What is ISO/IEC 27001?
The ISO/IEC 27001 standard, published jointly by the International Organization for Standardization (ISO)
and the International Electrotechnical Commission (IEC), is titled “Information security, cybersecurity and privacy protection — Information security management systems — Requirements”.
ISO/IEC 27001:2022 (hereafter referred to as ISO/IEC 27001) is the current edition of the standard; it replaces the previous edition published in 2013 (ISO/IEC 27001:2013).
ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).
An ISMS is a systematic approach to keeping sensitive information secure. It governs people, processes and IT systems by applying a risk management process. An ISMS suits not only large organisations but also small and medium businesses.
ISO/IEC 27001 is designed to be used together with a set of supporting controls; the reference set is published as ISO/IEC 27002:2022 (hereafter referred to as ISO/IEC 27002). ISO/IEC 27002 details 93 security controls organised into four themes (organisational, people, physical and technological).
Compliance with ISO/IEC 27001 can be formally assessed and certified by an accredited certification body. An ISMS certified against ISO/IEC 27001 demonstrates the organisation’s commitment to information security and gives confidence to its customers, partners and stakeholders.
Step 1 – Define information security policy
• Task: Identify business objectives and obtain management support to implement a security
As described in ISO/IEC 27001, management (“top management” in the standard’s wording) plays a decisive role in the success of an ISMS.
What you need: the Leadership clause (clause 5) of ISO/IEC 27001. Management must commit to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS. That commitment includes ensuring that adequate resources are available to work on the ISMS and that all employees affected by the ISMS have the necessary training, awareness and competence.
Results: Establishment of the following items demonstrates management commitment:
- An information security policy: this policy can be a standalone document or part of an overall security manual that is used by an organization.
- Information security objectives and plans: again, this information can be a standalone document or part of an overall security manual used by the organization.
- Roles and responsibilities for information security: a list of the roles related to information security should be documented either in the organization’s job description documents or as part of the security manual or ISMS description documents.
- Announcement or communication to the organization about the importance of adhering to the information security policy.
- Sufficient resources to manage, develop, maintain, and implement the ISMS.
In addition, management participates in the ISMS Plan-Do-Check-Act (PDCA) cycle described in ISO 27001 by:
- Determining the acceptable level of risk. Evidence of this activity can be incorporated into the risk assessment documents, which are described later in this guide.
- Conducting management reviews of the ISMS at planned intervals. Evidence of this activity can be part of the approval process for the documents in the ISMS.
- Ensuring that personnel affected by the ISMS are provided with training, are competent for the roles and responsibilities they are assigned to fulfill, and are aware of those roles and responsibilities. Evidence of this activity can be through employee training records and employee review documents.
Step 2 – Define scope of the ISMS
• Task: Compare the existing information security management system against the requirements of ISO/IEC 27001 and select which business units, departments or systems are to be covered by the ISMS
When management has made the appropriate commitments, you can begin to establish your ISMS. In this step, you should determine the extent to which you want the ISMS to apply to your organization.
What you need:
You can use several of the “result” documents that were created in step 1, such as:
- The information security policy
- The information security objectives and plans
- The roles and responsibilities that are related to information security and were defined by the management
In addition, you will need:
- Lists of the areas, locations, assets and technologies of the organization that will be controlled by the ISMS. To build them, answer the following:
- Which areas of your organization will be covered by the ISMS?
- What are the characteristics of those areas: their locations, assets and technologies to be included in the ISMS?
- Will you require your suppliers to abide by your ISMS?
- Are there dependencies on other organizations, and should they be considered within the scope?
Your goals will be to cover the following:
- the processes used to establish the scope and context of the ISMS.
- the strategic and organizational context
Important: Keep your scope manageable. Consider including only parts of the organization, such as a logical or physical grouping within the organization. Large organizations might need several Information Security Management Systems in order to maintain manageability. For example, they might have one ISMS for their Finance department and the networks used by that department and a separate ISMS for their Software Development department and systems.
Results: A documented scope for your ISMS.
When you have determined the scope, you will need to document it, usually in a few statements or paragraphs. The documented scope often becomes one of the first sections of your organization’s Security Manual. Or, it might remain a standalone document in a set of ISMS documents that you plan to maintain. Often the scope, the security policy, and the security objectives are combined into one document.
Step 3 – Perform a risk assessment
• Task: Define a method of risk assessment, inventory the information assets to protect, and rank assets according to risk classification based on the risk assessment
Risk assessment is the process of identifying risks by analyzing threats to, impacts on, and vulnerabilities of information and information systems and processing facilities, and the likelihood of their occurrence. Choosing a risk assessment method is one of the most important parts of establishing an ISMS. To meet the requirements of ISO 27001, you will need to define and document a method of risk assessment and then use it to assess the risk to your identified information assets, make decisions about which risks are intolerable and therefore need to be mitigated, and manage the residual risks through carefully considered policies, procedures, and controls.
ISO/IEC 27001 does not prescribe the risk assessment method you should use; it does require a method that produces consistent, valid and comparable results and that lets you complete the following tasks:
- Evaluate risk in terms of the loss of confidentiality, integrity and availability. Some risk assessment methods provide a matrix that defines levels of confidentiality, integrity and availability and gives guidance on when and how those levels should be applied.
- Set objectives to reduce risk to an acceptable level.
- Determine criteria for accepting risk.
- Evaluate risk treatment options.
There are many risk assessment methods you can choose from, such as those that are prevalent in your industry. For example, if your company is in the oil industry, you might find there are risk assessment methods related to that industry.
When you have completed this step, you should have a document that explains how your organization will assess risk, including:
- the organization’s approach to information security risk management
- criteria for information security risk evaluation and the degree of assurance required
Step 4 – Manage the identified risk
• Task: Create a risk treatment plan to identify appropriate management actions, resources, responsibilities and priorities for managing information security risks
Adequate resources (people, time, money) must be allocated to the operation of the ISMS and to all security controls. In addition, the staff who work within the ISMS (maintaining it and its documentation and implementing its controls) must receive appropriate training. The effectiveness of the training program should be monitored, so alongside the training program you should also establish a plan for how you will measure whether the training worked.
What you will need:
- A list of the employees who will work within the ISMS
- All of the ISMS procedures to use for identifying what type of training is needed and which members of the staff or interested parties will require training
- Management agreement to the resource allocation and the training plans.
The standard does not prescribe a format for this documentation, but it does require you to retain documented information as evidence of competence. To show that resource planning and training have taken place, keep records of who has received training and what training they received, and consider a section for each employee listing the training they still need. You will also probably have some type of procedure for determining how many people, how much money and how much time need to be allocated to implementing and maintaining your ISMS. That procedure may already exist as part of your business operating procedures, or you may want to add an ISMS section to the existing documentation.
Step 5 – Select controls to be implemented
• Task: Prepare a Statement of Applicability (SoA) documenting which controls (e.g. the 93 security controls from ISO/IEC 27002) are applicable to the ISMS and how they will be implemented
Next, for each risk that you have determined to be intolerable, you must take one of the following actions:
- Accept the risk, for example because mitigating actions are outside your control (such as a natural disaster or political unrest) or are too expensive relative to the risk. Acceptance must be a documented decision by the risk owner, not the default outcome of doing nothing.
- Transfer (share) the risk, for example by purchasing insurance against it or subcontracting the activity so that the risk is passed on to the subcontractor. Note that accountability to customers and regulators usually remains with you.
- Reduce the risk to an acceptable level through the use of controls.
To reduce a risk, evaluate and identify appropriate controls. These may be controls your organization already has in place or controls defined in ISO 27002.
(Note: Examining the controls you already have in place against the standard and using the results to identify which controls are missing is commonly called a “gap analysis.”)
What you will need:
- Annex A of ISO 27001. This appendix summarizes controls that you might want to choose from.
- ISO 27002, which provides greater detail about the controls summarized in ISO 27001.
- Procedures for existing corporate controls
You should end up with two documents by completing this step:
- A Risk Treatment Plan
- A Statement of Applicability
The Risk Treatment Plan documents the following:
- the method selected for treating each risk (accept, transfer, reduce)
- which controls are already in place
- what additional controls are proposed
- the time frame over which the proposed controls are to be implemented
The Statement of Applicability (SoA) documents the controls selected from Annex A (the 2022 edition of Annex A lists controls only; the control objectives of earlier editions were dropped). The SoA is usually a large table in which each Annex A control is listed with its title and columns that indicate whether the control is applicable, the justification for including or excluding it, whether it is currently implemented, and a reference to where the organization’s procedure for that control is documented. Every Annex A control must appear, including the excluded ones with their justification. The SoA can be part of the Risk Assessment document, but it is usually a standalone document because it is lengthy and is listed as a required document in the standard.
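Steps 3 to 5 form one chain: a documented scoring method, an acceptance criterion, a treatment decision per risk, and an SoA that justifies every Annex A control in terms of the risks it treats. The following is an added illustration of that chain in Python; it is not from the original guide or from the standard. The assets, threats, impact and likelihood scales, the acceptance threshold of 4, and the mapping from risks to controls are all constructed for the example, and the control numbers are quoted from ISO/IEC 27002:2022 as recalled here, so verify them against your copy of the standard.

```python
"""Worked example of the Step 3-5 chain: score risks with a documented method,
apply an acceptance criterion, choose a treatment per risk and derive a
Statement of Applicability. Added illustration, not part of the original guide.
Register, scales, threshold and control mapping are constructed for the example."""
from dataclasses import dataclass, field

ACCEPTABLE_RISK = 4   # assumed acceptance criterion: a score of 4 or less is tolerable

@dataclass
class Risk:
    asset: str
    threat: str
    confidentiality: int   # impact if lost, 1 (low) .. 3 (high)
    integrity: int
    availability: int
    likelihood: int        # 1 (rare) .. 3 (likely)
    controls: list = field(default_factory=list)  # Annex A references (constructed mapping)
    treatment: str = ""

    def score(self) -> int:
        # Documented method: highest of the three CIA impacts times likelihood.
        # Writing the rule down is what makes results repeatable and comparable.
        return max(self.confidentiality, self.integrity, self.availability) * self.likelihood

def assess(register):
    """Apply the acceptance criterion and decide a treatment for each risk.
    Scores within the criterion are accepted; the rest are reduced with the
    mapped controls, or transferred (e.g. insured) when no control is mapped.
    Returns the register ranked from highest to lowest score."""
    for r in register:
        if r.score() <= ACCEPTABLE_RISK:
            r.treatment = "accept"
        elif r.controls:
            r.treatment = "reduce"
        else:
            r.treatment = "transfer"
    return sorted(register, key=lambda r: r.score(), reverse=True)

def statement_of_applicability(register, annex_a):
    """Every Annex A control appears in the SoA. Adopted controls cite the
    risks they treat; the others are excluded with a justification that an
    auditor (and the next review) can check."""
    soa = {}
    for ctl, title in annex_a.items():
        treated = [r.asset for r in register if r.treatment == "reduce" and ctl in r.controls]
        soa[ctl] = {
            "title": title,
            "applicable": bool(treated),
            "justification": ("treats risk to " + ", ".join(treated)) if treated
                             else "no identified risk requires this control",
        }
    return soa

# Constructed sample register and a small slice of Annex A. Control numbers
# follow ISO/IEC 27002:2022 as recalled here; check them against the standard.
ANNEX_A = {"8.13": "Information backup", "8.24": "Use of cryptography",
           "8.8": "Management of technical vulnerabilities", "5.15": "Access control"}
REGISTER = [
    Risk("customer DB", "ransomware", 3, 3, 3, 2, controls=["8.13", "8.8"]),
    Risk("laptops", "theft", 3, 1, 2, 2, controls=["8.24"]),
    Risk("public website", "defacement", 1, 2, 2, 1),
    Risk("office", "flood", 1, 1, 3, 2),
]

if __name__ == "__main__":
    print("Risk treatment plan (ranked):")
    for r in assess(REGISTER):
        print(f"  {r.score():2d}  {r.asset:15s} {r.threat:12s} -> {r.treatment:9s} {r.controls}")
    print("Statement of Applicability:")
    for ctl, row in statement_of_applicability(REGISTER, ANNEX_A).items():
        state = "applicable" if row["applicable"] else "excluded"
        print(f"  {ctl:5s} {row['title']:40s} {state:10s} {row['justification']}")
```

The flood risk ends up as “transfer” only because no control is mapped to it; in a real register that gap should prompt a decision (insure, relocate backups, or add a physical control), which is exactly the kind of question the SoA’s excluded rows are meant to surface.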
Step 6 – Implement controls
• Task: Develop programs to implement the identified controls
For each control that you select, you must have a corresponding policy statement and, in many cases, a detailed procedure. Affected personnel use the policies and procedures to understand their roles, and the procedures ensure the control is applied consistently. ISO 27001 requires the documented information that the organization determines necessary for the ISMS to be effective, which in practice means documenting these policies and procedures.
What you will need:
To identify which procedures you need to document, refer to your Statement of Applicability. To keep the procedures consistent in content and appearance, create a template for your procedure writers to use.
You will also produce additional policies and documented information; how many documents depends on the requirements of your organization. Some procedures will also generate records. For example, if a procedure requires all visitors to your facility to sign a visitors log, the log itself becomes a record providing evidence that the procedure has been followed.