The Complete Guide to ISO 27001

What is the meaning of ISO 27001?

ISO/IEC 27001 is an ISO framework that helps companies manage the risks to their business. It stands for International Standards Organization, an independent organization with representatives from various countries who agree on standards and policies.

ISO has developed ISO/IEC 27001:2013 and ISO/IEC 27001:2022 in response to the growing need for international standards, and this document is designed as a management tool against security risks, including intentional threats or accidental events.

ISO 27001 provides guidelines for security management systems to protect information assets at any time during their life cycle. An ISO 27001 Audit is also another way of assessing the effectiveness of a company’s security management system.

The ISO 27001 management framework is a set of guidelines that helps companies manage the risks to their business. It provides guidelines for security management systems to protect information assets and intellectual property at any time during their life cycle and includes elements such as risk assessment, resource availability, or data classification.

An ISO audit can also be carried out by assessing the effectiveness of a company’s security management system - but what are we talking about? For more information, read:

• 9 Steps to Prepare for Your First ISO 27001 Audit
• Searching for Gold: The International Standard on Information Security

Why is this standard so important?

The Standard is an important milestone for companies aiming to protect themselves and their data. Companies can also certify against ISO 27001, providing a valuable assurance of protection to clients and partners. 

ISO 27001 is a recognized standard worldwide; because of this, it will be easier for organizations to find more work opportunities. Individuals can get certified by attending a course and passing the exam. The certification proves their skills to potential employers. 

ISO27001 certificates can be achieved by adopting and implementing ISO 27001 standards in the company – also known as an ISO Audit, which will assess how well your security management system meets ISO requirements. An ISO audit consists of one or more internal audits (also called self-assessments) followed by a final independent assessment undertaken by an ISO27001-certified auditor. The internal audits will assess the organization’s ability to satisfy ISO requirements, while the final independent assessment determines whether ISO 27001 has been correctly implemented by conducting an audit of your ISMS against the ISO checklist document to see if the company can prove that its security management system meets ISO standards. 

How does ISO 27001 work?

ISO 27001 focuses on protecting the confidentiality, integrity, and availability of information in a company. To do this, first, you need to find out what are the potential problems in protecting the information (i.e., risk assessment), and then define what needs to be done to prevent these problems(i.e., risk mitigation or risk treatment).

Thus, the philosophy of ISO 27001 centers around managing risks. You need to identify the risks and then take steps to treat them. Treatment of risks is done by implementing security controls.

According to ISO 27001, all security controls that are to be implemented need to be documented in the Statement of Applicability (SOA).

The standard has two parts. The first part is the main part and has 11 clauses from 0 to 10. Clauses 0 to 3 are for 'Introduction', 'Normative References', and 'Terms and Definitions' respectively. They are an introduction to ISO 27001 standard. Clauses 4 to 10 give the mandatory requirements for ISO 27001  compliance.

The second part is Annex A which is all about security controls. It provides the guidelines and control objectives for 114 controls. Not all the controls in Annex A are mandatory. The decision to use the necessary controls is based on the Risk Management process.

For further information, please read this eBook:

• A Beginner’s Guide to ISO 27001

What are the benefits of an ISMS?

An ISMS framework that complies with ISO 27001 security requirements does not just ‘tick a box’.

It also gives you all of these excellent advantages:

• Adaptability: It means you can make quick manoeuvres by responding to evolving security threats and changes both within your organisation and the outside environment. Say hello to threat reduction!
• Reduced costs: You can reduce your costs spent on adding layers of technology and practices that might not work. This is thanks to the risk assessment and systematic approach of an ISMS.
• Resilience: Curating and executing an ISMS can increase your company’s resilience to cyber attacks. As we say here at 6clicks, ‘compliance is not resilience’ (although it should be!).
• Centralisation: An effective ISMS (contact us to get this done) gives you a fantastic centralised framework for securing your information…and keeping it.
• Security-first company culture: Watch your company culture shift as the ISMS blankets your entire company, not just the IT department. Empower your staff to understand and tackle security issues within their respective domains. Let them embrace risk as part of their everyday attitude!
• Forms: Not ‘that’ kind of form (please god no!). Whether your information is paper-based, sitting on the cloud or various other digital existences, an effective ISMS helps you protect it all (electronic, hard-copy, verbal etc.).
• Protection: Remember the bit above when we talked about the ‘features’ of information? Well, an effective ISMS protects the intimate details  of your information. The purity, accessibility and privacy of your information is supported by an ISMS by way of it’s policies, procedures and technical and physical access controls.

For further information, please read Business Origami: The Importance of Folding ISMS into Your GRC.

What are the requirements for ISO 27001?

Here is a brief summary of the ISO 27001 requirements as stated in Clauses 4 to 10.

Clause 4: Context of the organization – Understanding the context of the organization is important for implementing a strong ISMS strategy, as well as for implementing ISO 27001 standard. Stakeholders, issues specific to the industry or organization, involvement of clients and vendors, etc. needs to be taken into account. The regulatory obligations related to the business also need to be considered. 

Once the context of the organization is clear, the scope of ISMS needs to be defined. The scope will tell you how extensively ISO 27001 will be applied in your organization. Read more about defining the scope in the blog The Best Way to Define the Scope in ISO 27001. 

Clause 5: Leadership – This clause emphasizes the need for senior management to be actively involved in information security. Senior management is required to provide the adequate resources for a successful implementation of ISMS. They need to demonstrate commitment to the processes of ISO 27001 and ISMS implementation. Since ISMS objectives need to be aligned with ISMS objectives, it makes sense for the top management to take leadership in security initiatives so that decisions can be made from a compliance as well as a strategic point of view. 

Senior management also needs to establish and uphold policies related to information security. It is their responsibility to ensure that the policies are documented and communicated with all employees as well as external stakeholders. Assigning roles and responsibilities to comply with ISO 27001 requirements also is a responsibility that lies with the senior management. 

Clause 6: Planning – This clause is about planning the actions to address risks and opportunities. A Risk Assessment is the first step of planning. The information security goals of the organization, the overall business goals, and the insights from the risk assessment need to be aligned for Planning. This helps to create a risk treatment plan that helps to meet all goals. The risk treatment plan will also outline the use of controls as per the list in Annex A of ISO 27001. 

Clause 7: Support – ISMS needs continuous efforts for improvement. ISO 27001 requires that the resources be provided to ensure that this improvement continues. Increasing awareness, establishing proper communication channels, procurement of resources for improvement, etc. are all important aspects of providing support to the improvement of ISMS. All information related to ISMS needs to be documented, updated, and maintained.

Clause 8: Operation – This clause is related to the execution of the plans. This includes all actions that are planned to meet the objectives for information security. Considering that some business processes would be outsourced, there needs to be a proper system in place to control all processes. 

Clause 9: Performance evaluation – ISO 27001 requires organizations to evaluate the performance of ISMS. This includes the standard processes for monitoring, measuring, evaluating, and analyzing the effectiveness of the ISMS. It includes laying out a plan to monitor and measure performance. This needs to be done via internal audits and management reviews. 

Clause 10: Improvement – This clause states the requirement of a process to continuously improve the ISMS. After the performance evaluation as per the previous clause, you will have important insights into how the system can be further improved for enhanced information security. The PDCA (Plan, Do, Check, Act) cycle is not a mandatory ISO requirement. But it is recommended that this cycle is used for achieving continuous improvement. 

Annex A 
Annex A contains a list of 114 controls with their objectives in information security. These controls are for risk treatment and ISO 27001 compliance. All 114 controls might not be relevant to all businesses and only those controls that are helpful for meeting the security goals need to be implemented. 

What are the 14 domains of ISO 27001?

Annex A of the ISO 27001 standard consists of a list of security controls organizations can utilize to improve the security of their information assets. ISO 27001 comprises 114 controls divided into 14 sections, also known as domains. The sections are focused on information technology and beyond, taking into consideration the wide range of factors that can impact the security of an organization’s information environment. The 14 ISO domains cover organizational issues, human resources, IT, physical security, and legal issues. Organizations are not required to implement the entire list of ISO 27001’s controls but instead use it as a list of possibilities to consider based on their unique needs. 

Utilizing the 114 controls listed in Annex A, a company can select those applicable to its needs and the needs of its customers. The 14 domains are:

• Information security policies (A.5)
• Organization of information security and assignment of responsibility (A.6)
• Human resource security (A.7)
• Asset management (A.8)
• User access control (A.9)
• Encryption and management of sensitive information (A.10)
• Physical and environmental security (A.11)
• Operational security (A.12)
• Communications security (A.13)
• System acquisition, development, and maintenance (A.14)
• Supplier relationships (A.15)
• Information security incident management (A.16)
• Information security aspects of business continuity management (A.17)
• Compliance (A.18)

How do you implement ISO 27001 controls?

The ISO 27001 controls can be classified into 5 types of controls. 

Technical controls: These are implemented where software, hardware, and firmware components are used. Examples of controls include backups, antivirus software, malware protection programs, etc. 

Organizational controls:  These are implemented through organizational policies aimed at rules and regulations for user behavior, usage of equipment, software, systems, etc. Examples include access control policy, BYOD policy, etc.

Legal controls:  Legal controls ensure that the rules and expected behaviors are in line with the laws, regulations, contractual obligations, and any other legalities that the organizations must follow. Examples include NDAs, SLAs, etc. 

Physical controls:  Physical controls are implemented in cases where physical assets are exposed to people and objects. Examples of physical controls include CCTV cameras, alarm systems, locks, fireproofing, etc.

Human resource controls: These controls are implemented to empower employees and other users so that they can use information securely. This can be done by providing knowledge, education, skills, or experience. Examples include security awareness training, ISO 27001 internal auditor training, background checks etc.

Mandatory documents for ISO 27001 

ISO 27001 requires a set of mandatory documents in the form of policies, procedures, plans, records, etc. for compliance. 

Below is the list of mandatory documents: 

• ISMS Scope (clause 4.3)
• Information Security Policy and Objectives (clauses 5.2 and 6.2)
• Risk Assessment and Risk Treatment Methodology (clause 6.1.2)
• Statement of Applicability (SOA) (clause 6.1.3 d)
• Risk Treatment Plan (clauses 6.1.3 e and 6.2)
• Risk Assessment Report (clause 8.2)
• Definition of security roles and responsibilities (controls A.7.1.2 and A.13.2.4)
• Inventory of Assets (control A.8.1.1)
• Acceptable Use of Assets (control A.8.1.3)
• Access Control Policy (control A.9.1.1)
• Operating Procedures for IT Management (control A.12.1.1)
• Secure System Engineering Principles (control A.14.2.5)
• Supplier Security Policy (control A.15.1.1)
• Incident Management Procedure (control A.16.1.5)
• Business Continuity Procedures (control A.17.1.2)
• Statutory, Regulatory, and Contractual Requirements (control A.18.1.1)

The list of mandatory records is as below:

• Records of training and records of the users' skills, experience, and qualifications (clause 7.2)
• Records of monitoring activities and results of measurement (clause 9.1)
• Records of all internal audits conducted (clause 9.2)
• Results of internal audits also need to be recorded (clause 9.2)
• Results of management reviews (clause 9.3)
• Results of corrective actions taken (clause 10.1)
• User activity logs and records of exceptions and security events logged (controls A.12.4.1 and A.12.4.3)

Apart from this, where applicable, you can choose to create additional documents. 

The most common ISO 27000 standards

ISO 27001 is the main security standard in the ISO 27000 family and also the most commonly referred certification. However, there are over 40 other standards in the ISO 27000 family that you should know about. 

ISO 27001 defines the requirement for ISMS. However, it does not detail many aspects of how best to go about implementing the main standard. This is where the other ISO standards come in. The most commonly used standards are as given below: 

ISO/IEC 27000: It provides terms and definitions used in all of the ISO 27000 standards.

ISO/IEC 27002: It has the guidelines for implementing the controls listed in Annex A of ISO 27001. 

ISO/IEC 27004: It provides information on how information security can be measured and also provides guidelines to determine whether the ISMS objectives are met. 

ISO/IEC 27005: It provides complete details on performing risk assessment and risk treatment, both of which are integral to ISO 27001. 

ISO/IEC 27017: It provides all information on securing cloud environments. 

ISO/IEC 27018: It provides the guidelines for protecting cloud environments and ensuring data privacy in these environments.

ISO/IEC 27031: It details all the aspects you need to consider while developing a business continuity plan for ICT.