What is ISO 27001? Understanding the Information Security Standard
This article provides an overview of ISO/IEC 27001, the international information security standard, and why it matters for protecting businesses. It also covers the differences between ISO 27001 and ISO 27002 and the advantages of ISO 27001 certification.
Table of Contents
- Understanding ISO/IEC 27001: An Overview
- What is an ISMS? Everything You Need to Know About Information Security Management Systems
- Why ISO 27001 is Essential for Protecting Your Business: Advantages and Benefits of the Standard
- ISO 27001 vs. 27002 Standards: What's the Difference?
- ISO 27001 Clauses: Understanding the Framework for IT Security
- ISO 27001 Security Controls: Understanding the Annex A Controls and Their Guidance in ISO 27002:2022
Understanding ISO/IEC 27001: An Overview
ISO/IEC 27001 is an international information security standard that provides a systematic approach to managing and protecting sensitive information. It is an essential framework for organizations that want to ensure the confidentiality, integrity, and availability of their information assets, as well as comply with various regulatory requirements. The current edition is ISO/IEC 27001:2022, published jointly by ISO and IEC.
ISO 27001 takes a comprehensive, top-down approach to information security management that is designed to identify and address risks across the entire organization. To manage these risks the standard requires a risk assessment and risk treatment process and provides a reference set of security controls. Unlike standards that are specific to certain technologies or products, ISO 27001 is technology-neutral, meaning it can be applied to any organization regardless of its size, sector or technology stack.
The standard is designed to help organizations establish and maintain an effective Information Security Management System (ISMS) that aligns with their business objectives.
Overall, ISO/IEC 27001 is a critical standard for organizations that want to protect their sensitive data assets and ensure the resilience of their information security management systems. By implementing the standard and achieving certification, organizations can demonstrate their commitment to data security and gain a competitive edge in today's rapidly evolving cyber landscape.
What is an ISMS? Everything You Need to Know About Information Security Management Systems
An information security management system (ISMS) is a structured and organized approach to managing an organization's information security, aimed at preventing unauthorized access, use, disclosure, modification, or destruction of information. An ISMS typically includes a set of policies, procedures, guidelines, and other controls that help organizations manage their information security risks effectively.
Implementing an ISMS based on the ISO 27001 standard can help organizations ensure the confidentiality, integrity, and availability of their information assets, as well as demonstrate their compliance with applicable laws and regulations.
Does all of this sound too complicated?
Don't worry, it's not as daunting as it may seem.
In simple terms, an ISMS is the sum of all the security controls and processes you have put in place to protect your information, not only your IT systems.
While the security controls listed in Annex A of ISO 27001 (and explained in ISO 27002) are typically the foundation of an ISMS, they can be supplemented with additional controls as needed.
This makes the ISMS a dynamic, rather than a static, system.
It is based on the so-called Plan - Do - Check - Act cycle.
But what is a PDCA cycle?
The PDCA cycle, also known as the Deming Cycle, is a four-step approach to continuous improvement. It involves Plan, Do, Check, and Act, and it provides a framework for organizations to make data-driven decisions and improve their processes continually.
- Plan: Identify areas where improvements or changes can be made, and create a plan to implement those changes.
- Do: Implement the changes outlined in the plan, and measure their effectiveness.
- Check: Review the results of the changes made in the "Do" phase, and analyze data to evaluate their effectiveness.
- Act: Based on the results of the "Check" phase, take action to either make further improvements or incorporate the changes into broader company practices.
Here's an example of how the PDCA cycle works within the IT world:
- Plan: The IT department of a company recognizes the need to improve the security of its data, and decides to implement an information security management system (ISMS) based on the ISO 27001 standard. The planning process involves identifying potential security risks, defining security policies and procedures, and selecting appropriate security controls.
- Do: The IT department implements the ISMS by putting the defined security policies and procedures in place, and deploying the selected security controls. This may involve updating software, configuring firewalls, training employees on security best practices, and implementing access controls to restrict who can view sensitive data.
- Check: The IT department regularly measures and analyzes the effectiveness of the implemented security measures. This may involve reviewing access logs to ensure that only authorized personnel are accessing sensitive data, performing vulnerability scans to identify potential security weaknesses, and reviewing incident reports to track the number and severity of security incidents.
- Act: Based on the results of the check phase, the IT department takes action to improve the security of its systems and data. For example, if a vulnerability is discovered during the check phase, the IT department may patch the affected software or implement additional controls to mitigate the risk. If the implemented security measures are found to be effective, the IT department may incorporate them into wider security policies and procedures, or use them to guide future improvements to the ISMS. The PDCA cycle is repeated continuously to ensure ongoing improvement in the company's IT security posture.
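As an added illustration of the "Check" step above (example code written for this article, not part of ISO 27001, ISO 27002 or any product), the script below reviews an application access log against an approved-access list and reports two kinds of findings: successful access to a sensitive resource by a principal who is not on the approved list, and a success that follows repeated denials for the same principal and resource. The log format, the sample log entries, the resource names and the approved-access list are all constructed assumptions for the example; a real review would read the organization's own logs and its access-rights records.

```python
"""Access-log review for the PDCA 'Check' phase.

Flags successful access to sensitive resources by principals who are
not on the approved access list, and successes that follow repeated
denials. Log format, sample data and the approved list are constructed
for this example and are not from any real system.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log. One event per line:
#   <timestamp> <user> <resource> <action> <OK|DENIED>
SAMPLE_LOG = """\
2024-03-01T08:02:11Z alice /finance/payroll.csv READ OK
2024-03-01T08:05:43Z bob /finance/payroll.csv READ DENIED
2024-03-01T08:06:01Z bob /finance/payroll.csv READ DENIED
2024-03-01T08:06:20Z bob /finance/payroll.csv READ OK
2024-03-01T09:10:00Z carol /hr/contracts/ READ OK
2024-03-01T09:12:30Z svc-backup /finance/payroll.csv READ OK
2024-03-01T09:15:00Z dave /public/handbook.pdf READ OK
this line is corrupt and will not parse
"""

# Assumed approved-access list for sensitive resources, as it would come
# out of the access-rights review. Resources not listed here are treated
# as non-sensitive and are not checked.
APPROVED = {
    "/finance/payroll.csv": {"alice", "svc-backup"},
    "/hr/contracts/": {"hr-admin"},
}

# Minimum number of consecutive denials before a later success is flagged.
DENIAL_THRESHOLD = 2

UNAPPROVED = "success by unapproved principal"
AFTER_DENIALS = "success after repeated denials"

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (OK|DENIED)$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    resource: str
    reason: str


def parse_line(line):
    """Return a dict for a well-formed event, or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, resource, action, result = m.groups()
    return {"ts": ts, "user": user, "resource": resource,
            "action": action, "result": result}


def review_access_log(log_text, approved, threshold=DENIAL_THRESHOLD):
    """Review log_text against the approved-access map.

    Returns {"findings": [Finding, ...], "unparsed_lines": int}. Unparsable
    lines are counted rather than silently dropped, because a sudden rise
    in them is itself worth noticing during a review.
    """
    findings = []
    denied_streak = Counter()   # (user, resource) -> consecutive denials
    unparsed = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev is None:
            unparsed += 1
            continue
        key = (ev["user"], ev["resource"])
        if ev["result"] == "DENIED":
            denied_streak[key] += 1
            continue
        # A successful access: check it only if the resource is sensitive.
        approved_users = approved.get(ev["resource"])
        if approved_users is not None:
            if ev["user"] not in approved_users:
                findings.append(Finding(ev["ts"], ev["user"], ev["resource"], UNAPPROVED))
            if denied_streak[key] >= threshold:
                findings.append(Finding(ev["ts"], ev["user"], ev["resource"], AFTER_DENIALS))
        denied_streak.pop(key, None)   # a success resets the streak
    return {"findings": findings, "unparsed_lines": unparsed}


def summarize(findings):
    """Count findings by reason; suitable as a metric for the management review."""
    return Counter(f.reason for f in findings)


if __name__ == "__main__":
    result = review_access_log(SAMPLE_LOG, APPROVED)
    for f in result["findings"]:
        print(f"{f.timestamp} {f.user} {f.resource}: {f.reason}")
    print("summary:", dict(summarize(result["findings"])))
    print("unparsed lines:", result["unparsed_lines"])
```

On the constructed sample the review flags bob (not approved for payroll, and his success follows two denials) and carol (not approved for the HR directory), while svc-backup and dave produce no findings. The counts returned by summarize are the kind of evidence the "Check" phase feeds into the "Act" phase and into the management review described later in this article.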
Why ISO 27001 is Essential for Protecting Your Business: Advantages and Benefits of the Standard
Improved Information Security
The implementation of an ISMS based on the requirements of ISO 27001 will help organizations to identify and address potential security risks and vulnerabilities, leading to improved information security.
Regulatory Compliance
Compliance with ISO 27001 can help organizations meet various regulatory requirements and demonstrate their commitment to data security. Implementing the standard can also help organizations avoid costly regulatory fines for non-compliance.
Competitive Advantage
ISO 27001 certification showcases an organization's commitment to safeguarding sensitive information, providing a competitive edge with customers, partners, and stakeholders. It enhances customer confidence and demonstrates that robust security measures have been implemented and independently audited.
Cost Savings
Implementing ISO 27001 helps organizations identify and eliminate inefficiencies in their information security processes, resulting in cost savings. Additionally, it streamlines processes and provides top management with better visibility into what is going on in the organization.
Protect Your Reputation
ISO 27001 certification helps reduce the likelihood and impact of data breaches and enhances communication with stakeholders by reassuring them that the organization has taken measures to protect their information.
Reduce the Need for IT Questionnaires
ISO 27001 certification can reduce the number of bespoke IT security questionnaires an organization has to answer for customers and partners, as the independent audit process already verifies its security posture.
ISO 27001 vs. 27002 Standards: What's the Difference?
ISO 27001 and ISO 27002 are complementary standards within the ISO 27000 family. ISO 27001 provides the requirements for an Information Security Management System (ISMS) and lists the reference controls in its Annex A, while ISO 27002 provides implementation guidance for those same controls. The controls in ISO 27002 correspond one-to-one to the Annex A controls of ISO 27001, which is why ISO 27002 is often described as the companion or supporting document for ISO 27001.
While ISO 27001 is auditable for certification, ISO 27002 is not certifiable on its own.
Organizations can use ISO 27002 as a reference for implementing security controls and ensuring compliance with ISO 27001 requirements. Together, ISO 27001 and ISO 27002 provide a robust framework for managing and securing sensitive information.
ISO 27001 Clauses: Understanding the Framework for IT Security
ISO 27001:2022 is organized into clauses 0 to 10 plus Annex A. Clauses 0 to 3 are introductory (Introduction, Scope, Normative references, Terms and definitions); clauses 4 to 10 contain the mandatory requirements an ISMS must meet to be certified and are summarized below.
The term "clause" refers to a numbered section of a standard. In the case of ISO 27001, the clauses provide the foundation for the standard and guide organizations in establishing an effective ISMS. With the release of the 2022 version of the standard, there are some changes to the clauses (for example clause 6.3, Planning of changes, is new), but the fundamental framework remains the same.
Each clause represents a high-level area of focus for the ISMS.
The clauses themselves do not prescribe specific controls; the controls are listed in Annex A of ISO 27001, and ISO 27002:2022 describes in detail how to implement and maintain each of them.
ISO/IEC 27001:2022 Clause 4 Context of the Organization
- 4.1 – Understanding the organization and its context: Identify the internal and external issues that affect the organization's ability to achieve the intended outcomes of its ISMS.
- 4.2 – Understanding the needs and expectations of interested parties: Identify the interested parties relevant to the ISMS and their requirements, and decide which of those requirements will be addressed through the ISMS.
- 4.3 – Determining the scope of the information security management system: Define and document the boundaries and applicability of the ISMS, taking the issues and requirements from 4.1 and 4.2 into account.
- 4.4 – Information security management system: Establish, implement, maintain and continually improve the ISMS, including the processes needed and their interactions.
ISO/IEC 27001:2022 Clause 5 Leadership
- 5.1 – Leadership and commitment: Top management demonstrates commitment to and involvement in establishing, implementing, maintaining, and continually improving the ISMS.
- 5.2 – Information security policy: Establish an information security policy that provides a framework for setting objectives, assigning responsibilities, and defining requirements for the ISMS.
- 5.3 – Organizational roles, responsibilities and authorities: Define and communicate information security roles, responsibilities, and authorities within the organization.
ISO/IEC 27001:2022 Clause 6 Planning
- 6.1 – Actions to address risks and opportunities:
  - 6.1.1 – General: Determine the risks and opportunities that need to be addressed so that the ISMS achieves its intended outcomes, and plan actions to address them.
  - 6.1.2 – Information security risk assessment: Define and apply a risk assessment process with risk acceptance criteria, and systematically identify, analyse and evaluate information security risks.
  - 6.1.3 – Information security risk treatment: Select risk treatment options, determine the controls necessary to implement them, compare them with Annex A to check that no necessary control has been omitted, and produce a Statement of Applicability and a risk treatment plan.
- 6.2 – Information security objectives and planning to achieve them: Establish measurable information security objectives that are consistent with the policy, and plan what will be done, with what resources, by whom, and how results will be evaluated.
- 6.3 – Planning of changes: Ensure that changes to the ISMS are carried out in a planned manner.
ISO/IEC 27001:2022 Clause 7 Support
- 7.1 – Resources: Determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the ISMS.
- 7.2 – Competence: Determine the necessary competence of persons doing work under the organization's control that affects the performance and effectiveness of the ISMS, and ensure they are competent.
- 7.3 – Awareness: Ensure that persons doing work under the organization's control are aware of the information security policy, their contribution to the effectiveness of the ISMS, and the implications of not conforming to the ISMS requirements.
- 7.4 – Communication: Determine the internal and external communications relevant to the ISMS, including what to communicate, when, with whom, and how.
- 7.5 – Documented information:
  - 7.5.1 – General: Maintain the documented information required by the standard and the documented information the organization determines is necessary for the effectiveness of the ISMS.
  - 7.5.2 – Creating and updating: Ensure documented information has appropriate identification and description, format and media, and is reviewed and approved for suitability and adequacy.
  - 7.5.3 – Control of documented information: Control documented information required by the ISMS and by the standard so that it is adequately protected and is available where and when it is needed.
ISO/IEC 27001:2022 Clause 8 Operation
- 8.1 – Operational planning and control: Plan, implement and control the processes needed to meet the requirements and to implement the actions determined in clause 6, control planned changes, review the consequences of unintended changes, and ensure that externally provided processes, products or services relevant to the ISMS are controlled.
- 8.2 – Information security risk assessment: Perform information security risk assessments at planned intervals or when significant changes are proposed or occur, in accordance with the process defined in 6.1.2, and retain the results.
- 8.3 – Information security risk treatment: Implement the risk treatment plan in accordance with 6.1.3 and retain documented information on the results.
ISO/IEC 27001:2022 Clause 9 Performance evaluation
- 9.1 – Monitoring, measurement, analysis and evaluation: Determine what needs to be monitored and measured, the methods to use, when it is done and by whom, and evaluate the information security performance and the effectiveness of the ISMS.
- 9.2 – Internal audit:
  - 9.2.1 – General: Conduct internal audits at planned intervals to determine whether the ISMS conforms to the organization's own requirements and to the requirements of the standard, and is effectively implemented and maintained.
  - 9.2.2 – Internal audit programme: Plan, establish, implement and maintain an audit programme, select auditors who are objective and impartial, and report the audit results to relevant management.
- 9.3 – Management review:
  - 9.3.1 – General: Top management shall review the ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.
  - 9.3.2 – Management review inputs: The status of actions from previous reviews, changes in external and internal issues and in the needs and expectations of interested parties, feedback on information security performance (nonconformities and corrective actions, monitoring and measurement results, audit results, fulfilment of objectives), feedback from interested parties, the results of risk assessment and the status of the risk treatment plan, and opportunities for continual improvement.
  - 9.3.3 – Management review results: Decisions related to continual improvement opportunities and any needs for changes to the ISMS, retained as documented information.
ISO/IEC 27001:2022 Clause 10 Improvement
- 10.1 – Continual improvement: Continually improve the suitability, adequacy and effectiveness of the information security management system.
- 10.2 – Nonconformity and corrective action: React to nonconformities, evaluate the need for action to eliminate their causes so that they do not recur, implement the action, review its effectiveness, and retain documented information on the nonconformities and the results of corrective action. (In the 2022 edition the order of these two sub-clauses was swapped compared with the 2013 edition.)
ISO 27001 Security Controls: Understanding the Annex A Controls and Their Guidance in ISO 27002:2022
ISO 27002:2022 provides a comprehensive list of security controls that can be implemented by organizations to manage and mitigate information security risks.
In the 2022 edition the controls are grouped into four themes (organizational, people, physical and technological). This replaces the 14 domains of the 2013 edition, whose 114 controls were merged, updated and extended into the current set.
Each theme is made up of specific security controls, which serve as a crucial guidance resource for organizations seeking to implement an ISO 27001-compliant information security management system (ISMS).
The total number of security controls is 93.
Note that the clause numbers 5 to 8 used below are those of ISO 27002:2022, mirrored in Annex A of ISO 27001 as A.5 to A.8; they are unrelated to clauses 5 to 8 of ISO 27001 described in the previous section.
The 4 themes of ISO 27002 and the 93 associated security controls are:
Organizational Controls (Clause 5) - 37 Security Controls
- 5.1 - Policies for information security - Define and approve information security policies and review them regularly
- 5.2 - Information security roles and responsibilities - Allocate information security roles and responsibilities based on organizational needs
- 5.3 - Segregation of duties - Segregate conflicting duties and responsibilities
- 5.4 - Management responsibilities - Ensure that all personnel comply with information security policies and procedures
- 5.5 - Contact with authorities - Establish and maintain contact with relevant authorities
- 5.6 - Contact with special interest groups - Establish and maintain contact with special interest groups or security forums
- 5.7 - Threat intelligence - Collect and analyze information security threats to produce threat intelligence
- 5.8 - Information security in project management - Integrate information security into project management
- 5.9 - Inventory of information and other associated assets - Develop and maintain an inventory of information and other associated assets
- 5.10 - Acceptable use of information and other associated assets - Identify, document, and implement rules for acceptable use and handling of information and other associated assets
- 5.11 - Return of assets - Ensure that personnel return all organization's assets upon change or termination of employment or contract
- 5.12 - Classification of information - Classify information based on security needs of the organization.
- 5.13 - Labelling of information - Develop and implement procedures for information labelling according to the organization's classification scheme.
- 5.14 - Information transfer - Establish transfer rules, procedures, or agreements for all types of information transfer within and outside the organization.
- 5.15 - Access control - Establish and implement rules for physical and logical access to information and assets based on business and security requirements.
- 5.16 - Identity management - Manage the full lifecycle of identities.
- 5.17 - Authentication information - Control allocation and management of authentication information.
- 5.18 - Access rights - Provision, review, modify, and remove access rights to information and assets according to the organization's policy and rules for access control.
- 5.19 - Information security in supplier relationships - Define and implement processes and procedures to manage security risks associated with the use of supplier's products or services.
- 5.20 - Addressing information security within supplier agreements - Establish and agree on information security requirements with each supplier based on the type of relationship.
- 5.21 - Managing information security in the ICT supply chain - Define and implement processes and procedures to manage security risks associated with the ICT products and services supply chain.
- 5.22 - Monitoring, review and change management of supplier services - Regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.
- 5.23 - Information security for use of cloud services - Establish processes for acquisition, use, management, and exit from cloud services according to the organization's security requirements.
- 5.24 - Information security incident management planning and preparation - Plan and prepare for managing information security incidents by defining, establishing, and communicating incident management processes, roles, and responsibilities.
- 5.25 - Assessment and decision on information security events - The organization shall assess information security events and decide if they are to be categorized as information security incidents.
- 5.26 - Response to information security incidents - Information security incidents shall be responded to in accordance with the documented procedures.
- 5.27 - Learning from information security incidents - Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.
- 5.28 - Collection of evidence - The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.
- 5.29 - Information security during disruption - The organization shall plan how to maintain information security at an appropriate level during disruption.
- 5.30 - ICT readiness for business continuity - ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
- 5.31 - Legal, statutory, regulatory and contractual requirements - Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date.
- 5.32 - Intellectual property rights - The organization shall implement appropriate procedures to protect intellectual property rights.
- 5.33 - Protection of records - Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.
- 5.34 - Privacy and protection of personal identifiable information (PII) - The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.
- 5.35 - Independent review of information security - The organization’s approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur.
- 5.36 - Compliance with policies, rules and standards for information security - Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed.
- 5.37 - Documented operating procedures - Operating procedures for information processing facilities shall be documented and made available to personnel who need them.
People controls (Clause 6) - 8 Security Controls
- 6.1 Screening - Carry out background verification checks on personnel prior to joining the organization and on an ongoing basis.
- 6.2 Terms and conditions of employment - Employment contracts must state personnel and organization responsibilities for information security.
- 6.3 Information security awareness, education and training - Ensure personnel and relevant parties receive appropriate awareness, education, and training.
- 6.4 Disciplinary process - Implement formal disciplinary process for personnel and parties who violate information security policies.
- 6.5 Responsibilities after termination or change of employment - Define and enforce information security responsibilities after termination or change of employment.
- 6.6 Confidentiality or non-disclosure agreements - Identify, document, and review confidentiality or non-disclosure agreements for personnel and relevant parties.
- 6.7 Remote working - Implement security measures for personnel working remotely.
- 6.8 Information security event reporting - Provide a mechanism for timely reporting of information security events by personnel.
Physical controls (Clause 7) - 14 Security Controls
- 7.1 Physical security perimeters - Define and use security perimeters to protect areas with sensitive information and associated assets.
- 7.2 Physical entry control - Protect secure areas using appropriate entry controls and access points.
- 7.3 Securing offices, rooms and facilities - Implement physical security measures to protect offices, rooms and facilities.
- 7.4 Physical security monitoring - Continuously monitor premises to prevent unauthorized physical access.
- 7.5 Protecting against physical and environmental threats - Implement protections against physical and environmental threats, both intentional and unintentional.
- 7.6 Working in secure areas - Implement security measures for working in secure areas.
- 7.7 Clear desk and clear screen - Define and enforce clear desk and clear screen rules to protect against unauthorized access to information.
- 7.8 Equipment siting and protection - Site equipment securely and provide protection to prevent damage or unauthorized access.
- 7.9 Security of assets off-premises - Protect off-site assets using appropriate security measures.
- 7.10 Storage media - Manage storage media through their entire life cycle in accordance with the organization's classification scheme and handling requirements.
- 7.11 Supporting utilities - Protect information processing facilities from disruptions caused by failures in supporting utilities.
- 7.12 Cabling security - Protect cables carrying power, data or supporting information services from interception, interference or damage.
- 7.13 Equipment maintenance - Correctly maintain equipment to ensure availability, integrity and confidentiality of information.
- 7.14 Secure disposal or re-use of equipment - Verify removal or secure overwriting of sensitive data and licensed software prior to disposal or re-use of equipment containing storage media.
Technological controls (Clause 8) - 34 Security Controls
- 8.1 User end point devices - Protect information on user end point devices.
- 8.2 Privileged access rights - Restrict and manage privileged access rights.
- 8.3 Information access restriction - Restrict access to information and associated assets according to policy.
- 8.4 Access to source code - Manage read and write access to source code, development tools, and software libraries.
- 8.5 Secure authentication - Implement secure authentication technologies and procedures based on policy.
- 8.6 Capacity management - Monitor and adjust resource use based on capacity requirements.
- 8.7 Protection against malware - Implement protection against malware and support user awareness.
- 8.8 Management of technical vulnerabilities - Obtain information on technical vulnerabilities, evaluate the organization's exposure, and take appropriate measures.
- 8.9 Configuration management - Establish, document, implement, monitor, and review configurations of hardware, software, services, and networks.
- 8.10 Information deletion - Delete information stored in systems or other storage media when no longer required.
- 8.11 Data masking - Use data masking according to policy and business requirements, and applicable legislation.
- 8.12 Data leakage prevention - Apply data leakage prevention measures to systems, networks, and devices that process, store, or transmit sensitive information.
- 8.13 Information backup - Maintain and regularly test backup copies of information, software, and systems according to policy.
- 8.14 Redundancy of information processing facilities - Implement information processing facilities with sufficient redundancy to meet availability requirements.
- 8.15 Logging - Produce, store, protect, and analyze logs that record activities, exceptions, faults, and other relevant events.
- 8.16 Monitoring activities - Monitor networks, systems, and applications for anomalous behavior and take appropriate actions to evaluate potential information security incidents.
- 8.17 Clock synchronization - Synchronize the clocks of information processing systems used by the organization to approved time sources.
- 8.18 Use of privileged utility programs - The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled.
- 8.19 Installation of software on operational systems - Procedures and measures shall be implemented to securely manage software installation on operational systems.
- 8.20 Networks security - Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.
- 8.21 Security of network services - Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.
- 8.22 Segregation of networks - Groups of information services, users and information systems shall be segregated in the organization’s networks.
- 8.23 Web filtering - Access to external websites shall be managed to reduce exposure to malicious content.
- 8.24 Use of cryptography - Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.
- 8.25 Secure development life cycle - Rules for the secure development of software and systems shall be established and applied.
- 8.26 Application security requirements - Information security requirements shall be identified, specified and approved when developing or acquiring applications.
- 8.27 Secure system architecture and engineering principles - Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.
- 8.28 Secure coding - Secure coding principles shall be applied to software development.
- 8.29 Security testing in development and acceptance - Security testing processes shall be defined and implemented in the development life cycle.
- 8.30 Outsourced development - The organization shall direct, monitor and review the activities related to outsourced system development.
- 8.31 Separation of development, test and production environments - Development, testing and production environments shall be separated and secured.
- 8.32 Change management - Changes to information processing facilities and information systems shall be subject to change management procedures.
- 8.33 Test information - Test information shall be appropriately selected, protected and managed.
- 8.34 Protection of information systems during audit testing - Audit tests and other assurance activities involving assessment of operational systems shall be planned and conducted in a manner that minimizes the risk to information systems and associated data.
In the 2022 version of the standard, each security control is tagged with values from 5 attributes. The attributes make it possible to filter and group the controls from different viewpoints (for example, all detective controls, or all controls that support the Respond function) and to map them to other frameworks.
These attributes are:
Control type:
This attribute describes when and how a control modifies the risk with regard to the occurrence of an information security incident. Attribute values consist of:
- #Preventive
- #Detective
- #Corrective
Information security properties:
This attribute describes which characteristic of information the control will contribute to preserving. Attribute values consist of:
- #Confidentiality
- #Integrity
- #Availability
Cybersecurity concepts:
This attribute describes the association of controls to cybersecurity concepts defined in the cybersecurity framework described in ISO/IEC TS 27110. Attribute values consist of:
- #Identify
- #Protect
- #Detect
- #Respond
- #Recover
Operational capabilities:
This attribute describes controls from the practitioner's perspective of information security capabilities. Attribute values consist of:
- #Governance
- #Asset_management
- #Information_protection
- #Human_resource_security
- #Physical_security
- #System_and_network_security
- #Application_security
- #Secure_configuration
- #Identity_and_access_management
- #Threat_and_vulnerability_management
- #Continuity
- #Supplier_relationships_security
- #Legal_and_compliance
- #Information_security_event_management
- #Information_security_assurance
Security domains:
This attribute describes controls from the perspective of four information security domains:
- #Governance_and_Ecosystem
- #Protection
- #Defence
- #Resilience
By using the guidance provided, organizations can utilize the appropriate security controls to mitigate identified risks and ensure the confidentiality, integrity, and availability of their information assets.
It's important to note that ISO 27002 is not intended to be a prescriptive or exhaustive list of security controls. Rather, it is meant to serve as a starting point for organizations to develop and customize their own set of security controls based on their unique risk landscape, business objectives, and regulatory requirements.
Overall, understanding the controls listed in Annex A of ISO 27001:2022, and the implementation guidance for them in ISO 27002:2022, is crucial for organizations seeking to establish and maintain an effective information security management system.