What are the requirements of ISO 27001:2013?
The core requirements of the standard are addressed in Clauses 4.1 through to 10.2. A summary is below and you can click through each of the clauses for much further detail.
Clause 4.1 of the ISO 27001 requirements is about understanding the organisation and its context. We always recommend this is where an organisation starts with its ISO 27001 implementation.
Clause 4.2 of the requirements for ISO 27001 is about ‘Understanding the needs and expectations of your organisation’s interested parties’.
Clause 4.3 of the ISO 27001 standard involves setting the scope of your Information Security Management System. This is a crucial part of the ISMS as it will tell stakeholders, including senior management, customers, auditors and staff, what areas of your business are covered by your ISMS. You should be able to quickly and simply describe or show your scope to an auditor.
This clause of ISO 27001 is a simple stated requirement and easily addressed if you are doing everything else right! It deals with how the organisation implements, maintains and continually improves the information security management system.
This leadership focused clause of ISO 27001 emphasises the importance of information security being supported, both visibly and materially, by senior management.
This clause identifies specific aspects of the management system where top management are expected to demonstrate both leadership and commitment.
Clause 5.2 of the ISO 27001 standard requires that top management establish an information security policy. This requirement for documenting a policy is pretty straightforward. However it is what is inside the policy and how it relates to the broader ISMS that will give interested parties the confidence they need to trust what sits behind the policy.
This clause is all about top management ensuring that the roles, responsibilities and authorities are clear for the information security management system. This does not mean that the organisation needs to go and appoint several new staff or over engineer the resources involved – it’s an often misunderstood expectation that puts smaller organisations off from achieving the standard.
Clause 6 of the ISO 27001 requirements is about planning, and specifically the planning of actions to address risks and opportunities. Risk management is pretty straight forward however it means different things to different people, and it means something specific to ISO 27001 auditors so it is important to meet their requirements.
You probably know why you want to implement your ISMS and have some top line organisation goals around what success looks like. The business case builder materials are a useful aid to that for the more strategic outcomes from your management system. Clause 6.2 starts to make this more measurable and relevant to the activities around information security in particular for protecting confidentiality, integrity and availability (CIA) of the information assets in scope.
A requirement of ISO 27001 is to provide an adequate level of resource into the establishment, implementation, maintenance and continual improvement of the information security management system. As described before with the leadership resources in Clause 5.3, ISO 27001 does not actually mandate that the ISMS has to be staffed by full time resources, just that the roles, responsibilities and authorities are clearly defined and owned – assuming that the right level of resource will be applied as required. It is the same with clause 7.1, which acts as the summary point of ‘resources’ commitment.
ISO/IEC 27001 clause 7.2 basically says that the organisation will ensure that it has:
- determined the competence of the people doing the work on the ISMS that could affect its performance
- people that are deemed competent on the basis of the relevant education, training or experience
- where required, taken action to acquire the necessary competence and evaluated the effectiveness of the actions
- retained evidence of the above for audit purposes
Clause 7.3 of ISO 27001 is a simple one to dovetail in with clause 7.2 around competence and 7.4 around broader communication about the information security management system to all the relevant interested parties.
ISO 27001 is seeking confirmation that the persons doing the work are aware of:
- the information security policy
- their contribution to the effectiveness of the ISMS including benefits from its improved performance
- what happens when the information security management system does not conform to its requirements
ISO 27001 clause 7.4 has five short bullet points about communication but their importance to the ISMS outcomes is arguably more significant than any other requirement of the information security management system. After all it is no good having a world class best practise information security management system that is only understood by the information security expert in the organisation!
ISO 27001 is looking for the following things in this clause:
- what to communicate about the ISMS
- when that will be communicated
- who will be part to that communication
- who does the communication
- how that all happens i.e. what systems and processes will be used to demonstrate it happens and is effective
Anyone familiar with operating to a recognised international ISO standard will know the importance of documentation for the management system. One of the main requirements for ISO 27001 is therefore to describe your information security management system and then to demonstrate how its intended outcomes are achieved for the organisation. It is incredibly important that everything related to the ISMS is documented and well maintained, easy to find, if the organisation wants to achieve an independent ISO 27001 certification form a body like UKAS. ISO certified auditors take great confidence from good housekeeping and maintenance of a well structured information security management system.
This clause is very easy to demonstrate evidence against if the organisation has already ‘showed its workings’. In developing the information security management system to comply with requirements 6.1, 6.2 and in particular 7.5 where the whole ISMS is well structured and documented, this also achieves 8.1 at the same time.
It is about planning, implementation and control to ensure the outcomes of the information security management system are achieved.
This is another one of the ISO 27001 clauses that gets automatically completed where the organisation has already evidences its information security management work in line with requirements 6.1, 6.2 and in particular where the whole ISMS is clearly documented. The organisation must perform information security risk assessments at planned intervals and when changes require it – both of which need to be clearly documented.
Under clause 8.3, the requirement is for the organisation to implement the information security risk treatment plan and retain documented information on the results of that risk treatment. This requirement is therefore concerned with ensuring that the risk treatment process described in clause 6.1, are actually taking place. This should include evidence and clear audit trials of reviews and actions, showing the movements of the risk over time as results of investments emerge (not least also giving the organisation as well as the auditor confidence that the risk treatments are achieving their goals).
ISO 27001 clause 9.1 requires organisations to evaluate how the ISMS is performing and look at the effectiveness of the information security management system. If the organisation is seeking certification for ISO 27001 the independent auditor working in a certification body associated to UKAS (or a similar accredited body internationally for ISO certification) will be looking closely at the following areas:
- What it has decided to monitor and measure, not just the objectives but the processes and controls as well
- How it will ensure valid results in the measuring, monitoring, analysis and evaluation
- When that measurement, monitoring, evaluation and analysis takes place and who does it
- How the results get used
Like everything else with ISO/IEC standards including ISO 27001 the documented information is all important – so describing it and then demonstrating that it is happening, is the key to success!
Clause 9.2 of ISO 27001 says that the organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system:
- Conforms to the organisation’s own requirements for its information security management system; and meets the requirements of the ISO 27001 international standard;
- Whether the ISMS is effectively implemented and maintained
It is the responsibility of senior management to conduct the management review for ISO 27001. These reviews should be pre-planned and often enough to ensure that the information security management system continues to be effective and achieves the aims of the business. ISO itself says the reviews should take place at planned intervals, which generally means at least once per annum and within an external audit surveillance period. However with the pace of change in information security threats, and a lot to cover in management reviews, our recommendation is to do them far more frequently, as described below and ensure the ISMS is operating well in practise, not just ticking a box for ISO compliance.
Clause 10.1 is part of the improvement requirement within ISO 27001. It concerns the actions an organisation takes to address information security orientated nonconformities. The corrective action that follows form a nonconformity is also a key part of the ISMS improvement process that needs to be evidenced along with any other consequences caused by the nonconformity.
A large part of running an information security management system is to see it as a living and breathing system. Organisations that take improvement seriously will be assessing, testing, reviewing and measuring the performance of the ISMS as part of the broader led strategy, going beyond a ‘tick box’ regime. There are several mechanisms already covered within ISO 27001 for the continual evaluation and improvement of the ISMS.