HIPAA, CMMC, PCI, ISO, NIST - the range of potential security frameworks and certifications an organization has to choose from these days is an acronym soup that can make even a compliance specialist’s head spin!
Quick review: What is ISO 27001?

The ISO 27001 standard, more formally known as ISO/IEC 27001:2013 Information Security Management, focuses primarily on the implementation and management of an information security management system (ISMS). A joint product of the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC), ISO 27001 is the most well-known of more than a dozen published standards in the ISO/IEC 27000 family. It’s also the only member of the family against which an organization can be certified, with ISO 27002 and beyond serving primarily as guidance and reference material for the “main” standard.

In contrast to some other standards and frameworks, achieving and demonstrating ISO 27001 compliance does not require strict adherence to specific technical controls. Instead, the focus is on risk management and taking a holistic and proactive approach to security across the entire organization. You’ll find more than a dozen controls listed in the standard’s “Annex A”, but there is no expectation that all ISO 27001 certified organizations will have implemented each and every one of these controls. Rather, each organization will apply an appropriate subset of these controls based on the unique risks to their business operations.

The ISO also makes a very deliberate attempt to portray the ISO 27001 framework as an “information security” framework rather than a cybersecurity one. While a great deal of a modern organization’s “information” exists in a digital form, policies and procedures, proprietary knowledge, and even buy-in from senior leadership are less tangible assets that can still adversely affect an organization were they to be lost or co-opted. The policies, procedures, people, documentation, and controls intended to maintain the Confidentiality, Integrity, and Availability of an organization’s information are known collectively as an Information Security Management System (ISMS).
Is ISO 27001 compliance or certification mandatory?

The simple answer is no. While some mistakenly conflate ISO 27001 compliance with legal requirements, only a few countries have laws on the books requiring organizations to implement the framework. Nothing in life is that simple, of course, and there may be instances in which your organization is required to have an ISO 27001 certification. Contracts and vendor procurement policies can and often do require ISO 27001 compliance, especially in sensitive industries like healthcare and finance. There are also market sectors where ISO 27001 certification is generally expected, even if not formally required. Varonis, for example, knows that enterprise customers looking at data security solutions will expect any potential vendor to have their own house in order, so we make all of our certifications, including ISO 27001, easily accessible on our trust page.

How to become ISO 27001 certified

The road to ISO 27001 certification can be a long one, with the entire journey often taking a year or more. The ISO itself does not hand out ISO 27001 certifications. Instead, third-party auditors or assessors validate that an organization has effectively implemented all of the relevant best practices in accordance with the published ISO standard. This arrangement, as well as the framework’s emphasis on risk management rather than prescribed technical controls, means that there is not a universal “ISO 27001 compliance checklist” that guarantees certification. It’s up to each organization to decide how to implement the framework, and auditors will use a certain amount of professional discretion in how they evaluate each case. There is, however, an established process for achieving certification once an organization is ready to bring in an auditor or certification body. It’s divided into three phases:
As you can probably tell, the certification process is fairly rigorous, and any organization wanting to become certified will need to do quite a bit of legwork before engaging a certification body. The cost and time commitment from employees required for this can vary. Outside consultants are frequently brought in to help a company prepare for a formal audit. Unofficial “gap analysis” audits are often recommended to help prepare for the official certification audit.

ISO 27001 clauses and controls

The most recent revision of the ISO 27001 standard, published in 2013, consists of 11 clauses numbered “0” through “10”, plus an “Annex A” that lists specific security controls. Each of the main clauses contains a number of sub-clauses except for the introduction. Clauses 4 through 10 are considered “mandatory”, and an organization cannot claim ISO 27001 compliance without meeting the requirements spelled out in these sections. These 11 main clauses are listed below:
ISO 27001 Annex A: Reference control objectives and controls

In addition to the primary clauses, the official ISO 27001 document contains an annex of control objectives and controls that can be used to support an organization’s information security program. The annex contains 114 controls organized into 14 key groups. Note that these controls and control objectives are provided as reference material for best practices. An ISO 27001 compliance audit may examine whether an organization implements each control, but will do so through the lens of how each control meets the requirements in the mandatory clauses. A brief summary of these reference controls is provided below:
Tips to maintain ISO 27001 compliance

An ISO 27001 certification is only valid for three years, and even during those three years, annual surveillance audits are required. The framework is, therefore, not a one-off project but an ongoing effort that demands continuous attention. As the business continues to grow and evolve, the ways in which the ISMS applies will also change. Consider an enterprise that’s moved from on-premises to cloud applications over the last decade: the ways in which information security is approached will naturally look very different. To maintain ISO 27001 compliance, an organization may wish to form a “task force” composed of different stakeholders from across the company. This group should meet on a regular basis to review any open issues and consider updates to the ISMS.
How Varonis can help with ISO 27001 compliance

Identifying and addressing risks is at the heart of the ISO 27001 standard. But you can’t reduce risks that you can’t see. Organizations that lack visibility into who is accessing sensitive data, as well as how that access is occurring, can’t adequately identify or mitigate risk. Varonis DatAdvantage is the perfect tool to deliver this visibility. DatAdvantage Cloud provides an unprecedented look into overexposures and misconfigurations that can cause harm beyond the enterprise perimeter. As your company continues down the path of ISO 27001 maturity, other components of the Varonis Data Security Platform can boost efficiency and help you maintain compliance.

ISO 27001 FAQs

Q: What are ISO 27001 requirements?
A: ISO 27001 is an information security standard. In order to earn an ISO 27001 certification, an organization is required to maintain an information security management system (ISMS) that covers all aspects of the standard. After that, they can request a full audit from a certification body.

Q: What does it mean to be ISO 27001 certified?
A: To be ISO 27001 certified means that your organization has successfully passed an external audit and met all compliance criteria. This means you can now advertise your compliance to boost your cybersecurity reputation.

Q: What is the process to be ISO 27001 compliant?
A: While an organization can choose to implement the ISO 27001 framework without undergoing formal certification, “ISO 27001 compliant” generally refers to an organization that has been independently audited and certified to meet all the requirements of the standard. Compliance must be maintained on a continual basis.

Q: What is the latest ISO 27001 standard?
A: The latest standard is known officially as ISO/IEC 27001:2013. It was published in 2013 as the second official edition of ISO 27001. The standard was last reviewed and confirmed in 2019, meaning no changes were required.
Q: Is ISO 27001 GDPR compliant?
A: Because ISO 27001 is mainly a framework for developing an ISMS, it will not cover all of the specific rules of the General Data Protection Regulation (GDPR) instituted by the European Union. However, when paired with ISO 27701, which covers the establishment of a data privacy system, organizations will be able to fully meet the requirements specified in GDPR.

Q: What are the main similarities or differences between SOX and ISO 27001?
A: While ISO 27001 covers the general management of information and data, the Sarbanes–Oxley Act (SOX) is specific to how financial information is disclosed in the United States. Fortunately for companies who have a wide scope of data management, earning ISO 27001 certification will also help to prove compliance to SOX standards.

Q: What is the difference between NIST and ISO 27001?
Q: What is the purpose of other ISO?
A: The International Standards Organization (ISO) publishes standards on everything from energy management to healthcare. While ISO 27001 is the most well-known information security standard, dozens of other ISO standards cover specific security technologies like cloud services. Some ISO standards also provide guidance or best practices on implementing their better-known peers.

Closing Thoughts

Achieving full ISO 27001 compliance may seem like a daunting task, but in a world where customers, partners, and employees are increasingly concerned about their confidential data, it can be a substantial asset. Certification to the standard demonstrates a strong commitment to data security. And remember, Varonis is here to help you on your ISO 27001 journey with tools like DatAdvantage and DatAlert.