ISO/IEC 27001 (commonly abbreviated as ISO 27001) is co-published by the International Organization for Standardization and the International Electrotechnical Commission. The primary aim of ISO 27001 is to define the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). ISO 27001 enriched the content inherited from BS7799-2 and harmonized it with standards formulated by other standards bodies.

ISO 27001 is designed to cover much more than just information technology; it also includes controls that will be tested as part of certification. The specific controls to be tested depend on the certification auditor and on applicability. This can include any controls that the organization has deemed to be within the scope of the ISMS. Testing can be to any depth or extent, as assessed by the auditor, or scope, as stated by the organization. This is important since management determines the scope of the ISMS for certification purposes and may limit it to a single business unit, location, or even a department within the organization.

ISO 27001 includes the following three recommendations:

  1. Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts.
  2. Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable.
  3. Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s needs on an ongoing basis.

The ISO/IEC 27001 certification, like other ISO management system certifications, typically follows a three-stage external audit process outlined by the ISO/IEC 17021 and ISO/IEC 27006 standards.

The audit is done in two parts, followed by a continuous surveillance process:

  • Part 1 is an initial review of the ISMS, where key documentation, such as the information security policy, Statement of Applicability, and Risk Treatment Plan, is checked for existence and completeness. This stage helps familiarize the auditors with the organization.
  • Part 2 is a thorough compliance audit that independently tests the ISMS against ISO 27001 requirements. Auditors gather evidence to confirm the proper design, implementation, and operation of the management system. Passing this stage leads to ISO 27001 certification.
  • Regular follow-up audits ensure continued compliance with the standard. Maintaining certification involves periodic re-assessment audits, typically conducted annually, or more frequently during the early stages of ISMS implementation.

When implementing an ISMS, organizations often ask about the distinction between ISO 27001 and ISO 27002. In simple terms, ISO 27001 specifies the requirements for an Information Security Management System, while ISO 27002 offers guidelines and best practices for organizations seeking certification or implementing their security processes and controls. ISO 27002 provides more specific examples and guidance, serving as a code of practice for individuals within the organization.

ISO 27001 certification is globally recognized and confers several valuable benefits, including:

  • Requires maintenance of a baseline of fundamentally sound security practices, which can reduce your organization's cyber risk, including incidents of breaches and other negative security events.
  • Improves your organization's reputation, giving your customers and partners more confidence in the security of your solutions.
  • Helps your enterprise avoid regulatory fines, since many practices required by ISO 27001 also apply to other security frameworks and regulations, such as EU GDPR and HIPAA.
  • Simplifies the path to meeting other compliance initiatives, since many requirements and controls overlap across common compliance initiatives and frameworks.

BeyondTrust has successfully completed the International Organization for Standardization (ISO) 27001 certification. Achieving ISO 27001 demonstrates our ability to ensure customer data is safe from the most sophisticated methods of intrusion. The highly detailed validation process verifies the effectiveness of internal security operations, secure software development practices, and product capabilities. By utilizing BeyondTrust, organizations can meet ISO 27001 compliance, guaranteeing the utmost protection of customer data against advanced intrusion techniques.

These audits were conducted by Aprio, a nationally recognized, top 100 CPA-led business advisory firm.

BeyondTrust provides foundational security that helps our customers reduce cyber risk, ensure privacy of data, and achieve compliance with major initiatives, including ISO 27001. With BeyondTrust PAM solutions, you can:

  • Enforce least privilege access across all endpoints, identities, and accounts
  • Provide secure, VPN-less remote access that includes two-factor authentication (2FA)
  • Securely manage all privileged credentials (passwords, secrets, SSH keys, etc.)
  • Monitor, manage, and audit every privileged session, whether human, machine, employee, or vendor
  • Proactively detect and respond to identity-based attack vectors and attack pathways

To learn more about how BeyondTrust can help you reduce risk and achieve ISO 27001 certification, contact us today.

“BeyondTrust Endpoint Privilege Management really is a perfect solution. Not only does it implement least privilege, protect, and monitor our privileged accounts, it also allows us to maintain compliance with several regulations, which is hugely beneficial to us.”

Zensar

Contact us to discuss your ISO 27001 compliance needs.