At CyberPilot, we are seeing a growing requirement for organisations to be certified for information security or to obtain a security audit against ISO 27001 or ISO 27002.
In this blog, we will provide an overview of the various ways of getting certified for information security. You will also learn the difference between certifications and security audits. The goal is that you will be able to decide whether you should work towards certification. If you find that it is relevant to you, then you can read further and get an overview of the steps towards an information security certification.
First, we will define the different types of certifications and security audits that concern information security. In the sections after, we will discuss the pros and cons of each, weigh out the potential costs, and finally, give a recommendation for how your organisation could proceed.
Getting certified or audited is a good way to show clients and partners that your organisation is committed to good practices when it comes to information security, and to show that you are in control of things.
It can also improve your organisation’s reputation and can be used to help with marketing efforts (depending on your industry and context). For example, if you are a company that regularly processes confidential data, then a certification will undoubtedly put your potential customers at ease.
However, we understand that there are many aspects to consider, in order to make the right decision. In the following sections, we will try to further narrow it down for you.
The International Organization for Standardization (ISO) is an international standard-setting organisation. It is the world’s largest and most widely recognised developer of voluntary international standards. When it comes to information security management, we are concerned with standards in the ISO 27000 family.
The ISO 27000 family (also known as the ISO 27000 series) consists of information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which is why you will often see the two abbreviations used together. In other words, ISO 27000 and ISO/IEC 27000 are the same standard. Moving forward, we will mostly use the ISO abbreviation, and this also applies to ISO/IEC 27001 and ISO/IEC 27002.
The series consists of more than a dozen standards. ISO 27000 provides an overview and the vocabulary used across the standards. When it comes to certification, most organisations are concerned with an ISO 27001 certification, with the possibility of extending it to ISO 27002.
ISO 27001 is the most widely known standard when it comes to providing requirements for an information security management system (ISMS) – it is normally what companies mean when they talk about getting an ISO certification in information security. It covers all policies and processes relevant to how data is controlled and used. However, it does not define specific tools, solutions, or methods. Instead, it functions as a compliance checklist. The main objective is that the work is an ongoing process and not a one-off. Therefore, the focus is on the continuous process and continuous improvement.
ISO 27001 uses a risk-based approach, which is why it does not require an organisation to live up to a fixed set of predetermined requirements. It does, however, require the implementation of appropriate technical and organisational measures. It is therefore up to the individual organisation to assess what these appropriate measures are – the key here is the ‘risk assessment’.
ISO/IEC 27001 has ten short clauses and Annex A, which we will list below.
The clauses of ISO/IEC 27001:
Additionally, ISO 27001 consists of Annex A, which defines 18 individual areas of information security that organisations should work with, including:
In short, Annex A is a ‘best practice’ guide with controls against which you can compare the measures your organisation has implemented. If implementations are missing, you are expected either to implement them or to document the reasons why they are not applicable to your organisation.
An information security management system (ISMS) provides organisations with a systematic approach for managing their information security. It is a centrally managed framework that enables you to manage your organisation’s information through risk management. An ISMS contains all policies and processes relevant to how data is controlled and used.
The overall objective of the ISMS is to define and control the risk levels relevant for the organisation. There are three main areas to consider:
According to ISO 27001, the implementation of an ISMS follows a Plan-Do-Check-Act (PDCA) cycle for continuous improvement.
The basic methodology in ISO 27001 is a risk-based approach. Thus, there are no specific requirements for an organisation to live up to requirements X, Y, Z, etc. On the other hand, there are requirements for the implementation of appropriate technical and organisational measures. It is thus up to the individual organisation to assess what these appropriate measures are. The key here is the ‘risk assessment’ or ‘risk analysis’.
ISO 27002 is not a certifiable standard but a code of practice that offers suggestions rather than requirements for effective ISMS management. It is less comprehensive than ISO 27001 and does not include the Plan-Do-Check-Act cycle. Normally, it is implemented by organisations that are already in the process of getting ISO 27001 certified.
ISO 27002 guides organisations in selecting, implementing, and managing controls in their information security risk environment. It is designed to be used by organisations that intend to:
The International Standard on Assurance Engagements 3402 (ISAE3402) is an international assurance standard that prescribes Service Organization Control (SOC) reports. These reports give assurance to organisations’ customers and partners that they have adequate internal controls when it comes to information security. ISAE 3402 defines two types of reports: Type 1 and Type 2.
A Type 1 report includes a review of the documentation, but without verification of the implementation itself. In other words, a Type 1 statement is a snapshot as of a given date.
The cost of obtaining a Type 1 report consists of two parts:
The cost will vary depending on the auditor and scope of the report.
A Type 2 report includes a review of the documentation and verification of the implementation. Typically, this verification takes the form of samples and a review of the documentation and the systems. A Type 2 report typically covers a period of 6 or 12 months and aims to show how the controls have been operated over time. Therefore, it is more comprehensive than a Type 1 report.
The cost of obtaining a Type 2 report consists of three parts:
The cost will vary depending on the auditor and scope of the report.
Normally, organisations’ external partners will require a report but will not specify whether it should be a Type 1 or Type 2 report. It is also quite common for organisations to first prepare for a Type 1 report and then extend it to a Type 2 report.
Our experience shows that by working towards a Type 1 report and then ‘upgrading’ it to Type 2, you get to mature the organisation’s documentation and processes before reaching a Type 2 report. On the other hand, if you go directly for a Type 2 report, you risk remarks in the report if the documentation and controls do not meet the auditor’s requirements. With a Type 1 report, you can put the processes ‘on hold’, adapt the documentation and processes, and then get audited again.
Another advantage of obtaining a Type 1 report first is that you can get it in a relatively short amount of time, since it does not look at the documentation and processes over time. This aspect significantly affects the cost of obtaining a report, and we recommend getting a comprehensive price estimate from the auditor.
For the reasons above, CyberPilot recommends that in most cases, you should work to get a Type 1 report first, then extend it to a Type 2 if necessary. The benefits include:
We understand that you may still want to get a further overview of what it takes to get a full ISO certification and see how it compares to getting an ISAE 3402 report. In the next section, we will dive deeper into the reasons why your organisation may want to pursue getting certified or audited and provide roadmaps to both options.
First, we must determine if it is a priority for your organisation to be certified or get a security audit at all.
The reason(s) you may want to get certified could be because:
Since preparing to be certified or audited takes a significant amount of time and resources, it is important that you have identified the need before you begin.
However, we have seen that the process towards a certification or audit is very valuable for most organisations, because it forces them to thoroughly evaluate all aspects of their information security. You become aware of issues that you would not normally address, because there was previously no need to get certified or audited. Undoubtedly, this will create value for your organisation in the long run.
Next, we discuss whether you should go for a full ISO certification or if you can ‘settle’ with the simpler (and less costly) audit report.
A full ISO certification requires a fully implemented ISMS that is documented and observed daily. The result is that great demands are placed on the implementation, the operation, and the initial and ongoing certification process.
An ISAE 3402 report is given if the organisation has complied with a specific standard. That means it is still required to show documentation and evidence of daily operations, but to a significantly lesser extent than with a full ISO certification. Much of the process of getting an ISAE 3402 report is also part of the certification process.
Thus, there are still requirements for both documentation and daily operation, but to a significantly lesser extent than with a full ISO certification. This is also seen in the assessment process itself, which for an audit consists of samples and interviews.
The cost for a full ISO certification and security audit will naturally vary from organisation to organisation, depending on several parameters, such as the scope, maturity of the organisation regarding information security, internal resources, and competencies. As a starting point, it is expected that a full ISO certification will cost 4-5 times more than an audit statement (inclusive of all stages).
In general, we have seen that the full ISO certifications are very limited in use in the EU and the security audits are much more common. This can be seen as a statement that the market often deems the audits as sufficient.
Often, it is mostly the very large corporations that aim for the full ISO certification.
When deciding on whether to obtain a full certification or security audit, one should also consider the tasks both processes entail.
It can be difficult to explain exactly which tasks are associated with implementing and maintaining the certification/report, as they will differ between organisations. However, we will start by illustrating this for the path we recommend for most organisations:
ISAE 3402 Assurance Report – Type 1 in relation to ISO 27002
The later sections in this blog post will further outline what is required, to further go from getting audited to a full certification.
The following documentation must be available for review before the report can be prepared by the auditor.
Overall information security policy (statement from management), which contains objectives and responsibilities.
Documentation of risk assessment – documentation that this process has been completed and approved by management.
The information security handbook, which describes the overall process and measures at a high level. The handbook follows the chapters of the ISO 27002 standard and documents the measures that have been implemented to handle information security. It is a document for use in the IT department and for auditing, not for general staff.
Policies, guidelines, and procedures relating to information security. E.g., a contingency plan and guidelines for employees.
As ISO 27002 is a risk-based approach, it will also be relevant to look at the conclusions from the risk assessment and determine which improvements must be made to achieve an acceptable risk level.
Next, we will discuss the steps required to ‘upgrade’ to a Type 2 report and then to a certification in ISO 27001.
A Type 2 report requires mostly the same type of documentation as a Type 1 report. Here are other things to expect:
A significant amount of time and cost should be expected to extend your report to a Type 2 report. This goes for the preparation, the ongoing inspections, and the cost of the auditor. There is also a risk that the auditor will object to newly implemented controls, which may mean you have unfavourable findings in the report.
However, we recommend that you initiate the dialogue with the auditor about a future desire to get a Type 2 report, while beginning the process of getting a Type 1 report. In this process, it will become clearer which additional measures and controls must be implemented, in order to obtain a Type 2 report. Additionally, the auditor will also have a better idea for estimating the efforts to extend the report. By taking a step-by-step approach, you can often significantly reduce the cost of having the auditor.
The difference between ISO 27001 and ISO 27002 is in the documentation and the establishment of the management system, including the PDCA cycle. It is this part that must be implemented and operated to go from ISO 27002 to ISO 27001. In ISO 27001, Chapters 4-10 must be included in the organisation’s management system for information security.
The steps required with establishing this process partly lie in the documentation and organisation of the internal processes for the four phases, and partly in your organisation’s time that must be used to implement the processes.
The real difference lies in the ‘check’ and ‘act’ phases. Here, ISO 27001 requires that a continuous process be implemented to set objectives for the individual initiatives, check whether the initiatives are effective, and continuously adjust if the results deviate from the objectives.
As ISO 27001 has a larger scope than ISO 27002, it can be expected that the audit will cost significantly more, as the auditor will also review and revise the documentation from Chapters 4-10 as part of the certification process.
Here is what you can expect:
Preparation: Documentation and description of processes covered in Chapters 4-10 of the ISO 27001 standard
Implementation and the processes associated with the four phases (Plan-Do-Check-Act)
Security audit – should be agreed on with the auditor.
It is primarily the extra internal time that is expected to make the difference from ISO 27002 to ISO 27001.
Just like working with a Type 1 vs Type 2 audit, it will be to your advantage to work step-by-step when expanding from ISO 27002 to ISO 27001. Getting certified in ISO 27001 may very well be suitable for organisations as they mature.
At CyberPilot, we recommend the ISAE 3402 report as the optimal choice for most organisations to work toward. This is because of the following:
Note: We ALWAYS recommend that you contact and discuss it with the customers and partners who require you to obtain certification or an audit, before you start to work towards it.
We hope that this blog has given you a better understanding of ISO certifications and ISAE 3402 reports. At CyberPilot, we offer solutions that can help you strengthen the information security in your organisation in preparation for a certification or an audit. These solutions include: