ISO 27000 Compliance Guide + Five Steps to Building Defensible Security & Privacy systems

How do you convince your partners & customers that your privacy and security practice is state-of-the-art?

Maintaining a robust privacy policy and cybersecurity risk management practice is critical for businesses. U.S. companies may face monetary and other penalties for violating any of multiple privacy laws: international, federal and state-specific.

IBM reported a 10% increase in the average total cost of a data breach in 2020-2021, from $3.86 million to $4.24 million. This was the highest average in 17 years; the report also noted that costs were significantly lower for organizations with more mature security and privacy postures.

The top 20 most significant GDPR fines of 2019, 2020, 2021 totaled over $1.2B. 

Penalties are rising, and compliance is increasingly complicated, all while data breaches and ransomware attacks continue to evolve and escalate. Common sense dictates that having a robust risk management program is critical for most organizations.  How do you know what you have built is defensible in court? 


ISO Certification 

One of the best ways to demonstrate the suitability of your Information Security Management System (ISMS) to your organization, customers, and partners is to achieve a globally recognized certification. ISO certification is a foundational layer in building a defensible position should it be needed.  

The globally recognized ISO/IEC 27000 family is the gold standard for building and maintaining a secure ISMS. While the complex array of privacy laws continues to evolve, maintaining the ISO 27000 standards assists an organization in managing events, demonstrating a solid privacy/security posture, and defending itself against threats and legal liabilities.

ISO 27001 is the certifiable ISO standard that describes how to manage an ISMS securely. 27001 is compatible with other standards and regulations, including SOX, GLBA and other cybersecurity regulations. Completing 27001 certification helps demonstrate the effectiveness of controls to regulators and supports the position that the organization's security controls constitute the “reasonable security” those regulations require.

ISO/IEC 27001:2013 ISMS Security Techniques 

ISO 27001 is the most widely recognized certifiable security standard for Information Security Management Systems. Until recently, it was the only core certifiable standard in the ISO 27000 family of standards.  

ISO 27001 is a flexible standard for organizations of all types and sizes. Essentially, it lays out a framework for building, operating, documenting, and maintaining an ISMS that protects and preserves the confidentiality, integrity, and availability of the organization's sensitive and critical information.  

The seven sections of 27001 and their fundamental principles:

1. Understanding the ISMS within the Context of the Organization
  • Determine the desired outcomes of the ISMS and the issues that affect the ability to achieve those outcomes.
  • Identify the key stakeholders, their interests, requirements and responsibilities.
  • Define and document the scope of the ISMS with respect to the organization and the goals of the certification exercise.
  • Document interfaces and dependencies between the ISMS and relevant activities performed by other organizations and systems.

2. Leadership and Commitment
  • Commitment to security and privacy risk management by senior leadership, the risk owners, is critical to success.
  • Ensure that the security policies and objectives of the ISMS are established, compatible with the organization's mission, and properly communicated.
  • Assign sufficient resources to achieve the objectives effectively.
  • Promote continual improvement and lend ongoing management support as necessary.

3. Planning for ISMS Success
  • The guidelines can be applied both to an audit exercise and to the long-term operation and maintenance of information systems.
  • Security risk assessment: define a risk assessment process and methodology based on the organization's security policy and the objectives of the ISMS.
  • Apply the risk assessment to identify security risks that would compromise the confidentiality, integrity and availability of information within the scope of the ISMS.
  • Evaluate the identified risks against the previously established risk tolerance criteria.
  • Document a risk mitigation plan, the “risk treatment process,” based on the risk analysis, security policies and ISMS objectives.
  • Leverage ISO 27002 to select the security controls necessary to accomplish the defined objectives within the scope of the specified system.
  • Determine the required resources and timeline.

4. Supporting the ISMS Process
  • Ensure adequate resources are available with the necessary competence.
  • Formalize communications in terms of when, what, who and how.
  • Controlled documentation is critical to operating, maintaining, certifying and defending the security of the information system.

5. Controlled Operation of the ISMS
  • Plan resources, processes and controls for continuous operation.
  • Maintain controlled documentation and change control.
  • Perform risk assessments at planned intervals.
  • Apply necessary mitigation measures, or “changes to the risk treatment plan.”

6. Internal Audits
  • Ongoing monitoring, measuring and evaluation.
  • The organization determines what, when, who, and how based on the security policy, objectives, and the system's scope.

7. Continual Improvement - The Endless Journey
  • No security program is perfect, and the threat landscape evolves rapidly. Continual care and feeding are necessary to keep information security management healthy.
  • As “nonconformities” are detected (e.g., a defect, an incident, a new vulnerability or a change in the threat landscape), action needs to be taken to control, correct and remediate them.
  • Review and make changes to the ISMS if necessary.

ISO/IEC 27002:2013 Code of Practice for Security Controls 

ISO 27002 defines security controls that may be implemented by the ISMS defined in 27001. The standard sets up a framework for selecting and maintaining the appropriate controls to ensure the risks inherent in people, processes, management and systems are sufficiently mitigated within the scope of the ISMS. The organization decides which controls are applicable based on the security policy, scope and risk analysis.

The Three Main Sources of Information Security Requirements

  • Results of the risk assessment and the recommended risk treatment plan
  • Legal, regulatory, statutory and contractual requirements
  • The objectives and mission of the organization and its continuing operations

Management Direction

ISO 27002 tells us that the foundation of choosing and applying security controls is the management security policy. The policy lays out regulatory, legislative and contractual requirements, the current and projected threat landscape, business objectives and strategy regarding information security.  

The ISO 27002 standard sets guidelines for what needs to be done in the context of the ISMS and its specific objectives. It does not specify precisely how to accomplish the task. For example, the guidance on cryptography states that ‘cryptographic controls can be used to achieve security objectives.’ In terms of solution, the guidance reads, “Cryptographic algorithms, key lengths, key management systems, and usage practices should be selected according to industry best practice.” Determining that best practice is the responsibility of your IT security professionals and consultants.

Encryption Use Cases

  • Confidentiality - encryption of sensitive data at rest (storage) and in flight (transmission)
  • Integrity/authenticity - digital signatures, signed documents
  • Non-repudiation - cryptographically verified chain of events (blockchain)
  • Authentication - encrypted passwords, smart cards, USB tokens


ISO/IEC 27002 Highlights: 

The standard covers the following critical areas of your security practice:

  • Security Policies - Senior management directions for information security 
  • Human Resource Security 
    • Background checks, qualifications 
    • Security awareness and responsibilities  
  • Physical Security  
    • Secure areas  
    • Physical access controls 
    • Asset management 
  • Organization of Information Security 
    • Assets & systems 
    • Personnel & segregation of duties 
    • Support contacts 
    • Network security management 
    • Information transfer (into and out of the scope of the ISMS, e.g. APIs) 
    • System maintenance, development and acquisition 
    • Change control 
    • Mobile devices, remote workforce 
  • Operational Security 
    • IT access controls 
    • Malware/ransomware protection 
    • Data backup 
    • Logging and monitoring 
    • Software version control 
    • Vulnerability management 
    • ISMS audit considerations 
  • Supplier Relationships 
    • Protection of sensitive data associated with third party access 
    • Supplier agreements  
    • Control and monitoring of supplier IT services 
  • Incident response 
    • Processes for handling security events and incidents 
    • Incident reporting and investigating 
    • Analysis, learning and remediation  
  • Business continuity 
    • Continuance of information security under adverse conditions 
  • Compliance 
    • Maintaining legal, statutory, regulatory and contractual requirements 
    • Documentation, proof of evidence, protection of records 
    • Independent review 

ISO/IEC 27018:2019 - Protection of PII in Public Clouds acting as PII processors 

ISO 27018, created in 2014 as an addendum to ISO 27001/27002, is the first international standard on privacy in cloud computing services to be adopted by the industry. 27018 is primarily concerned with public cloud services acting as PII processors on the instructions of cloud service customers.

ISO/IEC 27701:2019 Privacy Extension to 27001/27002 

Information Security and Privacy 

Consistent with global and U.S. privacy trends (see our blog post on Privacy Laws), ISO 27701 adds the privacy component to 27001/27002. It specifies the Privacy Information Management System (PIMS) and the requirements for the privacy of PII principals within the context of the organization. 27701 applies to organizations of all sizes that collect or process Personally Identifiable Information (PII), including but not limited to name, address and IP address.

The intention of 27701 is to augment the existing ISMS with privacy-specific controls, thus introducing the concept of a PIMS. 27701 is a certifiable extension to 27001. Hence organizations seeking 27701 certification will need to hold an ISO 27001 certification first or, better yet, pursue both as part of a dual compliance effort.

Mapping ISO 27701 to GDPR & CCPA 

Included in ISO 27701 is a direct mapping of provisions in the standard to articles in the GDPR. It shows how ISO 27701 certification can be used to fulfill the requirements of GDPR. Similarly, the artifacts of a 27701 certification can be applied to meeting the requirements of CCPA and other federal and state privacy laws and regulations.

“If you are planning to achieve both 27001 (ISMS) & 27701 (PIMS) compliance, then do them both at the same time as it is far more efficient. Doing 27001 & 27701 one after the other would be a lot of repeated work.” - Andy Cottrell, CEO, Truvantis

ISO 27001 Begins with a Risk Analysis 

A risk analysis is the crucial first step for organizations building and maintaining ISO 27000 compliant ISMS/PIMS practices. It defines high-level threats and vulnerabilities based on the characteristics of the system managing the data assets and the potential cost to the business. 

Risk = Threat x Vulnerability x Probability x Impact

Threat = Ransomware attack
Vulnerability = Loss of stored customer private information (Personally Identifying Information) if the threat were to be successful
Probability = The likelihood that a given threat will occur within the defined scope of the analysis
Impact = Business losses incurred as a result: regulatory fines, bad publicity, loss of reputation, legal fees, investigation and remediation costs, lost business, etc.

As recent years have shown, the risk of a ransomware attack is high relative to the comparatively low cost of deploying mitigations such as patch management, malware protection and data backup. In the face of ransomware threats, these practical mitigation steps significantly reduce vulnerability, impact and risk.

Just like setting policy and establishing the organization's risk appetite, the risk assessment needs to be approved and supported by senior leadership. A risk assessment shows the business cost of ignoring a risk versus the cost to mitigate those risks. The purpose of conducting a risk assessment is to inform decision-makers and help prioritize risk mitigation tasks by identifying the relevant threats, probability of harm, and the resulting business impacts. 

Targeted Risk Assessments 

Risk Assessment Process 

1. Prepare for the risk assessment
  • Identify the purpose of the assessment, e.g., ISO 27001 or 27701 certification pertaining to stored and/or managed consumer PII within the scope of the ISMS/PIMS boundaries.
  • Identify the risk owners.
  • Identify any assumptions or given constraints going into the assessment.
  • Identify the data assets, sources of threats, vulnerabilities, probabilities and impacts.
  • Adopt a risk model, which essentially diagrams the overall approach to the evaluation and the analysis of the results: what data will be collected, and how it will be collected and interpreted.

2. Conduct the assessment
  • Identify threat sources and their relevance to the organization.
  • Identify the events that known threats could produce.
  • Determine the probability or likelihood that threats would be successful.
  • Estimate the potential adverse impacts to operations, assets, individuals, other organizations or stakeholders.
  • Calculate the risks based on the threats, probabilities and impacts.

3. Share and communicate the assessment results
  • Communicate the documented assessment results to the decision-makers so they can support the risk response plan.
  • Communicate the documented assessment results to appropriate organizational personnel and other stakeholders.

4. Maintain the assessment
  • Monitor and analyze risk factors continually for relevant changes in those factors, for example new ransomware threats.
  • Update the relevant components of the risk assessment, for example guidance on proactive defensive upgrades.

Risk assessment is the foundation of a holistic, organization-wide risk management process. It is the first step toward a robust mitigation and response plan, certification and building a defensible security and privacy compliance practice.  

ISO 27001 – Identifying the Risk Owners 

Equally crucial to conducting a proper risk assessment is identifying the risk owners. A risk owner should be someone who will “feel the pain” should a risk materialize. The risk owner is impacted, accountable, and has the authority to invest in a solution. Practical experience dictates that group ownership of risk is a recipe for failure. Even though the standard technically allows an entity or department to act as the risk owner, it is generally more effective for the risk owner to be a single person. They need to be high enough in the organization to allocate resources, timeline and drive the risk remediation process. An asset owner can have a different role than a risk owner. For example, a software asset owner could be an IT admin who will attend to the patching and updates required to secure the asset. However, the risk owner should be the head of the IT department because they own the investment and are ultimately responsible if risks are not properly remediated.  Identifying risk owners is part of the risk assessment process, and they then approve and support the remediation plan.  

Risk Analysis (27001-02 Security) vs. Data flow Mapping (27701 Privacy) 

27001-27002 ‘Security’ vs. 27701 ‘Privacy.’ 

Are security and privacy programs the same thing? Well, security is undoubtedly a prerequisite for privacy controls (for privacy protections, all bets are off in case of a data breach); however, privacy compliance adds additional concerns regarding data flow. A data-flow mapping determines how data is collected, processed and stored as well as access points. 

A security program aims to keep data safe from breaches, malware, ransomware and other nefarious attacks on the data systems. A privacy program assumes the security program is in place and concerns how the data is used and processed and how it complies with consumer access and modification rights. A privacy program will typically begin with a data-flow mapping exercise.

Good privacy programs are often much more customized to the business than security programs. For example, data centers running Windows servers all have similar patching and update programs for malware, ransomware and virus controls. Privacy programs are customized to the nature of the business, the data collected, processing, and other cloud services the organization uses. 

Experience a Relatively Painless Certification Process 

A business process to manage the protection of private data involves coordination with stakeholders from IT, HR, legal, auditors and certification bodies. Few businesses have the time and expertise in-house to efficiently complete a risk analysis and implement appropriate mitigation plans on their own. Most find it invaluable to hire a professional consulting organization such as Truvantis. 

It’s analogous to taking a car for service. If you are a qualified mechanic, have a garage full of equipment and time on your hands, you can maintain the vehicle yourself. You are more likely to take it to a specialist who has the tools and experience to service the car more efficiently. 

Beware of boxed all-in-one kits that claim to provide all the templates, checklists and instructions needed to complete your certification. That still leaves you with all the work of filling out the voluminous paperwork required, interpreting nuances in standards and laws related to your business environment and other work before the audit even starts. You're left where you started. For most organizations, it makes more sense to hire a consulting firm with the tools and experience to build and even maintain your ISMS/PIMS for you. 

What is the best way to mitigate cyber threats while managing the matrix of laws and regulations? The answer is don’t try to do them one at a time. Instead, build a robust risk management program that can support the entire matrix of laws and regulations and effectively mitigate cybersecurity risk. 

Working with Truvantis simplifies the risk assessment and certification process in concert. Truvantis works with your organization in advance to talk through the process, define the scope and boundaries of the evaluation and develop a five-step plan and ISO certification roadmap.  No matter which laws or regulations you are under, the threat landscape at your organization, or which security framework you choose to use, it all begins with a rigorous risk assessment. 


Truvantis Five-Step Risk Assessment Process:

1. Identify All Assets
  • Protected sensitive data and the technical systems, people and processes used to manage, secure and monitor it.

2. Assess Your Asset Vulnerabilities
  • All ways sensitive data could be exploited.

3. Match Threats to Vulnerabilities
  • Define the “risk scenario.”

4. Forecast Probability
  • Determine the odds this threat will occur, given an annualized rate of occurrence.

5. Outline a Treatment Program
  • Prioritized mitigation strategy, plan and budget.
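As an added illustration (not Truvantis's or ISO's own tooling) of the Risk = Threat x Vulnerability x Probability x Impact formula above and of steps 4 and 5 of the five-step process, the following Python scores a small constructed risk register, ranks the scenarios and decides treatment by comparing each control's annual cost with the annualized loss it removes. The 1-5 ordinal ratings for threat and vulnerability, the use of the annualized rate of occurrence (ARO) as the probability term, and every dollar figure are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class RiskScenario:
    """One row of the risk register. Ratings are ordinal 1-5 (an assumption of
    this example); ARO is the annualized rate of occurrence the page refers to."""
    name: str
    threat: int             # 1-5: capability and relevance of the threat source
    vulnerability: int      # 1-5: how exposed the data asset is to that threat
    aro: float              # expected events per year (the probability term)
    impact: float           # estimated business loss per event, in dollars
    control: str            # proposed treatment (mitigation)
    control_cost: float     # annual cost of running the control
    residual_aro: float     # ARO once the control is in place
    residual_impact: float  # per-event loss once the control is in place

    def __post_init__(self):
        # Reject register entries that would silently distort the ranking.
        for field in ("threat", "vulnerability"):
            if not 1 <= getattr(self, field) <= 5:
                raise ValueError(f"{self.name}: {field} must be a 1-5 rating")
        if min(self.aro, self.impact, self.control_cost,
               self.residual_aro, self.residual_impact) < 0:
            raise ValueError(f"{self.name}: rates and costs cannot be negative")

def score(r):
    """Composite score from the page's formula, used to rank scenarios."""
    return r.threat * r.vulnerability * r.aro * r.impact

def annual_loss(aro, impact):
    """Annualized loss expectancy: events per year times loss per event."""
    return aro * impact

def treatment(r):
    """Mitigate when the control costs less per year than the loss it removes;
    otherwise accept or transfer the risk and record that decision for the risk owner."""
    before = annual_loss(r.aro, r.impact)
    after = annual_loss(r.residual_aro, r.residual_impact)
    net = (before - after) - r.control_cost
    return {"risk": r.name, "score": score(r), "ale_before": before, "ale_after": after,
            "control": r.control, "net_benefit": net,
            "decision": "mitigate" if net > 0 else "accept/transfer"}

def treatment_plan(register):
    """Decisions ordered by risk score, highest first: the prioritized treatment plan."""
    return sorted((treatment(r) for r in register), key=lambda d: d["score"], reverse=True)

# Constructed sample register; every figure below is illustrative, not real data.
SAMPLE_REGISTER = [
    RiskScenario("Ransomware encrypts the customer PII store", 5, 4, 0.5, 800_000,
                 "patch management, EDR and offline backups", 60_000, 0.1, 200_000),
    RiskScenario("Unencrypted laptop with PII lost", 3, 3, 1.0, 50_000,
                 "full-disk encryption on all laptops", 5_000, 1.0, 2_000),
    RiskScenario("Flood at the primary data center", 1, 2, 0.02, 1_000_000,
                 "relocate to a second site", 150_000, 0.005, 1_000_000),
]

if __name__ == "__main__":
    for d in treatment_plan(SAMPLE_REGISTER):
        print(f"{d['risk']}: score={d['score']:,.0f}, ALE ${d['ale_before']:,.0f} -> "
              f"${d['ale_after']:,.0f}, net benefit ${d['net_benefit']:,.0f}: {d['decision']}")
```

The ranking drives the order of the treatment plan, while the net-benefit column is what the risk owner signs off on when approving or declining each control.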

Whether you need ISO 27001, PCI DSS or SOC 2 certification, Truvantis can help with crucial budget-saving recommendations based on the scope of your business and surrounding regulation and legal requirements. 

Want more information? Download our whitepaper, 6 Steps to Get Real Value Out of Your Security Risk Assessment.  

Ready to move forward?  Contact Truvantis for more information and to start your pre-audit consultation. 
