ISO/IEC 27001

ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements (second edition)

Introduction

ISO/IEC 27001:2013 is the ISO management standard that formally specifies an information security management system. An information security management system (ISMS) includes all of the policies, procedures, documents, records, plans, guidelines, agreements, contracts, processes, practices, methods, activities, roles, responsibilities, relationships, tools, techniques, technologies, resources, and structures that organizations use to protect and preserve information, to manage and control information security risks, and to achieve business objectives. The ISMS established through ISO/IEC 27001 flexible risk-driven approach enables a tightly calibrated and monitored system that strives to evolve with the ever-changing security landscape and business impacts all organizations face daily.

The objective of ISO/IEC 27001 is to provide formal specifications that bring information security under categorical management control. ISO/IEC 27001 defines conditions for the formation, implementation, monitoring, appraisal, maintenance, and enhancement of a management system for managing an organization’s information security risk. Organizations that implement ISO/IEC 27001 can validate the effort through a formal audit by an accredited organization, certifying compliance to the requirements of ISO/IEC 27001:2013.

The standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profits), all sizes (from micro-businesses to huge multinationals), and all industries or markets (e.g. retail, banking, defense, healthcare, education and government).

ISO/IEC 27001 does not formally mandate specific information security controls since the specific controls that are required are chosen to mitigate specific risks that vary markedly across the wide range of organizations adopting the standard. The information security controls from ISO/IEC 27002 are noted in annex A to ISO/IEC 27001, rather like a menu or even a throrough checklist. Organizations adopting ISO/IEC 27001 are free to choose whichever specific information security controls are applicable to their particular information risks, drawing on those listed in the menu and potentially supplementing them with other a la carte options (sometimes known as extended control sets). As with ISO/IEC 27002, the key to selecting applicable controls is to undertake a comprehensive assessment of the organization’s information risks, which is one vital part of the ISMS.

Furthermore, management may elect to avoid, transfer or accept information risks rather than mitigate them through controls — a risk treatment decision within the risk management process.

History

1995: Originated as BS 7799 and first published by BSI Group. It was written by the United Kingdom Government’s Department of Trade and Industry (DTI), and consisted of several parts.

1999: BS7799 part 2 and first published by BSI Group, titled “Information Security Management Systems – Specification with guidance for use.” (BS 7799-2)

2002: BS 7799-2 was revised by BSI explicitly incorporating the Plan-Do-Check-Act (PDCA) cyclic process.

2005: ISO/IEC 27001:2005 became the new version after BS 7799-2 was adopted by the International Organization for Standardization (ISO) with various changes to reflect its new custodians.

2013: ISO/IEC 27001:2013 is the extensive revision ISO/IEC 27001:2005, aligning it with the other ISO certified management systems standards and dropping explicit reference to PDCA.

Structure of the Standard

ISO/IEC 27001:2013 has the following sections:

0 Introduction – the standard uses a process approach.

1 Scope – it specifies generic ISMS requirements suitable for organizations of any type, size or nature.

2 Normative references – only ISO/IEC 27000 is considered absolutely essential to users of ’27001: the remaining ISO27k standards are optional.

3 Terms and definitions – a brief, formalized glossary, soon to be superseded by ISO/IEC 27000.

4 Context of the organization – understanding the organizational context, the needs and expectations of ‘interested parties’, and defining the scope of the ISMS. Section 4.4 states very plainly that “The organization shall establish, implement, maintain and continually improve” a compliant ISMS.

5 Leadership – top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.

6 Planning – outlines the process to identify, analyze and plan to treat information risks, and clarify the objectives of information security.

7 Support – adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.

8 Operation – a bit more detail about assessing and treating information risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).

9 Performance evaluation – monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system in order to make systematic improvements where appropriate.

10 Improvement – address the findings of audits and reviews (e.g. nonconformities and corrective actions), make continual refinements to the ISMS

Annex A Reference control objectives and controls – little more in fact than a list of titles of the control sections in ISO/IEC 27002. The annex is ‘normative’, implying that certified organizations are expected to use it, but they are free to deviate from or supplement it in order to address their particular information risks.

Bibliography – points readers to five related standards, plus part 1 of the ISO/IEC directives, for more information. In addition, ISO/IEC 27000 is identified in the body of the standard as a normative (i.e. essential) standard and there are several references to ISO 31000 on risk management.

Certification

Certified compliance to ISO/IEC 27001 by an accredited and respected certification body is entirely optional. But the demand from suppliers and business partners concerned about the security of their information, and about information security throughout the supply chain or network is increasing rapidly.

According to the ISO survey, in 2016 there were 33,290 ISO/IEC 27001 certificates issued worldwide. The 33,000+ certifications for ISO/IEC 27001 issued were the most ever and an increase of 20.9% over 2015 (27,536), which had an increase of 19.7% over 2014 (23,005).

Certification brings a number of benefits above and beyond mere compliance, in much the same way that an ISO 9000 series certificate says more than just “We are a quality organization”. Independent audits provide formality and diligence to the implementation process and invariably, at the very least, require senior management approval if not involvement.

The certificate carries marketing potential, in that the organization makes information security management a high priority. It says “We have a compliant ISMS in place”, not “We are secure”. That’s an important distinction, as well as, the scope of the ISMS for the certification. If only a portion of the organization falls under the scope for the certification, then the rest of the organization is most likely operating at much higher risk levels.

Mandatory requirements for certification

ISO/IEC 27001 is a formalized specification for an ISMS with two distinct purposes

  1. What an organization can do in order to implement an ISMS;
  2. Used as the basis for a formal, accredited certification audit in order to certify an organization’s compliance.

Here is a list of the documents and records necessary for compliance with ISO 27001:

  • Scope of the ISMS (clause 4.3)
  • Information security policy and objectives (clauses 5.2 and 6.2)
  • Risk assessment and risk treatment methodology (clauses 6.1.2)
  • Statement of Applicability (clause 6.1.3 d)
  • Risk treatment plan (clauses 6.1.3 e and 6.2)
  • Risk assessment report (clause 8.2)
  • Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
  • Inventory of assets (clause A.8.1.1)
  • Acceptable use of assets (clause A.8.1.3)
  • Access control policy (clause A.9.1.1)
  • Operating procedures for IT management (clause A.12.1.1)
  • Secure system engineering principles (clause A.14.2.5)
  • Supplier security policy (clause A.15.1.1)
  • Incident management procedure (clause A.16.1.5)
  • Business continuity procedures (clause A.17.1.2)
  • Statutory, regulatory, and contractual requirements (clause A.18.1.1)

(Note: documents from Annex A are mandatory only if they are chosen to mitigate identified risks.)

And here are the mandatory records:

  • Records of training, skills, experience and qualifications (clause 7.2)
  • Monitoring and measurement results (clause 9.1)
  • Internal audit program (clause 9.2)
  • Results of internal audits (clause 9.2)
  • Results of the management review (clause 9.3)
  • Results of corrective actions (clause 10.1)
  • Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)

The standard does not specify precisely what form the documentation should take, but section 7.5.2 talks about aspects such as the titles, authors, formats, media, review and approval, while 7.5.3 concerns document control, implying a fairly formal ISO 9000-style approach. Electronic documentation (such as intranet pages) are just as good as paper documents, in fact better in the sense that they are easier to control.

Annex A

Annex A of ISO 27001 is a catalogue of 114 security controls you can select from to mitigate identified risks that are applicable to your organization. Considered by many experts to be the most well-known and useful annex of all the ISO standards, because it provides an essential catalogue of controls for managing and improving security of the information through the ISMS.

The ISO’s intellectual property rights prohibit the publication of the ISO 27001 Standard. Here is a brief overview of the 14 sections from Annex A with a simple explanation about how the controls are structured and the purpose of each:

  • A.5 Information security policies – controls on how the policies are written and reviewed
  • A.6 Organization of information security – controls on how the responsibilities are assigned; also includes the controls for mobile devices and teleworking
  • A.7 Human resources security – controls prior to employment, during, and after the employment
  • A.8 Asset management – controls related to inventory of assets and acceptable use, also for information classification and media handling
  • A.9 Access control – controls for Access control policy, user access management, system and application access control, and user responsibilities
  • A.10 Cryptography – controls related to encryption and key management
  • A.11 Physical and environmental security – controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, clear desk and clear screen policy, etc.
  • A.12 Operational security – lots of controls related to management of IT production: change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, etc.
  • A.13 Communications security – controls related to network security, segregation, network services, transfer of information, messaging, etc.
  • A.14 System acquisition, development and maintenance – controls defining security requirements and security in development and support processes
  • A.15 Supplier relationships – controls on what to include in agreements, and how to monitor the suppliers
  • A.16 Information security incident management – controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence
  • A.17 Information security aspects of business continuity management – controls requiring the planning of business continuity, procedures, verification and reviewing, and IT redundancy
  • A.18 Compliance – controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security

ISO/IEC 27001 isn’t focused on IT only. While IT is certainly important, IT alone can’t protect all of the information. A collective and collaborative team effort is required to properly secure the organization’s information through physical security, IT security, human resources, legal protection, management commitment, and other organizational specifics.

ISO/IEC 27001:2013 Compliance with RM Studio

ISO 27001:2013 certification provides your organization with a competitive advantage, added trust and value to your clients. RM Studio sharpens your focus on the risk management process and supports your organization in the certification and audit process.

RM Studio is a database driven software application for information security risk management.

Developed, designed and optimized to assist your organization in implementing and maintaining an information security management system (ISMS) that complies with ISO 27001:2013. RM Studio is based on the methodology of ISO 27005 Information Security Risk Management Standard. RM Studio utilizes a systematic approach to information security risk management to identify your organization’s needs regarding information security requirements and in creating an effective ISMS. RM Studio assists you in making information security risk management an integral part of all information security management activities and can be utilized in both the implementation and ongoing operations of your ISMS.