ISO 27001 Explained

A complete guide to the international standard for information security management systems

The ISO/IEC 27001 standard is a licensed document of around 30 pages that can be purchased online in a variety of languages. The standard specifies requirements for the development and operation of a structured framework of policies, procedures, processes, practices, roles, responsibilities, controls and resources, collectively referred to as an information security management system (ISMS).

The ultimate goal of an ISMS is to treat risks to the confidentiality, integrity and availability of information assets, in line with organisational objectives. ISO 27001 includes a set of best-practice controls for the mitigation of the risks associated with the information assets which the organisation seeks to protect by operating its ISMS.

Organisations operating an ISMS may have its conformity audited and certified against ISO 27001. Certifying your organisation’s ISMS brings a variety of benefits, including reduced information risk, improved governance, conformity with legal and regulatory requirements, competitive advantage and incremental revenue growth.

Since the standard itself is not particularly easy to interpret – especially for those without a background in compliance – we decided to create a concise overview of the main elements in an easily digestible format. We trust you find “ISO 27001 Explained” a valuable resource. Please feel free to bookmark the page for your reference. We intend to make regular improvements and publish supporting material both here and on the MOD1 Insights blog.

As CEO and founder of MOD1 AG, Dylan Johnston dedicates his energy to helping organisations break down barriers to digital transformation through the adoption of a risk-based approach to securing sensitive personal data and critical business information assets.

What is ISO 27001?

ISO 27001 is an international standard that defines a set of requirements for the establishment, implementation, operation, monitoring, review and continual improvement of an information security management system (ISMS).

The official name of the standard is ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements, but it is (for obvious reasons) more commonly referred to as “ISO 27001”, “ISO27001” or “27001”. This guide describes the 2013 edition; a revised edition, ISO/IEC 27001:2022, has since been published and restructures Annex A, so check which edition your certification body audits against.

As its official name suggests, ISO 27001 was developed by the joint technical committee (ISO/IEC JTC 1) of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

JTC 1 is a consensus-based, voluntary international standards group of over 2000 experts from 163 countries. It is committed to developing, maintaining, promoting and facilitating the information technology (IT) standards that global markets require to meet business and user requirements.

What role does ISO 27001 play in the area of information security?

Information security is the protection of information assets from unauthorised access, use, modification, disclosure, disruption or destruction, to maintain confidentiality, integrity and availability. 

ISO 27001 serves as a blueprint for a framework of policies, procedures, guidelines, resources and associated activities managed by an organisation in the pursuit of securing its information assets in support of its business objectives.

A core component of the standard is effective risk management and the subsequent implementation of a set of managerial, administrative, physical, technical and educational measures that mitigate risks to sensitive data and business information assets.

What is an ISO 27001 certification?

An ISO 27001 certification provides an independent demonstration that an organisation’s ISMS meets its stated policy and objectives, complies with the relevant statutory, regulatory and contractual requirements and is effectively maintained. Organisations can become ISO 27001 certified by passing a certification audit performed by an accredited certification body.

What are the advantages of certifying your organisation to ISO 27001?

Implementing and certifying an ISMS against ISO 27001 brings the following benefits.

Enhanced information security

A structured approach to information security management can help organisations reduce the likelihood of cybersecurity and data privacy incidents, optimise their information security controls and effectively respond to an evolving threat landscape.

Improved governance

ISO 27001 requires senior management accountability for information security. When senior management is directly involved in steering ISMS strategy, there is a greater chance that the organisation’s approach to treating information risk aligns with business objectives, and that the ISMS program will add significant value.

Conformity

Implementing an information security management system helps organisations conform with statutory, regulatory or contractual requirements, such as the EU GDPR, HIPAA or the German DiGA requirements for digital health applications. The flexibility of ISO 27001 allows organisations to integrate best practices from a variety of sources, including PCI DSS, the CSA CCM, NIST publications and ITIL.

Marketing

ISO 27001 is an internationally recognised and externally assured standard that conveys to stakeholders that your organisation is credible and trustworthy. An ISO 27001 certification can be leveraged as a marketing tool to inspire customer confidence and differentiate your organisation's products and services from those of uncertified competitors.

Incremental revenue growth

Customers are beginning to make ISO 27001 a requirement of suppliers to bid for contracts, particularly in the digital healthcare space, where healthcare providers require strong assurance that sensitive personal data has sufficient protection against online threats. An ISO 27001 certification can also result in reduced bid effort for contracts that ask questions related to product information security.

ISO 27001 requires regular reviews so that organisations continuously adapt their processes to changes in organisational context, scope or risk profile. Over time, this iterative approach improves process efficiency and increases the economic effectiveness of information security investments.

What are the ISO 27001 requirements?

Organisations can obtain certification against ISO 27001 by demonstrating conformity with its requirements. Clauses 0 – 3 introduce the standard, its scope, normative references and vocabulary, but contain no requirements. Clauses 4 – 10 specify the requirements that must be met for an organisation to claim conformity. The requirements of clauses 4 – 10 are as follows:

4. Context of the organisation

Clause 4 of the standard requires an assessment of internal and external issues and the needs and expectations of stakeholders relevant to the information security management system (ISMS). It also involves the determination of a suitable scope for the information security management system and a process for its implementation, maintenance and continual improvement.

5. Leadership

Clause 5 is probably the most critical component of any information security management system since even the most well-planned implementation is sure to fail without the total commitment of senior management. The leadership clause requires the organisation to establish an information security policy and define information security roles, responsibilities, and authorities.

6. Planning

Clause 6 requires the organisation to determine the risks and opportunities that could affect the intended outcomes of the management system and to plan actions to address them. Organisations must define and apply an information security risk assessment process and a risk treatment process. They must also produce a "Statement of Applicability" that lists the necessary controls (selected from Annex A or elsewhere), the justification for including each one, whether it is implemented, and the justification for excluding any Annex A control. Finally, clause 6 requires measurable information security objectives that are consistent with the information security policy and align with organisational objectives.

7. Support

Clause 7 requires the organisation to provide the resources needed for the ISMS, to ensure that people doing ISMS work are competent, to raise awareness of the information security policy and of each person's contribution to the ISMS, and to determine internal and external communication needs. It also sets out how documented information is created, updated and controlled.

8. Operation

Clause 8 covers executing the processes planned in clause 6: performing information security risk assessments at planned intervals (and when significant changes are proposed or occur), implementing the risk treatment plan and retaining the results, and controlling planned changes and outsourced processes.

9. Performance Evaluation

Clause 9 requires the organisation to decide what to monitor and measure, and how, in order to evaluate the performance and effectiveness of the ISMS. It also requires the planning and execution of internal audits at planned intervals and of management reviews, so that the management system consistently meets its objectives and can be continually improved.

10. Improvement

The final clause addresses requirements for defining, identifying and eliminating nonconformities. It also requires the business to continually improve the suitability, adequacy and effectiveness of the information security management system.

Which sections of ISO 27001 contain mandatory requirements?

This standard indicates a mandatory requirement through the use of the word “shall”. For example:

“The organization shall define and apply an information security risk assessment process”

Clause 1 of the standard states that excluding any of the requirements in clauses 4 – 10 is not acceptable. The requirements in these clauses are mandatory for all organisations who wish to claim conformity to the standard.

What is an ISO 27001 risk assessment?

An ISO 27001 risk assessment is the process of identifying, analysing and evaluating potential risk scenarios and documenting the results. ISO/IEC 27000, the vocabulary standard for the series, defines risk as “the effect of uncertainty on objectives”. Risks are often expressed by combining the consequences of an event with the likelihood of its occurrence.

The main stages of a risk assessment are asset identification, risk identification, risk analysis and risk evaluation. When the risk assessment is complete, the organisation must treat the risks. Risk treatment planning determines the course of action taken to address a particular risk based on the risk assessment results. Risk treatment options include risk mitigation (implement controls that reduce the likelihood or the consequences), risk transfer (share the risk, for example by insuring against its occurrence or contracting it to a supplier), risk acceptance (have management formally sign off on retaining the risk) and risk avoidance (terminate the activity that gives rise to the risk).

Risk management is an ongoing process. It is crucial to assess risks regularly and consistently, using the same criteria each time, to account for changes in the business environment and the threat landscape.

What is ISO 27001 Annex A?

ISO 27001 Annex A is a table of information security control objectives and controls that organisations must consult when selecting controls. The individual controls are not mandatory for certification, but the standard requires that the controls chosen during risk treatment be compared against Annex A so that none are overlooked, and that any Annex A control deemed not applicable be listed with a written justification for its exclusion in the “Statement of Applicability” document.
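The risk assessment and treatment steps described above, and the Statement of Applicability check in this section, can be made concrete with a small risk register. The following Python is an added example written for this guide; it is not code from ISO or from MOD1. The 1..5 qualitative scales, the acceptance threshold of 8, the handful of Annex A control identifiers (six of the 114 in the 2013 edition) and the sample risks are all assumptions chosen for illustration; a real ISMS defines its own risk criteria under clause 6.1.2.

```python
"""Added example: a toy ISO 27001 risk register with treatment checks and a
Statement of Applicability (SoA) built from the treatment decisions.
Scales, threshold, control subset and sample data are assumptions."""
from dataclasses import dataclass

SCALE = range(1, 6)              # assumption: 1 (rare/negligible) .. 5 (almost certain/severe)
RISK_ACCEPTANCE_THRESHOLD = 8    # assumption: levels at or below this may be accepted
TREATMENTS = {"mitigate", "transfer", "accept", "avoid"}

# A handful of ISO/IEC 27001:2013 Annex A controls, not the full set of 114.
ANNEX_A_SAMPLE = {
    "A.9.2.3": "Management of privileged access rights",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.11.1.1": "Physical security perimeter",
    "A.12.3.1": "Information backup",
    "A.12.6.1": "Management of technical vulnerabilities",
    "A.16.1.1": "Responsibilities and procedures",
}


@dataclass(frozen=True)
class Risk:
    asset: str
    scenario: str
    likelihood: int
    consequence: int
    treatment: str
    controls: tuple = ()     # Annex A ids applied when treatment is "mitigate"

    @property
    def level(self) -> int:
        # Risk level combines consequence and likelihood, as the text describes.
        return self.likelihood * self.consequence


def validate_risk(r: Risk) -> list:
    """Findings an internal auditor (clause 9.2) would raise for one register entry."""
    findings = []
    if r.likelihood not in SCALE or r.consequence not in SCALE:
        findings.append(f"{r.asset}: likelihood/consequence outside the 1..5 scale")
    if r.treatment not in TREATMENTS:
        findings.append(f"{r.asset}: unknown treatment '{r.treatment}'")
    if r.treatment == "mitigate" and not r.controls:
        findings.append(f"{r.asset}: treatment is 'mitigate' but no controls are listed")
    if r.treatment == "accept" and r.level > RISK_ACCEPTANCE_THRESHOLD:
        findings.append(f"{r.asset}: level {r.level} exceeds the acceptance "
                        f"threshold ({RISK_ACCEPTANCE_THRESHOLD}) and needs management sign-off")
    unknown = [c for c in r.controls if c not in ANNEX_A_SAMPLE]
    if unknown:
        findings.append(f"{r.asset}: unknown control id(s) {unknown}")
    return findings


def build_soa(risks, exclusion_justifications):
    """Return (soa, findings). Every Annex A control is either applicable (tied to
    the risks it treats) or excluded, and an exclusion needs a written justification."""
    selected = {c for r in risks if r.treatment == "mitigate" for c in r.controls}
    soa, findings = {}, []
    for cid, title in ANNEX_A_SAMPLE.items():
        if cid in selected:
            treated = sorted({r.asset for r in risks if cid in r.controls})
            soa[cid] = {"title": title, "applicable": True,
                        "justification": "treats risk(s) to: " + ", ".join(treated)}
        else:
            why = exclusion_justifications.get(cid, "").strip()
            if not why:
                findings.append(f"{cid} excluded without a written justification")
            soa[cid] = {"title": title, "applicable": False, "justification": why}
    return soa, findings


def sample_register():
    # Constructed sample risks (assumptions), not real assessment data.
    return [
        Risk("customer DB", "stolen admin credential used to dump records", 3, 5,
             "mitigate", ("A.9.2.3", "A.12.6.1")),
        Risk("customer DB", "unencrypted backup media lost in transit", 2, 4,
             "mitigate", ("A.10.1.1", "A.12.3.1")),
        Risk("office printer", "unpatched firmware on an isolated VLAN", 3, 1, "accept"),
        Risk("legacy FTP service", "credentials sniffed on the wire", 4, 4, "avoid"),
        Risk("HR laptop", "device stolen from a car", 3, 3, "accept"),   # level 9: should not be accepted
    ]


def sample_exclusions():
    # Assumption: the in-scope systems run in a third-party data centre.
    # A.16.1.1 is deliberately left without a justification to trigger the check.
    return {"A.11.1.1": "Hosting provider operates the physical perimeter; "
                        "covered by the A.15 supplier controls."}


if __name__ == "__main__":
    risks = sample_register()
    for r in risks:
        print(f"{r.asset:20} level={r.level:2} treatment={r.treatment}")
        for f in validate_risk(r):
            print("  FINDING:", f)
    soa, soa_findings = build_soa(risks, sample_exclusions())
    for cid, entry in soa.items():
        print(f"{cid:9} {'applicable' if entry['applicable'] else 'excluded  '} {entry['justification']}")
    for f in soa_findings:
        print("SOA FINDING:", f)
```

Running the block flags the HR laptop entry (level 9 accepted without meeting the threshold) and the missing justification for A.16.1.1, which are exactly the two defects an auditor looks for when comparing the risk treatment plan against the Statement of Applicability.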

What are the ISO 27001:2013 Annex A controls?

ISO 27001:2013 Annex A consists of 114 best practice information security controls split into the following 14 domains:

A.5 Information security policies

The objective of Annex A.5 is to provide management direction and support for information security in accordance with the organisation's business requirements and applicable laws and regulations. It requires that a set of policies for information security be defined, approved by management, published, communicated and reviewed at planned intervals or when significant changes occur.

A.6 Organisation of information security

Annex A.6 defines controls that establish a management framework for implementing and operating information security within an organisation. Annex A.6 controls cover the definition of roles and responsibilities for information security, segregation of duties, contact with authorities and special interest groups, the application of information security in project management, and the security of mobile devices and teleworking.

A.7 Human resource security

Annex A.7 addresses information security before, during and after employment, with controls such as screening, terms and conditions of employment, information security awareness, education and training, and a disciplinary process.

A.8 Asset management

Annex A.8 defines controls that address accountability and responsibility for information assets. A.8 controls include the creation of an information asset register, the assignment of ownership and rules that govern the acceptable use of information assets. Asset management also covers controls for information classification and media handling.

A.9 Access control

Annex A.9 of the standard covers controls for identity and access management, including the requirement for an access control policy, unique user identifiers, secure authentication practices and the management of privileged access rights. It also documents requirements for access control provisioning and review.

A.10 Cryptography

Annex A.10 introduces control objectives that ensure proper and effective use of cryptography to protect information confidentiality, authenticity, and integrity. The controls cover requirements that govern secure cryptographic algorithms and effective key management.

A.11 Physical and environmental security

The objective of Annex A.11 is to prevent unauthorised physical access, damage and interference to the organisation’s information assets and information processing facilities, and to protect equipment from loss, damage, theft or compromise.

A.12 Operations security

Annex A.12 defines a broad set of operational security controls, including operational procedures and responsibilities, protection from malware, backup, logging and monitoring, control of operational software, technical vulnerability management, and information systems audit considerations.

A.13 Communications security

Annex A.13 specifies controls for network security management (segregation of networks, security of network services) and for information transfer, including transfer policies and agreements, electronic messaging such as email, and confidentiality or non-disclosure agreements.

A.14 System acquisition, development and maintenance

Annex A.14 defines controls for the acquisition, development and maintenance of information systems across the entire lifecycle. A.14 covers system change control procedures, technical application reviews and secure system engineering principles.

A.15 Supplier relationships

The objective of Annex A.15 is to minimise risks related to third-party service providers with access to the organisation’s information assets. The controls address contractual requirements as well as supplier service delivery management.

A.16 Information security incident management

Annex A.16 introduces controls for managing information security incidents, such as defining roles and responsibilities, reporting events and weaknesses, assessing and responding to incidents, learning from them, and collecting evidence.

A.17 Information security aspects of business continuity management

Annex A.17 controls are designed to embed information security continuity in the organisation’s business continuity management processes. The controls address the planning, implementation, verification, review and evaluation of information security continuity, as well as the redundancy of information processing facilities.

A.18 Compliance

Finally, Annex A.18 presents controls for compliance with legal and contractual requirements. The controls cover identification of applicable legislation, intellectual property rights, protection of records, privacy and protection of personally identifiable information, regulation of cryptographic controls, and independent and technical reviews that verify adherence to security policies, third-party standards and other information security requirements.

Ready to secure your business information assets?

Claim your free and non-binding 30 minute consultation with a MOD1 security, privacy, risk and compliance expert.