ISO/IEC 27001 is a set of requirements that addresses security controls for information technology and data security in an enterprise. It’s part of a framework of standards — the ISO/IEC 27000 series — published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The ISO 27001 standard functions as a framework for an organization’s information security management system (ISMS), which includes all the processes and policies that govern how an organization uses and controls data. ISO 27001 helps ensure organizations meet their compliance requirements; however, it does not mandate specific tools or practices.
In this blog, we look at how the ISO 27001 certification works and helps organizations strengthen their security posture.
How Does ISO 27001 Work?
ISO 27001 aims to assess and mitigate an organization’s risks around data by identifying gaps and organizing and strengthening security controls to better protect the integrity, privacy, and availability of a company’s data. It’s a top-down approach that requires an organization have proactive rather than reactive security efforts. Organizations can purchase a guide to implementing ISO 27001 directly from ISO and conduct their own audit or employ a third-party auditor.
The ISO 27001 standard has two parts. The first has 11 clauses, numbered 0 to 10. The first four clauses — Introduction, Scope, Normative References, Terms, and Definitions — introduce the ISO 27001 standard. Clauses 4 to 10 outline the ISO 27001 requirements an organization must meet if it wants to be compliant.
The second part, titled Annex A, includes a set of non-mandatory controls that support the clauses and requirements in the first section as part of the risk management process. Currently, there are 114 controls in 14 groups and 35 control categories:
- A.5: Information security policies (2 controls)
- A.6: Organization of information security (7 controls)
- A.7: Human resource security applied before, during, or after employment (6 controls)
- A.8: Asset management (10 controls)
- A.9: Access control (14 controls)
- A.10: Cryptography (2 controls)
- A.11: Physical and environmental security (15 controls)
- A.12: Operations security (14 controls)
- A.13: Communications security (7 controls)
- A.14: System acquisition, development, and maintenance (13 controls)
- A.15: Supplier relationships (5 controls)
- A.16: Information security incident management (7 controls)
- A.17: Information security aspects of business continuity management (4 controls)
- A.18: Compliance; with internal requirements, such as policies, and with external requirements, such as laws (8 controls)
What Are the Requirements for ISO 27001?
The core requirements to achieve compliance are in seven clauses and their sub-clauses. Here is a summary of what’s covered:
Clause 4: Context of the organization
To successfully implement an ISMS, it’s necessary to understand the organization’s context. The company must identify and consider all the internal and external issues relevant to the organization’s security objectives. These include internal capabilities, regulatory issues, and economic factors.
Clause 5: Leadership
An effective ISMS requires a commitment from top management. Leaders have many obligations in this regard, including establishing strategic objectives for the organization, providing the necessary resources for the ISMS, and supporting other management roles to ensure all required roles are available for effective implementation of the ISMS.
Clause 6: Planning
The organization must plan actions to address the risks and opportunities identified under Clause 4. Essentially, this means documenting a risk identification, assessment, and treatment process that considers controls outlined in Annex A.
Clause 7: Support
The organization must demonstrate it provides adequate resources for establishing, implementing, maintaining, and continually improving the ISMS. This includes showing clearly defined and owned roles, responsibilities, and authorities.
Clause 8: Operation
The organization must demonstrate its internal and outsourced ISMS processes are planned, implemented, and controlled. It must also implement the information security risk treatment plan identified in Clause 6 and keep documented information on the results of that risk treatment.
Clause 9: Performance evaluation
The standard requires the organization’s ISMS be monitored, measured, analyzed, and evaluated. This includes departmental self-checks as well as internal audits. Additionally, top management must review the ISMS at regular intervals.
Clause 10: Improvement
The organization must show it is taking corrective action to address nonconformities and eliminating their causes when applicable. It must also show evidence of continually working on improving the ISMS by implementing a process that meets Clause 9 evaluation criteria.
How Do You Implement ISO 27001 Controls?
The ISO 27001 standard doesn’t prescribe what specific controls your organization should use or how to implement them. The controls are flexible enough for organizations to implement in accordance with their particular ISMS context and risk rather than a one-size-fits-all solution. However, there are some general guidelines:
Technical controls
These controls typically are implemented in information systems by adding backup, antivirus, and other software, hardware, and firmware components.
Organizational controls
These are implemented by defining rules and behavioral policies for users, equipment, software, and systems. Examples include bring your own device (BYOD) and Access Control policies.
Legal controls
These controls are implemented by ensuring rules and behavioral policies behaviors like those aforementioned comply with and enforce any laws, regulations, contracts, and other legal instruments to which the organization is subject. Non-disclosure agreements and service level agreements are examples of legal controls.
Physical controls
These controls are implemented with devices that physically interact with people and objects, such as alarm systems, locks, and security cameras.
Human resource controls
These controls are implemented by ensuring people have the necessary knowledge, training, or experience to do their job activities securely. Security awareness training and ISO 27001 internal auditor training are examples.
How do I become ISO 27001 compliant?
ISO 27001 specifies a minimum set of documents and records necessary to become compliant. Required documents include:
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Definition of security roles and responsibilities (controls A.7.1.2 and A.13.2.4)
- Inventory of assets (control A.8.1.1)
- Acceptable use of assets (control A.8.1.3)
- Access control policy (control A.9.1.1)
- Operating procedures for IT management (control A.12.1.1)
- Secure system engineering principles (control A.14.2.5)
- Supplier security policy (control A.15.1.1)
- Incident management procedure (control A.16.1.5)
- Business continuity procedures (control A.17.1.2)
- Statutory, regulatory, and contractual requirements (control A.18.1.1)
Mandatory records include:
- Records of training, skills, experience, and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal Audit Program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
- Logs of user activities, exceptions, and security events (controls A.12.4.1 and A.12.4.3)
While these are the minimum required security documents, an organization can write additional documentation if deemed necessary for their particular situation.
How Do I Get ISO 27001 Certified?
Both organizations and individuals can become ISO 27001 certified. For an organization to receive certification, it must have an accredited certification body perform a two-stage audit. If the organization is found to be fully compliant with the ISO 27001 standard, it will be certified. Certification can take between three and 12 months depending on the size of your organization and the scope of your ISMS. After three years, you will need to recertify.
An individual receives ISO 27001 certification by completing ISO 27001 training and passing the exam. Importantly, individual certification shows the person acquired the appropriate skills during the course.
What Are the Benefits of ISO 27001 Certification?
ISO 27001 certification is globally recognized and offers many benefits, including:
Greater trust of business partners and customers
ISO 27001 certification demonstrates to your business partners and customers that your commitment to meeting the highest standards of information security. This fosters trust and greater retention. It also shows new customers and clients you have a solid information security management process in place and can be trusted with their data.
Better information strategies and practices
Effective cybersecurity is the foundation of the ISO 27001 standard. It requires information security experts audit your organization’s security practices and provide you with actionable information to help you improve or replace them, where necessary, to better prevent data breaches. Completing the certification process nets information security improvements that will protect your company well into the future.
Implements best practices
The certification process requires you to demonstrate compliance with a range of information security best practices such as ensuring IT systems are up to date, maintaining data backups, and logging events, as well as instituting policies for employees to perform their activities more securely. This ultimately makes the organization more secure and resilient from cyberattacks.
Promotes compliance with internal & external requirements
ISO 27001 specifically addresses compliance with internal policies, contractual requirements, and laws in Annex A.18. By ensuring the organization meets its various compliance obligations, certification helps it avoid costly violations.
A more complete understanding of your security posture
Implementing ISO 27001 will require your organization to dive deep into its information storage, test its security processes and policies, review its compliance obligations, and more to identify security gaps and potential risks. This process will clarify your company’s current security posture and uncover opportunities for improvement, as well as drive the creation of action items to help the organization achieve ISO compliance.
Future proofs your business
In today’s aggressive threat landscape, information security is an essential driver of business success. ISO 27001 certification positions your organization to survive and thrive amidst constantly evolving security threats. Additionally, the compliance process puts in place the practices, policies, and strategies to effectively prevent or minimize the losses from cyberattacks, and results in a resilient ISMS that will be able to serve customers for years to come.
What Are the ISO 27000 Standards?
ISO 27001 is the primary standard in the ISO 27000 series because it defines the requirements for a modern ISMS. But because it doesn’t prescribe how to meet those requirements, ISO has created other information security standards to provide more guidance. Notably, there are currently more than 40 standards in the ISO 27000 series. The more commonly used standards are:
- ISO/IEC 27000 — details terms and definitions used in the ISO 2700 family of standards
- ISO/IEC 27002 — provides guidelines for the implementation of controls listed in ISO 27001 Annex A
- ISO/IEC 27004 — provides measurement guidelines for information security
- ISO/IEC 27005 — provides information security risk management guidelines
- ISO/IEC 27017 — provides guidelines for information security in cloud environments
- ISO/IEC 27018 — provides guidelines for privacy protection in cloud environments
- ISO/IEC 27031 — provides guidelines developing business continuity for Information and Communication Technologies
What Is the Difference Between ISO 27001 and 27002?
ISO 27001 defines the requirements for an information security management system (ISMS) but doesn’t tell you what controls to implement from ISO 27001 Annex A. ISO 27002 fills in the gaps by providing detailed guidance on how to implement these controls to meet ISO 27001 requirements.
Differentiate Your Business with ISO 27001 Certification
Vetting your current cybersecurity practices and strategies through the ISO 27001 compliance process is one of the best actions you can take to improve your security posture. But many organizations don’t have the resources or expertise to complete the standard’s rigorous requirements.
Fortra’s Alert Logic helps you achieve your ISO 27001 goals with our managed detection and response (MDR) and web application firewall (WAF) solutions that provides asset discovery, vulnerability assessment, threat detection, and web application security. Our solutions can help you meet the ISO 27001 requirements and u reduce your risks, respond more quickly and effectively to attacks, and show your partners and customers your commitment to the highest information security standards.