What is the ISO 27001 and Do You Need It?

Notable among the many cybersecurity regulations and compliance standards is the ISO 27001. Much like newer compliance regulations such as GDPR and Cybersecurity Regulation 23 NYCRR 500, the ISO 27001 is designed to help organizations keep information assets secure.

ISO 27001 helps secure the data of financial, academic, and corporate entities by describing requirements for an information security management system (ISMS). Although the 27001 has existed for more than 10 years, it includes many of the best practices outlined in newer regulations.

ISO 27001 Timeline

ISO 27001 actually originated as British Standards Institute BS 7799 in 1999. In 2002, it incorporated a plan-do-check-act (PDCA) cycle:

• Plan: Establish ISMS policy, objectives, processes, and procedures relative to risk management. Fine-tune information security to provide results mirroring objectives of the organization.
• Do: Implement the ISMS policy, processes, procedures, and controls.
• Check: Monitor, review, and assess your ISMS
• Act: Initiate any relevant update and or improvements to your ISMS based on the results of an internal audit.

In 2005, the regulation was officially adopted by the International Organization for Standardization and became the ISO 27001. Then in 2013, the regulation was extensively revised to keep up with current cybersecurity threats and approaches toward data security. The PDCA reference was dropped.

ISO 27002 is closely related to the 27001, but its definitions were established further back than BS7799. Instead of formally defining mandatory requirements for an ISMS, ISO 27002 simply suggests suitable IT controls within an ISMS and, therefore, acts more as best practices guideline.

Navigating the ISO 27001 is challenging, but a qualified audit partner can help chart your course toward certification and compliance.

Structure

ISO 27001 is written with about 10 sections, an annex, and a bibliography. The sections describe the following standard processes for managing information data risk:

• Scope: Describes general ISMS requirements for organizations.
• Normative references: Covers essential documents relative to users of the 27001 while identifying other optional standards.
• Context: Addresses the needs and expectations of “interested parties” and outlines the scope of the ISMS by defining how organizations should establish, implement, maintain, and improve it.
• Leadership: Addresses the information security roles, responsibilities, and authorities of top officers of an organization.
• Planning: Identifies, analyzes, and describes plans to treat information risks and clarify objectives of information security.
• Support: Describes how resources should be assigned and documentation prepared and controlled.
• Operation: Prepares organizations with specifics about treating information risks, managing changes, and keeping careful documentation of records so they can pass an audit by certification auditors.
• Performance evaluation: Covers how organizations can and review their information security controls, processes, and management systems.
• Improvement: This section covers how organizations can address the findings of audits and reviews and take corrective measures to improve their ISMS.

Do You Need It?

ISO 27001 certification primarily depends on what part of the world your organization operates in. For companies operating globally, both in the U.S. and abroad, it becomes a bit more complicated, however, as there is regulation crossover with GDPR compliance.

SOC audits will usually satisfy the compliance needs of U.S. companies; however, overseas businesses are starting to demand to see ISO 27001 reports more frequently. ISO 27001 requires both mandatory and non-mandatory documents in order to pass a certification audit.

If your organization collects data or initiates any kind commerce electronically with EU citizens, you will be subject to GDPR, which carries heavy penalties for noncompliance. In this case, ISO 27001 may be overkill.