12 Dec 2022

What an ISO 27001 certification means for HR and IT

ISO 27001 certification can help to overhaul and holistically strengthen your organisation’s information security strategy. This comprehensive set of standards holds you accountable for how you safeguard sensitive information, protect your IT environment, and manage your assets.


Naturally, the ISO 27001 framework affects every part of your business, not least your HR and IT departments. On first look, the road to ISO 27001 certification is not the easiest to navigate.

Luckily, with tools like Zelt that help to consolidate your HR and IT management, adapting your processes to fulfill ISO requirements is not as hard as you might think. In this article, we take an in-depth look at ISO certification, what that means for your business, and how ISO 27001 controls impact the way you manage your people and your devices.

What is ISO 27001 certification?

Before we dive into the specifics, let’s take a moment to understand exactly what ISO 27001 is and what it means for your business. ISO 27001 refers to a globally recognised framework that governs and standardises information security standards for organisations around the world.

The ISO 27001 framework provides organisations with standardised guidance on best practices for data protection, cyber resilience and asset management. These are comprehensive standards that cover everything from your business’ workflows and practices to your use of technology and your people.

Using ISO 27001’s structured guidance, organisations can feel confident in their information security management protocols and systems. Additionally, ISO 27001 certification reassures clients and customers that they are taking proper measures to safeguard their information.

Why do businesses choose ISO 27001?

Uptake of business software has proliferated in recent years. And whilst this has led to optimized efficiency and streamlined workflows, there have also been rising concerns about data protection. That’s why demand for credible certifications has risen. ISO 27001 helps businesses to identify existing strengths and weaknesses in their current security protocols and gives structured guidance on how to address vulnerabilities.

Is ISO 27001 mandatory?

It’s important to understand that ISO 27001 controls are not a legal requirement, nor do businesses have to meet every standard. Organisations are free to ‘cherry pick’ the controls they feel align with how much security they want. In order to get ISO 27001 certified, your business will have to complete a Statement of Applicability.

In this Statement of Applicability, you will need to outline which of the ISO 27001 Annex A controls you’ve implemented and which you have excluded. You don’t need to have fulfilled all of the controls, but you will need to explain why you chose to exclude some of them.

How does ISO certification work?

Though not necessary, organisations usually opt to hire an ISO 27001 consultant to help them get certified. Engaging the support of an expert reduces your administrative load and also maximises your chances of getting certified. Start by checking out the list of the top ISO 27001 consultants in the UK according to dozens of UK-based businesses.

Step 0: Set the scope

Before getting started with ISO certification, you first need to establish the context of your organisation. You need to plan ahead for securing the certification by setting objectives and understanding the scope the ISO 27001 will have. Additionally, you will need to complete an interested parties register, create OKRs, and undertake a business risk assessment.

Step 1: Assess risk

The first step to getting ISO 27001 certification is carrying out an ISO risk assessment. This will involve undertaking an audit of your organisation’s current environment, assessing the strengths or shortcomings of protocols you have in place, and profiling the cyber security risks you face.

Step 2: Identify gaps

Using the risk assessment, the next stage is to identify gaps that need to be filled in your cyber and information security strategy. This will help you to design a new (or updated) risk management strategy, which in turn will indicate which ISO 27001 controls are most relevant to your organisation.

Step 3: Select controls

Understand and select your ISO 27001 security controls. This next step involves choosing the ISO 27001 controls that help you to implement your information security strategy. ISO 27001 implementation will probably involve changing certain workflows, updating key documentation, and educating your workers about new responsibilities.

Step 4: Write Statement of Applicability

You will then need to complete the Statement of Applicability that we mentioned. If you’ve hired an ISO 27001 consultant, they should help you to draft your SOA so that it fulfills all requirements. As explained, as well as stipulating which Annex A controls you have put into place, you will also have to justify the ones that you chose to exclude.

Step 5: Training

Next, you need to roll out and complete training to ensure that your company is up to date with the requirements and controls that you’ve set out in the previous steps.

Step 6: Audit

You will then have to undergo two audits (stage 1 and 2) by an accredited third-party to confirm that you have fully met the required standards to receive ISO certification.

Step 7: Ongoing compliance

Ensure ongoing compliance. Once you have gained your ISO 27001 certification, you need to make sure that you are aware of any compliance or regulatory updates that may affect your accreditation.

As clause 9.2 of ISO 27001 stipulates, organisations are expected to conduct internal audits at planned intervals.

How much does ISO certification cost?

You can separate the costs associated with ISO certification into a few different elements, including training, an ISO consultant and the audits. Training can range from completely free, if you opt for free training resources, up to a few thousand if you opt for a professionally developed course. An ISO 27001 consultant typically charges £140 per hour, and you’ll have to factor in a minimum of 24 hours to get your certification, though this does, of course, depend on the size of your organisation. Lastly, you’ll need to pay an accredited body to carry out your stage 1 and stage 2 ISO 27001 audits to verify and confirm your compliance. The cost of this will vary depending on how big your organisation is. Our article on how to keep employee data safe and prevent data leaks gives estimated costs depending on the number of employees you have. Finally, you should factor in the ongoing costs of implementing and maintaining ISO 27001 compliant systems and protocols. The time required to produce compliant materials, provide training and up-to-date education, and carry out internal audits are all costs that should be considered.

Benefits of an ISO certification

If you’re still weighing up whether certification makes sense for your organization, here’s a quick look at ISO 27001’s benefits:

Minimised risk of information loss

By nature, ISO 27001 certification should reduce your organization’s risk of losing precious data. The protocols, checks and systems that ISO 27001 requires you to put in place give you, your employees and your customers valuable peace of mind.

Credibility and increased trust

In the same vein, since ISO 27001 is a globally recognised framework, getting accredited will bolster your organisation’s credibility, as well as trust in how you handle sensitive data and in the strength of your cybersecurity protocols.

Accountability, structure and scalability

The ISO 27001 controls help you to keep you and your employees accountable to a clearly defined framework. Moreover, having a solid foundation in place makes it easier to safeguard precious data and information even as your organisation grows and scales.

Keeps you compliant

Complying with ISO 27001 standards is likely to keep you on the right side of many data protection and privacy laws too. This, again, gives you invaluable peace of mind and potentially protects you from legal liability.

ISO 27001 checklist and how Zelt can help

Even once you understand what ISO 27001 is and the overall aims of the standards it sets, it can still be difficult to wrap your head around it, especially when it comes to how its controls will translate into your organisation. In this article we’re focussing on how ISO 27001 impacts your HR and IT management.

That’s why we’ve unpacked some of the key Annex A controls that are relevant to different points in the employee lifecycle, that directly affect HR, and that govern how you manage your employees (and other assets). We’ll also explain how Zelt can help you to integrate ISO 27001 compliant practices into your organisation.

ISO 27001 controls prior to employment relevant for onboarding

The first controls we’re looking at are those that focus on HR security prior to employing someone and during onboarding:

Background checks

Under A.7.1.1, you’re expected to carry out thorough background verification checks on all candidates, ensuring that you’re fully compliant with relevant laws and ethics throughout the process. This may mean you need to rework or tighten your hiring practices to include ISO 27001 compliant screening.

Employment contracts

A.7.1.2 requires the inclusion of clear information about the employee’s and the organisation’s information security responsibilities within the employment contract. If you don’t already have a section of your contract dedicated to information security and the relevant duties and responsibilities, you will need to add this in. Using Zelt, you can store your employment contracts in a centralised and secure repository. Crucially, your new joiners will have instant access to their contract if they want to check a term or confirm a certain policy.

Communicating policies with new (and existing) employees

Another requirement under A.5.1.1 is that you create a defined set of policies that set out your information security strategy and, once approved by your management team, share this with your employees. You will need to make sure to provide these policy documents to new employees as part of your onboarding process. With Zelt, you can set up a standard ‘new starter checklist’ that automatically prompts your recent employees to read all required material. Instead of sharing each document with them manually, employees can access all your key documents independently at any time. A.5.1.2 stipulates that you need to review these policies at planned intervals and update and adapt them as and when necessary. And, if there are significant changes to these policies, you will need to inform your employees of these. To ensure you don’t miss your regular review, you can set yourself reminders through Zelt ahead of time. You’ll get an automatic notification prompting you to schedule a full policy review and update session.

Granting new employees permissions and access

When a new team member joins, one of the first things you’ll think about is getting them set up across all your various systems. The ISO 27001 standards expect you to properly manage this process to ensure that ‘the allocation and use of privileged access rights is restricted and controlled’ (A.9.2.3). Additionally, you’re expected to share secret authentication information through a formally set out process and to introduce a formal user registration process. Zelt makes access management as stress free as it should be. You can manage all your user permissions from your dashboard and onboard new employees to the relevant applications. You also get crucial oversight of who is using which apps, and can add or remove employees as and when necessary.

ISO 27001 controls during employment

Next, let’s take a look at the controls that directly impact your workers during employment from section A.7.2.

Enforce active implementation of ISO 27001 compliant policies

As set out in A.7.2.1, you need to not only write up ISO 27001 compliant policies, but ensure their active implementation throughout your organisation. Part of encouraging this uptake is taking the time to educate, train and update all of your employees about your new organisational policies, workflows and protocols, and how they affect their specific position (section A.7.2.2). Finally, you’re expected to penalise non-compliance with your information security policies by introducing a clearly defined disciplinary process for employees who are found to be in breach. You can store all your disciplinary policies directly in Zelt for easy and direct access. This means your employees can remind themselves of your company policy whenever they need. You can also conduct performance reviews from the platform to track ongoing progress and compliance with your ISO 27001 policies.

Access management

A.9.4.3 requires you to create an interactive password management system that requires strong and secure passwords. Using Zelt, you can also set organisation-wide password policies that stipulate certain features for user passwords to ensure their strength. For example, you can require a certain character composition and force employees to update their passwords at regular intervals.

Device management

Another key organisational duty is managing your devices. This falls under both section A.6.2 (mobile devices and teleworking) and A.8 (asset management). Under A.6.2.1, you need to devise a mobile device policy that helps to identify and manage the risks associated with your employees using mobile devices and teleworking. Additionally, you’re expected to outline controls for the security of equipment that is taken outside of your business premises or that is left unattended (sections A.11.2.6 and A.11.2.9). Finally, A.12.5.1 recommends controlling the installation of software. You can configure all of your device security settings across your organisation, or by group, directly from Zelt. You can set up and assign devices to employees remotely, force updates, and manage app installation. You can set your organisation’s devices to be pre-loaded with certain apps, whilst also limiting users’ ability to download software you haven’t approved. You’re also able to monitor all your organisational devices’ security status, with a clear overview of which device is assigned to whom, how that device is performing, and how it rates in terms of security. Finally, if there is a breach or a security risk such as an employee losing their device, you don’t need to stress, because you can remotely lock the device or remotely wipe it from Zelt.

Asset management

Assets don’t just refer to your organisation’s physical assets such as devices. In fact, employees are categorised as assets that need to be managed from an information security perspective too. At its core, Zelt is a people-oriented tool that’s designed to help you easily and effectively manage all your employees. It acts as an ‘asset inventory’, that helps you to oversee every aspect of your employees’ relationship with your business (and comply with A.8.1.1).

Change of employment and termination

The ISO 27001 controls also extend to the end of the employee lifecycle. Here’s what you need to do:

Define responsibilities beyond termination of contract

As outlined under A.7.3.1, it’s important to ‘protect your organization’s interests’ even when a worker ends their contractual working relationship with you. You should do this by clearly defining which (if any) information security responsibilities continue to apply even once an employee leaves. By creating an offboarding checklist for exiting employees, you can make sure outgoing workers are reminded of their ongoing responsibilities before they leave.

Revoke access and permissions

For obvious reasons, issues relating to access and permissions are also relevant here. Under control A.9.2, you’re required to mitigate against unauthorised access to your systems and services. On termination of an employee’s contract, you are expected to remove their access and permissions immediately. To do so, you need to implement a ‘formal user access provision … and de-registration process’, as well as thoroughly control the allocation of privileged access. Instead of manually revoking permissions, Zelt makes this an automated process. Since you can tie user access and permissions to contract start and end dates, an ex-employee’s credentials will be automatically suspended when their contract expires. But of course, if an employee leaves suddenly, you always have the ability to manage their access manually.
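The joiner and leaver controls above (A.9.2.3 privileged access on onboarding, and A.9.2 de-registration on termination) both reduce to the same check: every account in every application must map to an employee whose contract is current, and privileged accounts need periodic review. The script below is an added illustration, not Zelt’s code or any part of the standard; it reconciles a constructed HR roster (hypothetical people and applications) against a constructed list of application accounts and reports accounts to suspend, orphan accounts with no HR record, and privileged accounts due for review. The dates, names and application labels are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    """One row of the HR roster: contract window per person."""
    email: str
    start: date
    end: Optional[date]  # None means the contract is open-ended


@dataclass(frozen=True)
class Access:
    """One account in one application, as exported from that app's user list."""
    email: str
    app: str
    privileged: bool


# Constructed sample data (hypothetical people and apps, not real records).
TODAY = date(2022, 12, 12)

HR_ROSTER: List[Employee] = [
    Employee("alice@example.com", date(2021, 1, 4), None),
    Employee("bob@example.com", date(2020, 3, 2), date(2022, 11, 30)),  # left last month
    Employee("carol@example.com", date(2022, 12, 19), None),            # starts next week
]

APP_ACCESS: List[Access] = [
    Access("alice@example.com", "hr-system", privileged=True),
    Access("alice@example.com", "chat", privileged=False),
    Access("bob@example.com", "chat", privileged=False),
    Access("bob@example.com", "hr-system", privileged=True),
    Access("carol@example.com", "chat", privileged=False),
    Access("Dave@Example.com", "vpn", privileged=True),                 # no HR record at all
]

Finding = Tuple[str, str, str]  # (email, app, reason)


def contract_status(emp: Employee, today: date) -> Optional[str]:
    """Return None if the employee is under contract today, otherwise the reason they are not."""
    if today < emp.start:
        return f"contract starts {emp.start.isoformat()}"
    if emp.end is not None and today > emp.end:
        return f"contract ended {emp.end.isoformat()}"
    return None


def reconcile(roster: List[Employee], access: List[Access], today: date) -> Dict[str, List[Finding]]:
    """Compare application accounts with the HR roster and classify each account.

    suspend:           holder's contract has ended or not yet started -> revoke now (A.9.2)
    orphan:            no HR record for the account at all -> investigate, then revoke
    privileged_review: privileged account held by current staff -> periodic review (A.9.2.3)
    """
    # Email addresses are compared case-insensitively so 'Dave@Example.com' and
    # 'dave@example.com' are treated as the same identity.
    by_email = {e.email.lower().strip(): e for e in roster}
    findings: Dict[str, List[Finding]] = {"suspend": [], "orphan": [], "privileged_review": []}

    for a in sorted(access, key=lambda x: (x.email.lower(), x.app)):
        key = a.email.lower().strip()
        emp = by_email.get(key)
        if emp is None:
            findings["orphan"].append((key, a.app, "no HR record"))
            continue
        reason = contract_status(emp, today)
        if reason is not None:
            findings["suspend"].append((key, a.app, reason))
        elif a.privileged:
            findings["privileged_review"].append((key, a.app, "privileged access held by current staff"))
    return findings


if __name__ == "__main__":
    for category, items in reconcile(HR_ROSTER, APP_ACCESS, TODAY).items():
        print(f"== {category} ==")
        for email, app, reason in items:
            print(f"  {email:<22} {app:<10} {reason}")
```

Run against live data, the roster would come from the HR system and the access list from each application’s user export or API; the three lists are the evidence an auditor asks for when checking that de-registration actually happens, and the "orphan" list is usually where shared or forgotten accounts surface.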

How can I get ISO ready with minimum effort?

Though worth it in the long-run, ISO certification can be a front-heavy burden on your business and your employees. That’s why it’s important to make the journey to certification as efficient as possible by drawing on the right tools and expertise.

Make sure you understand ISO 27001

Before embarking on this journey, it’s more than worth taking the time to familiarise yourself further with the ISO 27001 framework. This should help you identify the most relevant controls, and how you can adapt existing policies and practices to fulfill the requirements.

Ensure you have the right software in place

ISO usually means new systems have to be implemented, which can add overhead and new costs. With Zelt as your central employee platform you can keep the systems you need to a minimum across HR, access and device management, minimising the amount you need to spend to get set up. Plus, as we’ve seen, many of Zelt’s native features will automatically fulfill a number of the ISO 27001 Annex A controls with very little added input from you.

Use an expert consultant with industry-specific experience

Many of our customers have gone through the ISO certification process, and there’s a reason they chose to work with a dedicated ISO consultant. Since every business is different in terms of industry, IT environment and information security aspirations, we’d recommend choosing a consultant who has experience working with similar-profile companies. To help you get started, we collated a list of the top ISO 27001 consultants in the UK – according to founders.

FAQs about ISO 27001

Here are the answers to some of the most common questions about ISO 27001.

What does ISO 27001 mean?

ISO 27001 refers to a set of information security standards that a business can implement to secure certification and strengthen the cybersecurity of their operations across the board.

What are the ISO 27001 requirements?

ISO 27001 comprises a number of standards that you can choose to comply with or not (though if you do choose to exclude a requirement, you will need to justify why). The requirements range from operational standards, to information security protocols that you need to implement.

Why is ISO 27001 important?

ISO 27001 is an internationally recognised framework that helps organisations to minimise their risk of information loss or breach, which in turn reassures customers and clients with a credible certification.

What’s the difference between Cyber Essentials and ISO 27001?

Whereas ISO 27001 certification is completely optional and is malleable to a company’s needs and wants, Cyber Essentials is a mandatory certification for companies looking to work with public bodies in the UK. Compared to ISO 27001, therefore, Cyber Essentials is a far more demanding framework, with a number of requirements that must be fulfilled to qualify for certification.