by Scott Jack
Content Contributor, E-N Computers
7+ years experience in healthcare IT and tech support.
Updated May 22, 2023
As cyber attacks become more common and more sophisticated, it is increasingly vital to take information security seriously. Attackers, looking for the weakest link, will often target small businesses that manufacture, supply, or provide services for larger organizations. With cybercrime estimated to cost $8 trillion in 2023, large companies are even more interested in ensuring that the small businesses they partner with have adequate information security measures in place.
Therefore, ISO 27001 was developed to help organizations of all sizes create a cost-effective system of protecting information. This article will discuss ISO 27001 fundamentals, why you might want to acquire this certification, what it requires, and the cost of becoming certified.
QUICK ANSWER:
What is ISO/IEC 27001:2022?
ISO/IEC 27001:2022 defines information security best practices for organizations. The standard calls for creation of an Information Security Management System (ISMS): a framework of policies and controls that balances risk and cost according to business realities. Certification to ISO 27001 standards is available through third-party Certification Bodies selected by ISO.
Basics of ISO 27001
The International Organization of Standards (ISO) and International Electrotechnical Commission (IEC) first published ISO/IEC 27001 in 2005; updated in 2013 and again in 2022, the current standard is identified as ISO/IEC 27001:2022. It defines information security best practices for organizations. The standard calls for creation of an Information Security Management System (ISMS): a framework of policies and controls that balances risk and cost according to business realities. ISO 27001 uses a plan-do-check-act (PDCA) model.
- Plan. Identify stakeholders, their expectations, complete a risk assessment, and define your security controls and mitigation techniques aligned with clear objectives.
- Do. Implement your security controls and mitigation techniques.
- Check. Continuously monitor the effectiveness of your plan as implemented, looking at both measurable indicators and observed behaviors.
- Act. Regularly refine your ISMS based on your collected data and observations.
When an ISMS is prepared this way, it provides a holistic approach to information security that ensures 3 basic needs are met: confidentiality, integrity, and availability.
- Confidentiality. Only authorized persons can access information.
- Integrity. Only authorized persons can make changes to information.
- Availability. Information remains available to authorized persons whenever it is needed.
Get the Quick Reference Guide
Want more information about ISO/IEC 27001? Download our free quick reference guide to see an overview of the requirements and benefits of ISO 27001 certification.
Don’t have time to read it right now? Enter your email address (totally optional!) and we’ll send you a link so you can download it later or share it with your team.
Reasons to get ISO 27001 certified
Compliance with ISO 27001 benefits your business in at least four ways. First, it improves your internal processes and documentation. Second, it promotes compliance with legal and contractual requirements. Third, it can help you attract and retain clients. And finally, it reduces costs associated with cybersecurity breaches. Let’s briefly consider each of these benefits.
Improve processes and documentation
The comprehensive nature of ISO 27001 certification means that it will often take months to prepare. In alignment with company objectives, many processes will have to be reviewed, modified, and documented. Reviewing and refining processes in a methodical way improves efficiency. Documenting your processes provides a common reference for top management and for employees whose tasks impact the ISMS. It also protects the company from losing critical knowledge when a team member leaves.
Comply with legal and contractual obligations
Being ISO 27001 certified and compliant demonstrates your commitment to protecting the sensitive information entrusted to you. As mentioned above, your planning starts with understanding the expectations of various stakeholders. During that stage, you will become thoroughly familiar with the legal requirements and contractual obligations you must meet. As a result, you will be able to develop an ISMS that fully responds to those needs.
Attract and retain clients
Increasingly, your current and prospective clients are recognizing that information security is as vital as your business’ core competencies. Your compliance with international standards like ISO 27001 gives them clear evidence that you take this seriously and are dedicating the resources necessary to protect their intellectual property from corporate espionage, cyberattacks, and other threats.
Reduce costs associated with cybersecurity breaches
IBM’s 2022 Cost of a Data Breach report states that detection and escalation is the biggest cost in a breach, followed by lost business. Detection and escalation costs “include forensic and investigative activities; assessment and audit services; crisis management; and communications to executives and boards” and amounted to $1.44 million for US businesses that year.
Requirements for ISO 27001 certification
Clause Four through Clause Ten of the standard describe its requirements, which are briefly explained below. Annex A provides a list of 93 security controls across four sections, some of which may not apply to you. The four control sections, which were added in 2022, are organization, people, physical, and technical.
If your risk treatment plan does not call for the use of certain controls, you will create a Statement of Applicability that provides justification for their exclusion; it is one of the mandatory minimum documents and records required by the standard.
Clause 4, “Context of the organization”. Determine internal and external issues. This includes defining the scope of the ISMS, performing a risk assessment, identifying stakeholders and their expectations, regulatory burdens, and contractual obligations.
Clause 5, “Leadership”. Top management is ultimately responsible for development and implementation of the ISMS. They should be actively involved and demonstrably committed to the implementation and improvement of the system.
Clause 6, “Planning”. In accordance with the completed risk assessment, describe the security controls and risk mitigation techniques that will be implemented. These may be integrated with your organization’s policies and procedures.
Clause 7, “Support”. Make sure that everyone responsible for the success of the ISMS has the experience, training, or education necessary to demonstrate competence. Develop awareness of your information security policies and how a person’s performance, or underperformance, can affect the ISMS. Create a communication plan that addresses how ISMS information is communicated, by whom, when, and who should receive it.
Clause 8, “Operation”. Implement your plan and maintain records that give proof you are implementing it as described. Generally speaking, your records demonstrate compliance with Clauses 7, 9, and 10 by detailing training, skills, and experience; results of monitoring, internal audits, management review, and corrective actions; and computer logs of user activities and security incidents.
Clause 9, “Performance evaluation”. Continually monitor and record ISMS performance using a combination of key metrics and behavioral observation. Plan internal audits and management review at regular intervals.
Clause 10, “Improvement”. Based on information from your performance evaluation, and after taking corrective actions in the event of an incident, update your ISMS to address any deficiencies and prevent recurrence.
Cost of ISO 27001 certification
The cost of certification depends on a variety of factors including the size of your organization, the scope of your ISMS, the complexity of your information systems, and any outsourcing or third-party arrangements. However, one estimate suggests an initial audit will take seven days and cost between $11,200 and $14,000 for a small business of 16 to 25 employees. During this time, the certification body (CB) will review all documentation as well as the implementation of your ISMS. Once achieved, your certification is valid for three years.
Additionally, the CB performs a random surveillance audit each year that is not a certification or recertification year. These will generally cost 65% to 75% of your certification audit. You will also be responsible for an internal audit completed by an independent party; when completed by an external resource, the cost will be similar to the surveillance audit.
Next Steps: Learn more about information and cyber security
Whether you choose to pursue ISO 27001 certification or not, developing a comprehensive information security management system can still be a competitive advantage as it helps you understand your security risks and take steps to keep your information assets secure. By having such a system in place, your business will be ready to support clients with more stringent security expectations, more adaptable to changing regulatory requirements, and more resilient to downtime and security threats.
A managed service provider (MSP) like E-N Computers is an invaluable partner for enhancing your cybersecurity measures. We can help you identify the technical and policy controls that you need in order to achieve ISO 27001 certification. Then, our team of experts can help you to design, implement, and document solutions that will bring you into compliance. Tapping into the expertise of our technicians, engineers, and consultants will give you the security edge you need and allow you to focus on your core business. Take a look at our straightforward pricing structure, which is designed to give you the support you need without any surprises.