Ask an Auditor Demystifying the ISO 27001 Certification Process With Steve Cullen From ARORA Solutions

What's Inside

Achieving ISO 27001 can come with a lot of questions. Lead Auditor at ARORA Solutions, Steve Cullen, breaks down how to set your organization up for a successful ISO 27001 audit.

Sometimes, getting started is the hardest part, and an ISO 27001 audit is no exception. In this edition of Ask an Auditor, Steve Cullen from ARORA Solutions and Drata’s Director of Compliance Advisory Services, Troy Fine, broke down all things ISO 27001.

About Steve Cullen

Steve Cullen, MBA, ISO 27001 Lead Auditor, HITRUST CCSFP, is the Founder and Managing Director of ARORA Solutions LLC. Steve began his career working for one of the largest ISO certification bodies in North America, NSF International. 

Following his time in the Peace Corps, Steve founded ARORA Solutions, performing audits throughout Asia-Pacific and North American regions. Through working with a variety of cultures, clients, and certification bodies, Steve and his team have found that a human-centric approach can help pivot companies to embrace a security-centric culture that allows for flexibility and innovation.

How Do You Begin Your Journey for ISO 27001?

Initiating the project usually involves a few steps. Before conducting a readiness assessment or an internal audit, getting management buy-in for the project will be at the top of your list. Steve recommends clearly defining the benefits of ISO 27001, including ways strong cyber and information security can strengthen the brand, increase client trust, and save the organization millions of dollars by preventing data breaches.

Once management signs off, it’s always best to perform a readiness assessment or an internal audit to see which areas of your organization need improvement.

What is the Biggest Mistake Companies Make When Preparing for ISO 27001?

Not conducting a readiness assessment or internal audit beforehand can bring up a lot of problems down the road. Steve points out that it’s common for businesses to move forward with a project without actually assessing their implementation or usage of the controls they’ve put in place. 

Certification bodies want to see companies that fully understand and apply the measures they’ve set, so it’s important to keep your employees educated and accountable. It’s also wise to conduct a gap assessment once you’ve started to put controls in place to catch any of these issues.

Another common mistake both Steve and Troy have found is organizations with policies that don’t match the reality of their business. Since you can write your own policies, you don’t have to include anything that you either can’t do or is simply not necessary for your company. Steve recommends using policy templates, like the ones from Drata, to provide guidance when writing them.

Steve also warns against these pitfalls when preparing for ISO 27001:

  • Improperly defining the ISMS scope

  • Inadequate employee security training

  • Improperly performed risk assessments

  • Information security metrics and implementation plans that don’t align with company objectives

  • Improper record keeping—ISO is really big on having evidence

  • Inadequate access controls and access management—especially in DevOps 

How Do I Know My Organization is Ready for an ISO 27001 Audit?

For a mature organization that already has many infosec controls, getting ready may simply mean formalizing those controls as documented policies. For an organization starting from scratch, it can be a much heavier lift.

Once you have everything in place (internal audit, pre-certification readiness assessment), Steve recommends conducting a management review to make sure upper management is aware of the entire ISMS. These reviews go over every single part of the ISMS—including policies, metrics, operations, and any deficiencies in the internal audit.

Before undergoing an audit, Steve suggests you have:

  • All the basic documentation in place, including running the system for a period of three to six months.

  • A trained team that promotes a cyber aware culture.

  • Risk assessment and risk treatment plans in place.

  • A connection with your certification body—they can offer specific advice as to what you need to do to get ready and what you should be on the lookout for.

  • At least 75% passing tests and controls in your compliance automation system.

“You’ll know if you’re ready. Do your internal audit, prepare your controls. If you have risk, identify risk and treatment plans.”

These were just some of the questions covered in this edition of Ask an Auditor. Check out the webinar to hear Steve and Troy’s answers to these questions and others, including:

  • What is the best way to address exceptions or nonconformities?

  • Are there areas or departments typically excluded from your scope?

  • Which version of ISO 27001 should I start out with?

For more information about ISO 27001, other frameworks, or compliance automation, sign up for Trusted, our bimonthly newsletter.
