Your Questions About ISO 27001 Answered
An ISO 27001 certification can help your business stand out. It lets your customers and potential customers know you care about and will protect their information. It can also help you streamline internal processes.
But the certification raises its own set of questions. Here are answers to the ones asked most often about ISO 27001.
How much of a SOC 2 examination can be leveraged to give an organization a head start on becoming ISO 27001 certified?
There is a tremendous amount of overlap between the control set behind the SOC 2 trust services criteria and the controls in ISO 27001 Annex A; roughly 70 percent of the controls are shared between the two. If your organization has completed a successful SOC 2 examination and has those controls in place, the majority of them carry over into the ISO information security management system (ISMS) and give the organization a substantial head start on preparing for the ISO 27001 initial certification review. However, SOC 2 contributes very little toward the management system requirements themselves (the Clause 4 through 10 requirements for context, leadership, planning, support, operation, performance evaluation, and improvement); those still have to be built and evidenced separately.
How can the 27001 certification compare to the SOC 2 examination?
Despite the commonality within the control sets, these two compliance efforts are very different. The SOC 2 examination is intended to show that an organization has the right controls in place to meet a generally accepted set of criteria, in the case of a Type 1 SOC 2 examination, and that those controls are operating effectively, in the case of a Type 2 SOC 2 examination. The SOC 2 examination produces a robust report deliverable that includes a full narrative of the people, infrastructure, applications, processes, and data supporting the in-scope services. The third-party examination, performed by a CPA firm, attests to the organization's control set as of a point in time or over a review period. It is a historical report that is typically re-performed annually.
ISO 27001 certification, however, is intended to show that an organization meets the requirements of an information security management system, specifically those in ISO 27001. Though a report is issued, it is intended for internal use only. The certificate, though, is evidence that a third-party certification body has validated that the organization has the people, processes, programs, and controls in place to identify, address, and remediate its information security risk within the defined scope, and that the necessary controls are monitored to ensure they operate effectively and continue to contain the organization's information security risk.
Having both the ISO 27001 certification and the SOC 2 examination is a great compliance duo.
What are competing ISO standards and how does ISO 27001 compare?
ISO designs each of its management system standards around the same common clauses (scope, planning, resources, leadership, measurement and monitoring, and continual improvement), because it understands that an organization may have multiple management systems in place and may need multiple ISO certifications.
If you have multiple management systems, they are built on a common set of requirements. That means you can perform one internal audit covering both and have the external audits performed at the same time, which lessens the audit footprint and audit fatigue.
If I have a finding in my SOC 2 report, does that mean I will fail the ISO certification?
No. With ISO 27001, the effort is not pass or fail. It is about an active management system. Some areas of your system may be weaker than others, but those areas may simply need support or attention to meet the requirements; the key is risk mitigation and corrective action. For example, if you have an exception in a SOC 2 report and there is a corrective action plan around the issue, including identification of the root cause, containment of the issue, immediate correction, and a going-forward plan to ensure the issue stays addressed, that demonstrates a healthy management system and would not by itself result in a failure of the ISO 27001 certification review.
Are there any open standards for ISMS someone can follow before switching to ISO 27001?
No. The 27001 standard is unique in what an organization has to have in place in order to meet it. An organization can adopt elements of ISO 27001 without going through the certification process, and doing so only results in a stronger information security risk management posture and prepares the organization for an ISO 27001 certification review as part of its future plan.
From an external perspective, how can I rely on the 27001 certification when an organization can specify its own scope?
When an organization scopes its information security management system, it is critical to keep the end result (and the customer) in mind. Part of the scoping requirements in ISO 27001 includes identifying the interested parties, which could include customers, and the requirements of those interested parties. A certification body is required to assess that scope and its conformance to Clause 4 of the ISO 27001 standard as fit for purpose. However, an organization does have the ability to scope its management system as it sees fit, so as an external party you should read the scope statement printed on the certificate and confirm that the services, locations, and systems you rely on actually fall within it.
About Ryan Mackie
Ryan Mackie is a Principal at Schellman and has been with the firm since 2005. Ryan supports the regional Florida market and manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery. He also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000-1, and ISO 22301, as well as CSA STAR certification services. He has over 25 years of experience. Ryan is also an active member of the CSA and co-chairs the Open Control Framework committee, which is responsible for the CSA STAR Program methodology and execution.