ISO27001 Implementation Services
What are the requirements for ISO 27001?
The mandatory requirements for ISO 27001 are defined in its clauses 4 through 10 – this means that all those requirements must be implemented in an organization if it wants to be compliant with the standard. Controls from Annex A must be implemented only if declared as applicable in the Statement of Applicability.
The requirements from sections 4 through 10 can be summarized as follows:
Clause 4: Context of the organization – defines requirements for understanding external and internal issues, interested parties and their requirements, and defining the ISMS scope.
Clause 5: Leadership – defines top management responsibilities, setting the roles and responsibilities, and contents of the top-level Information Security Policy.
Clause 6: Planning – defines requirements for risk assessment, risk treatment, Statement of Applicability, risk treatment plan, and setting the information security objectives.
Clause 7: Support – defines requirements for availability of resources, competencies, awareness, communication, and control of documents and records.
Clause 8: Operation – defines the implementation of risk assessment and treatment, as well as controls and other processes needed to achieve information security objectives.
Clause 9: Performance evaluation – defines requirements for monitoring, measurement, analysis, evaluation, internal audit, and management review.
Clause 10: Improvement – defines requirements for nonconformities, corrections, corrective actions, and continual improvement.
What are the 14 domains of ISO 27001?
There are 14 “domains” listed in Annex A of ISO 27001, organized in sections A.5 to A.18. The sections cover the following:
A.5. Information security policies: The controls in this section describe how to handle information security policies.
A.6. Organization of information security: The controls in this section provide the basic framework for the implementation and operation of information security by defining its internal organization (e.g., roles, responsibilities, etc.), and through the organizational aspects of information security, like project management, use of mobile devices, and teleworking.
A.7. Human resource security: The controls in this section ensure that people who are under the organization’s control are hired, trained, and managed in a secure way; also, the principles of disciplinary action and terminating the agreements are addressed.
A.8. Asset management: The controls in this section ensure that information security assets (e.g., information, processing devices, storage devices, etc.) are identified, that responsibilities for their security are designated, and that people know how to handle them according to predefined classification levels.
A.9. Access control: The controls in this section limit access to information and information assets according to real business needs. The controls are for both physical and logical access.
A.10. Cryptography: The controls in this section provide the basis for proper use of encryption solutions to protect the confidentiality, authenticity, and/or integrity of information.
A.11. Physical and environmental security: The controls in this section prevent unauthorized access to physical areas, and protect equipment and facilities from being compromised by human or natural intervention.
A.12. Operations security: The controls in this section ensure that the IT systems, including operating systems and software, are secure and protected against data loss. Additionally, controls in this section require the means to record events and generate evidence, periodic verification of vulnerabilities, and make precautions to prevent audit activities from affecting operations.
A.13. Communications security: The controls in this section protect the network infrastructure and services, as well as the information that travels through them.
A.14. System acquisition, development and maintenance: The controls in this section ensure that information security is taken into account when purchasing new information systems or upgrading the existing ones.
A.15. Supplier relationships: The controls in this section ensure that outsourced activities performed by suppliers and partners also use appropriate information security controls, and they describe how to monitor third-party security performance.
A.16. Information security incident management: The controls in this section provide a framework to ensure the proper communication and handling of security events and incidents, so that they can be resolved in a timely manner; they also define how to preserve evidence, as well as how to learn from incidents to prevent their recurrence.
A.17. Information security aspects of business continuity management: The controls in this section ensure the continuity of information security management during disruptions, and the availability of information systems.
A.18. Compliance: The controls in this section provide a framework to prevent legal, statutory, regulatory, and contractual breaches, and audit whether information security is implemented and is effective according to the defined policies, procedures, and requirements of the ISO 27001 standard.
A closer look at these domains shows us that managing information security is not only about IT security (i.e., firewalls, anti-virus, etc.), but also about managing processes, legal protection, managing human resources, physical protection, etc.
What are the ISO 27001 controls?
The ISO 27001 controls (also known as safeguards) are the practices to be implemented to reduce risks to acceptable levels. Controls can be technical, organizational, legal, physical, human, etc.
How many controls are there in ISO 27001?
ISO 27001 Annex A lists 114 controls organized in the 14 sections numbered A.5 through A.18 listed above.
How do you implement ISO 27001 controls?
Technical controls are primarily implemented in information systems, using software, hardware, and firmware components added to the system. E.g. backup, antivirus software, etc.
Organizational controls are implemented by defining rules to be followed, and expected behavior from users, equipment, software, and systems. E.g. Access Control Policy, BYOD Policy, etc.
Legal controls are implemented by ensuring that rules and expected behaviors follow and enforce the laws, regulations, contracts, and other similar legal instruments that the organization must comply with. E.g. NDA (non-disclosure agreement), SLA (service level agreement), etc.
Physical controls are primarily implemented by using equipment or devices that have a physical interaction with people and objects. E.g. CCTV cameras, alarm systems, locks, etc.
Human resource controls are implemented by providing knowledge, education, skills, or experience to persons to enable them to perform their activities in a secure way. E.g. security awareness training, ISO 27001 internal auditor training, etc.
ISO 27001 mandatory documents
ISO 27001 specifies a minimum set of policies, procedures, plans, records, and other documented information that are needed to become compliant.
ISO 27001 requires the following documents to be written:
- Scope of the ISMS (clause 4.3)
- Information Security Policy and Objectives (clauses 5.2 and 6.2)
- Risk Assessment and Risk Treatment Methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk Treatment Plan (clauses 6.1.3 e and 6.2)
- Risk Assessment Report (clause 8.2)
- Definition of security roles and responsibilities (controls A.7.1.2 and A.13.2.4)
- Inventory of Assets (control A.8.1.1)
- Acceptable Use of Assets (control A.8.1.3)
- Access Control Policy (control A.9.1.1)
- Operating Procedures for IT Management (control A.12.1.1)
- Secure System Engineering Principles (control A.14.2.5)
- Supplier Security Policy (control A.15.1.1)
- Incident Management Procedure (control A.16.1.5)
- Business Continuity Procedures (control A.17.1.2)
- Statutory, Regulatory, and Contractual Requirements (control A.18.1.1)
And these are the mandatory records:
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal Audit Program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
- Logs of user activities, exceptions, and security events (controls A.12.4.1 and A.12.4.3)