How to secure your information with ISO 27001

Financial services firms might feel reluctant to commit too much time and resource to information security – especially when they are small or at an early stage. But firms cannot just ignore the significant threat of cyber risks and they are required to comply with the relevant regulations.

A practical and flexible solution is to seek certification against the international information security standard ISO 27001. This standard, along with ISO 27002, represents a useful and flexible framework which lays out the controls a firm could implement against cyber risk.

There are a series of steps that firms must follow to become ISO-certificated, and the standard was updated in October 2022 with changes that firms must implement by October 2025 to remain certificated.

Our cyber security experts Nick Gumbley and Will Finn – who have extensive experience both in carrying out and preparing firms for an ISO audit – recently held a webinar on how to use ISO 27001 to secure your company’s information.


Why should firms become certified?

It’s a fair question: why should you voluntarily undertake a certification process that requires a commitment of resource and staff time? Well, most firms recognise its value – including 93% of attendees at our webinar who were already certified or considering starting the journey.

That’s because the standard has many advantages:

  • It signals your information security compliance to customers and regulators: Being certified lets you demonstrate to customers and regulators that you are on top of information security risks and can act quickly when they arise.
  • It helps to manage supplier risk: When your firm outsources services to a supplier, you are still held responsible by the regulator for the information security around those services. Asking a prospective supplier if they are ISO 27001 certified is a good way to determine whether you can have confidence in their information security controls.
  • It is flexible and proportionate: Application of the standard can be scaled up or down in proportion to the size of your business and the risks you face.
  • It provides an off-the-shelf framework to ensure you implement the right controls: The standard specifies 93 possible controls that a firm might implement to manage information security risks. Certification takes firms through the useful process of understanding and justifying why they do or don’t need a particular control.


How do firms become certified?

Although a benefit of the standard is that firms can choose which controls are most appropriate for them, there are nonetheless seven controls that all firms must implement to become certified. These are found in Annex A of the standard, and ISO 27002 – a supplementary standard that provides guidance on implementing the controls. The mandatory controls include:

  • Leadership: Perhaps the key principle of the standard is that senior management must be committed to the process by leading on the establishment of an information security policy. One way of demonstrating this is to ensure a board member or senior manager chairs the company’s information security steering group.
  • Performance evaluation: The controls should be regularly monitored and tested so that you know if they are working and can detect any information security issues if they arise. This could be done with an internal or externally commissioned audit.
  • Improvement: Regulators will expect to see continuous improvement and corrective action taken to improve the controls over time.


The recent update to the standard brought in additional controls for firms to consider. These include a requirement to continually monitor access to the premises where data is kept, measures to protect against data leaks, and secure coding practices.


The journey to certification

When a firm applies for certification, they will be matched with a certification partner to work with them throughout the process and make the assessment. This involves eight steps:

  • Strategy and programme: Company leadership must first identify information security risks they face and the relevant regulatory requirements, then authorise a strategy to mitigate these risks.
  • Risk and requirements: A risk assessment should be carried out to inform that strategy.
  • Scope definition: Following the assessment, the firm should then define which controls should be implemented as a priority or later on – and report back on progress.
  • Gap analysis: Further testing should identify where the company’s policies are now and what should be prioritised to fill in any gaps in their information security preparedness.
  • Remediation: Even the best-prepared firms can still experience information security incidents, so the business must be prepared to respond to changing risks.
  • Stage 1 audit: At this point, the company is ready for the certification partner to come in and review their documentation. The partner will point out any improvements that are needed.
  • Stage 2 audit: When corrective changes have been made, the partner will schedule the second and final stage audit.
  • Certification: If that audit is successful, certification will be granted.


Certification lasts for three years and the partner will return to carry out a surveillance audit at least once a year before ultimately deciding if the company should be recertified. But although this process sounds onerous, auditors are usually supportive and work with you – not against you – to improve your cyber security.

Ultimately, getting certified as ISO-compliant is not supposed to be a process that pulls you apart, but it will identify what you are doing right and where you can improve further. If you would like to discuss how to improve your own cyber security, contact us today.