ISO 27001, THE INTERNATIONAL STANDARD FOR CYBER RISK MANAGEMENT
What is ISO 27001?
The ISO 27001 standard was published in 2005 and revised in 2013, then again in 2022. It was developed by the specialized global standardization system formed by ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission). This is why it is also referred to as ISO/IEC 27001:2022.
This international standard provides a framework for organizations to help them implement, maintain, and continuously improve their corporate ISMS. Its goal? To put in place the necessary protective measures to maintain the confidentiality, availability, and integrity of your organization's information.
ISO 27001 is sufficiently generic to be adapted to any type of organization, regardless of its size, nature, or sector of activity.
What are its areas of application?
This standard therefore addresses security through risk management. The 252 requirements of this standard (no less!) cover the following areas in particular:
- the protection of personal data;
- information security governance and data governance strategy;
- the security of material resources (infrastructure, networks, and computer systems);
- human resources (staff organization and responsibility, security policy, awareness, etc.);
- physical security (access to buildings or IT infrastructure);
- the development and maintenance of systems and software;
- business continuity (BCP, DRP, etc.).
A company that correctly applies all the requirements of the ISO 27001 standard can be certified by a qualified auditor.
Why was it implemented?
Generally speaking, prior to this text, organizations implemented security measures in response to incidents, but they did not have an assessment tool that enabled them to define requirements for maintaining the operational and security aspects of their IS.
Because it defines security requirements to address threats of intrusion, loss, theft, or alteration of your data, it is considered, along with ISO 27035 (Information security incident management), a benchmark in information security management.
BENEFITS AND CHALLENGES OF ISO 27001
5 benefits of the ISO 27001 standard
1. Improving information security
Implementing ISO 27001 helps organizations (better) identify cyber risks and implement controls to mitigate them. It therefore protects sensitive data against breaches, cyberattacks, and other threats.
2. Increased trust among customers and partners
ISO 27001 certification demonstrates a commitment to information security, which can be a differentiating factor in the market (particularly in sensitive sectors such as finance).
3. Compliance with other regulations
Obtaining ISO 27001 certification sometimes also means complying with other regulations and laws relating to data protection and confidentiality (such as the GDPR).
4. Continuous improvement
The standard encourages innovation and progress through regular audits and reviews of information security management processes. This ensures that organizations stay up to date with new threats and technologies!
5. Reduction in costs related to security incidents
By identifying and mitigating risks, companies can avoid the costs associated with security incidents (fines, data loss, service interruptions, etc.).
A sometimes complex implementation
While obtaining (and maintaining) ISO 27001 certification offers many advantages, its implementation can be a real challenge for organizations.
- Compliance can be costly in terms of time, money, and human resources (training, documentation, audits, etc.).
- The text and its requirements can be difficult to understand, especially for small businesses that do not have a dedicated cybersecurity department.
- Implementing an ISMS in accordance with ISO 27001 requires significant changes to internal processes and organizational culture.
- Maintaining compliance requires ongoing commitment and regular monitoring, as well as detailed (and voluminous!) documentation, which represents a significant administrative burden.
How can compliance with ISO 27001 be facilitated?
To implement ISO 27001 in your organization, you must first secure the support of your employees and management:
- get the commitment of your executive committee, which must actively support the project and allocate the necessary resources;
- train and raise awareness among staff about the importance of the standard;
- involve all stakeholders, including suppliers and partners.
Another important item: conduct a thorough assessment of the risks associated with your organization (threats, vulnerabilities, and impacts) to determine the controls that need to be put in place. Once this step is complete, perform internal audits as part of a continuous improvement process.
Also remember to clearly and comprehensively document security policies and audit reports.
Finally, you can rely on specialized tools (such as Tenacy!) that facilitate compliance management.
Accelerate and sustain your ISO 27001 compliance with Tenacy
Achieving ISO 27001 compliance can be a lengthy and complex process without the right tools. In fact, to
Tenacy allows you to speed up each step: risk identification, implementation of security measures, document management, audits and action plans, reporting to your management.
Thanks to intelligent centralization and automated workflows, the platform saves you valuable time in setting up your ISMS and preparing for the certification audit. Once certified, Tenacy helps you maintain this compliance over time: monitoring of deviations, periodic reviews, performance indicators, alerts, etc. You manage your information security continuously, without losing momentum. With Tenacy, ISO 27001 compliance becomes a smooth, controlled, and sustainable process.
3 steps to manage your ISO 27001 certification with Tenacy
1. Current situation
- Each ISO 27001 requirement modeled as a scale
- Self-assessment of entities, with comments and evidence
2. Action plan and management
- Automatic generation of an action plan
- Dashboard to track and delegate tasks, plan subtasks, prioritize, centralize evidence, and demonstrate results to management
3. Compliance maintenance
- Definition of a control plan
- Tracking recurring actions
- Management of non-conformities and their remediation
ISO 27001 VERSION 2022: AN IMPORTANT UPDATE
The necessary adaptation of ISO 27001
A decade has passed since the standard was last updated in 2013. Since then, threats have evolved significantly. On the one hand, our lifestyles and relationship with digital technology have been turned upside down, offering an increasingly broad attack surface:
- rapid acceleration of digital transformation;
- rapid adoption of remote working and hybrid working models;
- the predominance of the cloud, with a need for connection everywhere and at all times.
At the same time, cyberattacks continue to increase, with attackers becoming more professional and compromise techniques becoming more widespread. It has never been easier to carry out an attack: cybercriminal networks have become more structured and now sell malware and initial access on demand.
These developments have made it increasingly complex to secure organizations. It was therefore necessary for the ISO standard to adapt to this new reality. And it all started with a change in the name of the standard: its title changed from "Information Technology" to "Information Security, Cybersecurity, and Privacy Protection."
What changes can we expect with ISO 27001:2022?
The 2022 version of ISO 27001 therefore aims to (re)define the standards and requirements for establishing your company's information security management system. Since the standard is widely used in all types of organizations, this version change inevitably raises questions about the changes it entails.
Appendix A and its new features on controls
The changes in this new normative version mainly concern Annex A, which itself derives from the new version of ISO 27002:2022 published in February 2022. This annex is no longer considered to be a detailed and exhaustive list.
In the text of ISO 27001:2013, the measures were divided into 14 different areas. They have now been merged into four categories.
- Personnel-related controls: remote working, confidentiality, non-disclosure of information, screening, etc.
- Organizational controls: organizational information policies, use of cloud services, use of assets, etc.
- Physical controls: security monitoring, storage media, maintenance, facility security, etc.
- Technological controls: authentication, encryption, data leak prevention, etc.
Another notable development is the introduction of 11 new controls covering the following aspects:
- threat intelligence (A.5.7),
- security of information hosted in the cloud (A.5.23),
- preparation of ICT for business continuity (A.5.30),
- physical security monitoring (A.7.4),
- monitoring (A.8.16),
- web filtering (A.8.23),
- secure code design (A.8.28),
- configuration management (A.8.9),
- deletion of information (A.8.10),
- data masking (A.8.11),
- data leak prevention (A.8.12).
As for the controls themselves, despite these additions, their total number fell from 114 to 93 following consolidations and mergers.
What are its concrete impacts on the organization?
The evolution of the standard emphasizes procedures, criteria, and controls, which are an integral part of the ISMS. Objectives must now be documented and monitored; changes to the ISMS must be planned.
In practical terms, in order for the ISMS to comply with this new ISO standard, organizations will have to go through a transition phase over the next two or three years.
The main change lies in the statement of applicability (SoA) and in the evidence of the gap analysis performed between the two versions of the ISO 27001 standard. Several tasks need to be planned:
- updating the reference framework and translating it into certification requirements;
- review of the risk treatment plan;
- revision of the ISMS communication plan;
- updating procedures and checklists used for internal or external audits.
Whether you are a certified company or not, you will need to assess the necessary adjustments to your third-party security tools. Fortunately, at Tenacy, we are taking the lead and the requirements repository is already up to date on the platform (and this does not require any action on your part). You can rest assured that the records you use to demonstrate compliance meet the new security requirements!