Like all ISO standards, ISO 27001 lays out specific requirements that companies must adhere to as they work toward compliance and certification. Creating a high-functioning Information Security Management System based on the ISO 27001 standard serves two distinct purposes. The standard itself lays out the specific design for an Information Security Management System (ISMS), detailing all of the most important facets. Then, by following the set requirements, the resulting system can be used as the basis for assessment for a formal compliance audit in order to receive certification.

Pursuing ISO 27001 certification requires a deep dive in to organizational systems and processes as they relate to information security practices. Just like ISO 9001, which serves as the basic framework for the 27001 standard, companies will move through a series of clauses designed to guide them, step by step, toward compliance and eventual certification.

Based on the original quality standard, the first three clauses of ISO 27001 are in place to introduce and inform the organization about the specifics of the standard. Clause 4 is where the 27001-specific information begins to dovetail into the original requirements and the real work begins.

Section 4: Context of the Organization

Organizations must begin with outlining the context of their organization specific to their information security practices. They must identify all internal and external issues related to information security, all interested parties and the requirements specific to those parties, and the scope of the ISMS, or the areas of the business to which the standard and ISMS will apply.

Per clause 4.3, the development of the scope of the system is one of the most crucial elements of this clause. Each area and department of the business should be carefully evaluated to determine how it will be impacted by the ISMS, and how the system will control that area. The scope defines exactly what needs to be protected.

Organizations can break down the development of the scope statement into three steps. First, they will identify both the digital and physical locations where information is stored, then they will identify ways in which that information should be accessed and by whom. All entry points, including file rooms, laptops, or even desk drawers, must be considered. Lastly, they must identify information that falls out of the scope of the ISMS, such as third-party inputs or areas where sensitive information is not stored, and they must identify that in writing through their scope.

Like all ISO processes, the careful recording and documentation of information is crucial to the process. Starting with the context of the organization and the scope statement, companies must keep careful and accessible records of their work.

Section 5: Leadership

Again, derived from the ISO 9001 standard, the involvement of top management in the development and implementation of the ISMS is a requirement of the 27001 standard. They are responsible for identifying roles and responsibilities, both within the certification process and in the ISMS as a whole, and they are required to work on the development of the organizations Information Security Policy (a requirement unique to the 27001 framework).

Defined in clause 5.2, the Information Security Policy sets the high-level requirements of the ISMS that will be developed. Board involvement is crucial and their requirements and expectations should be clearly defined by the policy.

Additionally, the statement must clearly outline the expectation for full-organization involvement and participation in the pursuit of ISO 27001 and their commitment to upholding the ISMS after certification. Customers, suppliers, and shareholders should also be considered within the security policy, and the board should consider the effects the policy will have on all interested parties, including both the benefits and potential drawbacks of implementing stringent new rules.

The policy doesn’t need to be lengthy, but it must address the following in enough detail that it can be clearly understood by all readers.

The policy must:

  • Set the objectives and establish overarching direction for the ISMS
  • Take into account all requirements of the business, including legal, regulatory, and contractual matters and their related security
  • State the context of the ISMS and the strategy for its establishment and implementation
  • Illustrate an understanding the necessity and practice of risk evaluation and the organization’s process of risk assessment
  • State the locations within the organization that will be impacted by the policy and the ISMS
  • Outline the authority with which the policy was created and their full understanding of the policy’s purpose

The official adoption of the policy must be confirmed by the board of directors and executive leadership team before being circulated throughout the organization. The ultimate goal of the policy is to create a shared understanding of the policy’s intent to manage risk associated with greater information security in order to protect and propel the business forward.

Section 6: Planning

Moving into clause 6, organizations are tasked with evaluating, defining, and managing the risks associated with their Information Security Management System.

Risk assessment, treatment, plans, and objectives must all be documented and maintained through the planning step.

The assessment process allows organizations to dig into the meat of the risks they face. Starting with the establishment of the management framework, they will determine baseline security criteria, appetite for risk, and how the risks they manage could potentially impact and affect their operations.

Once they develop an understanding of baseline requirements, they will work to develop a treatment plan, providing a summary how the identified risks could impact their business, their level of tolerance, and the probability of the threats they face. They will be required to determine a response specific to each risk and include in their summary the parties responsible for the mitigation and control of each factor, be it through elimination, control, retention, or sharing of the risk with a third party.

Annex A

Specific to the ISO 27001 standard, organizations can choose to reference Annex A, which outlines 114 additional controls organizations can put in place to ensure their compliance with the standard. The Statement of Applicability (SoA) is an important document related to Annex A that must be carefully crafted, documented, and maintained as organizations work through the requirements of clause 6. In this document, companies declare which controls they have selected to pursue and which have been omitted, along with the reasoning behind those choices and all supporting related documentation.

Annex A outlines (but does not fully specify) the following documentation:

  • rules for acceptable use of assets
  • access control policies
  • operating procedures
  • confidentiality and/or non-disclosure agreements
  • secure system engineering principles
  • information security policies for supplier relationships
  • information security incident response procedures
  • relevant laws
  • regulations
  • contractual obligations
  • associated compliance procedures
  • information security continuity procedures

It is important to note that organizations are not required to adopt and comply with Annex A. If other structures and approaches are identified and implemented to treat information risks, they may choose to follow those methods. They will, however, be required to provide documentation related to these facets of their ISMS.

Annex A also outlines controls for risks organizations may face and, depending on the controls the organization selects, the following documentation must also be maintained:

  • Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4);
  • Inventory of assets (clause A.8.1.1);
  • Acceptable use of assets (clause A.8.1.3);
  • Access control policy (clause A.9.1.1);
  • Operating procedures for IT management (clause A.12.1.1);
  • Secure system engineering principles (clause A.14.2.5);
  • Supplier security policy (clause A.15.1.1);
  • Incident management procedure (clause A.16.1.5);
  • Business continuity procedures (clause A.17.1.2);
  • Statutory, regulatory and contractual requirements (clause A.18.1.1); and
  • Logs of user activities, exceptions and security events (clauses A.12.4.1 and A.12.4.3).

Section 7: Support

Moving into section 7, the standard requires companies to define the availability of resources, competencies, awareness, communication, and control of documents and records. Documentation relating to the training, skills, experience, and qualifications, especially related to those individuals in the organization in information security roles, is a vital piece of the planning process (the first stage of the PDCA cycle).

Organizations can simplify this process by following three steps: First, identifying exactly what information is needed and by whom in order for processes to be properly completed. Then, training the individuals on the appropriate methods used to acquire and access sensitive information. And last, evaluating the effectiveness of training through continued follow-up (or, in some cases, through formal exam or accredited certification).

It is important for companies to evaluate the entirety of their ISMS related documentation in order to determine which documents are necessary for the overall function of the business.

Section 8: Operation

ISO 27001 moves into the DO phase of the PDCA cycle in section 8, requiring businesses to implement the risk treatment plan developed during section 6. Additionally, it asks organizations to set controls and processes in place to help work toward achievement of their cyber and information security objectives.

This is the literal “doing” of the standard implementation. By creating and maintaining the implementation documentation and recording the controls put in place to reach goals, companies will be able to quantifiably measure their efforts toward improved information and cyber security through their risk assessment reports. In turn, these reports will aid in making educated decisions based on data that comes directly from company performance, thus increasing the ability of the organization to make smart decisions as they continue to approach the treatment of risks.

Section 9: Performance Evaluation

Those educated decisions can be made because of the requirements ISO sets for the measurement and monitoring of compliance efforts. Through both internal audits and management review, organizations can evaluate and analyze the effectiveness of their newly-developed information security processes.

There are five steps of evaluation companies can follow to measure and monitor their progress.

  1. Document Review
    Companies must ensure the scope of their ISMS is clear and fits the goals and limits of the organization. By clearly stating the processes and systems encompassed in the ISMS, organizations will provide a clear expectation of the areas of the business that are susceptible to audit (both for performance evaluation and certification). All documentation that is created throughout the implementation of the ISMS can be referenced throughout a review.
  2. Audit Plan
    The audit plan is created by the internal auditors and management team and lays out the specific details of what systems and processes will be reviewed and when the review will happen. Both formal and informal checks can be defined. Following the audit plan, both auditors and management staff are given the opportunity to flag concerns and make suggestions for improvement within the ISMS.
  3. Field Review
    The field review is the actual action of the audit – taking a real-life look at how processes work to minimize risk within the ISMS. The audit team is given the opportunity to dig into the organization’s information security practices, speak with employees, observe systems, and take a wholistic look at the entirety of the organization as it relates to the requirements of the standard. As they gather evidence, proper documentation and records must be kept.
  4. Analysis
    Following the field review, the results should be evaluated and determination made with regard to the impact the ISMS makes on control and risk. Through this analysis, some organizations may find areas of their information security system that need further control through their ISMS.
  5. Report
    Finally, a report will be created and presented to the management team outlining the entirety of the ISMS performance evaluation. It should start with a summary of the scope, objectives, and details of the ISMS followed by a summary of the audit results before digging into an in-depth analysis of the field review with recommendations for actions to be taken.

The ISO 27001 standard – like all ISO standards – requires the participation of top management to drive the initiative through the organization. Through the process of performance evaluation, the management team will be required to review the effectiveness of the ISMS and commit to action plans for its continued improvement. When followed, this process provides evidence of top management review and participation in the success of the ISMS.

Section 10: Improvement

Finally, organizations are able to act upon the findings of their internal audits and systems review. When nonconformities are identified, corrective actions can be implemented. As companies follow the process of ISMS review and performance evaluation, they will naturally fall into the pattern of continuous improvement of their system. Again, as with all ISO standards, ISO 27001 requires the careful documentation and record keeping of all found nonconformities and the actions taken to address and correct the root cause of the problem, enabling them to show evidence of their efforts as required.

ISO standards come with a seemingly hefty list of requirements. However, as organizations get to work creating and implementing an ISO-caliber ISMS, they often find that they are already complying with many of the listed ISO requirements. The process of becoming ISO certified allows companies to focus on the organization of the protection of their assets and can sometimes uncover gaps in risk management and potential for system improvement that would have otherwise been overlooked. Overall, the effort made – by IT, management, and the workforce as a whole – serves not only the safety of the company’s most vital assets, but also contributes to the company’s potential for long-term success.

For more information about ISO 27001 certification or consulting services, visit Core Business Solutions ISO 27001 Page