supernav-iconJoin Us at AWS re:Invent 2024

Contact Sales

  • Sign In
  • Get Started
HomeGRC CentralISO 27001Demystifying ISO 27001

Ask an Auditor: Demystifying the ISO 27001 Certification Process With ARORA Solutions

Ask an Auditor Demystifying the ISO 27001 Certification Process With Steve Cullen From ARORA Solutions

What's Inside

Achieving ISO 27001 can come with a lot of questions. Lead Auditor at ARORA Solutions, Steve Cullen, breaks down how to set your organization up for a successful ISO 27001 audit.

Contents
About Steve CullenHow Do You Begin Your Journey for ISO 27001?What is the Biggest Mistake Companies Make When Preparing for ISO 27001?How Do I Know My Organization is Ready for an ISO 27001 Audit?

Sometimes, getting started is the hardest part, and an ISO 27001 audit is no exception. In this edition of Ask an Auditor, Steve Culen, from ARORA Solutions and Drata’s Director of Compliance Advisory Services, Troy Fine, broke down all things ISO 27001.

Automate ISO 27001 Compliance With Drata

Meeting compliance requirements can be an arduous and manual effort. Let us take you from security novice to continuous monitoring in a few hours.

Learn More

About Steve Cullen

Steve Cullen, MBA, ISO 27001 Lead Auditor, HITRUST CCSFP, is the Founder and Managing Director of ARORA Solutions LLC. Steve began his career working for one of the largest ISO certification bodies in North America, NSF International. 

Following his time in the Peace Corps, Steve founded ARORA Solutions, performing audits throughout Asia-Pacific and North American regions. Through working with a variety of cultures, clients, and certification bodies, Steve and his team have found that a human-centric approach can help pivot companies to embrace a security-centric culture that allows for flexibility and innovation.

How Do You Begin Your Journey for ISO 27001?

Initiating the project usually involves a few steps. Before conducting a readiness assessment or an internal audit, getting management buy-in for the project will be at the top of your list. Steve recommends clearly defining the benefits of ISO 27001, including ways strong cyber and information security can strengthen the brand, increase client trust, and save the organization millions of dollars by preventing data breaches.

Once management signs off, it’s always best to perform a readiness assessment or an internal audit to see which areas of your organization need improvement.

Start Your ISO 27001 Journey With These 8 Steps

Download our eight-step checklist to help you get started on your ISO 27001 certification journey the right way.

Download Now

What is the Biggest Mistake Companies Make When Preparing for ISO 27001?

Not conducting a readiness assessment or internal audit beforehand can bring up a lot of problems down the road. Steve points out that it’s common for businesses to move forward with a project without actually assessing their implementation or usage of the controls they’ve put in place. 

Certification bodies want to see companies that fully understand and apply the measures they’ve set, so it’s important to keep your employees educated and accountable. It’s also wise to conduct a gap assessment once you’ve started to put controls in place to catch any of these issues.

Another common mistake both Steve and Troy have found is organizations with policies that don’t match the reality of their business. Since you can write your own policies, you don’t have to include anything that you either can’t do or is simply not necessary for your company. Steve recommends using policy templates, like the ones from Drata, to provide guidance when writing them.

Steve also warns against these things when preparing for ISO 27001:

  • Improperly defining the ISMS scope

  • Inadequate employee security training

  • Improperly performed risk assessments

  • Metrics and implementation plans for info sec don’t align with company objectives

  • Improper record keeping—ISO is really big on having evidence

  • Inadequate access controls and access management—especially in DevOps 

How Do I Know My Organization is Ready for an ISO 27001 Audit?

If you’re in a mature organization with several infosec controls, it could merely be putting those policies into place. For those starting from scratch, it could be a heavier lift. 

Once you have everything in place (internal audit, pre-certification readiness assessment), Steve recommends conducting a management review to make sure upper management is aware of the entire ISMS. These reviews go over every single part of the ISMS—including policies, metrics, operations, and any deficiencies in the internal audit.

Before undergoing an audit, Steve suggests you have:

  • All the basic documentation in place, including running the system for a period of three to six months.

  • A trained team that promotes a cyber aware culture.

  • Risk assessment and risk treatment plans in place.

  • A connection with your certification body—they can offer specific advice as to what you need to do to get ready and what you should be on the lookout for.

  • At least 75% passing tests and controls in your compliance automation system.

“You’ll know if you’re ready. Do your internal audit, prepare your controls. If you have risk, identify risk and treatment plans.”

These were just some of the questions covered in this edition of Ask an Auditor. Check out the webinar to hear Steve and Troy’s answers to these questions and others, including:

  • What is the best way to address exceptions or nonconformities?

  • Are there areas or departments typically excluded from your scope?

  • Which version of ISO 27001 should I start out with?

For more information about ISO 27001, other frameworks, or compliance automation, sign up for Trusted, our bimonthly newsletter.

Get Audit-Ready Faster With Drata's ISO 27001 Compliance Solution

Book a demo of Drata’s ISO 27001 compliance solution to learn how to get audit-ready faster.

Schedule a Demo

Get Started With ISO 27001

Everything you need to know before you pursue ISO 27001 compliance.

View All
ISO 27001 A Beginner’s Guide

ARTICLE

Beginner's Guide: ISO 27001 Compliance

Budgeting for ISO 27001 How Much Does Certification Cost

ARTICLE

How Much Does ISO 27001 Certification Cost?

ISO 27001 Checklist 8 Easy Steps to Get Started

ARTICLE

ISO 27001 Checklist: 8 Easy Steps to Get Started

Ask an Auditor Demystifying the ISO 27001 Certification Process With Steve Cullen From ARORA Solutions

ARTICLE

Ask an Auditor: Demystifying the ISO 27001 Certification Process With ARORA Solutions

Take Your Learning Further

Discover research, playbooks, checklists, and other resources on ISO 27001 compliance.

Explore ISO 27001 Hub