The journey to ISO 27001 certification

Auth & identity
July 11, 2023
Author: Howard Limburg

In today's digital age, where data breaches and cyber threats have become an unfortunate reality, the need for robust information security practices has never been more critical. As technology evolves, so do the risks associated with storing and managing sensitive information. That's why we are thrilled to announce our achievement of the ISO 27001 certification (in addition to maintaining our SOC 2 report), a testament to our commitment to protecting our clients and their users as well as ensuring the highest standards of information security.

Today we'll cover:

  • What ISO 27001 is
  • How to prepare for certification
  • What's involved in the audit process
  • How to maintain certification
  • FAQs
  • Stytch's top three takeaways from our own certification

What is ISO 27001?

ISO 27001 is an internationally recognized standard for information security management systems (ISMS) that defines a set of requirements a company’s ISMS must meet. It provides a systematic and proactive approach to managing sensitive company and customer information by identifying potential risks, implementing security controls, and continuously improving processes.

History of ISO 27001 certification

Though the official ISO 27001 standard was minted in 2005, its history dates back to the early 1990s in the U.K. Rapid advancements in information technology prompted the government to request a set of standards for evaluating the security of IT systems and products from the Department of Trade and Industry's Commercial Computer Security Centre (CCSC).

The CCSC created a code of best practices called DISC PD003, which by the late 90s they organized into two major components: BS7799-1, which outlined controls and control objectives, and BS7799-2, which outlined a formal standard for information security management systems. By 2000, the International Organization for Standardization had adopted and re-christened the former as the ISO/IEC 17799 standard (or what would become ISO 27002). In 2005, they formally adopted the latter as ISO 27001.

Why does this history matter?

Once the CCSC's standards were adopted by the International Organization for Standardization, they gained a level of international legitimacy that is nearly unrivaled in the world of standards. The ISO is an international, non-governmental body that issues standards across industries; 168 of the world's 195 countries are members. This means that attaining ISO 27001 certification literally opens borders for your business, creating massive opportunities for scale.

Why is ISO 27001 important for an information security management system?

An information security management system is by default charged with one of the most important tasks on the internet: protecting the integrity of the information of people and companies. When that is your main function, an ISO 27001 certification is one of the surest ways to accomplish the following:

Ensures enhanced information security

The ISO 27001 certification demonstrates our unwavering commitment to safeguarding our customers and their users. By implementing a comprehensive information security management system, we have put in place measures to protect sensitive information from unauthorized access, disclosure, alteration, or destruction.

Attests to compliance with regulatory requirements

ISO 27001 certification helps us meet and exceed legal and regulatory requirements related to data security. It ensures that our information security practices align with industry standards and best practices, providing peace of mind to our clients and stakeholders.

Offers competitive advantage

In today's competitive landscape, organizations that prioritize information security gain a competitive advantage. ISO 27001 certification sets us apart from the competition by showcasing the maturity of our information security program and our dedication to maintaining the confidentiality, integrity, and availability of customer information.

Earns customer trust and confidence

Data breaches can have far-reaching consequences, eroding customer trust and damaging a company's reputation. By achieving ISO 27001 certification, we provide our clients with the assurance that their information is in safe hands, building trust and fostering long-lasting relationships.

ISO 27001 certification vs. compliance

Technically, companies can be ISO 27001 compliant without being certified. If you're ISO 27001 certified, that means that an external auditor has gone through a specific set of evaluations and audits to confirm that you're ISO 27001 compliant. Generally, when companies request or refer to ISO 27001 for a vendor they're considering, they'll want that external certification, not just documentation that proves you're compliant.

Preparing for ISO 27001 certification


ISO 27001 certification is granted upon successfully completing stage 1 and 2 ISO 27001 certification audits, but there's a lot of preparatory work companies need to do before the audit takes place to make sure they're ready. Before engaging external auditors, a company should make sure to:

1. Scope and implement an information security management system or framework

This may sound like a no-brainer, but some companies, especially new ones, may have a hodgepodge of different practices and protocols they use to protect information security without having an explicit management system or framework. A proper management system also includes designated employees whose job it is to maintain that system, oversee its quality and efficacy, and monitor its compliance with standards like ISO 27001.

2. Conduct a risk assessment, and mitigate any found risks with a clearly documented risk treatment plan

Any company looking to receive ISO 27001 certification needs to conduct regular, well-documented risk assessments followed by treatment plans with the necessary controls and policies. Both for the sake of internal efficiency and a smooth certification, companies should remember that more does not necessarily mean better when it comes to controls. Controls are only as useful as the security risks they eliminate without placing undue burden or friction on internal processes. Because of that, every control or policy should map clearly to your company's use case and priorities.

3. Document all relevant systems and processes

ISO 27001 certification has many requirements, but companies do not need to meet every requirement to get certified. Instead, you should carefully evaluate your specific use case to understand which of these requirements apply to your business. Your ISO 27001 documentation should make it easy for both internal stakeholders and external auditors to assess whether or not your information security management system meets those requirements. This documentation should also clearly and succinctly show your approach to risk assessment and risk management.

The more thoroughly you show your work, i.e., document all your company has done and regularly does to maintain a compliant ISO 27001 service, the better. Note that without careful management and systems in place, this can get unwieldy, difficult to organize, and/or create bloat. Be very mindful of how you organize your risk assessments, your processes, and findings in ways that are usable to your internal stakeholders and accessible and clear for external auditors.

4. Conduct an internal audit & resolve any nonconformities

Every company applying for ISO 27001 certification is required to do an internal audit before an external audit or review, and to hold regular internal audits in order to maintain their certification. This "internal" audit is intended to surface any nonconformities with the ISO 27001 standard and raise them to the relevant stakeholders at the company so they can be resolved before the external audit.

Though this step is called "internal," companies can either choose someone who is in fact internal to their company, or hire an outside vendor to conduct this audit for them. That said, if you end up using someone in-house to conduct your internal audit, you must make sure they have no conflict of interest, i.e., they are not responsible for implementing or maintaining any of the systems, controls, or policies they're evaluating.

5. Onto the external audit

Once you've completed all of the necessary preparatory work, you can then solicit an external audit.

The ISO 27001 certification external audit – what to expect


While the most important legwork for your own team takes place in the lead-up to your audit, the audit itself is clearly the moment of truth for any company seeking certification. There are three important steps to completing the audit: choosing your auditor, and stages 1 and 2 of the audit itself.

Choosing your ISO 27001 external auditor

When choosing an external ISO 27001 auditor, there are a few key things to look for:

1. Accreditation

Check an accreditation directory as your starting point. These directories do a fairly thorough job vetting the auditors listed on their site, but it never hurts to do your own due diligence and make sure the information listed in the directory corresponds to the auditor's website and own materials.

2. Industry alignment

Though not required, you'll likely find it helps to have an auditor who knows your particular industry well. They're more likely to ask you the right questions, give nuanced and helpful guidance, and understand the constraints and demands on your information security management system better than someone outside your industry.

3. Bundled or additional certifications

There are few more painful time-drains than vendor searches. If you know your company plans to scale at some point or has other security compliance certifications on the horizon, it could be worthwhile to find an auditor that covers more than one. Forming a strong relationship will make future certifications and audits smoother down the line. Furthermore, you can reduce your own audit fatigue by selecting an auditor that can address multiple certifications/frameworks simultaneously.

ISO 27001 certification audit – stage 1

The ISO 27001 audit takes place in two stages. In Stage 1, your auditor is essentially making sure that you have all the necessary documentation and processes established to undergo a stage 2 audit. At this time they'll review specific clauses of the ISO 27001 standard, namely clauses 4 through 10. Together, these clauses cover all the requirements an information security management system needs to meet to get certified. They are:

Clause 4: Context of the organization

This covers the very foundation of your company's ISMS – its scope, why you need one, what information you handle, and who your key stakeholders are.

Clause 5: Leadership

Clause 5 covers the roles and responsibilities of your ISMS team and the policies they must abide by.

Clause 6: Planning

Clause 6 offers a clear-eyed overview of how your organization will achieve its objectives, especially as they relate to risks and opportunities.

Clause 7: Support

Clause 7 outlines the resources your company has devoted to maintaining its ISMS.

Clause 8: Operation

Clause 8 is where you discuss your risk assessment and treatment plans, and whatever controls you've put in to mitigate those risks and other information security requirements.

Clause 9: Performance evaluation

Clause 9 is where you document how you evaluate your performance, and how and how often you conduct internal audits and reviews.

Clause 10: Improvement

Improvement covers any nonconformities you may have identified in your internal audit, and how you plan to address those.

Upon reviewing your documentation to make sure all these requirements are accounted for, your auditor will either pass you on to stage 2, or will first raise what are called "areas of concern" you need to address in order to pass stage 2.

ISO 27001 certification audit – stage 2

In ISO 27001 stage 2, your auditor moves on from reviewing the clauses to a second part of the ISO 27001 standard called Annex A. While clauses 4-10 address the requirements for an ISO 27001 certified company, Annex A covers the possible security controls a company could use to meet those requirements.

As mentioned before, no company is expected to implement all controls. You are simply expected to have the necessary controls in place for your context and industry, and for the goals and measurements you've outlined in your own ISMS.

Maintaining ISO 27001 certification

Achieving ISO 27001 certification is not a one-time accomplishment. It requires continuous monitoring, assessment, and improvement of the ISMS. By establishing a framework for monitoring and reporting security incidents, conducting regular audits, carrying out management reviews, and continually improving, you can ensure the effectiveness of your ISMS on a recurring basis.

As part of maintaining your certification, you'll also need to undergo what are called surveillance audits, which are regular (generally annual) audits to make sure your company is still adhering to ISO 27001 standards.

This is another reason why the systems, documentation, and controls you set up during your prep work are so crucial: ISO 27001 is not just a box to check, it is a marathon you'll be running for the rest of your company's life! Dedicating the regular

ISO 27001 certification – FAQs

How many companies are ISO certified today?

According to the ISO 2021 Survey, nearly 60,000 companies worldwide had attained ISO 27001 certification. That may seem like a lot, but consider that the U.S. alone is home to over half a million technology companies.

While not every one of those companies may need ISO 27001 certification to do their business securely, it does show what a differentiator this certification can be in the global market for an information security management system.

How long does it take to get ISO 27001 certification?

The amount of time required to get ISO 27001 certified varies depending on many factors, such as:

  • How established your company's ISMS was before beginning the process
  • Your industry and use case, with its particular risks, information, and intellectual property to protect
  • The resources you have available already, vs. how much headcount you may need to pull off other tasks to complete your prep work
  • Whether the stakeholders involved at your company are familiar with the process or not

Generally, however, most small to mid-sized companies are able to finish the preparatory work for the audit within four to six months.

How much does it cost to complete ISO 27001 certification?

While some sources may give ballpark figures for an ISO 27001 certification process, the reality is that the end cost is highly dependent on many different factors. Some of these are: whether your internal audit is in-house or not, the specific audit firm you select, the scope of your assessment, and whether other frameworks are being audited simultaneously.

Best practice is to get quotes based on each of these factors so your company can budget appropriately.

Our take

Looking back on our own ISO 27001 certification process, we have a few learnings we think would be useful for companies considering this for themselves:

Lesson 1: Define the scope early

It is important to clarify the certification’s scope early in the process so as to ensure you are thinking about all the relevant applications, services, controls, and processes for each requirement of the standard. While it is doable to fold an application into policies and controls after the fact, it is much easier to create the appropriate documentation and processes with all relevant applications and services in mind from the start.

Lesson 2: Documentation is incredibly important

As we’ve mentioned a few times in this post, documentation, and more importantly thorough and accurate documentation, is essential for a smooth implementation and certification. Documentation provides an ongoing reference for all personnel on the ISMS as a whole, the scope of controls and processes, and everyone’s responsibilities. Ensuring it is accurate and updated frequently helps to avoid actions drifting apart from well-established processes. It also helps with our next key learning…

Lesson 3: Continual (re)education

As part of any good information security program, continual (re)education is essential. Not only does this offer another opportunity to introduce and reinforce policies & controls, it also helps to remind everyone of their responsibilities and the importance of those to the overall success of the ISMS. Lastly, education offers an opportunity for personnel to offer insight in case there are use cases that do not align with historically documented controls/processes, in which case the documentation can be updated to reflect this.

Conclusion

As technology continues to advance, the need for robust information security practices becomes increasingly vital. Achieving ISO 27001 certification is a significant milestone for Stytch. It signifies our commitment to protecting sensitive information and fostering trust with our clients. With Stytch's robust Information Security Management System in place, we are well-equipped to navigate the ever-evolving landscape of cyber threats, ensuring the highest level of data security for our stakeholders.

At Stytch, we firmly believe that information security is not just a responsibility; it is a priority. Our ISO 27001 certification is a testament to our dedication to providing secure and reliable technology solutions. Together, let's embrace the future with confidence and trust in our commitment to protecting your valuable data.
