ISO 27001 is an information security management system (ISMS) standard developed to help organizations protect their information systematically and cost-effectively. ISO 27001 has been revised several times; this post describes the 2013 edition (ISO/IEC 27001:2013). Note that a 2022 revision has since been published that reorganizes Annex A, so the 14 domains and control numbers cited below apply to the 2013 edition. In this blog post, we will explain what ISO 27001 is, from how it works and what its objectives, requirements, controls, and domains are to what its main benefits are.
What is the ISO 27001 certification?
ISO 27001 is the leading international standard focused on information security. The ISO/IEC 27001:2013 standard was published on September 25, 2013. The "2017" label sometimes seen (EN ISO/IEC 27001:2017) is the European adoption of that same 2013 text incorporating two technical corrigenda, not a separate ISO revision. ISO 27001 provides a set of requirements for an Information Security Management System (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical, and technical controls involved in an organization's information risk management processes.
ISO 27001 aims to protect the confidentiality, integrity, and availability of an organization’s information. This is achieved by conducting a risk assessment of the potential problems that could occur with the information, then defining the risk mitigation plan to use to prevent such problems from happening. So, the main driver of ISO 27001 is a process for managing risks: Identifying where the risks are, then systematically addressing them via the implementation of security controls or safeguards.
Who is it for?
ISO 27001 is for any organization, of any size and industry, that wants to implement an ISMS. The ISO 27001 standard details requirements for establishing, implementing, maintaining, and continually improving an ISMS – designed to help organizations make their information assets more secure.
Why is ISO 27001 important?
ISO 27001 is important because it is a well-recognized international standard that allows organizations implementing it to show their various stakeholders that they take information security seriously and commit to the following:
- Perform practical, comprehensive risk assessments.
- Reduce identified risks to an acceptable level.
- Manage those risks effectively.
What does it mean to be “ISO 27001 certified”?
An organization can undertake ISO 27001 certification by inviting an accredited certification body (one accredited by a national accreditation body; ISO itself does not perform certification) to audit whether its ISMS conforms to the ISO 27001 requirements. Once certified, an organization can display its certification body's certification mark (the ISO logo itself may not be used) and claim to be ISO 27001 certified, meaning that it has successfully implemented an ISMS that meets the ISO 27001 requirements. Certification is not a one-off event: it is maintained through periodic surveillance audits and a recertification audit, typically on a three-year cycle.
What are the goals of ISO 27001?
The essential goal of ISO 27001 is to protect these three main properties of information:
- Confidentiality: Information is accessible only to individuals who are authorized to access it.
- Integrity: Information is accurate and complete, and can be modified only by authorized individuals through authorized means.
- Availability: Information is accessible to authorized individuals whenever it is needed.
What are the ISO 27001 14 domains?
The 14 domains listed in Annex A of ISO 27001, from sections A.5 to A.18, cover the following:
- A.5. Information security policies
- A.6. Organization of information security
- A.7. Human resource security
- A.8. Asset management
- A.9. Access control
- A.10. Cryptography
- A.11. Physical and environmental security
- A.12. Operations security
- A.13. Communications security
- A.14. System acquisition, development and maintenance
- A.15. Supplier relationships
- A.16. Information security incident management
- A.17. Information security aspects of business continuity management
- A.18. Compliance
A closer examination of these domains shows us that managing information security is not only about IT security (i.e., firewalls, etc.), but also about managing processes, legal protection, HR, physical protection, etc.
What are the ISO 27001 controls and how to implement them?
The ISO 27001 controls or safeguards – which can be technical, organizational, legal, physical, or human – are the practices to be implemented to reduce information security risks to acceptable levels.
- Technical controls are chiefly implemented in information systems using software, hardware, and firmware components added to the system, e.g., antivirus software, disk encryption, or multi-factor authentication.
- Organizational controls are implemented through the definition of the rules to be followed and the expected behavior of users, equipment, software, and systems, e.g., a BYOD policy or an access control policy.
- Legal controls are implemented by ensuring that all rules and expected behaviors honor and apply the laws, regulations, contracts, and other similar legal instruments with which the organization must comply, e.g., an NDA (non-disclosure agreement) or an SLA (service level agreement).
- Physical controls are chiefly implemented through equipment or devices that interact physically with people and objects, e.g., CCTV cameras, alarm systems, or locks.
- Human resource controls are implemented by providing knowledge, education, skills, or experience to individuals so that they can perform their activities securely, e.g., security awareness training or ISO 27001 internal auditor training.
What are the ISO 27001 mandatory documents?
ISO 27001 specifies a minimum set of policies, procedures, plans, records, and other documented information that an organization must maintain to be ISO 27001-compliant. The clause and control numbers below refer to the 2013 edition.
ISO 27001 requires the following documents to be written:
- Scope of the ISMS (clause 4.3)
- Information Security Policy and Objectives (clauses 5.2 and 6.2)
- Risk Assessment and Risk Treatment Methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk Treatment Plan (clauses 6.1.3 e and 6.2)
- Risk Assessment Report (clause 8.2)
- Definition of Security Roles and Responsibilities (controls A.7.1.2 and A.13.2.4)
- Inventory of Assets (control A.8.1.1)
- Acceptable Use of Assets (control A.8.1.3)
- Access Control Policy (control A.9.1.1)
- Operating Procedures for IT Management (control A.12.1.1)
- Secure System Engineering Principles (control A.14.2.5)
- Supplier Security Policy (control A.15.1.1)
- Incident Management Procedure (control A.16.1.5)
- Business Continuity Procedures (control A.17.1.2)
- Statutory, Regulatory, and Contractual Requirements (control A.18.1.1)
And the production of the following records:
- Records of Training, Skills, Experience, and Qualifications (clause 7.2)
- Monitoring and Measurement Results (clause 9.1)
- Internal Audit Program (clause 9.2)
- Results of Internal audits (clause 9.2)
- Results of the Management Review (clause 9.3)
- Results of Corrective Actions (clause 10.1)
- Logs of User Activities, Exceptions, and Security Events (controls A.12.4.1 and A.12.4.3)
Any additional security documents the organization deems necessary may also be written; the list above is the minimum an auditor will expect to see.
Is ISO 27001 mandatory?
In most countries, ISO 27001 implementation isn't mandatory. However, some countries have introduced regulations requiring certain industries to implement the ISO 27001 standard, and customers frequently require it contractually as a condition of doing business.
What are the benefits of ISO 27001?
Implementing the ISO 27001 information security standard provides compliant organizations with the following key benefits:
- Comply with legal requirements: Implementing ISO 27001 gives you a proven methodology for complying with the ever-growing number of information security laws, regulations, and contractual requirements.
- Achieve competitive advantage: Clients who are keen on keeping their information secure are likely to perceive your ISO 27001 certification as a clear advantage over competitors who do not have it.
- Avoid costly security incidents: The main philosophy of ISO 27001 is preventing security incidents from happening, and each incident, large or small, costs money. In most cases the investment in ISO 27001 is smaller than the losses it helps avoid.
Wrapping up
ISO 27001 is one of the most respected information security standards in the world, and for good reason. It provides a comprehensive framework for establishing an Information Security Management System (ISMS). ISO 27001 certification requires organizations to go through a rigorous auditing process to ensure their compliance with the standard. But the business benefits of ISO 27001 certification – improved security, competitive advantage, cost savings, and better organization – are well worth it.
Contact us if you need help with your security compliance project.