Last Updated on September 16, 2019
Recently I conducted a surveillance audit for a SaaS provider that has been ISO 27001 certified for over three years. I logged five nonconformities… so something was off. Their information security program wasn’t moving forward as it should have been—especially with new data privacy regulations like GDPR and CCPA that were impacting them.
While discussing the audit results, I had a conversation with their CISO about their evolving regulatory compliance needs and how ISO 27001 could help. My goal was not just informational, but also to help the company “reconnect” with the ISO 27001 framework, which they’d worked hard to align with.
Remember, ISO 27001 is a system for managing information-related risk. As your risks change, the standard adapts to guide you in making changes that effectively manage your new risks.
It’s important for ISO 27001 certified businesses to remember the standard is fluid and nonprescriptive. As such, your ISMS can readily evolve to support new requirements. In fact, re-evaluating your ISO 27001 scope and context as your environment and risks change is a vital part of maintaining certification over time.
If your view of ISO 27001 is static, you might be overlooking its ongoing, dynamic value and viewing it as laborious and expensive—when, in fact, it’s vital to your survival in a marketplace that increasingly demands proof that you can keep data secure. (Not to mention a world teeming with fast-evolving threats…)
In this case, I recommended the CISO and his team leverage ISO 27001 to help them achieve, prove and maintain compliance with data privacy mandates by mapping relevant ISO controls to those requirements.
If you feel like your ISO 27001 program would benefit from some “re-energization,” ask yourself why you pursued ISO 27001 certification in the first place. One of the top reasons was probably to develop an information security culture and solid technical controls that could “rise to the occasion” to address new issues.
If your ISMS is ISO 27001 certified, don’t lose sight of how far you’ve come to get there. The ISO 27001 framework can be the starting point you build on to obtain and maintain regulatory/industry compliance and meet client demands with far less stress and cost.
Pivot Point Security specializes in providing the ongoing support organizations need to successfully maintain their ISO 27001 certification, manage evolving risks and execute their internal audit program. Contact us to speak with an ISO 27001 expert about your needs and goals.