ISO 27001 Part 3: Passing a Formal Audit to Get Certified
In Parts one and two of this series, we presented the basics of building an ISO 27001 compliance program. In this final chapter, we will walk through the last stage in the compliance process: obtaining ISO 27001 certification.
Now that you have implemented and optimized your ISMS, a formal ISO 27001 audit is the final hurdle. Passing a formal audit, in the language of ISO, means your company is certified.
In this blog, we will cover the audit process and some important considerations surrounding the ISO compliance process.
Selecting an Auditor
With standards like PCI or SOC2, you must hire a firm that is certified to perform those audits. The PCI Standards Council, for example, certifies Qualified Security Assessor Companies (Anitian is one). Likewise, only a Certified Public Accountant (CPA) can perform a formal SOC2 audit.
ISO works differently. Any reputable third-party audit firm with experience in ISO compliance can certify your company. One of the more common misconceptions about an ISO 27001 audit is that you must hire an accredited ISO certification body. You do not. The ISO 27006 document outlines an audit process. As long as your security assessor follows those guidelines, you can be formally certified.
While ISO does offer an accreditation program for audit firms, the requirements are onerous (to put it mildly). Not only must accredited firms follow rigid audit rules, but ISO requires the audit firm to share revenue with them. This significantly increases the costs of an audit. This partially explains why there are so few accredited ISO audit firms. There is, quite frankly, no compelling reason to hire one.
When selecting an auditor, it is more important to locate a partner that understands your business and culture. The more the auditor “gets you,” the better equipped they will be to interpret how you do things and fairly assess your diligence. At Anitian, we spend a lot of our ISO audit time getting to know the people and their approach to IT and risk governance. An ISO 27001 audit is an assessment of your due diligence, not of conformity to a rigid standard. As such, your relationship with the audit firm is crucial to success. We will talk more about this later.
Of course, beware of the dreaded “checkbox auditors.” These discount, high-volume shops will run through the motions of an audit, without providing any real insight, feedback, or understanding.
Preparing for an ISO Audit
Another way in which ISO diverges from other standards is what is actually being audited. A PCI assessment, for example, looks at whether you implemented the required controls in the manner that the PCI-DSS dictates (PCI-DSS is a prescriptive standard).
As mentioned in the last section, an ISO 27001 audit is an evaluation of your diligence at implementing, managing, and improving your ISMS. Many people overemphasize the control implementation, but that is the point of your internal audit function. You must perform your own audit of those controls and evaluate them against criteria you set. An ISO auditor will look at how well you audit your own program, as required by ISO 27001.
As such, be prepared to show your internal records (reports, audits, etc.) on the ISMS. This means showing risk assessments, their results, and how you responded to them. Be prepared to show policies, and how you evaluate your alignment to them. For example, if you have a password policy, how is it enforced? And how do you audit that policy to ensure that it continues to be enforced?
A little bit of organization can go a long way with an ISO audit. If your audit materials are disjointed, inconsistent, or incomplete, then any decent ISO assessor will fail you. If you use third-party firms for some aspects of the internal audit, make sure you incorporate their data into your documents.
Lastly, remember that your ISO 27001 audit is focused on your diligence. It is not focused on your specific decisions about what NGFW vendor you selected or how long passwords must be. You have a tremendous amount of freedom to define an ISMS that aligns with your business.
A few parting suggestions to make your ISO compliance initiative a more rewarding experience:
- Make the most of ISO: Use the ISO compliance effort as a springboard to improve your overall security posture. Push security improvements out to the entire environment, not merely the in-scope areas.
- Automate: Auditing controls manually consumes valuable time. Automating your audit checks not only reduces the time needed to conduct an internal audit, but also forces formality and structure on your audit process. There are many automation tools that can scan systems, environments, or configurations against established policies. This is especially true of anything deployed in the cloud.
- Get the Most out of Third Parties: Use penetration tests, social engineering tests, and other third-party assessments as part of your internal audit process. For example, a quarterly penetration test could be part of your internal audit process, with the results feeding into your continuous improvement practices.
- Write Policies People Respect: Policies are an integral part of ISO compliance. However, if people do not understand or read your policies, then your ISMS is not really working as intended. Write shorter, direct, and authentic policies. Address readers directly. Drop the stiff, informal, and defensive language. See more tips on writing security policies from Anitian.
As international laws and standards evolve, standards like ISO 27001 will continue to gain traction. If your company does business globally (SaaS providers in particular), you can expect your customers and business partners to demand adherence to standards like ISO 27001.
However, remember that ISO 27001 gives you a great deal of freedom. Unlike some other standards, you get to build your own set of controls based on sound practices of risk management.
Even if ISO compliance is not a requirement for your business, ISO is a reliable way to build an effective security program.