Technically Speaking: Your ISO 27001 Checklist

You’ve heard it once, and you’ll hear it again – ISO 27001 compliance is complicated and complex to understand, let alone implement, especially if you’re a startup.

But for us to keep honing on about how complex it is won’t get you very far when it comes to actually getting compliant. Sometimes, all you need is for someone to tell it to you straight – technicalities and all, which is what we’re here to do.

In this piece, we’re putting on our tech-wiz hats and rallying all the ISO 27001 gurus to help you better understand our ISO 27001 checklist and gain a deeper understanding of the technical requirements and prep involved in getting (and staying) compliant.

Keep in mind that this by no means covers all requirements. For that, we’re going to need a whole book. Fortunately, you can look at that, too, if you want!

ISO 27001 for Startups: The Ultimate Handbook for SaaS Companies

Appointing Your ISO 27001 Implementation Team and Governing Body

This may seem like one of the more straightforward steps (and you’re right), but its technicalities and importance shouldn’t be overlooked. Your internal governing body will oversee and own the entire ISO 27001 process. This goes beyond delegated tasks and brushing up on “How to get compliant” articles. Your implementation team will ultimately determine the scope of the certification process, create all the information management practices and policies, and work directly with the auditor. They can either be your greatest asset or greatest vulnerability.

The team size will largely depend on the scope of the data you manage. However, regardless of the size of your team, we recommend you prioritize the following traits when appointing your team:

A good understanding of IT
A background in project management
An understanding of 27001 compliance and the ability to communicate this effectively, including familiarity with its legal and regulatory requirements.

Defining The Scope of Your Isms

In order to define your scope, you need to determine exactly what kind of information you need to protect. This needs to happen before you can even begin to build your ISMS. However, keeping your ISMS in mind from the beginning is crucial. This step is tricky because each business is unique and houses different types of data. You also need to accurately pinpoint which processes, assets, and other tasks that should be covered in the project. But it gets more technical than simply creating an overview document.

According to the ISO 27001 requirements, you have to do the following when defining the scope:

Take internal and external issues (defined in clause 4.1.) into account: This means considering the context of your organization in regard to external factors such as market and customer trends, perceptions and values of external interested parties, applicable laws and regulations, and technological trends and innovations. Internal factors also play a significant role, such as your organizational structure and organizational drivers (like values expressed in its internal culture)
Consider all the requirements of interested parties (defined in clause 4.2.): An interested party, often referred to as a stakeholder, is someone or an organization that has the potential to affect or be affected by your information security or business continuity efforts.
Evaluate whether interfaces and dependencies influence the scope: For instance, if employees from two distinct departments share identical office space, software systems, and data repositories, including one department within the ISMS scope becomes highly challenging without encompassing the other. Be sure to document any justifications for including or excluding certain departments in your ISMS scope.

Once these three core areas have been thoroughly researched and defined, businesses can then proceed to define any exclusions from the scope – e.g., private devices are excluded- and continue to write the ISMS scope document.

Performing a Risk Assessment and Risk Treatment

A formal risk assessment is required for ISO 27001 compliance. This means that organizations must have documented evidence of the data, analysis, and results of their risk assessments, which can be tricky without a designated compliance team. Nonetheless, it needs to be done. Why? Well, a risk assessment aims to determine your information security risks and their likelihood of occurrence and impact. Once this is completed, your risk treatment plan is the process of identifying which security controls are needed to mitigate the specific incidents outlined during the risk assessment. During the risk treatment process, the relevant security controls are chosen from Annex A, which specifies 93 controls.

During this stage, you must also create your Statement of Applicability. This document serves as the security profile of your company, derived from the outcomes of the risk treatment process outlined in ISO 27001. It necessitates the comprehensive listing of all implemented controls, the rationale behind their implementation and the methodologies employed. Additionally, this document holds significant importance as it is the primary reference point for certification auditors during the audit process.

Choosing Security Controls

As mentioned above, during your risk treatment phase, you must decide which security controls to implement (and then actually implement them). For many startups, this is one of the most daunting aspects of the certification process.

The list of controls is found in Annex A, and contrary to popular belief, they aren’t all technical controls. It’s segmented into four core domains to make the list more digestible.

A.5 Organizational controls: Controls for setting the most important security processes and documentation.
A.6 People controls: Controls related to secure management of human resources.
A.7 Physical controls: Controls related to secure areas and equipment protection.
A.8 Technological controls: IT and communication controls.

Practically speaking, most businesses will have to involve specialists within each department to gauge which controls fit. For example, if your risk treatment involves your IT landscape, you must involve your IT team to tap into their expertise. If, for instance, your risk treatment plan involves controls related to security awareness training, you will have to involve your HR team.

Needless to say, this may prove challenging for small businesses that may not have compliance experts in each relevant department.

Performing Internal Audits

Internal audits are critical when it comes to ISO 27001 compliance. An internal audit facilitates the identification of issues, commonly known as ISO 27001 non-conformities, that might otherwise remain undetected, posing potential risks to your business operations. Moreover, internal audits serve as a primary source of information for management reviews. By engaging in ISO 27001 internal audits, employee awareness regarding ISMS issues is heightened, fostering active participation in the continual improvement of the management system. Consider using internal audits as a tool for engagement and education within your organization, promoting a culture of security awareness.

Management Review and Corrective Actions

Even with a full-blown compliance team, upper management doesn’t get away scot-free. Although they don’t have to be involved in the nitty-gritty, top management is still required to keep tabs on the overall ISO 27001 certification process, whether everyone has performed their duties, and whether the ISMS is achieving the desired results. Based on their understanding and overview, management must consider the state of compliance and align it with the overall business strategy. It is also the responsibility of upper management to ensure all non-conformities are corrected (or even prevented) and that all non-conformities are systematically identified, resolved, and verified.

Sound overwhelming? It doesn’t have to be.

Achieving ISO 27001 compliance is a significant milestone for any startup, demonstrating a strong commitment to information security. While the journey requires effort, the benefits in terms of customer trust and risk management are invaluable.

Diving Beneath the Surface: We’re Afraid That’s Only the Tip of the Iceberg

Although we’ve only just scratched the surface regarding the certification process, it’s clear that without experts in your corner, achieving ISO 27001 compliance can put a startup or small business at a complete standstill. That is, of course, assuming nothing has slipped through the cracks.

Fortunately, although it’s a full-time job – it doesn’t have to be yours.

We’ve got you covered. At Scytale, we provide end-to-end ISO 27001 compliance (and fast) to help you get and stay compliant.

Ditch the stress and opt for effortless compliance instead.

You may also like

Blog

April 24, 2024
The 5 Best Practices for PCI DSS Compliance

This blog discusses the essentials of PCI DSS compliance, and the 5 best practices for maintaining compliance.
Product Update

April 23, 2024
More Time Selling, Less Time Questioning – Introducing Scytale’s AI Security Questionnaires!

Scytale’s AI Security Questionnaires helps you respond to prospects’ security questionnaires quicker than ever.
Product Update

April 22, 2024
Scytale’s Multi-Framework Cross-Mapping: Your Shortcut to a Complete Compliance Program

With Scytale's Multi-Framework Cross-Mapping, companies can implement and manage multiple security frameworks without the headaches.
Webinar

April 17, 2024
To Comply or Not to Comply: GDPR Guidelines for Startups

This webinar is your opportunity to demystify GDPR compliance and ensure your startup is on the right track to compliance.
Product Update

April 17, 2024
Scytale and Kandji Partner to Make Compliance Easy for Apple IT

Scytale and Kandji have partnered to become your all-in-one solution for all things Apple security, management and compliance.
Blog

April 16, 2024
Lessons From the Sisense Breach: Security Essentials Companies Can’t Afford to Forget

This blog gives an overview of the Sisense breach, the types of data compromised in the hack, and lessons for companies to learn from.
Expert Takes

April 15, 2024
Cyber Essentials Explained

Compliance Success Manager, Ronan Grobler, walks us through the essentials of the Cyber Essentials framework.
Expert Takes

April 15, 2024
How Scytale Helps Organization Get Compliant and Stay Compliant

Compliance Success Manager, Lee Govender, explains how Scytale helps organizations get (and stay) compliant with our technology and people.
Expert Takes

April 15, 2024
ISO 42001 Explained

Compliance Success Manager, Merton-Curtis Nortrem, talks through ISO 42001 - the first-of-its-kind AI framework.
Expert Takes

April 15, 2024
A Day in the Life of a Scytale CSM

Compliance Success Manager, Robyn Ferreira, walks us through what a normal day as a CSM looks like at Scytale.
Expert Takes

April 15, 2024
Scytale’s Audit Readiness Process from Start to Finish

Compliance Success Manager, Robyn Ferreira, shares a quick overview of what the audit readiness process will look like.
Expert Takes

April 15, 2024
The Benefits of Scytale’s Platform

Compliance Success Manager, Robyn Ferreira, shares how Scytale makes the audit readiness process stress-free for both CSMs and customers.
Expert Takes

April 15, 2024
What it’s like working as a CSM at Scytale

From the amazing company culture to working with global customers, Robyn Ferreira walks us through her experience of working at Scytale.
Blog

April 15, 2024
Breaking Down the EU’s AI Act: The First Regulation on AI

This blog breaks down the key objectives of Europe's first AI Act and why this critical Act is already making its impact felt.
Compliance Guide

Achieving CCPA Compliance: A Guide for SaaS Companies

This comprehensive guide breaks down everything you need to know to get your SaaS company up to speed on CCPA compliance.