The Complete Guide to ISO 27001
ISO 27001 is the leading international standard focused on information security that was developed to help organizations, of any size or any industry, to protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System.
What is the meaning of ISO 27001?
ISO/IEC 27001 is an ISO framework that helps companies manage the risks to their business. ISO stands for International Standards Organization, an independent organization with representatives from various countries who agree on standards and policies.
ISO has developed ISO/IEC 27001:2013 and ISO/IEC 27001:2022 in response to the growing need for international standards, and this document is designed as a management tool against security risks, including intentional threats or accidental events.
ISO 27001 provides guidelines for security management systems to protect information assets at any point in their life cycle. An ISO 27001 audit is another way of assessing the effectiveness of a company’s security management system.
The ISO 27001 management framework is a set of guidelines that helps companies manage the risks to their business. It provides guidelines for security management systems to protect information assets and intellectual property at any time during their life cycle and includes elements such as risk assessment, resource availability, or data classification.
An ISO audit assesses the effectiveness of a company’s security management system. For more information on what such an audit involves, read:
- 9 Steps to Prepare for Your First ISO 27001 Audit
- Searching for Gold: The International Standard on Information Security
What is the purpose of ISO 27001?
The ISO framework is a combination of policies and processes for organizations to use. This framework helps organizations of any size or industry to protect their information through the adoption of an Information Security Management System (ISMS). ISO 27001 is an ISO standard for ISMS that provides guidelines to an organization on how best to protect their information assets from intentional threats or accidental events, which can be broken down into three stages:
- The design stage - creating the policies and procedures to help you meet your objectives.
- Implementation & operation - ensuring that the ISO 27001 security policies are carried out daily.
- Assurance - taking ISO 27001 objectives and implementing them to ensure they work as expected. ISO 27001 ensures that your data is safe during any stage of its life cycle, from design through destruction.
Why is this standard so important?
The Standard is an important milestone for companies aiming to protect themselves and their data. Companies can also certify against ISO 27001, providing a valuable assurance of protection to clients and partners.
ISO 27001 is a recognized standard worldwide; because of this, it will be easier for organizations to find more work opportunities. Individuals can get certified by attending a course and passing the exam. The certification proves their skills to potential employers.
ISO 27001 certification is achieved by adopting and implementing the ISO 27001 standard in the company and then passing an ISO audit, which assesses how well your security management system meets ISO requirements. An ISO audit consists of one or more internal audits (also called self-assessments) followed by a final independent assessment undertaken by an ISO 27001-certified auditor. The internal audits assess the organization’s ability to satisfy ISO requirements. The final independent assessment determines whether ISO 27001 has been correctly implemented: the auditor checks your ISMS against the ISO checklist document to see whether the company can prove that its security management system meets ISO standards.
What are the 3 ISMS security objectives?
The basic goal of ISO 27001 is to protect three aspects of information:
- Confidentiality: only authorized persons have the right to access information.
- Integrity: only authorized persons can change or update the information.
- Availability: authorized persons should be able to access the information when needed.
Why do we need ISMS?
An Information Security Management System (ISMS) is a set of guidelines that companies need to establish to:
- Identify what stakeholders (specifically) want to know about the company's information security and how it meets their needs.
- Use all the controls and other risk treatment methods.
- Continuously monitor if the implemented controls work as expected.
- Identify the potential risks to the information.
- Define controls and other mitigation methods to limit or eliminate the risks.
- Set clear objectives for the information security team.
- Make continuous improvements that will benefit the ISMS system.
These rules can be formally documented as policies, procedures, and other types of documents, or exist as established processes and technologies that are not documented. ISO 27001 identifies which documents must exist at a minimum. For more information, read the article 10 Benefits of Choosing ISO 27001 for Information Security.
How does ISO 27001 work?
ISO 27001 focuses on protecting the confidentiality, integrity, and availability of information in a company. To do this, you first need to find out what the potential problems in protecting the information are (i.e., risk assessment), and then define what needs to be done to prevent these problems (i.e., risk mitigation or risk treatment).
Thus, the philosophy of ISO 27001 centers around managing risks. You need to identify the risks and then take steps to treat them. Treatment of risks is done by implementing security controls.
According to ISO 27001, all security controls that are to be implemented need to be documented in the Statement of Applicability (SOA).
The standard has two parts. The first part is the main part and has 11 clauses, numbered 0 to 10. Clauses 0 to 3 are 'Introduction', 'Normative References', and 'Terms and Definitions' respectively; they introduce the ISO 27001 standard. Clauses 4 to 10 give the mandatory requirements for ISO 27001 compliance.
The second part is Annex A, which is all about security controls. It provides the guidelines and control objectives for 114 controls. Not all the controls in Annex A are mandatory: the decision on which controls are necessary is based on the risk management process.
What are the benefits of an ISMS?
An ISMS framework that complies with ISO 27001 security requirements does not just ‘tick a box’.
It also gives you all of these excellent advantages:
- Adaptability: An ISMS lets you make quick manoeuvres in response to evolving security threats and to changes both within your organisation and in the outside environment. Say hello to threat reduction!
- Reduced costs: You avoid spending on layers of technology and practices that might not work, thanks to the risk assessment and systematic approach of an ISMS.
- Resilience: Curating and executing an ISMS can increase your company’s resilience to cyber attacks. As we say here at 6clicks, ‘compliance is not resilience’ (although it should be!).
- Centralisation: An effective ISMS (contact us to get this done) gives you a fantastic centralised framework for securing your information…and keeping it.
- Security-first company culture: Watch your company culture shift as the ISMS blankets your entire company, not just the IT department. Empower your staff to understand and tackle security issues within their respective domains. Let them embrace risk as part of their everyday attitude!
- Forms: Not ‘that’ kind of form (please god no!). Whether your information is paper-based, in the cloud or in some other digital form, an effective ISMS helps you protect it all (electronic, hard-copy, verbal etc.).
- Protection: Remember the bit above when we talked about the ‘features’ of information? Well, an effective ISMS protects the intimate details of your information. The purity, accessibility and privacy of your information are supported by an ISMS by way of its policies, procedures and technical and physical access controls.
For further information, please read Business Origami: The Importance of Folding ISMS into Your GRC.
Requirements & security controls
ISO 27001 plays a crucial role in addressing the threat of unauthorized access, particularly in the realm of operations security. By implementing stringent security measures and processes, organizations can prevent unauthorized individuals from gaining access to sensitive information and critical systems. This includes employing robust authentication methods, access controls, and encryption techniques to ensure that only authorized personnel can access valuable assets and perform specific operations. ISO 27001's emphasis on operations security assists in safeguarding against potential breaches and data leaks that could compromise the confidentiality, integrity, and availability of vital resources. By proactively incorporating security best practices and following the applicable control sets, businesses can strengthen their operations and reduce the risk of unauthorized access incidents, safeguarding their data and reputation.
What are the requirements for ISO 27001?
Here is a brief summary of the ISO 27001 requirements as stated in Clauses 4 to 10.
Clause 4: Context of the organization – Understanding the context of the organization is important for implementing a strong ISMS strategy, as well as for implementing the ISO 27001 standard. Stakeholders, issues specific to the industry or organization, the involvement of clients and vendors, etc. need to be taken into account. The regulatory obligations related to the business also need to be considered.
Once the context of the organization is clear, the scope of ISMS needs to be defined. The scope will tell you how extensively ISO 27001 will be applied in your organization. Read more about defining the scope in the blog The Best Way to Define the Scope in ISO 27001.
Clause 5: Leadership – This clause emphasizes the need for senior management to be actively involved in information security. Senior management is required to provide adequate resources for a successful implementation of the ISMS. They need to demonstrate commitment to the processes of ISO 27001 and ISMS implementation. Since ISMS objectives need to be aligned with business objectives, it makes sense for top management to take leadership in security initiatives so that decisions can be made from a compliance as well as a strategic point of view.
Senior management also needs to establish and uphold policies related to information security. It is their responsibility to ensure that the policies are documented and communicated with all employees as well as external stakeholders. Assigning roles and responsibilities to comply with ISO 27001 requirements also is a responsibility that lies with the senior management.
Clause 6: Planning – This clause is about planning the actions to address risks and opportunities. A risk assessment is the first step of planning. The information security goals of the organization, the overall business goals, and the insights from the risk assessment need to be aligned during planning. This produces a risk treatment plan that helps to meet all goals. The risk treatment plan will also outline the use of controls from the list in Annex A of ISO 27001.
Clause 7: Support – An ISMS needs continuous effort to improve. ISO 27001 requires that resources be provided to ensure that this improvement continues. Increasing awareness, establishing proper communication channels, procuring resources for improvement, etc. are all important aspects of supporting the improvement of the ISMS. All information related to the ISMS needs to be documented, updated, and maintained.
Clause 8: Operation – This clause is related to the execution of the plans. This includes all actions that are planned to meet the objectives for information security. Considering that some business processes may be outsourced, there needs to be a proper system in place to control all processes.
Clause 9: Performance evaluation – ISO 27001 requires organizations to evaluate the performance of ISMS. This includes the standard processes for monitoring, measuring, evaluating, and analyzing the effectiveness of the ISMS. It includes laying out a plan to monitor and measure performance. This needs to be done via internal audits and management reviews.
Clause 10: Improvement – This clause states the requirement for a process to continuously improve the ISMS. After the performance evaluation of the previous clause, you will have important insights into how the system can be further improved for enhanced information security. The PDCA (Plan, Do, Check, Act) cycle is not a mandatory ISO requirement, but it is recommended as a way of achieving continuous improvement.
Annex A contains a list of 114 controls with their objectives in information security. These controls are for risk treatment and ISO 27001 compliance. All 114 controls might not be relevant to all businesses and only those controls that are helpful for meeting the security goals need to be implemented.
What are the 14 domains of ISO 27001?
Annex A of the ISO 27001 standard consists of a list of security controls organizations can utilize to improve the security of their information assets. ISO 27001 comprises 114 controls divided into 14 sections, also known as domains. The sections are focused on information technology and beyond, taking into consideration the wide range of factors that can impact the security of an organization’s information environment. The 14 ISO domains cover organizational issues, human resources, IT, physical security, and legal issues. Organizations are not required to implement the entire list of ISO 27001’s controls but instead use it as a list of possibilities to consider based on their unique needs.
Utilizing the 114 controls listed in Annex A, a company can select those applicable to its needs and the needs of its customers. The 14 domains are:
- Information security policies (A.5)
- Organization of information security and assignment of responsibility (A.6)
- Human resource security (A.7)
- Asset management (A.8)
- User access control (A.9)
- Encryption and management of sensitive information (A.10)
- Physical and environmental security (A.11)
- Operational security (A.12)
- Communications security (A.13)
- System acquisition, development, and maintenance (A.14)
- Supplier relationships (A.15)
- Information security incident management (A.16)
- Information security aspects of business continuity management (A.17)
- Compliance (A.18)
How do you implement ISO 27001 controls?
The ISO 27001 controls can be classified into 5 types of controls.
Technical controls: These are implemented where software, hardware, and firmware components are used. Examples of controls include backups, antivirus software, malware protection programs, etc.
Organizational controls: These are implemented through organizational policies aimed at rules and regulations for user behavior, usage of equipment, software, systems, etc. Examples include access control policy, BYOD policy, etc.
Legal controls: Legal controls ensure that the rules and expected behaviors are in line with the laws, regulations, contractual obligations, and any other legalities that the organizations must follow. Examples include NDAs, SLAs, etc.
Physical controls: Physical controls are implemented in cases where physical assets are exposed to people and objects. Examples of physical controls include CCTV cameras, alarm systems, locks, fireproofing, etc.
Human resource controls: These controls are implemented to empower employees and other users so that they can use information securely. This can be done by providing knowledge, education, skills, or experience. Examples include security awareness training, ISO 27001 internal auditor training, background checks etc.
Implementation & certification
Mandatory documents for ISO 27001
ISO 27001 requires a set of mandatory documents in the form of policies, procedures, plans, records, etc. for compliance.
Below is the list of mandatory documents:
- ISMS Scope (clause 4.3)
- Information Security Policy and Objectives (clauses 5.2 and 6.2)
- Risk Assessment and Risk Treatment Methodology (clause 6.1.2)
- Statement of Applicability (SOA) (clause 6.1.3 d)
- Risk Treatment Plan (clauses 6.1.3 e and 6.2)
- Risk Assessment Report (clause 8.2)
- Definition of security roles and responsibilities (controls A.7.1.2 and A.13.2.4)
- Inventory of Assets (control A.8.1.1)
- Acceptable Use of Assets (control A.8.1.3)
- Access Control Policy (control A.9.1.1)
- Operating Procedures for IT Management (control A.12.1.1)
- Secure System Engineering Principles (control A.14.2.5)
- Supplier Security Policy (control A.15.1.1)
- Incident Management Procedure (control A.16.1.5)
- Business Continuity Procedures (control A.17.1.2)
- Statutory, Regulatory, and Contractual Requirements (control A.18.1.1)
The list of mandatory records is as below:
- Records of training and records of the users' skills, experience, and qualifications (clause 7.2)
- Records of monitoring activities and results of measurement (clause 9.1)
- Records of all internal audits conducted (clause 9.2)
- Results of internal audits also need to be recorded (clause 9.2)
- Results of management reviews (clause 9.3)
- Results of corrective actions taken (clause 10.1)
- User activity logs and records of exceptions and security events logged (controls A.12.4.1 and A.12.4.3)
Apart from this, where applicable, you can choose to create additional documents.
What does it mean to be ISO Certified?
A company, as well as an individual, can be ISO certified.
You can go for ISO 27001 certification by inviting an accredited certification body for an external certification audit. Upon a successful external audit, your company will receive an ISO 27001 certification. The certification process indicates that your company has achieved ISO 27001 compliance.
You can also opt for ISO 27001 training as an individual. After the training when you pass the exam, you will receive the ISO 27001 certificate. This certificate indicates that the person who has appeared for the exam has gained the required skills and knowledge about ISO 27001.
Other frameworks and standards
The most common ISO 27000 standards
ISO 27001 is the main security standard in the ISO 27000 family and also the most commonly referenced certification. However, there are over 40 other standards in the ISO 27000 family that you should know about.
ISO 27001 defines the requirements for an ISMS. However, it does not detail many aspects of how best to go about implementing the main standard. This is where the other ISO standards come in. The most commonly used standards are given below:
ISO/IEC 27000: It provides terms and definitions used in all of the ISO 27000 standards.
ISO/IEC 27002: It has the guidelines for implementing the controls listed in Annex A of ISO 27001.
ISO/IEC 27004: It provides information on how information security can be measured and also provides guidelines to determine whether the ISMS objectives are met.
ISO/IEC 27005: It provides complete details on performing risk assessment and risk treatment, both of which are integral to ISO 27001.
ISO/IEC 27017: It provides all information on securing cloud environments.
ISO/IEC 27018: It provides the guidelines for protecting cloud environments and ensuring data privacy in these environments.
ISO/IEC 27031: It details all the aspects you need to consider while developing a business continuity plan for ICT.
What is ISO 27002?
ISO 27002 is a set of guidelines and best practices for information security. It takes into account the risk exposure of the organization's information and provides details on how the risks can be treated by implementing controls. From selecting controls to implementing and managing them, ISO 27002 has all the information.
ISO 27002 helps you implement best practices and achieve a stable ISMS. It is, however, not a certification, only a standard with clear guidelines. It is much more detailed than ISO 27001 and has actionable advice and compliance requirements that ultimately help with achieving ISO 27001 certification.
What is the difference between ISO 27001:2013 and 2022?
The original version of ISO 27001 was published in 2005, with minor updates in 2013, and now finally a moderately sized update in 2022. That’s about one update per decade!
In a fast-changing industry like cyber and information security that could be seen as a bad thing. But ISO 27001 like ISO itself is a steady ship in a fast-changing environment.
So, what has changed in ISO 27002:2022? The changes include control additions, the reasons behind those additions, and reductions (or rather merged and consolidated controls).
What is the difference between ISO 27001 and NIST CSF?
The NIST frameworks were designed as flexible, voluntary frameworks. The fact that they are flexible makes it relatively easy to implement them in conjunction with ISO 27001.
This is largely because both standards share a number of common principles, including requiring senior management support, a continual improvement process, and a risk-based approach.
- NIST was primarily created to help US federal agencies and organizations better manage their risk.
- NIST frameworks have various control catalogs.
- The NIST CSF contains three key components: the core, implementation tiers, and profiles. The core is organized into functions, and each function has categories, which are the activities necessary to fulfill that function.
- NIST has a voluntary, self-certification mechanism.
- The NIST framework uses five functions to customize cybersecurity controls.
- ISO 27001 is an internationally recognized approach for establishing and maintaining an ISMS.
- ISO 27001 Annex A provides 14 control categories with 114 controls.
- ISO 27001 is less technical, with more emphasis on risk-based management that provides best practice recommendations for securing all information.
- ISO 27001 relies on independent audit and certification bodies.
- ISO 27001 has 10 clauses to guide organizations through their ISMS.
For further information, please read the articles:
- 📃 ISO 27001 and NIST CSF Overview
- 📃 ISO 27001 vs NIST CSF: Different yet complement each other?
- 📃 ISO 27001 vs NIST Cybersecurity Framework
Artificial Intelligence and Robust Content
Written by 6clicks CISO, Andrew Robinson, this eBook covers the interconnection of Artificial Intelligence and Machine Learning with GRC, the labor of maintaining mappings, how to utilize AI and ML in your GRC practice, AI and ML mapping opportunities for GRC consultants, and curating and maintaining robust GRC content.