What is it?
ISO 27001 Compliance With Policies, Rules And Standards For Information Security is simply a set of checks that the policies, rules and standards are actually being followed. These checks are important for keeping your company’s information secure. Think of them as a recipe for a secure operation: they confirm that things are working correctly every time, so mistakes that could lead to a data breach are caught. They’re a core part of an Information Security Management System (ISMS) and they help you prove to auditors that you’re serious about security.
Table of contents
- What is it?
- Applicability to Small Businesses, Tech Startups, and AI Companies
- Why Do You Need Them?
- When Do You Need Them?
- Who Needs to Write and Use These Checks?
- Where Do You Keep These Checks?
- How Do You Write Them?
- How Do You Implement Them?
- Examples of using it for small businesses
- Examples for Tech Startups
- Examples for AI Companies
- How Can an ISO 27001 Toolkit Help?
- Which Other Standards Need These Checks?
- What are the relevant ISO 27001:2022 controls?
- ISO 27001 Documented Operating Procedures FAQ
Applicability to Small Businesses, Tech Startups, and AI Companies
Compliance With Policies, Rules And Standards For Information Security is useful for businesses of all sizes, including small businesses, tech startups, and AI companies.
- Small Businesses: Even if you’re a small company, you handle sensitive data like customer information or financial records. Procedures help you manage this data safely, protecting your reputation and your customers, and the checks make sure those procedures are working.
- Tech Startups: As a startup, you’re growing fast and need to build a strong foundation. Documenting your processes from the start prevents security issues down the line. It’s much easier to do it right the first time than to fix it later, and the checks make sure things keep working as you grow.
- AI Companies: You’re dealing with complex data and algorithms. Procedures are crucial for managing things like data handling, model training, and access control. Checking them helps ensure your AI systems are secure and your data is protected from misuse.
Why Do You Need Them?
You need these checks to show you’re serious about information security. They help you:
- Be Compliant: Many laws and regulations (like GDPR) require you to check that your documented security practices are being followed.
- Prevent Mistakes: They ensure everyone on your team follows the same steps, reducing human error.
- Pass Audits: When an auditor comes to check your security, these internal checks are the proof that you’ve thought about and implemented security controls.
When Do You Need Them?
You should start thinking about these checks as soon as you decide to get ISO 27001 certified. They are a fundamental requirement of the standard. It’s best to write them as you develop your security policies, so they align perfectly with your overall security strategy.
Who Needs to Write and Use These Checks?
- Your team: Anyone who handles sensitive information or works with your IT systems can help write these checks. This includes everyone from your IT manager to a person in customer support.
- You (or a designated person): The person responsible for your security (often a Security Officer or IT Manager) needs to lead the effort in writing and maintaining the checks.
Where Do You Keep These Checks?
You should store evidence of the checks and reviews in a secure, easily accessible location. This could be a shared drive, a company wiki, or a document management system. The key is that they’re available to everyone who needs them, but only to those who are authorised to see them.
How Do You Write Them?
Writing these checks is easy when you break it down:
- Define the Goal: What is the purpose of this check? (e.g., “To ensure all new hires have secure access to our systems.”)
- List the Steps: Write down each step in a logical order. Be as clear and simple as possible.
- Identify Roles: Who is responsible for each step?
- Include Details: Add important details like what tools to use, what forms to fill out, and what to do if something goes wrong.
How Do You Implement Them?
Implementation is all about making sure people use the checks and do the reviews:
- Training: Train your information security staff on the new checks and reviews. Don’t just give them a document; walk them through it.
- Communication: Announce new checks and reviews and explain why they’re important.
- Review: Regularly review the checks and reviews themselves to make sure they’re still relevant and effective.
Examples of using it for small businesses
A small business might have a check for “Securely Backing Up Customer Data.” It would include steps like:
- Log in to the backup software.
- Select the customer data folder.
- Verify the backup was successful.
Examples for Tech Startups
A tech startup might have a check for “Onboarding New Employees.” This would include steps like:
- Check a sample of newly created user accounts to confirm they were set up securely.
- Review the necessary permissions (using the “least privilege” rule).
Examples for AI Companies
An AI company might have checks and reviews for “Managing Sensitive Training Data.” This check would outline:
- Checking that data is anonymised or pseudonymised before training.
- Checking who has access to the raw data sets.
- Reviewing how data is securely deleted after the project is complete.
How Can an ISO 27001 Toolkit Help?
The ISO 27001 toolkit is a collection of pre-made documents, templates, and guides. It’s like a shortcut to getting certified! It can save you hundreds of hours by providing you with the framework you need to create your own procedures, policies, and records.
Which Other Standards Need These Checks?
Many information security standards and regulations, like GDPR, HIPAA, and NIST, also require you to have reviews and checks of standards, procedures, policies and rules. Having your ISO 27001 checks in place will often help you meet the requirements of these other standards too. It is also applicable to:
- CCPA (California Consumer Privacy Act)
- DORA (Digital Operational Resilience Act)
- NIS2 (Network and Information Security (NIS) Directive)
- SOC 2 (Service Organisation Control 2)
What are the relevant ISO 27001:2022 controls?
The main ISO 27001 control requirement is ISO 27001 Annex A 5.36 Compliance With Policies, Rules And Standards For Information Security.
Here are some controls from the latest ISO 27001 standard that are especially relevant for each company type:
For Small Businesses
- ISO 27001:2022 Annex A 8.9: Configuration Management – Checking secure settings for devices
- ISO 27001:2022 Annex A 5.22: Monitor, Review And Change Management Of Supplier Services – Keeping an eye on your systems and processes
- ISO 27001:2022 Annex A 8.13: Information Backup – Reviewing that you can recover data
For Tech Startups
- ISO 27001:2022 Annex A 8.1: User Endpoint Device Security – Checking that laptops and phones are secured
- ISO 27001:2022 Annex A 8.2: Privileged Access Rights – Checking that powerful access is limited to only those who need it
- ISO 27001:2022 Annex A 8.25: Secure Development Life Cycle – Reviewing that security is built into your software from the start
For AI Companies
- ISO 27001:2022 Annex A 5.10: Acceptable Use Of Information And Other Associated Assets – Reviewing how employees can use company data
- ISO 27001:2022 Annex A 5.15: Access Control – Checking who can access your data sets
- ISO 27001:2022 Annex A 5.16: Identity Management – Checking user identities and credentials
ISO 27001 Documented Operating Procedures FAQ
This rule is a simple check. It makes sure you follow your own security plans. You check to see if your team is doing what they said they would do.
It’s a big deal because it keeps your information safe. When everyone follows the rules, you have fewer security problems. It helps you trust your own security.
The main point is to check for compliance. You check your work. You make sure your team is doing what your security policies say.
You are in charge of this rule. Your managers are too. You all make sure your team follows the rules. It’s a team effort.
You can do a quick check. You can also do a bigger review. You just look at what people are doing. Then you see if it matches the rules you set.
You should check on a regular basis. You might check some things every month. Other things you might check once a year. It depends on how important the data is.
Yes, a computer can help. Special tools can check for you. They can give you a report. This makes the job fast and easy for you.
If you find a problem, you need to fix it. First, you figure out why it happened. Then, you make a plan to fix it.
You could teach your team new things. You might also change a policy to make it clearer. You might get a new tool to help.
You check on it later. You look to see if the problem is gone. This makes sure your fix was a good one.
You should write down what you find. You should also write down how you fix problems. These notes prove you are doing a good job.
You should keep your notes in a safe place. This way, you can find them later. This is important for an audit.
This rule helps your business a lot. It builds trust with your customers. They know you care about their safety. It also helps you meet legal rules.
Yes, you will have some simple papers to fill out. You write down your plans. You also write down your checks. This shows you are following the rule.
This rule works with all the other rules. For example, you need rules to begin with. This rule makes sure you follow them. It ties everything together.