As one of the most thorough cybersecurity assessments an organization can go through, achieving ISO 27001 certification might initially seem daunting. At BARR, we aim to keep it simple. We clarify the ISO 27001 certification process by making each step of the way clear and easy to understand.
Director of Attest Services Cameron Kline and Lead ISO Manager Marc Gold answered some frequently asked questions about ISO 27001 and what to expect when working toward the certification.
Let’s look at a few of these FAQs and what our BARR experts have to say so you can confidently take the next steps on your path to long-term cyber resilience.
ISO 27001 outlines the requirements for establishing, implementing, maintaining, and continually improving an organization’s information security management system (ISMS). ISO 27001 is an internationally accepted standard and a valuable way to differentiate your organization and comply with industry standards.
The following steps outline what to expect during the certification process.
Pre-certification activities
Your organization can submit a new application for certification services through our contact us page. BARR will conduct a client evaluation and engagement acceptance review as part of our pre-certification activities.
We’ll gather information about the scope and boundaries of your ISMS to determine fee arrangements and resourcing needs, such as:
Pre-assessment (optional)
A pre-assessment is not required, but a formal readiness assessment against the ISO 27001 standard can help your organization prepare for initial certification by identifying deficiencies in your ISMS before the certification audit begins.
Initial certification audit
Initial certification audits include two stages. In Stage 1, the certification body reviews the ISMS design documentation required by ISO/IEC 27001. Based on the findings documented in Stage 1, BARR will develop an audit plan for Stage 2. In addition to evaluating the effective implementation of the ISMS, the objective of Stage 2 is to confirm that the client adheres to its own policies, objectives, and procedures.
Surveillance audit
The initial certificate issued is valid for three years from the issuance date. At least annually, surveillance audits are conducted to help ensure your organization complies with the standard.
Recertification
Before the certificate expires, arrangements for recertification are planned. Recertification activities include a full audit of your ISMS.
Notice of changes
The BARR team will discuss any changes in the scope of the certification (i.e., reduction or expansion) or changes to requirements during the three-year certification cycle.
At the heart of ISO 27001 is the development of your organization’s ISMS. Before your audit, it’s best to define the scope of your ISMS in relation to your business needs, the structure of your organization, its locations, information assets, and technologies. The scope of your ISMS can be as small or as large as your organization wants to design it—covering a small part of your organization or the entire organization—as long as all of the requirements of the ISO 27001 standard are applied and operational within that scope.
The design and implementation of your organization’s ISMS will be influenced by your business and security objectives, security risks and control requirements, the processes employed, and the size and structure of the organization.
Additional considerations when thinking through the scope and design of your ISMS include:
At least once every five years, all ISO standards are reviewed. Standards are updated to remain current and reflect new and evolving security challenges. The changes made in ISO 27001:2022 can be broken down into two parts—changes to the management system clauses and Annex A controls.
Changes to the management system clauses are minor overall, with the most significant being clauses 4.4 and 8.1. Clause 4.4 adds to the context of the organization the requirement to identify necessary processes and their interactions within the ISMS. Clause 8.1 adds a requirement to define process criteria.
The Annex A control changes are moderate and are derived from ISO 27002:2022, released earlier this year. Organizationally, the former 14 control families of Annex A have been consolidated into just four themes. Most of the controls have stayed the same or have been renamed. Another group of controls was merged to reduce the total number of controls; still, the requirements within those controls are almost the same. The most significant change is the addition of 11 new controls.
In 2021, BARR earned the prestigious ISO 17021 accreditation for certification to ISO 27001 from the ANSI National Accreditation Board (ANAB). Accreditation by the ANAB—North America’s largest multidisciplinary accreditation body—validates BARR’s competence and independence in assessing the people, processes, and technology within a service organization’s ISMS.
Together, BARR Certifications and BARR Advisory are one of only a handful of firms in the nation that meet the ANAB, AICPA, and HITRUST requirements to issue ISO certifications, SOC 2 audit reports, and HITRUST testing for validation. BARR is also a PCI Qualified Security Assessor firm, allowing us to perform PCI DSS audits.
Since ISO 27001 auditors cannot provide guidance on fixing issues or mitigating gaps, HITRUST CSF can serve as a risk assessment for the ISO 27001 audit. If your organization has HITRUST in place, your external assessor can help by providing expert guidance and feedback on how to close any identified gaps ahead of time. This can help avoid potential nonconformities during your ISO 27001 audit.
ISO 27701 was released in August 2019 as an extension of ISO 27001. It outlines requirements for establishing, implementing, maintaining, and continuously improving an organization’s Privacy Information Management System (PIMS). It’s an internationally accepted standard and essential for organizations that process Personally Identifiable Information (PII).
Like ISO 27001, ISO 27701 uses a risk-based approach, which means organizations adopting ISO 27701 are not required to implement every possible control for every situation. Instead, BARR will work with you to identify, prioritize, and mitigate risks according to your organization’s specific needs.
Organizations should also understand the context in which they handle data as either controllers or processors, terms defined in the GDPR. A data controller is the entity that determines the “why” and “how” of processing personal data, while a data processor is the entity that performs the processing on the controller’s behalf.
You’ll want to consider ISO 27701 if your organization:
Have questions on how BARR can help you achieve ISO certification? Connect with us for a free consultation with one of our ISO experts.