Many organizations do not have the in-house expertise and/or bandwidth to manage an ISO 27001 implementation. Many companies find challenges in adopting the standard while remaining mindful of costs. Our team specializes in Information Technology Compliance Frameworks and Information Security Consulting. Our customized, flexible compliance model, combined with our team of experienced experts, guarantees a successful ISO 27001 implementation, certification, and continuous improvement. Our model is designed to provide practical and relevant guidance that not only meets your audit certification requirements but will enhance your security posture and demonstrate confidence to your customers – without breaking the bank.
Our clients benefit from our Security Compliance-as-a-Service (SCaaS) model, in which we guide them through the entire ISO 27001 lifecycle and provide Virtual CISO services on demand. Elevate has developed core packages that are customized to meet our clients' needs and are flexible enough to adapt to any business environment, from non-profits to start-up technology firms to Fortune 500 companies. Our packages are designed to maximize client value by improving the control environment that mitigates cybersecurity threats, while mapping every improvement measure to the ISO 27001 requirements.
How Elevate Can Help
Our SCaaS modules are designed to provide you with a customized combination of ISO compliance services, at the right level of service, to meet your specific needs and maximize your investment.
ISO 27001 Risk Module
- ISMS Standards Implementation
- ISO 27001 Risk Assessment + Risk Treatment
- ISMS Control Scope Definition
- ISMS Internal Audit + Annex A Controls
- Security Impact and Objectives Analysis
- External Vulnerability Scans
- Internal Vulnerability Scans
- Penetration Testing
- Corrective Action Plan (CAP)
ISO 27001 Incident Module
- Table-Top for Disaster Recovery Plan
- Table-Top for Business Continuity Planning
- Table-Top for Cyber Incident Response Plan
ISO 27001 Training Module
- KnowBe4 Training Licenses and Maintenance
- Phishing Campaigns
ISO 27001 Governance Module
- ISMS Documentation Management Policy Creation and Maintenance
- ISMS Statement of Applicability (SoA)
- ISMS Charter Creation and Committee Structure
- ISMS Manual Creation and Maintenance
ISO 27001 Reporting Module
- Information Security Objectives and Metrics
- ISO 27001 Information Security Assessment Report
- Consolidated List of Findings
Our customized service and modular approach demystify and simplify your ISO 27001 certification process. Working with our team of security and IT compliance control experts not only shortens your certification readiness process but also enhances your security posture and the confidence you present to your customers.
Elevate offers an ISO 27001 readiness assessment that maps your existing controls against the Annex A controls and identifies the gaps, so that you secure your environment while preparing for certification.
What is ISO 27001?
The International Organization for Standardization (ISO) is an independent, non-governmental standards body that develops and publishes international standards covering almost every aspect of technology and manufacturing. ISO, together with the International Electrotechnical Commission (IEC), publishes the international standards on Information Security Management Systems (ISMS) as the ISO/IEC 27000 series. Within that series, the certifiable ISMS requirements standard 'ISO/IEC 27001' and the code of practice for information security controls 'ISO/IEC 27002' are commonly referred to together as "ISO 27001/2". A number of regulating agencies, including the Data Protection Commissioner, have declared ISO 27001/2 to be a benchmark for prudent and competent practice.
It is important to note that ISO/IEC does not issue certificates. Achieving ISO 27001 certification requires engaging an independent, accredited certification body (CB). In 2013, ISO and IEC revised the internationally recognized certifiable ISMS standard as ISO/IEC 27001:2013.
At a glance, the ISO 27001:2013 standard consists of two main components:
- Mandatory requirements: clauses 4 to 10 of the standard (seven clauses: context of the organization, leadership, planning, support, operation, performance evaluation, and improvement), which cover governance, risk assessment and treatment, internal audit, information security awareness, and continual improvement. These clauses cannot be excluded from the scope of an ISMS.
- Annex A controls (ISO 27001:2013): 114 reference controls divided into 14 domains, which are selected or excluded, with justification, in the Statement of Applicability.
Who Gets ISO 27001 Certified?
- Like the other ISO management system standards, ISO 27001 certification is completely voluntary. Some of our clients obtain certification to demonstrate and market their best practices, while others need to provide assurance to specific customers or contracts.
- ISO 27001/2 can be implemented in any kind of organization: for-profit or non-profit, private or state-owned, small or large. It was written by leading experts in the field of information security and provides a methodology for implementing information security management in an organization. Organizations that want to become ISO 27001 certified must engage an independent certification body.
- ISO does not provide certifications. However, ISO's Committee on Conformity Assessment (CASCO) publishes the standards that govern the certification process itself, for example ISO/IEC 17021-1 for management-system certification bodies and ISO/IEC 27006 for ISMS certification specifically, and accredited certification bodies are assessed against them.
How Much Does ISO 27001/2 Cost?
- As with most compliance programs, the cost to achieve the first-year certification depends mostly on your scope. Organizations that have multiple physical locations and hundreds to thousands of employees tend to have highly complex environments with compounding IT security threats.
- The average cost of obtaining ISO 27001/2 certification can range from a few thousand up to a few hundred thousand dollars depending on your scope, service activities, IT platform complexity, security, and compliance maturity as well as other factors.
The following is a shortlist of cost factors to consider when creating a budget for your ISO certification.
- Scope: Depends on the complexity of your Information Security Management System (ISMS), the type of activities performed within it, the diversity of your IT platforms, the number of sites (including disaster recovery sites), and the number of IT personnel (including outsourced functions) that are in scope. Map out your scope carefully and record which Annex A controls apply, and why any are excluded, in your Statement of Applicability. The certification body uses exactly these scope factors (effective number of personnel, number of sites, ISMS complexity) to calculate audit time under ISO/IEC 27006, which is what drives the audit fee.
- Consultative Approach: There is no shortage of options when it comes to hiring ISO 27001 advisory services. If you can get a quote for your ISO services through an internet form or a 10-minute phone call with a software sales representative who sells compliance by the click, you are not talking to the right organization. Any serious security and compliance consulting firm will need to schedule an in-depth call to understand your scope, your unique operating environment, and your compliance goals before quoting readiness services.
- Certification Audit by the Certification Body (CB): It is critical to make sure your certification body is accredited by an accreditation body that is a member of the International Accreditation Forum (IAF). The IAF website lists recognized accreditation bodies by country, and its CertSearch database lets you confirm that a certification body and its certificates are accredited. The bottom line: if your CB's accreditation does not trace back to an IAF member, your certificate may not be recognized by your customers or their auditors.
- Surveillance Visits by the Certification Body (CB): Once you are ISO 27001 certified, the certification body must perform surveillance audits to confirm that your ISMS continues to operate as intended. A surveillance audit samples parts of the ISMS rather than re-auditing everything; it routinely covers internal audits, management review, corrective actions, and how you monitor, measure, report on, and respond to security incidents, and it may examine areas that were covered only lightly during the certification audit. During the visit, the auditor will focus less on documentation and more on key operations. Major nonconformities that are not closed after a surveillance audit can lead to suspension or withdrawal of your certificate, and to problems at recertification. This is just another reason why we advise our clients to think through their ISMS strategy rather than merely meet a compliance requirement.
Each client’s unique environment, scope, and current control environment is individually assessed to determine a more accurate cost estimate. Contact us to receive a quote.
How Many Controls to Get ISO 27001 Certified?
Building a strategy for your Information Security Management System (ISMS), including framework selection, should consider your industry, compliance, and scope requirements. Proper scope determination and framework selection are crucial to obtaining your ISO 27001 certification and to maintaining it through your surveillance visits. For example, if you are a technology service provider that processes insurance claims for federal agencies, you may need to leverage NIST SP 800-53, HITRUST CSF, and ISO 27001 as well as other compliance frameworks (e.g. HIPAA). Your ISMS scope must be broad enough to satisfy multiple stakeholders (internal departments, clients, regulatory bodies, etc.) yet specific enough to meet your ISO 27001 requirements. Also keep in mind that every three years you must pass a full recertification audit, in addition to the surveillance audits your certification body performs in between. With that said, the ISO 27001/2 certification requirements consist of the following:
- Mandatory Requirements: clauses 4 to 10 of the standard (seven clauses covering governance, risk assessment and treatment, internal audit, information security awareness, and continual improvement). None of these clauses can be excluded from the ISMS.
- Annex A Controls: 114 controls divided under 14 domains in ISO/IEC 27001:2013, the latest revision of the standard at the time of writing. The first edition, ISO/IEC 27001:2005, was derived from the British standard BS 7799-2, which introduced the Plan-Do-Check-Act (PDCA) cycle to ISMS management. Annex A is being restructured to align with the revised ISO/IEC 27002, described below.
- In 2018, ISO/IEC 27000:2018 was updated to provide an ISMS overview as well as the terms and definitions used across the series. This document applies to all standards in the ISMS family.
- In 2019, ISO/IEC 27701:2019 extended ISO 27001 and ISO 27002 with requirements for a Privacy Information Management System (PIMS). This framework gives organizations a management system to support compliance with the EU's GDPR, California's CCPA, and other data privacy requirements.
- In February 2022, ISO/IEC 27002:2022 was published. The matching revision of the requirements standard, ISO/IEC 27001:2022, followed in October 2022 and replaces the 2013 Annex A with the new 27002 control set.
Certified organizations have a three-year transition period, ending 31 October 2025, to move their certificates to the 2022 edition; the timing of the transition audit (usually combined with a surveillance or recertification audit) is agreed with the certification body. Organizations without a certification should certify directly to the 2022 standard. Elevate tracks the latest guidance from both the accreditation bodies and the certification bodies to guide our clients through this transition.
At a glance, ISO/IEC 27002:2022 contains 93 controls divided over four themes (clauses 5 to 8):
- Chapter 5: Organizational (37 controls)
- Chapter 6: People (8 controls)
- Chapter 7: Physical (14 controls)
- Chapter 8: Technological (34 controls)
Each control is tagged with five attributes, which can be used to filter the control set into different views (for example, all detective controls, or all controls supporting the "respond" function):
- Control type (preventive, detective, corrective)
- Information security properties (confidentiality, integrity, availability)
- Cybersecurity concepts (identify, protect, detect, respond, recover), aligned with the NIST Cybersecurity Framework functions
- Operational capabilities (governance, asset management, physical security, etc.)
- Security domains (governance and ecosystem, protection, defence, resilience)
Main changes between the 2013 and 2022 versions:
- Decreased the number of information security controls in Annex A from 114 to 93. No 2013 control was dropped outright: 57 controls were merged into 24 to avoid redundancy, and the rest were retained, renamed, or updated.
- Introduced 11 new controls, including threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.
- Restructured the sections into 4 themes (organizational, people, physical, technological) instead of the previous 14 domains.
- Greater emphasis on cyber risks and cloud-era operations.
The biggest challenge our clients face in obtaining ISO 27001 certification is fully understanding the scope of their Information Security Management System (ISMS): many select a narrow scope focused solely on obtaining the initial certificate, which then becomes a problem during surveillance audits and recertification. An ISO 27001 certificate is valid for three years, after which a full recertification audit is required. For example, if your initial certificate is issued in November 2022, it expires in November 2025.
Your certification body issues a certificate that is valid for that three-year period, subject to your ISMS continuing to conform to the standard. To confirm that, the certification body must conduct periodic surveillance audits. Surveillance audits are typically conducted annually; depending on your certification body and your risk profile, they may visit every six months.
The purpose of the surveillance audit is to validate that your ISMS is operating as intended. The auditors check whether your processes work as described in your documentation, and you will have to show how your company is achieving continual improvement of the program. This is why selecting the right framework and controls, and making sure they will perform as intended from both a design and a maintenance perspective, before you begin your certification process is critical to keeping your certification.