How to achieve ISO 27001 certification for your organisation
15 February 2023
iO's campuses in Utrecht, Eindhoven and Den Bosch recently achieved a much-coveted certificate: ISO 27001. These are the first steps towards a fully ISO 27001 certified iO. The ISO 27001 certification is the international standard for information security that helps us to deal with information security in a structured way. Obvious? Of course, and essential for every organisation that operates in the digital environment.
Are you thinking about ISO 27001 certification for your organisation? Or do you want to convince your digital partners to take the leap, if only for the digital security of your shared data? Read more about our experiences with the certification process and the lessons we learned here.
But first: more about ISO 27001
ISO 27001 certification is the globally recognised standard for information security.
It covers complying with laws and regulations such as GDPR, safe on- and offboarding of employees, secure development, the security of assets including laptops and mobile phones, authorisations, cryptography, and physical security.
Whether it is a breach of personal data, a DDoS attack or the circulation of phishing email traffic, the smallest error in an organisation can have major consequences. ISO 27001 certification in itself does not directly guarantee that the above situations will never occur, but it does guarantee that there are precautions and emergency procedures in place to guide your organisation on how to act quickly and thus reduce negative impacts.
To obtain ISO 27001 certification, you must demonstrate that your organisation has successfully implemented 114 unique control measures. Once you have proven to a team of external auditors that your organisation complies with these measures, you will be awarded official ISO 27001 certification for three years.
External auditors will visit your organisation to confirm that you are maintaining or improving on the ISO 27001 standards.
ISO 27001: Availability, Integrity, Confidentiality
The 114 control measures cover the most important characteristics of a reliable information security policy: availability, integrity, and confidentiality.
Availability: Data should only be available to authorised users when they need it. This also means that systems, networks, and devices must always remain operational.
Integrity: Is your data correct and can you trust the source? A data policy with integrity means keeping data in the correct state – untouched, correct, authentic, and reliable.
Confidentiality: How secure is the data that your organisation uses? This often means that only authorised users and processes are allowed to access or modify data.
Why do you want your organisation to be certified?
Securing your information efficiently isn’t optional in the digital world, it’s an absolute necessity. ISO 27001 is the most reliable way to demonstrate to your clients that your organisation has everything it needs in the field of information security, and it also makes you stand out from the competition.
Consider the road to an ISO 27001 certificate as an opportunity to raise employee awareness about information security: think of sharing new policies in this area and making the role that security has within your organisation more prominent. It’s a great opportunity to help your teams to understand that information security is a necessity in the digital world.
It’s important that you make sure that this level of information security fits with the culture and objectives of your organisation, to ensure that your efforts are widely supported.
Thinking of drafting your own information security policy? Keep it brief: a maximum of one A4 is enough.
Don’t think about ISO 27001 certification as the end goal, but as the starting point of implementing information security processes within your organisation. It is the start, rather than the goal, of a higher level of security.
Provide dedicated security teams as points of contact for information security, incidents, and privacy-related matters.
Make sure that your security teams and the Information Security Officer are always accessible quickly and easily.
Time for a conversation about iO, ISO 27001 and your organisation?
Contact us. We are happy to share our knowledge on proper information security processes and give you an insight into the steps we took to comply with the ISO 27001 certification.
Roelof Jan Vreeling, Information Security Officer | iO
Information security is far from new, but an innovative idea all the same. As Information Security Officer, Roelof Jan advises the organisation in achieving its strategic objectives, implements the information security policy and acts as the point of contact for colleagues and customers. With a critical eye where necessary, to bring tangible added value to every (digital) organisation.