ISO 27001 is the international security standard that lays out all information security controls when building an ISMS (Information Security Management System) for your organisation. When you comply with ISO 27001, it can help your organisation identify and overcome risks and possible data breaches.
To become ISO 27001 certified, an organisation must meet 22 main requirements, addressed in clauses 4.1 through 10.2. Let us take a look at what those requirements are, what an ISMS is, what type of documentation is required and why an organisation should aim to be ISO 27001 certified.
In this Article
- Why does an organisation need ISO 27001?
- What is an ISMS and why is it important?
- So what are the ISO 27001 requirements?
- What are ISO 27001 controls and how are they relevant to your organisation?
- What documents do you need to comply with ISO 27001?
- What is the Statement of Applicability (SoA)?
Why does an organisation need ISO 27001?
ISO 27001 sets out the procedures and rules you need to follow to comply with the standard and obtain certification. Certification provides you with credibility among your stakeholders and helps you gain a competitive advantage. If you want to learn more about ISO 27001, read our complete guide on ISO 27001.
What is an ISMS and why is it important?
An ISMS is a system of processes and technology that helps an organisation manage and protect its information. It is what shapes an organisation's data privacy and data management structure, and it allows the organisation to identify risks to its data, such as attempted breaches of the data management system. If you want to learn more about ISMS, read our comprehensive guide on ISMS.
It is necessary to have an up-to-date ISMS in order to meet the ISO 27001 requirements. In an age where information security is becoming increasingly important, having one will help you navigate the world of data privacy with a greater level of understanding.
To start implementing an ISMS, an organisation will need to understand the requirements of ISO 27001 and their context. All aspects and criteria are essential when complying with ISO 27001. Let's take a look at what the requirements are.
So what are the ISO 27001 requirements?
Having analysed the fundamental considerations of adopting the ISO 27001 standard requirements and the purpose behind implementing an ISMS, let's look at the requirements themselves, set out as clauses of the ISO 27001 international standard.
Bear in mind that these requirements have to be complied with not only when preparing for the ISO 27001 certification process, but also afterwards through continuous compliance: ISO 27001 is not just about gaining the certification, but about setting up a strong information security policy.
Clause 4: Context of the organisation
4.1 - Understanding the Organisational context
This clause acts as the base of an organisation's ISO 27001 implementation. As the name suggests, it is about understanding the organisation's setting.
4.2 - Understanding the Needs and Expectations of Interested Parties
This requirement follows on from understanding the organisational context. Typically, once Clause 4.1 and the goals of the organisation are understood, its potential stakeholders can be identified.
4.3 - Determining the Scope of the ISMS
This step is where the scope of the ISMS is established for the specific organisation. This is important because stakeholders will be able to understand which areas are and are not protected by the ISMS.
4.4 - Information Security Management System
This is where an organisation implements the ISMS. Once it is implemented, the organisation is required to continuously update and improve the system, all while providing adequate training to employees and staff.
Clause 5: Leadership
5.1 - Leadership & Commitment
This is where senior management and C-level executives of the organisation are expected to engage with information security and show genuine interest in learning about it. This ensures that they adopt it themselves and lead junior management by example.
5.2 - Information Security Policy
Senior management and C-level executives are expected to create an information security policy. The policy document itself may be easy to create, but it is the content of the document that matters to the ISMS, because it is this document that gives stakeholders the confidence to trust the organisation with their information.
5.3 - Organisational Roles, Responsibilities & Authorities
When implementing an ISMS, senior management and C-level executives are expected to ensure that roles, responsibilities and authorities are allocated appropriately among employees.
Clause 6: Planning
6.1 - Actions to Address Risks and Opportunities
Risk management plays a vital role in ISO 27001. Through risk management and risk assessment within the ISMS, organisations are able to identify risks and opportunities and assess the organisation's requirements.
6.2 - Information Security Objectives & Planning to Achieve them
Information security plays a vital role in an organisation's success and can be leveraged as a competitive advantage. That is why an organisation needs to know why it is implementing an ISMS: so that processes become quicker and more transparent along the way, and stay in line with its organisational goals.
Clause 7: Support
7.1 - Resources
An organisation needs to allocate adequate resources to itself when complying with ISO 27001. In addition to what is mentioned in clause 5.3, it is not compulsory for an organisation to continuously assign staff to update, maintain and improve the ISMS, but resources must be provided where necessary.
7.2 - Competence
ISO 27001 requires that staff handling processes related to the ISMS and ISO 27001 have the relevant knowledge and receive continuous update training, so that they remain competent with the standard and with information security as a whole.
7.3 - Awareness
Staff handling processes related to the ISMS and ISO 27001 must be aware of, and continuously updated on, the information security policy within the organisation. This includes the benefits of the ISMS, the methods of identifying risks and opportunities through risk assessment and risk management, and the possible consequences if the ISMS does not meet the organisation's security policy requirements.
7.4 - Communication
Staff handling processes related to the ISMS and ISO 27001 must be able to understand the terminology used in information security, such as that used in the UK GDPR, the ISMS, ISO 27001 and other security standards, and must know who they have to communicate with and how they should communicate.
7.5 - Documented Information
ISO 27001 and other ISO standards are stringent about the legitimacy and accuracy of the documentation that auditors receive from the organisation.
Clause 8: Operation
8.1 - Operational Planning & Control
It is important that an organisation has structured processes in place before and while implementing an ISMS and ISO 27001, such as those mentioned above in clauses 6.1, 6.2 and 7.5. This provides scope for efficient processes and a clear path to success.
8.2 - Information Security Risk Assessment
A security risk assessment identifies and evaluates risks and leads to the implementation of important information security controls. It also focuses on preventing security weak spots in applications. These assessments must be performed at regular intervals, as changes may be made within the ISMS and the information security policy.
8.3 - Information Security Risk Treatment
Avoiding, optimising, transferring or keeping risk are some of the risk treatment options. The measures can be chosen from the list of security controls used by the organisation's ISMS.
Clause 9: Performance evaluation
9.1 - Monitoring, Measurement, Analysis and Evaluation
If an organisation is also looking to become ISO 27001 certified, an auditor from the UKAS (United Kingdom Accreditation Service) for information security will monitor the established information security processes and controls, ISMS maintenance and overall ISO 27001 compliance. Therefore, an organisation is required to constantly monitor, measure, analyse and evaluate its ISMS.
9.2 - Internal Audit
An organisation must conduct internal audits on a regular basis to ensure that the ISMS abides by the organisation's information security policy and meets the requirements of the ISO 27001 standard to become certified.
9.3 - Management Review
Senior management and C-level executives are required to conduct management reviews at regular intervals throughout the year. These management reviews should identify areas for improvement in your organisation's ISMS and its overall ISO 27001 compliance.
While the reviews may only be required once or twice a year, it is advisable for your organisation to perform management reviews more regularly, because threat actors and their toolkits are constantly evolving.
Clause 10: Improvement
10.1 - Nonconformity and Corrective Action
If a nonconformity is spotted within the ISMS, the action that follows is a crucial part of ISMS improvement in an organisation. Both the nonconformity and the corrective action that followed must be documented.
10.2 - Continual Improvement
An ISMS relies heavily on continual improvement to achieve and maintain the adequacy and effectiveness of information security with respect to the organisation's objectives.
If an organisation complies with the above clauses and makes information security an important aspect of the organisation, this will play a vital role in obtaining ISO 27001 certification.
Even though it is essential to comply with all the above requirements, it is not essential to comply with all ISO 27001 controls. A crucial aspect of ISO 27001, apart from its requirements, is assessing exactly which controls apply to a specific organisation.
What are ISO 27001 controls and how are they relevant to your organisation?
ISO 27001 controls fall under Annex A of the standard, so they are referred to as Annex A controls. Annex A comprises 114 information security controls and objectives under 14 categories that organisations need to consider when complying with ISO 27001 and implementing ISMS measures.
The 14 categories of Annex A are:
- Information Security Policies
- Organisation of Information Security
- Human Resources Security
- Asset Management
- Access Control
- Cryptography
- Physical and Environmental Security
- Operational Security
- Communications Security
- Systems Acquisition, Development and Maintenance
- Supplier Relationships
- Information Security Incident Management
- Information Security aspects of Business Continuity Management
- Compliance
ISO 27001 Annex A is the most well-known annex of all ISO standards, as it offers an important tool for managing information security risks. If you want to learn more about ISO 27001: Annex A controls, read our comprehensive blog that breaks down the Annex A controls and provides a deeper understanding of how controls work within the ISO 27001 standard.
Annex A can also be thought of as a portfolio of information security controls from which you can choose: pick the measures among the 114 listed in Annex A that are relevant to your organisation's environment. Once these controls have been chosen specifically for your organisation, you can start preparing the documentation for the ISMS.
What documents do you need to comply with ISO 27001?
Documentation is a crucial part of complying with the ISO 27001 standard, as regular audits are held by external parties such as the UKAS. When an organisation undergoes an audit, the external auditors will need proof of all parts of the ISO 27001 and ISMS implementation, which should be shown through documentation.
The mandatory documents required for ISO 27001 are:
- 4.3 The scope of the ISMS
- 5.2 Information security policy
- 6.1.2 Information security risk assessment process
- 6.1.3 Information security risk treatment plan
- 6.1.3 The Statement of Applicability
- 6.2 Information security objectives
- 7.2 Evidence of competence
- 7.5.1 Documented information determined by the organisation as being necessary for the effectiveness of the ISMS
- 8.1 Operational planning and control
- 8.2 Results of the information security risk assessment
- 8.3 Results of the information security risk treatment
- 9.1 Evidence of the monitoring and measurement of results
- 9.2 A documented internal audit process
- 9.2 Evidence of the audit programmes and the audit results
- 9.3 Evidence of the results of management reviews
- 10.1 Evidence of the nature of the non-conformities and any subsequent actions taken
- 10.1 g) Evidence of the results of any corrective actions
Each of these documents is covered by the ISO 27001 requirements outlined above. Each criterion must be followed and documented accordingly so that the organisation can present it during external audits.
Clause 6.1.3, the Statement of Applicability, is one of the main documents that fall under clause 6.1, Actions to Address Risks and Opportunities.
What is the statement of applicability (SoA)?
When starting to implement ISMS controls and measures, you will come across the SoA, which is mandatory and acts as the main link between the risk assessment and the risk treatment in an organisation.
The SoA is part of clause 6.1.3 of the ISO 27001 standard, a component of the larger clause 6.1 requirements, which focus on activities that address risks and opportunities. It is one of the first things an external auditor looks at when performing an audit. If you want to learn more about the SoA, read our article on the Statement of Applicability in ISO 27001.
Using the SoA, an organisation can determine which ISO 27001 controls and policies are currently in place and compare them against the ISO 27001 Annex A controls.
Now that you have an understanding of ISO 27001, you can get started on the implementation. An ISO 27001 certification proves to your stakeholders that your organisation takes information security seriously.
It reduces uncertainty, reduces the risk of having a compromised system and enables your organisation to operate in an increasingly volatile cyberspace with peace of mind that you are doing what you can to mitigate the risks of operating in a technical world.