The final step for successfully implementing the ISO 27001 standard is to conduct the actual certification audit. An independent certifying body will now examine the ISMS in place and provide its assessment. If the plan fulfills the requirements of ISO 27001, the audit will be successfully completed and certification may go ahead. The certifying body will then issue the certificate. However, it’s important to perform regular monitoring audits. This ensures that the requirements of the standard are still met on an ongoing basis. Monitoring audits take place every three years. The certificate will only be renewed by the independent certifying body by another three years if these monitoring audits are successful.

The costs of successful certification always depend on the individual situation of the organization. Cost factors like training and specialist literature, external support, and costs of technology play a major role. Moreover, the organization shouldn’t forget that the induction period for staff will also cost money. There are also the costs of the certification itself.

Certification costs vary and depend on the size of the organization. Furthermore, the costs are also determined by the number of days required for the final audit. For an SME, the work involved typically only lasts around ten workdays. Larger companies or corporations will accordingly need to allow for more time and a bigger budget.