ISO 27001 Bible
Everything you need to know about compliance

Contents
Introduction 02
What is ISO 27001 certification? 03
Who needs to be ISO 27001 compliant? 04
The benefits of ISO 27001 certification 06
How to get ISO 27001 compliant 08
How long does it take to get ISO 27001 certified? 13
Trends, statistics, and studies 14
Summary 15

SCYTALE | THE ISO 27001 BIBLE 1 / 15
INTRODUCTION

Getting ISO 27001 certified is no small undertaking. If you’re not sure how to set up an information security management system or if you’re feeling overwhelmed, you’re not alone.

ISO 27001 is a rigorous and comprehensive information security protocol that covers an organization’s overall information security protocols, including information security management systems, information security technology, and information security requirements.

Why is ISO 27001 so important?

Obtaining an ISO 27001 certification demonstrates that a company complies with the highest internationally-recognized information security standards. This certification demonstrates world-class operational security in threat monitoring, security breach mitigation, and sensitive data protection. With this exemplary reputation for risk management, partners and customers of ISO 27001 accredited organizations are very confident in the security of their information assets.

However, implementing ISO 27001 is more than a highly effective way to enhance an organization’s information security process. Becoming ISO 27001 certified is evidence of world-class security protocols and therefore offers a key competitive advantage in any sector where robust security is a highly prized asset. Indeed, SaaS companies without evidence of a robust data security protocol may struggle to attract customers and fail to meet clients’ demanding procurement requirements.

We have created this guide to help you manage the demanding ISO 27001 certification process from start to finish, reducing the time and resources normally required to do so, as well as giving you a clear understanding of everything you need to know about ISO 27001 certification.
01
What is ISO 27001 certification?
ISO 27001 certification is an internationally recognized
compliance standard aimed at protecting critical information
assets, mostly customer data. ISO 27001 stipulates specific
requirements for the establishment, maintenance, and
continuous improvement of an organization’s information
security management systems (ISMS).
02
Who needs to be ISO 27001 compliant?

[…] place? Believe it or not, IT isn’t the key element in protecting information anymore. In the majority of cases, the companies already have a lot of relevant technology in place – for example, antiviruses, multi-factor authentication, and backups.

However, in any organization, suitable technology is necessary but not sufficient. If the actual information security systems are not organized effectively and deployed properly, then there are likely to be data security weak points. In addition, without effective, ongoing monitoring, systems can be compromised at any point in time without the problem getting the right attention in time.
Let’s take a look at just some of the industries that are typically implementing this standard:

Government agencies

Government agencies typically handle extremely sensitive data. ISO 27001 is specifically designed to meet the exacting data security demands of organizations, making it an ideal methodology to manage information security risk.

Tech companies

For cloud computing providers, Software as a Service, and IT support businesses, implementing ISO 27001 is good for business. Those companies can attract clients by demonstrating that they can safeguard their information in the best way possible.

Many tech businesses also rely on ISO 27001 to guarantee compliance with contractual security regulations from their main clients.

ISO 27001 is also an excellent way for startups and fast-growing companies to resolve problems in their procedures, as the standard forces companies to define responsibility and implement the steps that need to be taken in the most important operations.

Financial industry

Insurance companies, payment companies, brokerage houses, banks, and other financial institutions frequently take advantage of ISO 27001 certification in order to comply with the high levels of information security required in the financial sector. ISO 27001 is the proven, generally accepted methodology for achieving compliance in these industries.

Financial services are also strongly motivated by the costs associated with poor risk management. Preventing incidents before they occur is significantly less costly than suffering a serious breach.

Telecoms

Internet providers and telecommunication companies are also very keen on protecting the huge amounts of data that they handle and also reducing the number of outages. ISO 27001 is an invaluable framework for achieving those goals. Furthermore, as with financial institutions, ISO 27001 helps telecom companies meet the ever-evolving set of laws and regulations governing the industry.

A powerful standard for any sector

In fact, ISO 27001 compliance is not limited to any particular set of industries. It is a powerful standard that helps many organizations in various industries meet their most exacting information security requirements.

Any company that stores sensitive customer information will benefit from implementing ISO 27001. For instance, healthcare providers rely on the framework to protect sensitive patient information and comply with strict confidentiality laws. Cybersecurity firms are able to assure clients of secure, reliable service. Indeed, any business that manages confidential information, such as HR data and personnel files, will benefit from the enhanced security ISO 27001 provides.
03
The benefits of ISO 27001 certification

[…] compliance teams. Being a certified ISO 27001 supplier means major benefits for an organization.

1
[…] advantage, especially when entering new markets. Customers want reassurance that their providers will effectively safeguard their data, and ISO 27001 certifications signal precisely that.
04
How to get ISO 27001 compliant

Implementing an ISO 27001-compliant Information Security Management System (ISMS) can be challenging but extremely rewarding. After all, building watertight information security systems across an entire organization takes an investment of time and resources, especially for startups and first-timers.

If you’re just starting out with the standard, we’ve put together this helpful ISO 27001 implementation roadmap to help you get it right the first time.

STEP 1
Organize the implementation team

Considering the scope and complexity of […]

The project manager needs sufficient authority and resources to implement all reasonable compliance interventions.

That said, ISO 27001 is not simply a top-down process. For startups, in particular, implementation will potentially affect everyone in the business. There need to be clear lines of communication and precisely defined roles and responsibilities from the outset.
STEP 2
Define the scope of your ISMS

At its best, ISO 27001 compliance isn’t a one-size-fits-all process. Startups and all dynamic businesses can implement a rigorous and independently-recognized security standard in a way that fits their specific operations and needs.

Of course, that means that, to get the most out of the process, the business needs to make a number of critical decisions at each stage in the process.

Once you’ve established the how, it’s time to clarify the what. That is, what people, systems, applications and processes will be covered by your ISMS. This is defined in your scope statement.

After all, the ISMS is the system of controls that safeguards data and ensures consistency and reliability. But each business has different security needs and operational requirements. Not every ISMS will look the same.

STEP 3
Implement your relevant policies

Once the organization is clear on the scope of the ISMS, you need to establish your security policies. These are high-level policy documents detailing your security objectives. Remember, ISO 27001 is not a cookie-cutter standard. The security policies are unique to your company, devised in the context of your changing business and security needs. Your policies will ultimately shape the way information security is implemented throughout the business.

Some required policies for ISO 27001 are the following:

Information Security Policy
Data Protection Policy
STEP 4
Establish your risk management procedure

In order to perform a precise, verifiable risk assessment of the company’s data security, you need to establish a method for scoring risks. ISO 27001 doesn’t specify any one method for scoring risks. The company has the flexibility to choose a method that suits its needs. You need to ensure, however, that the methodology is appropriate to your ISMS policy objectives and that all relevant personnel are fully briefed on the selected procedure.

STEP 5
Perform the risk assessment

Once you’ve defined your assessment methodology, it’s time to identify and evaluate any information security weaknesses in the organization.

This is a sophisticated multi-stage process that goes beyond simply identifying potential threats.

Once you have identified security gaps you should
i) assess their impact and
ii) devise a risk treatment.
STEP 6

A Statement of Applicability is a requirement for your ISO 27001 audit. It outlines which Annex A controls are applicable to your organization and, therefore, included in your scope.

To understand the details of Annex A controls and how they could be implemented, you need to consult ISO 27002, which serves as a guidance document for the ISO 27001 security controls.

The previous version of Annex A contained 114 controls across 14 families, while the new version contains 93 controls across 4 families:

Organizational
Technological
STEP 7
Cultivating a culture of data security

Turning your risk management blueprint into reality is about more than simply following a plan. The whole organization needs to effectively adapt to the new ways of working. For startups, this may seem like a drastic culture shift at first but will set a foundation for information security excellence as the business grows.

STEP 8
Measuring and monitoring

ISO 27001 isn’t meant to simply work on paper. It’s a practical toolkit for delivering robust real-world data security. Ongoing monitoring and reviewing of all policies, procedures and security controls are essential to help ensure your ISMS is functioning properly and delivering the results you require and your customers demand.
STEP 9
It’s time to get certified
One reason ISO 27001 is such a respected global standard
is that your compliance is carefully audited by an
independent third party. To become certified, you must
appoint a respected and accredited auditor, which will
issue certification following a successful audit.
05
How long does it take to get ISO 27001 certified?

The preliminary audit report can therefore provide an important opportunity for the company to improve its security posture and practices and enhance implementation before the official audit.

Assessing operating effectiveness

If your information security standards meet these criteria, this should be the final step before certification. However, the audit process does not stop there. Ongoing reviews, in the form of surveillance audits, are the norm in ISO 27001 certification.
06
Trends, statistics, and studies

The International Organization for Standardization survey shows that in 2020, 44,486 valid ISO 27001 certificates were issued at 84,166 sites.

However, it is no surprise that more companies are taking measures to enhance their data security. Information security is not simply a theoretical concern. It’s a critical business risk issue. The IBM Cost of a Data Breach Report for 2021 reveals that the average cost of a data breach is an eye-watering $4.24 million. The highest cost in the history of the report.

However, as a UK government report indicates, large organizations tend to have enhanced cybersecurity capabilities. Smaller businesses and startups do not always have adequate protection in place.

Fortunately, as the IBM report makes clear, automation is transforming compliance. In fact, the report says that automation and AI “provide the biggest cost mitigation” against breaches.

Of course, those are not the only reasons to adopt ISO 27001. Market pressure also plays a critical role. As one researcher points out, most companies adopt an information security framework to meet clients’ demand. That is, many clients prefer, or even require, suppliers to implement a standard such as ISO 27001.

In Europe, the standard is especially prized for helping to meet regulatory requirements and to meet customers’ procurement standards.
07
Summary
The benefits of ISO 27001 compliance and certification are
clear. Certified businesses can be confident that they comply
with the highest standard of information security and enjoy
a competitive advantage in global markets. And customers
gain the reassurance and trust that they are partnering with a
company that cares about information security.
[…] 90% faster and the total cost of compliance half the price.