Guide: Getting ISO 27001 Certified Or A ISAE 3402 Security Report
Introduction: Should I get a Certification or Security Audit?
At CyberPilot, we are seeing that it is a growing requirement for organisations to be certified for information security or to obtain a security audit for ISO 27001 or ISO 27002.
In this blog, we will provide an overview of the various ways of getting certified for information security. You will also learn the difference between the certifications and security audits. The goal is that you will be able to understand whether you should work towards certification. If you are looking to ensure that you are following the GDPR for handling personal data, take a look at the benefits of an ISAE 3000 report.
In this blog you get get an overview of the steps towards an information security certification. First, we will define the different types of certifications and security audits that concern information security. In the sections after, we will discuss the pros and cons of each, weigh out the potential costs, and finally, give a recommendation for how your organisation could proceed.
Why become ISO 27001 certified or get ISAE3402 security audit anyway?
Getting certified or audited is a good way to show clients and partners that your organisation is committed to good practices when it comes to information security, and to show that you are in control of things.
It can also improve your organisation’s reputation and can be used to help with marketing efforts (depending on your industry and context). For example, if you are a company that regularly processes confidential data, then a certification will undoubtedly put your potential customers at ease.
Besides holding a ISO certification, training your team is one of your strongest IT-security defenses, with people being the largest security risks for organisation. If you want to know more about how an educated team can boost your IT-secuirty, check out our Awareness training.
We understand that there are many aspects to consider, in order to make the right decision. In the following sections, we will try to further narrow it down for you. If you'd like you can also start by reading our general guidelines for staying compliant with GDPR.
What is an ISO Certification anyway?
The International Organization for Standardization (ISO) is an international standard-setting organisation. It is the world’s largest and most widely recognised developer of voluntary international standards. When it comes to information security management, we are concerned with standards in the ISO 27000 family.
The ISO 27000 family (also known as series) consists of information security standards, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which is why you will often see the two abbreviations being used. In other words, ISO 27000 and ISO/IEC 2700 are the same standard. Moving forward, we will mostly use the ISO abbreviation, and this will also apply to ISO/IEC 27001 and ISO/IEC 27002.
The series consist of more than a dozen standards. ISO 27000 provides an overview and vocabulary to be used for the standards. When it comes to certifications, most organisations are concerned with an ISO 27001 certification with the possibility of extending it to ISO 27002.
ISO 27001 is the most widely known standard when it comes to providing requirements for an information security management system (ISMS) – it is normally what companies mean when they talk about getting an ISO certification in information security. It contains all policies and processes relevant to how data is controlled and used. However, it does not define specific tools, solutions, or methods. Instead, it functions as a compliance checklist. The main objective is that the work will be an ongoing process and not a one-off. Therefore, we focus on the continuous process and continuous improvements.
When it comes to ISO 27001, a risk-based approach is used, and that’s why there are no specific requirements for an organisation to live up to predetermined requirements. On the other hand, there are requirements for the implementation of appropriate technical and organisational measures. Therefore, it is up to the individual organisation to assess what these appropriate measures are – the key here is ‘risk assessment’.
Assessing potential security risks can also help you to better foresee incidents and plan how to reduce risks relevant to your organisation. Use our guide and free template to create a risk analysis and you are one step on the way to becoming certified.
ISO/IEC 27001 includes ten short clauses and Annex A:
The clauses of ISO/IEC 27001:
Scope of the standard
How the document is referenced
Reuse of the terms and definitions in ISO/IEC 27000
Organisational context and stakeholders
Information security leadership and high-level support for policy
Planning an information security management system; risk assessment; risk treatment
Supporting an information security management system
Making an information security management system operational
Reviewing the system’s performance
Human resource security, which includes awareness training
Networks, which includes vulnerability scans
Physical and environmental security
An information security management system (ISMS) provides organisations with a systematic approach for managing their information security. It is a centrally managed framework that enables you to manage your organisation’s information through risk management. An ISMS contains all policies and processes relevant to how data is controlled and used.
The overall objective of the ISMS is to define and control the risk levels relevant for the organisation. There are three main areas to consider:
Confidentiality: the data can only be accessed by authorised people
Integrity: the data is accurate and complete
Availability: the data can be accessed when required
According to ISO 27001, the implementation of an ISMS follows a Plan-Do-Check-Act (PCDA) cycle for continuous improvement. This is an easy to use model that helps organisations avoid making repetitive mistakes. We recommend following our guide on applying the Plan-Do-Check-Act (PCDA) model for any sort of process that you want to improve, however we believe it to be especially useful within IT-security.
The basic methodology in ISO 27001 is that a risk-based approach is used. Thus, there are no specific requirements for an organisation to live up to requirements X, Y, Z, etc. On the other hand, there are requirements for the implementation of appropriate technical and organisational measures. It is thus up to the individual organisation to assess what these appropriate measures are. The key here is the ‘risk assessment’ or ‘risk analysis’.
What is ISO/IEC 27002?
ISO 27002 not a standard, but a code of practice that offers suggestions, rather than requirements for effective ISMS management. It is less comprehensive than ISO 27001 and does not include the Plan-Do-Check-Act cycle. Normally, it is implemented for organisations who are already in the process of getting ISO 27001 certified.
ISO 27002 guides organisations in selecting, implementing, and managing controls in their information security risk environment. It is designed to be used by organizations that intend to:
Select controls within the process of implementing an ISMS based on ISO 27001.
Implement commonly accepted information security controls.
Develop their own information security management guidelines.
What is an ISAE 3402 Report?
The International Standard on Assurance Engagements 3402 (ISAE3402) is an international assurance standard that prescribes Service Organization Control (SOC) reports. These reports give assurance to organisations’ customers and partners that they have adequate internal controls when it comes to information security. ISAE 3402 defines two types of reports: Type 1 and Type 2.
A Type 1 report includes a review of the documentation, but without the control of the implementation itself. In other words, a Type 1 statement is a snapshot of a given date.
The cost of obtaining a Type 1 report consists of two parts:
The internal preparation, implementation, and documentation
The review, preparation, and ongoing maintenance of the statement – this task must be handled by an authorised information auditor.
The cost will vary depending on the auditor and scope of the report.
A Type 2 report includes a review of the documentation and the verification of the implementation. Typically, this verification will be in the form of samples and a review of the documentation, and the systems. A Type 2 report typically covers a period of 6 or 12 months and aims to show how controls have been managed over time. Therefore, it is more comprehensive than a Type 1 report.
The cost of obtaining a Type 2 report consists of three parts:
The internal preparation, implementation, and documentation.
The ongoing work of complying with and documenting the controls.
The review, preparation, and ongoing maintenance of the statement.
The cost will vary depending on the auditor and scope of the report.
What is the difference between a Type 1 and Type 2 report?
Normally, organisations’ external partners will require a report, but will not specify if it should be a Type 1 or Type 2 report. It is also quite common for organisations to first prepare for a Type 1 report then extend it to a Type 2 report.
Our experience shows us that by working towards a Type 1 report then ‘upgrading’ it to Type 2, you get to mature the organisation’s documentation and processes before reaching a Type 2 report. On the other hand, if you go directly to try and obtain a Type 2 report, then you risk having remarks on the report if the documentation and controls do not meet the auditor’s requirements. With a Type 1 report, you can put the processes ‘on hold’, adapt the documentation and processes, then get audited again.
Another advantage of obtaining a Type 1 report first is that you can get it in a relatively short amount of time since it does not look at the documentation and processes over time. This aspect significantly affects the cost of obtaining a report, and we recommend getting a comprehensive price estimate from the auditor.
Here is our recommendation
For the reasons above, CyberPilot recommends that in most cases, you should work to get a Type 1 report first, then extend it to a Type 2 if necessary. The benefits include:
The cost of obtaining a Type 1 report is significantly less costly (up to two times less).
You have the opportunity to mature and improve the organisation’s processes and documentation before deciding if you would like to extend it to a Type 2 report.
It is faster to get a Type 1 report. A Type 2 report will take 3-6 months, during which time you must still be in operation while being audited.
As many external partners will not specify whether they expect a Type 1 or Type 2 report, you can ‘settle’ for a Type 1 report in most cases.
We understand that you may still want to get a further overview of what it takes to get a full ISO certification and see how it compares to getting an ISAE 3402 report. In the next section, we will dive deeper into the reasons why your organisation may want to pursue getting certified or audited and provide roadmaps to both options.
Should I even get certified or a security audit at all?
First, we must determine if it is a priority for your organisation to be certified or get a security audit at all.
The reason(s) you may want to get certified could be because:
It is a legal requirement.
It is required by external parties (often, customers or partners).
It is required by the board or company owners.
Since preparing to be certified or audited takes a significant amount of time and resources, it is important that you have identified the need to move forward before you begin.
However, we have seen that the process towards a certification or audit is a very valuable process for most organisations because it forces them to thoroughly evaluate the aspects of their information security. This is because you can become aware of the issues that you would normally not address, because there was no need for getting certified or getting a security audit previously. Undoubtedly, this will create value for your organisation in the long run.
Should I get the ISO Certification or an ISAE 3402 Report?
Next, we discuss whether you should go for a full ISO certification or if you can ‘settle’ with the simpler (and less costly) audit report.
A full ISO certification requires that there be a fully implemented ISMS that is documented and observed daily. The result is that great demands are placed on both the implementation, operation, initial, and ongoing certification process.
An ISAE 3402 report is given if the organisation has complied with a specific standard. That means it is still required to show documentation and the happenings in daily operations, but to a significantly lesser extent than with a full ISO certification. Much of the process of getting an ISAE 3402 report is included in the certification process.
Thus, there are still requirements for both documentation and daily operation, but to a significantly lesser extent than with a full ISO certification. This is also seen in the certification process itself, which for audit consists of samples and interviews.
The cost for a full ISO certification and security audit will naturally vary from organisation to organisation, depending on several parameters, such as the scope, maturity of the organisation regarding information security, internal resources, and competencies. As a starting point, it is expected that a full ISO certification will cost 4-5 times more than an audit statement (inclusive of all stages).
In general, we have seen that the full ISO certifications are very limited in use in the EU and the security audits are much more common. This can be seen as a statement that the market often deems the audits as sufficient. Often, it is mostly the very large corporations that aim for the full ISO certification.
When deciding on whether to obtain a full certification or security audit, one should also consider the tasks both processes entail.
It can be difficult to explain which exact tasks are associated with implementing, maintaining, maintaining the certification/report, as it will differ between organisations. However, we will start by illustrating this for the path we recommend for most organisations:
ISAE 3402 Assurance Report – Type 1 in relation to ISO 27002
The later sections in this blog post will further outline what is required, to further go from getting audited to a full certification.
What is required for getting a ISAE 3402 Type 1 report?
The following documentation must be available for review before the report can be prepared by the auditor.
Overall information security policy (statement from management), which contains objectives and responsibilities.
Documentation of risk assessment – documentation that this process has been completed and approved by management.
The information security handbook, which describes the overall process and measures on a high level. The manual follows chapters from the ISO 27002 standards. The information security handbook is for documentation of the measures that have been implemented to handle information security. It is a document for use in the IT department and for auditing, not for general staff.
Policies, guidelines, and procedures relating to information security. E.g., a contingency plan and guidelines for employees.
As ISO 27002 is a risk-based approach, it will also be relevant to look at the conclusions from the risk assessment and determine which improvements must be made to achieve an acceptable risk level.
Next, we will discuss the steps required to ‘upgrade’ to a Type 2 report and then to a certification in ISO 27001.
What is required to get an ISAE3402 Type 2 Report?
To get a Type 2 report, it will consist of mostly the same type of documentation as getting a Type 1 report. Here are other things to expect:
- Preparation: the organisation and description of the controls.
- Ongoing control and documentation of activities (time interval must be determined).
- Cost of audit statement – up to two times more compared to a Type 1 report.
A significant amount of time and cost should be expected to extend your report to a Type 2 report. This goes for the preparation, ongoing inspections, and cost for the auditor. There is also a risk that the auditor will object to the newly implemented control, which may mean you have unfavourable findings in the report.
Discuss the possibilities with your auditor
However, we recommend that you initiate the dialogue with the auditor about a future desire to get a Type 2 report, while beginning the process of getting a Type 1 report. In this process, it will become clearer which additional measures and controls must be implemented, in order to obtain a Type 2 report. Additionally, the auditor will also have a better idea for estimating the efforts to extend the report. By taking a step-by-step approach, you can often significantly reduce the cost of having the auditor.
This is a typical roadmap for getting a security audit:
- Determine the scope of the security audit with selected clients and partners. The purpose is to ensure that both parties accept the intended levels of review.
- Initiate a dialogue with the auditors to get an estimated cost for their preparation of the security audit.
- Come to a final decision on the type of security audit and its level of review.
- Gather the relevant documents, which include:
- The organisation’s information security policy
- The information security manual
- Additional guidelines and policies that can be relevant.
- Agree with the auditor about the preparation of the security audit.
- Implement the new processes.
- The Type 1 security audit is performed.
- The new Information Security Management System (ISMS) is operated for 6-12 months.
- It is possible that a Type 2 security audit is performed.
How to go from ISO 27002 to ISO 27001
The difference between ISO 27001 and ISO 27002 is in the documentation and the establishment of the management system, including the PDCA cycle. It is this part that must be implemented and operated to go from ISO 27002 to ISO 27001. In ISO 27001, Chapters 4-10 must be included in the organisation’s management system for information security.
The steps required with establishing this process partly lie in the documentation and organisation of the internal processes for the four phases, and partly in your organisation’s time that must be used to implement the processes.
The real difference lies in the ‘check’ and ‘act’ phases. Here, ISO 27001 requires that a continuous process be implemented to set objectives for the individual initiatives, check if the initiatives are effective, and continuously adjust if the results deviate from the objects.
As ISO 27001 has a larger scope than ISO 27002, it can be expected that the audit will cost significantly more, as the auditor will also review and revise the documentation from Chapters 4-10 as part of the certification process.
Here is what you can expect:
Preparation: Documentation and description of processes covered in chapters 4-10 of the ISO 27001 standard
Implementation and the processes associated with the four phases (Plan-Do-Check-Act)
Security audit – should be agreed on with the auditor.
It is primarily the extra internal time that is expected to make the difference from ISO 27002 to ISO 27001.
Just like working with a Type 1 vs Type 2 audit, it will be to your advantage to work step-by-step when expanding from ISO 27002 to ISO 27001. Getting certified in ISO 27001 may very well be suitable for organisations as they mature.
Why CyberPilot recommends getting a ISAE 3402 report
At CyberPilot, we recommend that the ISAE3402 report will be the optimal choice for most organisations to work toward. This is because of the following:
- The additional cost for before, during, and after a full ISO certification is likely to exceed its added value, rather than an ISAE 3402 report.
- If you later find that you want to ‘upgrade’ to a full ISO certification, the ISAE 3402 report will still serve as a good starting point.
Note: We ALWAYS recommend that you contact and discuss it with the customers and partners who require you to obtain certification or an audit, before you start to work towards it.
CyberPilot, your partner for information security
We hope that this blog has given you a better understanding of ISO certifications and ISAE 3402 reports. At CyberPilot, we offer solutions that can help you strengthen the information security in your organisation to prepare certification or an audit. These solutions include:
If you have any questions about our solutions, feel free to contact us at firstname.lastname@example.org. We will discuss what to do to put your organisation on the right path.
The Schrems II case makes it impossible for US organisations to use the so-called Privacy Shield framework. This will affect how organisations share data.
Learn what concrete steps you can take to measure the effect of cyber security awareness training in your organisation.
You will receive inspiration, tools and stories about good cyber security practice directly in your inbox. Our newsletter is sent out approximately once a month.