We are ISO 27001 certified – What Next?

Author: Gary Hibberd

Date: 6th August 2020

Congratulations you’ve successfully implemented the international standard for Information Security Management, ISO 27001!  Welcome to the club!  No matter if you’ve simply aligned to the standard, or achieved full certification, you’ll quickly begin to reap the rewards this standard provides; Such as:

– Reduction in risk from Cyberattack

– Reduction in risk from Data breaches

– Increased market opportunities

– Reduction in time wasted in the tender process

– Increase in customer confidence/trust

It’s understandable that this standard is possibly the best known of all the security standards around.  Its popularity is possibly down to the fact that it covers ‘Information Security’, not just Cybersecurity. The standard provides organisations with a framework to improve security related to people, premises, policies, processes, systems, and third-party providers.

But once you’ve achieved ISO 27001, what next? 

ISO 27001 and beyond

Many organisations implement ISO 27001 so that they can demonstrate they are a safe and secure organisation, and therefore can be trusted. Many use the standard as a differentiator, to demonstrate to that in their sector, they do things differently to their competitors. But if ISO 27001 is now the foundation which many organisations have implemented, shouldn’t you be looking at additional standards?

Dependent upon the sector you operate in, there are a number of directions you can go in following your successful implementation of ISO 27001. But if your intention is to demonstrate your commitment to the security of Data, then you should probably look at the following standards.

ISO 22301 – Business Continuity Management

COVID19 meant that many organisations had to rapidly develop Contingency plans, or implementing plans that hadn’t been tested fully. Over the coming months, as organisations look for providers of products and services, there is a strong likelihood that they will seek further assurances that robust Business Continuity Plans have been developed and have been tested.

Now those of you who have implemented ISO 27001 may be thinking that as Annex A.17.1.2 talks about Business Continuity, you don’t need to do anything. But looking at that section closely, it states that “The organisation shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.”

But it doesn’t explain how to do this comprehensively. ISO 22301 outlines how organisations should conduct a Business Impact Analysis (BIA) and identify their Recovery Time Objectives (RTO) and Maximum Tolerable Periods of Disruption (MTPD). 

ISO 22301 will be a standard that fits well with ISO 27001 because it’s a clear demonstration that your organisation has thought deeply about the Availability of your services and products.

ISO 27701 – Privacy Information Management System (PIMS)

In 2016 the world was introduced to the General Data Protection Regulation (GDPR), and on May 25th 2018 it became law. This outcome-focused regulation set out six very clear principles to which organisations of all shapes and sizes must adhere to. 

You may hear from some that they can make you ‘GDPR Compliant’. But until ISO 27701 this simply isn’t possible. GDPR doesn’t offer you a clear set of controls that you must implement; It’s down to you to decide how you implement the six principles, so being able to demonstrate compliance is more about building a body of evidence.

But ISO 27701 is a standard that sets out clear controls that organisations must implement, which will demonstrate compliance to the GDPR and commitment to Data Protection. This standard is an extension of ISO 27001 and therefore cannot be achieved without first implementing ISO 27001. 

This means you cannot be certified to ISO 27701, without having gone through the process of becoming ISO 27001 certified. While ISO 27001 talks generally about ‘Information Security’, ISO 27701 talks directly about Privacy. But like ISO 27001, it gives you direction on what you need to implement. It explains what policies and practices you must implement to demonstrate that you are considering Personal Data, as well as other forms of Data. 

The standard requires you to train staff, not only on Information Security but Personal Information Security. You’ll be required to update, extend or create policies around Data Protection, and Data Retention and Destruction.

And within your product/service delivery life cycle you’ll need to think about ‘Data Protection by Design’, not just ‘Security by Design’.

Conclusion

There are many other standards that organisations can and should think about implementing. If you’re a cloud provider, then looking at the code of practice for information security controls for cloud services, ISO 27017 would be a sensible decision.

If you’re a law firm, then perhaps looking at BS 1008:2014 is the standard which focuses on the evidential weight and legal admissibility of electronic information. Meaning that once documents have been digitised, they can’t be altered and would be admissible in courts of law.  While we’re on this, law firms would do well to implement Lexcel.

Lexcel is the Law Society’s legal practice quality mark for practise management and client care and helps firms to achieve excellence in compliance and practice management.

For the IT sector, ISO 20000 is the international standard for IT Service Management; Enabling IT companies to ensure that their service management processes are aligned with the needs of their clients. 

Finally, all organisations would benefit from looking more closely at BS 65000:2014, the standard for Organisational Resilience.  As you would expect, it’s a very broad standard and incorporates elements of Information Security, Business Continuity, Crisis Management, Cybersecurity, Risk Management and a host of other disciplines.  But as we have seen over recent times, the ability to ‘bounce back’ following a disruptive event (e.g. COVID19 or Data breaches), will be the true test that all organisations will be measured against.

ISO 27001 is a great start to demonstrate that you’re an organisation that can be trusted. If you only have this one standard, then that’s great. But it can’t stop there.

Like many things in life, you can’t do the basics and expect to be great. ISO 27001 is now seen as standard and good practice. I firmly believed when it is combined with other standards it becomes best practice.