ISO 27001 framework: What it is and how to comply
The ISO 27001 framework is for those looking for management guidance on information technology. ISO 27001 is intended to provide a standard framework for how organizations should manage their information security and data.
What is ISO 27001?
This framework was created by a partnership between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), so you may see it under the alternative name ISO/IEC 27001. Any way you say it, ISO 27001 is a set of standards for information security management called the ISO/IEC 27000 series and provides best practices for information security management systems or ISMS. It was developed to guide organizations, both large and small, to better protect their information in a manner that is risk-based, systematic and cost-effective. It is not mandatory to implement ISO 27001 in your organization, however, the good it can bring to your information security management may just make you a believer.
Please note that ISO 27001 is a standards framework that does not work independently. It takes input from management and other organizational decision-makers to give an accurate picture of the security risks, threats and vulnerabilities present. Custom-made security controls by organization management are how you get around the organization-specific issues.
ISO 27001:2013 vs. ISO 27001:2017: What is the difference?
Standards frameworks evolve and ISO 27001 has gone through revisions since it was first released in 2005. The first revision was released in 2013 and the second in 2017. This begs the question: what is the difference between the two? Simply put, there is not much substantive difference between the two but one. Appendix A in the 2013 version calls for you to specifically inventory assets. The change in the 2017 version is that information is specifically listed as an asset, which means that it needs to be specifically inventoried. This shows a changing view on information and is now inventoried just like physical assets.
What are the ISO 27001 controls?
ISO 27001 Annex A contains 14 domains, which are essentially categories of controls. There are 114 controls in all and for compliance, you only need to implement the controls that make sense for your organization. We will explore the domains of ISO 27001 to give you an overview of the different types of controls that ISP 27001 recommends organizations implement. It should be noted that IT security is not the sole focus of these controls, rather they extend to the areas of managing processes, human resources, legal compliance, physical protection and other areas of organizational management.
A.5. Information security policies
These controls describe how the organization should handle its information security policies.
A.6. Organization of information security
These controls provide a framework for information security by defining the internal organization, such as roles and responsibilities, as well as other information security aspects of the organization such as the use of mobile devices, project management and even teleworking.
A.7. Human resource security
This domain presents controls that tackle the information security aspects of HR.
A.8. Asset management
These controls concern assets that are used in information security as well as designating responsibilities for their security.
A.9. Access control
These controls limit access to information assets and are both logical access controls and physical access controls.
This domain presents us with a proper basis for use of encryption to protect the confidentiality, authenticity and integrity of your organization’s information.
A.11. Physical and environmental security
These controls are concerned with physical areas, equipment and facilities and protect against intervention, both by humans and nature.
A.12. Operations security
These controls ensure that the organization’s IT systems, operating systems and software are protected.
A.13. Communications security
These are controls for the network (infrastructure and services) and the information that travels through it.
A.14. System acquisition, development and maintenance
Controls to ensure that information security is paramount when purchasing or upgrading information systems.
A.15. Supplier relationships
These controls are meant to ensure that suppliers/partners use the right Information Security controls and describe how third-party security performance should be monitored.
A.16. Information security incident management
This domain contains controls related to security incident management related to security incident handling, communication, resolution and prevention of incident reoccurrence.
A.17. Information security aspects of business continuity management
Controls to ensure information security management continuity during disruptions as well as information system availability.
The controls in this domain are a framework to prevent legal, regulatory, statutory and breaches of contract. They also can be used to audit whether your implemented information security is effective based upon the ISO 27001 standard.
Who needs ISO 27001?
While you are not required to adopt the best practices laid out in ISO 27001, some do need ISO 27001. Those that need it most of all are managers responsible for information security at organizations that have either undeveloped or non-existent information security. Using ISO 27001 as a source of guidance, they can turn this situation around by attaining effective information security. Those who have information security that is at least functional can benefit as well and strengthen their information security programs as well.
What else is needed for compliance?
There is also a list of mandatory requirements that organizations need to implement to comply with ISO 27001. These requirements can be found in clauses four through 10 of the standard. They are:
- Clause four: the context of the organization
- Clause five: leadership
- Clause six: planning
- Clause seven: support
- Clause eight: operation
- Clause nine: performance evaluation
- Clause 10: improvement
Implementation of ISO 27001 also requires that some documents be written up by the organization. These documents are:
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Definition of security roles and responsibilities (controls A.7.1.2 and A.13.2.4)
- Inventory of assets (control A.8.1.1)
- Acceptable use of assets (control A.8.1.3)
- Access control policy (control A.9.1.1)
- Operating procedures for IT management (control A.12.1.1)
- Secure system engineering principles (control A.14.2.5)
- Supplier security policy (control A.15.1.1)
- Incident management procedure (control A.16.1.5)
- Business continuity procedures (control A.17.1.2)
- Statutory, regulatory and contractual requirements (control A.18.1.1)
It is also required to keep certain mandatory records. These records are:
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
- Logs of user activities, exceptions and security events (controls A.12.4.1 and A.12.4.3)
How to get ISO 27001 certified
After proper implementation of your ISMS, you can now get certified in the standard. Organizations can be certified as well as individuals within the organization. There is no set price for how much it costs an organization to be certified but relatively speaking, the cost considerations for an organization to be certified are:
- Training and literature
- External assistance
- Technologies that need to be implemented or updated
- Employees’ effort and time
- Cost of the certification body
For an organization to become certified, it needs to invite an accredited certification body to perform a certification audit. If the organization passes the audit, it is issued an ISO 27001 certificate. This certificate shows that the organization is fully compliant and certifications last for three years.
Individuals can become certified in ISO 27001 by attending a training session and passing the certification exam. There are several different courses available:
- Lead implementer
- Lead auditor
- Internal auditor
- Foundations (ISO 27001 basics)
Pursuing the ISO 27001 standard
ISO 27001 is a standards framework that provides best practices for risk-based, systematic and cost-effective information security management. To comply with ISO 27001, it is necessary to roll out implementation of it according to the standard’s requirements and get ISO 27001 certified. Compliance with ISO 27001 will make your information security management not only more effective, but you will have a way to prove it if you ever have to.
What is ISO 27001? Quick and easy explanation, 27001 Academy
What is ISO 27001 and why do I need it?, Compare the Cloud