It’s up to each organization to ework, and auditors will use a certain amount of professional discretion in how they evaluate each case
The road to ISO 27001 certification can be a long one, with the entire journey often taking a year or more. Instead, third-party auditors or assessors validate that an organization has effectively implemented all of the relevant best practices in accordance with the published ISO standard. This arrangement, as well as the framework’s emphasis on risk management rather than prescribed technical controls, means that there is not a universal “ISO 27001 compliance checklist” that guarantees certification.
There is, however, an established process for achieving certification once an organization is ready to bring in an auditor or certification body. It’s divided into three phases:
- Phase one: The external auditor or certification body performs a high-level review of the organization’s ISMS. Much of the work in this phase serves to determine whether the organization is ready to move on to the more detailed second phase. Lack of key documentation, weak support from management, or poorly identified metrics can all bring an ISO 27001 audit to a screeching halt.
- Phase two: A much more detailed audit is performed, examining how specific security controls are applied at the organization to meet the requirements spelled out in the standard. In this phase, an auditor will be looking for evidence that an organization is actually implementing everything in the documentation that was evaluated in phase one.
- Phase three: Following official certification, an organization must undergo annual surveillance audits to maintain ISO 27001 compliance. While these audits are not as rigorous as those carried out in phase two, non-conformance to any of the requirements can lead to the revocation of an organization’s ISO 27001 certification before its listed expiration date.
As you can probably tell, the certification process is fairly rigorous, and any organization wanting to become certified will need to do quite a bit of legwork before engaging a certification body. The cost and time commitment from employees required for this can vary. Outside consultants are frequently brought in to help a company prepare for a formal audit. Unofficial “gap analysis” audits are often recommended to help prepare for the official certification audit.
ISO 27001 clauses and controls
The most recent revision of the ISO 27001 standard, published in 2013, consists of 11 clauses numbered “0” through “10”, plus an “Annex A” that lists specific security controls. Each of the main clauses contains a number of sub-clauses except for the introduction. Clauses 4 through 10 are considered “mandatory”, and an organization cannot claim ISO 27001 compliance without meeting the requirements spelled out in these sections. These 11 main clauses are listed below:
- Introduction: Introduces the standard and its purpose.
- Scope: Provides a very high-level view of the information security management system and risk treatment requirements specified within the rest of the standard. Also clarifies that the standard is intended to be generic and applicable across different industries and business sizes.
- Normative references: Explains the relationship between ISO 27000 and 27001 standards.
- Terms and definitions: Covers the terminology that is used within the standard.
- Context of the organization: The first mandatory clause. Covers stakeholders, internal and external issues, and regulatory and compliance requirements. An organization must also define the scope, boundaries, and applicability of the ISMS as part of this clause.
- Leadership: True ISO 27001 compliance requires full support from top management. The leadership clause explains the responsibilities of senior executives in implementing and maintaining a functional ISMS. The audit process will involve interviews with top executives, which means the commitment from management must be truly genuine.