You just heard from executives that your organization is ISO 27001 compliant! That’s fantastic! You’re a part of an elite group of companies that have gotten ISO certified like Google, Microsoft, Cisco Systems and Verizon.
The ISO 27001 certification is increasingly associated with building brand reputation and customer loyalty. On the other hand, a lack of ISO 27001 certification can be seen as a risk, especially in regulated industries. With so many high-profile data breaches in the news — most recently the Colonial Pipeline Ransomware attack — ISO 27001 compliance can make the difference between winning and losing new business, or even keeping your existing client base.
So, you immediately think about how this will put you above the rest of your competition and will surely open a whole new target market to you. You start putting together a game plan to let the world know, with a big ISO certified badge of honor on your website, newsletters, emails, and snail-mail pamphlets. All those clients you had to turn away because they needed an ISO certified service provider will now come flocking back.
There is one problem, though.
Only a specific application or service was included in the ISO certification scope. As a result, some parts of the organization’s systems and services may not be ISO certified. I’m sure you can imagine the slew of marketing, compliance and customer issues that will come raining down on you when your customers realize the service you sold them isn’t ISO certified.
The biggest misconception regarding ISO certification is that once your company obtains it, it applies to your entire organization. Unfortunately, that is not the case.
When it comes to ISO 27001, scoping is more flexible than in other data-driven frameworks like HIPAA, HITRUST, PCI or even GDPR. Those standards dictate the scope based on the data types you process or store, like credit cards, health records, or personally identifiable information (PII).
With ISO, you can make the scope whatever you want it to be. For example, there have been instances where a single internet connection was certified under ISO 27001. Because of that, organizations don’t have to apply all 114 Annex A controls enterprise-wide.
ISO 27001 Scoping
To help understand this a little more, here is ISO scoping in a nutshell:
Organizations looking to go through ISO 27001 certification are referred to as Service Providers. The standard focuses on what it calls the Information Security Management System (ISMS). This is a set of policies and procedures for systematically managing an organization’s sensitive data. The goal of an ISMS is to minimize risk and ensure business continuity by proactively limiting the impact of a security breach.
An ISMS typically addresses employee behavior, processes, data and technology. It can be targeted towards a particular type of data, such as customer data, or it can be implemented in a comprehensive way that becomes part of the company’s culture.
Scoping within the ISO 27001 standard is quite flexible. The entity/service provider implementing the ISMS is responsible for scoping its management system and for identifying the people, processes, systems, applications, and facilities to include in that scope. As part of this flexibility, the entity/service provider is allowed to determine functions of the business that are out-of-scope and will not interact with the ISMS. Entities can also indicate areas where responsibilities may be transferred to third-party vendors, such as a cloud provider like Azure, AWS, Google Cloud, Oracle, etc.
ISO 27001 dictates that scoping should focus on determining the key functions for developing, operating, or securing the critical systems, customer service offerings, and processes of the organization.
- The scoping exercise should first determine what internal or external drivers require the organization to be ISO 27001 certified.
- After determining drivers for the ISMS implementation, the next requirement is to consider the internal and external stakeholders that are interested in the success of the ISMS.
- Examples include board members, the executive team, the sales or marketing team, customers, vendors, or another framework that requires the company to align with an industry-accepted security framework.
- Lastly, the ISO 27001 standard requires the consideration of both internal and external interfaces and dependencies to the ISMS.
The sales and/or marketing department will likely interface with the ISMS through a customer engagement role. Sales and marketing team members are responsible for appropriately representing the ISMS scope to customers. These folks are commonly viewed as a risk for unintentionally implying that the entire organization is ISO 27001 compliant when only a subset of the company’s functions or locations are certified.
For marketing purposes, you’ll ultimately have to make sure that only the scope of services and applications that went through the process are mentioned when talking about ISO certified services.