
Risk3sixty - The Business Case For ISO 27001 (Part 1)


ISO 27001: The Path to Certification (Part 1)
The Business Case for ISO 27001 Implementation

Bottom Line Up Front

Cybersecurity is a business problem impacting the livelihoods of companies and their owners. As a result, Management and Leadership must take steps to proactively mature their information security posture. A great place to begin (or continue) maturing your security environment is through the implementation of a security framework such as ISO 27001.

If you are considering a security program implementation, this three-part whitepaper series will provide all the information you need to make an educated decision on ISO 27001 adoption.

This Whitepaper Series Includes:

Part 1: A business case for why organizations should consider ISO 27001 certification
Part 2: An overview of the essential elements of the ISO 27001 Framework
Part 3: A review of the ISO 27001 certification process from start to finish

Table of Contents

What is ISO 27001
  ISO 27001 Clauses 4-10
  ISO 27001 Annex A (Control Framework)
ISO 27001 Business Drivers
  Desire to Improve Security Posture
  Partner and Client Certification Requirements
  More Stringent Regulatory Environment
  Growing Marketplace Acceptance and Adoption
  ISO 27001 as a Unifying Compliance Framework
Next Steps

ISO 27001: The Path to Certification | Page 1


What is ISO 27001

Before we begin dissecting the business reasons to adopt ISO 27001, it is important that we establish a common understanding of ISO 27001.

ISO 27001 is an internationally recognized information security standard that is comprised of 10 clauses, 14 categories, 35 control objectives, and 114 controls. Companies may choose to align to ISO 27001 as part of security best practices and/or choose to pursue ISO 27001 certification.

Clauses 4-10 are typically referred to as the Information Security Management System, while the 114 control requirements are called “Annex A.”

ISO 27001 Clauses 4-10

When most people think of ISO 27001, they immediately consider the 114 controls that make up ISO 27001’s Annex A. Often ignored, however, are Clauses 4-10. These clauses are the core of ISO 27001 and establish the system of management necessary to build and maintain an effective information security program.

4 Context of the organization - understand the organizational context and the needs and expectations of ‘interested parties,’ and define the scope of the ISMS.

5 Leadership - top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.

6 Planning - outlines the process to identify, analyze and plan to treat information risks and clarify the objectives of information security. This is the first clause that requires a risk assessment.

7 Support - adequate, competent resources must be assigned and awareness raised.

8 Operation - additional detail about assessing and treating information risks, managing changes, and documenting requirements.

9 Performance evaluation - monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system, systematically improving things where necessary. This is where ISO requires an independent audit of the ISMS.

10 Improvement - address the findings of audits and reviews (e.g. nonconformities and corrective actions), make continual refinements to the ISMS.

ISO 27001 Annex A (Control Framework)

This is the section that outlines the 14 categories, 35 control objectives and 114 controls. You may refer to ISO/IEC 27002 for further detail on the controls, including implementation guidance.

A.5 Information Security Policies – Defines requirements for policies and procedures.

A.6 Organization of Information Security – Defines requirements for roles and responsibilities.

A.7 Human Resource Security – Defines requirements for pre-employment, during employment, and termination.

A.8 Asset Management – Defines requirements for inventory, ownership, and use of assets.

A.9 Access Control – Defines requirements for user access management throughout the user lifecycle.

A.10 Cryptography – Defines requirements for cryptographic controls and key management.

A.11 Physical and Environment Security

A.12 Operations Security – Defines requirements for security operations such as system security, backup, logging, malware, and vulnerability management.

A.13 Communications Security – Defines requirements for network security and information transfer.

A.14 System Acquisition, Development and Maintenance – Defines requirements for security in the system development and change management lifecycle.

A.15 Supplier Relationships – Defines requirements for security as related to vendors.

A.16 Information Security Incident Management – Defines requirements for management of security incidents.



A.17 Information Security Aspects of Business Continuity Management – Defines requirements for information security continuity and redundancies.

A.18 Compliance – Defines requirements for legal and contractual requirements.

ISO 27001 Business Drivers

Now that we have established a basic understanding of the ISO 27001 framework, let us discuss the business case for adopting ISO 27001 and pursuing certification.

The choice to align to ISO 27001 or pursue certification can often be linked to one or more of the following five factors:

Desire to Improve Security Posture

For companies beginning their security journey, ISO 27001 is a good fit for organizations of all sizes that seek to mature their information security program. ISO 27001 is a worthy framework to consider because it is both flexible and thorough. It permits organizations to structure their information security program in a fashion that suits their needs and aligns to business objectives.

ISO 27001 also occupies the “goldilocks” zone of security frameworks in that it is thorough, but not overwhelming (NIST 800-53, for example, is over 400 pages in length). It considers both organizational level (clauses 4-10) and technical level (Annex A) requirements to build and sustain an information security program.

Because ISO 27001 is considered right-sized, is internationally recognized, and considers both organizational and technical requirements, it is the framework of choice for many information security professionals.

Note: An organization may choose to align to ISO 27001 without pursuing certification.

Partner and Client Certification Requirements

With the rapid rise of business to business interconnectivity and business process outsourcing, third party risk management programs continue to mature across all organizations. The desire to manage supplier and vendor relationships manifests itself as stringent contractual and/or due diligence requirements that focus heavily on information security.

These security requirements can stretch the sales cycle by months and even halt important relationships entirely. The bottom line is, if your organization is unable to evidence a baseline level of security, customers may take their business elsewhere or burden your organization with endless customer audits.

If your organization desires to shorten the sales cycle, reduce customer audit burdens, and grow in a globally competitive marketplace, it must instill absolute trust in potential partners and customers. As a result, obtaining security certifications is considered a must-have to drive revenue growth for most organizations.

[Figure 1: bar chart “Banks Requiring ISO 27001 Certification”: All Banks 25%, US Banks 14%]

Figure 1 (above) - Survey results from 42 global banks asked if they require ISO 27001 certification as part of contractual requirements for key service providers. As ISO 27001 certification continues to grow globally (see figures 2 and 3) these numbers will likely grow, as well.



More Stringent Regulatory Environment

In May of 2018 the European Union made effective the General Data Protection Regulation (GDPR). In March 2019, the State of New York department of financial services’ cybersecurity regulation (23 NYCRR 500) final compliance deadline arrived. In January 2020 California will make effective the California Consumer Protection Act (CCPA). These are just a few of the trending security and privacy regulations enacted across the globe at all levels of government.[1]

“Executives today must operate under the assumption that they will experience a cyber incident that will require them to notify their customers, investors, and regulators.”[2]

As a result, information security has risen beyond the scope of the information technology department on to the agendas for top level leadership and the board of directors.

This renewed focus on information security and compliance makes globally acceptable security frameworks like ISO 27001 an attractive means to evidence compliance.

Growing Marketplace Acceptance and Adoption

Another trend to consider is the rapid global adoption of ISO 27001 and ISO 27001 certification.

Based on a global analysis, ISO 27001 certification has gained traction in all marketplaces globally since 2007[3] and shows accelerated adoption in the United States in particular.

If these trends continue, ISO 27001 adoption will continue to grow in the United States and act as a common reference point in the marketplace to communicate an organization’s security posture to customers and prospects.

[Figure 2: bar chart “ISO 27001 Certification for Selected Countries” (certifications, 0 to 30,000) for the United States, Japan, China, Germany, France, the United Kingdom, and India]

Figure 2 (above) - When compared to other developed nations the United States shows greater potential for ISO 27001 adoption in the coming years. As a result, organizations should position themselves to be ready for the potential wave of ISO 27001 certification requirements.

[Figure 3: bar chart “ISO 27001 Certification in the U.S.” (certifications, 0 to 1,600)]

Figure 3 - ISO 27001 certification in the United States continues to grow and has accelerated in recent years. (2016 was an election year and may be responsible for the decline in certifications in that year, but this is speculative.)

[1] Find whitepapers on each of these regulations on our website: https://www.risk3sixty.com/category/whitepapers/
[2] Harvard Business Review: https://hbr.org/2017/11/the-avoidable-mistakes-executives-continue-to-make-after-a-data-breach
[3] Data source of all figures via ISO.org: https://isotc.iso.org/livelink/livelink?func=ll&objId=18808772&objAction=browse&viewType=1

ISO 27001 as a Unifying Compliance Framework

For companies who must navigate multiple security compliance frameworks (e.g., ISO 27001, SOC 2, PCI DSS, HIPAA, HITRUST, etc.), ISO 27001 can act as a unifying compliance framework to align all other compliance activities.

[Diagram: ISO 27001 as the unifying framework alongside SOC 2 Type II, PCI DSS, HIPAA, and HITRUST]

Leveraging this strategy, companies can gain significant efficiencies by managing a single set of controls rather than managing each compliance requirement in a silo. Unifying compliance efforts may also result in a reduction in external audit fees and will certainly reduce the burden on internal teams faced with producing audit evidence throughout the year.

Next Steps

In summary, for companies who seek to enhance their security posture, future-proof their business relationships, navigate complex regulatory and compliance requirements, and enhance overall compliance program efficiency – ISO 27001 may be an excellent investment.

Our ISO 27001 Guided Implementation Program

If you are ready to get started and would like a guide – risk3sixty can help! Learn why we have:

• 100% three-year client retention
• 100% ISO 27001 certification success rate
• 100% of clients are references

Our Process Includes:
✓ ISO 27001 Scope Determination
✓ Current State Assessment
✓ Detailed plan/checklist and timeline to compliance
✓ Project management to oversee remediation efforts
✓ All ISO 27001 policies and procedures
✓ Risk Assessment and Risk Management Workshop
✓ ISO 27001 Internal Audit Program
✓ Support during the certification audit
✓ Inview | ISO 27001 Audit and Compliance Platform

Let’s Get Started
Contact a Professional

Christian Hyatt, Managing Director
CISA | CISM | ISO 27001 Lead Auditor | PCI QSA
Christian.Hyatt@risk3sixty.com
404.333.1669

Christian White, Managing Director
CISA | CRISC | ISO 27001 Lead Implementer | PCI QSA
Christian.White@risk3sixty.com
770.289.3505

risk3sixty
IT Audit | Cyber Risk | Compliance Advisory

Risk3sixty, LLC, is an Atlanta-based Information Risk Management (IRM) advisory firm focused on IT audit, Cyber Risk, and compliance consulting and software solutions.

Our management-level consulting team leverages deep industry experience and unique technology solutions to enhance risk visibility, reduce the burdens of compliance, and create actionable programs which enable executives and their management teams to make better decisions.

