This post addresses the following questions
The post targets business leaders considering embarking on an ISMS implementation or ISO/IEC 27001 certification initiative.
In my previous post in the series, I introduced the concept of an information security management system (ISMS) as a structured framework of policies, procedures, processes, practices, controls, roles, responsibilities and resources for the treatment of risks to confidentiality, integrity and availability of information assets, in line with organisational objectives.
What is ISO 27001?
ISO 27001 is an internationally recognised specification for an information security management system (ISMS). The current version of the standard is ISO/IEC 27001:2013. The standard is undergoing revision, with an updated version that coincides with a significant overhaul of the accompanying ISO 27002 code of practice for information security controls scheduled for publication in 2022.
The standard provides a set of requirements for establishing, implementing, maintaining and continually improving an information security management system.
How is ISO 27001 structured?
ISO 27001 contains ten chapters, which the standard refers to as “Clauses”. Clauses zero to three detail key introductory information about the standard and its use. Clauses four to ten contain twenty-two sections and subsections that outline the management system process requirements that your ISMS must meet if you want it to claim conformity with the standard.
The standard concludes with “Annex A”, which lists a set of one hundred and fourteen best-practice information security controls that address critical areas of information security, such as information security policies, supplier relationships, information security incident management and compliance.
The following section provides a brief overview of the ISO 27001 clauses:
Clause zero introduces the standard and contains no specific requirements.
The scope clause explains how the requirements set out in the standard can be applied to all organisations, regardless of type, size or nature. It also states that the requirements specified in clauses four to ten are mandatory for an organisation to claim conformance to the standard.
Clause two contains references to other documents in the ISO27000 standard series and has no specific requirements.
Terms and definitions
This clause introduces some basic terms and definitions. It contains no specific requirements.
Context of the organisation
Clause four of the standard requires you to assess the internal and external issues and the needs and expectations of stakeholders relevant to your ISMS. It also involves determining a suitable scope for your ISMS and a process for its implementation, maintenance and continual improvement.
Clause five is probably the most critical component of any information security management system since even the most well-planned implementation is sure to fail without the total commitment of senior management. The leadership clause requires establishing an information security policy and defining information security roles, responsibilities, and authorities.
Clause six of the standard requires the general risks and opportunities that may impact the intended outcomes of the management system to be reviewed and treated. It also involves creating processes to assess and treat information security risks and a "statement of applicability" used to document the ISO 27001 Annex A controls considered relevant to the ISMS (as a result of the initial risk assessment). Finally, clause six requires the definition of information security objectives that align with organisational objectives.
Clause seven requires the organisation of the management of documented information. Its requirements also cover resources and communication, the management of competency, and awareness training for information security and the information security management system.
Clause eight of the standard forms the core of the ISMS and involves executing the risk assessment and treatment process established in clause six. The clause also requires planning for the control of outsourced operations and scheduling regular risk assessments at predetermined intervals.
Clause nine of the standard requires the implementation of measures and metrics to evaluate the management system’s performance. It entails the planning and execution of internal audits and management reviews to ensure that the management system meets its objectives and continuously improves over time.
The tenth and final clause of the main body of the standard addresses requirements for the definition, identification and elimination of nonconformities. It also requires implementing measures to continually improve the suitability, adequacy and effectiveness of the information security management system.
ISO 27001 Annex A is a catalogue of best practice information security controls split into fourteen domains. The Annex A (Table A.1) controls are derived from Clauses five to eighteen of the ISO/IEC 27002 code of practice for information security controls.
Which sections of ISO 27001 contain mandatory requirements?
ISO 27001 provides a set of requirements for implementing an ISMS. As clause one of the standard clearly states:
“Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this International Standard.”
Generally speaking, the use of the word "shall" in any ISO standard indicates a mandatory requirement. Use of the word “should” relates to a recommendation, which fulfilling is optional.
In addition to the requirements in clauses four to ten, all applicable Annex A controls must be implemented.
Why should your organisation pursue certification to ISO 27001?
So why should your organisation consider attaining certification to ISO 27001? Well, it’s important to distinguish between the benefits of an ISMS implementation, which are to efficiently minimise cyber risk in accordance with organisational objectives, and the benefits of an ISO 27001 certification. The former should apply regardless of whether or not your organisation intends to certify their ISMS to ISO 27001. Implementing an ISMS purely for compliance purposes, whilst technically possible, will eventually result in a critical security incident, which is, at best, counter-productive.
With this in mind, let’s briefly examine the advantages an organisation gains by certifying its ISMS to ISO 27001.
Promotion of globally recognised best practices
ISO 27001 promotes globally accepted good practices drawn from the knowledge of a group of experienced information security practitioners from a wide range of organisations from over fifty countries. Since the standard is non-prescriptive, it gives organisations a degree of flexibility to implement appropriate controls that suit their specific circumstances. It also means that controls can be maintained and adapted due to a constantly changing risk profile.
Greater marketplace credibility
Implementing an independently certified ISMS helps create a trusted relationship with customers. It demonstrates that your organisation has established effective information security processes. ISO 27001 provides a common language and conceptual basis for information security, making it easier to place confidence in business partners with a certified ISMS.
Facilitated market access
Customers are beginning to make ISO 27001 a requirement of suppliers to bid for contracts, particularly in the digital healthcare space, where healthcare providers require strong assurance that sensitive personal data has sufficient protection against online threats. An ISO 27001 certification can also result in reduced bid effort for contracts that ask questions related to product information security.
Simply put, greater credibility in the marketplace combined with increased market access gives ISO 27001 certified organisations the edge over non-certified competitors and increases sales and revenue.
Increased operating efficiency
An ISO 27001 certified management system requires annual surveillance audits and a recertification audit at the end of each three-year certification cycle. Regular reviews ensure that organisations continuously optimise their controls according to changes to the organisational context, scope or risk profile. Over time, this iterative approach improves process efficiency and increases the economic effectiveness of information security investments.
Reduction in cyber insurance premiums
Even the most detailed ISMS risk assessment and well-executed risk treatment plan will result in some degree of residual risk. This risk can either be accepted by leadership or transferred to a third party insurer. When shopping for a cyber insurance policy, an ISO 27001 certificate acts as proof to insurers that you have taken a series of measures to address information risk within your organisation. Insurers consider this due diligence as a factor that reduces the chances of a claim, which typically results in a lower cyber insurance premium.
Identify the risks in your Information Security Management System with our free ISO 27001 Gap Analysis Checklist.
As CEO and founder of MOD1 AG, Dylan Johnston dedicates his energy to helping organisations break down barriers to digital transformation through the adoption of a risk-based approach to securing sensitive personal data and critical business information assets. Dylan’s work for AT&T, Swisscom, United Nations, Bank for International Settlements, and Hoffmann-La Roche has equipped him with unique insight on how to inject cybersecurity and data privacy practices into organisational culture. Connect with Dylan on LinkedIn, subscribe to the MOD1 Insights Blog, or comment below to join the conversation.