ISO 27001 is the international security standard that lays out the information security controls and requirements for building an ISMS (Information Security Management System) for your organisation. Complying with ISO 27001 helps your organisation identify and overcome risks and possible data breaches.
To become ISO 27001 certified, the standard has 22 main requirements addressed in clauses 4.1 through to 10.2. Let us take a look at what those requirements are, what an ISMS is, what type of documentation is required and why an organisation needs to be ISO 27001 certified.
In this Article
- Why does an organisation need ISO 27001?
- What is an ISMS and why is it important?
- So what are the ISO 27001 requirements?
- What are ISO 27001 controls and how are they relevant to your organisation?
- What documents do you need to comply with ISO 27001?
- What is the Statement of Applicability (SoA)?
Why does an organisation need ISO 27001?
ISO 27001 sets out the procedures and rules you need to follow to comply with the standard and obtain certification. Certification provides you with credibility among your stakeholders and helps you gain a competitive advantage. If you want to learn more about ISO 27001, read our complete guide on ISO 27001.
When your organisation starts implementing ISO 27001 measures, remember that the standard is not just a handbook of the controls you need to adhere to and how to apply them; it is also a step in the right direction for data protection and data privacy management.
What is an ISMS and why is it important?
An ISMS is a system of processes and technology that helps an organisation manage and protect its information. It shapes your organisation's data privacy and data management structure, and it allows your organisation to identify risks, such as attempted data breaches, to its data management systems. If you want to learn more about ISMS, read our comprehensive guide on ISMS.
You will need an up-to-date ISMS in order to meet the requirements of the ISO 27001 standard. In today's environment, where information security is becoming increasingly important, having one will help you navigate the world of data privacy more easily.
To start implementing an ISMS, your organisation will need to understand the requirements of ISO 27001 and their context. Your organisation cannot pick and choose which of these requirements to comply with, as they are all essential when complying with ISO 27001. Let's take a look at what the requirements are.
So what are the ISO 27001 requirements?
Now that we have outlined the basics of adopting the ISO 27001 requirements and the purpose behind implementing an ISMS, let's look at the requirements themselves, which take the form of clauses in the ISO 27001 international standard.
Keep in mind that these requirements have to be complied with not only when you are preparing for certification, but whenever you are looking to comply with ISO 27001: it is not just about gaining the certification, but about setting up a strong information security policy.
Clause 4: Context of the organisation
4.1 - Understanding the Organisational context
This clause acts as the base, or first step, of an organisation's ISO 27001 implementation. It means exactly what its name says: understanding your organisation's context and what is relevant to you.
4.2 - Understanding the Needs and Expectations of Interested Parties
This requirement follows on from understanding the organisational context. Once Clause 4.1 and the goals of the organisation are understood, its potential stakeholders can be identified.
4.3 - Determining the Scope of the ISMS
This step is where you carve out the scope of an ISMS tailored to your organisation. This is important because stakeholders will be able to understand which areas are and are not protected by the ISMS.
4.4 - Information Security Management System
This is where your organisation implements the ISMS. Once you implement it, you are required to continuously update and improve the system all while providing adequate training to your employees/staff.
Clause 5: Leadership
5.1 - Leadership & Commitment
This is where senior management and C-level executives of the organisation are expected to focus on, and show genuine interest in, learning about information security. This ensures they adopt it themselves and lead junior management by example.
5.2 - Information Security Policy
Senior management and C-level executives are expected to create an information security policy. The policy document itself may be easy to create, but it is the content of the document that matters to the ISMS, as it is this document that gives stakeholders the confidence to trust the organisation.
5.3 - Organisational Roles, Responsibilities & Authorities
When implementing an ISMS, senior management and C-level executives are expected to ensure that roles, responsibilities and authorities are assigned appropriately among employees.
Clause 6: Planning
6.1 - Actions to Address Risks and Opportunities
Risk management plays a vital role in ISO 27001. Through risk management and risk assessment within the ISMS, organisations are able to identify risks and opportunities and assess the organisation's requirements.
6.2 - Information Security Objectives & Planning to Achieve them
Information security plays a vital role in an organisation's success and can be leveraged as a competitive advantage. That is why an organisation needs to know why it is implementing an ISMS: so that processes become quicker and more transparent along the way, and stay in line with organisational goals.
Clause 7: Support
7.1 - Resources
An organisation needs to allocate adequate resources to its ISMS when complying with ISO 27001. Beyond what is mentioned previously in clause 5.3, organisations are not required to continuously dedicate staff to updating, maintaining and improving the ISMS, but resources must be put in place where necessary.
7.2 - Competence
ISO 27001 requires that staff handling processes related to the ISMS and ISO 27001 have the relevant knowledge and receive ongoing training in order to remain competent with the standard and with information security as a whole.
7.3 - Awareness
Staff handling processes related to the ISMS and ISO 27001 must be aware of, and be continuously updated on, the information security policy within the organisation. This includes the benefits of the ISMS, the methods of identifying risks and opportunities through risk assessment and risk management, and the possible consequences if the ISMS does not meet the organisation's security policy requirements.
7.4 - Communication
Staff handling processes related to the ISMS and ISO 27001 must be able to understand the terminology used in information security, such as that used in the UK GDPR, ISMSs, ISO 27001 and other security standards, and must know who they have to communicate with and how they should communicate.
7.5 - Documented Information
ISO 27001 and other ISO standards are stringent about the legitimacy and accuracy of the documentation they receive from an organisation. It is best to take the time to understand your organisation's ISMS in order to document its goals, objectives and limitations.
Clause 8: Operation
8.1 - Operational Planning & Control
It is important that an organisation has structured processes in place before and while implementing an ISMS and ISO 27001, such as those mentioned above in clauses 6.1, 6.2 and 7.5. This allows for efficient processes and a clear path to success.
8.2 - Information Security Risk Assessment
A security risk assessment identifies, evaluates and implements important information security controls. It also focuses on preventing security weak spots in applications. These assessments must be performed at regular intervals, as changes may be made within the ISMS and the information security policy.
8.3 - Information Security Risk Treatment
Avoiding, optimising, transferring or retaining risk are some of the risk treatment options. The measures can be chosen from the list of security controls used by the organisation's ISMS.
Clause 9: Performance evaluation
9.1 - Monitoring, Measurement, Analysis and Evaluation
If your organisation is also looking to become ISO 27001 certified, an auditor from the UKAS (United Kingdom Accreditation Service) for information security will be monitoring your information security processes and controls, ISMS maintenance and overall ISO 27001 compliance. Therefore, an organisation is required to constantly monitor, measure, analyse and evaluate its ISMS.
9.2 - Internal Audit
Your organisation must conduct internal audits on a regular basis to ensure that the ISMS abides by the organisation's information security policy and meets the requirements of the ISO 27001 standard to become certified.
9.3 - Management Review
Senior management and C-level executives are required to conduct management reviews at regular intervals throughout the year. These management reviews help identify areas of your organisation's ISMS and overall ISO 27001 compliance that can be improved.
While the reviews may only be required once or twice a year, it is advisable for your organisation to perform management reviews more frequently: as technology advances, the risk of exposure to threats is much higher than before.
Clause 10: Improvement
10.1 - Nonconformity and Corrective Action
If a nonconformity is spotted within the ISMS, the action that follows is a crucial part of ISMS improvement in an organisation. Both the nonconformity and the corrective action that followed must be documented.
10.2 - Continual Improvement
The ISMS relies heavily on continual improvement to achieve and maintain the suitability, adequacy and effectiveness of information security with respect to the organisation's objectives.
If an organisation complies with the above clauses and makes information security an important aspect of the organisation, this will play a vital role in obtaining ISO 27001 certification.
Even though it is essential to comply with all the above requirements, it is not essential to comply with all ISO 27001 controls. A crucial aspect of ISO 27001, apart from its requirements, is picking and choosing the exact controls that apply to your organisation. Take a look at what those controls are below and what they would mean for your organisation.
What are ISO 27001 controls and how are they relevant to your organisation?
ISO 27001 controls fall under Annex A of the standard, so they are referred to as Annex A controls. Annex A comprises 114 information security controls and objectives under 14 categories that organisations need to consider when complying with ISO 27001 and implementing an ISMS.
The 14 categories of Annex A are:
- Information Security Policies
- Organisation of Information Security
- Human Resources Security
- Asset Management
- Access Control
- Cryptography
- Physical and Environmental Security
- Operational Security
- Communications Security
- Systems Acquisition, Development and Maintenance
- Supplier Relationships
- Information Security Incident Management
- Information Security aspects of Business Continuity Management
- Compliance
ISO 27001 Annex A is the most well-known annex of all ISO standards, as it offers an important tool for managing information security risks. If you want to learn more about ISO 27001: Annex A controls, read our comprehensive blog that breaks down the Annex A controls and provides a deeper understanding of how controls work within the ISO 27001 standard.
Annex A can also be thought of as a portfolio of information security controls from which you can choose: pick the measures among the 114 listed in Annex A that are relevant to your organisation's environment. Once these controls have been chosen specifically for your organisation, you can start preparing the documentation for the ISMS.
What documents do you need to comply with ISO 27001?
Documentation is a crucial part of complying with the ISO 27001 standard, as regular audits are held by external parties such as the UKAS. When your organisation undergoes audits, the external auditors will need proof of all parts of the ISO 27001 and ISMS implementation, which should be provided through documentation.
The mandatory documents required for ISO 27001 are:
- 4.3 The scope of the ISMS
- 5.2 Information security policy
- 6.1.2 Information security risk assessment process
- 6.1.3 Information security risk treatment plan
- 6.1.3 The Statement of Applicability
- 6.2 Information security objectives
- 7.2 Evidence of competence
- 5.5.1 Documented information determined by the organisation as being necessary for the effectiveness of the ISMS
- 8.1 Operational planning and control
- 8.2 Results of the information security risk assessment
- 8.3 Results of the information security risk treatment
- 9.1 Evidence of the monitoring and measurement of results
- 9.2 A documented internal audit process
- 9.2 Evidence of the audit programmes and the audit results
- 9.3 Evidence of the results of management reviews
- 10.1 Evidence of the nature of the non-conformities and any subsequent actions taken
- 10.1 g) Evidence of the results of any corrective actions
Each of these documents is covered by the ISO 27001 requirements outlined above. Each criterion must be followed and documented accordingly so that an organisation can present the evidence during external audits.
Clause 6.1.3, the Statement of Applicability, is one of the main documents that fall under clause 6.1, Actions to Address Risks and Opportunities.
What is the statement of applicability (SoA)?
When starting to implement ISMS controls and measures, you will come across the SoA, which is mandatory and acts as the main link between the risk assessment and the risk treatment in an organisation.
The SoA is part of clause 6.1.3 of the primary ISO 27001 requirements, a component of the larger clause 6.1, which is focused on activities that address risks and opportunities. It is also one of the first things an external auditor looks at when performing an audit. If you want to learn more about the SoA, read our article on the Statement of Applicability in ISO 27001.
Using the SoA, an organisation can determine which ISO 27001 controls and policies are currently in place and compare them to the ISO 27001 Annex A controls.
Now that you have an understanding of ISO 27001, you can get started on the implementation. An ISO 27001 certification proves to your stakeholders that your organisation takes information security seriously.