ISO 27001 certification can help to overhaul and holistically strengthen your organisation’s information security strategy. This internationally recognised standard holds you accountable for how you safeguard sensitive information, protect your IT environment, and manage your assets. Naturally, the ISO 27001 framework affects every part of your business, not least your HR and IT departments.
At first glance, the road to ISO 27001 certification is not the easiest to navigate. Luckily, with tools like Zelt that help to consolidate your HR and IT management, adapting your processes to fulfil ISO requirements is not as hard as you might think.
In this article, we take an in-depth look at ISO certification, what that means for your business, and how ISO 27001 controls impact the way you manage your people and your devices.
What is ISO 27001 certification?
Before we dive into the specifics, let’s take a moment to understand exactly what ISO 27001 is and what it means for your business.
ISO 27001 (formally ISO/IEC 27001) is an internationally recognised standard that specifies the requirements for an information security management system (ISMS). It gives organisations standardised guidance on protecting information, building cyber resilience, and managing assets, and it covers everything from your business’ workflows and practices to your use of technology and your people.
Using ISO 27001’s structured guidance, organisations can feel confident in their information security management protocols and systems. Additionally, ISO 27001 certification reassures clients and customers that they are taking proper measures to safeguard their information.
Why do businesses choose ISO 27001?
Uptake of business software has proliferated in recent years. And whilst this has led to optimised efficiency and streamlined workflows, there have also been rising concerns about data protection. That’s why demand for credible certifications has risen. ISO 27001 helps businesses to identify existing strengths and weaknesses in their current security protocols and gives structured guidance on how to address the gaps.
Is ISO 27001 mandatory?
It’s important to understand that ISO 27001 is not a legal requirement. If you do pursue certification, however, you cannot simply ‘cherry pick’ controls to match how much security you want: the management-system requirements in clauses 4 to 10 are mandatory, and any Annex A control you leave out has to be justified by your risk assessment and risk treatment plan.
In order to get ISO 27001 certified, your business will have to complete a Statement of Applicability (SoA). In it, you list which of the ISO 27001 Annex A controls you’ve implemented and which you have excluded. You don’t need to implement every control, but you will need to explain why you excluded each one, and that justification should trace back to your risk assessment.
How does ISO certification work?
Though not necessary, organisations usually opt to hire an ISO 27001 consultant to help them get certified. Engaging the support of an expert reduces your administrative load and also maximises your chances of getting certified.
Start by checking out our list of the top ISO 27001 consultants in the UK according to dozens of UK-based businesses.
Step 0: Before getting started with ISO certification, you first need to establish the context of your organisation (clause 4). You need to plan ahead for securing the certification by defining the scope of your ISMS and setting measurable information security objectives (clause 6.2). Additionally, you will need to record your interested parties and their requirements (clause 4.2) and undertake a business risk assessment.
Step 1: The first step to getting ISO 27001 certification is carrying out an ISO risk assessment. This will involve undertaking an audit of your organisation’s current environment, assessing the strengths or shortcomings of protocols you have in place, and profiling the cyber security risks you face.
Step 2: Using the risk assessment, the next stage is to identify gaps that need to be filled in your cyber and information security strategy. This will help you to design a new (or updated) risk management strategy, which in turn will indicate which ISO 27001 controls are most relevant to your organisation.
Step 3: Understand and select your ISO 27001 security controls. This next step involves choosing the ISO 27001 controls that help you to implement your information security strategy. ISO 27001 implementation will probably involve changing certain workflows, updating key documentation, and educating your workers about new responsibilities.
Step 4: You will then need to complete the Statement of Applicability that we mentioned. If you’ve hired an ISO 27001 consultant, they should help you to draft your SoA so that it fulfils all requirements. As we explained, as well as stipulating which Annex A controls you have put into place, you will also have to justify the ones that you chose to exclude.
Step 5: Next, you need to roll out and complete training to ensure that your company is up to date with the requirements and controls that you've set out in previous steps.
Step 6: You will then have to undergo a two-stage audit by an accredited certification body. Stage 1 reviews your ISMS documentation (scope, policies, risk assessment, SoA); stage 2 checks that the controls are actually implemented and operating. Passing both confirms that you have met the requirements and earns you the certificate.
Step 7: Ensure ongoing compliance. Once you have gained your ISO 27001 certification, you need to make sure that you are aware of any compliance or regulatory updates that may affect your certification. Certificates are normally valid for three years, with annual surveillance audits by the certification body in between, and, as clause 9.2 of ISO 27001 stipulates, you are expected to conduct your own internal audits at planned intervals.
How much does ISO certification cost?
You can separate the costs associated with ISO certification into a few elements: training, an ISO consultant, and the audit.
Training can range from completely free, if you opt for free training resources, up to a few thousand pounds if you opt for a professionally developed course.
An ISO 27001 consultant typically charges £140 per hour and you’ll have to factor in a minimum of 24 hours to get your certification. Though this does, of course, depend on the size of your organisation.
Lastly, you’ll need to pay an accredited certification body to carry out your stage 1 and stage 2 ISO 27001 audits to verify and confirm your compliance. The cost of this will vary depending on how big your organisation is. Our article on how to keep employee data safe and prevent data leaks gives estimated costs depending on the number of employees you have.
Finally, you should factor in the ongoing costs of implementing and maintaining ISO 27001 compliant systems and protocols. The time required to produce compliant materials, provide training and up to date education, as well as carrying out internal audits are all costs that should be considered.
Benefits of ISO certification
If you’re still weighing up whether certification makes sense for your organisation, here’s a quick look at ISO 27001’s benefits:
Minimised risk of information loss
By nature, ISO 27001 certification should reduce your organisation’s risk of losing precious data. The protocols, checks and systems that ISO 27001 requires you to put in place give you, your employees and your customers valuable peace of mind.
Credibility & increased trust
In the same vein, since ISO 27001 is a globally recognised standard, getting certified will bolster your organisation’s credibility and give clients confidence in how you handle sensitive data and in the strength of your cybersecurity controls.
Accountability, Structure & Scalability
The ISO 27001 controls help keep you and your employees accountable to a clearly defined framework. Moreover, having a solid foundation in place makes it easier to safeguard precious data and information even as your organisation grows and scales.
Keeps you compliant
ISO 27001 certification does not by itself make you compliant with data protection and privacy laws such as the UK GDPR, but the controls it requires (risk assessment, access control, incident management, supplier security) overlap heavily with what those laws expect. Certification therefore supports your legal compliance and helps you demonstrate due diligence, which can reduce your exposure to liability if something does go wrong.
ISO 27001 Checklist & How Zelt Can Help
Even once you understand what ISO 27001 is and the overall aims of the standards it sets, it can still be difficult to wrap your head around it. Especially when it comes to how its controls will translate into your organisation.
In this article we’re focussing on how ISO 27001 impacts your HR and IT management. That’s why we’ve unpacked some of the key Annex A controls that are relevant to different points in the employee lifecycle, directly affect HR, and lastly, how you manage your employees (and other assets). We’ll also explain how Zelt can help you to integrate ISO 27001 compliant practices into your organisation.
Prior to Employment & Onboarding
The first controls we’re looking at are those that focus on HR security prior to employing someone and during onboarding. Note that the control references below use the Annex A numbering of ISO/IEC 27001:2013; the 2022 revision renumbered and consolidated Annex A (for example, screening is now A.6.1 and terms and conditions of employment A.6.2), so check which edition your certification body is auditing against.
Under A.7.1.1, you’re expected to carry out background verification checks on all candidates, proportionate to the role and to the sensitivity of the information they will access, while ensuring that you’re fully compliant with relevant laws, regulations and ethics throughout the process.
This may mean you need to rework or tighten your hiring practices to include ISO 27001 compliant screening.
A.7.1.2 requires the inclusion of clear information around employees’ and the organisation’s information security responsibilities within the employment contract.
If you don’t already have a section of your contract dedicated to information security and the relevant duties and responsibilities, you will need to add this in. Using Zelt, you can store your employment contracts in a centralised and secure repository. Crucially, your new joiners will have instant access to their contract if they want to check a term or confirm a certain policy.
Communicating policies with new (and existing) employees
Another requirement under A.5.1.1 is that you create a defined set of policies that set out your information security strategy and, once approved by your management team, share this with your employees.
You will need to make sure to provide these policy documents to new employees as part of your onboarding process. With Zelt, you can set up a standard ‘new starter checklist’ that automatically prompts new starters to read all required material. Instead of sharing each document with them manually, employees can access all your key documents independently at any time.
A.5.1.2 stipulates that you need to review these policies at planned intervals and update and adapt them as and when necessary. And, if there are significant changes to these policies, you will need to inform your employees of these.
To ensure you don’t miss your regular review, you can set yourself reminders through Zelt ahead of time. You’ll get an automatic notification prompting you to schedule a full policy review and update session.
Granting new employees permissions & access
When a new team member joins, one of the first things you’ll think about is getting them set up across all your various systems. The ISO 27001 standard expects you to properly manage this process to ensure that ‘the allocation and use of privileged access rights is restricted and controlled’ (A.9.2.3). Additionally, you’re expected to introduce a formal user registration and de-registration process (A.9.2.1) and to issue secret authentication information, such as initial passwords, through a formally defined process (A.9.2.4).
Zelt makes access management as stress free as it should be. You can manage all your user permissions from your dashboard and onboard new employees to the relevant applications. You also get crucial oversight over who is using which apps, and can add or remove employees as and when necessary. That removal side matters just as much for the auditor: A.9.2.6 requires access rights to be removed or adjusted promptly when someone leaves or changes role, so a leaver checklist that revokes every account is as important as the joiner one.
Next, let’s take a look at the controls that directly impact your workers during employment from section A.7.2.
Enforce active implementation of ISO 27001 compliant policies
As set out in A.7.2.1, you need to not only write up ISO 27001 compliant policies, but ensure their active implementation throughout your organisation.
Part of encouraging this uptake is taking the time to educate, train and update all of your employees about your new organisational policies, workflows and protocols, and how they affect their specific position (section A.7.2.2).
Finally, you’re expected to penalise non-compliance with your information security policies by introducing a clearly defined disciplinary process for employees who are found to be in breach (A.7.2.3).
You can store all your disciplinary policies directly in Zelt for easy and direct access. This means your employees can remind themselves of your company policy whenever they need. You can also conduct performance reviews from the platform to track ongoing progress and compliance with your ISO 27001 policies.
A.9.4.3 requires that your password management systems are interactive and ensure quality passwords.
Using Zelt, you can also set organisation-wide password policies that stipulate certain features for user passwords to ensure their strength, such as a minimum length and character composition, and you can force employees to update their passwords at regular intervals. Be aware, though, that current guidance from NIST (SP 800-63B) and the UK NCSC advises against mandatory periodic rotation unless a compromise is suspected, and against strict composition rules, because both push users towards predictable patterns; they recommend a sensible minimum length, screening new passwords against known-breached lists, and multi-factor authentication instead. A.9.4.3 asks for quality passwords, not for any particular rule set, so a policy built on those recommendations satisfies the control.
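To make the A.9.4.3 requirement concrete, here is an added example (not part of the original article and not Zelt’s own implementation) of a password-quality check written along the NIST SP 800-63B / NCSC lines described above: it enforces a minimum length, rejects passwords found in a breached-password list, rejects long runs of one repeated character, and rejects passwords containing context words such as the username or employer name, while imposing no composition rules. The breached-password set and the context words are constructed for the example; a real deployment would query a large breach corpus such as the Have I Been Pwned range API instead of a hard-coded set.

```python
"""Password-quality check aligned with ISO 27001 A.9.4.3 (quality passwords).

Added example. BREACHED_PASSWORDS is a constructed stand-in for a real breach
corpus; the thresholds below are the author's assumptions, not values from the
standard.
"""
import unicodedata

# Constructed stand-in for a breached-password list. In production this would
# be a lookup against a large corpus (e.g. the Have I Been Pwned range API,
# which only ever receives the first five hex characters of the SHA-1 hash).
BREACHED_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein", "welcome1",
}

MIN_LENGTH = 12    # length, not composition rules, is the main strength lever
MAX_LENGTH = 128   # permit long passphrases


def _normalise(pw: str) -> str:
    """NFKC-normalise and case-fold so variants of a banned word still match."""
    return unicodedata.normalize("NFKC", pw).casefold()


def _has_long_run(pw: str, limit: int = 4) -> bool:
    """True if any single character repeats `limit` or more times in a row."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run >= limit:
            return True
    return False


def check_password(password: str, context_words: list[str]) -> list[str]:
    """Return a list of policy violations; an empty list means acceptable.

    context_words are identifiers the user would plausibly reuse (username,
    employer name, e-mail local part); any of length 4+ found inside the
    password is a violation.
    """
    problems: list[str] = []
    norm = _normalise(password)

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if norm in BREACHED_PASSWORDS:
        problems.append("appears in breached-password list")
    if _has_long_run(norm):
        problems.append("contains a long run of one repeated character")
    for word in context_words:
        w = _normalise(word)
        if len(w) >= 4 and w in norm:
            problems.append(f"contains context word '{word}'")
    return problems


if __name__ == "__main__":
    # Constructed inputs: a weak, breached password and a long passphrase.
    for candidate in ("Password1", "correct horse battery staple"):
        verdict = check_password(candidate, ["alice", "acme"])
        print(f"{candidate!r}: {'ok' if not verdict else '; '.join(verdict)}")
```

Because the check is interactive (it returns the specific reasons for rejection rather than a bare yes/no), users can fix the problem on the spot, which is what A.9.4.3 means by an interactive password management system. Note what is deliberately absent: there is no expiry timer and no "one uppercase, one digit, one symbol" rule.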