What Are the Mandatory Controls of ISO 27001?

Earning an ISO 27001 certification helps your software-as-a-service business stand out. In today’s world of data privacy concerns, it’s a way to show clients you take their security as seriously as they do. But like most forms of compliance for SaaS, ISO 27001 certification is a complicated process. Here is a high-level look at the mandatory controls of ISO 27001 and the documents and policies you’ll need to support them.

What Are the Mandatory Controls of ISO 27001?

ISO 27001 controls are the steps an organization has to take to meet the framework’s security requirements. You can find the full list of 114 controls in Annex A of the certification guidelines. There are specific controls you’ll need to follow in each of the following domains:

  • Information security policies
  • Organization of information security
  • Human resources security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operational security
  • Communications security
  • System acquisition, development, and maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance

Note that it’s not enough just to follow these controls. There are mandatory documents for ISO 27001 (2022) that you’ll need in order to prove your compliance.

What Documents Are Required for ISO Certification?

The ISO 27001 mandatory requirements don’t include a list of official documentation. However, you’ll need some way to prove that your company has met the required security practices.

The easiest way to demonstrate this is by documenting the steps you take in official policies and related records. You’ll show these to the ISO certification body you choose when you apply.

Most companies end up providing documentation covering:

  • The scope of their information security management system (ISMS)
  • Risk assessment reports
  • Access control policies
  • Operating procedures for IT managers
  • Business continuity procedures
  • Asset inventories
  • Information security policies and objectives
  • Statutory and regulatory compliance
  • Definitions of security roles and responsibilities

This list is by no means exhaustive, but it should give you a sense of just how many documents companies need to get ISO 27001 certified. This complexity is why it’s often worth partnering with a company like Trava Security. Our compliance services verify you have all necessary policies in place and the documentation you’ll need to prove it.

What Policies Are Required for ISO 27001?

The ISO 27001 (2022) mandatory clauses cover all aspects of organizational information security. There are too many to list here. But here are some key areas to focus on first.

Information Security Policy

First, you’ll need a document describing your company’s cybersecurity approach in depth. It should cover core principles, legal considerations, high-level security objectives, and assigned roles.

Your information security policy is something like a map. It shows auditors where to find various security processes and personnel. It’s one of the first things a certification body will look at when assessing your ISO 27001 readiness.

Access Controls

Next, ISO 27001 requires strict access controls. These limit who can access your company’s private databases. For example, you might only allow managers to see sensitive customer data, rather than every employee with an account.

Risk Assessment

You’ll also need to conduct risk assessments before pursuing ISO 27001 certification. These identify security threats and help you prioritize vulnerabilities based on the likelihood that they are exploited and the severity of the impact if they are.

Understanding where your company is vulnerable is key to keeping it safe. Detailed risk assessments give you those details while getting you ready for your ISO 27001 audit.

Training

Training is another key policy area. Auditors will want to see that you have a plan in place for sharing security findings and strategies with employees. Even the best security strategies require daily execution to work. Training your employees is how you ensure everyone follows your policies and best practices every day.

What Are the 11 New Controls in ISO 27001?

In 2022, an update was made to the ISO 27001 mandatory documents list, and there are 11 new controls to consider:

  1. Threat intelligence
  2. ICT readiness for business continuity
  3. Configuration management
  4. Data masking
  5. Monitoring activities
  6. Secure coding
  7. Information security and cloud services
  8. Physical security monitoring
  9. Information deletion
  10. Data leakage prevention
  11. Web filtering

Get Your Company ISO 27001 Ready With Trava Security

Earning ISO certification is a complicated but worthwhile process. It’s a way to stand out from the competition by highlighting your security expertise. But with 114 controls to consider and documentation requirements to match, just getting started can feel daunting.

That’s why Trava Security offers comprehensive compliance management support. We’ll get your company audit ready faster and guide you through each step of ISO certification. Take a look at our service page for more information.

Questions?

We can help! Talk to the Trava Team and see how we can assist you with your cybersecurity needs.