What is the meaning of ISO 27001?
First, it is important to note that the full name of ISO 27001 is “ISO/IEC 27001 – Information technology — Security techniques — Information security management systems — Requirements.”
It is the leading international standard focused on information security, published by the International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC). Both are leading international organizations that develop international standards.
ISO 27001 is part of a set of standards developed to handle information security: the ISO/IEC 27000 series.
Why is ISO 27001 important?
Not only does the standard provide companies with the necessary know-how for protecting their most valuable information, but a company can also get certified against ISO 27001 and, in this way, prove to its customers and partners that it safeguards their data.
Individuals can also get ISO 27001-certified by attending a course and passing the exam and, in this way, prove their skills to potential employers.
Because it is an international standard, ISO 27001 is easily recognized all around the world, increasing business opportunities for organizations and professionals.
What are the 3 ISMS security objectives?
The basic goal of ISO 27001 is to protect three aspects of information:
- Confidentiality: information is not made available or disclosed to unauthorized persons, entities, or processes; only authorized persons have access to it.
- Integrity: information is accurate and complete, and can be changed only by authorized persons through authorized means.
- Availability: information is accessible and usable by authorized persons whenever it is needed.
What is an ISMS?
An Information Security Management System (ISMS) is a set of rules that a company needs to establish in order to:
- identify stakeholders and their expectations of the company in terms of information security
- identify which risks exist for the information
- define controls (safeguards) and other mitigation methods to meet the identified expectations and handle risks
- set clear objectives on what needs to be achieved with information security
- implement all the controls and other risk treatment methods
- continually measure whether the implemented controls perform as expected
- continually improve the ISMS so that it works better over time
This set of rules can be written down in the form of policies, procedures, and other types of documents, or it can be in the form of established processes and technologies that are not documented. ISO 27001 defines which documents are required, i.e., which must exist at a minimum.
Why do we need ISMS?
There are four essential business benefits that a company can achieve with the implementation of this information security standard:
Comply with legal requirements – there is an ever-increasing number of laws, regulations, and contractual requirements related to information security, and many of them can be addressed by implementing ISO 27001 – the standard gives you a systematic methodology for identifying these obligations (control A.18.1.1) and for implementing the controls that satisfy them.
Achieve competitive advantage – if your company gets certified and your competitors do not, you may have an advantage over them in the eyes of those customers who are sensitive about keeping their information safe.
Lower costs – the main philosophy of ISO 27001 is to prevent security incidents from happening – and every incident, large or small, costs money. Therefore, by preventing them, your company will save money. Because risk treatment is proportionate to the assessed risks, the investment in ISO 27001 is typically smaller than the losses it averts.
Better organization – typically, fast-growing companies don’t have the time to stop and define their processes and procedures – as a consequence, very often the employees do not know what needs to be done, when, and by whom. Implementation of ISO 27001 helps resolve such situations, because it encourages companies to write down their main processes (even those that are not security-related), enabling them to reduce lost time by their employees.
How does ISO 27001 work?
The focus of ISO 27001 is to protect the confidentiality, integrity, and availability of the information in a company. This is done by finding out what potential problems could happen to the information (i.e., risk assessment), and then defining what needs to be done to prevent such problems from happening (i.e., risk mitigation or risk treatment).
Therefore, the main philosophy of ISO 27001 is based on a process for managing risks: find out where the risks are, and then systematically treat them, through the implementation of security controls (or safeguards).
ISO 27001 requires a company to list all controls that are to be implemented in a document called the Statement of Applicability (clause 6.1.3 d). For each Annex A control, the Statement of Applicability records whether it is applicable, the justification for including or excluding it, and whether it has been implemented; auditors read the exclusions closely, so each one needs a risk-based justification.
Two parts of the standard
The standard is separated into two parts. The first, main part consists of 11 clauses (0 to 10). The second part, Annex A, lists 14 sections containing 35 control objectives and 114 controls. Clauses 0 to 3 (Introduction, Scope, Normative references, Terms and definitions) introduce the standard. Clauses 4 to 10 contain the requirements that are mandatory if the company wants to conform to the standard; they are examined in more detail further in this article.
Annex A is normative: it supports the clauses and their requirements with a reference list of controls. Not every control must be implemented, but each must be considered during risk treatment (clause 6.1.3 c), and any control that is excluded must be justified in the Statement of Applicability. For more, read the article The basic logic of ISO 27001: How does information security work?
What are the requirements for ISO 27001?
The requirements from sections 4 through 10 can be summarized as follows:
Clause 4: Context of the organization – One prerequisite of implementing an Information Security Management System successfully is understanding the context of the organization. External and internal issues, as well as interested parties, need to be identified and considered. Requirements may include regulatory issues, but they may also go far beyond.
With this in mind, the organization needs to define the scope of the ISMS. How extensively will ISO 27001 be applied to the company? Read more about the context of the organization in the articles How to define context of the organization according to ISO 27001, How to identify interested parties according to ISO 27001 and ISO 22301, and How to define the ISMS scope.
Clause 5: Leadership – The requirements of ISO 27001 for an adequate leadership are manifold. The commitment of the top management is mandatory for a management system. Objectives need to be established according to the strategic objectives of an organization. Providing resources needed for the ISMS, as well as supporting persons to contribute to the ISMS, are other examples of the obligations to meet.
Furthermore, top management needs to establish an information security policy. This policy should be documented, as well as communicated within the organization and to interested parties. Roles and responsibilities need to be assigned, too, in order to meet the requirements of the ISO 27001 standard and to report on the performance of the ISMS.
Learn more about top management in ISO 27001 in these articles: Top management perspective of information security implementation, Roles and responsibilities of top management in ISO 27001 and ISO 22301 , and What should you write in your Information Security Policy according to ISO 27001?
Clause 6: Planning – Planning in an ISMS environment should always take into account risks and opportunities. An information security risk assessment provides a sound foundation to rely on. Accordingly, information security objectives should be based on the risk assessment. These objectives need to be aligned to the company's overall objectives. Moreover, the objectives need to be promoted within the company. They provide the security goals to work towards for everyone within and aligned with the company. From the risk assessment and the security objectives, a risk treatment plan is derived. The controls in the plan are chosen to treat the identified risks and are then compared against the Annex A list (clause 6.1.3 c) to verify that no necessary control has been overlooked.
For better understanding of risks and opportunities, read the article ISO 27001 risk assessment & treatment – 6 basic steps. Learn more about control objectives in the article ISO 27001 control objectives – Why are they important?. For more details about a company’s direction, read the article Aligning information security with the strategic direction of a company according to ISO 27001.
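The chain described above and in the section How does ISO 27001 work? (risk assessment, risk acceptance criteria, risk treatment, Statement of Applicability) is easiest to see on a small risk register. The following Python script is an added illustration, not code from the original article or from any ISO publication: the 1-to-5 likelihood and consequence scales, the acceptance threshold, the assets, threats and vulnerabilities, and the mapping of risks to controls are all constructed assumptions for the example; only the Annex A control identifiers and titles are taken from ISO/IEC 27001:2013.

```python
"""Worked example of the ISO 27001 risk assessment -> risk treatment ->
Statement of Applicability chain (clauses 6.1.2, 6.1.3 and 8.2).

Added illustration for the article, not code from ISO or the original page.
Scales, threshold, register entries and control mapping are constructed
assumptions; control identifiers/titles are from ISO/IEC 27001:2013 Annex A.
"""
from dataclasses import dataclass

# Constructed 1..5 scales. Clause 6.1.2 requires defined criteria; these values
# are an example of such criteria, not values the standard prescribes.
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
RISK_ACCEPTANCE_THRESHOLD = 6  # constructed: score (likelihood x consequence) > 6 must be treated

# Subset of Annex A (ISO/IEC 27001:2013) used in this example.
ANNEX_A = {
    "A.9.1.1": "Access control policy",
    "A.9.4.2": "Secure log-on procedures",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.12.3.1": "Information backup",
    "A.12.4.1": "Event logging",
    "A.15.1.1": "Information security policy for supplier relationships",
}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    consequence: int
    controls: list  # Annex A identifiers selected as treatment; empty if the risk is accepted

    @property
    def score(self) -> int:
        return self.likelihood * self.consequence

    def needs_treatment(self, threshold: int = RISK_ACCEPTANCE_THRESHOLD) -> bool:
        return self.score > threshold


def validate(risk: Risk) -> None:
    """Reject register entries that would not survive an audit."""
    if risk.likelihood not in LIKELIHOOD_SCALE or risk.consequence not in CONSEQUENCE_SCALE:
        raise ValueError(f"{risk.asset}: scores must lie within the defined scales")
    if risk.needs_treatment() and not risk.controls:
        # Clause 6.1.3 a/b: an unacceptable risk needs a treatment option and controls.
        raise ValueError(f"{risk.asset}/{risk.threat}: unacceptable risk without a treatment")
    unknown = [c for c in risk.controls if c not in ANNEX_A]
    if unknown:
        raise ValueError(f"{risk.asset}: unknown control(s) {unknown}")


def treatment_plan(risks):
    """Risk treatment plan (clause 6.1.3 e): unacceptable risks, highest score first."""
    return sorted(
        ((r.asset, r.threat, r.score, r.controls) for r in risks if r.needs_treatment()),
        key=lambda t: -t[2],
    )


def build_soa(risks, catalogue=ANNEX_A):
    """Statement of Applicability (clause 6.1.3 d): every catalogue control gets a
    decision and a justification, for exclusions as well as inclusions."""
    soa = {}
    for cid in catalogue:
        treated = [r for r in risks if cid in r.controls and r.needs_treatment()]
        if treated:
            why = "treats: " + "; ".join(f"{r.asset}/{r.threat} (score {r.score})" for r in treated)
            soa[cid] = (True, why)
        else:
            soa[cid] = (False, "no unacceptable risk in scope requires this control")
    return soa


# Constructed register for the example.
REGISTER = [
    Risk("customer database", "credential theft", "password-only admin logins", 4, 5, ["A.9.4.2", "A.9.1.1"]),
    Risk("customer database", "ransomware", "no tested offline backup", 3, 5, ["A.12.3.1"]),
    Risk("laptops", "theft", "unencrypted disks", 3, 4, ["A.10.1.1"]),
    Risk("internal wiki", "defacement", "weak change logging", 2, 2, []),  # score 4: accepted
]

if __name__ == "__main__":
    for r in REGISTER:
        validate(r)
    for asset, threat, score, controls in treatment_plan(REGISTER):
        print(f"TREAT      {asset:18} {threat:18} score={score:<3} via {', '.join(controls)}")
    for cid, (applicable, why) in build_soa(REGISTER).items():
        print(f"{'APPLICABLE' if applicable else 'EXCLUDED  '} {cid:9} {ANNEX_A[cid]} -- {why}")
```

Running the script lists three risks to treat and produces a Statement of Applicability in which A.12.4.1 and A.15.1.1 are marked excluded with a justification; in a real ISMS those exclusions would be exactly the lines an auditor questions, which is why the function never leaves a control without a stated reason.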
Clause 7: Support – Resources, competence of employees, awareness, and communication are key issues of supporting the cause. Another requirement is documenting information according to ISO 27001. Information needs to be documented, created, and updated, as well as being controlled. A suitable set of documentation needs to be maintained in order to support the success of the ISMS.
For more about training, awareness, and communication read the articles How to perform training & awareness for ISO 27001 and ISO 22301 and How to create a Communication Plan according to ISO 27001. Learn more about document management in the article Document management in ISO 27001 & BS 25999-2.
Clause 8: Operation – Processes are mandatory to implement information security. These processes need to be planned, implemented, and controlled. Risk assessment and treatment – which need to be on top management's mind, as we learned earlier – have to be put into action: the risk assessment is performed at planned intervals and whenever significant changes occur (clause 8.2), and the risk treatment plan is implemented (clause 8.3).
Learn more about risk assessment and treatment in the articles ISO 27001 risk assessment: How to match assets, threats and vulnerabilities and How to assess consequences and likelihood in ISO 27001 risk analysis, and in this free Diagram of the ISO 27001:2013 Risk Assessment and Treatment Process.
Clause 9: Performance evaluation – The ISO 27001 standard requires monitoring, measurement, analysis, and evaluation of the Information Security Management System. Not only should those operating the ISMS check their own work – internal audits also need to be conducted at planned intervals. At set intervals, top management needs to review the organization's ISMS.
Learn more about performance, monitoring, and measurement in the articles Key performance indicators for an ISO 27001 ISMS and How to perform monitoring and measurement in ISO 27001.
Clause 10: Improvement – Improvement follows up on the evaluation. Nonconformities need to be addressed by taking action and eliminating their causes where applicable. Moreover, a continual improvement process should be implemented, even though the PDCA (Plan-Do-Check-Act) cycle is no longer mandatory (read more about this in the article Has the PDCA Cycle been removed from the new ISO standards?). Still, the PDCA cycle is often recommended, as it offers a solid structure and fulfills the requirements of ISO 27001.
For more about improvement in ISO 27001, read the article Achieving continual improvement through the use of maturity models.
Annex A (normative) Reference control objectives and controls
Annex A is a helpful list of reference control objectives and controls. Starting with A.5 Information security policies through A.18 Compliance, the list offers controls by which the ISO 27001 requirements can be met, and the structure of an ISMS can be derived. Controls identified through the risk assessment described above need to be considered and implemented.
For more about Annex A, read the articles Overview of ISO 27001:2013 Annex A and How to structure the documents for ISO 27001 Annex A.
What are the 14 domains of ISO 27001?
There are 14 “domains” listed in Annex A of ISO 27001, organized in sections A.5 to A.18. The sections cover the following:
A.5. Information security policies: The controls in this section describe how to handle information security policies.
A.6. Organization of information security: The controls in this section provide the basic framework for the implementation and operation of information security by defining its internal organization (e.g., roles, responsibilities, etc.), and through the organizational aspects of information security, like project management, use of mobile devices, and teleworking.
A.7. Human resource security: The controls in this section ensure that people who are under the organization’s control are hired, trained, and managed in a secure way; also, the principles of disciplinary action and terminating the agreements are addressed.
A.8. Asset management: The controls in this section ensure that information security assets (e.g., information, processing devices, storage devices, etc.) are identified, that responsibilities for their security are designated, and that people know how to handle them according to predefined classification levels.
A.9. Access control: The controls in this section limit access to information and information assets according to real business needs. The controls are for both physical and logical access.
A.10. Cryptography: The controls in this section provide the basis for proper use of encryption solutions to protect the confidentiality, authenticity, and/or integrity of information.
A.11. Physical and environmental security: The controls in this section prevent unauthorized access to physical areas, and protect equipment and facilities from being compromised by human or natural intervention.
A.12. Operations security: The controls in this section ensure that the IT systems, including operating systems and software, are secure and protected against data loss. Additionally, controls in this section require the means to record events and generate evidence, periodic verification of vulnerabilities, and make precautions to prevent audit activities from affecting operations.
A.13. Communications security: The controls in this section protect the network infrastructure and services, as well as the information that travels through them.
A.14. System acquisition, development and maintenance: The controls in this section ensure that information security is taken into account when purchasing new information systems or upgrading the existing ones.
A.15. Supplier relationships: The controls in this section ensure that outsourced activities performed by suppliers and partners also use appropriate information security controls, and they describe how to monitor third-party security performance.
A.16. Information security incident management: The controls in this section provide a framework to ensure the proper communication and handling of security events and incidents, so that they can be resolved in a timely manner; they also define how to preserve evidence, as well as how to learn from incidents to prevent their recurrence.
A.17. Information security aspects of business continuity management: The controls in this section ensure the continuity of information security management during disruptions, and the availability of information systems.
A.18. Compliance: The controls in this section provide a framework to prevent legal, statutory, regulatory, and contractual breaches, and audit whether information security is implemented and is effective according to the defined policies, procedures, and requirements of the ISO 27001 standard.
A closer look at these domains shows us that managing information security is not only about IT security (i.e., firewalls, anti-virus, etc.), but also about managing processes, legal protection, managing human resources, physical protection, etc.
What are the ISO 27001 controls?
The ISO 27001 controls (also known as safeguards) are the practices to be implemented to reduce risks to acceptable levels. Controls can be technical, organizational, legal, physical, human, etc.
How many controls are there in ISO 27001?
ISO 27001 Annex A lists 114 controls organized in the 14 sections numbered A.5 through A.18 listed above.
How do you implement ISO 27001 controls?
Technical controls are primarily implemented in information systems, using software, hardware, and firmware components added to the system. E.g. backup, antivirus software, etc.
Organizational controls are implemented by defining rules to be followed, and expected behavior from users, equipment, software, and systems. E.g. Access Control Policy, BYOD Policy, etc.
Legal controls are implemented by ensuring that rules and expected behaviors follow and enforce the laws, regulations, contracts, and other similar legal instruments that the organization must comply with. E.g. NDA (non-disclosure agreement), SLA (service level agreement), etc.
Physical controls are primarily implemented by using equipment or devices that have a physical interaction with people and objects. E.g. CCTV cameras, alarm systems, locks, etc.
Human resource controls are implemented by providing knowledge, education, skills, or experience to persons to enable them to perform their activities in a secure way. E.g. security awareness training, ISO 27001 internal auditor training, etc.
ISO 27001 mandatory documents
ISO 27001 specifies a minimum set of policies, procedures, plans, records, and other documented information that are needed to become compliant.
ISO 27001 requires the following documents to be written:
- Scope of the ISMS (clause 4.3)
- Information Security Policy and Objectives (clauses 5.2 and 6.2)
- Risk Assessment and Risk Treatment Methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk Treatment Plan (clauses 6.1.3 e and 6.2)
- Risk Assessment Report (clause 8.2)
- Definition of security roles and responsibilities (controls A.7.1.2 and A.13.2.4)
- Inventory of Assets (control A.8.1.1)
- Acceptable Use of Assets (control A.8.1.3)
- Access Control Policy (control A.9.1.1)
- Operating Procedures for IT Management (control A.12.1.1)
- Secure System Engineering Principles (control A.14.2.5)
- Supplier Security Policy (control A.15.1.1)
- Incident Management Procedure (control A.16.1.5)
- Business Continuity Procedures (control A.17.1.2)
- Statutory, Regulatory, and Contractual Requirements (control A.18.1.1)
And these are the mandatory records:
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal Audit Program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
- Logs of user activities, exceptions, and security events (controls A.12.4.1 and A.12.4.3)
Of course, a company may decide to write additional security documents if it finds it necessary.
To see a more detailed explanation of each of these documents, download the free white paper Checklist of Mandatory Documentation Required by ISO 27001 (2013 Revision).
What is “ISO 27001 certified”?
A company can go for ISO 27001 certification by inviting an accredited certification body to perform the certification audit and, if the audit is successful, to issue the ISO 27001 certificate to the company. This certificate attests that the company's ISMS conforms to the requirements of ISO 27001 within the scope stated on the certificate. When relying on a supplier's certificate, check that scope statement, the accreditation of the issuing body, and the expiry date: a certificate says nothing about systems, sites, or services outside the stated scope.
An individual can go for ISO 27001 certification by going through ISO 27001 training and passing the exam. This certificate will mean that this person has acquired the appropriate skills during the course.
To learn more about ISO 27001 certification, read this article: How to get ISO 27001 certified.
What are the ISO 27000 standards?
Because it defines the requirements for an ISMS, ISO 27001 is the main standard in the ISO 27000 family of standards. But, because it mainly defines what is needed, but does not specify how to do it, several other information security standards have been developed to provide additional guidance. Currently, there are more than 40 standards in the ISO27k series, and the most commonly used ones are as follows:
ISO/IEC 27000 provides terms and definitions used in the ISO 27k series of standards.
ISO/IEC 27002 provides guidelines for the implementation of controls listed in ISO 27001 Annex A. It can be quite useful, because it provides details on how to implement these controls.
ISO/IEC 27004 provides guidelines for the measurement of information security – it fits well with ISO 27001, because it explains how to determine whether the ISMS has achieved its objectives.
ISO/IEC 27005 provides guidelines for information security risk management. It is a very good supplement to ISO 27001, because it gives details on how to perform risk assessment and risk treatment, probably the most difficult stage in the implementation.
ISO/IEC 27017 provides guidelines for information security in cloud environments.
ISO/IEC 27018 provides guidelines for the protection of privacy in cloud environments.
ISO/IEC 27031 provides guidelines on what to consider when developing business continuity for Information and Communication Technologies (ICT). This standard is a great link between information security and business continuity practices.
What is the current version of ISO 27001?
As of the publication date of this article, the current version of ISO 27001 was ISO/IEC 27001:2013, and all clause and control numbers in this article refer to that edition.
The first version of ISO 27001 was released in 2005 (ISO/IEC 27001:2005), the second version in 2013, and the 2013 version was reviewed and confirmed without changes in 2019. It has since been superseded by ISO/IEC 27001:2022, published in October 2022, which keeps the clause 4 to 10 structure but restructures Annex A into 93 controls grouped in four themes (organizational, people, physical, and technological), with a three-year transition period for certified organizations.
It is important to note that different countries that are members of ISO can translate the standard into their own languages, making minor additions (e.g., national forewords) that do not affect the content of the international version of the standard. These “versions” have additional letters to differentiate them from the international standard, e.g., NBR ISO/IEC 27001 designates the “Brazilian version,” while BS ISO/IEC 27001 designates the “British version.” These local versions of the standard also contain the year when they were adopted by the local standardization body, so the latest British version is BS EN ISO/IEC 27001:2017, meaning that ISO/IEC 27001:2013 was adopted by the British Standards Institution in 2017.
What is the difference between ISO 27001 and 27002?
ISO 27001 defines the requirements for an Information Security Management System (ISMS), while ISO 27002 provides guidance on the implementation of controls from ISO 27001 Annex A.
In other words, for each control, ISO 27001 provides only a brief description, while ISO 27002 provides detailed guidance.
What is the difference between NIST and ISO 27001?
While ISO 27001 is an international standard, NIST (the National Institute of Standards and Technology) is a U.S. government agency that develops and maintains measurement standards in the United States – among them the SP 800 series, a set of publications that specifies security practices for information systems (for example SP 800-53, a catalog of security and privacy controls), and the NIST Cybersecurity Framework. NIST publications are freely available and are not certifiable in the way ISO 27001 is.
Although they are not the same, the NIST SP 800 series and ISO 27001 can be used together for implementation of information security.
Is ISO 27001 mandatory?
In most countries, implementation of ISO 27001 is not mandatory. However, some countries have published regulations that require certain industries to implement ISO 27001.
To determine whether ISO 27001 is mandatory or not for your company, you should look for expert legal advice in the country where you operate.
Is ISO 27001 a legal requirement?
Public and private organizations can define compliance with ISO 27001 as a legal requirement in their contracts and service agreements with their providers. Further, as mentioned above, countries can define laws or regulations turning the adoption of ISO 27001 into a legal requirement to be fulfilled by the organizations operating in their territory.
To learn more about the EU GDPR and why it is applicable to the whole world, see this article.