Chris
01 Mar 2023

ISO 27001 Audit Insight

Zelt recently achieved ISO 27001 certification, demonstrating our commitment to best practices for information security.

ISO 27001 certification document

We want to share some insight into our recent audit, process, and ISO 27001 tips and learnings. For any teams considering ISO 27001 certification (we recommend it), this will guide you on where to get started.

We underwent a rigorous audit process to achieve certification, including reviewing our information security policies, procedures, and controls. The audit was conducted by British Assessment Bureau, which verified that Zelt’s met all the clauses of the ISO 27001 standard.

Our ISO 27001 certification is a significant milestone for the company and our customers. It demonstrates our dedication to protecting our customer’s sensitive data and assures that we’ve implemented rigorous information security practices.

UKAS accreditation

It is important to note that British Assessment Bureau is accredited UKAS, which is the official representation for ISO in the United Kingdom. There are many (usually cheaper) ISO 27001 auditors out there that are not UKAS accredited, which means their certification may not be accepted as valid by third parties.

What is ISO 27001?

ISO 27001 is a globally recognised information security standard that provides a framework for organisations to implement an information security management system (ISMS). The standard specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS, which helps organisations manage and protect their sensitive information assets. ISO 27001 is relevant for organisations of all sizes and industries and is widely used by businesses to demonstrate their commitment to information security best practices.

What are the benefits of ISO 27001?

Achieving ISO 27001 certification can bring numerous benefits to a business, including:

  • Improved information security: The standard requires organisations to establish a systematic and proactive approach to managing information security risks, which can help to prevent security incidents and data breaches.
  • Enhanced customer trust: ISO 27001 certification is a globally recognised standard demonstrating a business’ commitment to protecting customer data.
  • Competitive advantage: ISO 27001 is increasingly a prerequisite for selling software to mid to large companies. As a result, ISO 27001 opens the door to winning more and more customers.
  • Regulatory compliance: The standard aligns with numerous data protection and privacy regulations worldwide, making it easier for organisations to comply with legal and regulatory requirements such as GDPR.

How long did it take?

Our process to achieve initial certification took around five to six months; however, if you can commit several days a week to the project or have previous experience implementing information security certifications, you should be able to do this within three months. At a high level, the steps we’d recommend following are:

  • Assign a lead implementor: Give ownership of the project to somebody with your team who can coordinate this from start to finish.
  • Pre-training: If you’re new to the topic, you could take a training course, such as a lead implementer course. If you go down this route, be careful not to overspend; an online course should cost around £100. We opted to stick to free online material and speak with people/companies in our network who had passed certification before. With some perseverance on Google and a handful of chats, you should be able to get up to speed on ISO requirements without spending money on a course.
  • Project kick-off: Make sure to get buy-in from your management team and key stakeholder(s) from your technical teams. At this stage, you should set expectations for the work involved and the cadence of work.
  • Define your scope: The scope is used to show your auditor, as well as your internal & external stakeholders, what information/parts of your business will be covered under your ISO 27001 certification.
  • Write your information security policy: This is a high-level document that should provide an overview of the information security policies within your business.
  • Conduct your risk assessment: You’ll need to define a risk methodology and assess your business and information assets. Once completed and based on your risk methodology, you should build a risk treatment plan, which shows how you will use Annex A controls to mitigate the risks you’ve found to be unacceptable.
  • Build out your SOA (Statement of Applicability): This document is a big part of ISO 27001 and shows which Annex A controls you’ve chosen to implement and how you’ve implemented them.
  • Stage 1 assessment: This stage is a documentation review, i.e. to check whether you have the required policies and processes written and, if so, do they conform with the ISO 27001 clauses. Your auditor will suggest the best point for you to do stage 1. However, it would help if you aimed to complete at least 50% of the above before organising it.
  • Implementation: Once you’ve completed stage 1 and have your policies, processes and risk assessments in place, you’ll want to start implementing the procedures and controls, i.e. creating to gather evidence that you do what you say you do.
  • Training: At this point, you should do an introduction session with your company, covering an overview of ISO 27001 and why it’s essential to your business. Further sessions should then be planned to run through as many policies as appropriate.
  • Internal Audit: Internal audits are not only a requirement but will highlight any potential areas of non-conformity that you will need to rectify before your stage 2 audit.
  • Management review: You should conduct management reviews at least once a year. They provide a framework to give your management team oversight on your information security policies & processes and approve audit & risk assessment findings, for example.
  • Stage 2 audit: Stage 2 consists of an auditor thoroughly reviewing your ISMS and information security policies to ensure they conform to all standard clauses. This is an evidence-based audit, so the auditor will ask to see proof to confirm whether you’re doing what you say that you’re doing.

How much does it cost?

For us, the all-in cost including preparation, pre-audit, template builders and audit cost was in the range of £3k – £5k. The cost depends on several things:

  • Team size: The audit cost will be based primarily on the size of your team
  • Software costs: If you buy third-party software to help with your implementation, this tends to add thousands to the overall cost
  • Consultants: Consultant fees (if you opt for one) are, on average, £140 per hour. Businesses typically have anywhere from 24-160 hours of consulting time. We have put together a few options for ISO consultants.
  • Training: Online training courses should be around £100-£200 for a lead implementor course
  • Templates: There are many template policy packs available to buy online. These often run into several hundreds of pounds.

What else do you need to keep data secure? While achieving ISO 27001 certification is significant, it’s important to note that information security is an ongoing process. To keep up with evolving threats and technology, businesses must continually monitor and improve their information security policies. Some additional measures that companies can take to keep their data secure include

  • Regular employee training: Ensuring that employees understand the importance of information security and how to identify and respond to security threats can significantly reduce the risk of data breaches.
  • Robust access controls: Implementing strict access controls, such as two-factor authentication and role-based access, can help to prevent unauthorised access to sensitive data.
  • Regular vulnerability assessments: Regular vulnerability assessments and penetration testing can help identify weaknesses in an organisation’s information security defences and address them proactively.

Our tips & learnings

  • Consultants not a must: If you have fewer than 20-30 people and you’re comfortable learning & implementing ISO 27001 yourselves, you don’t have to opt for a consultant. This will shave a lot off your total bill.
  • Pick a commercially-minded auditor: We used British Assessment Bureau, which provides access to its ISMS software and policy templates, which was very helpful for the documentation stage and keeping the costs down. Note that most auditors will not provide this to point out their independence from the preparation process, but as a customer, having some guidance from the company that will audit you (even if not the same person) gives some extra confidence.
  • Include stakeholders: Getting your team onboard to the project, especially if you’re non-technical and leading the implementation.

Software can help you with

  • People processes: Leveraging Zelt is a possible option to reduce some burdens, such as HR and IT related controls you will need to put in place. These include an asset register, access provisioning, document storage and tasks/checklists that need to be completed (and documented) by employees during on- and offboarding.
  • Continuous compliance: Tools like Vanta and Drata can help you with proving continuous compliance in between audits. ISO will require you to be re-audited at least once a year but certain third parties such as banks may require you to prove that you are compliant also in between audits.

Overall, implementing ISO 27001 is a great way to demonstrate to your stakeholders that you’re taking information security seriously. If you want to get the ball rolling with ISO 27001 this year, reach out to us a Zelt, and we’ll be happy to share any of our learnings in more detail.