In 2022, the FBI's Internet Crime Complaint Center reported that total reported cybercrime losses rose from $6.9 billion to $10.2 billion in a single year. Every organization must assess its cybersecurity risks and put together a comprehensive plan. Businesses can present their long-term security plans in the form of ISO 27001 mandatory documents for audit by an accredited certification body. Businesses that pass can advertise ISO 27001 certification, bolstering trust within their field while reducing risk at the same time.
Thorough cybersecurity documentation is useful in its own right. The documentation ISO 27001 requires includes companywide policies that help prevent and contain costly data breaches. Employees can consult concrete policies to improve their own security practices, and writing those policies forces executives to understand the threats the business actually faces.
The primary purpose of this documentation is to support review and certification against ISO 27001, the most widely adopted information security management standard; the number of ISO 27001 certificates grew roughly 20% worldwide in 2022. Maintaining certification requires annual surveillance audits of the business's ISMS documentation and supporting evidence, with a full recertification audit every three years.
Cybersecurity incidents do not always originate inside a business itself. Any contractor or partner that has access to a company's systems or data can cause a breach of that data just as an insider can, so a security plan has to cover third-party access as well.
Achieving ISO 27001 certification signals to partners, clients and consumers that a business has an independently audited plan in place to prevent and respond to data breaches. This builds trust and opens collaborative paths for long-term growth. Large enterprises such as Microsoft, Apple, Verizon, Google and Intel hold ISO 27001 certifications for at least some of their services.
The clauses of ISO 27001 specify what a business must document about its information security management system (ISMS) to pass an audit and achieve certification. The standard publishes no single consolidated checklist; instead, individual clauses (scope, policy, risk assessment, risk treatment, objectives, and so on) each call for specific documented information. In practice, a common set of six documents covers all of these clause requirements efficiently.
The ISMS Scope Document is a short document that defines which assets, locations, departments and systems the ISMS covers and which fall outside its boundary. Auditors test everything else against this boundary, so it is the vital starting point.
Top management must establish an information security policy tailored to the needs and operations of the specific business. The policy itself states commitments and direction; the audit then looks for hard evidence (training records, sign-offs, reviewed procedures) that it is communicated, known and followed at all levels of the organization.
Clients and partners will ask to see and evaluate this policy, so it is worth the time to make it as strong, specific and comprehensive as possible. Avoid fluffy reassurances in favor of facts and actionable, easy-to-visualize steps. Distribute the policy to all employees with scheduled training that explains each step and fail-safe.
One of the most research-intensive ISO 27001 mandatory documents is the risk assessment report and its methodology. It lists the information security risks specific to the organization and rates each one, typically by combining the likelihood of the event with its impact on the confidentiality, integrity or availability of information.
The document must also record the methodology used so that repeated assessments give comparable results. A company-issued laptop, for example, is an asset rather than a risk; the risk is the loss or theft of a laptop holding company data. Key factors in assessing that risk include the number of laptops in circulation, the type of laptops, and the security settings on each (such as full-disk encryption and screen lock), which determine how likely and how damaging a loss would be.
Annex A of ISO 27001 is a reference list of security controls (114 in the 2013 edition, consolidated to 93 in the 2022 edition) that apply to some organizations but not others. For example, Annex A includes controls on secure software development, which an organization that develops no software of its own can justify excluding. Every exclusion must be justified; a control cannot simply be skipped.
The Statement of Applicability lists every Annex A control, states whether it applies, and justifies each inclusion or exclusion. For every control deemed applicable, it must also state how the organization implements it and whether the implementation is complete, which the auditor will verify against evidence.
The risk treatment plan outlines how the organization will mitigate the risks listed in the risk assessment. Risks rated high priority should receive especially specific and comprehensive treatment plans that cross-reference the other ISO 27001 mandatory documents, such as the Statement of Applicability controls that address them. The four accepted risk treatment options are:
Each risk must be assigned one of these four options, typically together with an owner and a target date. Completing the risk treatment plan turns the security policy from step two into concrete, actionable work. Auditors look for treatment plans backed by evidence of implementation and effectiveness, so it pays to be as specific as possible in this document.
This document lists the organization's information security objectives, tied to the risks and treatments already documented. Many businesses have goals in place before they compile their ISO 27001 mandatory documents; include the steps already under way as well as future goals.
Objectives should be practical and measurable and provide real benefit rather than being purely administrative. Auditors will look for evidence that the goals are being pursued and that results are measured. If one objective is to maintain a reliable cloud service, include the measured availability (total uptime and downtime) over the period. Another measurable objective is the rate at which employees report simulated phishing emails to security staff.
Achieving ISO 27001 certification is not a simple process. Developing a specific and actionable long-term security plan that identifies and addresses all risks is difficult, and documenting that process to the standard's requirements is a major additional challenge.
At Compyl, our experienced compliance experts help businesses format and organize ISO 27001 mandatory documents that deliver the evidence auditors are looking for. Clients and partners also require specific and copious documentation of security plans. Contact us to begin crafting and documenting an effective cybersecurity system.