For businesses navigating the complex cybersecurity threat landscape, ISO/IEC 27001 compliance represents positive assurance of information and data security.
This article discusses ISO 27001’s structured framework for information security management, outlines steps to obtain certification, and lists controls that can be outsourced to GoodAccess.
Table of contents
What is ISO/IEC 27001?
ISO/IEC 27001 is an international standard that deals with information security.
It does not focus on cybersecurity per se, but sets the framework for information security, and thus includes policies and procedures set to protect an organization’s information assets in both physical and digital form.
Information security risk management
Specifically, ISO 27001 describes information security management systems (ISMS), which are sets of security controls and documents describing procedures, which collectively ensure the security, confidentiality, and integrity of the organization’s information assets.
Categories of recommended controls
The standard’s Annex A lists a number of recommended controls that fall into four categories:
- Organizational controls—Policies, rules, processes, and organizational structures over a broad scope of matters related to information security.
- People controls—Controls focused on the human element in information security dealing with awareness and training, human resources management, and personal security.
- Physical controls—Controls dealing with tangible assets, such as storage medium protocols, asset disposal, or entry systems.
- Technological controls—Controls regulating the security of digital information and infrastructures, such as authentication, cryptography, monitoring, storage, or backups.
ISO/IEC 27001 is a member of the ISO/IEC 27000 family of standards that all deal with information and cybersecurity. For example, the ISO/IEC 27005 deals with the risk management process and controls.
However, ISO/IEC 27001 is the only one of the few in which an organization can attain certification.
Why does it matter to be ISO 27001 compliant?
Organizations generally don’t implement comprehensive information security controls. Instead, they deploy them as the need arises to cover specific situations, which leaves these controls fragmented and inconsistent across different types of assets.
Typically, physical paperwork would receive less security than electronic data, and IT departments may be more security-conscious and follow stricter data-protection procedures than other company departments.
The information security management system seeks to undo this by consolidating information security controls across the organization and asset types.
To do this, ISO 27001 requires
- A systematic information security risk assessment including threats, impacts, and vulnerabilities,
- Creating and implementing information security controls to counter the risks and appoint responsible personnel,
- Adoption of processes that guarantee the security controls fulfill their purpose and continue to improve.
The actual scope of controls and resources included in the ISMS is up to the company to determine, based on their relevance.
Critical component of supply-chain security
By implementing an information security management system organizations put their internal processes in order, and passing ISO 27001 certification provides them authoritative proof of their adhering to high standards of information security.
While this is a benefit on its own, ISO 27001 certification may also be a critical requirement in supply-chain security.
Government, military, or healthcare organizations are often required by law to only work with those vendors who can prove a high standard of information security, and ISO/IEC 27001 certification is often asked for.
Even companies outside the public sector or healthcare may request the certification when choosing a supplier as a way of securing their supply chain.
By building and implementing an ISMS and passing an ISO 27001 audit organizations communicate they are serious about information security and are more capable of responding to security incidents.
How to obtain ISO 27001 certification?
As stated above, the scope of controls subject to an ISO 27001 audit will vary; each organization must decide what resources and processes it considers critical.
Pick relevant controls
Although Annex A of the standard lists a number of controls, it is not expected that a compliant company will have them all. Instead, each organization will pick and adopt those that are relevant to their situation.
Obtaining ISO 27001 certification involves creating a body of documents, handbooks, and risk analyses on virtually every process within the company.
New roles, like security manager, must be appointed, including a security forum that meets regularly to discuss information security status, incidents that were encountered, or plan future steps.
While companies can do this themselves, most choose to hire a consultant to help guide the organization through the process, prepare templates, and adjust processes.
Pass a certification audit
To obtain the certificate, the company then has to pass a two-stage certification audit by an accredited certification body.
While the company chooses the scope of the ISMS, the auditor determines the depth of testing.
If the company passes, they are issued an ISO 27001 compliance certificate. The certificate is valid for three years and has to be renewed after expiration.
GoodAccess and ISO 27001 compliance
GoodAccess is ISO 27001 certified (see certificate here). Our customers can rest assured that they are doing business with an ISO-compliant supplier.
Can GoodAccess help me with ISO 27001 compliance?
GoodAccess is a network security company delivering ZTNA as a service. While we cannot help you put internal processes in order, we can help you meet some technological requirements of ISO 27001.
Namely, GoodAccess supplies the following technological controls:
- User Endpoint Devices (Annex A, 8.1) – While not a replacement for EDR, GoodAccess strengthens BYOD security by pre-authenticating devices before granting access to resources.
- Privileged Access Rights (Annex A, 8.2) – GoodAccess’ intuitive Access Control enables highly granular least-privilege access to systems, applications, and data.
- Secure Authentication (Annex A, 8.5) – Use MFA, SSO, and biometrics (on mobile devices) to pre-authenticate users before allowing access to digital resources.
- Logging (Annex A, 8.15) – GoodAccess keeps both gateway-level and system-level access logs for monitoring and analysis.
- Network Security (Annex A, 8.20) – We use strong encryption on all connections and round-the clock system-level logging to ensure information security within the GoodAccess SDP.
- Security of Network Services (Annex A, 8.21) – Robust access controls and authentication prevent unauthorized access and ensure compartmentalization, while system-level logs provide a detective control.
- Segregation of Networks (Annex A, 8.22) – GoodAccess inhibits lateral movement by segmentation on the network level.
- Web Filtering (Annex A, 8.23) – Threat Blocker, a built-in DNS filter, blocks access to harmless, disreputable, or custom-blacklisted domains.
- Use of Cryptography (Annex A, 8.24) – GoodAccess encrypts all communication to protect all data during transit and prevent attacks like man-in-the-middle.
- Application Security Requirements (Annex A, 8.26) – We enforce least-privilege access to online applications, reinforced by MFA and SSO.
By using GoodAccess, you can offload a portion of your technological requirements to a certified supplier.
ISO/IEC 27001 is a globally recognized standard for information security management.
By creating and implementing an information security management system, and achieving certification in the standard, a company can become a trusted member of the vendor supply chain, not to mention significantly boost its own information security by adopting appropriate processes.
GoodAccess can help companies cover parts of the standard’s technological requirements, as pertains to network security, cryptography, logging, and access control.