The ISO 27001 standard for management of information systems helps organizations of any size to manage the security of data assets such as employee information, financial information, intellectual property, and third-party information.
ISO 27001 is primarily known for providing requirements for an information security management system (ISMS), and is part of a much larger set of information security standards.
An ISMS is a standards-based approach to managing sensitive information to assure that the information stays secure. The core of an ISMS is rooted in the people, processes, and technology through a governed risk management program.
Many organizations follow ISO 27001 standards, while others seek the additional step of obtaining an ISO 27001 certification. Be aware, however, that certification is evaluated and granted by an independent third party that conducts the certification audit. Once the ISO 27001 audit is complete, the auditor gives the organization a Statement of Applicability (SOA) summarizing its position on all security controls.
Why Is an ISO 27001 Checklist Essential?
Information security policies and controls are the backbone of a successful information security program.
Risk assessments, risk treatment plans, and management reviews are all critical components needed to verify the effectiveness of an information security management system. Security controls make up the actionable steps in a program and are what an internal audit checklist follows.
A complete list of controls for ISO 27001 is in Annex A of the standard, but not all of those controls are information technology-related. The best way to think of Annex A is as a catalog of security controls, and once a risk assessment has been conducted, the organization has a guide on where to focus.
These are the control sets of Annex A:
- Annex A.5 – Information Security Policies
- Annex A.6 – Organization of Information Security
- Annex A.7 – Human Resource Security
- Annex A.8 – Asset Management
- Annex A.9 – Access Control
- Annex A.10 – Cryptography
- Annex A.11 – Physical and Environmental Security
- Annex A.12 – Operations Security
- Annex A.13 – Communications Security
- Annex A.14 – System Acquisition, Development, and Maintenance
- Annex A.15 – Supplier Relationships
- Annex A.16 – Information Security Incident Management
- Annex A.17 – Information Security Aspects of Business Continuity Management
- Annex A.18 – Compliance
What Are the Controls in ISO 27001?
The ISO 27001 controls list, divided into 14 sections, may be found in Annex A (domains). Not all of them are IT-related. Following is an overview of the controls within each section.
Information Security Policies, Annex A.5 (2 controls)
This section defines the general direction of the organization’s information security processes based on the organization’s needs.
Organization of Information Security, Annex A.6 (7 controls)
The distribution of duties for particular tasks is covered in this appendix. It consists of two sections, with Annex A.6.1 verifying that the organization has built a structure capable of effectively implementing and maintaining information security standards.
Mobile devices and remote working are covered in Annex A.6.2. It is intended to assure that everyone who works from home or while on the go, whether part- or full-time, adheres to the proper procedures.
Security of Human Resources, Annex A.7 (6 controls)
Making sure that workers and contractors are aware of their duties is the goal of Annex A.7.
There are three parts to it. Annex A.7.1 discusses what obligations exist for people before employment. Job-related tasks are covered in Annex A.7.2. Annex A.7.3 covers requirements to protect the organization when employees are no longer in that job due to leaving the organization or changing roles.
Asset Management, Annex A.8 (10 controls)
This section addresses how organizations define acceptable information protection obligations and identify information assets.
There are three portions. First, organizations’ identification of information assets that fall under the purview of the ISMS is the chief topic of Annex A.8.1.
Information classification is covered in Annex A.8.2. By following this procedure, information assets are assured to receive the proper level of protection.
In Annex A.8.3, media handling must prevent sensitive data’s unauthorized disclosure, alteration, removal, or destruction.
Control of Access, Annex A.9 (14 controls)
Assuring that employees can only read information pertinent to their jobs is the goal of Annex A.9. It is separated into four components covering user access to data, systems, and applications. User responsibilities, such as password management, are also covered.
Cryptography, A.10 Annex (2 controls)
This section covers the handling of sensitive information and data encryption. Its two controls assure businesses employ cryptography to secure the availability, confidentiality, and integrity of data.
Physical and Environmental Security, Annex A.11 (15 controls)
The security of physical assets and property is covered in this section. With 15 controls divided into two sections, it is the longest annex in the Standard.
Preventing unauthorized physical access to the organization’s facilities or the sensitive data kept there is the goal of Annex A.11.1.
Annex A.11.2 focuses on equipment. It is intended to prevent the theft, loss, or damage of the physical files, software, hardware, and other containers that make up an organization’s information assets.
Security for Operations, Annex A.12 (14 controls)
This annex has seven components. Its controls assure that information processing facilities are safe.
Operational duties and procedures are covered in Annex A.12.1, assuring that the correct operations are carried out.Malware is addressed in Annex A.12.2, to assure that the organization has the required defenses to reduce the risk of infection.
Organizations’ obligations for backing up systems to prevent data loss are covered in Annex A.12.3.
The intention of Annex A.12.4 is to guarantee that organizations maintain logs and records of proof when security incidents take place.
The requirements for protecting the integrity of operational software are covered in Annex A.12.5.
Technical vulnerability management is covered in Annex A.12.6, intended to prevent unauthorized parties from taking advantage of flaws in the system.
Information systems and audit issues are addressed in Annex A.12.7 providing guidelines to minimize the impact that audit operations have on operational systems.
Communications Security, Annex A.13 (7 controls)
This section addresses how businesses safeguard data on networks. It has two parts. Network security management is addressed in Annex A.13.1 to maintain the confidentiality, integrity, and accessibility of information in such networks. Annex A.13.2 addresses information security while in transit, whether moving to another company division, a third party, a client, or any other interested party.
Acquisition, Development, and Maintenance of Systems, Annex A.14 (13 controls)
The goal of Annex A.14 is to maintain information security as a critical component of the organization’s procedures over its entire lifespan. The security needs for internal systems and those that offer services via public networks are covered by its 13 controls.
Supplier Relationships, Annex A.15 (5 controls)
This appendix addresses the contracts that businesses have with other parties.
It is split into two halves. First is the protection of an organization’s assets accessible to or affected by suppliers, covered in Annex A.15.1. Second, Annex A.15.2 assures that all parties uphold the agreed-upon standards for information security and service delivery.
Information Security Incident Management, Annex A.16 (7 controls)
This section covers how to handle and report security issues. The procedure entails defining which personnel should be responsible for particular activities to provide a uniform and efficient approach for responding to security incidents.
Business Continuity Management Related to Information Security, Annex A.17 (4 controls)
The goal of Annex A.17 is to create a successful system to handle business disruptions. It has two parts.
First, information security continuity is covered in Annex A.17.1, which also outlines the steps to make sure that information security continuity is integrated into the organization’s business continuity management system. Redundancies are examined in Annex A.17.2 to assure the availability of information processing facilities throughout a disruption.
Compliance, Annex A.18 (8 controls)
Organizations can locate pertinent legislation and regulations thanks to this appendix. This aids in comprehending their contractual and legal obligations, reducing the possibility of non-compliance and the associated fines.
How to Create an ISO 27001 Controls Checklist
A typical ISO 27001 checklist has several key components.
- The organization must assess the environment and take an inventory of hardware and software.
- Select a team to develop the implementation plan.
- Define and develop the ISMS plan.
- Establish a security baseline.
- Establish a risk management program and identify a risk treatment plan.
- Implement a risk treatment plan.
- Monitor, conduct management reviews and take corrective action by leveraging the ISMS.
Once the ISO 27001 checklist has been established and carried out by the organization, then ISO certification may be considered.
Are you looking for ISO certification or simply strengthening your security program? An ISO 27001 checklist adequately laid out will help accomplish both. In addition, the checklist needs to consider security controls that can be measured. For instance, the checklist should proceed through the issues in Annex A 5-18 to understand whether the organization has the proper security controls.
Create Your Own ISO 27001 Checklist
There are many ways to create your own ISO 27001 checklist. The critical point is that the checklist should be designed to test and prove that security controls in your organization are compliant.
Consult with your internal and external audit teams for a checklist template to use with ISO compliance or for basic security control validation. ISO 27001 standards are an essential baseline for a successful information security program.
Also remember that an ISO 27001 checklist is not a one-time exercise. Proper compliance is a cycle of continuous improvement; checklists require ongoing monitoring to stay ahead of cybercriminals.
How Do You Perform a Gap Analysis?
Companies can compare their present information security systems to the criteria of the ISO 27001 standard to determine where gaps might exist, and what should be done to update their business processes to achieve ISO 27001 certification.
Theoretically an organization can do a gap analysis at any time, but timing is essential to optimize its impact. So perform gap studies frequently, and especially before a time of strategic planning or whenever a department or endeavor is performing poorly.
The ISO 27001 risk assessment and ISO 27001 gap analysis are the major topics of the ISO 27001 implementation and review procedure. Most of the information required for an organization to adhere to the ISO 27001 standard is provided through these procedures.
That said, because the procedures for ISO 27001 gap analysis and risk assessment are similar, companies can become confused between the two – which jeopardizes your ISO 27001 compliance.
An ISO 27001 risk assessment helps you to determine which cybersecurity controls are necessary at your business. That risk assessment, however, does not reveal if the firm actually has implemented specific cybersecurity measures. The ISO 27001 gap analysis does that.
Businesses frequently use consulting firms to complete the ISO 27001 gap analysis. An ISO 27001 gap analysis specialist can evaluate your current information security processes, procedures, and documentation during this process.
The specialist will then evaluate those items, considering the criteria of the ISO 27001 standard. The specialist will report on non-conformities and opportunities to improve the organization’s current information security practices, to resolve gaps in compliance and reduce the risk of data breaches.
Which Metrics Should You Use to Measure the Efficacy of an ISMS?
Assuring that processes are efficient makes sense in information security management – but how can you tell if your information security program is successful and moving in the right direction?
Organizations that follow the ISO 27001 standard must guarantee that their ISMS is continually improved. The standard’s Chapter 9 focuses primarily on measures to monitor performance. It states that you must specify the processes and controls you plan to measure, the frequency of reviews, and the targets.
Performance metrics show whether you are meeting your information security objectives and can serve as early warning systems, alerting you to new risks. Examples include: how much spam your spam filter catches, how many viruses you detect, how many attacks your intrusion detection system or firewall can detect, uptime/downtime, and other quantitative measurements.
Additional measures include the percentage of security tasks completed in the allotted time, the number of staff members who have acknowledged the latest security policy update, or the average amount of time taken to correct policy or compliance requirements violations.
When you compare metrics from month to month, you will see if your controls are adequate or if new risks are emerging. If targets are not being met, review your risk assessment, gap analysis, and operating procedures. Top management should review metrics regularly and ensure resources are properly allocated to address concerns.
Streamline ISO 27001 Compliance with ZenGRC
Complying with regulatory and security frameworks is labor intensive, especially if you are tracking requirements on an old-fashioned spreadsheet. To expedite the process and ease your ISO worries, you can streamline and automate your ISO 27001 compliance and certification tasks.
ZenGRC is a compliance and audit management solution. It provides prescriptive guidance with a pre-loaded library of regulatory and information security frameworks. Automated workflows ensure nothing falls through the cracks and always leave a clear audit trail.
Insightful reporting and dashboards help you spot concerns and easily share progress with stakeholders. ZenGRC is a single source of truth with advanced functionality to help you perform all your compliance activities with ease.
Schedule a demo to see how you can always be audit-ready with ZenGRC.