Safety first: What you need to know about ISO 27001 certification

Keeping data safe and secure is a priority for all digital-first organizations. But obtaining ISO certification requires an ongoing commitment, as Learnosity EVP John Kleeman explains.

Cybersecurity is a matter of utmost importance in edtech. Learners, teachers, parents, schools, governments and other stakeholders want to ensure that learner data is safely stored and learners are protected from digital risks. But if you decide to purchase software or services from a third party to add to your edtech offering, how do you evaluate its security? 

Many organizations undergo a build or buy decision process: do we buy that component from elsewhere or build it ourselves? Security is a big piece of that puzzle. 

The truth of the matter is that any organization can claim to be secure. But to live up to its claims, it has to consistently and regularly consider the risks and threats it faces and put in place comprehensive measures to mitigate them—and, crucially, have an independent third party review its security. 

The ISO 27001 standard helps companies adopt a standardized way of managing these risks. Although working with a supplier who has earned a 27001 certification does not guarantee security, it is evidence that the supplier has made serious efforts to put in place secure processes and environments.

What is ISO 27001?

ISO 27001 is a management system standard published by the International Organization for Standardization. It requires organizations to set up an information security management system, which is a framework of documents, policies, controls and procedures that enable them to evaluate security risks systematically and consider the confidentiality, integrity and availability of their data. A key focus of the standard is that it requires ongoing, continual improvement over time.

To be certified against ISO 27001 (as Learnosity has been), an organization defines a scope. Usually the scope is the whole of the organization’s activities, but sometimes the scope can be a part of an organization’s activities. 

An accredited, independent certification body then conducts a detailed onsite audit of the organization and its management system. These audits are taken very seriously, and if the organization has many locations, then there are usually visits to each of them. An ISO 27001 certification is usually valid for 3 years with annual reviews and audits.

How to evaluate a supplier’s ISO 27001 certification

Be wary if someone claims to be ISO 27001 compliant or conformant, but not certified. You should expect certification as without independent review, the statement is not very meaningful. Also, make sure that it is the organization that is certified—not just their hosting supplier or data center.

If an organization claims to be ISO 27001 certified, you can verify the claim by doing the following:

1. Ask to see a copy of the certificate. (Here is the Learnosity certificate.)
2. Check the date on the certificate is current.
3. Check the scope on the certificate covers the services relevant to you.
4. Check the certification body is reputable. Certification bodies need to be accredited by an organization that is a member of the IAF (International Accreditation Federation), for example ABNAB or UKAS (and there are many others). Learnosity is certified by BSI, which is accredited.
5. Check if the certificate is valid. Many certification bodies have a way to check a certificate number on their websites to ensure authenticity.
6. Ask to see the statement of applicability. This lists the ISO 27001 controls that are applicable to the certification—it would be unusual if most controls were not included.

You don’t need a non-disclosure agreement in place to view the certificate but one may be required to see the statement of applicability.

Is it worth considering ISO 27001 certification for your organization?

ISO 27001 is not just applicable to third parties. It could also be useful to consider for your organization. Whether or not you buy in external services, you need your core software and systems to be secure.

Undertaking ISO 27001 certification is fairly expensive in terms of time and bandwidth. 

Whereas the actual audit costs tend to be moderate, the staff time to set up the information security management system and the procedures and policies within an organization can be substantial. There are also ongoing compliance costs and requirements.

If you are considering it, it could be worth getting a consulting or auditing company to do a  preparedness evaluation/gap analysis to determine how much work is needed. It probably only makes sense if your organization has a genuine, long-term commitment to security and plans to continue the certification/attestation over time. You also need top executive approval and commitment. 

While costly, obtaining ISO 27001 certification ultimately confers great value. It shows customers and stakeholders (including learners and teachers/schools/instructors) that an entity takes security seriously and will look after their valuable data. Perhaps most importantly, being ISO 27001 certified requires that an organization complies with best practices in security. It will make a security failure less likely and, should one occur, allow it to be remediated more easily.