ISO 27001 is a standard of the International Organization for Standardization (ISO). It was published in the revised version ISO/IEC 27001:2022 in October 2022. For companies and public authorities, compliance is not only a measure to prevent legal sanctions, but also to avoid IT risks on their own initiative and to take the protection of sensitive information seriously. In this context, ISO 27001 certification has proven to be an important cornerstone of ISMS risk management.
In addition to the IT infrastructure and IT systems, the standard also covers the staff and processes involved in data processing. This includes the financial sector, healthcare, technology and e-commerce companies, and even government institutions: ISO 27001 is now essential for almost all organizations and institutions that process, store or transmit sensitive information. This is because the standard, which evolved from the British Standard 7799, has long since become more than a means of ensuring business continuity. It also serves as a structured framework for compliance requirements and helps to assure customers, investors and business partners that data processing complies with the relevant regulations.
Testing and Certification on the basis of ISO 27001
However, the path to ISO 27001 certification is often a challenging task: in order to certify the ISO 27001 conformity of an ISMS, existing information security controls must first be identified and assessed, and necessary improvements must be recognized. In this context, the gap analysis has emerged as a common approach. In this preliminary audit, an external auditor assesses the current and target status of the ISMS. The gap analysis can be used to detect vulnerabilities and identify appropriate response measures that need to be taken to close any gaps. Roles and responsibilities are also included in this preliminary audit.
The implementation phase that follows covers the first concrete steps towards ISO 27001 conformity. This includes:
- Risk assessment in which threats to the company’s information are identified and evaluated. It includes the recording and classification of tangible and intangible assets, the identification of threats and vulnerabilities, the assessment of the potential impact of a cyber attack and the evaluation and prioritization of risks.
- Risk management plan based on the risk assessment. This plan determines which risks should be accepted, avoided or reduced by implementing appropriate controls. It also includes a calculation of each risk from the potential impact and likelihood of the threats identified.
- Implementation of new processes, adaptation of existing processes and staff training based on the risk management plan.
- Preparation of documentation for the ISMS, including security guidelines and risk assessment and treatment procedures. This also includes the Statement of Applicability (SoA) and the records needed to verify the effectiveness of the ISMS.
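The four steps above (asset classification, threat and vulnerability identification, risk calculation and prioritization, treatment decision, and the SoA) can be traced through a small risk register. The following is an added example written for this page, not code from the original article or from SITS; the 1-5 likelihood and impact scales, the acceptance and avoidance thresholds, the asset and threat entries and the control identifiers (CTRL-...) are all constructed for illustration and are not taken from ISO 27001 itself.

```python
from dataclasses import dataclass, field

# Constructed ordinal scales (1..5); an organization defines its own in its risk methodology.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Hypothetical control identifiers standing in for an organization's own control catalogue.
CATALOGUE = ["CTRL-BACKUP", "CTRL-MFA", "CTRL-PATCH", "CTRL-ENCRYPT-AT-REST"]


@dataclass
class Asset:
    name: str
    kind: str            # "tangible" (hardware) or "intangible" (data, reputation)
    classification: str  # e.g. "public", "internal", "confidential"


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)  # planned controls (hypothetical ids)
    treatment: str = "undecided"                  # accept / reduce / avoid

    def inherent_score(self) -> int:
        """Risk before treatment: likelihood x impact on the ordinal scales (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Constructed rule: each planned control lowers likelihood by one step
        (never below 'rare'); impact is left unchanged."""
        level = max(1, LIKELIHOOD[self.likelihood] - len(self.controls))
        return level * IMPACT[self.impact]


def prioritize(risks):
    """Evaluation and prioritization: highest inherent risk first."""
    return sorted(risks, key=lambda r: r.inherent_score(), reverse=True)


def plan_treatment(risks, accept_below=6, avoid_from=20):
    """Risk treatment plan: accept low risks, avoid extreme ones, reduce the rest.
    The thresholds encode a constructed risk appetite."""
    for r in risks:
        score = r.inherent_score()
        if score < accept_below:
            r.treatment = "accept"
        elif score >= avoid_from:
            r.treatment = "avoid"
        else:
            r.treatment = "reduce"
    return prioritize(risks)


def statement_of_applicability(risks, catalogue):
    """SoA: for every control in the catalogue, record whether it is applicable
    and which risk treatment justifies it."""
    soa = {}
    for cid in catalogue:
        justified_by = [r for r in risks if r.treatment == "reduce" and cid in r.controls]
        soa[cid] = {
            "applicable": bool(justified_by),
            "justification": ", ".join(f"{r.asset.name}/{r.threat}" for r in justified_by)
            or "no identified risk requires this control",
        }
    return soa


def sample_register():
    """Constructed sample entries; not real findings."""
    crm = Asset("customer database", "intangible", "confidential")
    srv = Asset("on-prem file server", "tangible", "internal")
    return [
        Risk(crm, "credential theft", "password-only admin login", "likely", "major", ["CTRL-MFA"]),
        Risk(srv, "ransomware", "unpatched OS", "possible", "major", ["CTRL-PATCH", "CTRL-BACKUP"]),
        Risk(srv, "hardware failure", "single disk, no RAID", "unlikely", "minor", ["CTRL-BACKUP"]),
        Risk(crm, "insider data export", "no export logging", "almost_certain", "severe"),
    ]


if __name__ == "__main__":
    register = plan_treatment(sample_register())
    for r in register:
        print(f"{r.inherent_score():>2} -> {r.residual_score():>2}  {r.treatment:<7} "
              f"{r.asset.name} / {r.threat} [{r.asset.classification}]")
    for cid, entry in statement_of_applicability(register, CATALOGUE).items():
        print(f"{cid}: applicable={entry['applicable']} ({entry['justification']})")
```

Running the script prints the register in priority order with inherent and residual scores, followed by the SoA entries; a control such as CTRL-ENCRYPT-AT-REST that no treatment relies on is recorded as not applicable with the reason, which is exactly the justification an auditor expects to see in the SoA.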
ISO 27001 Certification Audit
After implementation of the ISO 27001 requirements, the certification audit follows. It consists of a Stage 1 and Stage 2 audit, in which auditors review the documentation of the ISMS and put its practical effectiveness through its paces. If the audits are completed successfully, the organization receives the ISO 27001 certificate.
ISO 27001 framework as a pacesetter
The use of a framework has proven to be a good guideline for the implementation of ISO 27001. It contains tools, methods, best practices and resources for implementation and subsequent certification. The aim of the framework is to ensure the three essential aspects – confidentiality, integrity and availability of information – through continuous security controls.
At the heart of the framework is a process-based approach that follows a so-called Plan-Do-Check-Act (PDCA) cycle. PDCA ensures that the constantly changing security requirements are mapped in the ISMS and that new threats are included in the risk assessment.
ISMS according to ISO 27001 and CISIS12®
SITS specializes in supporting companies with the implementation of ISO 27001 and certification against it. This includes customized consulting services that ensure the ISMS of companies and authorities meets the requirements of the standard and reflects individual business needs and objectives. To this end, SITS’ experienced consultants work closely with companies to develop a flexible and adaptable ISMS that optimizes information security processes while meeting global standards. In addition, SITS offers consulting services for companies wishing to use the CISIS12 standard. CISIS12 (Critical Information Infrastructure Security) was developed as a framework by the German Federal Office for Information Security (BSI) and is specifically tailored to the needs of small and medium-sized enterprises (SMEs).
Re-audit every three years
Regardless of whether ISO 27001 is required of a large corporation or a medium-sized company, the following applies: certification alone is not enough. Rather, ISO 27001 certification should be seen as an investment in the long-term IT security of the company and should be treated as such in day-to-day business. Continuous improvement of security-relevant factors and regular optimization of risk management are essential to turn compliance into a continuous process. In addition, in order to maintain ISO 27001 certification, organizations must carry out so-called re-audits every three years. These ensure the ongoing conformity and effectiveness of the ISMS. Annual surveillance audits, adjustments to the ISMS and regular employee training ensure that there are no unpleasant surprises.
ISO-27001: Driver for Digitization
Due to its high relevance, ISO 27001 certification plays a decisive role on the path to digital transformation with cloud and remote working as well as 24/7 online services. Data is the core of a company and securing it has become business-critical. ISO 27001 certification provides a standardized framework for effective information security management that enables companies to protect their digital assets from threats.