ISO 27001 is the international standard for information security and protection. It’s roughly equivalent to similar infosec frameworks in the United States, like FedRAMP and CMMC, but the international development, maintenance, and scope of the ISO framework makes it much more commonly seen outside of US Government contracting.

In the US, it’s clear that a security framework mandated by the government is required when working as a contractor for the government. What about ISO 27001? Since it’s not mandated by any central government (because the ISO/IEC are international organizations), it’s not as clear-cut as making it mandatory when working as a contractor for that central government.

So, when is ISO 27001 mandatory? Let’s explore several examples and what they might mean for your business.

Example #1: Foreign Government Contractors

One of the most common reasons why a business may be required to achieve ISO 27001 certification, including passing an audit, is when that business wishes to work with a nation’s government and that nation stipulates the use of ISO 27001 standard security.

For example, the German government, through BSIG section 8a, makes it mandatory that any company working with a KRITIS – that is, critical infrastructure – field needs to be ISO 27001 certified. This includes the fields of state and administration, food, finance and insurance, water, media and culture, transport and traffic, information technology and telecommunications, and health and energy.

Unfortunately, there’s no convenient list of foreign governments that stipulate the use of ISO 27001 standards to work with them as a contractor.

In general, nations around the world will fall into one of four categories. The first category is the United States; here in the US, we have our own standards and set our own rules. Achieving ISO 27001 status does not confer the ability to work with the government, but it does at least put you on high ground for achieving CMMC or the other framework certifications that will enable that partnership.

The second category is countries that have adopted and made mandatory the use of ISO 27001. Much of Europe falls into this category, either explicitly or implicitly, as we’ll go into in the next section. Working with many of the governments in Europe, or with the European Union itself, is generally going to require at minimum a solid ISMS validated with ISO 27001 standards.

The third category is nations that don’t necessarily require ISO 27001, but you can benefit from having it when you work with them. There are numerous less-sophisticated governments that fall into this category.

The final category is embargoed nations that you can’t work with regardless; whether or not they require ISO 27001 doesn’t matter.

Nearly any government you might want to work with will either require or approve of the use of ISO 27001, so it’s always a net benefit to use it if you’re going to work with any government entity.

Example #2: Secondary Regulations

There are a lot of different information security regulations that cover different industries around the world, as well as regulations that encompass specific countries and their privacy laws.

One of the biggest examples is healthcare. In the United States, healthcare organizations are required to follow the information control rules set forth in the Health Information Portability and Accessibility Act, or HIPAA. While HIPAA itself does not mandate the use of ISO 27001, nor does ISO 27001 mandate following HIPAA guidelines, the two work in tandem with one another. To be compliant with HIPAA often means implementing the same basic set of controls as outlined in ISO 27001.

Healthcare is far from the only industry with these kinds of external regulations as well. Finance is another big one. The general finance regulations include the Sarbanes-Oxley Act, or SOX, the Payment Card Industry Data Security Standards regulation, the Bank Secrecy Act, and more. Many of these share the same security controls as ISO 27001. Again, they aren’t entirely the same, and neither calls on the other by name, but achieving ISO 27001 certification is likely to get you most of the way to where you need to be as a financial business.

Another primary example is the GDPR for all of Europe, and the UK-GDPR for the United Kingdom. Again, these are privacy regulations that do not necessarily require the use of ISO 27001, but if you use ISO 27001, you’ll be well on your way towards complying with them, so it’s effectively required for many businesses that handle privileged information.

Example #3: When Written Into a Contract

Oftentimes, you will find that working in the modern business world requires some level of control over the information you handle, regardless of who you’re working with. The fact is, while there may not be a regulatory agency or government breathing down your neck and demanding compliance with ISO 27001, you may find many different doors closed to you if you aren’t certified.

Many of the world’s largest and most influential businesses achieve and maintain ISO 27001 compliance, as well as a whole host of other information security standards, some of which are even more stringent. To work with these companies as a partner, you will generally need to demonstrate at least a basic level of compliance with information security frameworks. ISO 27001 is the broadest and most standardized of the options available to a business that wants to work with other businesses internationally.

So, while it’s not mandatory to comply with ISO 27001 in these circumstances, you will find that you’re hampered in terms of the partnerships, business deals, supply lines, and other business relationships you can form if you don’t maintain that much security.

This holds true largely when you’re working with privileged information. It doesn’t require ISO 27001 certification to make a bulk purchase order of a product with generic specifications, after all. But, forming a closer partnership with a supplier in a way that shares client information will require stricter control.

Example #4: When You Need an ISMS

Sometimes, whoever or whatever entity you’re choosing to work with doesn’t specify that you need to be certified with ISO 27001. However, they do demand that you have an operational ISMS. An ISMS is an Information Security Management System, and while the term seems generic enough to be used for any set of processes and procedures you put into place, it specifically refers to the system developed through compliance with ISO 27001.

We’ve written about this in much greater detail here. In that post, we go over what an ISMS is, how it works, how to develop one, the best practices for implementing and maintaining one, and whether or not your business should have one.

The short version is that an ISMS is a good framework for information control and security. It’s developed through the use of ISO 27001 standards and compliance, and it sets you up to succeed in the international business world, so it’s generally a good idea to implement if you’re in a position to do so. Unless you’re a business that doesn’t handle controlled information at all, in which case you likely don’t need one, but it still might be a good idea to look into what better security can do for you.

Example #5: When Another Program Requires ISO 27001

Sometimes, ISO 27001 is required by something else you want to use. One example of this is the CSA STAR program. The CSA STAR program is more formally known as the Cloud Security Alliance Security, Trust, and Assurance Registry. It’s a program aimed at cloud service providers, meant to form a registry of cloud service providers that have gone the extra mile and achieved certification with some level of information security framework such as ISO 27001.

The CSA STAR program has three levels. The first is a self-assessment level, which is free and allows your business to appear in the registry but offers no additional validation. The second is a third-party audit that reviews your security posture and validates your claims. The third is aimed at high-risk environments and provides ongoing, continuous third-party auditing to validate ongoing security.

The root of the CSA STAR program is that you need to achieve, at minimum, compliance with ISO 27001 to be added to the registry. Other frameworks and security on top can be beneficial as well, but the ISO standard is the bare minimum.

So, if your business is a cloud service provider and you want to be entered into the CSA STAR registry, you will need to achieve ISO 27001 compliance to do so.

This is just one example. Other industries and third-party services that offer validation and lists of validated service providers may have similar requirements. This is another way in which achieving ISO 27001 certification can help you reach broader horizons and expand your accessibility to partners who might be looking for your kind of services.

Is ISO 27001 Ever Truly Mandatory?

The fact is, compliance with ISO 27001 is never mandatory out of the gate for a business. It’s fully optional in every circumstance except where some external force, like a contract, stipulates that you need to use it, which will be on a case-by-case basis.

Even the examples we’ve listed above are largely not actually mandatory. The CSA STAR registry makes it mandatory if you want to be listed in the registry, but you don’t have to be listed in that registry to succeed in business, even as a cloud service provider. Similarly, regulations like GDPR, HIPAA, and others don’t specify ISO 27001 as mandatory for compliance with their rules; it’s just that ISO 27001 is one of the easiest ways to do the majority of the work.

Of course, in some situations, it may as well be mandatory. If you build a platform explicitly with the goal of working as a contractor for a European governmental agency, and that agency requires that you comply with ISO 27001 in order to work with them, you will need to comply. There’s no real way around it.

Some businesses do fine without ever touching ISO 27001. Sometimes, that’s because they don’t need to work with non-US businesses. Sometimes, they aren’t working in an area where controlled information is handled, and there are other ways to enforce security that don’t require the rigorous auditing process that ISO 27001 requires.

While ISO 27001 compliance might not be truly mandatory in many cases, that doesn’t mean it’s not a good idea. There are a lot of potential benefits to achieving that level of compliance, including:

• The ability to increase your business’s credibility and reputation amongst the people in the industry who know what it means to be secure.
• The ability to boost your resilience against cyberattacks and intrusions that can occur in today’s connected digital landscape.
• The ability to ensure compliance with non-ISO standards through the use of higher ISO standards, and thus avoid the penalties and fines that can be associated with being insecure.
• The ability to have structure and systems in place to protect your systems, train your employees, detect potential intrusions, and react to incidents if they occur.

All of this is beneficial to a business in the long term. While the process for achieving ISO 27001 certification can be long, intensive, and expensive, it’s generally well worth it in the end.

How Ignyte Can Help

Here at Ignyte, we can help with many different security and compliance regulations and frameworks. If you need to achieve HIPAA compliance, implement SOC 3 security, comply with the GDPR rules, implement ISO 27001 security, or achieve FedRAMP Authority to Operate, we’re available.

The Ignyte Platform was designed from the ground up as a centralized way to track and organize the compliance process. We designed it in conjunction with many security specialists to ensure that it provides plenty of utility and value to brands looking to expand their security.

Additionally, we’re well-versed in all things infosec, so if you have any questions, you can reach out to us directly. We’d be more than happy to help you out.

*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/security/when-iso-27001-mandatory/