In this article, we will explore how ISO 27001 (the ISO/IEC 27001:2013 standard) sets out requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). An ISMS is a systematic approach to managing an organization’s crown jewels (e.g. valuable assets and data) and sensitive information so that they remain secure, by applying a risk management approach. Further, there are three main security goals of an ISMS for an organization:
- Confidentiality — only the authorized personnel have the right to access information.
- Integrity — only the authorized personnel can modify the information.
- Availability — the information must be accessible to authorized personnel whenever it is needed.
The ISMS is related to the two major sections of the standard, the requirements section (clauses 0 - 10) and the controls section (Annex A), as follows:
Requirements (Clauses 0 - 10)
The requirements section of the standard describes the characteristics an organization must have to properly manage its ISMS. It consists of eleven short clauses, numbered 0 - 10. Clauses 0 - 3 (Introduction, Scope, Normative References, and Terms and Definitions) introduce the ISO 27001 standard and its terminology, while clauses 4 - 10 set the mandatory requirements for an ISMS, which must be implemented for an organization to be compliant with the standard.
The standard takes a risk management approach to protecting the information security of an organization. Risk assessment is done to find potential risks to information, and then risk treatment is done to address them through security controls. The security controls used to address risk take the form of policies, procedures, and technical controls that secure assets. The following are the mandatory requirements for an ISMS:
- 4 - Context of the organization: Defining the intended scope of the standard in an organization, and the requirements arising from external and internal issues and interested parties. This can be achieved by understanding the organization and its context, the expectations of the stakeholders, and the scope of the management system.
- 5 - Leadership: Defining top management responsibilities, high-level contents of the Information Security Policy, and roles and responsibilities. This can be achieved by gaining the executive management commitment to maintain an effective ISMS and security policy, and formally establishing security‐related roles and responsibilities.
- 6 - Planning: Defining the information security objectives and the requirements for risk assessment, risk treatment, and the Statement of Applicability. The information security objectives are defined by setting a plan for how to achieve them and taking actions to address risks and opportunities within the organization.
- 7 - Support: Defining requirements for availability of resources, competencies, awareness, communication, and control of documents and records by providing the necessary resources, communications, and training regarding information security awareness.
- 8 - Operation: Defining the implementation of risk assessment and treatment, as well as the controls and other processes needed to achieve the information security objectives. This can be achieved by taking a risk-based approach to the assessment, identifying each risk and how it could be treated, developing a risk treatment plan, and implementing that plan against the identified risks.
- 9 - Performance evaluation: Defining requirements for monitoring, measurement, analysis, evaluation, internal audit, and management review.
- 10 - Improvement: Defining requirements for nonconformities, corrections, corrective actions, and continual improvement by seizing opportunities to make security processes and controls better over time.
Security Controls (Annex A)
Annex A, the controls section of ISO 27001, contains a set of 114 industry-standard security controls or safeguards grouped into 14 sections, organized in the following categories:
- Information security policies: Defining management direction and rules for information security in accordance with business requirements and relevant laws and regulations.
- Organization of information security: Defining an organization structure to initiate and control the implementation of information security.
- Human resource security: Ensuring that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered, and that they are aware of and fulfil their information security responsibilities prior to, during, and after employment.
- Asset management: Identifying organizational assets and defining appropriate protection responsibilities, such as preventing unauthorized disclosure, modification, removal or destruction of information stored on media.
- Access control: Limiting access to information and information processing facilities so that only authorized users have access, and preventing unauthorized access to systems and services.
- Cryptography: Ensuring proper and effective use of cryptography to protect the confidentiality, authenticity, and integrity of information.
- Physical and environmental security: Preventing unauthorized physical access, damage, and interference to the organization’s information and information processing facilities.
- Operations security: Ensuring correct and secure operations of information processing facilities.
- Communications security: Ensuring the protection of information in networks and their supporting information processing facilities, and maintaining the security of information transferred within an organization and with any external entity.
- Systems acquisition, development, and maintenance: Ensuring that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
- Supplier relationships: Ensuring protection of the organization’s assets made available to suppliers.
- Information security incident management: Ensuring a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
- Information security aspects of business continuity management: Embedding information security continuity in the organization’s Business Continuity Management (BCM) systems.
- Compliance: Preventing breaches of legal, statutory, regulatory, or contractual obligations related to information security, and of any other security requirements, through compliance with legal and contractual requirements and regular information security reviews.
Becoming ISO/IEC 27001:2013 Compliant: Who, When, Where, Why, How
Who: ISO/IEC 27001:2013 is suitable for any organization that wants to improve its information security management system using a widely recognized information security leading-practice standard and to obtain formal security assurance.
When: An organization can implement ISO/IEC 27001:2013 and get certified at any time, but certification is not mandatory. The organization may choose to implement the standard first and get certified later, when it is compelled by regulations or when it wants to increase trust among customers and clients by providing extended security assurance.
Where: The standard can be adopted and implemented in any organization regardless of its size, type, or nature, whether private or state-owned, profit or non-profit.
Why: ISO/IEC 27001:2013 benefits organizations by implementing security in a comprehensive manner. It helps organizations comply with legal requirements, gain a marketing advantage by reassuring customers about security, lower costs by preventing incidents, and be better organized by defining processes and procedures for a coordinated approach to information security.
How: An organization that wants to improve its security management system using ISO/IEC 27001:2013 as its standard would undergo the following activities:
- Gap analysis: The first step in achieving compliance, a gap analysis is performed either internally or by an external information security expert. A gap analysis helps the organization fully understand which requirements and controls they do and do not comply with.
- Remediation: For any requirements and controls with which the organization is not compliant, it can make changes to its people, processes, and technologies to become compliant.
- Measure, monitor and review: The performance of the ISMS must be continually analyzed and reviewed for effectiveness and compliance, and improvements to existing processes and controls must be identified.
- Internal audit: The ISMS must be audited internally at planned intervals. A practical working knowledge of the lead audit process is therefore crucial for the champions responsible for implementing and maintaining ISO/IEC 27001:2013 compliance, and it prepares the organization for the certification audit conducted by an external auditor or an organization authorized to certify and register it as ISO/IEC 27001:2013 compliant.
- Certification and registration: During the Stage One certification audit, the auditor will assess whether the documentation meets the requirements of the ISO/IEC 27001:2013 standard and point out any areas of nonconformity and potential improvement of the management system. Once any required changes have been made, the organization will then be ready for a Stage Two registration audit. During a Stage Two audit, the auditor will conduct a thorough assessment to establish whether the organization is complying with the ISO/IEC 27001:2013 standard.