What is ISO 27001?

Why would I want it, and what are some common questions and misconceptions?
David Morrison
April 13, 2023

One of the areas we do a lot of work in is compliance, especially ISO/IEC 27001 certification. With cybersecurity threats and attacks continually growing, along with more and more compliance demands from the government, industry watchdogs, and cyber-aware customer expectations, more organisations are turning to established and trusted industry standards like 27001.

Recently, ISO/IEC 27001 and its supporting standard, 27002, received much-needed updates that brought them more in line with current threats and also applied a simpler structure and set of groupings that make them more appealing and understandable to executive teams and the board. The 2013 version always felt more aimed at IT and cybersecurity professionals, and back in 2013 that was a different world.

So why this article? There is a LOT out there on ISO/IEC 27001, but most of it is overly complex, isn’t that relevant to those of you who don’t work in a 27001 implementation function, and is aimed at IT and infosec people. A lot of people just want to know what it really is, why you would even consider it, what the benefits and impacts to your business are, and what certification or compliance actually entails.

We also spend a lot of time with clients asking us what standards we recommend, why, what benefits and the return on investment they will see if they go down this path, and how they can get there with as little impact on their business as possible. So I decided to address some of these common questions and concerns so you have as much of this information as possible. If you have more questions just reach out. I could rant about this all day. Just look how long this article is! 😉

Over the next few weeks we will expand on this to cover the changes in the new 2022 versions, why they have been added, what is expected of you when implementing these controls, and advice on where to start.

What is ISO/IEC 27001?

ISO/IEC 27001 is a globally recognised standard for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). But what is an ISMS?

An ISMS is just a systematic approach to managing an organisation’s sensitive information, including the policies, processes, and procedures used to manage risks. By doing this, you ensure the confidentiality, integrity, and availability (CIA) of your information.

ISO/IEC 27001 is designed to help organisations, regardless of size or business type, protect their information assets by applying a repeatable risk management process that identifies, manages and treats risks across their business. It covers a range of information security areas that address the confidentiality, integrity and availability of information, and it also covers the implementation of controls to manage your identified risks.

The standard comprises two parts.

The Management System

Clauses 4 through 10 of the standard address the ISMS component of the standard. Think of this as the overarching governance piece. It covers the establishment, implementation, maintenance and continual improvement of the ISMS. This is where you address the context for the ISMS, secure buy-in from your leadership, establish roles and responsibilities, define your risk assessment and management methodology, and how you will implement and manage controls, just to name a few. It also addresses how you will measure the effectiveness of the ISMS and improve it, as this is critical in any security plan. You want to continually assess, improve and mature your security posture.

Annex A

Annex A of the standard provides a comprehensive list of information security controls and objectives that can be applied to address various information security risks and threats. While there are 114 controls in ISO/IEC 27001:2013 and 93 controls in the 2022 version, these controls are the ‘optional’ part of ISO. This is where the term ‘risk-based approach’ comes in and why I have always been a fan of 27001. You leverage these controls where they address risks YOU have, in the context of YOUR organisation. You do not need to implement them all by default. This is one of the biggest misconceptions people have when first looking at ISO/IEC 27001. There is no point in implementing controls to address risks you don’t have.

ISO/IEC 27001 vs ISO/IEC 27002

So what is 27001, and what is 27002, and do I need both?

We just talked about the Annex A controls and control objectives. Well, ISO/IEC 27002 is a supporting document for 27001 that provides implementation guidance for these controls. Basically, it has more usable information on each of the controls in Annex A. For example, where a control in Annex A requires a policy to be developed and implemented, 27002 describes what should be included in that policy, whereas Annex A may have just said that a policy needs to be in place with no further detail.

In the new 2022 version of ISO/IEC 27002, they have added a lot of additional and very useful information to each control such as what component of the CIA triad it addresses, operational capabilities, and alignment with the five framework functions of the NIST Cybersecurity Framework (CSF). This is a great addition, especially if you want to leverage NIST CSF for your controls instead of 27002. What? I can do this? Yes… yes you can! I’ve discussed this in more detail in another article and how you can mix and match controls frameworks and still satisfy your ISO/IEC 27001 certification requirements.

Why would I want ISO 27001 certification?

The other key point to be made about ISO/IEC 27001 is that you can be certified against the standard. This is one of the key differentiators between 27001 and other security standards, such as the NIST Cybersecurity Framework. Other standards you can align with or comply with, but you don’t have that shiny certification that you can show your stakeholders, investors or customers: proof that you have implemented the standard correctly and are running an effective ISMS.

Fun fact: you cannot get certified to ISO/IEC 27002, only 27001. As discussed above, 27002 is a supporting document to help you implement controls in your ISMS. You will often see people write things like “Certified to ISO/IEC 27001/27002”. This is incorrect. It is just 27001. Yeah ok, maybe that fact wasn’t that fun 😉

ISO certification runs on a 3-year audit cycle, with a major audit every 3 years and ‘surveillance’ audits in the years in between that make sure you are actively running, maintaining and improving your ISMS. This provides validation to those that want to see you certified that you haven’t just passed an initial audit and then let all your processes go by the wayside.

ISO/IEC 27001 certification holds a myriad of business benefits to an organisation. The list is long but here are a few reasons current and previous clients we have worked with go down the certification path:

  • It instils confidence in your stakeholders, investors or customers and shows them that you take security seriously. If you hold their data, you are taking measures to protect that data. If you provide them services, security is an integral part of those services and your business processes around those services.
  • It can differentiate you in the marketplace. Customers and other organisations are becoming more and more security conscious. They want to know that the organisations they do business with are protecting their data, either their business data or personal information. Much of this is also driven by compliance requirements these organisations may have, especially around third-party management. If you can’t prove you are running your business securely, many organisations won’t even engage with you, and you can forget even getting a look-in for that tender, RFQ or RFP.
  • Insurance premiums are continually rising. It’s now at a point where organisations either can’t get insurance due to a lack of established controls or the cost is just too high. Some insurers, like Lloyd’s of London, have directed all underwriters to exclude losses arising from “state backed cyber-attacks”. I’m not even going to start on the difficulties in attack attribution and what this really means. While requirements and what different insurers look for vary, what they are trying to determine is how risky your business is and how likely you will have a breach and therefore make a claim. ISO/IEC 27001 certification provides a measure of assurance that you are invested in security and that you have or are in the process of reducing your risks to acceptable levels. This makes you less risky, making it easier to secure insurance at a reasonable price.
  • It’s rarely discussed when talking about cyber risk, but there is a flip side to the risk coin, being positive risk, or what we better know as opportunity. This is a whole discussion in and of itself and I don’t want to stray from the ISO discussion, but by addressing information security risk, you place yourself in a much greater position to exploit potential positive risks, such as those brought on by innovation, engaging new technology or suppliers, or a myriad of other use cases.

While these are all great business drivers for certification, most of all, ISO/IEC 27001 provides solid security practices, addresses current and emerging threats, manages risk, and continually matures your security posture. It’s not a box-ticking exercise, and if that’s why you want to do it, I wouldn’t advise going down this path. It isn’t a set-and-forget standard. As an example, you can’t write policies, show them to the auditor and get your certification. You have to show, year on year, that those policies have been implemented and that personnel across the business know they exist and are following them. And you need artefacts from across the year that prove you are doing what you said you would do, and following your policies and processes.

Even if you ignore all the business reasons above, you want to ensure your business is cyber-resilient. This is the availability piece in the confidentiality, integrity and availability triad. You want your business to be able to defend against attacks, but if you do suffer a breach or another security incident that impacts your critical business processes, you want to be able to recover as fast as possible. This is cyber resilience, and ISO/IEC 27001 certification helps you achieve this and shows others that rely on you that you are resilient.

Am I too small for ISO certification?

This is one of the most common questions we get, along with ‘it’s too expensive for my business as we are only x people’. Not true on both counts. ISO/IEC 27001 is a flexible standard that can be implemented by organisations of any size, from small businesses to large corporations. As for being too expensive, not if you engage the right people. Shameless plug, but we specialise in SMBs and have supported very small organisations in gaining certification in very short time frames. The fact is 27001 is not so prescriptive that you need to treat all organisations the same. This is where most consultancies that provide these services fall short. Everything must be contextual to your business and adapted to your business, which is what we do and why it works.

One of the perceived highest costs is also the external audit cost, but again, with the right qualified external auditor, these costs can be reduced considerably. I’ve emphasised qualified because, like any industry, there are a lot of iffy companies out there. If you are an Australian business, ensure anyone you use is JAS-ANZ accredited. If you need an external auditor for your current certification, feel free to reach out and we would be more than happy to introduce you to a trusted and cost-effective JAS-ANZ accredited auditor.

Should I descope parts of my business?

This is another question we commonly get. Certification has a defined scope, that is, what is included within your certification. As an example, you could certify your whole company or just a small component of your company, like a business unit. The main reasons this question comes up are:

  1. If you make it a smaller scope, you would assume it would be a lot less work.
  2. If the scope is smaller and less work, you would assume the cost will be less.

The answer is, sort of. When we discuss this, it needs to be contextual to your business, but in general terms, there are a few things to consider.

First is your expected return on investment (ROI) on achieving certification. If your goal is to have great security across your business, what’s the risk if you only address a component of your business? Are the two areas actually segregated? Will that ‘insecure’ part impact the other? If you are doing it for marketing and business growth reasons, will those engaging you accept only part of your business being certified? Does it make people question why you only certified part? What’s wrong with the other parts of your business? Were you unable to get them certified due to insecurities? It makes you wonder.

The next is how easily you can segment one part of your business from the rest. This has two sub-components.

The first is overlap. Most businesses overlap in their use of technology, their processes, and their policies. If you are implementing a governance structure and controls to certify one part, and there are a lot of overlaps, does it really make sense to just certify one part? Should you just put in a bit of extra effort and certify the lot?

The second is whether you can segment cleanly, without overlap that impacts your in-scope area(s). As discussed above, if there is an overlap in the use of resources, those un-certified areas may pose additional risks that need to be addressed. Wouldn’t it be easier to just apply the same controls over both areas?

The outcome of this discussion for every organisation we have worked with has been to certify the whole organisation. The difficulties in segmenting one piece of the business far outweigh the difficulties of just certifying the lot.

Can I offload my security requirements?

This came up recently when an organisation we were talking to had been informed by a previous consultancy that a whole swath of areas did not need to be addressed under their certification because “they were in the cloud” so were managed by someone else. Yeah, Nah. That’s not a thing.

It’s absolutely fine for you to leverage cloud services and other managed services, but you can’t just hand it to that organisation and wash your hands of it. It’s your responsibility. This is the whole reason for section 5.23 in the 2022 version of 27001, which addresses the management of information security risks associated with the use of cloud services. While this is a new control in the 2022 version, it was still covered in the 2013 version under section 15, which covered Supplier Relationships.

Leverage cloud and third-party suppliers as much as you like, but you need to manage them under these areas of the standards to make sure they are addressing information security risks to the level expected by your organisation. Your security expectations must align. After all, when your data is breached via a third party, it’s your name in the news, not theirs. Just look at the recent Latitude Financial Services breach. Have you even heard who the third party was that enabled the breach? I had to go hunting for that link!

Do all my risks have to be remediated to get certified?

This is an interesting one, and what most people who haven’t worked with ISO/IEC 27001 don’t realise is that no, all your risks don’t have to be remediated to be certified. But you have to have remediation plans, including implementation time frames, in place.

This is often one of the biggest roadblocks for people starting their certification journey. They think they need everything fixed and perfect before they even look at starting and engaging someone like Morrisec. The most important thing is to have performed your risk assessments, identified and documented your risks, and have plans in place. Yes, you could try and scam them, put a plan in place and not do it, but the external auditors will come back and check on your progress, and if it’s not done, goodbye to your certification. The good news is you can start now and get certified, as long as you have a plan and stick to it.

Like anything in security, it’s a journey. I use the word a lot. Honestly, I don’t really like the term very much. Probably because it’s overused on reality shows and by social media influencers. Let’s just say you’re on a ‘cybersecurity pilgrimage’ 😂 It takes time to mature your security, and you don’t need the ‘best of breed’ solution for every risk remediation. All you need is a solution that reduces your risk to what is acceptable for your own risk appetite. Small, consistent steps taken over time will get you there. If you wait till you can do it 100% from the start, you will never get started. Trust me. I’ve seen this same issue year after year for decades.

Can I certify my product or service?

Sorry, but this is a hard no! If you see someone that says their product, service or application is ISO Certified, they don’t understand how 27001 works or, more likely, the company that helped them certify doesn’t understand.

Let’s say you have a SaaS solution you plan to sell. It manages PII for the client, so you want to ensure it’s secure, and being ISO-certified will also help market your product by differentiating you in the marketplace. You can certify everything to do with that SaaS offering, but you can’t put an ISO stamp on that service. All the components that allow you to deliver that service are in the scope of your certification, such as software development practices, access control, third parties managing the data centre it’s hosted in, how you respond to incidents on the platform, and so forth. But you can’t say your service is certified. You are better off certifying your organisation as a whole so you can say your company is certified. It sounds more impressive anyway 😉

Hopefully, this covers a lot of questions about ISO/IEC 27001 and certification to the standard. If you have any questions or comments, feel free to drop them in the comments or reach out directly.

David Morrison

David is the Co-CEO of Morrisec. With a wealth of experience spanning more than two decades, David has established himself as a leading cybersecurity professional. His expertise and knowledge have proven invaluable in safeguarding organisations from cyber threats across a gamut of industries and roles.