The ISO/IEC 27001 certification

ISO/IEC 27001 is an international standard on how to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and then revised in 2013. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), the aim of which is to help organizations make the information assets they hold more secure. A European adoption of the standard (EN ISO/IEC 27001:2017) was published in 2017. Organizations that meet the standard’s requirements can choose to be certified by an accredited certification body following the successful completion of an audit. The effectiveness of the ISO/IEC 27001 certification process and the overall standard has been addressed in a large-scale study conducted in 2020. A further revision, ISO/IEC 27001:2022, was published in October 2022; the clause and Annex A descriptions below follow the 2013 edition.

The ISO/IEC 27001 certification, like other ISO management system certifications, usually involves a three-stage external audit process defined by the ISO/IEC 17021 and ISO/IEC 27006 standards:

  • Stage 1 is a preliminary, informal review of the ISMS, for example checking the existence and completeness of key documentation such as the organization’s information security policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP). This stage serves to familiarize the auditors with the organization and vice versa.
  • Stage 2 is a more detailed and formal compliance audit, independently testing the ISMS against the requirements specified in ISO/IEC 27001. The auditors will seek evidence to confirm that the management system has been properly designed and implemented, and is in fact in operation (for example by confirming that a security committee or similar management body meets regularly to oversee the ISMS). Certification audits are usually conducted by ISO/IEC 27001 Lead Auditors. Passing this stage results in the ISMS being certified compliant with ISO/IEC 27001.
  • Stage 3 is ongoing: follow-up surveillance audits confirm that the organization remains in compliance with the standard, and a recertification audit is required before the certificate expires (certificates are normally valid for three years, with surveillance audits at least annually in between). Certification maintenance therefore requires periodic re-assessment to confirm that the ISMS continues to operate as specified and intended; by agreement with management these reviews are often conducted more frequently, particularly while the ISMS is still maturing.

Clauses

ISO/IEC 27001:2013 has ten short clauses, plus a long annex, which cover:

  1. Scope of the standard
  2. Normative references
  3. Reuse of the terms and definitions in ISO/IEC 27000
  4. Organizational context and stakeholders
  5. Information security leadership and high-level support for policy
  6. Planning an information security management system; risk assessment; risk treatment
  7. Supporting an information security management system
  8. Making an information security management system operational
  9. Reviewing the system’s performance
  10. Improvement: corrective action and continual improvement

Clause 1: Scope

The first clause details the scope of the standard.

Clause 2: Normative references

All the normative references are contained in ISO/IEC 27000, Information technology – Security techniques – Information security management systems – Overview and vocabulary, which is referenced and provides valuable guidance.

Clause 3: Terms and definitions

Please refer to the terms and definitions contained in ISO/IEC 27000. This is an important document to read.

Clause 4: Context of the organization

This is the clause that establishes the context of the organization and its effect on the ISMS. Much of the rest of the standard relates back to this clause. The starting point is to identify all external and internal issues relevant to your organization and to the information it holds, including information entrusted to it by third parties. Then you need to identify all “interested parties” (stakeholders) and how they are relevant to that information, along with their requirements, which could include legal, regulatory and/or contractual obligations. You’ll also need to consider topics such as market assurance and governance goals. You will be required to decide on the scope of your ISMS, which needs to link with the strategic direction of your organization, its core objectives and the requirements of interested parties; the scope statement is one of the first documents an auditor will ask for. Finally, you’ll need to show how you establish, implement, maintain and continually improve the ISMS in accordance with the standard.

Clause 5: Leadership

This clause is all about the role of “top management,” which is the group of people who direct and control your organization at the highest level. They will need to demonstrate leadership and commitment by leading from the top. Top management needs to establish the ISMS and the information security policy, ensuring they are compatible with the strategic direction of the organization. They also need to make sure that these are made available, communicated, maintained and understood by all parties. Top management must ensure that the ISMS is continually improved and that direction and support are given. They can assign ISMS-relevant responsibilities and authorities, but ultimately they remain accountable.

Clause 6: Planning

This clause outlines how an organization plans actions to address risks and opportunities relating to its information. It focuses on how an organization identifies, analyzes and treats information security risk, and the treatment chosen needs to be proportionate to the potential impact of the risk. ISO 31000, the international standard for risk management, contains valuable guidance. Organizations are also required to produce a “Statement of Applicability” (SoA). The SoA provides a summary of the decisions an organization has taken regarding risk treatment: the control objectives and controls it has included, those it has excluded, and the justification for each inclusion and exclusion. In practice, every included control in the SoA should be traceable to a risk in the risk assessment or to a legal, regulatory or contractual requirement, and every exclusion should survive the question “which risk would this control have treated?”. Another key area of this clause is the need to establish information security objectives, and the standard defines the properties these objectives must have (for example, being consistent with the information security policy, measurable where practicable, communicated, and updated as appropriate).

Clause 7: Support

This section of ISO/IEC 27001 is all about getting the right resources, the right people and the right infrastructure in place to establish, implement, maintain and continually improve the ISMS. It deals with requirements for competence, awareness and communication to support the ISMS, which could include making training and personnel available, for example. This clause also requires all personnel working under an organization’s control to be aware of the information security policy, how they contribute to its effectiveness and the implications of not conforming. The organization also needs to ensure that internal and external communications relevant to information security and the ISMS are handled appropriately. This includes identifying what needs to be communicated, to whom, when and how it is delivered. It’s in this clause that the term “documented information” is introduced. Organizations need to determine the level of documented information that’s necessary to control the ISMS. There is also an emphasis on controlling access to documented information (including its creation, update, distribution, retention and disposal), which reflects the importance of information security.

Clause 8: Operation

This clause is all about the execution of the plans and processes that are the subject of the previous clauses. It deals with carrying out the actions determined in planning and achieving the information security objectives. In recognition of the increased use of outsourcing in today’s business world, outsourced processes also need to be identified and controlled. Any changes, whether planned or unintended, need to be considered here, along with their consequences for the ISMS. The clause also requires information security risk assessments to be performed at planned intervals, or when significant changes occur, and for the results to be retained as documented information. Finally, there is a section that deals with the implementation of the risk treatment plan, and again the results must be retained as documented information.

Clause 9: Performance evaluation

This clause is all about monitoring, measuring, analyzing and evaluating your ISMS to ensure that it is effective and remains so. It helps organizations to continually assess how they are performing against the objectives of the standard and their own information security objectives, so that they can continually improve. You will need to decide what information you need to evaluate information security effectiveness, the methods employed, and when it should be analyzed and reported. Internal audits will need to be carried out as well as management reviews. Both of these must be performed at planned intervals and the findings will need to be retained as documented information. It should be noted that management reviews are also an opportunity to identify areas for improvement.

Clause 10: Improvement

This part of the standard is concerned with corrective action requirements. You will need to show how you react to nonconformities, take action to correct them and deal with the consequences. You’ll also need to show whether any similar nonconformities exist or could potentially occur, and how you will eliminate their causes so they do not recur or occur elsewhere. There is also a requirement to show continual improvement of the ISMS, including demonstrating its continuing suitability, adequacy and effectiveness. How you do this is up to you. ISO/IEC 27001:2013 also includes Annex A, which outlines 114 controls in 14 domains to help protect information in a variety of areas across the organization (the 2022 revision restructures Annex A into 93 controls grouped into four themes). ISO/IEC 27002 provides best-practice implementation guidance for these controls and acts as a valuable reference when deciding which controls to include in, or exclude from, your SoA.
