The year is 2025. Over 465 exabytes of new data is generated each day. The global cybersecurity market is worth $241 billion. Your managed services provider is still using a process document dated March 2019, and you’re starting to regret not having gone with that ISO 27001 certified provider.
Hell, at this point you’re starting to think even an in-house ISMS (Information Security Management System) implementation would have been a better option.
But I’m getting ahead of myself; let’s return to the present. Is ISO 27001 all it’s cracked up to be? Whatever your stance on ISO, it’s undeniable that many companies see ISO 27001 as a badge of prestige, and using ISO 27001 to implement (and potentially certify) your ISMS may well be a good business decision for you.
In this article, we’ll take a look at the foremost standard for information security management – ISO 27001:2013, and investigate some best practices for implementing and auditing your own ISMS.
Here is a summary of what we’ll cover in this Process Street article:
- ISO 27001: The basics & why standards are important
- Who needs ISO 27001?
- How to implement ISO 27001
- Free ISO 27001 checklist
- How to get ISO 27001 certified
- Integrating your ISMS with other ISO standards
If you just want the free checklist for implementing and auditing your ISMS, you can grab that here. Otherwise, read on!
ISO 27001: The basics & why standards are important
ISO 27001 is a standard designed to help you build, maintain, and continuously improve your information security management systems.
As a standard, it’s made up of various requirements set out by ISO (the International Organization for Standardization); ISO is supposed to be an impartial group of international experts, and therefore the standards they set should reflect a kind of collective “best practice”.
The requirements for each standard relate to various processes and policies, and for ISO 27K that includes any physical, compliance, technical, and other elements involved in the proper management of risks and information security.
Why use standards?
As a managed services provider, or a cybersecurity software vendor, or consultant, or whatever field you’re in where information security management is important to you, you likely already have a method for managing your internal information security infrastructure.
Whether you realize it or not, you’re already using processes in your organization. Standards are just a way of acknowledging “we do this process quite often; there is an opportunity here to look at how we can make things run more efficiently“.
The argument for using standards is essentially the removal of excess or unimportant work from any given process. You can also reduce human error and improve quality by enforcing standards, because standardization helps you to understand how your inputs become your outputs. Or in other words, how time, money, and effort translates into your bottom line.
If you’re not sold on standards, check out our article on why process standardization improves quality, productivity, and morale.
Information security management systems (ISMS)
It’s worth briefly touching on the concept of an information security management system, because it is often used casually or informally, when in most cases it refers to a very specific thing (at least in relation to ISO 27001).
Firstly, it’s important to note that the idea of the ISMS comes from ISO 27001. Many of the breakdowns of “what is an ISMS” you can find online, such as this one will talk about how information security management systems comprise of “seven key elements”.
This is accurate, but what they often fail to clarify is that these seven key elements directly correspond to the 7 main clauses (disregarding the first three, which are typically not actual requirements) of ISO’s Annex L management system standard structure.
Which brings me to the next important thing to understand about ISO 27001 – that it follows the Annex L management system standard structure, similar to many other ISO standards like ISO 9001, ISO 14001, etc.
What this means is that you can effectively integrate your ISO 27001 ISMS with other ISO management systems without too much trouble, since they all share a common structure. ISO have intentionally designed their management systems like this with integration in mind.
Breakdown of ISO 27001
Here are the seven main clauses of ISO 27001 (or in other words, the seven main clauses of ISO’s Annex L structure):
- Context of the organization
- Performance Evaluation
Of course, each of these clauses have several sub-clauses, and the requirements for each are rather in-depth. But this is the general structure of the scope of ISO 27001.
For a deeper look at the ISO 27001 standard, as well as a complete process for auditing (which can also be very useful to guide a first-time implementation) check out our free ISO 27001 checklist.
Who needs ISO 27001?
ISO 27001 is intended to be used by organizations of any size, in any country, as long as they have a need for an information security management system.
Here are some industries that are commonly implementing ISO 27001:
- Software development companies
- IT companies & managed services providers
- Financial technology (FinTech)
- Government organizations
- Any organization dealing with sensitive data
What problem does it solve?
ISO 27001 is about protecting sensitive user information. Many people make the assumption that information security is facilitated by information technology. That is not necessarily the case.
You can have all of the technology in place – firewalls, backups, antivirus, permissions, etc. and still encounter data breaches and operational issues.
This is because the problem is not necessarily the tools, but more so the way people (or employees) use those tools and the procedures and protocols involved, to prevent various vectors of attack. For example, what good will a firewall do against a premeditated insider attack? There needs to be sufficient protocol in place to identify and prevent these kinds of vulnerabilities.
That’s basically what ISO 27001 is all about; putting the systems in place to identify risks and prevent security incidents.
How to implement ISO 27001
There’s no easy way to implement ISO standards. They are rigorous, demanding standards that are designed to facilitate quality control and continuous improvement. But don’t let that deter you; in recent years, implementing ISO standards have become more accessible due to changes in how requirements are assessed and audited.
Basically, ISO has steadily been revising and updating their standards to make it easy to integrate different management systems, and part of these changes has been a shift towards a more process-based approach.
Here, “Process-based” means thinking about processes as systems, where the results of one process are important to consider as inputs to the next, and so-on, and so-forth. This is in contrast to thinking about processes as isolated instances, where the inputs and outputs are not considered.
As well as a focus on process-based thinking, relatively recent ISO changes have loosened the slack on requirements for document management. Documents can be in “any media“, be it paper, electronic, or even video format, as long as the format makes sense in the context of the organization.
Documents will also need to be clearly identified, which can be as simple as a title appearing in the header or footer of each page of the document. Again, as long as the document is clearly identifiable, there is no strict format for this requirement.
Version control is also important; it should be easy for the auditor to determine what version of the document is currently being used. A numeric identifier could be included in the title, for example.
Finally, documentation must be readily accessible and available for use. What good is a dusty old manual printed three years ago, pulled from the depths of an office drawer upon request of the certified lead auditor? This is one of the strongest cases for use of software to implement and maintain an ISMS.
Case study: TechMD
TechMD is an award-winning IT & managed services provider that specializes in building secure, scalable infrastructure to support growing businesses. TechMD is no stranger to difficult cybersecurity operations and deals with sensitive client data on a daily basis, and they turned to Process Street to solve their process management problems.
One of their main challenges was documenting internal processes, while also making sure those processes were actionable and avoiding process stagnation. This meant making sure that processes were easy to review and revise when needed.
Long story short, they used Process Street to ensure specific security requirements were met for client data. You can read the full TechMD case study here, or check out their video testimonial:
Free ISO 27001 checklist
All said and done, if you are interested in using software to implement and maintain your ISMS, then one of the best ways you can go about that is by using a process management software like Process Street.
Here’s an example of one of our free ISO 27001 audit checklists:
How to use this checklist
This ISO 27001 checklist was built from the ground up based on the core requirements of ISO 27001. It’s designed to be used for internal audits, and as such can be used to implement the key requirements of ISO 27001, or prepare for a third-party audit (and eventually, ISO 27001 certification).
How to get ISO 27001 certified
The simple answer is to implement an information security management system to the requirements of ISO 27001, and then successfully pass a third-party audit performed by a certified lead auditor.
Internal audits cannot result in ISO certification. You cannot “audit yourself” and expect to achieve ISO certification. You will have to enlist an impartial 3rd party organization to perform a full audit of your ISMS.
Types of ISO audit
That said, there are technically three types of ISO audit:
- 1st party (internal)
- 2nd party (somewhere between internal and external)
- 3rd party (external; impartial 3rd party)
A first-party audit is what you might do to ‘practice’ for a third-party audit; a kind of preparation for the final examination.
You can also implement and benefit from ISO 27001 without having achieved certification; the principles of continuous improvement and integrated management can be useful to your organization, whether or not you have a formal certification.
In this capacity, internal audits can be useful for maintaining and improving your ISMS.
Second-party audits are audits performed by, or at the request of, a cooperative organization. Like a vendor or potential customer, for example. They may request an audit of your ISMS as a token of good faith.
Third-party audits are always performed by a certified lead auditor, and successful audits result in official ISO certification.
It’s worth repeating that ISO certification is not a necessity for a well-functioning ISMS. Certification is often required by certain high-profile organizations or government agencies, but it is by no means necessary for the successful implementation of ISO 27001.
Integrating your ISMS with other ISO standards
As I mentioned above, ISO have made efforts to streamline their various management systems for easy integration and interoperability.
Some popular standards which share the same Annex L structure are:
- ISO 9001 for quality management systems
- ISO 14001 for environmental management systems
- ISO 19011 for auditing management systems (the standard for auditing)
- ISO 31000 for risk management systems
- ISO 45001 for occupational health and safety management systems
- ISO 50001 for energy management systems
In principle, these standards are designed to supplement and support one another in terms of how requirements are structured. If you have a document management system in place for your information security management system, it should be less effort to build out the same framework for a new quality management system, for example. That’s the idea, at least.
If you need to make changes, jumping into a template is quick and easy with our intuitive drag-and-drop editor. It’s all no-code, so you don’t have to worry about wasting time learning how to use an esoteric new tool.
Approvals will make internal audits a breeze; approve or reject work instantly from your inbox (yes, it works on mobile too).
Check out this video for a quick breakdown of how to use Process Street for business process management:
There are a lot of good reasons why you should consider using Process Street for your information security management system. There’s a good chance you’ll find a process for something else useful, while you’re at it.
Here are some other information security and general IT related checklists you might be interested in:
- 12 IT Processes to Avoid Server Failures and Client Headaches
- 6 Server Setup Checklists for Sysadmins
- 7 Documented Processes for IT MSPs
- 34 Linux Server Security Tips & Checklists for Sysadmins
Have some advice for ISO 27001 implementation? Leave a comment down below; your experience is valuable and there’s a good chance you will make someone’s life easier.