An introduction to ISO 27001
Maybe you have been told by a supplier or customer that you need to hold an ISO 27001 certificate to be able to work with them. Or perhaps you want to use ISO 27001 as a business differentiator. Whatever your reasoning, here we will take you through what the standard is, as well as the benefits and what might be involved for you and your organisation.
The contents of ISO 27001
Section 4 – Context of the organization
- 4.1 Understanding the organization and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
Section 5 – Leadership
- 5.1 Leadership and commitment
- 5.2 Policy
- 5.3 Organizational roles, responsibilities and authorities
Section 6 – Planning
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
Section 7 – Support
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
Section 8 – Operation
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
Section 9 – Performance evaluation
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
Section 10 – Improvement
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement
Annex A (normative) Reference control objectives and controls
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
What is the ISO/IEC 27001 standard?
Let’s start off with the ISO/IEC in the name. ISO is the International Organization for Standardization (the short name is not an acronym; it was chosen so that the same name works in every language). Because every certified organisation is assessed against the same published requirements, an ISO 27001 certificate means the same thing whoever holds it. Note that organisations are certified, not accredited: accreditation is what a national body grants to the certification bodies that perform the audits.
IEC stands for the International Electrotechnical Commission, a not-for-profit organisation that works independently of any government.
Together ISO and the IEC form a joint technical committee (ISO/IEC JTC 1) that develops and maintains standards for IT and Information and Communications Technology (ICT).
When you achieve ISO 27001:2013 certification you are demonstrating that your Information Security Management System (ISMS) meets the standard’s requirements for establishing, implementing, maintaining and continually improving an ISMS. The Annex A control list above follows the 2013 edition; the 2022 revision of the standard regrouped Annex A into four themes (organisational, people, physical and technological) with 93 controls, so check which edition your certification body is auditing against. You can read more about what an ISMS does on our New to Information Security page.
ISO 27001 is the requirements standard (the accompanying code of practice is ISO 27002) and it takes a risk-based approach to planning an ISMS. That process includes the following steps: defining your security policy, assessing and treating the risks you identify, and choosing the controls to implement and recording them in a Statement of Applicability.
Let’s take a look at each of those in a little more detail.
Define your organisation’s security policy
In a nutshell, this means that you need to write an information security policy. Clause 5.2 of ISO 27001 does not give a great deal of guidance on what should be contained within your policy, but it does state what the policy must achieve: it must be appropriate to the organisation, include or provide a framework for setting information security objectives, commit to satisfying applicable requirements and to continual improvement, and be communicated and available to interested parties. The scope of the ISMS itself is defined separately under clause 4.3, and the policy should be consistent with it.
Firstly, the information security policy must be adapted to your organisation. Using somebody else’s policy, or one that you have purchased, is no good without first ensuring that it applies directly to your organisation. If it doesn’t, then you must adapt it before adopting it, and then actually follow what it says; auditors will test whether practice matches the written policy.
One of the main requirements for retaining ISO 27001 certification after achieving it is to continually improve your ISMS. This means that your information security policy should also be reviewed at planned intervals to ensure you are meeting the stated objectives.
Need a set of policies for your ISMS?
We have relevant policies and controls for your organisation to easily adapt, adopt and add to, giving you a 77% head start with ISO 27001.
Conduct your risk assessment and manage the risks that have been identified
A risk assessment is an exercise which helps you to identify any potential or current risks to the information within the scope of your ISMS. Although it is largely a desk-based exercise rather than a technical test, it should be grounded in what actually exists: the ISMS risk assessment is led by internal stakeholders, staff and anyone involved with the ISMS, drawing on the asset inventory, known threats and existing weaknesses.
Identifying where any possible harm could come to your organisation in relation to information security is the first step. Then each risk should be evaluated in terms of its impact on the organisation and the likelihood of it occurring. This requires a documented methodology, including defined risk acceptance criteria, to ensure all risks are evaluated using the same criteria and that repeated assessments produce consistent, comparable results. Once evaluated under the process defined in clause 6.1 of ISO 27001, you must then determine the controls needed to treat each risk. Controls may come from anywhere, but clause 6.1.3 requires you to compare the controls you have chosen against those in Annex A to verify that no necessary control has been overlooked. Treating the risk is next. This is where you mitigate the risk by applying controls, share it (for example through insurance or contractual terms), avoid it by stopping the activity, or simply accept it if it falls within your acceptance criteria, with the risk owner’s approval recorded.
Recording evidence and clear audit trails of risk treatment will be something your auditors will look for.
Choose control objectives, controls that are to be implemented and preparing your Statement of Applicability
The Statement of Applicability (SoA) documents the controls and objectives that you choose to implement based on your risk assessment. Clause 6.1.3 d) requires it to list every Annex A control, state whether it is applicable, justify each inclusion and each exclusion, and record whether the control is implemented. It will be something your auditor refers to extensively when they conduct the stage 2 and surveillance audits, so each applicable control should be traceable back to the risks it treats.
Whilst the SoA doesn’t need to go into great detail, it can become a laborious spreadsheet task without the help of a software tool that produces it dynamically from the risk register.
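The two steps above (a risk assessment run under one documented methodology, and an SoA derived from it) are easier to see in code than in prose. The following is an added example written for this article, not a tool from any ISO 27001 toolkit or from this site: a small risk register that scores every risk on the same likelihood and impact scale, rejects entries that break the methodology (an accepted risk above the acceptance threshold, a mitigated risk with no control), and then generates an SoA in which every control in the catalogue appears with a justification for its inclusion or exclusion. The risks, the 1-5 scales, the acceptance threshold and the five-control catalogue are constructed sample data; the control numbers and titles follow the ISO/IEC 27001:2013 Annex A.

```python
"""Risk register to Statement of Applicability, as an added illustrative example.

The scoring scale, acceptance threshold, sample risks and control catalogue
below are assumptions constructed for this example, not data from any real ISMS.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Documented methodology: one 1-5 scale for likelihood and one for impact,
# applied identically to every risk, with score = likelihood * impact.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 6          # assumed acceptance criterion: <= 6 may be accepted as-is
TREATMENTS = {"mitigate", "share", "avoid", "accept"}

# Constructed subset of the Annex A (2013) control catalogue.
CATALOGUE: Dict[str, str] = {
    "A.9.4.2": "Secure log-on procedures",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.11.2.7": "Secure disposal or re-use of equipment",
    "A.12.3.1": "Information backup",
    "A.12.4.1": "Event logging",
    "A.15.1.1": "Information security policy for supplier relationships",
}


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: str
    impact: str
    treatment: str
    controls: List[str] = field(default_factory=list)  # Annex A ids that treat this risk

    def score(self) -> int:
        # Same formula for every risk, so results are comparable across assessments.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def validate(risk: Risk) -> None:
    """Reject register entries that break the documented methodology."""
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"{risk.rid}: unknown treatment {risk.treatment!r}")
    if risk.treatment == "accept" and risk.score() > ACCEPTANCE_THRESHOLD:
        raise ValueError(f"{risk.rid}: score {risk.score()} exceeds acceptance threshold")
    if risk.treatment == "mitigate" and not risk.controls:
        raise ValueError(f"{risk.rid}: mitigation requires at least one control")


def build_soa(risks: List[Risk], catalogue: Dict[str, str]) -> Dict[str, dict]:
    """Derive the SoA: every catalogue control listed, each with a justification."""
    for r in risks:
        validate(r)
    linked: Dict[str, List[str]] = {cid: [] for cid in catalogue}
    for r in risks:
        for cid in r.controls:
            if cid not in catalogue:
                raise KeyError(f"{r.rid} references unknown control {cid}")
            linked[cid].append(r.rid)
    soa = {}
    for cid, name in catalogue.items():
        rids = linked[cid]
        soa[cid] = {
            "control": name,
            "applicable": bool(rids),
            "justification": (f"treats {', '.join(rids)}" if rids
                              else "no identified risk requires this control"),
        }
    return soa


# Constructed sample register (not a real organisation's risks).
SAMPLE_RISKS: List[Risk] = [
    Risk("R1", "Ransomware encrypts the file server", "likely", "major",
         "mitigate", ["A.12.3.1", "A.12.4.1"]),
    Risk("R2", "Laptop with unencrypted disk is lost", "possible", "major",
         "mitigate", ["A.10.1.1"]),
    Risk("R3", "Credential stuffing against the customer portal", "likely", "moderate",
         "mitigate", ["A.9.4.2"]),
    Risk("R4", "Cleaning contractor in the office out of hours", "unlikely", "minor",
         "accept"),
    Risk("R5", "Outsourced payroll processor suffers an outage", "possible", "moderate",
         "share", ["A.15.1.1"]),
]

if __name__ == "__main__":
    for r in sorted(SAMPLE_RISKS, key=Risk.score, reverse=True):
        print(f"{r.rid} score={r.score():2d} treatment={r.treatment:8s} {r.description}")
    for cid, row in build_soa(SAMPLE_RISKS, CATALOGUE).items():
        print(f"{cid:9s} {'yes' if row['applicable'] else 'no ':3s} {row['justification']}")
```

The point of the `validate` step is the auditor’s question from the text: can you show that every risk was scored the same way and that each accepted risk really sat within your acceptance criteria? In the sample data A.11.2.7 ends up "not applicable" because no risk in the register references it; in a real register that is exactly the kind of exclusion an auditor will ask you to defend, so the justification string is the thing to get right, not just the yes/no column.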
What are the benefits of achieving ISO 27001:2013?
We mentioned above the scenarios in which you might be looking to achieve ISO 27001. Quite often the push to certify comes from a customer or supplier rather than from the organisation itself. Why? Because it can be seen as a complex project that takes time and costs money. And if you’re looking for a quick fix for achieving the standard, you’ll be out of luck: the certificate is evidence of a working management system, not of a completed checklist.
Because this is an internationally recognised standard, it opens doors to the people and organisations you want to work with.
You’ll win new and retain existing business
Because this is an internationally recognised standard, it reassures the people you want to work with that you (as a holder of ISO 27001) will look after their valuable assets and information.
Like many things in business, trust is important. Demonstrating that you have been independently audited against a published standard solidifies that trust in a way that self-assessment cannot.
You’ll give your reputation a boost
It doesn’t get much worse for an organisation than when the news hits that its systems have been hacked and customer data has been exposed and exploited. If you are actively managing your information security management system, you will be in a better position to identify breach risks before they materialise, and to show afterwards that you had assessed and treated them.