ISO 27001: Your Step-by-Step Guide to Cybersecurity Improvement in 2023

Step 1: Initiate - Initiate the ISMS Project, Determine your Scope and Get Management Buy-In

This step is all about understanding the context of your organization and determining the initial scope of your Information Security Management System.

Determining the scope is entirely up to you at this point.

Is an auditor going to look at internal, non-customer-facing processes such as engineering or marketing? Or are you going to include all processes? This could include those interacting with your client, such as field services and sales.

It’s entirely up to you and your interested parties/stakeholders on how you want to proceed.

For more information on defining your ISMS Scope, check out our article here: ISMS Scope Confusion in ISO 27001: Don’t Get Lost - Information Security Management Systems Scope (arora-solutions.com)

Possibly the most important task of all at this step is to get management buy-in for this project.

You want them to understand why this kind of project is invaluable to the organization and what it could mean for potential future business prospects and impacts on client/customer interactions.

Many times, projects like these fail to start because the initial investment is perceived as high, and the short-term payoff is low. In the long-term, however, good cybersecurity is cheaper than a breach.

The cost of non-compliance and poor security can also be more detrimental to client trust.

Step 2: Select - Select the appropriate Security and Compliance Framework(s)

Now, when selecting a framework the organization’s context, legal, regulatory and contractual requirements should be considered. Also, marketing and differentiating factors, needs of stakeholders, and company goals may drive the decision to choose a different security or privacy framework.

Frameworks like HITRUST, SOC2, NIST Cybersecurity Framework, CMMC (NIST SP 800-171), NIST SP 800-53, ISO 27701, etc. are evolving and becoming more commonplace.

However, given most of these frameworks are based on ISO 27001, this guide will focus more on aligning your team’s cybersecurity improvement to that framework. We feel that ISO 27001 is the most recognized internationally, offers the most independence and flexibility, and is the best balance of cost and effort.

ISO 27001 is also a great starting point that scales with your organization’s growth and ever-changing requirements.

When adding on additional frameworks, security controls cross-mapping is much easier these days through compliance automation. (See Bonus Step: Automate below for a sneak peek.)

Step 3: Risk Access (your risks and security controls) - Risk Assess your Organization's Security Risks and Controls

The risk assessment is completed internally within your organization prior to internal or external audits.

We recommend using the framework established in ISO 27005, initially, and the MITRE ATT&CK® Framework when the ISMS is more functional.

As required by ISO 27001 Clause 6.1.3, you will need to draft the Statement of Applicability (SoA) document, which states the Annex A controls your organization determines to be necessary for mitigating security risks. It also states which controls are to be excluded. Finally, justification as to why the control is or is not included needs to be clearly addressed in the SoA.

At a more granular security control level, there are two ways a risk assessment can be executed: Event-based or Asset-based.

• Scenario-based looks at specific scenarios that could occur and assesses the risk of these possible threats as shown in the MITRE ATT&CK® Framework.

• Asset-based risk assessment looks at an individual list of assets and determines the associated risks.

We don’t recommend doing a scenario-based assessment.

The more timely and cost-effective method is an asset-based risk assessment. This allows you to start small and reference ISO 27001 and ISO 27005.

Step 4: Implement (your controls) - Implement the Selected Framework and Associated Security Controls

From the previous step, now you can go ahead and implement your controls in accordance with ISO 27001 Annex A using the implementation guidance in ISO/IEC 27002:2022(en), Information security, cybersecurity and privacy protection — Information security controls. It’s also vital to revisit the scope to make sure whatever you are implementing is correctly aligned with the organizational priorities.

We define Implementation of an ISMS in five layers:

1. High-level Policies and Plan: This layer includes essential documents which drive the Information Security Management System

   1. ISMS Plan: This internal document includes reference to ISO 27001 Clauses 4-10. It can include the ISMS Scope as well as information on how each clause will be addressed by the organization. It defines how you will plan, implement, operate, monitor and continually improve the ISMS.

   2. ISMS Scope: Sometimes, this document is included in the ISMS Plan, and it includes the scope, locations, people, infrastructure, systems, interfaces and dependent processes.

   3. Information Security Policy: Developed for a wider audience, including employees, stakeholders, suppliers and third parties. This policy establishes high level policy, principles, and objectives for information security within the organization.

2. Topic-specific Policies and Procedures: As defined in ISO 27002, topic-specific policies and procedures are “intentions and direction on a specific subject or topic, as formally expressed by the appropriate level of management”.

   1. Examples: Acceptable Use, Access Control, Asset Management, Backup, Incident Response, Management of Technical Vulnerabilities, Secure Development, Cryptography and Key Management, Information Classification and Handling, Networking Security, etc.

3. Documented Evidence Creation: “Artifacts”, or evidence, are required to audit the ISMS. Generating evidence can be in any form, as long as it is traceable, controlled, and reproducible. It should follow the Monitoring Schedule below.

   1. Examples: Risk assessments, Risk treatment plans, Management Review, audit reports, access reviews, tickets, business continuity tests, forms, logs, other reports, meeting minutes, presentations, training records, are all forms of evidence.

4. Monitoring Framework: A combined set of processes to ensure all evidence is available, metrics are being reported, and processes are being reviewed on a periodic basis

   1. Monitoring Metrics: These are forms of evidence which can be tracked over time to produce comparable and reproducible results in the form of KPIs (Key Performance Indicators). Metrics are required in Clause 9 Performance Evaluation

      1. Examples: Number of security incidents, percentage of individuals with security awareness trainings completed, total on time rate, % SLA controls met, average backup restore time, etc.

   2. Monitoring Schedule: The schedule would include the item to monitor, description, frequency of monitoring, and evidence location.

5. Functional Processes and Security Controls: Includes Organizational (Governance), Technological, People and Physical Controls. These are defined in Annex A of ISO 27001 and guidance provided in ISO 27002. They include all other required aspects for the organization considered in-scope and applicable in the Statement of Applicability for the organization.

There’s no need to fret if everything isn’t fully compliant at this point. Step 5 helps address gaps in implementation prior to external auditing, or Certification.

Step 5: Readiness Assess / Internal Audit - Readiness Assess your Security Controls to Ensure Compliance

Once you feel like your internal controls are in a good spot, now it’s time to have someone “check your work” with an internal readiness assessment. Also known as an internal audit.

However, don't be scared of the word “audit”.

This step is intended to add value and bring you closer to compliance with ISO 27001.

In order to know where we are going, we need to figure out where we are at. This is important in your cybersecurity improvement journey.

The purpose of this is to make sure that your organization meets the minimum acceptable requirements specified in ISO 27001. There will be room for continual improvement and you can’t fail here.

This internal audit is required on an annual basis under frameworks like ISO 27001 and HITRUST. You can do this process in 2 ways:

• Use an internal department with complete independence from security processes to conduct an internal audit.

• You can use an external organization, like us here at ARORA Solutions, to conduct a readiness assessment.

This step can cause some confusion internally about why it is necessary.

The two main reasons why it is necessary are:

1. It’s a requirement under ISO 27001 Clause 9.2.2 Internal Audit Program

2. It functions as a “dry run” prior to the Stage 1 and Stage 2 Certification audits

The readiness assessment goes through a similar process that an external auditor would. But rather than conducting a simple “check-the-box” approach, the readiness assessment takes it a step further. Gaps are identified and detailed implementation recommendations are provided. These help you close the gaps. Once all major gaps are remediated, an organization is ready for Step 6: Certify.

It is our recommendation that organizations risk assess these findings. Especially if there is a huge cost to making security control improvements. You don’t need to do everything to achieve compliance!

You should include major issues in the Risk Register, even if you don’t remediate them. If you have a risk treatment plan associated with the risk, it should help appease the external auditor. You can even accept the risk (with adequate justification) and still be compliant without fully treating it.

From a cost perspective, Internal Audits, which provide informative and value-added results for Management, run in the range of $10,000 (small enterprise) to $20,000 (medium to large enterprise).

This is often an unexpected cost of ISO 27001 Certification, but it is essential for success.

Annually, there would be a reduction in cost, as the internal auditor understands the organization’s processes.

Disclaimer: Costs depend on the organization’s size and complexity.

Step 6: Certify - Certify Your ISMS with an External Auditing Body

Now that the “dry run” has happened and the readiness assessment has determined your organization’s full security posture, it’s time for Certification.

Under ISO 27001, at this step, a Certification body will come in and perform their own assessment of the organization to see if it matches up to the framework.

It is best to select a Certification body with a major accreditation like UKAS or ANAB who have ISO 27001 within their Scope of Accreditation and who your Internal Auditor is familiar with. Having communication and familiarity with the Certification body can increase chances of success and improve your comfort in the process.

Furthermore, ISO requires an independent accredited conformity assessment body to make the final judgment on Certification. This body cannot offer consultation or advisory support, such as implementation or internal readiness assessments. Any consultants need to be a completely separate organization from the Certification Body and would not be conducting the Certification audit.

On the flip side, some frameworks operate a little differently.

Unlike ISO 27001, SOC2 can have the same organization that is doing the consultation also provide the attestation report under AICPA.

ISO does not work like this and requires complete independence and impartiality, as specified in ISO/IEC 17021-1:2015 - Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements.

Tip: Make sure your Certification body is not also doing either consultation or internal auditing for you, as this can be a conflict of interest under ISO 17021.

STAGE 1: At Stage 1, the Certification body will assess if governance, policies, procedures and processes are in place. Here, they will assess the “existence” of basic controls required in ISO 27001. A Stage 1 audit report is a simple recommendation by the auditor to move on to Stage 2.

The time requirement here is short (1-2 days audit) and shouldn’t take more than a few weeks to ascertain a decision.

STAGE 2: The Certification body will go even deeper to assess the effectiveness of the controls, as well as do a deeper dive into the Annex A security controls.

The time requirement here is dependent upon ISO 27006. This standard includes a table which specifies the number of auditor days that should be dedicated to Stage 1 and Stage 2 audits, for both Surveillance (annual) and Initial (first-time) audits. More information can be found here: ISO/IEC 27006:2015 - Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems.

At the conclusion of Stage 2, the Certification body will reach a “Certification Decision” based upon the Stage 2 audit report. The decision will be whether to Certify or not.

If the company is Certified, the subsequent two years will require a Surveillance audit. At the third year, recertification will be required, similar to the initial Stage 1 and Stage 2 audit process.

From a cost perspective, ISO 27001 Certification can be anywhere from $15,000 (small enterprise, startup) to $25,000+ USD (medium to large). On an annual basis, there would be a 25% to 30% reduction for the Surveillance audit and Certification fees.

Disclaimer: Costs depend on the organization’s number of locations and full time employee count, as well as the Certification body’s standard fees.

Step 7: Monitor and Maintain - Monitor and Maintain your Information Security Processes and Control

Now your ISMS is running effectively!

You’ve got everything running smoothly like a well-oiled machine. The technologies, processes, and people are in the proper place and functioning like they should. But the journey doesn’t stop at certification.

Steps must be taken to make sure consistent evidence is available and continually produced. At this step we are ensuring that Monitoring Framework (that we detailed in Step 4: Implement) is being utilized and that it is producing the appropriate and auditable evidence.

The importance of this step is to be able to manage what you measure to remain in compliance with ISO 27001.

Keep up the good work by monitoring, maintaining and continually assessing the health of the ISMS.

Step 8: Continual Improvement - Continually Improve the ISMS Over Time

We love to be optimistic about achieving Certification.

However, we know that processes are hard to maintain consistently and we do have process breakdowns. If your processes, policies, and people aren’t evolving with the cybersecurity threat landscape, it is likely that you are subject to security vulnerabilities and weaknesses.

Just because your organization was considered compliant today doesn’t mean it will stay that way tomorrow. People leave and the nature of our work changes.

The Continual Improvement step ensures that any issues brought by any employees, suppliers, users, engineers, managers, and security professionals are appropriately addressed. We find that most organizations do not have a way to Continually Improve.

The steps here include establishing a Nonconformity and Corrective Action Process within your Information Security Policies or ISMS Plan.

This approach will have evidence of issue identification, root cause analysis, corrective action, preventative action, timeline for completion, responsibility, and learnings from the finding. Audit findings are usually managed within this process, as well as through Risk Assessment

Bonus Step 9: Automate - Automate Compliance with an Industry-Proven Compliance Automation Platform

As ARORA evaluates more companies in numerous sectors, we are finding that managing an ISMS is exceedingly difficult on a day-to-day basis.

We believe automation is the answer…

More and more MSP’s and tech companies not only encourage but rely on automation more and more every day. Automating regular tasks not only frees up your team to focus on what is really important, but it drives efficiency across the organization. When we talk about automation in the compliance space, we’re talking about Compliance Automation Platforms as we describe it in our article here.

We highly recommend utilizing a Compliance Automation Platform in conjunction with your existing GRC processes. This can be integrated into the Cybersecurity Improvement process defined in our 9 Steps process above.

At ARORA we have cultivated relationships with the leading Compliance Automation Platforms, such as Drata, Secureframe, Sprinto, Scrut, A-SCEND. You can find G2’s top performers here.