ISO/IEC 27001 is a set of requirements that address security controls for information technology and data security in the enterprise. It’s part of a framework of standards — the ISO/IEC 27000 series — published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The ISO 27001 standard functions is a framework for an organization’s information security management system (ISMS), which includes all the processes and policies that govern how the organization uses and controls data. ISO 27001 helps ensure organizations are meeting their compliance requirements, however, it doesn’t mandate specific tools or practices.
In the following sections, we’ll look at how the ISO 27001 certification works and how it can help your organization.
How does ISO 27001 work?
The aim of ISO 27001 is to assess and mitigate an organization’s risks around data by identifying gaps and organizing and strengthening security controls to better protect the integrity, privacy, and availability of a company’s data. It’s a top-down approach that requires an organization to be proactive rather than reactive in its security efforts. Organizations can purchase a guide to implementing ISO 27001 directly from ISO and conduct their own audit or employ a third-party auditor.
The ISO 27001 standard is divided into two parts. The first comprises 11 clauses, numbered 0 to 10. The first four clauses — Introduction, Scope, Normative References, Terms, and Definitions — introduce the ISO 27001 standard. Clauses 4 to 10 outline the ISO 27001 requirements an organization must meet if it wants to be compliant with the standard.
The second part, titled Annex A, includes a set of non-mandatory controls that support the clauses and requirements in the first section as part of the risk management process. Currently, there are 114 controls in 14 groups and 35 control categories:
- A.5: Information security policies (2 controls)
- A.6: Organization of information security (7 controls)
- A.7: Human resource security applied before, during, or after employment (6 controls)
- A.8: Asset management (10 controls)
- A.9: Access control (14 controls)
- A.10: Cryptography (2 controls)
- A.11: Physical and environmental security (15 controls)
- A.12: Operations security (14 controls)
- A.13: Communications security (7 controls)
- A.14: System acquisition, development, and maintenance (13 controls)
- A.15: Supplier relationships (5 controls)
- A.16: Information security incident management (7 controls)
- A.17: Information security aspects of business continuity management (4 controls)
- A.18: Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls)
What are the requirements for ISO 27001?
The core requirements to achieve compliance are outlined in seven clauses and the sub-clauses. Here is a summary of what’s covered:
- Clause 4: Context of the organization — To successfully implement an ISMS, it’s necessary to understand the organization’s context. The company must identify and consider all the internal and external issues relevant to the organization’s security objectives. These include internal capabilities, regulatory issues, economic factors, to name a few.
- Clause 5: Leadership — An effective ISMS requires a commitment from top management. Leaders have many obligations in this regard, including establishing strategic objectives for the organization, providing the necessary resources for the ISMS, and supporting other management roles to ensure that all required roles are available for effective implementation of the ISMS.
- Clause 6: Planning — The organization must plan actions to address the risks and opportunities identified under Clause 4. Essentially, this means documenting a risk identification, assessment, and treatment process that considers controls outlined in Annex A.
- Clause 7: Support — The organization must demonstrate that it is providing adequate resources for establishing, implementing, maintaining, and continually improving the ISMS. This includes showing clearly defined and owned roles, responsibilities, and authorities.
- Clause 8: Operation — The organization must demonstrate its internal and outsourced ISMS processes are being planned, implemented, and controlled. It must also implement the information security risk treatment plan identified in Clause 6 and keep documented information on the results of that risk treatment.
- Clause 9: Performance evaluation — The ISO 27001 standard requires the organization’s ISMS to be monitored, measured, analyzed, and evaluated. This includes departmental self-checks as well as internal audits. Additionally, top management must review the ISMS at regular intervals.
- Clause 10: Improvement — The organization must show that it is taking corrective action to address nonconformities and eliminating their causes when applicable. It must also show evidence that it is continually working on improving the ISMS by implementing a process that meets the evaluation criteria in Clause 9.
How do you implement ISO 27001 controls?
The ISO 27001 standard doesn’t prescribe what specific controls your organization should use or how to implement them. The controls are meant to be flexible enough for organizations to implement in accordance with their particular ISMS context and risk rather than a one-size-fits-all solution. However, there are some general guidelines
- Technical controls — These controls are typically implemented in information systems by adding backup, antivirus, and other software, hardware, and firmware components.
- Organizational controls — These are implemented by defining rules and behavioral policies for users, equipment, software, and systems. Examples include BYOD and Access Control policies.
- Legal controls — These controls are implemented by ensuring rules and behavioral policies behaviors like those just mentioned comply with and enforce any laws, regulations, contracts, and other legal instruments to which the organization is subject. Non-disclosure agreements and service level agreements are examples of legal controls.
- Physical controls — These controls are implemented using devices that physically interact with people and objects, such as alarm systems, locks, and security cameras.
- Human resource controls — These controls are implemented by ensuring people have the necessary knowledge, training, or experience to do their job activities securely. Security awareness training and ISO 27001 internal auditor training are examples.
How do I become ISO 27001 compliant?
ISO 27001 specifies a minimum set of documents and records that are needed to become compliant.
Required documents include:
- Scope of the ISMS (clause 4.3)
- Information Security Policy and Objectives (clauses 5.2 and 6.2)
- Risk Assessment and Risk Treatment Methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk Treatment Plan (clauses 6.1.3 e and 6.2)
- Risk Assessment Report (clause 8.2)
- Definition of security roles and responsibilities (controls A.7.1.2 and A.13.2.4)
- Inventory of Assets (control A.8.1.1)
- Acceptable Use of Assets (control A.8.1.3)
- Access Control Policy (control A.9.1.1)
- Operating Procedures for IT Management (control A.12.1.1)
- Secure System Engineering Principles (control A.14.2.5)
- Supplier Security Policy (control A.15.1.1)
- Incident Management Procedure (control A.16.1.5)
- Business Continuity Procedures (control A.17.1.2)
- Statutory, Regulatory, and Contractual Requirements (control A.18.1.1)
Mandatory records include:
- Records of training, skills, experience, and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal Audit Program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
- Logs of user activities, exceptions, and security events (controls A.12.4.1 and A.12.4.3)
While these are the minimum required security documents, an organization can write additional documentation if they determine it’s necessary for their particular situation.
How do I get ISO 27001 certified?
Both organizations and individuals can become ISO 27001 certified. For a company to receive certification, it must have an accredited certification body perform a two-stage audit. If the organization is found to be fully compliant with the ISO 27001 standard, it will be awarded a certificate. Certification can take between three and 12 months depending on the size of your organization and the scope of your ISMS. Recertification is required after three years.
An individual receives ISO 27001 certification by completing ISO 27001 training and passing the exam. Individual certification shows the person has acquired the appropriate skills during the course.
What are the benefits of ISO 27001 certification?
ISO 27001 certification is globally recognized and offers many benefits, including:
- Greater trust of business partners and customers — An ISO 27001 certification demonstrates to your business partners and customers that you are committed to meeting the highest standards of information security. This fosters trust and greater retention. It also shows new customers and clients that you have a solid information security management process in place and can be trusted with their data and their business.
- Better information strategies and practices — Effective cyber security is the foundation of the ISO 27001 standard. It requires that information security experts audit your organization’s security practices and provide you with actionable information to help you improve or replace them where necessary to better prevent data breaches. Completing the certification process nets information security improvements that will protect your company well into the future.
- Implements best practices — The certification process requires you to demonstrate compliance with a range of information security best practices such as ensuring IT systems are up to date, maintaining data back-ups, and logging events, as well as instituting policies for employees to perform their activities more securely. This ultimately makes the organization more secure and resilient from cyberattacks.
- Promotes compliance with internal and external requirements — ISO 27001 specifically addresses compliance with internal policies, contractual requirements, and laws in Annex A.18. By ensuring the organization is meeting its various compliance obligations, certification helps it avoid costly violations.
- A more complete understanding of your security posture — Implementing ISO 27001 will require your organization to dive deep into its information storage, test its security processes and policies, review its compliance obligations, and more to identify security gaps and potential risks. This process will clarify your company’s current security posture and uncover opportunities for improvement, as well as drive the creation of action items to help the organization achieve ISO compliance.
- Future proofs your business — In todays’ aggressive threat landscape, information security is an essential driver of business success. ISO 27001 certification positions your organization to survive and thrive amidst constantly evolving security threats. The compliance process puts in place the practices, policies, and strategies to effectively prevent or minimize the losses from cyberattacks, and results in a resilient ISMS that will be able to serve customers for years to come.
What are the ISO 27000 standards?
ISO 27001 is the primary standard in the ISO 27000 series because it defines the requirements for a modern ISMS. But because it doesn’t prescribe how to meet those requirement, ISO has created other information security standards to provide more guidance. There are currently more than 40 standards in the ISO2700 series. The more most commonly used standards are:
- ISO/IEC 27000 — details terms and definitions used in the ISO 2700 family of standards
- ISO/IEC 27002 — provides guidelines for the implementation of controls listed in ISO 27001 Annex A
- ISO/IEC 27004 — provides measurement guidelines for information security
- ISO/IEC 27005 — provides information security risk management guidelines
- ISO/IEC 27017 — provides guidelines for information security in cloud environments
- ISO/IEC 27018 — provides guidelines for privacy protection in cloud environments
- ISO/IEC 27031 — provides guidelines developing business continuity for Information and Communication Technologies
What is the difference between ISO 27001 and 27002?
ISO 27001 defines the requirements for an Information Security Management System (ISMS) but doesn’t tell you what controls to implement from ISO 27001 Annex A. ISO 27002 fills in the gaps by providing detailed guidance on how to implement these controls to meet ISO 27001 requirements.
Differentiate your business with ISO 27001 certification
Vetting your current cybersecurity practices and strategies through the ISO 27001 compliance process is one of the best actions you can take to improve your security posture. But many organizations don’t have the resources or expertise to complete the standard’s rigorous requirements. Alert Logic delivers an ISO 27001 solution with our MDR service that provides asset discovery, vulnerability assessment, threat detection, and web application security. Our MDR solution can help you meet the ISO 27001 requirements so that you can reduce your risk, respond more quickly and effectively to attacks, and show your partners and customers that you’re committed to the highest information security standards.
