All about ISO 27001
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialised system for worldwide standardisation.
The ISO/IEC 27000 family of standards helps organisations keep information assets secure. There are more than a dozen standards in the 27000 family, such as ISO/IEC 27001, 27002, 27003, etc.
Using this family of standards helps an organisation manage the security of assets such as financial information, intellectual property, employee details or information entrusted to it by third parties. ISO/IEC 27001 is the best-known standard in the family, providing the requirements for an information security management system (ISMS).
ISO/IEC 27001 is derived from BS 7799 Part 2, first published under that name in 1999. BSI revised BS 7799 Part 2 in 2002, explicitly incorporating the Plan-Do-Check-Act (PDCA) cyclic process.
BS 7799 Part 2 was adopted as ISO/IEC 27001 in 2005, with various changes to reflect its new custodians. The standard was extensively revised in 2013, bringing it into line with the other ISO management system standards and dropping the explicit reference to PDCA.
The latest revision of the standard was published in 2013, and its title is now ISO/IEC 27001:2013.
Any organisation can implement ISO 27001, be it for-profit or non-profit, private or state-owned, small or large. It was written by leading experts in the field of information security and provides a methodology for implementing information security management in an organisation. It also enables organisations to become certified, which means that an independent certification body has confirmed that the organisation has implemented information security in compliance with ISO 27001.
ISO 27001 has become the most popular information security standard worldwide, and many companies have certified against it. The number of certificates issued in recent years:
A total of 27,536 certificates were issued worldwide in 2015, compared to 23,005 the previous year, an increase of about 20% (source: www.iso.org).
Function of ISO 27001
The emphasis of ISO 27001 is on protecting the confidentiality, integrity and availability of the information in an organisation. This is achieved by first identifying what could go wrong with that information (the risk assessment), and then defining and implementing the measures that prevent those problems from happening (risk mitigation, or risk treatment). Hence, the core philosophy of ISO 27001 is risk management.
Managing information security is not only about protecting IT assets; it is a holistic approach that also covers processes, legal protection, human resources, physical protection, etc.
Benefits of ISO 27001 for an organisation:
By implementing this information security standard, an organisation can:
Comply with legal requirements
- Meet the legislative requirements that apply to its products and services.
- Ensure that all legal requirements are communicated to employees and other stakeholders.
- Reduce the likelihood of security incidents, and every incident, large or small, costs money.
Achieve marketing advantage and improvement
- Assess the risks to the business on an ongoing basis, as the standard requires.
- Set up the operational controls needed to properly administer and measure its performance.
Better organisation and client expectations
- Improve the quality control of information security processes and procedures and reduce the level of risk.
- Use the ISMS to measure and improve internal and external customer satisfaction.
Structure of ISO 27001 Standard
ISO/IEC 27001 is split into 11 sections (clauses 0 to 10), plus Annex A. Sections 0 to 3 are introductory and contain no requirements, while sections 4 to 10 are mandatory, i.e. all of their requirements must be implemented if an organisation wants to be compliant with the standard. Controls from Annex A must be implemented if they are declared applicable in the Statement of Applicability.
Because ISO 27001 follows Annex SL of the ISO/IEC Directives, its section titles are the same as in ISO 22301:2012, the new ISO 9001:2015, and other management system standards, which makes it easier to integrate these standards.
Section 0: Introduction – explains the purpose of ISO 27001 and its compatibility with other management standards.
Section 1: Scope – describes that this standard applies to any organisation.
Section 2: Normative references – refers to ISO/IEC 27000 as the standard where terms and definitions are given.
Section 3: Terms and definitions – refers to ISO/IEC 27000.
Section 4: Context of the organisation – This is part of the Plan phase in the PDCA cycle and defines requirements for understanding external and internal issues, interested parties and their requirements, and defining the ISMS scope.
Section 5: Leadership – This is part of the Plan phase in the PDCA cycle and defines top management responsibilities, setting the roles and responsibilities, and contents of the top-level Information security policy.
Section 6: Planning – This is part of the Plan phase in the PDCA cycle and defines requirements for risk assessment, risk treatment, Statement of Applicability, Risk treatment plan, and setting the information security objectives.
Section 7: Support – This is part of the Plan phase in the PDCA cycle and defines requirements for availability of resources, competencies, awareness, communication, and control of documents and records.
Section 8: Operation – This section is part of the Do phase in the PDCA cycle and defines the implementation of risk assessment and treatment, as well as controls and other processes required to achieve information security objectives.
Section 9: Performance Evaluation – This section is part of the Check phase in the PDCA cycle and defines requirements for monitoring, measurement, analysis, evaluation, internal audit and management review.
Section 10: Improvement – This section is part of the Act phase in the PDCA cycle and defines requirements for nonconformities, corrections, corrective actions and continual improvement.
Annex A – This provides a catalogue of 114 controls (safeguards) grouped into 14 sections (A.5 to A.18).
ISO 27001 requires the following documents:
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
- Inventory of assets (clause A.8.1.1)
- Acceptable use of assets (clause A.8.1.3)
- Access control policy (clause A.9.1.1)
- Operating procedures for IT management (clause A.12.1.1)
- Secure system engineering principles (clause A.14.2.5)
- Supplier security policy (clause A.15.1.1)
- Incident management procedure (clause A.16.1.5)
- Business continuity procedures (clause A.17.1.2)
- Statutory, regulatory, and contractual requirements (clause A.18.1.1)
The following records are mandatory:
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
- Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
An organisation may produce additional security documents if it finds them necessary.
Two types of ISO 27001 certificates exist: (a) for organisations, and (b) for individuals. Organisations can get certified to prove that they comply with all the mandatory clauses of the standard; individuals can attend a course and pass an exam to obtain a personal certificate.
For an organisation to become certified, it must implement the standard as explained in the previous sections and then go through a certification audit performed by a certification body. The certification audit is performed in the following steps:
- Stage 1 audit (documentation review) – the auditors review the ISMS documentation.
- Stage 2 audit (main audit) – the auditors perform an on-site audit to check whether the organisation's activities comply with ISO 27001 and with its own ISMS documentation.
- Surveillance visits – after the certificate is issued, during its 3-year validity, the auditors periodically check whether the organisation maintains its ISMS.
Individuals can go for several courses to obtain certificates – the most popular are:
- ISO 27001 Lead Auditor Course – this 5-day course will teach you how to perform certification audits, and it is intended for auditors and consultants.
- ISO 27001 Lead Implementer Course – this 5-day course will teach you how to implement the standard and is intended for information security practitioners and consultants.
- ISO 27001 Internal Auditor Course – this 2- or 3-day course will teach you the basics of the standard and how to perform an internal audit – it is intended for beginners in this topic and internal auditors.
ISO 27001:2005 & ISO 27001:2013 Versions
As mentioned above, ISO 27001 was first published in 2005 and revised in 2013; the currently valid version is therefore ISO/IEC 27001:2013.
The most important changes in the 2013 revision concern the structure of the main part of the standard, interested parties, objectives, and monitoring and measurement. Annex A was also restructured: the number of controls was reduced from 133 to 114, and the number of sections increased from 11 to 14. Some requirements were removed in the 2013 revision, such as preventive actions and the requirement to document certain procedures.
However, these changes did not alter the standard much as a whole: its philosophy is still based on risk assessment and treatment, and the same Plan-Do-Check-Act phases remain. The new revision is easier to read and understand, and much easier to integrate with other management standards such as ISO 9001 and ISO 22301.
Anitech consulting provides consulting services, and our information security management system consultants can assist organisations to implement and audit an ISMS in compliance with the specific requirements of ISO/IEC 27001. Contact us for a quote.