ISO 27001 – A Compass, Not a Cage
ISO 27001 is the first standard that I wanted to deep dive into. When deciding which compliance I want to learn more about, I kept finding myself gravitating toward ISO 27001.
Why ISO 27001? It is the “Gold Standard” of compliance standards. As an organization, ISO 27001 is something we can proudly display. We have this badge that says to the world, “We take our information security seriously, we have a system in place that reflects this, and we have the third-party audits that back up this claim”.
Where is ISO 27001 recognized? Universally. We can apply ISO 27001 to many different types of enterprise organizations across many different countries. If you are a multinational corporation, this certification is often recognized across most of Europe, Asia, and the Middle East. I like the idea of learning this “Gold Standard” as a baseline before diving into other compliance standards.
How does an organization become ISO 27001 compliant? I am simplifying this, but essentially you will have an auditor from an accredited certification body come to perform an audit. They are going to examine your ISMS (Information Security Management System) and then test that ISMS to verify that it is working as intended. If the organization passes the audit, it is given an initial certification showing that it is ISO 27001 compliant.
When does this certification expire? It expires after 3 years, but it’s important to note that after the initial audit, there will be surveillance audits in years 2 and 3 of holding this certification. These surveillance audits ensure that you are still upholding the same security standards. At the end of year 3, you can get a recertification audit (a full-scale audit) and the cycle repeats.