ISO 27001 Frequently Asked Questions
Here are some common questions related to ISO 27001 and ISO 27701 to help you in your certification journey.
Jump to a question:
- How long does it take to get ISO 27001 certification?
- Who can issue ISO 27001 certification?
- What are the 14 domains of ISO 27001?
- Does ISO 27001 cover cyber security?
- Does ISO 27001 cover GDPR?
- Can an individual be ISO 27001 certified?
- How do you check if a company is ISO 27001 certified?
- What is the difference between ISO 27001 and ISO 27002?
- How do you manage personal data using ISO 27701?
- What is a Privacy Information Management System (PIMS)?
- Why was ISO 27701 developed?
How long does it take to get ISO 27001 certification?
There are a number of factors that determine how long it takes. The crucial factor is the scope of the certification, which itself comprises things like the size of the organisation, the number and complexity of processes, the number of locations and the number of employees. The other major factor is the maturity of the information security capability and knowledge already within the organisation. In general, with increasing size and complexity comes greater time and effort. The process may also be quicker if the organisation already has experience of management system standards, such as ISO 9001 Quality.
We would always recommend that achieving ISO 27001 certification be treated as a project and managed accordingly. This can either be done in-house or with the support of an ISO 27001 consultant – our Sales Team can help organisations decide and also recommend consultants with whom we have a high degree of confidence.
Well-run projects with experienced personnel can take 2-3 months, although over 6 months is not uncommon. In ideal circumstances the organisation will have a fully functioning management system in place before the audits take place. Towards the end of the project the organisation would undergo a short Stage 1 audit – this is essentially a preparedness check. Then a Stage 2 audit is conducted, typically over several days, in which every requirement of the standard and the organisation’s information security controls are reviewed.
Who can issue ISO 27001 certification?
Only Certification Bodies (CBs) that have been accredited to ISO 27001:2013 can issue ISO 27001:2013 certificates. You can check to see if a CB is accredited to a particular standard by searching the UKAS directory of accredited CBs.
It is worth an explanation of the global accreditation structure in order to better understand how CBs are able to issue certificates.
CBs are the organisations that are accredited to issue certificates to organisations. There are many CBs in many countries and, due to the international accreditation regime, all certificates issued by accredited CBs are mutually recognised globally.
In order for a CB to be accredited to a particular ISO standard the CB must undergo an accreditation audit by an approved National Accreditation Body (NAB). The UK’s NAB is the United Kingdom Accreditation Service (UKAS).
UKAS is a signatory to the European Co-Operation for Accreditation’s (EA) Multi-Lateral Agreement (MLA).
The EA MLA is recognised at a global level by the International Accreditation Forum, which means that a certificate issued by an accredited CB in the UK is recognised globally. Similarly, a certificate issued by a CB in the USA that is accredited by the ANSI Accreditation Board has mutual standing in the UK.
What are the 14 domains of ISO 27001?
Annex A in ISO 27001:2013 lists 14 ‘control objectives’, each of which comprises a set of security controls (114 in total, described in detail in ISO 27002:2017). These control objectives are:
A.5 Information security policies
A.6 Organisation of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
Does ISO 27001 cover cyber security?
What is cyber security? There are various definitions, but in general it’s taken to mean the security of computer systems and services, typically in an online context, which makes it a very broad domain comprising many technologies and techniques.
ISO 27001 is usually referred to as an information security standard, but it’s actually a management system standard. Take a closer look at the title on the cover of the BSI publication:
Information technology – Security techniques
Information security management systems – Requirements
It’s very hard to separate information technology from cyber technology. In almost every cyber context it is information that is being processed by the underlying technology in order to provide cyber services. So the terms information security and cyber security are often used interchangeably. And that’s further reinforced by the fact that the underlying security principles are common to both.
ISO 27001:2013 is considered to be the industry standard for information security and is used by organisations in every sector, globally, to improve and demonstrate their security practices. Take a look at the major online providers of cyber services, such as Microsoft and Google, both of whom hold various ISO 27001 certifications.
So ISO 27001 does cover cyber security, and it provides a framework for managing cyber security risks, as well as information security risks.
Does ISO 27001 cover GDPR?
GDPR refers to personal data, which is a type of information. ISO 27001 is an information security standard. An organisation certified to ISO 27001 will have considered the security risks to the personal data it processes, in the context of GDPR. In that respect ISO 27001 is a measure of compliance with GDPR Article 5.1 (d), (e) and (f), and Article 32 (Security of processing).
For full coverage of GDPR, insofar as it relates to the processing activities of an organisation and as a means of demonstrating compliance, ISO 27701 would have to be implemented in addition to ISO 27001. ISO 27701 is a bolt-on to ISO 27001 and implements a Privacy Information Management System.
This is a quote from a press release in April 2020 from the French equivalent of the ICO, the CNIL: ‘The standard was drafted at an international level with contributions from experts from all continents and the participation of several data protection authorities. Experts from the CNIL actively contributed to this standard, with the support of the European Data Protection Board. It represents the state of the art in terms of privacy protection and will allow organisations adopting it to increase their maturity and demonstrate an active approach to data protection.’
Can an individual be ISO 27001 certified?
No. Only organisations can be certified. This does mean that a sole trader business could be certified, but it is the business that holds the certificate, not the individual.
How do you check if a company is ISO 27001 certified?
There isn’t a public register of certified companies. But certified companies will have been issued with a certificate by their certification body, so you can ask to see a copy. You should check for the following items on the company’s ISO 27001 certificate:
- The version of the standard. The current version of ISO 27001 is ISO 27001:2013; any older versions are no longer valid. As and when a new version is issued there is a transition period during which organisations adopt the new version, and only then could there be a different version number (there is no transition currently in place for ISO 27001:2013).
- The expiration date.
- That the certificate is for the company you are dealing with. In group companies it is often the case that only a particular member company is certified – the certification won’t cover other members of the group unless this is stated on the certificate.
- The physical sites covered by the certificate. This is only really helpful if you know where your services are being delivered from.
- The scope of the certification. Does the scope of the certification cover what the organisation is supplying to you? Just because an organisation states it is certified to ISO 27001 doesn’t always mean that the certification is relevant to you.
- The accreditation body of the certification body that issued the certificate. In the UK this is likely to be UKAS, but because of the global mutual recognition scheme it could be a non-UK accreditation body. The important thing to check is that the accreditation body subscribes to the IAF.
- You can request a copy of the Statement of Applicability. Check it to confirm that they haven’t excluded any controls that may be necessary to secure the services they provide.
What is the difference between ISO 27001 and ISO 27002?
ISO 27001 specifies the requirements for an information security management system. That includes the requirement to consider 114 industry standard security controls, which are specified in Annex A of ISO 27001.
ISO 27002 provides implementation guidelines for each of the controls in ISO 27001 Annex A. They are a really helpful amplification of the Annex A control requirements, and provide organisations with industry best practice guidance for security.
This means there’s an important difference in terminology. In Annex A the controls are worded ‘The organisation shall…’, whereas in ISO 27002 the same controls are ‘The organisation should…’. Shall is a mandatory requirement, whereas should is for guidance.
Organisations can be certified to ISO 27001, but not to ISO 27002.
How do you manage personal data using ISO 27701?
That’s a huge subject. Personal data is an information asset, so it should be managed securely as would any other valuable information asset. But GDPR (or any other regional privacy legislation) specifies additional requirements that organisations and individuals must follow. In NQA’s opinion, the best framework for managing personal data is provided by ISO 27701. It provides control requirements and guidance for all the GDPR clauses organisations must comply with. And it’s not GDPR specific (although there is a GDPR mapping table in an annex); it can be applied to most other privacy legislation.
What is a Privacy Information Management System (PIMS)?
A PIMS is a continual improvement framework for managing personal data and supporting compliance with relevant privacy legislation. PIMS are typically bolted on to Information Security Management Systems, and indeed, to implement an ISO 27701 PIMS an organisation must also have an ISO 27001 ISMS. This means that the clauses in ISO 27001 provide the foundation for all the privacy related activities.
Why was ISO 27701 developed?
ISO 27001 specifies an ISMS, which is a management framework through which you identify, analyse and address your information security risks. The important thing to note is that it ensures that the security arrangements are fine-tuned to your business – it doesn’t drive the business, it enables the business – to keep pace with changes to security threats, to vulnerabilities and to business impacts.
Regardless of the maturity of an existing ISMS, there’s no guarantee that data protection needs are adequately considered, especially since the introduction of legislation with privacy requirements – GDPR is a case in point. An existing ISO 27001 certificate demonstrates that information security is in place within an organisation – but data protection requires that organisations go a step further. ISO 27701 enables that next step.
Article 42 of GDPR provides for certification schemes which will be used to fully demonstrate compliance. The European Data Protection Board’s requirements for schemes have criteria for Articles 5 and 6, 12 to 42 and 44 to 48, with particular focus on technical and organisational measures for protecting rights and securing data. Yet there are no such schemes as yet, and they are likely to be a long time in development.
ISO 27701 can assist in demonstrating compliance to all of those articles.