ISO 27001 Compliance: How to Get Started

Post Date: 07/05/2018

One of the best parts of my job at AvePoint is being able to help customers around the world with their privacy, security, compliance and data protection initiatives. GDPR was one of the more popular topics discussed this year, but there are still many organizations that are interested in or being challenged to adopt good security and governance best practices in order to keep their information assets secure.

ISO/IEC 27001 helps organizations prove that they have those practices in place. Speaking from work experience, I can attest to it being even more challenging to keep forward momentum after your organization has been ISO 27001-certified.

Although ISO 27001 certification is not mandatory, working towards it can help you get ready to meet data governance requirements for similar acts, laws, regulations and standards. Most of these share a common goal: protection of information and assets.

The AvePoint Privacy Impact Assessment (APIA) System can help you automate the process of evaluating, assessing and reporting on the privacy implications of your enterprise IT systems. Exclusively available through the IAPP, the APIA System allows you to select questions from the prepopulated bank of PIA questions (such as ISO 27001/02) or create your own, meaning you can build and save PIA templates to be reused and reported out.

ISO 27001 Standard Controls

One of the most common questions organizations ask is, “How do I get started with risk assessment?” Ideally, risk assessments should be part of Privacy and Security by Design, or part of project management under ISO 27001 Annex 6.1.5, which reads, “Information Security shall be addressed in project management regardless of the type of the project.”

First, define and agree upon your risk assessment methodology. Set the rules for how the risk assessment is performed and follow a standard that you can replicate across your organization (especially if you have a global presence). Don’t forget to define your risk scoring mechanism (severity vs. likelihood) and your risk level threshold, i.e. the score above which a risk must be treated rather than accepted.

AvePoint’s Enterprise Risk Management (ERM) system helps you automate Risks Analysis, associate recommendations and document appropriate Corrective and Preventive Actions (CAPA) once any non-conformities or other undesirable situations are identified from assessments.

Once you have defined the methodology, the next step is to apply it across all the assets your organization has. This is tricky, as it also requires you to have an Asset Inventory in place beforehand, as ISO 27001 mandates in Annex A.8.1.1. In most cases, organizations may not know or fully understand the risks associated with each of the ISO controls. Some questions to help get you audit-ready are:

  • Is there an asset owner assigned to each asset?
  • Who maintains the asset inventory?
  • Is the asset inventory regularly reviewed?
  • What is the asset’s retention period?
  • What is the asset’s classification?
  • How often is the asset/information backed up?

The Inventory Manager allows organizations to centralize all of their assets (systems, services, processes, applications, etc.) into a single pane of glass and conduct automated Privacy, Risk, Security, and Data Protection Threshold and Impact Assessments with configurable calculators for risk-based decisions and controls.

If you’ve done the first two steps, you should now have identified the gaps between the business expectations and the actual state of your information assets. Now it’s time to start planning your risk treatment, i.e. your corrective and preventive action controls.

Applying security controls is one of your options to mitigate or minimize the risks, but you also have the option to:

  1.  Transfer the risk to another party
  2.  Avoid the risk by disabling the process or activity which is too risky (although the business may not be very happy about this)
  3.  Accept the risk, which makes sense if the cost and effort of mitigating the risk are higher than the actual potential loss or damage. With the recent changes in data breach penalties such as the GDPR (up to 4% of global revenue or up to 20 million euros), however, accepting the risk can be quite a questionable decision.

Another common question when it comes to ISO 27001 requirements and controls is about data labeling or data classification. Annex 8.2.1 from ISO 27001 states that “Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.”

The biggest challenge with information or data classification is finding the easiest, most efficient and most accurate way to achieve this goal. Delegating this task to employees can sometimes be both time consuming and inaccurate.

In addition, not every employee is familiar with how to appropriately classify data. Data changes frequently, and it’s often hard to rely solely on untrained personnel to make sure classification is done according to your company’s information classification policy. It’s not that you shouldn’t trust your employees, but it’s better to monitor and control how information is used throughout the organization.

How do you protect personally identifiable information (PII) and sensitive information while reducing risk across the enterprise? Does your organization have processes in place to classify and protect data in all of your assets? The answer “we have a firewall” is no longer valid once you adopt cloud collaboration solutions, because the data no longer sits behind a single network perimeter.

Unintentional employee action is the most common cause of data breaches worldwide. In order to protect their assets, organizations need to classify what they have and, based on the value, apply appropriate security controls.

Not everything needs to be protected, but understanding what information you have, where it is, who has access to it, whom it is shared with, what the retention period is, etc. is all part of a best-practice data governance process.

ISO 27001

AvePoint itself received ISO 27001 certification and has been able to meet many of the ISO 27001 requirements using our own Enterprise Risk Management (ERM) solution. We’ve been able to do things like:

  • Automatically apply data classification to data at rest and to any newly created document based on sensitivity, document/information type and retention period.
  • Identify non-conformities in the Incident Management Center.
  • Automate third-party vendor risk assessments.
  • Evaluate security requirements in contracts using Impact Assessments.

Stay tuned for a more detailed blog post on our ISO 27001 certification process in the coming weeks!

Scan results provide insight into your greatest areas of vulnerability. Scan your content against internal or external regulations to identify privacy or security issues in files, file properties, or even attributes like headers and footers. Begin to tag and classify your data so you can more easily find and react to at-risk or sensitive data.

If you’re just beginning your ISO 27001 certification journey or are performing your periodic ISO 27001 review and need a centralized solution to help you with automating some of the ISO requirements, consider AvePoint’s compliance solutions and feel free to contact us for more information.


During his tenure as a Senior Compliance Technical Specialist at AvePoint, Esad was responsible for research, technical and analytical support on current as well as upcoming industry trends, technology, standards, best practices, concepts and solutions for information security, risk analysis and compliance.
