The International Organization for Standardization (ISO) created the ISO 27001 standard, also known as ISO/IEC 27001, as a global standard for Information Security Management Systems (ISMS). The specifications for setting up, implementing, maintaining, and consistently improving an organization’s information security management system are detailed in ISO/IEC 27001:2013.
ISO 27001 is the best-known standard in the ISO 27000 family of standards. It helps businesses manage the cybersecurity of numerous data assets, including financial information, intellectual property, customer data, employee personal information, and third-party data.
The standard also contains specifications for the risk assessment an organization would perform for information security and compliance. Any company, regardless of form, size, or nature, can implement ISO 27001.
ISO defines an ISMS as “a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process. It can help small, medium and large businesses in any sector keep information assets secure.”
Compliance with ISO 27001 is voluntary, unlike laws such as the EU General Data Protection Regulation (GDPR). There are differences between GDPR and ISO 27001, but following the ISO 27001 standards can help on your journey to comply with the GDPR and similar privacy statutes.
ISO/IEC 27001:2013 has two main parts:
- ISO 27001 Sections 4-10, which outline the requirements for Information Security Management Systems (ISMS)
- ISO 27001 control sets of Annex A, which spell out 114 access controls divided into 14 clauses, also known as control objectives:
- A.5: Information security policies
- A.6: Organization of information security
- A.7: Human resource security
- A.8: Asset management and security
- A.9: Access control
- A.10: Cryptography
- A.11: Physical and environmental security
- A.12: Operations security
- A.13: Communications security
- A.14: System acquisition, development, and maintenance
- A.15: Supplier relationships
- A.16: Information security incident management
- A.17: Information security aspects of business continuity management
- A.18: Compliance with internal requirements, such as policies, and with external requirements, such as laws
Organizations can go through a process to certify their compliance with ISO 27001. It is one of the most common ISO certifications sought, along with the ISO 9001 standard for quality management systems.
What Are the Audit Controls of ISO 27001?
The most recent version of ISO 27001 was released in 2013. It is made up of 11 clauses numbered 0 through 10, plus an Annex A that details specific security policies.
Except for the introduction, each of the significant sentences has several subclauses. Clauses 4 through 10 are regarded as required, and a company cannot declare conformity with ISO 27001 without adhering to its specifications. The following is a list of these 11 main clauses:
- Introduction. Introduces the standard and outlines its goals.
- Scope. Provides a high-level overview of the requirements for the information security management system and risk treatment that are included in the rest of the standard. Additionally, it makes clear that the standard is meant to be universal and relevant to various business sizes and industries.
- Normative references. Explains how ISO 27000 and ISO 27001 standards are related.
- Terms and definitions. Covers the vocabulary used within the standard.
- Context of the organization. This is the first required clause and includes information about stakeholders, and internal and external issues, including rules and regulations. As part of this provision, an organization must specify the scope, limitations, and a statement of applicability in ISO 27001 and the ISMS.
- Leadership. Top management must fully support ISO 27001 compliance. The leadership clause details the duties of senior executives in putting in place and keeping up a working ISMS.
- Planning. Planning comprises defining the criteria for risk assessments and creating objectives to gauge success in connection to the company’s larger business goals.
- Support. Resources must be adequately allocated to build and maintain an effective ISMS.
- Operation. Assessments are carried out and documented; risk treatment plans are developed and implemented.
- Performance evaluation. For your ISO 27001 implementation to be as effective as possible, measuring the performance of your ISMS is essential. Guidelines are defined for monitoring the controls, processes, and policies that make up the management system through management reviews and internal audits.
- Improvement. The last required clause addresses ongoing program improvement.
Definition of ISO 27001
Deployment and maintenance of an information security management system is the primary focus of ISO 27001.
Unlike some other standards and frameworks, ISO 27001 compliance can be achieved and shown without strict adherence to a set of predetermined technology controls. Instead, the emphasis is on risk management and adopting a comprehensive, active approach to security throughout the whole enterprise.
More than a dozen controls are included in “Annex A” of the standard. An organization doesn’t need to certify its compliance with all those controls. Rather, each company only needs to implement whichever Annex A controls make sense for the business, based on the particular risks to each company’s operations.
ISO also makes a conscious effort to present the ISO 27001 framework as one that focuses on “information security” rather than cybersecurity. While most of the information in a contemporary business is digital, some physical assets, insider knowledge, and other information can harm the organization if lost or misused.
“Information Security Management System” refers to the policies, practices, personnel, documentation, and controls designed to preserve the confidentiality, integrity, and availability of an organization’s information (ISMS).
ISO 27001 has two sections. The first comprises 11 clauses (0 to 10). The standard is introduced in Clauses 0 to 3: Introduction, Scope, Normative References, Terms and Definitions. Clauses 4-10 define the requirements for an organization’s ISMS.
The second section, Annex A, provides a list of 114 controls that can support Clauses 4-10. The 114 controls are categorized into 14 groups.
Information Security Policies
These controls cover policy writing, approval, and distribution inside the ISMS and throughout the enterprise. Auditors will check to determine whether your processes are regularly documented and reviewed.
Organization of Information Security
Roles and duties must be clearly defined to comply with ISO 27001 standards. Project management and other organizational concerns, such as remote work environments, are also covered in this section.
Human Resources Security
This category addresses the “human factor,” from background checks to ongoing security awareness training. The purpose is to assure that the business’s workforce understands and performs their duties per the firm’s broader objectives and goals.
Asset Management
Procedures are defined for managing assets and how they must be safeguarded and protected. Auditors will examine how your company controls its databases, software, and hardware. The evidence should include any standard tools or techniques you employ to ensure data integrity.
Access Control
This section offers recommendations for authenticating and limiting employee access to various kinds of data, systems, and apps. In addition, auditors will want a thorough explanation of how access credentials are established and who is in charge of keeping them up to date.
Best Practices for Encryption
Auditors will examine your system’s cryptography methods, including sensitive data handling components and the encryption algorithm: Data Encryption Standard (DES), Rivest, Shamir, and Adleman (RSA), or Advanced Encryption Standard (AES).
Security of the Physical Environment
These controls explain procedures for securing equipment, machinery, and buildings. In addition, auditors will audit the physical location for potential vulnerabilities, including how offices and data centers are accessible.
Operations Security
This broad section defines controls for protecting operational software, handling vulnerabilities, mitigating malware attacks, backing up data, and performing ongoing monitoring to detect data breaches and security events.
Communications Security
Communications security comprises transmissions within the network and the ability to maintain confidentiality, integrity, and availability, whether at rest or in transit. All types of communications tools are covered, including email and video conferencing.
System Development, Acquisition, and Upkeep
Processes are defined for how to manage systems in a secure environment. Auditors will demand proof that any new systems implemented within the firm adhere to strict security guidelines.
Ties With Suppliers
This section discusses how a business should engage with other parties while maintaining security. For example, auditors will examine agreements made with third parties who could have access to sensitive information.
Incident Management for Information Security
Recommended strategies for handling security incidents are explained in this section. Roles, responsibilities, and specific activities are defined to assure a quick and consistent approach.
Information Security Aspects of Business Continuity Management
This section reviews change management and business interruptions. It covers the processes required to handle disruptions and the necessary redundancies to assure information and systems are available.
Compliance
Organizations must determine which laws and regulatory obligations apply to their organization to avoid the risks of non-compliance penalties. Auditors will look for proof of compliance with applicable laws.
How to Obtain ISO 27001 Certification
The certification process for ISO 27001 can be time-consuming, sometimes requiring a year or longer. The ISO itself does not issue certifications for ISO 27001. Instead, independent auditors from an accredited certification body confirm that a company has successfully applied all applicable best practices in line with the established ISO standard.
Because of this structure and the framework’s focus on risk management rather than required technical controls, certification cannot be assured by an all-inclusive ISO 27001 compliance checklist. Each company is free to choose how to implement the framework, and auditors will use professional judgment to assess each situation.
Once a company is prepared to hire an auditor or certification body, there is a set procedure for becoming certified. There are three distinct phases.
Phase one. The external auditor or certification authority reviews the organization’s ISMS at a high level. This phase determines if the organization is prepared to proceed to the second, more in-depth step. An ISO 27001 audit might come to a grinding halt due to a lack of essential paperwork, insufficient management support, or misidentified metrics.
Phase two. A more thorough audit is conducted, examining the organization’s implementation of specific security procedures to fulfill the standards outlined. In this stage, an auditor will seek proof that a company is doing everything that was outlined in the documentation provided in phase one.
Phase three. After receiving formal certification, a company must undergo yearly surveillance audits to maintain compliance with ISO 27001. If significant information security risks and non-conformances are identified in an annual surveillance audit, the ISO 27001 accreditation could be revoked before the stated expiration date.
As one might imagine, the certification procedure is tough; any firm looking to become certified will need to properly allocate funds and resources. Companies often hire outside experts to assist with preparation for a certification audit.
What Is an Information Security Management System (ISMS)?
An organization must build an information security management system (ISMS) to:
- Identify the company’s stakeholders and their information security expectations
- Identify the information threats that exist
- Establish safeguards (controls) and other risk-reduction strategies to satisfy the defined expectations and manage risks
- Clearly define your goals for achieving information security
- Execute all risk management measures and controls
- Continually assess if the controls being used operate as anticipated
- Make ongoing adjustments to optimize the performance of the whole ISMS
An ISMS comprises the policies, procedures, and business processes that support information security in an enterprise. It also includes the best practices and human expertise that are not necessarily recorded in procedures. ISO 27001 defines the required documentation for certification.
Benefits of Implementing an ISMS
The adoption of this information security standard can help a corporation achieve several commercial advantages:
Comply with Legal Obligations
A rising number of laws, rules and contractual requirements are linked to information security. The good news is that most of them can be handled by applying ISO 27001, which provides you with the ideal approach to comply with them.
Gain a Competitive Edge
If your business receives certification and your rivals don’t, you will stand out to clients concerned about their data security.
Lower Costs
The fundamental goal of ISO 27001 is to protect data security. The investment in ISO 27001 is significantly less than the cost reductions you’ll experience in the long term by streamlining processes and preventing security events.
Improved Organization
Fast-growing businesses often don’t take the time to define their processes and procedures clearly. As a result, employee training is ad hoc, and process alignment is lost among departments.
Implementing ISO 27001 helps resolve these issues by pushing businesses to document essential procedures (including those unrelated to security), accelerating new employee onboarding and driving efficiencies.
Automate ISO 27001 Compliance with Reciprocity ZenComply
Juggling all the documentation required for ISO 27001 can be overwhelming, especially if you are tracking requirements on a spreadsheet. Save time and effort by automating your company’s ISO 27001 compliance and certification.
Reciprocity ZenComply provides prescriptive guidance, templates, and a pre-loaded library of frameworks to help you get up and running immediately. Evidence and documentation can be uploaded once and cross-mapped to various frameworks.
Automated workflows ensure nothing falls through the cracks and frees you from tedious follow-ups. All activities and corrective actions are stored and easily retrieved at audit time. Real-time reporting gives you the visibility you need to understand the effectiveness of your compliance program.
You can stop worrying about your company’s ISO compliance and management procedures because ZenComply’s single source of truth has it all under control.
Schedule a demo to see how ZenComply can help you achieve ISO 27001 certification in record time.