ISO/IEC 27001 - Q&A Session

1. What is the purpose of ISO/IEC 27001 and why is this standard so important? 

ISO/IEC 27001 helps organizations of any size to have processes that ensure confidentiality, integrity and availability of the information collected during the company’s operation. In other words, the Information Security Management System (ISMS) aims to ensure security of the information and to provide the opportunity to confidently learn from the best practices that are in the standard. Security is a very broad subject; thus, having a starting point is important, and this standard offers that landmark.

2. Which are the most important clauses of the ISO/IEC 27001 standard?

Information security is all about risk management; therefore, I consider Clause 6 – Planning the most important clause of this standard. In this clause, companies plan how to assess and treat the information security risks. Meaning, if we fail to properly plan the information security risk management, we plan to fail the whole information security management system.

After Clause 6, the next important clause is Clause 8 – Operation, where we will implement what has been planned in Clause 6. Information security risks are the most important points that will be considered for an effective ISMS.

3. Which industries can benefit the most from the ISO/IEC 27001 standard and how?

Some industries, being obliged by law, are required to meet a certain level of confidentiality. More specifically, the healthcare sector, the financial industry, data centers, hosting or cloud computing industries are just some of the industries that are required to assure integrity and availability as part of their service provision. As such, they are considered to be the industries that can benefit the most from ISO/IEC 27001, since it offers the framework for an environment that meets confidentiality, integrity, and availability requirements.

4. According to ISO/IEC 27001, what is risk assessment and risk management?

The risk assessment, as defined in the ISO/IEC 27001 standard, is part of the risk management system. The standard requires assessing and treating the information security risk, and the identified risks shall be reassessed and treated as needed to an acceptable level. All this iterative activity is also known as risk management, which is of absolute significance for an effective information security management system. Moreover, it is recommended to define the risk management process or risk management methodology that leads to the same results in different conditions and environments.

5. What is the relationship between ISO/IEC 27001 and ISO/IEC 27002? What other ISO management system standards are related to ISO/IEC 27001?

Typically, ISO/IEC 27001 is used in conjunction with the ISO/IEC 27002 standard, even though it is not mandatory to do so. In fact, the ISO/IEC 27002 standard provides guidance on how to implement the ISO/IEC 27001. When an interpretation issue arises during an audit, between an auditee and an auditor, the ISO/IEC 27002 standard helps to clarify the control objectives. Personally, I always have both standards handy; even when I am auditing an ISO/IEC 27001, I will simultaneously use the ISO/IEC 27002. ISO/IEC 27002 is not a certifiable standard, but it helps you head in the right direction.

Many other standards are closely tied to ISO/IEC 27001. The most frequent include:

  • ISO/IEC 27017: Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services. This standard is the variant of ISO/IEC 27002 specific for cloud services and it is also used in conjunction with ISO/IEC 27001.
  • ISO/IEC 27018: Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. This standard sets out guidelines for the implementation of the control objectives as specified in ISO/IEC 27002 for the specific domain of cloud services acting as PII processors. Thus, it is related to the ISO/IEC 27001.
  • ISO/IEC 27701: Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management. This standard provides some additional requirements and guidelines specific to privacy management systems. It is difficult to implement or audit ISO/IEC 27701 without ISO/IEC 27001 since it is just an extension of that one. Thus, I strongly believe that the next version of ISO/IEC 27001 will combine all the requirements of the ISO/IEC 27701.

6. Is there a legal requirement to comply with or be certified to ISO/IEC 27001?

Like any other ISO standard, there is no legal requirement to comply with or be certified to ISO/IEC 27001. That initiative remains voluntary but the benefits of getting certified are immense. That goes from competitive advantage to a robust and confident information security management system. In fact, the certification is a tool for self-discipline towards continuous improvement in every system.

Most jurisdictions in the world have their own laws and regulations for information security. Most of the time, that would be in the form of a Privacy Act. Nevertheless, a company that is already certified to ISO/IEC 27001 would have covered most of the State’s Privacy Act requirements. Simply put, certification is not mandatory but recommended.

7. How does the certification audit against ISO/IEC 27001 help companies?

An audit is always an external view on a system and, as such, it brings real value especially to the audited organization when the audit is done in a spirit of continuous improvement and not in a judgmental manner.

The audit itself is not intended to look for non-conformities, but rather to look for conformities. That means regardless of the audit outcome, the audited company always benefits from it. At least it provides an opinion whether the system is compliant, effective or not, and that will ultimately help the organization to seek improvement.

8. Please elaborate on the main similarities and differences of ISO/IEC 27001 and SOC 2 controls.

ISO/IEC 27001 and SOC 2 both address security concerns. The main differences are the fact that the first one is more generic and applicable to any type of organization, whereas the second one is focused more on data centers or cloud service providers. Additionally, ISO/IEC 27001 is more widely accepted worldwide, whereas SOC 2 is more predominant in the United States.

Furthermore, the SOC 2 is a framework and not a standard that applies to all technology services that store customer data in the cloud. Its objective is to ensure proper safeguard, privacy, and security of customer data.

In addition, the company that has the ISO/IEC 27001 and/or SOC 2 needs to periodically assess them to remain valid. A SOC 2 attestation is audited and issued by a licensed CPA firm, whereas an ISO/IEC 27001 certification is audited and issued by an Accredited Certification Body.

Considering the above-mentioned facts, we clearly understand that ISO/IEC 27001 and SOC 2 are similar in the sense that their end goal is to assure information security, but they differ in their nature and their implementation spectrum.

9. What are some tips to get ready for a certification audit against ISO/IEC 27001?

ISO/IEC 27001 is a pretty straightforward standard. Since the control objectives are typically not mandatory to implement, my advice to any company before a certification audit is:

  • To make sure to have covered clauses 4-10 of the standard,
  • To make sure to have living risk management activities,
  • To have conducted a management review and internal audits along with proper action plans,
  • And, as far as possible, to cover all the control objectives relevant to the business, exclude from the scope those that are not applicable, and provide justification regarding their exclusion. Typically, that is known as producing a Statement of Applicability that contains the necessary controls.

About the Responder

Gérard KOFFI is a professional management consultant with broad experience and education, well versed in the theories and principles of quality management.

He is a PECB MS certified Management Systems Auditor for ISO/IEC 27001, ISO/IEC 27701, ISO 9001, ISO 14001, and ISO 45001. Additionally, he has a diploma in Quality Control, a bachelor's degree in Quality Management, another bachelor's degree in Sustainable Development from Université Felix Houphouet Boigny – Abidjan, Côte d’Ivoire, and a postgraduate certificate in Quality Engineering from Conestoga College, Ontario, Canada. He has more than 16 years of experience in consulting, training, auditing and process optimization. Besides his responsibility as owner and president of Formatour Incorporated, a leading training organization, Gérard KOFFI is also involved in International Standard development with the Standards Council of Canada, where he is a member of the subcommittee CAC/JTC1/SC40 - IT Service Management and IT Governance.

The expertise of Gérard KOFFI has had an impact on organizations such as Orange, Cocitam, Geza Expertise, Clear Spider, Alimentiv, Curtis International, Nuday Networks, Coxautomotive, etc. He has proven achievements in the oil, consumer electronics, telecommunication, information technology, and automotive industries, and in the education sector.