
What is ISO 27001 and How Does it Relate to LastPass?

LastPass, October 02, 2024

Nobody is born knowing how to keep information systems secure.  

Organizations also can’t afford to make up best practices on their own. They need to lean upon those who have invested time and effort in developing the right expertise, which usually includes standards bodies.  

That’s what makes complying with ISO 27001 so critical if you want to keep sensitive information safe.   

What Is ISO 27001? 

Standards aren’t always well understood outside of those specifically charged with compliance activities, but they spell out a lot of activities that support enterprise-grade data protection. This post will aim to educate you without making it too technical.   

Definition and purpose of ISO 27001

As the acronym implies, ISO 27001 was developed and is maintained by the International Organization for Standardization (ISO) and is part of a broader family of information security standards known as ISO 27000.   

Organizations use ISO 27001 to not only establish an IT security system but to ensure it’s properly implemented, has an appropriate level of monitoring and is maintained in such a way that it continuously improves.  

Requirements and scope of ISO 27001

Getting started with ISO 27001 involves figuring out the answer to a pretty basic question: What information are you responsible for keeping safe?   

This means putting your organization and its role in protecting information within the proper context: where the information physically resides, which interested parties need to be factored in, and external issues such as market trends, economic or political headwinds and, of course, any laws to which you have to adhere.

That last point may be a good example of “interested parties.” If your organization does business in the European Union (EU), for instance, your scope will include the personal data that is subject to the General Data Protection Regulation, or GDPR.  

How LastPass meets ISO 27001 compliance

LastPass is continuously monitoring security standards and ensuring it adheres to any industry best practices. This includes not only ISO 27001 but other standards such as SOC 2 and SOC 3.   

LastPass achieved ISO 27001 certification through a rigorous process based on providing detailed documentation about the company and its processes. The certification also involved outlining management responsibilities, internal audits and preventative actions LastPass takes to ward off cybersecurity threats.  

More details on the certification can be found in the LastPass Compliance Center, which provides customers with the ability to view the ISO 27001 certificate.  

Benefits of implementing ISO 27001

Complying with standards is sometimes discussed as though it were a necessary evil, but ISO 27001 provides immense value to any organization that cares about its data and its stakeholders.   

By conducting a risk assessment as part of the certification process, for example, organizations can identify vulnerabilities in systems or processes and address them before an incident happens.  

Compliance can also help galvanize new or better procedures around how to manage data, how to act when incidents arise, and improve overall preparedness in the event of an emergency. 

In some fields, achieving ISO 27001 could make an organization more attractive to potential employees who want to work where standards are taken seriously.

Most importantly, becoming ISO 27001 compliant is a good way to reduce the likelihood of falling victim to data breaches or other kinds of attacks.  

Why Is ISO 27001 Important?

Adhering to ISO 27001 demonstrates to everyone – auditors, customers and other stakeholders – that your organization understands the critical importance of IT security protection. It’s also a global standard, which means compliance puts you in a better position to operate and provide a secure experience no matter how your organization chooses to expand.   

For some customers, particularly those in regulated industries such as financial services, ISO 27001 compliance could be a requirement for bidding on contracts or providing services. It could also be a way to set your organization apart from competitors in the same industry that haven’t achieved certification.

The significance of information security

Protecting the data that gets collected, stored, managed and shared through IT platforms and applications has always been a key organizational responsibility. However, the significance of information security is arguably becoming even bigger as more organizations and even consumers shift towards using digital tools and processes on an everyday basis.   

Many of us now use digital channels for shopping, managing our health-care information, accessing government services and much more. Digital infrastructure also supports the way businesses connect and manage global supply chains. 

Cybercriminals, meanwhile, are becoming ever more sophisticated in how they take advantage of the tools at their disposal, including artificial intelligence (AI), to steal data. The malware attacks that happen today, for example, can be conducted with more stealth and do far more damage than even a few years ago.

The role of ISO 27001 in protecting sensitive data

Based on the ever-evolving nature of cyber threats, ISO 27001 makes it clear that organizations should take appropriate measures. These include stipulating who is authorized to access various information systems, and what kind of access they should have.   

The standard also provides considerations around the use of encryption, advising organizations to think through how cryptography can support the confidentiality, integrity and authenticity of sensitive information.  

Compliance with regulatory requirements 

Aligning with regulations such as GDPR and other data protection laws is a great way to build upon the framework ISO 27001 provides. It’s a way of combining best practices in information protection with the latest legal developments that can affect your organization, customers and other stakeholders.   

Requirements for ISO 27001 Certification  

Beyond establishing the scope that we went through earlier in this post, ISO 27001 certification requires organizations to assemble an internal team. This is to prove you’re devoting an adequate level of resources to protecting information systems and improving your approach on a continuous basis.  

There will also be a gap analysis, followed by a series of tests and reviews by auditors before certification under the standard is formally awarded.

Process for obtaining ISO 27001 certification

After informing employees and other relevant stakeholders that you’re going to pursue certification, you’ll take an inventory of your existing data and IT assets. Then you’ll develop an information security policy (or update any existing one) to formalize areas such as your organization’s purpose and commitment to security.   

From there, you’ll define your team’s roles and responsibilities in terms of information management, conduct a risk analysis, set your security objectives and begin documenting your processes.  

The certification looks at more than 90 different controls. These are divided into operational controls, physical controls, controls that apply to people, and technology controls. You’ll also conduct a management review before submitting to an external audit.

Benefits of being ISO 27001 certified

In addition to some of the benefits outlined earlier in this post, ISO 27001 certification means your organization is less likely to face frequent audits by regulators, customers or others. It also encourages the kind of documentation that clarifies areas such as how employees should be trained to protect the information systems they use and the data they’re allowed to access.

Maintaining compliance and continuous improvement

Getting certified under the standard is far from a once-and-done activity. In fact, continuous improvement is a key requirement: organizations must spell out not only how they’ll identify opportunities to improve, but also who will be responsible and how the end results will be measured.

Implementing ISO 27001

If you’ve already established your scope and are ready to put the standard into action, here is some advice on how the process should unfold.   

Step-by-step guide to implementing ISO 27001  

  1. The team you’ve assembled should design the implementation plan with an eye to minimizing business disruption but also ensuring all policies under the standard are properly covered. Map out timelines, costs and other details. 
  2. Conduct a risk assessment. Do your research to look at all the relevant forms of cyberattack your organization can face, how your current processes mitigate the risks and any gaps that need to be addressed. 
  3. Develop your information security policy to close the gaps identified during your risk assessment. Get the policy signed off by senior leadership and/or the board of directors. 
  4. Put a risk treatment plan in place that speaks to any and all of the information security controls that are relevant to your organization and complete what the ISO calls a Statement of Applicability to explain and justify the decisions you’ve made.
  5. Conduct an internal audit. Depending on the result, you may need to make specific improvements and repeat this step until the auditor is satisfied. 
  6. Connect with an accredited certification board and submit to any required external audit. 

Identifying and assessing information security risks

If your organization has already experienced some form of cyberattack, you’ll already know some of the risks you face. Most organizations have been targeted by phishing schemes, for example, and this could be a good starting point to look at what kind of controls should be put in place to prevent a bad outcome.  

You can also assess risks by looking at relevant market research, getting insights from trusted third parties like vendors or consultants, or learning from industry associations.  

Developing an information security management system (ISMS)

A solid ISMS has clear objectives and maps out all the relevant information sources. You should be able to clarify how information is collected, stored, managed and shared.   

There should also be measures in place to disseminate details and communicate how the system should work to employees and other third parties.  

Finally, make sure you determine the right cadence for reviewing and testing your ISMS to prevent any part of it from becoming out of date or irrelevant.  

ISO 27001 vs. Other Information Security Standards

Standards can become a confusing area, even to those who are responsible for implementing them. This section covers some answers to common questions.   

Differences between ISO 27001 and ISO 27002

Despite what you might assume at first glance, ISO 27001 and ISO 27002 are not distinct or competing standards. In fact, one builds off the other.  

While ISO 27001 covers information security management, ISO 27002 is intended to supplement it with a greater focus on the many controls an organization could implement. The most important thing to know (and it might come as a relief) is that only ISO standards that end with a “1” require certification, so you don’t have to undergo another set of audits and tests to comply with ISO 27002.

Comparisons with other industry security standards

ISO 27001’s focus on information security means it is broader than those that focus solely on cybersecurity, such as the Cyber Essentials standard. It is also broader than those that are primarily used by a single industry, such as TISAX in the automotive sector. Some organizations also comply with SOC 2, but that one is based primarily on auditing procedures as developed by the accounting sector.   

ISO 27001 is highly regarded in part because of its emphasis on risk management and continuous improvement, as well as the fact it requires third-party validation in order to achieve certification.  

Choosing the right standard for your organization

ISO 27001 may not be right for every organization, and the same is true of other standards. A lot will depend on the scope of the information you’re trying to secure, the resources you have in place to do so and the nature of risks you face.   

How LastPass Benefits Users and Keeps You ISO 27001 Compliant

LastPass committed to ISO 27001 certification because it’s one more way to ensure that customers using its password manager and other features can feel confident their data is being protected with a sound approach to risk management and industry best practices.

Enforcement of testing efforts  

To reach ISO 27001 certification, LastPass updated policies that cover enforcing and documenting testing efforts during the change management flow and forming its own disaster recovery strategy.  

Keeping information management secure

Many LastPass features were designed with ISO 27001-level security in mind. This includes the ability to put sensitive information in an encrypted vault.   

Internal audits

LastPass believes in internal audits that provide a comprehensive look at core processes, technologies and other controls that can keep customer information safe.  

Preventative actions

One example of how LastPass is working to stay ahead of information security issues is a policy to conduct annual failover testing, which can expose any vulnerabilities that may need to be addressed.

Continuous improvements

LastPass documents its efforts at continuous improvements under ISO 27001 through the Compliance Center and is always ready to discuss its approach to privacy and data handling practices with regulators and customers alike.  

Choose the first password manager to earn ISO 27001 certification: Start your LastPass trial today.