Streamline your ISO 27001 certification

Strike Graph’s risk-based methodology sets you up for an efficient Information Security Management System implementation and successful ISO 27001 certification. Our solution provides:

ISO compliant Risk Assessment
A library of audit proven policy templates
Implementation guidance
Automated, ongoing evidence collection for continuous compliance
Your Internal Audit assessments

Request a demo

What is the ISO 27001 standard?

ISO IEC 27001:2013 establishes a framework for how organizations should manage the security of their data.

It is one of many standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) shares ownership of the ISO 27000 family of standards. ISO 27001 is a framework for an organization’s ISMS or Information Security Management System. The ISMS establishes management processes, by means of information security controls, to address information and data security risks. Its focus on information security risk management and continuous improvement makes it the most widely recognized IT Security certification internationally.

What are the benefits from ISO 27001 Certification?

Any organization handling sensitive information can benefit from the ISO 27001 certification. Implementing an information security management system (ISMS) that adheres to the ISO 27001 standard provides organizations with a program to mitigate potential security breach risks that could have legal, business, and reputational implications. Organizations that benefit from ISO 27001 certification include IT companies, financial service providers, telecoms, government agencies, healthcare service providers, and any other company handling sensitive data.

Achieving ISO 27001 certification shows stakeholders that data and information are protected from unauthorized access, ensures information is accurate, allows only authorized users to modify information, and assesses and mitigates risks. ISO 27001 certification offers increased systems and information security, which improves business resilience, and confidence in the relationship between business partner and customer.

The ISO 27001 Framework

ISO 27001’s security controls address the three pillars of information security – people, processes, and technology. There are 114 ISO 27001 Annex A controls divided into 14 categories listed below:

Annex A.5 – Information security policies (2 controls)
Annex A.6 – Organization of information security (7 controls)
Annex A.7 – Human resource security (6 controls)
Annex A.8 – Asset management (6 controls)
Annex A.9 – Access control (14 controls)
Annex A.10 – Cryptography (2 controls)
Annex A.11 – Physical and environmental security (15 controls)
Annex A.12 – Operations security (14 controls)
Annex A.13 – Communications security (7 controls)
Annex A.14 – Systems acquisition, development, and maintenance (13 controls)
Annex A.15 – Supplier relationships (5 controls)
Annex A.16 – Information security incident management (7 controls)
Annex A.17 – Information security aspects of business continuity management (4 controls)
Annex A.18 - Compliance (8 controls)

What is an ISMS?

An Information Security Management System (ISMS) is a management framework of policies and procedures to keep confidential and sensitive information secure.

An Information Security Management System (ISMS) is a management framework of policies and procedures to keep confidential and sensitive information secure. It establishes a systematic approach to security through technologies, policies, procedures, systems, and processes. This approach is designed to manage information risks such as data leaks, cyberattacks, hacks, insider threats, or theft. An ISMS enables organizations to secure information in all its forms and increase their resilience to attacks.

An effective ISMS also helps businesses respond to evolving security threats to the confidentiality, integrity, and availability of the data it handles. Businesses can improve cybersecurity culture through ISMS’s integrated approach that covers people, processes, and technology. ISMS enables employees and partners to readily understand risks and embrace security controls in their working practices.

Becoming ISO 27001 Certified

Organizations that have adopted the ISO 27001 framework may choose to become certified or simply maintain their ISMS in a compliant state. For companies that desire the certification or that are in industries where the certification is a requirement, achieving certification should not be treated as a one-off initiative. Attaining and maintaining the certification requires organizations to treat information security as a critical business process and to invest resources, effort, and time into ISO 27001 compliance on a year-round basis.

Companies can maximize their ISO 27001 certification journey by investing in training programs for employees that can develop and maintain the company’s ISMS internally. Employees can also become certified as an ISO 27001 Lead Implementer to help their organizations document and implement information security-related requirements for the certification.

ISO 27001 certification is conducted by an independent third-party assessor. A successful certification audit results in an ISMS certified against ISO 27001.

Staying ISO 27001 Certified

Organizations stay ISO 27001 certified by ensuring their ISMSs meet all procedures and controls in the standard. Apart from operating and updating the ISMS, businesses should update documentation and policies to accommodate new products and requirements. Organizations should also conduct periodic risk assessment reviews as risks and threats evolve. ISO 27001 certification is valid for three years, after which a company needs a surveillance audit and recertification.

Apart from documentation, ISO 27001 requires organizations to perform internal audit management reviews and take corrective actions on nonconformities.

The cost of an ISO 27001 certification depends on various factors like training, technologies to be implemented and updated, external expertise, and the certification audit.

Helpful ISO 27001 Resources

ISO/IEC 27001 Information Security Management Official Site

ISO/IEC 27001: 2013: Information technology – Security Techniques – Information security management systems – Requirements

More About ISO 27001 Certification/ Choosing a Certification Body

ISO 27001 Glossary

Asset

An asset is something that has value to a business. An asset extends beyond physical items to include people, information, reputation, intellectual property (IP), and software.

Information Asset

Information or data that is of value to an organization. Examples include patient records, employees’ information, intellectual property, and company data.

Asset Management

Obtaining and updating an accurate inventory of all IT assets, including the discovery of security gaps related to the asset operations and configuration. Asset management also involves enforcing security requirements to address identified security gaps.

Threat

A potential cause of an incident that may result in a breach of information security or compromise of operations.

Cyberattack

An attack is an attempt by malicious criminals to compromise an asset by destroying, altering, or gaining unauthorized access.

Information Security

Measures, procedures, processes, and technologies that businesses deploy to ensure the confidentiality, integrity, and availability of information.

Controls

Processes, policies, and procedures for managing risk.

Information Security Management System (ISMS)

A management system or program focused on implementing, controlling, and maintaining information security.

Information Security Incident

A suspected, attempted, successful, or imminent threat of unauthorized access, modification, use, disclosure, or destruction of information assets. Information security incident also refers to the interference with information technology operation or violation of acceptable use policy.

Get a product demo to talk with our experts and see Strike Graph in action