Nov 29 2024

ISO 27001: Building a Culture of Security and Continuous Improvement

Category: Information Security, ISO 27k | disc7 @ 9:19 am

More Than Compliance
ISO 27001 is not just a certification; it’s a framework that embeds security into the core of your organization, fostering trust, efficiency, and resilience.


Security as a Journey
ISO 27001 promotes a proactive, continuous approach to security, adapting to ever-evolving cyber threats and embedding security as a company-wide mindset.


Key Practices for Continuous Improvement

  1. Regular Risk Assessments: Periodically evaluate vulnerabilities and prioritize mitigation measures to stay ahead of potential threats.
  2. Employee Engagement: Train employees to actively participate in protecting information and identifying risks early.
  3. Performance Monitoring: Use metrics, audits, and reviews to refine and align security measures with business goals.
  4. Incident Learning: Develop robust response plans, analyze incidents, and strengthen systems to prevent future issues.

Why a Security Culture Matters
A strong security culture builds trust, fosters innovation, and enables safe adoption of technologies like cloud computing and remote work, giving organizations a competitive edge.


Practical Steps to Embed Security

  • Set Clear Objectives: Align ISO 27001 goals with business priorities like risk reduction and client trust.
  • Engage Leadership: Secure top management’s active participation to drive initiatives.
  • Integrate Security: Make security a shared responsibility across all departments.
  • Focus on Risks: Prioritize and allocate resources effectively based on risk impact.
  • Encourage Communication: Foster open discussions about security concerns and solutions.
  • Scale with Growth: Adjust security practices as your organization evolves.

Overcoming Challenges

  • Resistance to Change: Highlight benefits to gain employee buy-in.
  • Resource Constraints: Use a phased approach to certification.
  • Integration Complexity: Leverage the common structure that ISO 27001 shares with other management-system standards such as ISO 9001 (the same high-level clause structure, Annex SL) so that policies, internal audits and management reviews can be combined rather than duplicated.

The Way Forward
ISO 27001 isn’t just about protecting data—it’s about building trust, improving operations, and achieving competitive advantage. Start embedding its principles today for a stronger, more secure organization.

Contact us to explore how we can turn security challenges into strategic advantages.

Penetration Testing and ISO 27001 – Securing ISMS

Secure Your Digital Transformation with ISO 27001

Significance of ISO 27017 and ISO 27018 for Cloud Services

The Risk Assessment Process and the tool that supports it

What is the significance of ISO 27001 certification for your business?

ISO 27k Chat bot

Pragmatic ISO 27001 Risk Assessments

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

Risk Register Templates: Asset and risk register template system for cybersecurity and information security management suitable for ISO 27001 and NIST

ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k

How to Address AI Security Risks With ISO 27001

How to Conduct an ISO 27001 Internal Audit

4 Benefits of ISO 27001 Certification

How to Check If a Company Is ISO 27001 Certified

How to Implement ISO 27001: A 9-Step Guide

ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001 standards and training

What is ISO 27002:2022

Previous posts on ISO 27k

Securing Cloud Services: A pragmatic guide

ISO 27001/2 latest titles

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: iso 27001, security culture


Nov 27 2024

Penetration Testing and ISO 27001 – Securing ISMS

Category: ISO 27k, Pen Test | disc7 @ 9:06 am

The document highlights the integration of penetration testing within the ISO 27001 framework, emphasizing its role in identifying system vulnerabilities and maintaining security posture. It links pen testing to the standard’s risk management and continuous improvement principles, focusing on Annex A controls such as Operations Security and Compliance (A.12 and A.18 in the 2013 edition; in the 2022 edition the closest controls are 8.8 Management of technical vulnerabilities, 8.29 Security testing in development and acceptance, and 5.36 Compliance with policies, rules and standards for information security).

It details the importance of scoping, balancing business needs with potential risks. The guide underscores embedding pen testing into broader risk assessment efforts to enhance resilience.

How does penetration testing fit into my ISO 27001 ISMS project?

There are three stages in an ISMS project where penetration testing can make a significant contribution:

  1. As part of the risk assessment process, to uncover vulnerabilities in Internet-facing IP addresses, web applications, and internal devices and applications, and to link each of them to an identifiable threat.
  2. As part of the risk treatment plan, to verify that the selected security controls work as designed.
  3. As part of the ongoing performance evaluation and improvement processes, to confirm that controls continue to work as required and that new and emerging vulnerabilities are identified and dealt with.

ISO 27001 requires you to identify information security risks within the scope of the ISMS (Clause 6.1.2 c)). In practice this means identifying the information, assets and systems within scope, and then the risks and vulnerabilities to which they are subject.

A penetration test helps identify those vulnerabilities and the threats that could exploit them. Its results highlight detected issues, guide remedial action, and are a key input to the risk assessment and treatment process: once you understand the threats you face, you can make an informed, justifiable decision when selecting controls.

For further details, access the full document here.

Contact us to explore how we can turn security challenges into strategic advantages.


Tags: isms, iso 27001, Penetration Testing


Nov 05 2024

How can ISO 27001 help SaaS companies?

Category: Information Security, ISO 27k | disc7 @ 12:13 pm

ISO 27001 certification is essential for SaaS companies to ensure data protection and strengthen customer trust by securing their cloud environments. As SaaS providers often handle sensitive customer data, ISO 27001 offers a structured approach to manage security risks, covering areas such as access control, encryption, and operational security. This certification not only boosts credibility but also aligns with regulatory standards, enhancing competitive advantage.

The implementation process involves defining an Information Security Management System (ISMS) tailored to the company’s operations, identifying risks, and applying suitable security controls. Although achieving certification can be challenging, particularly for smaller businesses, ISO 27001’s framework helps SaaS companies standardize security practices and demonstrate compliance.

To maintain certification, SaaS providers must continuously monitor, audit, and update their ISMS to address emerging threats. Regular internal and external audits assess compliance and ensure the ISMS’s effectiveness in a constantly evolving security landscape. By following ISO 27001’s guidance, SaaS companies gain a proactive approach to security and data privacy, making them more resilient against breaches and other cybersecurity risks.

Moreover, ISO 27001 certification can be a decisive factor for clients evaluating SaaS providers, as it shows commitment to security and regulatory compliance. For many SaaS businesses, certification can streamline client acquisition and retention by addressing data privacy concerns proactively.

Ultimately, ISO 27001 provides SaaS companies with a competitive edge, instilling confidence in clients and partners. This certification reflects a company’s dedication to safeguarding customer data, thereby contributing to long-term growth and stability in the competitive SaaS market. For more information, you can visit the full article here.

Need expert guidance? Book a free 30-minute consultation with an ISO 27k expert.


Tags: iso 27001, saas


Oct 30 2024

A step-by-step guide to risk management following ISO 27001 and ISO 27005 standards

Category: ISO 27k, Risk Assessment, Security Risk Assessment | disc7 @ 9:44 am

The ISO 27001 risk management guide provides a structured methodology for managing information security risks aligned with ISO standards. It first covers setting risk criteria, helping organizations define their risk appetite and identify high-priority assets and vulnerabilities. Risk assessment follows, where risks are quantified based on their likelihood and impact, allowing for prioritization.

The guide emphasizes the importance of treatment planning, advising on risk responses: avoidance, transfer, mitigation, or acceptance, with decisions documented for compliance. Documentation ensures transparency and traceability, forming a record of risk decisions.

A key component is regular review, where organizations reassess risks as threats change, supporting ISO 27001’s principle of continuous improvement. This cyclical approach helps keep the risk management framework adaptable and responsive to evolving security needs.

Additionally, the guide underscores the role of management, recommending their involvement in review and support of risk processes. Management buy-in ensures that security efforts align with strategic goals, encouraging organization-wide commitment.

In summary, the guide helps organizations maintain a robust, adaptive risk management system that meets ISO 27001 standards, enabling proactive risk control. For more detail, you can access the document here.
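The assess, treat, document and review cycle described above, with penetration-test findings as the input that the earlier post on pen testing and ISO 27001 calls for, as an added Python example. This is not code from the page, from ISO or from any vendor: the 1 to 5 likelihood and impact scales, the risk appetite threshold, the control names and the sample findings are all assumptions constructed for illustration.

```python
"""Lightweight ISO 27001-style risk register fed by penetration-test findings.

Added example for this page. Not code from the page, from ISO, or from any
vendor: the 1-5 scales, the appetite threshold, the control names and the
sample findings are assumptions constructed to illustrate the process.
"""
from dataclasses import dataclass, field
from typing import Optional

# Risk criteria, defined before any assessment (ISO 27001 Clause 6.1.2 a)).
# The scales and the appetite threshold are assumptions for this example.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 6  # a score above this must be treated; at or below it may be accepted
TREATMENTS = ("avoid", "transfer", "mitigate", "accept")  # the ISO 27005 options


@dataclass
class Risk:
    """One risk-register row: a vulnerability, the threat that exploits it, and scores."""
    risk_id: str
    asset: str
    vulnerability: str
    threat: str
    likelihood: int
    impact: int
    treatment: Optional[str] = None
    controls: list = field(default_factory=list)
    justification: str = ""
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    @property
    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        """Score after treatment; identical to the inherent score until treated."""
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp


def assess(findings: list) -> list:
    """Stage 1: turn pen-test findings into scored risks, highest inherent score first."""
    risks = [
        Risk(risk_id=f"R-{n:03d}", asset=f["asset"], vulnerability=f["vulnerability"],
             threat=f["threat"], likelihood=LIKELIHOOD[f["likelihood"]], impact=IMPACT[f["impact"]])
        for n, f in enumerate(findings, start=1)
    ]
    return sorted(risks, key=lambda r: r.inherent_score, reverse=True)


def treat(risk: Risk, option: str, controls: list, justification: str,
          residual_likelihood: Optional[int] = None, residual_impact: Optional[int] = None) -> Risk:
    """Stage 2: record the treatment decision so it is traceable for the auditor.
    Accepting a risk that sits above appetite is refused unless a justification is written."""
    if option not in TREATMENTS:
        raise ValueError(f"unknown treatment {option!r}; expected one of {TREATMENTS}")
    if option == "accept" and risk.inherent_score > RISK_APPETITE and not justification:
        raise ValueError(f"{risk.risk_id}: accepting a risk above appetite requires a justification")
    risk.treatment, risk.controls, risk.justification = option, list(controls), justification
    risk.residual_likelihood, risk.residual_impact = residual_likelihood, residual_impact
    return risk


def outside_appetite(register: list) -> list:
    """IDs of risks whose residual score still exceeds the appetite."""
    return [r.risk_id for r in register if r.residual_score > RISK_APPETITE]


def retest(register: list, still_exploitable: set) -> list:
    """Stage 3: after a re-test, a risk whose vulnerability is still exploitable has its
    residual likelihood reset to the inherent value; returns the IDs that need re-treatment."""
    reopened = []
    for r in register:
        if r.risk_id in still_exploitable:
            r.residual_likelihood = r.likelihood
            reopened.append(r.risk_id)
    return reopened


# Constructed sample findings; not results from any real test.
SAMPLE_FINDINGS = [
    {"asset": "customer portal (Internet-facing)", "vulnerability": "SQL injection in login form",
     "threat": "external attacker extracts customer records", "likelihood": "likely", "impact": "severe"},
    {"asset": "internal CI server", "vulnerability": "default administrator credentials",
     "threat": "malicious insider tampers with the build pipeline", "likelihood": "possible", "impact": "major"},
    {"asset": "marketing website", "vulnerability": "missing HTTP security headers",
     "threat": "clickjacking of a static page", "likelihood": "unlikely", "impact": "minor"},
]


def run_cycle() -> dict:
    """One assess -> treat -> retest cycle over the sample findings."""
    register = assess(SAMPLE_FINDINGS)
    sqli, ci, headers = register  # inherent scores 20, 12 and 4
    treat(sqli, "mitigate", ["parameterised queries", "WAF rule"], "fix at source", residual_likelihood=1)
    treat(ci, "mitigate", ["rotate credentials", "enforce SSO"], "", residual_likelihood=1)
    treat(headers, "accept", [], "static content, low impact")
    open_before = outside_appetite(register)
    reopened = retest(register, still_exploitable={ci.risk_id})  # the CI fix did not hold
    return {"order": [r.risk_id for r in register], "open_before_retest": open_before,
            "reopened": reopened, "open_after_retest": outside_appetite(register)}


if __name__ == "__main__":
    print(run_cycle())
```

The register starts from the criteria, not from the findings: the scales and the appetite are fixed first, so two assessors scoring the same finding get the same result. treat() is where the documentation the guide asks for is enforced, since accepting a risk above appetite without a written justification is refused, and retest() is the review step: any vulnerability that is still exploitable after treatment has its residual likelihood reset, so the risk reappears in outside_appetite() and goes round the cycle again.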


Tags: guide to risk management, iso 27001, iso 27005


Oct 18 2024

What is the significance of ISO 27001 certification for your business?

Category: ISO 27k | disc7 @ 10:46 am

ISO 27001 certification is more than just a standard; it’s a powerful statement that transforms how your customers perceive your company. This certification represents an unwavering commitment to data security, acting as a digital shield for your business. By safeguarding your most valuable asset—your data—you build unshakeable trust with your customers, showing them that their information is safe in your hands.

Achieving ISO 27001 means your business isn’t just adhering to standards; it’s setting itself apart as a leader in data protection. This certification opens doors to new opportunities, enabling your business to thrive in an increasingly digital world. It’s about ensuring your business’s long-term sustainability and demonstrating a serious commitment to information security.

ISO 27001 is more than a quality seal; it sends a clear message to the world. It shows that your company prioritizes data protection, adheres to the best practices of information security, and reduces the risk of cyber incidents. It also signals that your business is trustworthy, boosting confidence among customers, suppliers, and business partners. This trust gives you a competitive edge, setting you apart from the competition and attracting new business opportunities.

In essence, ISO 27001 is an investment in the future of your business. It not only helps in improving risk management by identifying and mitigating information security risks but also strengthens your business’s foundation. By demonstrating a strong commitment to data security, you can ensure the longevity and success of your company in today’s digital age.

Overall benefits of ISO 27001 certification for businesses include:

  1. Enhanced Data Security: ISO 27001 provides a systematic approach to managing sensitive company information, ensuring that data is protected from unauthorized access, breaches, and other security threats.
  2. Increased Customer Trust: Achieving this certification demonstrates a commitment to data security, building trust among customers, partners, and stakeholders. It shows that your organization takes information security seriously.
  3. Regulatory Compliance: ISO 27001 helps businesses comply with legal and regulatory requirements related to data protection, which can vary across different industries and regions. This reduces the risk of legal penalties and compliance-related issues.
  4. Competitive Advantage: Companies with ISO 27001 certification can differentiate themselves from competitors. It acts as a quality seal, giving you an edge in the market and attracting new clients who prioritize data security.
  5. Improved Risk Management: The certification process involves identifying, assessing, and managing information security risks. This proactive approach helps businesses to mitigate potential threats and vulnerabilities effectively.
  6. Operational Efficiency: Implementing ISO 27001 often leads to streamlined processes and better resource management, as businesses adopt consistent and structured approaches to handling data security.
  7. Global Recognition: ISO 27001 is an internationally recognized standard, which means your business can gain credibility and access to new markets around the world. It assures clients globally that your security practices meet high standards.
  8. Business Continuity: By focusing on risk assessment and management, ISO 27001 helps ensure that your business can continue to operate even in the face of security incidents or disruptions. This resilience is critical for long-term success.

In summary, ISO 27001 certification not only strengthens your data security framework but also boosts your reputation, enhances compliance, and gives you a competitive edge, making it a valuable investment for any business.


Tags: iso 27001, iso 27001 certification


Oct 09 2024

Pragmatic ISO 27001 Risk Assessments

Category: ISO 27k, Risk Assessment, Security Risk Assessment | disc7 @ 1:33 pm

Andrew Pattison, a seasoned expert with over 30 years in information security and risk management, emphasizes the pragmatic nature of ISO 27001 in this interview. He explains that ISO 27001 is often misunderstood as a rigid framework when, in fact, it takes a flexible, risk-based approach. This misconception arises because many implementers prioritize certification, leading them to adopt a “you must do X” attitude, which gives the impression that the standard’s clauses are more rigid than they are. Pattison stresses that organizations can tailor controls based on risk, selecting or excluding controls as needed, provided they can justify these decisions.

He explains that a true risk-based approach to ISO 27001 involves understanding risk as the combination of a vulnerability, a threat that could exploit it, and the likelihood of that threat actually exploiting it. Organizations often focus on sensationalized, niche technical risks rather than practical issues like staff awareness training, which can be addressed easily and cost-effectively. Pattison advises focusing on risks that have a real-world impact rather than obscure ones that are unlikely to materialize.

To keep risk assessments manageable, Pattison advocates for simplicity. He favors straightforward risk matrices and encourages organizations to focus on what truly matters. According to him, risk management should answer two questions: “What do I need to worry about?” and “How do I address those worries?” Complicated risk assessments, often bogged down by mathematical models, fail to provide clear, actionable insights. The key is to maintain focus on where the real risks lie and avoid unnecessary complexity.

Pattison also believes in actively involving clients in the risk assessment process, rather than conducting it on their behalf. By guiding clients through the process, he helps them develop a deeper understanding of their own risks, linking these risks to their business objectives and justifying the necessary controls. This collaborative approach ensures that clients are better equipped to manage their risks in a meaningful and practical way, rather than relying on third parties to do the work for them.

For more information on Andrew Pattison’s interview, you can visit here.


Tags: iso 27001, ISO 27001 Risk Assessment, ISO27k


Sep 24 2024

How to Conduct an ISO 27001 Internal Audit

Category: ISO 27k | disc7 @ 2:19 pm

The blog post provides a detailed guide on conducting an ISO 27001 audit, which is crucial for ensuring compliance with information security standards. It covers both internal and certification audits, explaining their purposes, the audit process, and steps such as setting the audit criteria, reviewing documentation, conducting a field review, and reporting findings. The article also emphasizes the importance of having an independent auditor and following up on corrective actions to ensure proper risk management.

For more details, you can read the full post here.


Tags: isms, iso 27001, iso 27001 certification, ISO 27001 Internal Audit, iso 27002


Sep 17 2024

4 Benefits of ISO 27001 Certification

Category: ISO 27k | disc7 @ 12:46 pm

The post discusses whether ISO 27001 certification is worth it, highlighting benefits such as improved reputation, enhanced security and competitive advantage. ISO 27001 offers a comprehensive framework for managing information security risks, covering people, processes and technology. Certification, though not mandatory, provides independent validation of an organization’s commitment to security, which regulators may take into account when deciding penalties after a data breach. It positions organizations to stand out, especially in regulated industries such as finance and healthcare.

  1. Gain a competitive advantage
  2. Provide assurance to partners and regulators
  3. Qualify for bigger contracts
  4. Gain additional peace of mind about your security

You can read more here.


Tags: iso 27001


Mar 10 2024

ISO 27001 standards and training

Category: Information Security, ISO 27k | disc7 @ 9:29 pm

There’s more to cyber security than just ISO 27001. Protect your business with the full family of ISO standards.

Protect your organisation from cyber crime with ISO 27001 Training – Instructor-led live online, self-paced online and classroom.

Equip your staff to identify and address cyber security and privacy risks.


Tags: iso 27001, ISO 27001 training


Nov 29 2022

Why the updated ISO 27001 standard matters to every business’ security

Category: Information Security, ISO 27k | DISC @ 10:13 am

On the morning of August 4, 2022, Advanced, a supplier for the UK’s National Health Service (NHS), was hit by a major cyberattack. Key services including NHS 111 (the NHS’s 24/7 health helpline) and urgent treatment centers were taken offline, causing widespread disruption. This attack served as a brutal reminder of what can happen without a standardized set of controls in place. To protect themselves, organizations should look to ISO 27001.

ISO 27001 is an internationally recognized Information Security Management System standard. It was first published in 2005 to help businesses implement and maintain a solid information security framework for managing risks such as cyberattacks, data leaks and theft. As of October 25, 2022, it has been updated in several important ways.

The standard is made up of a set of clauses (Clauses 4 through 10) that define the management system, and Annex A, which lists the reference controls. The clauses cover topics such as context and scope, leadership and the information security policy, and risk assessment and treatment, while Annex A’s controls include items such as vulnerability and patch management, malware protection and access control. Not every Annex A control has to be implemented: controls are selected on the basis of the risk assessment, and the Statement of Applicability must record which controls apply and justify any that are excluded.

Why is ISO 27001 being updated?

It’s been nine years since the standard was last updated, and in that time, the technology world has changed in profound ways. New technologies have grown to dominate the industry, and this has certainly left its mark on the cybersecurity landscape. 

With these changes in mind, the standard has been reviewed and revised to reflect the state of cyber and information security today. ISO 27002 (the guidance on implementing the Annex A controls) was updated first, in February 2022. The number of controls was reduced from 114 to 93 by merging several previously existing controls, and 11 new ones were added.

Many of the new controls bring the standard in line with modern technology. There is now, for example, a control specifically for cloud services (5.23, Information security for use of cloud services). When the 2013 controls were written, cloud was still emerging; today it is a dominant force across the tech sector, and the new controls help bring the standard up to date.

In October, ISO 27001 was updated and brought in line with the new version of ISO 27002. Businesses can now achieve compliance with the updated 2022 controls, certifying themselves as meeting this new standard, rather than the now-outdated list from 2013.

How can ISO 27001 certification benefit your business?

Implementing ISO 27001 brings a host of information security advantages that benefit companies from the outset.

Companies that have invested time in achieving ISO 27001 certification will be recognized by their customers as organizations that take information security seriously. Companies that are focused on the needs of their customers should want to address the general feeling of insecurity in their users’ minds.

Moreover, as part of the increasingly rigorous due-diligence processes that many companies are now undertaking, ISO 27001 is becoming mandatory. Therefore, organizations will benefit from taking the initiative early to avoid missing out commercially.

In the case of cyber-defense, prevention is always better than cure. Attacks mean disruption, which almost always proves costly for an organization, in regard to both reputation and finances. Therefore, we might view ISO 27001 as a form of cyber-insurance, where the correct steps are taken preemptively to save organizations money in the long term.

There’s also the matter of education. Often, an organization’s weakest point, and thus the point most often targeted, is the user. Compromised user credentials can lead to data breaches and compromised services. If users were more aware of the nature of the threats they face, the likelihood of their credentials being compromised would decrease significantly. ISO 27001 offers clear and cogent steps to educate users on the risks they face.

Ultimately, whatever causes a business to choose implementation of ISO 27001, the key to getting the most out of it is ingraining its processes and procedures in their everyday activity.

Overcoming the challenge of ISO 27001 certification

A lot of companies have already implemented many controls from ISO 27001, including access control, backup procedures and training. It might seem at first glance that, as a result, they’ve already achieved a higher standard of cybersecurity across their organization. However, what they continue to lack is a comprehensive management system to actually manage the organization’s information security, ensuring that it is aligned with business objectives, tied into a continuous improvement cycle, and part of business-as-usual activities.

While the benefits of ISO 27001 may be obvious to many in the tech industry, overcoming obstacles to certification is far from straightforward. Here are some steps to take to tackle two of the biggest issues that drag on organizations seeking ISO 27001 certification:

  • Resources — time, money, and manpower: Businesses will be asking themselves: How can we find the extra budget and dedicate the finite time of our employees to a project that could last six to nine months? The key here is to place trust in the industry experts within your business. They are the people who will be implementing the standard day-by-day, and they should be placed at the wheel.
  • Lack of in-house knowledge: How can businesses that have no prior experience implementing the standard get it right? In this case, we advise bringing in third-party expertise. External specialists have done this all before: They have already made the mistakes and learned from them, meaning they can come into your organization directly focused on implementing what works. In the long run, getting it right from the outset is a more cost-effective strategy because it will achieve certification in a shorter time.

Next steps toward a successful future

While making this all a reality for your business can seem daunting, with the right plan in place, businesses can rapidly benefit from all that ISO 27001 certification has to offer.

It’s also important to recognize that this October was not a cutoff point for businesses to achieve certification against the new version of the standard. Certification bodies need a few months before they can offer ISO 27001:2022 certification, and the accreditation bodies (IAF MD 26) set a three-year transition period from publication, so certificates against ISO 27001:2013 remain valid until the transition ends on 31 October 2025.

Ultimately, it’s vital to remember that while implementation comes with challenges, ISO 27001 compliance is invaluable for businesses that want to build their reputations as trusted and secure partners in today’s hyper-connected world.

Source: https://wordpress.com/read/blogs/126020344/posts/2830377

Tags: iso 27001, iso 27002


Sep 22 2022

Second Course Exam for Free – ISO 9001, ISO 14001, ISO 27001 & EU GDPR

Category: Information Security, ISO 27k | DISC @ 8:30 am

I just wanted to inform you that, at the end of September, Advisera is launching its “Second Course Exam for Free” promotional campaign. The campaign will start on September 22 and end on September 29, 2022.

Take the ISO 9001 course exam and get the ISO 14001, ISO 13485, or 45001 course exam for free


In this promotion the second course exam is completely FREE OF CHARGE.

The bundles are displayed on two landing pages, one with bundles related to ISO 9001 and another with bundles related to ISO 27001.

Take the ISO 27001 course exam and get the EU GDPR course exam for free

Foundations course exam bundles:

ISO 9001 Foundations exam + ISO 14001 Foundation exam

ISO 9001 Foundations exam + ISO 27001 Foundation exam

ISO 9001 Foundations exam + ISO 13485 Foundation exam

ISO 9001 Foundations exam + ISO 45001 Foundation exam

ISO 14001 Foundations exam + ISO 45001 Foundation exam

Internal Auditor course exam bundles:

ISO 9001 Internal Auditor exam + ISO 14001 Internal Auditor exam

ISO 9001 Internal Auditor exam + ISO 27001 Internal Auditor exam

ISO 9001 Internal Auditor exam + ISO 13485 Internal Auditor exam

ISO 9001 Internal Auditor exam + ISO 45001 Internal Auditor exam

ISO 14001 Internal Auditor exam + ISO 45001 Internal Auditor exam

Lead Auditor course exam bundles:

ISO 9001 Lead Auditor exam + ISO 14001 Lead Auditor exam

ISO 9001 Lead Auditor exam + ISO 13485 Lead Auditor exam

ISO 9001 Lead Auditor exam + ISO 45001 Lead Auditor exam

ISO 14001 Lead Auditor exam + ISO 45001 Lead Auditor exam

Lead Implementer course exam bundles:

ISO 9001 Lead Implementer exam + ISO 14001 Lead Implementer exam

ISO 9001 Lead Implementer exam + ISO 13485 Lead Implementer exam

ISO 9001 Lead Implementer exam + ISO 45001 Lead Implementer exam

ISO 14001 Lead Implementer exam + ISO 45001 Lead Implementer exam

2/ ISO 27001/EU GDPR-related bundles:

ISO 27001 Foundations exam + EU GDPR Foundations exam

ISO 27001 Foundations exam + ISO 9001 Foundation exam

ISO 27001 Internal Auditor exam + EU GDPR Data Protection Officer exam

ISO 27001 Internal Auditor exam + ISO 9001 Internal Auditor exam

ISO 27001 Lead Auditor exam + ISO 9001 Lead Auditor exam

ISO 27001 Lead Implementer exam + ISO 9001 Lead Implementer exam

Tags: EU GDPR, ISO 13485, ISO 14001, iso 27001, ISO 45001, iso 9001


Sep 19 2022

ISO 27001 Internal Audit

Category: Information Security,ISO 27kDISC @ 12:40 pm

DISC LLC presents a phased approach to delivering ISO 27001 Internal Audit services to SaaS businesses.

ISO 27001 Internal Audit Service - iTGRC security and compliance advisory group

The Engagement:

We understand that your core business is your SaaS application and that you want an audit. The audit is to be an independent assessment of the company’s ISMS: to measure the maturity of the program, to identify whether the program is ready to pass the certification audit for ISO 27001:2013 certification, and to provide strategic guidance for achieving the certification. Our focus will be your application, which is hosted at AWS/Azure, and the xxx employees who create, maintain, and manage it.

The audit will be conducted remotely, and a dedicated contact person will be assigned to our audit team to facilitate access to documentation, records, and selected staff for interviews. We will complete your standard audit process documentation according to the ISO 27001 standard.

The Plan:

Below is our high-level audit plan for your ISO 27001 internal audit. We propose a staged and flexible approach so we can progressively tune our audit process to deliver maximum business value to you.

Phase 1: This phase starts within week one of signing the engagement contract. The first step is a kickoff meeting to discuss the overall audit engagement, finalize the formal audit plan, and establish access to the documents to be reviewed. We will review the available documents against the ISO 27001 standard. At the end of this phase we will present our findings in a briefing session.

Phase 2: The Phase 2 kickoff will be based on the document review and will coordinate the scheduling of interviews that focus on critical processes, in order to establish the degree to which the various control procedures have been put into operation. This is a critical part of the audit process. We will measure the maturity of the required controls that have been implemented and present the findings in a further review session (schedule subject to interviewee availability).

Phase 3: Recommendations will be the focus of this phase. It will also start with a kickoff meeting to establish a coordinated plan covering which measures are already planned and which new measures are required to actually pass the certification audit (the to-be state). This final step can save you a lot of effort, as we can help you navigate to the end goal of passing the audit while also defining the precise measures that deliver maximum business value. The closing meeting of this phase will present our collective recommendations.

All of the efforts outlined above are aligned to a compliant internal audit process, with a few value-add enhancements. These audit records will likely be a primary target of the certification audit, so they need to be well executed. Your controls also have to be tailored to your business. We can help get you certified, but certification alone does not mean you are actually secure; we can help you achieve both. Missing the secure part would be devastating to you and to all of your customers. This is our value-add.

If you have a question about ISO 27001 internal audit:

LIST OF Materials for ISO Internal Audit

Checkout our latest articles on ISO 27001/2

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Follow DISC #InfoSec blog

Ask DISC an InfoSec & compliance related question

email: Info@DeuraInfoSec.com

Tags: Internal audit, iso 27001, ISO 27001 2013 Gap Assessment, ISO 27001 Internal Audit


Sep 12 2022

The challenges of achieving ISO 27001

Category: ISO 27kDISC @ 8:31 am

ISO 27001 is a widely-known international standard on how to manage information security.

In this Help Net Security video, Nicky Whiting, Director of Consultancy at Defense.com, talks about the challenges of achieving ISO 27001.

ISO 27001 certification is not obligatory. Some organizations choose to implement it in order to benefit from the best practice it contains. Others decide they want to get certified to reassure customers and clients.

ISO 27001 & ISO 27017 & ISO 27018 CLOUD DOCUMENTATION TOOLKIT

What is ISO 27001 Information Classification?

IMPLEMENT ISO 27001 AND ISO 22301 EFFORTLESSLY

ITG is offering bestselling implementation guides free with each toolkit purchase

What are the differences between the 2013 and 2022 editions of ISO/IEC 27002?

How to Maintain ISO 27001 Certification: 7 Top Tips

Enroll for free in ISO 27001 online courses

Tags: iso 27001, iso 27002, ISO/IEC 27001


Sep 07 2022

ISO 27001 & ISO 27017 & ISO 27018 CLOUD DOCUMENTATION TOOLKIT

Category: ISO 27k,Security ToolsDISC @ 10:26 am

Implement ISO 27001 & ISO 27017 & ISO 27018 yourself, and do it easily and efficiently with our Documentation Toolkit.

Step-by-step guidance with LIVE EXPERT SUPPORT

  • 47 document templates – unlimited access to all documents required for ISO 27001 & ISO 27017 & ISO 27018 certification, plus commonly used non-mandatory documents
  • Access to video tutorials
  • Email support
  • Expert review of a document
  • One hour of live one-on-one online consultations with an ISO 27001 & ISO 27017 & ISO 27018 expert
  • Upcoming: free toolkit update for the new ISO 27001 2022 revision

Fully optimized for small and medium-sized companies

TOOLKIT DOCUMENTS

Look at EVERY template in the ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit – for free! – before making a purchase.

Tags: iso 27001, iso 27017, ISO 27018, toolkit


Sep 01 2022

IMPLEMENT ISO 27001 AND ISO 22301 EFFORTLESSLY

Category: CISO,ISO 27k,vCISODISC @ 12:30 pm

Advisera Conformio presentation

Tags: ISO 22301, iso 27001


Aug 23 2022

ITG is offering bestselling implementation guides free with each toolkit purchase

Category: GDPR,Information Security,ISO 27kDISC @ 4:12 pm

For a limited time only, ITG is offering bestselling implementation guides free with each toolkit purchase.*

All the pre-written policies and procedures you’ll ever need.

Written by our expert team of in-house consultants, who have been delivering cyber security and data privacy consultancy for years.

Reviewed throughout the year to ensure you’re always working from the most up-to-date documentation, in line with the latest guidance and standard revisions, including free upgrades.

Accessible on our Cloud-based platform, DocumentKits, so you can collaborate with team members, viewing, editing and downloading documents any time, anywhere.

GDPR Documentation Toolkit

Receive a free copy of EU General Data Protection Regulation (GDPR) – An implementation and compliance guide
Code: GDPR-DK-NEW-0822
ISO 27001 Toolkit

Receive a free copy of ISO 27001 controls – A guide to implementing and auditing
Code: ISO27001-DK-NEW-0822

Tags: gdpr, iso 27001


Jun 20 2022

Get ISO 27001:2022 and 2013 toolkits for the price of one

Category: ISO 27kDISC @ 11:22 am

If you have planned an ISO 27001 implementation, but you are unsure of whether you should go with the 2013 revision or wait for the 2022 revision to be published, we have a solution for you.

Buy the ISO 27001:2022 toolkit now, and receive the 2013 revision toolkit for free! Then you’ll have time to go over your implementation plans and decide if you should start with the project right now, or postpone it until later. With this bundle, you are covered for whatever option you choose.

Step-by-step guidance with LIVE EXPERT SUPPORT

  • 45 document templates – unlimited access to all documents required for ISO 27001 certification, plus commonly used non-mandatory documents
  • Access to video tutorials
  • Email support
  • Expert review of a document
  • One hour of live one-on-one online consultations with an ISO 27001 expert
  • Receive ISO 27001:2022 and ISO 27001:2013 toolkit documents.

Information security, cybersecurity and privacy protection. Information security controls ISO/IEC 27002:2022

Tags: iso 27001, ISO 27001:2022, ISO/IEC 27002:2022, ISO27001:2013


Nov 12 2021

Implementing and auditing an Information Security Management System in small and medium-sized businesses

Category: Information Security,ISO 27kDISC @ 11:02 pm

ISO 27001 Handbook

If you want to understand ISO 27001, this handbook is all you need. It not only explains in a clear way what to do, but also the reasons why.

This book helps you to bring the information security of your organization to the right level by using the ISO/IEC 27001 standard.

An organization often provides services or products for years before the decision is taken to obtain an ISO/IEC 27001 certificate. Usually, a lot has already been done in the field of information security, but after reading the requirements of the standard, it seems that something more needs to be done: an ‘information security management system’ must be set up. A what?

This handbook is intended to help small and medium-sized businesses establish, implement, maintain and continually improve an information security management system in accordance with the requirements of the international standard ISO/IEC 27001. At the same time, this handbook is also intended to provide information to auditors who must investigate whether an information security management system meets all requirements and has been effectively implemented.

This handbook assumes that you ultimately want your information security management system to be certified by an accredited certification body. The moment you invite a certification body to perform a certification audit, you must be ready to demonstrate that your management system meets all the requirements of the Standard. In this book, you will find detailed explanations, more than a hundred examples, and sixty-one common pitfalls. It also contains information about the rules of the game and the course of a certification audit.

ISO 27001 Certification

ISO 27001 Gap Assessment

DISC InfoSec vCISO as a Service

Tags: iso 27001, ISO 27001 2013, ISO 27001 2013 Gap Assessment, iso 27001 certification


Jan 27 2021

ISO Self Assessment Tools

Category: ISO 27k,Security ToolsDISC @ 3:49 pm

The ISO self-assessment tools list includes, but is not limited to, Privacy, ISO 27001, ISO 9001, ISO 14001, and the ISO/IEC 27701 2019 Standard and Toolkit.

Tags: CPRA, Gap assessment tool, Information Privacy, ISO 14001, iso 27001, ISO 27001 2013 Gap Assessment, ISO 27701 Gap Analysis Tool, iso 9001, iso assessment, Security Risk Assessment


Jul 26 2020

Information security, cybersecurity and privacy protection

Category: ISO 27kDISC @ 4:41 pm

Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of privacy information management systems according to ISO/IEC 27701 in combination with ISO/IEC 27001 (DRAFT)

Within a year or so, organisations will be able to have their Privacy Information Management Systems certified compliant with ISO/IEC 27701, thanks to a new accreditation standard ISO/IEC TS 27006 part 2, currently in draft.

Source: ISO/IEC TS 27006-2 — Information security, cybersecurity and privacy protection

“Potentially, a PIMS certificate may become the generally-accepted means of demonstrating an organisation’s due care over privacy and personal data protection – a way to assure data subjects, business partners, the authorities and courts that they have, in fact, adopted good privacy practices.”

ISO/IEC 27006 | Wikipedia audio article
httpv://www.youtube.com/watch?v=3Bd_VXgmZ_o


ISO/IEC 27701 2019 Standard and Toolkit

ISO 27001 self assessment Tools

Download a Security Risk Assessment Steps paper!

Subscribe to DISC InfoSec blog by Email

Take an awareness quiz to test your basic cybersecurity knowledge

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles
Tags: iso 27001, iso 27006, ISO 27701
