ISO 27001 and due diligence: The standard for information security

Before a company sale can take place, investors participate in a financing round, or a stock exchange listing can be considered, the matter of due diligence must be dealt with first.

Information security is one of the core topics of due diligence audits. How information security should be managed is defined in the international ISO 27001 standard. In this article, we explain what it means and what businesses should take note of throughout its implementation.

What you need to know, in a nutshell

  • During a due diligence process, the information security of the company in question is also put under the microscope.
  • Information security encompasses much more than just IT security: It also includes the processes and the people within the company.
  • ISO 27001 formulates requirements towards information security management systems (ISMS).
  • Companies with ISO 27001 certification are highly trusted, which increases their value as a business. For these organisations, due diligence can be significantly more compact.
  • For service providers and suppliers in the automotive industry, TISAX approval is the equivalent of ISO 27001 certification.

In this article

What does due diligence mean? When do companies have to carry out such a process?

The literal meaning of due diligence is to take the care required. This term is used to describe a process for examining the statements and information a company provides regarding the value of its business and the risks involved. A due diligence audit is carried out when an investor or purchaser is interested in a company, or before a stock market launch. Anybody who is planning to invest in or take over a company wants to be sure that the statements made about a company and their future collaboration reflect reality.

What does a due diligence process look at? Who examines whom?

The audit is generally carried out by specialist corporate lawyers or business consultants. What is audited depends on the risk exposure in that particular case. Beyond US investor protection legislation, there are no binding standards for due diligence. The minimum action required is a complete audit of the company accounts. However, many other areas are generally examined as well, such as all the company’s relevant processes, its asset values and liabilities, existing contracts with employees, partners and suppliers, compliance, product development standards, supply chain security, and communications and information security. Assessing the latter is very complicated and requires specialist knowledge. DataGuard makes this knowledge accessible via a SaaS platform, offering an auditing solution for information security and the development of individual, optimised information security management systems (ISMS).

The benchmark for information security is ISO 27001. What does this standard mean?

To make it clear, the term information security means and describes much more than just the IT security of a company. This is because, in addition to the technical equipment, the security of all processes and business activities of a company are in the limelight, as well as the qualifications and trustworthiness of the people involved – including not only the workforce and the management, but also the suppliers. It therefore covers a very broad spectrum, which we have illustrated below:

 

  1. General aspects of an ISMS, risk management aspects
  2. Context, interested parties, scope of application, statement of applicability
  3. Management: Information security guidelines and objectives
  4. Information security organisation
  5. Human resources security
  6. Asset management
  7. User access control
  8. Cryptography
  9. Physical and environmental security
  10. Operational security
  11. Communications security
  12. System acquisition, development, and maintenance
  13. Supplier relationships
  14. Incident management
  15. Business continuity management
  16. Compliance

 

Let’s look at business continuity management as an example:

There are two companies.Both offer software-as-a-service products via a cloud.The products therefore require a functioning cloud.When auditing the information security in accordance with ISO 27001, the following questions need to be asked in particular: Which cloud service providers are the companies using, how high is the probability of a technical failure, how severe would this be and what effects could it have on the business activities, and what measures have been taken for this eventuality? The answers may be very different.

Company A) Let’s assume that Company A offers a SaaS product for automatic time recording. The probability of a failure is very low.However, if there was a malfunction, customers would have to log their times temporarily on a spreadsheet or by hand and enter them in the software manually later.That would be annoying, but the damage would be negligible.

Company B) It is a different case for Company B. This company offers a SaaS automated stock trading product via the cloud.If there is an outage, not only could it be bothersome, but it could cause high financial losses, not to mention considerable reputational damage with long-term consequences.The risk would be considerably higher. Suitably thorough protective measures would have to be defined within an information security management system (ISMS) in accordance with ISO 27001.

The international ISO 27001 standard currently does not contain any instructions that state how this task should be organised in each individual case. The standard only specifies in which areas and with which objectives an assessment and treatment of the risks must take place. The company itself must gauge how in-depth an audit should sensibly be.

What is an information security management system (ISMS)?

An ISMS defines rules, methods, and measures to manage the information security of an organisation. Its implementation is individual and takes place for the respective organisation as a whole, on a process-orientated basis. The international ISO 27001 standard, therefore, provides globally uniform guidelines for the development and operation of an ISMS. If these guidelines are followed verifiably and demonstrably, a company can have its own ISMS certified accordingly. What is interesting is that most ISO 27001 ISMS certificates by far are issued in China.

ISO

What are the advantages of a certified ISMS?

Companies that have a certified management system for their information security benefit in more ways than one, particularly because they can systematically detect and minimise risks to their IT, business activities, processes, and finally, the behaviour of the people within their organisations. An ISMS ensures the right behaviour; potential hazards are eliminated – for example, by introducing end-to-end encryption of data in the cloud – and response plans are developed for any security breaches that may happen.

In other words, companies with a certified ISMS have excellent risk management in regards to information security. This increases the trust of the customers and potential partners/interested parties in the performance of the company, giving it both an important competitive edge in the market. Depending on the industry, a certified ISMS also acts as proof that the company is fulfilling its compliance requirements and other legal requirements, such as those that apply to operators of critical infrastructures.

What we can be certain about is that the investment and costs of certification pay off in any case – especially when a due diligence audit is planned: Such audits are considerably easier and therefore faster when the company is already ISO 27001 certified. This shortens the process and often increases the value of the company considerably.

 

TISAX acts as the automotive industry’s own standard why?

TISAX stands for Trusted Information Security Assessment Exchange. It is a separate standard developed by the Verband der Automobilindustrie (German Association of the Automotive Industry). The TISAX guidelines are based directly on ISO 27001. They are somewhat less extensive, but they have been specially adjusted to the requirements of the automotive industry and are aimed explicitly at the service providers and suppliers used by manufacturers. Car manufacturers expect their business partners to undergo regular audits and certification as part of an information security assessment (ISA). In addition to the ISA requirements catalogue, TISAX 2017 has also created a mechanism for the reliable exchange of assessment results. The transparency thereby guarantees preventing unnecessary cross-checking. The assessment results are recognised industry-wide, enabling new supplier relationships to be established, and saving lots of time and money.

TISAX and ISO 27001 have a risk-based approach – what does that mean?

The assessment and optimisation of information security in both regulatory systems do not take place based on absolute specifications. As a result, it is not stated in writing what a company has to do to increase its information security. Only the path to the objective is defined, which is always reached by carefully considering the risks your company is exposed to, their probability of occurrence, and the damage they could potentially cause. Those who know the answers to these questions can (and must) introduce and implement proportionate risk management measures.

Let’s take HR security as an example: What risks could a corrupt employee pose? What damage could they potentially cause? Once again, the answers will differ greatly. If we are talking about somebody who works for a national intelligence agency, the disclosure of secrets could have severe diplomatic implications. The risks would be enormous, so the barriers and security measures in the recruitment process would have to be accordingly high. In order to check the suitability of an applicant’s character, a criminal record check alone would not be enough. In contrast, requiring such a certificate from somebody who wants to work in a pasta factory would be unreasonable and in no way productive.

Risk, damage potential and risk-minimising measures must therefore always be applied in a way which is individual, optimal and proportionate. In the future, this can be achieved in a very efficient and resource-effective way using the risk management model provided by DataGuard’s new ISMS platform.

What is the conclusion?

Companies with a certified management system for information security in accordance with ISO 27001 or TISAX are trusted to the highest level and enjoy a decisive competitive edge on the market. These certifications will also increase the value of your company, especially in terms of the due diligence process, and drastically shorten the time taken to perform due diligence. This will save costs enormously and increase the negotiating power of companies that are looking for new partners or investors.

Learn how DataGuard's corporate compliance solutions support ISO 27001 certification for enhanced due diligence.

 
whitepaper-download whitepaper-download

ISO 27001 and due dilligence

Why information security plays such a big role in due diligence

Download your Guide

About the author

Contact Sales

See what DataGuard can do for you.

Find out how our Privacy, InfoSec and Compliance solutions can help you boost trust, reduce risks and drive revenue.

  • 100% success in ISO 27001 audits to date 
  • 40% total cost of ownership (TCO) reduction
  • A scalable easy-to-use web-based platform
  • Actionable business advice from in-house experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • External data protection officer
  • Audit of your privacy status-quo
  • Ongoing GDPR support from a industry experts
  • Automate repetitive privacy tasks
  • Priority support during breaches and emergencies
  • Get a defensible GDPR position - fast!

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Continuous support on your journey towards the certifications on ISO 27001 and TISAX®️, as well as NIS2 Compliance.
  • Benefit from 1:1 consulting
  • Set up an easy-to-use ISMS with our Info-Sec platform
  • Automatically generate mandatory policies
Certified-Icon

100% success in ISO 27001 audits to date

 

 

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Proactive support
  • Create essential documents and policies
  • Staff compliance training
  • Advice from industry experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Comply with the EU Whistleblowing Directive
  • Centralised digital whistleblowing system
  • Fast implementation
  • Guidance from compliance experts
  • Transparent reporting

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Let's talk