Last Updated on January 19, 2024
If your company is working towards ISO 27001 certification, you may be laser-focused on achieving that goal, and perhaps not worrying about what other cybersecurity and privacy efforts might need to come later.
But with a little extra thought and planning, you could also make significant progress towards compliance with other security mandates that are probably coming your way, saving you time and money in the near future.
To clear misconceptions and guide SMBs towards ISO 27001 best practices, Pivot Point Security CISO and Managing Partner, John Verry, recorded a “free consulting time” podcast in response to numerous customer requests.
Key “follow-on” attestation issues to consider
“Folks get very focused on getting to ISO 27001,” observes John. “I always like to take a step back and say, okay, let’s talk about what you’re trying to achieve today. And let’s try to think about where you might be going in the future.”
“The reason that’s important is that if you are choosing to get ISO 27001 certified, usually that means you’re processing someone else’s data, and you’re being asked for a strong form of attestation,” John continues. “And it’s highly likely that you’re going to be asked for one or more other forms of attestation. So as an example, if you are processing medical claims, then HIPAA comes into play and maybe you’re signing business associate agreements.”
“And as we’re proceeding towards ISO 27001, by overlaying HIPAA on top of that, and then either through the internal audit process or through the certification audit process, actually auditing and validating the HIPAA controls and being able to provide an additional layer of attestation there, we’re able to provide double duty, right? We’re killing two birds with one stone. You’re saving a little a bit of money,” John advises.
What about privacy attestations?
An increasingly critical area where more and more companies face compliance challenges is privacy. This makes working toward the ISO 27701 “privacy extension” in parallel with ISO 27001 certification an attractive option for many SMBs.
As John explains, “It’s important that we make good decisions now in order to capitalize on [the ISO 27001] effort and not lose any ground in the future. So, as an example, if you’re dealing with personal information and CCPA and APAC and GDPR apply, you might want to look at ISO 27701.”
“There’s value to doing ISO 27701 at the same time you do ISO 27001, right? Your net out savings are going to be a lot higher if we do it that way. Not that you can’t add ISO 27701 later, but you might save $30,000 this year. And if you were already thinking about dealing with that next year, beginning with that end in mind is going to be valuable,” recommends John.
Choosing your external audit partner
A final reason to broaden your focus as you’re pursuing ISO 27001 is that your future needs might impact your choice of an ISO 27001 registrar—the organization that’s going to perform your external audit and stand behind your certificate.
“If you are somebody who might need CMMC certification, or you might have to proceed towards FedRAMP, or you might want to go towards SOC 2 in the future, you’re going to want to make sure that you pick an ISO 27001 registrar that is able to do whichever of those you’re going to require,” says John. “So the registrar, if you want to go to SOC 2, needs to also be a CPA firm. If you want to go towards a CMMC, you want a registrar that’s also a C3PAO. If you need to go towards FedRAMP, you’re going to need a registrar that’s also a 3PAO. In the payment card industry data security standards, maybe you need a QSA registrar.”
“So, it’s important to understand where you’re going, and what does one year, two years, three years look like for you?” emphasizes John. “That way, as you’re building your information security management system, and you’re creating your partnerships with the people that you’re going to need to achieve them and certify them, make sure that you’re accounting for the future.”
What’s Next?
To maximize the value and optimize the cost of your ISO 27001 investment, don’t miss this “consultation/podcast” with ISO 27001 expert John Verry: EP#62 – John Verry – What People Get Wrong About ISO 27001 Compliance – Pivot Point Security
Looking for some more meaningful information around managing your ISO 27001 Certification? Check out this blog post: Don’t Rush Your ISO 27001 Certification – Pivot Point Security