Last Updated on November 2, 2023
ISO 27001 is the most trusted cybersecurity standard worldwide. It specifies best practices for an information security management system (ISMS) that can effectively mitigate an organization’s unique cyber risk.
A major advantage of ISO 27001 is that certification requires an audit by an independent, accredited third-party. This is the “gold standard” for proving you can safeguard sensitive data.
ISO 27001 is both comprehensive and flexible to support businesses of all sizes and industries. As such, experience with the standard can be very helpful for defining and implementing the most efficient and effective ISO 27001 compliant ISMS.
This article alerts teams pursuing ISO 27001 certification to 5 of the top mistakes they’re likely to make.
One: Starting with a gap assessment
Many companies pursuing ISO 27001 certification start with a gap assessment. This is meant to tell you where you are versus where you want to be.
Why not start there? Because ISO 27001 is not prescriptive. It doesn’t specify how you should implement controls. Instead, each control should be based on key organizational factors, like:
- Your risk profile, including your risk appetite
- Your ISO 27001 environment scope or context
An ISO 27001 information security management system (ISMS) is built on understanding scope/context and cyber risk. You need this understanding before you can assess your level of ISO 27001 compliance or what controls you need.
Questions to help you gauge ISO 27001 scope and risk include:
- What information are we trying to protect?
- For what stakeholders are we protecting this information?
- What cyber threats are most likely to manifest in our environment and what would be the ramifications?
- What other laws and regulations impact how we handle and secure certain data (e.g., payment card data, healthcare data)?
- What do our contracts require us to do for information security and privacy?
- Where exactly is our sensitive data stored?
- Who has access to sensitive data, including employees, vendors, etc.?
Once you understand scope and risk, you can define the correct controls you verifiably need to mitigate your risk and meet ISO 27001 requirements. Then you are ready for a gap assessment.
Two: Defining the wrong ISO 27001 scope
Incorrectly defining your ISO 27001 scope is like putting the ladder against the wrong wall. Nothing you do after that will be correct.
Many organizations have the mistaken view that ISO 27001 allows them to define what their ISO 27001 ISMS will protect and what it will not protect.
For example, you might want to protect just your email system and SharePoint environment. But that is only acceptable if those are the only two places where sensitive data resides.
If not, you need to expand your ISO 27001 scope to provide meaningful assurance to stakeholders that you can protect their data—even when it’s on laptops or in the cloud.
A good way to view this challenge is to let your information define your ISO 27001 scope.
Three: Viewing ISO 27001 as an “IT project”
A very common misperception about the ISO 27001 certification journey is that it can just be an “IT project” that the IT team can largely handle. But because ISO 27001 requires you to build and certify a holistic management system, you need to involve the people, processes, and systems that handle data across its lifecycle.
For example, your HR team may need to be involved so they can facilitate training on cybersecurity and privacy responsibilities for each role. Legal and compliance teams are needed to confirm that contractually mandated security controls are in place, and to manage compliance processes. The physical security team also has a key role to play in protecting data.
Perhaps most importantly, senior management involvement and commitment is central to ISO 27001 certification and ongoing governance. Cybersecurity is a business issue at the C-suite and boardroom levels, and ISO 27001 requires confirmation that leadership is championing the certification effort.
Four: Failing to leverage ISO 27001 for other compliance needs
The challenge of achieving ISO 27001 certification can monopolize organizational focus. But it is also important to take a step back and think about longer-term cybersecurity goals you can advance at the same time.
Many companies seeking ISO 27001 certification are being asked for a strong form of attestation because they are processing sensitive data belonging to others. Such companies often need to show compliance with other cybersecurity and/or privacy guidance as well, such as HIPAA or PCI-DSS.
In these situations, it can be helpful to plan to implement, audit, and validate additional compliance requirements alongside ISO 27001. Planning upfront to build and manage controls to do “double duty” can save time and money while simplifying compliance governance.
To cite a common use case, more and more firms that pursue ISO 27001 because they handle customer personal data are also under pressure to comply with privacy regulations like California’s CPRA and/or the EU’s GDPR. Could the ISO 27701 privacy extension to ISO 27001 support those compliance needs?
A longer-term view of ISO 27001 compliance could even impact your choice of a third-party audit firm.
For example, a cloud service provider (CSP) may be working towards ISO 27001 certification today, while planning longer-term to seek a FedRAMP Authority to Operate (ATO). In that case, you could consider choosing an ISO 27001 certification body that is also a third-party assessment organization (3PAO) for FedRAMP.
Using the same partner for multiple audits can save time and money while improving the value of audits for feedback and continuous improvement.
Five: Failing to stay focused after achieving your initial certification
After gaining their coveted ISO 27001 certificate, it is common for teams to put ISO 27001 processes on the back burner and get back to business as usual. However, an ISO 27001 ISMS is an ongoing effort that requires monitoring and maintenance in between annual audits.
ISO 27001 compliance also requires certified organizations to show continuous improvement in their security posture. Newly certified teams need to stay focused and operationalize cybersecurity activities so they become part of the business culture.
Getting off to a strong start with cybersecurity awareness training not only helps operationalize an ISO 27001 ISMS, but also helps neutralize threats and reduce cyber risk.
Businesses looking to avoid missteps on the path to ISO 27001 certification should prioritize planning, stakeholder collaboration, and risk assessment. A trusted partner can support a wide range of essential tasks in the certification process, from policy and documentation updates to ISMS scoping to risk assessment to developing efficient controls.
Pivot Point Security is a leading consulting firm for ISO 27001 certification and has a 100% success rate bringing over 100 organizations of all sizes to certification. Contact us to talk about how we can optimize your ISO 27001 efforts, costs, and ROI.