We hear you loud and clear! In this post, we will try to answer all the questions about ISO 27001 that we often get from prospective and current clients. If you prefer to read it at some other time, you can download the page as a PDF by clicking this link here. No contact details will be collected. But if you would like to give feedback or ask further questions, don’t hesitate to contact us.
- What is ISO 27001?
- What are the benefits of having an ISO 27001 certificate?
- What is the content of ISO 27001?
- Do I have to go for it? What are the considerations to take the certificate?
- How do I get it? How is the process of obtaining ISO 27001?
- How do I maintain it?
- What should I do to get it? What is the preparation?
- How long does it take from the initial plan until the awarding?
- ISO 27001 vs SOC 2: which one do I choose?
- Which framework is the best for information security? ISO 27001 or COBIT or NIST?
- Will I be free from Security Questionnaires if I have ISO 27001?
- Do I need to hire an external consultant to help me get it?
- Do I need to buy compliance software (SaaS) to help me get an ISO 27001 certificate?
- Company A claims to hold the ISO 27001 certificate. So does Company B. Do they mean the same thing?
What is ISO 27001?
As stated in the document, ISO/IEC 27001:2022 provides requirements to establish, implement, maintain, and continually improve an information security management system (ISMS). An ISMS preserves confidentiality, integrity, and availability of information by applying a risk management process.
The requirements are general and hence meant to apply to any organization. The implementation of the ISMS can therefore be scaled to your organization’s characteristics.
⚠️ Starting from 2024, ISO/IEC 27001:2022 will replace ISO/IEC 27001:2013, which is used at the moment.
What are the benefits of having an ISO 27001 certificate?
First, holding the certificate means that your organization has an international-standard information security management system that has been verified by external auditors. Second, it indicates that you have a system capable of keeping your customers’ data secure. These two benefits will definitely attract new customers and keep your existing ones.
Third, as government regulations on cyber or information security refer to the ISO 27001 standard, holding the certificate denotes that your organization is already in (full or partial) compliance with those regulations.
Fourth, if you keep getting security questionnaires from potential clients, you can now handle them more easily and faster. There is also a chance that your customers will relieve you from the questionnaires altogether. To learn more about how an ISO 27001 certificate can help you with security questionnaires, read this post.
What is the content of ISO 27001?
According to ISO/IEC 27001:2013, there are 114 controls that an organization has to pass, grouped around the following topics:
According to ISO/IEC 27001:2022, there are 95 controls. The topics are the same as above, and most of the controls are the same as in the 2013 version. The additions are:
- Collecting threat-related information to produce threat intelligence
- Establishing the management of cloud services
- Implementing security measures for remotely working personnel
- Applying data masking in accordance with your organization’s situation
- Implementing information processing facility with redundancy
- Managing access to external websites to reduce exposure to malicious content
As a starting step, you are allowed to implement this standard for a certain scope of your business instead of all of it. You can read further information on this in our blog post “Are all ISO 27001 certificates the same?”
Do I have to go for it? What are the considerations to take the certificate?
The benefits of holding the ISO 27001 certificate are mentioned above. The effort required to obtain it is as follows:
It depends on your location. If you are located in Europe, the external/certification audit costs around 15,000 - 25,000 Euros per year for a small and medium-sized business (SMB). You may add:
- An internal audit fee if you choose to outsource it.
- A consultancy fee for implementation guidance if needed.
- An automation software purchase. This is also optional.
- The opportunity cost of using your human resources to organize this.
If you are wondering whether you need a consultant and software to help you with all of this, please read our blog post “Do you need a consultant or a software to help you get the ISO 27001?”
The external audit is divided into two stages. Stage 1 is the documentation review and lasts 1-3 days for an SMB. Stage 2 tests whether your information security management system works well and lasts 2-5 days. If the ISMS is not built yet and you would like to hire a consultant for it, allow 6-12 months before your target certification date.
If you want to employ compliance software, that will speed up the process. However, note that the software works best only if your organization has already implemented all controls mentioned in the ISO 27001 requirements for around 3-6 months.
In order to maintain the certification once you have it, you have to pass two audits periodically: first, an internal audit; second, an annual surveillance audit conducted by an external party. Having discussed the costs and benefits, you are free to decide whether to take it or leave it. Whatever you choose, having a solid IT risk management system is a necessity these days.
“To be ISO 27001 certified is not a must. But you can always refer to ISO 27001 as a reference when building and maintaining your company’s information security management system.” Twitter @FeHa
How do I get it? How is the process of obtaining ISO 27001?
First, gap analysis. Through interviews and evidence review, the gap analysis identifies the differences between the ISO/IEC 27001:2013 control requirements and the design of your information security management system (ISMS). This produces an improvement plan in the form of an implementation roadmap.
The implementation prepares you for the second step, i.e. the internal audit. You will then have time to resolve the findings from the internal audit before you face the third step, i.e. the external audit. The external audit is followed by another round of improvement in your ISMS before you are granted the certification.
How do I maintain it?
In order to maintain the certification once you have it, you have to pass two audits periodically: first, an internal audit; second, an annual surveillance audit conducted by an external party. Therefore, right after you’ve got the certificate, make a plan to review each ISO 27001 control requirement quarterly or half-yearly. 💡Tip: always allow some time for improvement before the surveillance audit.
What should I do to get it? What is the preparation?
- Download the documents: ISO 27001 and ISO 27002. Read them through.
- Make sure all mandatory and relevant policies according to ISO 27001 controls are available and approved by management to be used in the organization.
- Check whether the day-to-day processes that people follow match the policy. If not yet available, describe these processes in procedure documentation. Documented procedures ensure that everyone can follow the same steps.
- Based on the gap analysis conducted in Steps 1 and 2, plan and implement remediation actions to ensure that people follow the policy and procedures and are held to them.
- Ask an independent party to do an internal audit: check whether the policies, the procedures, and how they are implemented are aligned with the ISO 27001 control requirements.
“Policies and procedures cannot be just a paper exercise. If I may argue, this project was a big success because everyone involved really follows the procedures defined.” Twitter @FeHa
How long does it take from the initial plan until the awarding?
It depends on your organization’s situation. After the Stage 2 audit, it normally takes 1-2 months until the awarding, assuming that no major non-conformities were identified during the Stage 2 audit. In total, a small or medium-sized business may need approximately 6-12 months. For a detailed timeline, see above.
ISO 27001 vs SOC 2: which one do I choose?
If you and your customers are located in the US, SOC 2 is most likely to be more suitable for you. If you and your customers are located elsewhere in the world such as Europe and Asia, ISO 27001 is most likely to be more suitable for you.
Compared to SOC 2, ISO 27001 is more prescriptive, in the sense that it is relatively easy to translate into actionable steps. This is an advantage for small businesses, which usually do not have a well-established ISMS yet.
On the other hand, SOC 2 is more flexible. Out of its 5 categories, only one is mandatory, i.e. security. The rest are optional. You can choose any other categories that are in line with your business and its maturity level.
If you still have doubts about this, feel free to discuss with us here.
Which framework is the best for information security? ISO 27001 or COBIT or NIST?
This is a common question people ask. Unfortunately, there is no best framework for your information security management system (ISMS). Having a certificate of one of those frameworks does not guarantee you are free from data breaches forever.
Whichever framework you choose, you still need to improve your ISMS from time to time. New threats emerge as technology advances. Therefore, the goal of your security management journey should be sustainable data protection instead of merely a certificate.
You can find more explanation about this here.
Will I be free from Security Questionnaires if I have ISO 27001?
Perhaps. There is a chance that your potential client relieves you from the security questionnaire once they see your ISO 27001 certification. They might still ask you security-related questions on points where they need further clarification, but it’s not a full questionnaire.
You may still get security questionnaires in spite of holding an ISO 27001 certificate. But this time you will deal with the questionnaires differently, in two ways:
First, since the content of the questionnaires is most of the time similar to the content of the ISO 27001 requirements, you can copy your answers from existing documentation and paste them into the questionnaires. The answers have been examined by the auditors and hence are good ones.
Second, you will get far fewer follow-up questions from your clients’ security officers. For example, when you answer ‘Yes’ to the business continuity management question, they will not ask you further about the business continuity plan. Your ISO 27001 certificate indicates that you have that plan and that it has been verified by an auditor.
If you need more food for thought on this issue, we’ve written Why bother getting ISO 27001 and SOC 2 when you still have to fill in Security Questionnaires?
Do I need to hire an external consultant to help me get it?
It depends on three things.
First, how many certifications are you targeting? If your target is more than one certification, then it is most likely you need an expert’s assistance.
Second, when do you need the certificate? If you need it immediately e.g. less than five months, you’d better contact a consultant soon.
Third, do you have the manpower to do it? Talk to your team to find out whether everyone is confident about doing it themselves.
If you aim for ISO 27001 only, with at least one year available and ample human resources, you can do it yourself. You may consider buying document templates to speed up the process.
💡Tip: a consultant and an online tool are not perfect substitutes. Although the tool helps with evidence collection workflow, an experienced consultant may still need to tailor many things to fit the company.
Do I need to buy compliance software (SaaS) to help me get an ISO 27001 certificate?
No/Yes. It depends on your objectives, time, and staff.
No, you don’t need SaaS. It is possible to pursue the certification with just the tools you already have, such as spreadsheets, JIRA, Trello, and SharePoint. Remember that 10 years ago, when such specialty software was rare, organizations still managed to meet all the requirements and pass the audits.
Yes, you need the software if time is limited and you don’t have a dedicated team to work on it. There are many compliance tools available in the market. One of them is Vanta, which is a platform that will help you continuously be compliant with the standard and reduce a lot of manual work during preparation and annual maintenance.
💡Tip: If you decide to work with an automated compliance tool, then select an auditor who understands and is familiar with that tool.
Company A claims to hold the ISO 27001 certificate. So does Company B. Do they mean the same thing?
Not necessarily. A detailed look at the certificate and the companies determines the difference:
- Whose certificate is that? If it’s their hosting providers’ or their sister companies’, then they are not certified. It has to be their own certificate.
- What is the certified coverage in terms of locations and products/services? Sometimes not all locations and not all products/services are in the coverage.
- What was the scope of the certification audit? ISO 27001 allows exclusion of control requirements. Two certificates mean different things if one of them excludes a critical control.
- How does the system work on a day-to-day basis? One certificate is more valuable than another if its owner applies the ISO 27001 principles in their day-to-day work.
"Being compliant does not necessarily mean we are secured, but being secured most of the time shows that we are compliant" ~Ferry Haris
We have written about some of the “flexibility” in the practice of ISO 27001 that you need to know about as you go for it. It is here.
If you have more questions, please drop us an email.