What Is ISO/IEC 27001?
ISO 27001, as it’s commonly known, specifies how organizations should implement, maintain and continually improve an information security management system. First published in 2005, the standard was updated in 2013 and reaffirmed in 2019. The latest release is scheduled for publication in October 2022.
At the heart of ISO 27001 are 114 security controls categorized under 14 domains of common concern for information security professionals. Under the information security policies domain, for example, the first control mandates that organizations clearly define and share their information security policies with employees and other stakeholders, while the second control states that these policies should be regularly reviewed and updated. Other domains and their respective controls focus on topics ranging from human resource security to cryptography, business continuity and incident management.
EXPLORE: Ransomware prevention best practices for state and local governments.
Debolina Sinha, senior advisory manager with Deloitte and an expert on ISO audits and implementations, notes that for an organization to be ISO 27001-certified, it needs to implement only those controls that pertain to it.
“It’s a very flexible standard, but you do need to be able to justify whether each control is applicable or not,” Sinha says. Organizations pursuing certification must complete a “Statement of Applicability” as part of the process. “That’s one of the most important things your auditor is going to want to see.”
How Does ISO 27001 Certification Work?
While many organizations around the world are ISO 27001-certified, others simply refer to the standard to ensure they’re following best practices for information security. Those that choose certification typically do so to gain credibility within their industry and with their customers.
“It shows that you’re taking cyberthreats seriously,” Sinha says.
DISCOVER: How to best spend upcoming cybersecurity grants.
The certification process is led by an external certification body, not by ISO or IEC, and ISO recommends that interested parties work with an accredited organization for this purpose. A list of more than 1,200 such organizations is available on the website of the International Accreditation Forum.
To earn certification, the organization must undergo a comprehensive certification audit. Auditors first review the organization’s ISO 27001 Information Security Management System documentation to ensure it has the required policies and procedures in place, and then they look closely at its major business processes and its respective security controls.
What Are the Benefits of ISO 27001 for Government Agencies?
In its decision to become ISO 27001-certified, NJ Transit is an outlier not only among transit agencies, but state agencies of all kinds.
“For most of these organizations,” says Srini Subramanian, principal with Deloitte Risk and Financial Advisory, “they’re already complying with the National Institute of Standards and Technology Cybersecurity Framework, so interest in ISO is really low.”
LEARN ABOUT: Best practices for state agencies to strengthen identity protection.
However, Subramanian says he can see why NJ Transit opted for certification: “It shows the people they’re serving — the residents of the state — that they’re fully committed to maintaining a security program of the highest level.”
Khan would agree with that. The controls that are part of ISO 27001 “help us maintain our guardrails,” he says. “They help us manage the tension between enabling business and making sure we have boundaries established so we’re not risking our systems to cybercriminals and malware and all the other threat vectors we’re facing every day.”
How Does ISO 27001 Help Agencies Improve Cybersecurity?
Two of the standard’s domains, asset management and supplier relationships, stand out for how they’ve helped his team mitigate cybersecurity risk, Khan says.
“It’s key for us to have a strong understanding of the assets that are connected to our network, and it’s equally important to know who our suppliers are working with” and the cybersecurity risks they may present, he says.
Many suppliers have business relationships with multiple layers of third-party vendors. “If our suppliers aren’t looking at their downstream risks, our own risks become exponentially higher,” Khan says.
Central to ISO 27001 is the concept of continuous improvement, where organizations use a model like the plan-do-check-act (PDCA) cycle as they seek to make changes to their systems and procedures.
REVIEW: The collective cybersecurity measures state and local governments are implementing.
For NJ Transit, Khan says this iterative approach to information security management has paid dividends to the agency.
“It’s allowed us to really drill into our processes and then formalize them,” he says. “We know that all these malicious actors are always morphing and adapting. With ISO 27001, we’re morphing as well. We’re moving toward better and stronger cybersecurity management systems.”
Organizations are certified for three years after they pass the initial audit, but they must submit to additional audits annually, and certification can be revoked if they don’t meet the standard’s requirements.
“It’s an ongoing process,” Khan says. “Each year, they expect you to take corrective actions to address any issues identified the year prior.”
NJ Transit’s ISO 27001 certification is valid through 2023, at which point the agency plans to get recertified. “It does take work, but it’s worthwhile,” Khan says. “It makes us a better organization.”