There are several standards available in the information security industry for establishing and managing internal security processes and related activities. Such standards provide organizations with insight and best practices for protecting their important assets and operations. Organizations can choose to use these security standards only as a reference and guidance, or they can also get certified against certain standards. Being certified against the selected standard demonstrates that an organization has implemented the required security controls and is officially following them as part of its daily work. These certifications are granted by an external certification body after an extensive audit process conducted by a third-party auditor.
One of the most common security standards is ISO 27001, the standard for Information Security Management. ISO 27001 is a de facto industry standard that offers a holistic approach to information security management, addressing security controls related, for example, to access management, cryptography, supplier management, security awareness, and software development.
Some time ago, we at Nixu decided to formalize our information security management practices and started working towards certification against the ISO 27001 standard. Recently, we achieved this goal for Nixu Identity Governance and Administration (IGA) services and Nixu business support functions. Based on our experiences, Nixu’s Chief Information Security Officer, Johannes Kossila, will share tips and pointers for achieving the ISO 27001 certification for your own organization.
Ensure stakeholder commitment: before even dreaming of the certification, you should discuss your organization’s ambitions with the relevant stakeholders. This should include top management, business and service owners, technical and support staff, and even employees. It is crucial to get their commitment and support for the certification project since they will be the ones working towards the end goal. Getting certified typically requires effort, time, and money, and you need to convince your stakeholders that the certification is worth the hassle. However, after convincing your stakeholders, you are already well-prepared for the journey ahead.
Put effort into defining the scope: while engaging with your stakeholders, you should also start defining the scope of your certification. The ISO 27001 standard allows you to certify your whole organization or just a smaller unit or service. With a more comprehensive scope comes a greater workload. It makes sense to start the scoping by identifying where the need for more mature security management is greatest and to start from there. This can be, for example, the security processes supporting a product, service, or business unit. You can naturally extend the scope of your certification in the future if needed.
Understand the context of your organization: the context of an organization consists of all the relevant external and internal requirements and expectations directed towards your organization. These can include, for example, customer and contractual requirements, legal obligations, and the expectations of your employees. In addition, you might also want to consider the requirements arising from the nature of the industry you operate in, your competitors, your geographical location, or the political atmosphere. Every decision about which security controls to select for your organization should be based on these requirements, which together form the context of your organization.
Start documenting, now! To be honest, a big part of the ISO 27001 standard is about documentation. You must document your requirements and processes for security management. You must also have sufficient documentation and evidence in place confirming that you are following these requirements. Therefore, you should start documenting every meeting, decision, gap analysis, and identified risk from the very beginning of your certification journey. This documentation will demonstrate that you have consistently worked towards the certification, and it also makes it easier to track the improvements you make. The auditor is certain to notice this as well.
Find just the right controls for your needs: the ISO 27001 standard consists of two main parts: the Clauses and the Annex A controls. While a typical implementation of the standard covers both parts, it is also possible to implement only some of the Annex A controls or a completely different set of controls. This gives the implementing organization the flexibility to select the controls that are applicable and important for its operations. However, you need to be able to justify both the controls you selected and the controls you left out. A solid definition of your certification scope and the context of your organization plays a key role here.
No need for perfection, continuous improvement is enough: an important thing to remember when planning your certification journey is that the standard does not require you to be perfect before getting certified. Perfection is never achieved in information security. That is why it is more important to aim for continuous and holistic improvement while taking into consideration the relevant risks and threats to your organization. The same applies to implementing the selected security controls; they need to be defined and in use, but they do not need to be perfect. You are expected to manage your security processes actively, and this management should also include continuous improvement and mitigation of the identified deficiencies. Hence, identifying your possible gaps and working towards mitigating them will land you your certification.
With the above tips in mind, you are already many steps closer to achieving the ISO 27001 certification for your organization. In case you need further help, reach out to Nixu to make your certification journey run even smoother.