Guest contributor Naya Moss is an international IT pro and infosec leader. Here, she breaks down at a high level the key steps to prepare for a process that can be intimidating to many: ISO 27001 certification for your business. Don’t miss her free webinar on creating a human-centric security culture!
If your potential SaaS customers ask your sales team about your ISO 27001 compliance, you will likely consider acquiring this certification as part of your roadmap. You are probably seeking to gain international customers’ trust, assure them your security operations follow best practices, and that your software is enterprise-grade.
What is ISO 27001?
ISO 27001 is a non-governmental information security management system standard by the International Organization for Standardization (ISO) and International Electrotechnical Commission (ISO/IEC 27001:2013). Together the ISO and the IEC form a joint technical committee.
Want more related terms defined? See the glossary at the end of this article.
Before discussing ISO 27001, collaborate with executives from sales, legal, and marketing. Discuss with stakeholders whether ISO 27001 is right for your organization at this time. ISO/IEC 27001:2013 is an internationally recognized standard against which you can achieve certification. However, if your primary customer base is in the U.S., as of 2021, SOC 2 certifications are in high demand. Speak with your head of sales and conduct a competitor analysis to determine which certificate is best for business and customer needs.
If you already have SOC 2 Type 1 or 2, you are a step ahead, as you already have existing controls in place. In this case, start your ISO 27001 journey by identifying and mapping existing controls. The American Institute of CPAs (AICPA) has already done the work for you in the 2017 Trust Services Criteria (TSC) Mappings to Various Frameworks section of its website.
Benefits of ISO 27001 certification
Companies in the SaaS industry typically seek ISO 27001 due to demand by potential customers, primarily in the enterprise and government sectors.
Cybercrime is on the rise, and so are supply chain attacks. Attaining ISO 27001 shows potential customers that your business is serious about security and that your organization has committed the necessary steps, time, processes, and resources to the security of your operations and application.
Holding an ISO 27001 certification has both business and technical benefits such as:
- Increase in and acceleration of sales
- Achieve competitive advantage
- Acquire enterprise and government deals with stricter standards
- Develop trust with customers
- Adhere to common requirements and expectations
- Take a systematic approach to protecting people, processes, and technology and to providing confidentiality, integrity, and availability
- Reduce common cyber threats and risks
- Increase cyberattack resilience
- Protect customer and employee data
- Implement security best practices
- Set a baseline for similar compliance frameworks, regulations, and standards such as GDPR and CCPA compliance
In your compliance journey, it’s very important to remember that compliance does not equal security. You need to implement best practices, follow your information security management system (ISMS), and regularly measure effectiveness. Being ISO 27001 certified does not mean you are completely shielded from cyber-attacks. Be honest with yourself, internal employees, stakeholders, investors, and customers about your security.
There is often confusion about the distinction between internal (corporate) infrastructure and, for SaaS companies, the application infrastructure. We are now in a world where most companies that have had completely on-premises environments are transitioning to cloud-based infrastructure.
When reviewing ISO 27001 controls, many may be unsure how controls are implemented for hybrid or fully remote environments.
ISO 27001 assumes you have an on-premises infrastructure for both your internal IT operations and SaaS application.
Preparing for the audit
Buy and review the ISO 27001 and ISO 27002 standards. Learn about the 114 controls and how to implement them.
C-suite & management support
The team leading the ISO 27001 implementation and certification audit needs to be well versed in what ISO 27001 is before gaining C-suite and management support. These stakeholders must understand what is required of them in their departments.
Creating a roadmap
Set a roadmap for a gap assessment, internal audit, implementation timeline, and external audit.
Planning & implementation team
Many startups and small organizations split the responsibilities of IT and security across multiple individuals, many of whom may not have a background in or thorough knowledge of IT, security, and compliance.
Principal leads (governing body)
- An experienced IT lead
- An experienced security lead
- An experienced senior cloud infrastructure engineer (assuming you are a SaaS business with cloud-based or hybrid infrastructure) or senior engineering manager
Stages of ISO 27001
- Stage 1 – Review of your ISMS documentation
- Stage 2 – Certification audit, where your accredited auditor reviews and tests the design and implementation of your ISMS
- Stage 3 – Surveillance audit (every 12 months)
Checklist: 10 Core Implementation Steps for ISO 27001
- Designate your team
  - Information Security Officer (ISO), who may also be the project leader
  - Data Protection Officer (DPO)
  - At least one team member each from IT, security, and engineering
- Develop an implementation plan, following the Plan-Do-Check-Act (PDCA) cycle framework
- Determine information security management system (ISMS) scope and objectives
- Create policies and procedures
- Perform a gap analysis and a risk assessment
- Conduct an internal audit with the Information Security Officer (ISO)
- Address gaps and risk
- Formalize the Statement of Applicability (SoA)
- Add, update, and organize mandatory ISO 27001 documents and supporting evidence where applicable
- Request an external audit with a licensed accredited certification body
For small teams, it might be straightforward to hire a contractor to help the business move forward with becoming ISO certified. However, the most knowledgeable person must inform and train core team members within the Sales, Marketing, Legal, IT, Security, and Engineering departments.
How departments contribute to ISO 27001 & the customer acquisition journey:
The marketing team is often the folks who will work on copy for the website and usually work hand-in-hand with sales on marketing materials.
The sales team is typically the next point of contact after potential customers have read more about your business on your website or perhaps viewed marketing videos and material. It’s imperative to ensure that the sales team is as well informed about ISO 27001 as the security and engineering teams. It is quite common during customer discovery calls or product demos for a salesperson or sales engineer to be asked questions about your ISO 27001 status and possibly technical questions pertaining to it.
The sales team is also the north star: it helps the business understand what customers care about and are looking for in companies that are ISO 27001 certified.
Of course, the security department is one of the main drivers. Implementing the ISO 27001 ISMS means working with all teams across the entire business, and with the auditors, to determine your conformities and certification.
As the keepers of your company’s internal infrastructure, IT are the folks who will implement the control set within your ISMS and work very closely with the security department on project planning, implementation, auditing, and measuring effectiveness.
Very similar to IT, the folks in engineering play a crucial part in obtaining your ISO 27001 certification. While potential customers care about how you run your internal infrastructure operations, they also care about your application infrastructure operations. Secure engineering is important to your customers. It is the responsibility of your engineers to follow secure engineering principles. Potential customers want to know that your application secures their data and assets using cryptographic best practices.
Engineers will also play a part in helping to educate the sales and marketing departments, as some application security questions may arise during the introduction and demo calls.
After controls are implemented and an internal audit has determined that ISO 27001 requirements are met, it’s time to request an external audit with an accredited certification body.
Common mistakes & misconceptions
- Not hiring internal IT/internal security early, as well as not having an IT baseline
- Not running internal audits more frequently
- Not automating where possible to reduce human error
- Treating compliance as a phase to be replaced with security or using compliance instead of security
- Entirely relying on third-party auditors, external employees, or an automated compliance software and not ensuring core business teams are adequately educated
- Having templated documentation and not implementing or partially implementing ISO 27001 controls
Determine whether your company’s core leads (discussed above) want to proceed in-house or use a compliance platform. Consider hiring a governance, risk, and compliance (GRC) lead. The GRC lead will help in assuring continued compliance and progress. They can serve as a point of contact for managing your compliance program, vendor risk assessments, and Standardized Information Gathering (SIG) questionnaires required by customers (after you have already achieved certification).
Suiting up for ISO 27001 can be a long and manual process. Consider investing in compliance automation software; many such platforms can help your company achieve certification in as little as 6 months to 1 year.
Suiting up for ISO 27001 is a great step towards best security practices, generating more sales, and laying the groundwork for other certifications and regulations such as ISO 27018, GDPR, CCPA, SOC 2, and more!
Glossary of Must-Know Terminology
Audit – The process of reviewing a system for compliance against a standard or baseline. Examples include audits of security controls, configuration baselines, and financial records. It can be formal and independent or informal using internal staff.
Guideline – Best practices and expectations of behaviors and tasks.
ISO – International Organization for Standardization.
IEC – International Electrotechnical Commission.
ISO/IEC 27001:2013 – Provides controls to ensure an effective information security management system.
ISO/IEC 27002:2013 – Provides techniques, guidance, and best practices for implementing an effective information security management system.
ISO 27001 controls – Practices implemented to reduce risks to acceptable levels. Controls can be technical, organizational, legal, physical, and human.
ISMS – Information security management system (ISMS) standards provide a set of processes and corresponding security controls to establish a governance, risk, and compliance structure for information security for an organization or an organizational unit.
Policy – Documents dictating and describing the organization’s strategic goals.
Procedure – Explicit, repeatable activities to accomplish a specific task. Procedures can address one-time or infrequent actions or common, regular occurrences.
Risk – Possible event that can have a negative impact on the organization.
Standard – A specific set of mandates stating expectations of performance or conformance. Standards can be defined by one entity and adopted by others or internal commissions exclusive to an organization.