Information security continues to be a primary concern for businesses in the digital age across internal and external operations. Overwhelmingly, organizations across the globe turn toward ISO 27001 to showcase and certify their internal security practices and requirements. OneTrust has held an ISO 27001 certification since 2018 and was the first organization to achieve certification against the privacy extension ISO/IEC 27701 in 2019. In addition, OneTrust helps customers across different markets to establish, maintain, and continually improve an information security management system (ISMS), as well as to plan and implement industry standards such as ISO 27001.
OneTrust’s Chief Privacy Officer, Andrew Clearwater, and Lead Privacy Counsel, Brian Philbrook, shared their perspectives on the journey to certification.
Who developed the ISO 27001 certification?
As Chief Privacy Officer, Andrew provides counsel, leadership, and guidance on data protection and leads OneTrust’s ISMS Committee.
When asked about the development of ISO 27001, Andrew first mentioned that the standard is referred to as ISO/IEC 27001:2013 and was not only published by the International Organization for Standardization (ISO), but in partnership with the International Electrotechnical Commission (IEC).
He adds, “ISO is an independent body that works in 165 countries. Their goal is to promote proprietary, industrial and commercial standards worldwide. Additionally, the IEC is an international standards organization that prepares and publishes international standards for all electrical, electronic, and related technologies.”
What is the ISO 27001 certification?
As Lead Privacy Counsel, Brian provides guidance on global regulations and standards and leads OneTrust’s platform content development and innovation. He’s also a member of OneTrust’s ISMS Committee and was integral in the ISO 27001 certification process.
Brian explains that ISO/IEC 27001:2013 is the leading international standard that outlines the requirements for establishing, implementing, maintaining and continually improving an ISMS.
According to Brian, “The standard specifically works to protect the confidentiality, integrity and availability of information. The goal is for organizations to apply a risk management process to their ISMS initiatives, thus giving confidence to any current or prospective stakeholders that their risks are sufficiently managed. Organizations that meet the requirements of ISO 27001 can be certified by an accredited certification body after successfully completing an audit against the standard.”
Who uses the ISO 27001 certification?
ISO 27001 is among the most widely recognized security standards in the world because its requirements are applicable to most organizations, regardless of size, industry, or geographic location.
Andrew expands on this stating, “The standard not only helps an organization ensure that security risks are managed in a cost-effective manner. It also demonstrates to customers and partners that the business is operating in a trustworthy manner, and trust differentiates the businesses people want to work with from the ones they don’t.”
OneTrust’s ISO 27001 Certification Journey
Brian stated, “OneTrust’s goal in leveraging an international security standard was primarily driven by a desire to demonstrate a comprehensive and trustworthy information security program to our customers.”
He went on to add that OneTrust was in a unique situation when becoming ISO 27001 certified, because the organization also provides a tool to help companies operationalize an information security management program. OneTrust therefore had an opportunity to obtain certification while using its own software to get there (with the added bonus of showcasing the platform’s capabilities to customers).
According to Andrew, “In order to successfully create a security program, OneTrust initially identified stakeholders within the company that would be critical to success. We began with technical teammates because they own security controls, then worked through business owners in other departments including sales, marketing, web development, and more. In doing so, our security team was able to educate the organization on key security policies and procedures. As a result, the company was better prepared for our initial ISO 27001 audit.”
Typically, an organization engages external, third-party auditors to kick off the ISO 27001 certification process. The process has three steps, each of which requires a financial investment:
- Readiness Assessment: This initial review gives the organization a chance to identify program gaps at the outset, with the help of an experienced third party, and to address those gaps before beginning the certification process.
- Internal Audit: This internal audit is required by clause 9.2 of ISO 27001 and can be conducted either by an internal party with sufficient ISO 27001 knowledge and independence from the ISMS, or by a qualified third party. The purpose of the internal audit is to determine whether the procedures, controls, processes, arrangements and other activities within the ISMS conform to the ISO 27001 and 27701 standards, applicable regulations, and the organization’s internal documentation; whether they are effectively implemented and maintained; and whether they meet requirements and stated objectives. Internal audits should be conducted at least annually and ensure cumulative coverage of the entire ISMS scope. Internal audits are planned based on the risk assessment and the results of previous audits. They are typically conducted before management review, and always prior to the external ISO 27001 certification audit.
- External (Certification) Audit: After any non-conformities identified in the internal audit have been remediated, the organization can schedule its external (certification) audit. This requires working with an accredited certification body. If certification is achieved, it is followed by two annual surveillance audits and then a re-certification audit in the third year, after which the cycle repeats.
As with many organizations that attempt certification for the first time, OneTrust learned many lessons along the way and continues to evolve years later. A common hurdle for ISO 27001 first-timers is the development of a true “management system” as required for certification.
In many cases, first-timers attempting certification have all the appropriate technical controls in place, but the policies, procedures, methodologies, objectives, metrics and meeting minutes are not. The organization must therefore designate a committee, led by a chairperson, with documented minutes. Likewise, security policies cannot merely state that risk assessments are required; they must clearly show that the organization knows how to conduct them, has conducted them, and can prove it. Maintaining a risk register is one way to accomplish this, since it records each identified risk, its assessment, its treatment, and the owner accountable for it.
After a year-long audit process, OneTrust received its ISO 27001 certification. Not only does the certification demonstrate to customers that OneTrust has reasonable security safeguards in place, but going through the process of being audited by an external party also prepared the company for future customer audits.
“Looking ahead, we remain committed to upholding our ISO 27001 certification as it drives the organization toward continuous security improvement. This is where the OneTrust platform of trust comes into play. With the help of OneTrust, we can establish, maintain and continually improve our ISMS, as well as the planning and implementation of ISO 27001,” concluded Andrew.
To learn more about how OneTrust helps with ISO 27001, visit onetrustgrc.com.
Further ISO 27001 certification reading:
- Read the whitepaper: OneTrust for Information Security
Next steps on ISO 27001 certification:
- Watch the webinar: ISO 27701 New Privacy Standard: How We Got Certified & How You Can Too!