How to establish ISO 27001 compliance
Implementing ISO 27001 & all that comes with it
Published on February 23, 2023
Filed under operations
At the time of writing this, it’s 2023 and most companies are conducting their business online. And, as we know, the Internet is a wonderful place, but full of potential threats. Danger is lurking at every corner and, if you own a business, you should always try to be one step ahead of the “bad actors”.
There are thousands of bots constantly trying to exploit your systems, and they never rest (that’s just one spot where ISO 27001 might come in handy).
For example, if I provision a virtual server with a public IPv4 address and leave the SSH service running for a week on the default port (without a firewall filtering those requests), there are going to be over a million failed login attempts (depending on the IP range). Crazy! 🤯
If you want to read more, take a peek at Rackspace SSH Honeypot statistics.
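To make the failed-login noise described above measurable, here is an added example (written for this post, not part of the original) that counts sshd "Failed password" entries per source IP from constructed auth.log lines and flags sources that cross a threshold:

```python
import re
from collections import Counter

# Pattern for the sshd "Failed password" line as written to auth.log / the journal.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Constructed sample lines (not real traffic); the IPs come from documentation ranges.
SAMPLE_LOG = """\
Feb 23 10:01:02 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 51022 ssh2
Feb 23 10:01:03 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Feb 23 10:01:05 web1 sshd[2213]: Failed password for root from 203.0.113.5 port 51030 ssh2
Feb 23 10:01:09 web1 sshd[2215]: Failed password for invalid user test from 198.51.100.7 port 40001 ssh2
Feb 23 10:01:11 web1 sshd[2216]: Accepted publickey for deploy from 192.0.2.10 port 33000 ssh2: ED25519 SHA256:abc
Feb 23 10:01:15 web1 sshd[2218]: Failed password for root from 203.0.113.5 port 51041 ssh2
"""


def failed_logins_by_ip(log_text):
    """Count sshd failed-password attempts per source IP; successful logins are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def flag_brute_force(log_text, threshold=3):
    """Return the set of source IPs with at least `threshold` failed attempts."""
    return {ip for ip, n in failed_logins_by_ip(log_text).items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in failed_logins_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} failed attempts")
    print("candidates for firewall blocking:", sorted(flag_brute_force(SAMPLE_LOG)))
```

Pointed at a real auth.log from an exposed host, the per-IP counts give you the evidence for the firewall and key-only-SSH controls a risk treatment plan will ask for.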
So, what can you do to protect yourself and your company? Well, one option is to try to comply with all of the ISO 27001 requirements. ISO 27001 is an international information security standard. It shows that your company follows security best practices. Before we go into it, read a bit more about ISO 27001.
I started implementing ISO 27001 for Ars Futura because we wanted to take security to the next level and, of course, get audited and certified by a team of technical professionals. Our goal was not just to obtain the certification so we could flash it in front of our clients’ eyes, but to benefit from the implemented controls in the long run.
This is not my first time implementing ISO 27001, so I wanted to share some advice and a rundown of what can be expected when taking this path.
Before you even start the certification process, you should nominate somebody internally, a person who will be in charge of the technical implementation of ISO 27001. Try choosing someone who understands security and has extensive knowledge in the IT field, otherwise, you’re risking having security gaps.
The second step is to conduct a “Gap Analysis”. This is crucial because it’s going to show you the weaknesses of your organization. Its intent is to benchmark your current organization state versus the requirements of ISO 27001. There are many free templates available online that you can use while doing Gap Analysis.
The third step is to identify key missing aspects such as:
ISMS – Information Security Management System, the most important ISO 27001 document.
Implementation plan – in which parts of your organization will you implement the ISO 27001 standard first? Focusing on smaller chunks of the organization significantly lowers your risk of failing your audit.
Risk Assessment methodology – a document that contains the rules for identifying risks, rating their impact, and estimating the likelihood of them actually occurring.
Information Security Policy – the purpose of this document is to explain what we can achieve by implementing ISO 27001 in our organization, as well as explaining how we control the implementation/maintenance. This document typically isn’t extensive.
Risk treatment register and Risk assessment – you can freely download lists of the most common risks and assess how they impact your organization. It’s important to take your time while doing the risk assessment because bright ideas might pop up if you focus on the risks. 💡 After the risk assessment, you must assign one of the options below to every identified risk:
Retain the risk – acknowledge that this risk might happen and you’re okay with it.
Mitigate the risk – apply controls that will prevent this risk from ever occurring.
Offload risk management to third parties – e.g. hire a third party to secure your building.
Internal Audit – we’ve decided to make sure all of the above passes the official ISO 27001 Audit, so we hired an ISO 27001 Consulting company to do the Internal Audit. They discovered a major non-conformity in one of our documents. Best decision ever!
Official Audit – make sure to relax, there’s nothing that can surprise you at this point. You already passed the internal audit. Make sure to know how to navigate through your ISMS.
Implementing an ISO 27001-compliant information security management system (ISMS) has had a number of benefits for our organization. Some of them are:
Improved security: Probably the most obvious benefit of ISO 27001 - it helped us improve the security of our information assets. By following the standard's requirements, we’ve been able to identify and address potential vulnerabilities in our systems and help prevent any possible data breaches and other security incidents.
Enhanced trust: By showing we’re committed to information security through the implementation of an ISO 27001-compliant ISMS, we’ve built more trust with our clients. This is especially important in the world we live in today, where data privacy and security concerns are at an all-time high.
Streamlined processes: Implementing an ISMS helped us streamline our processes and improve efficiency. By having clear policies and procedures in place for managing information security, we can avoid the duplication of effort and ensure that our resources are used effectively.
Improved compliance: ISO 27001 requires organizations to meet a number of legal and regulatory requirements related to information security. By implementing an ISMS, we’re ensuring that we’re compliant with these requirements, helping to reduce the risk of fines and other penalties.
Overall, implementing an ISO 27001-compliant ISMS has a number of benefits. It has helped us improve the security of our information assets, build trust with our clients, streamline our processes, and improve compliance. Give it a try, you won’t regret it!