ISO 27001 is the international standard for an Information Security Management System, but what is the meaning behind the number?
This post will give you a brief overview of ISO 27001 Requirements, and some advice on the easiest way to implement ISO 27001.
What does ISO 27001 Mean?
In this blog we will take a slightly deeper look at some of the requirements.
ISO 27001 Management Framework
The first thing you will notice when you purchase a copy of ISO 27001 is the clause structure. There are 10 main clauses, followed by Annex A, which contains a list of controls.
The 10 main clauses follow ISO’s High-Level Common Clause Structure, known as Annex SL. This means that if you have knowledge of other ISO standards, or add them afterwards, it is easy to integrate the standards together.
However, if this is your first ISO standard, let’s start at the beginning. The first 10 clauses set out a management framework focused on continual improvement.
In previous ISO standards this was aligned to Deming’s “Plan, Do, Check, Act” (PDCA) cycle. While this theory can still be applied, the standard no longer states it explicitly.
Let’s break down the clauses:
Clauses 0-3 cover some housekeeping about the ISO 27001 document itself, so while you should be aware of them, there is no need to document anything.
- Introduction – Provides introductory text to the document.
- Scope – Confirms the purpose of the ISO document.
- Normative References – Discusses related standards, in this case ISO 27000 (see below).
- Terms & Definitions – Confirms the meaning of particular terms used in the standard. In this case, the clause refers back to ISO 27000, which provides a glossary of terms.
Starting the Real ISO 27001 Work
All the activity starts at Clause 4, as follows:
Clause 4 – Context of the Organisation, including defining the scope of your ISMS and considering Internal and External Interested Parties.
Clause 5 – Leadership, a renewed focus on your management system being supported from the top and implemented at every level of the organisation. Clause 5 includes assigning roles and responsibilities, and the Information Security Policy Statement.
Clause 6 – Planning, known best for the risks and opportunities section which requires consideration of the Confidentiality, Integrity and Availability threats to your information. 6.2 requires Information Security Objectives to be set.
Clause 7 – Support, takes care of some housekeeping tasks including competency, awareness and documented information. These are common requirements across Annex SL based standards.
Clause 8 – Operation. In most standards, clause 8 contains the bulk of the standard’s unique requirements. However, the majority of ISO 27001 requirements are addressed through the risk management process, which is defined earlier in clause 6 and is supported through the 114 controls and control objectives set out in Annex A. Most other standards do not have such a directive annex.
Clause 9 – Performance Evaluation. The standard moves into Deming’s ‘Check’ stage, as requirements for monitoring, measurement, analysis and evaluation sit alongside Internal Audit and Management Review.
Clause 10 – Improvement, the final part of the framework which can be demonstrated throughout your work in earlier clauses.
What are the Annex A Requirements?
Unlike many other ISO Standards, ISO 27001 provides 114 controls and control objectives which can be used to manage the risks identified in clause 6, or just for peace of mind.
Annex A is split into 14 sections, from A.5 to A.18. This odd numbering system has been inherited from previous standards where the controls were first defined.
Information Security is not just I.T Security
As you will see below, the controls cover a variety of business areas, which means you should consider the people you need from different areas of the business in order to implement the controls effectively.
A.5 Information Security Policies
A.6 Organisation of Information Security
A.7 Human Resource Security
A.8 Asset Management
A.9 Access Control
A.11 Physical Security
A.12 Operations Security
A.13 Communications Security
A.14 System Acquisition, Development & Maintenance
A.15 Supplier Relationships
A.16 Incident Management
A.17 Information Security in Business Continuity
Excluding Annex A Controls
You do not have to apply every control.
However, if you do exclude a control there must be a justified reason. Reasons for both inclusion and exclusion must be documented within the Statement of Applicability (SOA) document, as required in Clause 6 of the Standard.
Often the majority of Annex A controls are applied.
Where to Start with ISO 27001 Implementation?
The scale and structure of ISO 27001 can be daunting but ISO Consultants like Assent are here to help.
We have online ISO project management software which can break up the implementation process into stages.
Many customers also find our Gap, App & Wrap approach an efficient way of implementing ISO 27001.
And while ISO 27001 Certification is not mandatory [according to the standard itself], most companies see the real value being within the UKAS Accredited Certification marks following an external audit of the system.
Finally, although it is not just an I.T Security standard, technology plays an important part in ISO 27001 Requirements, and organisations can benefit from other cyber security activities such as Simulated Phishing Tests.
Contact us to discuss how Assent can help your organisation or follow us on Twitter @assenttech.
Note: The following information is based on ISO 27001:2013, the current version at time of writing. This may change in future ISO revisions.