Technically Speaking: Your ISO 27001 Checklist

You’ve heard it once, and you’ll hear it again – ISO 27001 compliance is complicated and complex to understand, let alone implement, especially if you’re a startup

But for us to keep honing on about how complex it is won’t get you very far when it comes to actually getting compliant. Sometimes, all you need is for someone to tell it to you straight – technicalities and all, which is what we’re here to do. 

In this piece, we’re putting on our tech-wiz hats and rallying all the ISO 27001 gurus to help you better understand our ISO 27001 checklist and gain a deeper understanding of the technical requirements and prep involved in getting (and staying) compliant. 

Keep in mind that this by no means covers all requirements. For that, we’re going to need a whole book. Fortunately, you can look at that, too, if you want! 

ISO 27001 for Startups: The Ultimate Handbook for SaaS Companies

Appointing Your ISO 27001 Implementation Team and Governing Body

This may seem like one of the more straightforward steps (and you’re right), but its technicalities and importance shouldn’t be overlooked. Your internal governing body will oversee and own the entire ISO 27001 process. This goes beyond delegated tasks and brushing up on “How to get compliant” articles. Your implementation team will ultimately determine the scope of the certification process, create all the information management practices and policies, and work directly with the auditor. They can either be your greatest asset or greatest vulnerability. 

The team size will largely depend on the scope of the data you manage. However, regardless of the size of your team, we recommend you prioritize the following traits when appointing your team: 

  • A good understanding of IT
  • A background in project management
  • An understanding of 27001 compliance and the ability to communicate this effectively, including familiarity with its legal and regulatory requirements.

The ISO 27001 Bible

Everything you need to know about compliance!

Download the Whitepaper

Defining The Scope of Your Isms

In order to define your scope, you need to determine exactly what kind of information you need to protect. This needs to happen before you can even begin to build your ISMS. However, keeping your ISMS in mind from the beginning is crucial. This step is tricky because each business is unique and houses different types of data. You also need to accurately pinpoint which processes, assets, and other tasks that should be covered in the project. But it gets more technical than simply creating an overview document.

According to the ISO 27001 requirements, you have to do the following when defining the scope:

  • Take internal and external issues (defined in clause 4.1.) into account: This means considering the context of your organization in regard to external factors such as market and customer trends, perceptions and values of external interested parties, applicable laws and regulations, and technological trends and innovations. Internal factors also play a significant role, such as your organizational structure and organizational drivers (like values expressed in its internal culture)
  • Consider all the requirements of interested parties (defined in clause 4.2.): An interested party, often referred to as a stakeholder, is someone or an organization that has the potential to affect or be affected by your information security or business continuity efforts.
  • Evaluate whether interfaces and dependencies influence the scope: For instance, if employees from two distinct departments share identical office space, software systems, and data repositories, including one department within the ISMS scope becomes highly challenging without encompassing the other. Be sure to document any justifications for including or excluding certain departments in your ISMS scope.

Once these three core areas have been thoroughly researched and defined, businesses can then proceed to define any exclusions from the scope – e.g., private devices are excluded- and continue to write the ISMS scope document.

Performing a Risk Assessment and Risk Treatment

A formal risk assessment is required for ISO 27001 compliance. This means that organizations must have documented evidence of the data, analysis, and results of their risk assessments, which can be tricky without a designated compliance team. Nonetheless, it needs to be done. Why? Well, a risk assessment aims to determine your information security risks and their likelihood of occurrence and impact. Once this is completed, your risk treatment plan is the process of identifying which security controls are needed to mitigate the specific incidents outlined during the risk assessment. During the risk treatment process, the relevant security controls are chosen from Annex A, which specifies 93 controls.

During this stage, you must also create your Statement of Applicability. This document serves as the security profile of your company, derived from the outcomes of the risk treatment process outlined in ISO 27001. It necessitates the comprehensive listing of all implemented controls, the rationale behind their implementation and the methodologies employed. Additionally, this document holds significant importance as it is the primary reference point for certification auditors during the audit process.

Choosing Security Controls

As mentioned above, during your risk treatment phase, you must decide which security controls to implement (and then actually implement them). For many startups, this is one of the most daunting aspects of the certification process. 

The list of controls is found in Annex A, and contrary to popular belief, they aren’t all technical controls. It’s segmented into four core domains to make the list more digestible. 

  • A.5 Organizational controls: Controls for setting the most important security processes and documentation.
  • A.6 People controls: Controls related to secure management of human resources.
  • A.7 Physical controls: Controls related to secure areas and equipment protection.
  • A.8 Technological controls: IT and communication controls.

Practically speaking, most businesses will have to involve specialists within each department to gauge which controls fit. For example, if your risk treatment involves your IT landscape, you must involve your IT team to tap into their expertise. If, for instance, your risk treatment plan involves controls related to security awareness training, you will have to involve your HR team. 

Needless to say, this may prove challenging for small businesses that may not have compliance experts in each relevant department. 

Performing Internal Audits

Internal audits are critical when it comes to ISO 27001 compliance. An internal audit facilitates the identification of issues, commonly known as ISO 27001 non-conformities, that might otherwise remain undetected, posing potential risks to your business operations. Moreover, internal audits serve as a primary source of information for management reviews. By engaging in ISO 27001 internal audits, employee awareness regarding ISMS issues is heightened, fostering active participation in the continual improvement of the management system. Consider using internal audits as a tool for engagement and education within your organization, promoting a culture of security awareness.

iso 27001 audit scytale

Management Review and Corrective Actions

Even with a full-blown compliance team, upper management doesn’t get away scot-free. Although they don’t have to be involved in the nitty-gritty, top management is still required to keep tabs on the overall ISO 27001 certification process, whether everyone has performed their duties, and whether the ISMS is achieving the desired results. Based on their understanding and overview, management must consider the state of compliance and align it with the overall business strategy. It is also the responsibility of upper management to ensure all non-conformities are corrected (or even prevented) and that all non-conformities are systematically identified, resolved, and verified. 

Sound overwhelming? It doesn’t have to be. 

Achieving ISO 27001 compliance is a significant milestone for any startup, demonstrating a strong commitment to information security. While the journey requires effort, the benefits in terms of customer trust and risk management are invaluable.


Diving Beneath the Surface: We’re Afraid That’s Only the Tip of the Iceberg

Although we’ve only just scratched the surface regarding the certification process, it’s clear that without experts in your corner, achieving ISO 27001 compliance can put a startup or small business at a complete standstill. That is, of course, assuming nothing has slipped through the cracks. 

Fortunately, although it’s a full-time job – it doesn’t have to be yours. 

We’ve got you covered. At Scytale, we provide end-to-end ISO 27001 compliance (and fast) to help you get and stay compliant. 

Ditch the stress and opt for effortless compliance instead.