ISO 27001 is an international standard for information security management systems (ISMS). It provides requirements for establishing, implementing, maintaining and continually improving an ISMS. Key benefits of ISO 27001 include reducing information security risks, increasing transparency of security risks, and demonstrating assurance to customers through independent third-party certification. While growing in adoption globally, ISO 27001 certification is still only held by around 3.5% of organizations. It is commonly pursued by service providers and sectors involving data privacy like cloud providers and healthcare. The process of obtaining ISO 27001 involves designing and implementing an ISMS, undergoing two stage external audits, and maintaining conformity over the three year certification period.

1. Stand Out – ISO 27001 | 1
STAND OUT
Why You Should Become ISO 27001
Certified

2. Stand Out – ISO 27001 | 2
• Introduction
• ISO 27001 – What it is
• ISO 27001 – What it is not
• Internal Importance
• External Importance
• Sector-Specific Application
• The Process
Contents

3. Stand Out – ISO 27001 | 3
ISO 27001
What it is

4. Stand Out – ISO 27001 | 4
• ISO/IEC 27001:2013 – Information Technology –
Security Techniques – Information Security Management
Systems – Requirements
• Management system that can be certified by an
accredited registrar / certification body
• Information Security Management System (ISMS) and
supporting controls
What is ISO 27001

5. Stand Out – ISO 27001 | 5
• Management System
– Collection of policies, procedures, people, processes and
controls to address information security with the scope
• Not greenfield but not inherent
• Focused on the identification, treatment, and monitoring
of information security risk
The ISMS

6. Stand Out – ISO 27001 | 6
• Requirements within Clauses 4-10
• Scope
• Leadership
• Planning
• Support
• Operation
• Performance Evaluation
• Improvement
ISMS Components

7. Stand Out – ISO 27001 | 7
• 114 total controls across 14 control domains
• General information technology controls (access
management, change management, network security,
operations management)
• Additional considerations for human resources security,
supplier relationships, disaster recovery, compliance
• Applicable based on direct or indirect information
security risk
ISO 27001 Annex A – The Control Set

8. Stand Out – ISO 27001 | 8
• Valid for a three year term
• Active management system
• Evidenced with Certificate
• No centralized repository
• Continued integration and improvement
ISO 27001 Certification

9. Stand Out – ISO 27001 | 9
ISO 27001
What it is not

10. Stand Out – ISO 27001 | 10
• Not a controls-focused audit
• Not point in time or backward looking
• Not absolute assurance
• Not a simple effort
• Not an individual project
• Not an end but a beginning
What ISO 27001 Isn’t

11. Stand Out – ISO 27001 | 11
Internal Importance

12. Stand Out – ISO 27001 | 12
• Reduce information security risk within the organization
– From door locks to encryption
• Information security risk transparency
– Removes the unknown
– Allows for risk dashboard
• Commitment and participation from top to bottom
– Management commitment
– Security awareness
Why ISO 27001?

13. Stand Out – ISO 27001 | 13
• Fundamental foundation for related compliance efforts
– Most elements of common compliance efforts
– Compliance efforts included in planning and control set
• Focus (and requirement) on continued improvement
– Initial year prove conformance
– Subsequent years improvement and optimization
Why ISO 27001?

14. Stand Out – ISO 27001 | 14
External Importance

15. Stand Out – ISO 27001 | 15
• By the numbers
– From 429 in 2011 to 835 in 2014 (most recent numbers)
– US in top five countries in growth in 2014
– Still only 3.5% of total certificates globally (@24,000)
• Global market is growing
– Anticipating and meeting customer demands
Customer Assurance

16. Stand Out – ISO 27001 | 16
• Demonstration of “only a certificate”
– Actively monitoring information security risk
– Information security risk management in the fabric of the
organization
– Right policies, procedures, processes and people to address
security concerns
• Communication of trust
Customer Assurance

17. Stand Out – ISO 27001 | 17
Sector-Specific
Application

18. Stand Out – ISO 27001 | 18
• Service providers remain focus
• Increase in specific groups
– Cloud providers
– eDiscovery
– Law firms
• Common theme of data and privacy
27001 By Sector

19. Stand Out – ISO 27001 | 19
• ISO 27017 – cloud service providers
• ISO 27018 – PII in public clouds
• ISO 27799 – healthcare
• CSA STAR Certification
27001 Extensions

20. Stand Out – ISO 27001 | 20
The Process

21. Stand Out – ISO 27001 | 21
• Purchase the ISO 27001 standard
• Perform internal gap assessment
• Set reasonable planning expectations
• Obtain management commitment
• Secure proper resources to design and implement the
ISMS
Where to Begin

22. Stand Out – ISO 27001 | 22
ISMS Scoping and Planning
• Consider end result when scoping
– Customer expectations
– Focus on where the information security risk is
• Understanding the requirements
– i.e. security awareness, communication plan, documentation
management, independent internal audit
• Apply the risk assessment to the scope
• Be sure the controls don’t steal the stage

23. Stand Out – ISO 27001 | 23
• Two stage audit approach
– Stage 1 – ISMS design
– Stage 2 – ISMS operating effectiveness
• Nonconformities are common
– Major
– Minor
• Certificate issued once recommended post Stage 2
External Assessment

24. Stand Out – ISO 27001 | 24
• An active ISMS requires active participation
• Required continued conformance and operating
effectiveness
• Three year term for the certificate
– External surveillance during the lifecycle
• Recertification post three-year term
ISMS Maintenance

25. Stand Out – ISO 27001 | 25
LEARN MORE ABOUT ISO 27001
click here