What is ISO? A Guide to Security Standards & Compliance

What is ISO?

Across the globe, standards from the International Organization for Standardization (ISO) are accepted by experts as a reliable baseline for just about any process. They set out requirements for manufacturing a good, providing a service, setting up a management system, and complying with safety requirements. The list goes on and on.

Since we are a CPA firm that specializes in information security audits, we will mostly stick to that topic in this post. ISO's information security standards give companies a framework for maintaining a safe environment for information assets. This post gives an overview of the applicable ISO security standards and the steps toward successful implementation, leveraging professional practices used within the internal audit function.

Fun Fact: How many ISO standards are there in the world?

  a) 0-1,000
  b) 1,001-10,000
  c) 10,001-25,000
  d) 25,001-50,000

 (Answer at the end of this blog.)

What Are ISO Standards?

The International Organization for Standardization (ISO) is an independent, non-governmental international organization (the short name ISO is not an acronym of the English title; it was chosen to be the same in every language). Its main goal is to bring experts together to share knowledge and develop relevant international standards that support innovation and provide solutions to problems across industries worldwide.

ISO took shape in 1946, when delegates from 25 countries met in London and decided to create an organization to facilitate the international coordination and unification of industrial standards; it officially began operations in 1947. More than seven decades later, ISO has produced a large body of standards and other publications used by companies globally in industries such as technology, food safety, agriculture, and healthcare. They provide specifications for manufacturing products, providing services, and using systems to help ensure quality, safety, and efficiency.


What is the Primary Focus of ISO?

Over the years, studies have been performed to identify the benefits ISO standards provide. They indicate that ISO frameworks have a positive impact on business success by focusing organizations on identifying risks and defining control objectives. Below are some benefits companies have reported after implementing ISO standards.

  • Provides a competitive edge
  • Customers take the company more seriously
  • Increases credibility in the marketplace
  • Increases in compliments vs complaints from customers
  • Regulators raise fewer questions
  • The board's risk mitigation plan has more structure
  • Staff have a clearer understanding of their roles and responsibilities
  • External audit results provide better insight into the effectiveness of business systems and processes
  • Executives have greater assurance that the business is well controlled under ISO standards

While ISO creates the standards, ISO itself does not certify organizations. Instead, each region has an accreditation body that accredits the certification bodies allowed to issue ISO certificates. Using US-based firms as an example, firms performing ISO certification assessments in the US are accredited by the ANSI National Accreditation Board (ANAB).

This is important to understand because many organizations that perform ISO assessments are not accredited by ANAB (or by the equivalent accreditation body in other parts of the world). The easiest way to check is the directory on the ANAB website, which lists accredited certification bodies. If your organization holds an ISO certificate and the certifying body is not listed by the relevant accreditation body, your certificate may not be recognized. Please refer to our article on ISO certificate verification for additional guidance.


Which ISO Standard Pertains to Information Security, Cyber Security, and Privacy Protection – Information Security Management Systems (ISMS)?

As mentioned previously, Linford & Company is an audit firm specializing in information security audits. As such, we are accredited to audit against ISO 27001:2022 (formally ISO/IEC 27001:2022, the current version of the standard). The ISO security standards created to protect information assets belong to the ISO 27000 family. This family consists of more than a dozen standards covering the management of information assets and the implementation of specific information security controls. This post focuses on ISO 27001 and ISO 27002.

In simple terms, the ISMS is the set of policies, processes, and controls that, working together, help a company identify and protect the information it determines to be most valuable. ISO 27001 states the requirements an ISMS must meet (clauses 4 through 10) and, in Annex A, lists a reference set of 93 controls. A company seeking certification must demonstrate, with evidence, that the mandatory clauses are satisfied, and must document which Annex A controls it has selected or excluded, and why, in a Statement of Applicability.

ISO 27002 covers the same controls but provides implementation guidance and illustrative examples for each. It is essentially a playbook to help companies choose and implement controls that satisfy the requirements of ISO 27001. It is a guidance document: organizations are certified against ISO 27001, not ISO 27002.

More information about these standards can be found on ISO's website, which also has a store where you can purchase ISO standards, collections, and checklists.


Understanding the Steps Toward ISO 27001 Compliance

The initial ISO 27001 certification audit is broken into two stages. After certification, the certificate is typically valid for three years, with annual surveillance audits and a recertification audit at the end of the cycle.

Stage 1 of ISO Compliance

Stage 1 is meant to validate that what are known as the “clauses” (clauses 4 through 10 of ISO 27001) are addressed. The clauses cover the following items:

  • Context of the Organization (clause 4)
  • Leadership (clause 5)
  • Planning (clause 6)
  • Support (clause 7)
  • Operation (clause 8)
  • Performance Evaluation (clause 9)
  • Improvement (clause 10)

Note that “organizational controls” is not a clause; it is one of the four Annex A control themes (organizational, people, physical, and technological), and the controls themselves are examined in Stage 2.

Each of these clauses must be implemented before the audit moves to Stage 2. Otherwise, a major nonconformity is raised, which blocks the start of Stage 2. See the end of this section for an overview of ISO audit findings.

Stage 2 of ISO Compliance

In Stage 2, the auditor reviews operating effectiveness at a point in time to validate that the ISMS is implemented as described and that the Annex A controls selected in the Statement of Applicability are in place and operating.

The first step in creating a secure ISMS is to understand its scope within the organization. To define the scope, it is imperative to consider the internal and external issues and risks that may affect the ISMS's ability to function properly. One example that is both internal and external: users (employees and third parties) may not understand their roles and responsibilities in safeguarding confidential information.

During this exercise, it is imperative to understand where information security requirements originate. Generally, they come from a few core areas: the risk assessment; contractual agreements such as statements of work or master service agreements; applicable legal and regulatory obligations; and requirements set internally to support day-to-day business activity.

Once requirements have been set, it is time to choose the controls that best fit the needs of the company, and to record the selection, along with the justification for any Annex A control excluded, in the Statement of Applicability.

ISO Audit Findings

As mentioned above, a major nonconformity can be a show-stopper when progressing from Stage 1 to Stage 2 in an ISO 27001:2022 audit. Findings in these audits fall into three categories: major nonconformity, minor nonconformity, and opportunity for improvement (OFI). See a definition of each below.

  • Major Nonconformity – An issue that fails to meet an ISO requirement. The root cause must be reviewed and accepted, and corrective actions must be verified as effective before the organization can move to Stage 2 or be granted certification. Presents an unacceptable level of risk to the organization's interested parties.
  • Minor Nonconformity – An issue that does not fully meet an ISO requirement. A corrective action plan must be reviewed and accepted before moving to Stage 2 or being granted certification. Presents a minor risk (but not one to be ignored) to the organization's interested parties.
  • OFI – Recommendations for improving a control. No response or action is required before moving to Stage 2 or being granted certification, and an OFI is not a nonconformity.


How to Maintain ISO 27001 Compliance

The next requirement of ISO 27001 compliance is monitoring and improvement (clauses 9 and 10). ISO 27001 requires an internal audit program (clause 9.2) and management review (clause 9.3), so the best professional practice is to incorporate some form of internal audit.

Utilizing internal auditors allows a structured methodology to be applied to test the operating effectiveness of controls against the requirements identified during the initial setup as well as those set by ISO.

The reports generated by the internal audit group should be retained and reviewed by management on a regular basis. Management should also use these reports when considering changes to improve the operating effectiveness of the controls being tested.

Key Takeaways: Understanding ISO Standards & Security

ISO was created more than seven decades ago to provide specifications for manufacturing products, providing services, and using systems to promote quality, safety, and efficiency across the globe. Part of this effort is information security, covered by the ISO 27000 family of standards.

ISO 27001 and ISO 27002 provide companies with the requirements, controls, and implementation guidance needed to maintain an effective ISMS and a safe environment for information assets. Used together, they give companies the tools to navigate their environment's requirements, risks, and controls, which together make up the ISMS.

Finally, a successful ISMS requires monitoring and improvement. This is satisfied through assessments completed by internal auditors, who should retain evidence supporting their conclusions on the operating effectiveness of the controls in place. Management should be involved so they understand any deficiencies and can make improvements as necessary.

ANSWER TO QUESTION: You made it to the end! So how many standards exist today? If you selected the last option, 25,001-50,000, you were right: as of this update, ISO has published more than 25,000 standards (25,751 at the time of writing), which you can browse in the ISO catalogue. Interested in making the perfect cup of tea? ISO has your back: ISO 3103:2019 specifies the method for preparing tea liquor for sensory tests. ISO literally covers everything. And to tie it back to information security: weak tea = a disappointing drink; weak passwords = a data breach. No one wants either of these things!

Standards such as ISO's have proven to be effective tools for businesses around the world. Incorporating a standard into a company should be more than checking a box to show compliance; used well, standards like these can take the success of your business to a whole new level.


This article was originally published on 3/21/2017 and was updated on 2/12/2025.