How to Get ISO 27001 For Startups (Free Guide)
Anwita
Jan 29, 2024

ISO 27001 is not an easy framework to understand, especially for startups new to compliance. The standard is not straightforward and does not come with checklists or examples to make your job easy. But without ISO 27001, startups lose out on a lot of growth opportunities.
To address this, we've drafted this article to bridge the gap and offer directional guidance on the next steps. In this article, you will learn about the steps involved in becoming ISO 27001 compliant as a startup and the costs associated with them.
What type of startup needs to be ISO 27001 certified?
First things first, ISO 27001 certification is voluntary. No regulator will come knocking on your door because you don't have one. However, it is becoming increasingly common for businesses to treat a vendor's security posture as one of the criteria for partnering with it, and a certificate is the easiest way to demonstrate that posture.
Having said that, you should consider ISO 27001 if:
- Your business collects, stores, processes, transmits, or has access to sensitive customer data.
- You conduct business mainly outside the North American region.
- Your business’s global presence would benefit from an internationally recognized certification.
No matter what industry you are in or what service you offer, you can be ISO 27001 certified. The chart below shows the number of ISO 27001 certifications in 2021 by industry.
How to get ISO 27001 certified as a startup?
Depending upon the industry you cater to, each startup has its own compliance needs. The effort required to get certified depends on the measures you have already implemented and on the work still to be done to meet ISO 27001. Once the ISMS is ready, you can proceed with an informal readiness assessment followed by the two-stage certification audit: a Stage 1 review of your ISMS documentation, and a Stage 2 audit that checks the controls are actually implemented and operating.
Here is the list of nine steps to get ISO 27001 certified as a startup:
Build your team
Before starting an extensive project, figuring out who takes care of what is crucial. ISO 27001 comprises a lengthy list of granular requirements, so assigning accountability for each task is good practice. Ideally, these roles would include:
Upper management – Usually the CEO, COO, CISO, or other leaders who will actively participate in the process (this depends on the organization). They are responsible for aligning information security with company goals, allocating resources, and overseeing delivery.
Information security steering committee – Security decisions can be quite challenging for organizations with no existing structure for infosec management. Nevertheless, it is important to chalk out strategies with stakeholders and top decision makers from each department.
Information security steering committee deals with a plethora of issues: process approval, risks analysis, audit results, security strategy monitoring, security goals, performance indicators, disaster recovery plan, and more.
Chief information security officer – A CISO reduces interdepartmental confusion and improves coordination. You don't necessarily need to hire someone for this role: anyone with a thorough understanding of how information flows through the business can take it on.
CISOs engage with departmental heads to finalize security strategies, align business goals with security objectives, decide budget, set policies and processes, identify best options to mitigate risks, and monitor security activities. Additionally, they may conduct training and security awareness programs.
Some organizations also assign a system administrator to maintain the data inventory, make workflow changes, and own the day-to-day operation of security controls.
Understand data protection requirements
Now that you have the roles sorted, it's time to figure out which data and assets need securing. One way to do this is the top-down approach: start from your business processes and work down to the information and assets each one touches. You can use the data flow chart below for reference.
In order to execute this process seamlessly, you should have clarity on each process and its type, who is responsible for what, and operational workflows. This helps to gain insight into the link between assets and activities.
System administrators have a comprehensive understanding of this and can help others too.
Another way to approach this is the bottom-up method. This is the better choice if you don't yet understand your processes well enough. The bottom-up approach relies on your ability to identify the types of information your organization handles across its end-to-end operations.
For example, you may consider sensitive and non-sensitive personal data, enterprise data, design data, and so on. Once the asset map is ready, use it to understand your data at a conceptual level.
Apart from electronic data, physical storage locations should be identified so they can be secured too. The bottom-up technique also surfaces physical assets such as paper documents, endpoint devices, hard drives, office premises, and even employees. After identifying these assets, list them by category. For example, CRM solutions and other tools fall under software; servers, laptops, and smartphones go under hardware; cloud hosting and telecom providers go under third-party providers.
Once you are done cataloging, use a spreadsheet to track how each piece of information is connected to the assets that store, process, or transmit it. Use the sheet below for convenience and keep it updated.
Download your Information Value Tracking Sheet
Evaluate risks
The saying "know your enemies to defeat them" holds true for ISO 27001: know your threats to mitigate them. A comprehensive view of the existing and potential risks across your infrastructure is a crucial step towards ISO 27001 for startups. Knowing your risks helps you prioritize them, implement appropriate controls, investigate breaches effectively, and contain them.
The first step of the risk assessment is to establish the value of what you are protecting. Take the asset map from the previous step and rate each piece of information on the three security properties: confidentiality, integrity, and availability. Use the table below to decide where each one stands.
Applying the table can result in the example shown below.
All other assets derive their value from the information they store, process, or transmit, so this first evaluation can be inherited by every asset connected to the information in the asset map. The rule is that an asset's value for the organization is the value of the highest-rated information it is linked to, as shown below and in the downloadable sheet.
Download your Information Asset and Tracking Sheet
Evaluate context to prioritize risks
Here, you need to understand your organization's environment better, because that context defines your information security requirements. To simplify this step, you can align your model with the threat taxonomy published by ENISA (the European Union Agency for Cybersecurity, formerly the European Union Agency for Network and Information Security).
| Threat category | Examples |
|---|---|
| Disaster | Earthquake, fire, flood |
| Outage | Power shortage, service unavailability |
| Physical threats | Theft or sabotage |
| Legal | Violation of regulation or inability to comply with the law |
| Unintended damage | Device loss, unintentional disclosure of information |
| Malfunctioning | Hardware failure, technical glitches, device malfunctions |
| External data threat | Ransomware, trojans, zero-day attacks, social engineering |
| Internal data threat | Eavesdropping, espionage, man-in-the-middle |
Use historical data and employee expertise to evaluate the level of each threat in the table above. Then evaluate how exposed each asset is to those threats using a questionnaire. For example: how prone is your office location to floods? How much access do employees have to sensitive data, and how is it controlled? Are there any compliance gaps in the business?
You can answer these questions with a rating scale such as High, Medium, Low, and None.
Use the table below to combine asset value, threat level, and exposure into a risk level. Any asset whose exposure to a threat is rated higher than "None" should be treated as a potential risk and carried into the risk treatment plan.
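The valuation, inheritance, and rating steps described above (information rated on C/I/A, assets inheriting the value of the highest-rated information they are linked to, and a threat-by-exposure rating that drops anything marked "None") can be made concrete in a small risk register. The following Python is an added example, not the article's own sheet or a tool from its author: the 0-3 None/Low/Medium/High scale, the product-based scoring, the band thresholds, and all the asset and threat data are assumptions constructed for illustration, since the article's scoring tables are not reproduced on this page.

```python
"""Toy ISMS risk register: C/I/A valuation, value inheritance along the asset
map, and a threat x exposure rating.  Added example with constructed data."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# One ordinal scale for C/I/A value, threat level and exposure.
# Assumption: None/Low/Medium/High = 0..3 is this example's choice.
LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Information:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def value(self) -> int:
        """Security value of the information: the highest of its C, I and A ratings."""
        return max(LEVELS[self.confidentiality], LEVELS[self.integrity],
                   LEVELS[self.availability])


@dataclass
class Asset:
    name: str
    category: str                                     # software / hardware / physical / third party
    handles: List[str] = field(default_factory=list)  # information it stores, processes or transmits


@dataclass
class RiskEntry:
    asset: str
    threat: str
    score: int
    band: str


def inherit_values(information: List[Information], assets: List[Asset]) -> Dict[str, int]:
    """Each asset inherits the value of the highest-rated information linked to it."""
    by_name = {info.name: info for info in information}
    return {a.name: max((by_name[n].value() for n in a.handles), default=0) for a in assets}


def rate_risk(asset_value: int, threat_level: str, exposure: str) -> Tuple[int, str]:
    """Combine asset value, threat level and exposure into a score and a band.
    Assumption: the score is the product of the three 0..3 ratings (max 27) and
    the band thresholds are illustrative, not taken from the standard."""
    score = asset_value * LEVELS[threat_level] * LEVELS[exposure]
    if score == 0:
        band = "none"
    elif score <= 4:
        band = "low"
    elif score <= 9:
        band = "medium"
    else:
        band = "high"
    return score, band


def build_register(information: List[Information], assets: List[Asset],
                   threats: Dict[str, str],
                   exposure: Dict[Tuple[str, str], str]) -> List[RiskEntry]:
    """threats: threat category -> level from history and staff expertise.
    exposure: (asset, threat) -> questionnaire answer; unanswered pairs count as 'none'.
    Pairs rated 'none' are dropped; every other pair is a potential risk, highest score first."""
    values = inherit_values(information, assets)
    register = []
    for asset in assets:
        for threat, level in threats.items():
            answer = exposure.get((asset.name, threat), "none")
            if answer == "none":
                continue
            score, band = rate_risk(values[asset.name], level, answer)
            register.append(RiskEntry(asset.name, threat, score, band))
    return sorted(register, key=lambda e: e.score, reverse=True)


# Constructed sample data (not from the article).
INFORMATION = [
    Information("customer PII", "high", "medium", "medium"),
    Information("marketing brochure", "low", "low", "low"),
]
ASSETS = [
    Asset("crm", "software", ["customer PII"]),
    Asset("laptop-fleet", "hardware", ["customer PII", "marketing brochure"]),
    Asset("paper-archive", "physical", ["marketing brochure"]),
]
THREATS = {"disaster": "low", "unintended damage": "medium", "external data threat": "high"}
EXPOSURE = {
    ("crm", "external data threat"): "medium",
    ("laptop-fleet", "unintended damage"): "high",     # device loss
    ("laptop-fleet", "external data threat"): "low",
    ("paper-archive", "disaster"): "low",              # flood-prone basement
    ("paper-archive", "external data threat"): "none",  # dropped from the register
}

if __name__ == "__main__":
    for entry in build_register(INFORMATION, ASSETS, THREATS, EXPOSURE):
        print(f"{entry.band:6} {entry.score:2}  {entry.asset} / {entry.threat}")
```

The register puts the CRM and the laptop fleet at the top because both inherit the value of the customer PII they handle, while the paper archive, linked only to low-value information, lands at the bottom even though it is exposed to flooding. Whatever scale you adopt, keep it the same across assets so the ordering, not the absolute number, drives your control selection.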
Identify controls for ISMS
Annex A of the ISO 27001 standard lists the security controls: the measures and processes you implement to protect data from threats. The 2013 edition listed 114 controls in 14 domains; the 2022 revision consolidates them into 93 controls in four themes (organizational, people, physical, and technological). Not every control is compulsory: you select the ones that treat the risks you identified, and you record every control you include or exclude, with a justification, in your Statement of Applicability.
Once you have a clear view of your risks and assets, you can proceed to the next step: plan how to address each risk, along with a budget and timeline. System administrators, the steering committee, and data processing owners should be involved in this task.
Deciding which controls to implement in a given environment is easier said than done. For many organizations it turns into a tedious exercise of trial and error, with outcomes that are hard to predict and that tend to stretch the budget. Depending on the type of data you handle, your team can decide which controls are required now and which can be deferred for the time being.
Check out: List of ISO 27001 controls and clauses
Conduct frequent internal audits
Periodic assessments are crucial to measure your progress against the plan. Security administrators should review this regularly, monthly or quarterly. The review involves everyone concerned: their input on updates, new requirements, changes, roadblocks, and so on is to be reported. Even for minor changes, keep top management in the loop.
Audits are a good practice for sticking to the plan. An auditor checks the controls you have described against what is actually implemented and writes a report based on their observations. Internal audits can be conducted by your own staff, provided the auditor is independent of the area being audited, so they are not reviewing their own work.
The report must list the areas of non-compliance and improvement. Address any gaps with corrective action, and record the root cause so the same issue does not recur. Wherever you make changes, document them in your plan.
Monitor to ensure ISMS effectiveness
Continuously monitor activities to ensure that your ISMS is working as planned. Address and document gaps as and when required. A good way to monitor efficiently is with performance indicators: metrics you track over time, backed by alerts that fire when a breach or unauthorized action is detected. Additionally, you can use goal indicators to measure progress against your business objectives.
Use the suggested table below to measure performance as percentage values. Indicators vary from one organization to another.