Effective January 1, 2022 DGC merged with PKF O’Connor Davies (PKFOD), the 27th largest accounting and advisory firm in the U.S.
Companies have many choices when it comes to demonstrating their information security capabilities to customers and prospects. For service organizations, we often talk about the System and Organization Controls (SOC) 2 examination. However, another widely adopted standard is an excellent option for companies that don't fit the service organization mold: ISO 27001.
ISO 27001 (formally ISO/IEC 27001) is a leading, widely recognized international standard and certification regime for managing information security. It is published and maintained jointly by ISO, the International Organization for Standardization, headquartered in Geneva, Switzerland, and the International Electrotechnical Commission (IEC). ISO 27001's objective is to help organizations build and maintain an Information Security Management System (ISMS): a documented, risk-driven set of policies, processes, and controls intended to preserve the confidentiality, integrity, and availability of the organization's information and the systems that process it.
Complying with ISO 27001 involves several steps:
Accredited ISO 27001 certification audits can only be performed by a Certification Body (CB) that is itself accredited by a national accreditation body, such as ANAB in the United States. Certificates are valid for three years. During that period the CB performs annual surveillance audits to confirm the ISMS continues to conform to the standard, and a full recertification audit is required before the certificate expires.
The ISO 27001 standard consists of ten numbered clauses. Clauses 4 through 10, often called the "magic clauses," are the mandatory clauses: they define the components of an ISMS that an organization is required to establish, implement, and maintain. Those clauses require:
These clauses and the requirements therein are the standard itself; an organization cannot exclude any of them and still claim conformance. Also provided within ISO 27001 is Annex A, a catalog of reference information security controls (114 controls in the 2013 edition of the standard) that organizations use when treating the risks identified under the "magic clauses." Organizations are not required to implement every Annex A control. However, the standard requires a Statement of Applicability (SoA) that lists each Annex A control, states whether it has been adopted, and justifies the exclusion of any control that has not been. Auditors review the SoA closely, so each exclusion should be tied to the organization's documented risk assessment rather than asserted without support.
An ISO 27001 start-to-finish implementation program can take anywhere from three months to a year to complete, depending on the scope of the ISMS, the size and complexity of the organization, and the maturity of the existing information security program.
To ensure that your ISO 27001 compliance effort succeeds, consider engaging with certified experts. DGC’s IT Risk Assurance & Advisory team members are ISO 27001 Lead Implementer-certified and have experience both implementing the standard and performing internal audits against it.
DGC’s IT Risk Assurance & Advisory practice offers a range of IT Audit, compliance, and cyber & information security services that can help identify, evaluate, measure and manage compliance and cybersecurity risks. Our professionals are trained to identify areas of exposure and recommend size-appropriate, cost-conscious corrective actions. For more information, contact a member of your DGC client service team or Nick DeLena, CISSP, CISA, CRISC, CDPSE at 781-937-5191 / ndelena@dgccpa.com.