Should Your Business Get Certified to ISO 27001?

As you may know, the International Standard Organization (ISO) is an organization, based in Switzerland, that publishes standards for commercial technology and business management.

  • The technical publications cover detailed specifications for medical equipment, programming languages, and communications. These are useful for technology manufacturers and software developers to ensure their products will interoperate.
  • The management standards may be used by a business as guides to implement practices that are known to be effective in achieving a given objective. A company may choose an independent auditing firm to get certified on a relevant management standard, to set itself apart from its non-certified competitors.

ISO 9001 (quality management) is probably the best-known of the management standards. This is most prevalent in manufacturing. Others cover topics such as care for the environment, human resources, occupational health and safety, and asset management.

ISO 27000 Series

The 27000 series is the ISO standard for information security management. It covers not just information technology, but also physical and administrative controls to ensure security of information even outside your computers or cloud systems. The ISO 27000 family includes ISO 27002 and ISO 27001, designed to be used together to build an information security program.

  • ISO 27002 is an advisory document describing information security controls known to be generally effective. These include establishing policies, inventorying tangible and non-tangible information assets, establishing data owners, limiting user access and permissions, mitigating technical vulnerabilities and threats, and establishing incident response procedures. The document is very detailed in its description of controls and their implementation. But, it does not describe which controls are applicable to which kinds of organizations, or how you should decide what to apply.
  • ISO 27001 is the standard for managing information security. This sets some minimum objectives that must be met, describes how to develop other relevant objectives and how information security controls would apply, and explains how achievement of these objectives might be measured. Its annex lists the same controls in ISO 27002, but only by reference.

In short, ISO 27002 describes what your company can do, while ISO 27001 describes how your company decides what to do, and how you ensure it is done properly.

ISO 27001 is the standard to which a business can get certified. Once a business has established its information security objectives, implemented appropriate controls, and is evaluating the effectiveness of the controls and adjusting its management systems and the controls themselves to sustain its security posture, it will have met the standard. Certification is achieved when an independent, third-party auditor confirms this by thoroughly examining your company's operations and your records relating to information security management.

If your company is heavily involved in technology, particularly if you offer online services or collect and manage private data for your customers, you might wonder whether or how to achieve certification to ISO 27001. Following are some broad guidelines.

Whether to Get Certified

While considered the pinnacle of achievement in information security, being certified to ISO 27001 demonstrates only that:

  • Your company manages information security using established techniques that are known to maximize effectiveness;
  • You implement your plan—it becomes part of your standard operations, and is not merely something you have on paper; and
  • Controls in place are managed properly and are appropriate for the value of your data and your company's tolerance for risks to the confidentiality, integrity, and availability of your information systems.

Your information security program and your security itself don't need to be perfect to be certified to ISO 27001. Security incidents will happen; so long as you have a response plan, and work to reduce repeated incidents, this is not a disqualifier for certification. You might even have lapses in following your own procedures, but if your overall management approach ensures these will be detected and fixed in a timely manner, your program can still be certified.

So, the certification does not mean that your information systems are immune from breach or failure, however that may be defined, and you shouldn't expect to ethically claim that it does.

Certification will be time-consuming, and requires fees, possibly in the tens of thousands of dollars, payable to the auditor.

Given all this, the value you get out of certification will be determined solely by your assessment of its net return value to your business. The benefit can be immediate and tangible, such as landing a new client that requires its service providers to have this certification, or something less easily measured, such as the elevation of your company's image and reputation in relation to your competitors, or as evidence of due care to your investors.

How to Get Certified

If you choose to get certified, you don't start with an auditing firm, or even with ISO. ISO documents were not written to be used merely as checklists for information security, and they are not intended to replace the knowledge and experience of a qualified information security professional. You must build your information security program first, aligned with your company's goals, objectives, and risk tolerance. This program will, if it meets the ISO 27001 standard, include internal auditing that can validate its compliance with the standard.

Once this is in place, and your information security program is stable and mature, you can apply to an auditor that offers certification. To maximize the value of your certification, you should choose an accredited auditor. The ANSI-ASQ National Accreditation Board (ANAB) is the most well-known of the accreditation bodies in the United States. Accreditation by ANAB means the auditor has demonstrated that it performs audits competently and in accordance with ISO 27006.

Other Options

If you already know your business is too small to consider certification, you still should build an information security program, for one of two reasons:

  1. If you have plans to grow and think certification to ISO 27001 might be something you can achieve later, start by building an information security program now and then helping it grow as your company grows. This will get you ready for certification more efficiently than trying to integrate security into the systems you're going to build after they're built.
  2. If your growth plans are far off or non-existent, consider that all small businesses in our modern era should be building an information security program, as described in the article linked below. You can then look into attaining an alternative equivalent to certification to ISO 27001, such as the CompTIA Security Trustmark+. This is based on standards very similar to ISO 27001, but the audit is less rigorous and the cost lower. Just like the path to certification to ISO 27001, though, you should not start an audit on an alternative certification until your information security program is in place and validated internally.

Click here to read about Why and How to Implement an Information Security Program as a Small Business.