Eating the InfoSec Elephant in 27001 Bites

Much like eating an entire elephant, Information Security is hard and should be done one bite at a time. While both may result in indigestion, unlike eating an elephant, there are major repercussions if we fail to maintain sound Information Security controls.*

*No elephants were harmed in the writing of this post.

In 2018, companies must defend against a seemingly endless number of threats and vulnerabilities to their infrastructure and data. They ask questions like:

  • How do we lock down systems and data to only those users who require access?
  • How do we ensure the integrity of our software?
  • What about our ever-expanding vendor security risk?
  • What systems should we monitor, and how do we monitor them?

These questions are important, but they barely scratch the surface of what is required when evaluating enterprise risk. In order to conquer the overwhelming task of securing the enterprise, organizations must adopt a systematic risk management approach based on a set of industry standards and benchmarks. Several such standards are published; each organization should choose the framework that best suits its business.

One of the most recognized standards of this kind worldwide – and the one we employ for our security program here at SalesLoft – is ISO 27001.

What is ISO 27001?

ISO 27001 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It lays out a framework for establishing and maintaining an information security management system (ISMS) to help address issues like the ones noted above. The purpose of an ISMS is to help minimize an organization’s overall information security risk through periodic assessments, corrective actions, technical controls, and continuous improvement.

The ISO 27001 standard is divided into two parts:

1. ISMS Clauses – The mandatory clauses (clauses 4 through 10 of the standard: context of the organization, leadership, planning, support, operation, performance evaluation, and improvement) define the requirements for scoping, support from senior leadership, risk assessment, periodic updates to policies and procedures, monitoring, operationalizing the ISMS, and implementing corrective actions, among others.

2. Annex A Controls – The Annex A controls (all 114 of them) define security control requirements across 14 domains. An organization’s statement of applicability lists every Annex A control, states whether it is in scope for the ISMS, and justifies each inclusion or exclusion; controls cannot simply be omitted without a documented reason. Examples of how these controls are implemented might include endpoint protection for employee laptops, or encrypted VPN access via two-factor authentication for access to a production environment.

All of the documentation outlined in the ISMS Clauses and Annex A controls should be updated periodically by the ISMS owner, as well as by the other process owners involved in delivering those controls.

Why Does it Matter?

Having a defined ISMS allows an organization to adapt its security and risk management posture to environmental changes over time. For example, at SalesLoft, we recently completed the acquisition of a software company, which became our Meeting Intelligence offering. We encountered many security risks as part of that business decision. However, our ISMS enabled us to identify, analyze, prioritize, address, and monitor those risks seamlessly.

In less than two months after the initial acquisition, we designed and implemented controls that ensured our people, processes, and data were compliant with ISO 27001, SOC 2, and GDPR. Because these types of changes occur constantly in a high-growth organization, if an ISMS or similar system is not in place, information security risk quickly becomes daunting and unmanageable.

How Can My Company Become Compliant?

While anyone can implement controls that align with the ISO 27001 standard, companies that wish to receive ISO 27001 certification must undergo a series of rigorous audits by an independent, accredited third party. The initial certification process usually takes anywhere from 90 to 180 days. The third-party certification process comprises the following types of examinations:

  1. Stage 1 Review
  2. Stage 2 Review
  3. Surveillance Reviews
  4. Re-certification

The process begins with a Stage 1 review, which focuses on the design and documentation of the ISMS (scope, policies, risk assessment, and statement of applicability) rather than on the effectiveness of technical controls. This audit is relatively short (no more than one week). It results in a list of gaps that indicate readiness (or lack thereof) for the Stage 2 review.

The Stage 2 review usually occurs roughly 30-90 days after Stage 1. Its purpose is to evaluate the design, implementation, and effectiveness of the ISMS. The scope of the Stage 2 review includes the requirements outlined in the ISMS clauses as well as the controls in Annex A. If the auditor finds major nonconformities, they must be corrected and verified before a certificate can be issued. Once the organization passes the Stage 2 review, the auditor recommends certification and the certification body issues the certificate.

Annual surveillance reviews are then conducted for the two calendar years following the initial certification. These reviews exist to ensure the ISMS is still operating effectively, and that no major nonconformities with the standard have arisen. Three years after the initial certification date, a re-certification review is required. This review closely mirrors the Stage 2 examination.

If you or anyone in your organization has questions about any of SalesLoft’s security and privacy practices, please review our Security & Compliance page. For additional inquiries, do not hesitate to contact our security team at security@salesloft.com.

If you have questions about eating an elephant, here’s an article on goal setting.