What is ISO 27001?
It is a recognized standard which describes best practices for an information security management system.
How does ISO 27001 work?
The focus of ISO 27001 is to protect the confidentiality, integrity and availability of the information in a company. This is done by finding out what potential problems could happen to the information (i.e., risk assessment), and then defining what needs to be done to prevent such problems from happening (i.e., risk mitigation or risk treatment). Therefore, the main philosophy of ISO 27001 is based on managing risks: find out where the risks are, and then systematically treat them.
The safeguards (or controls) that are to be implemented are usually in the form of policies, procedures and technical implementation (e.g., software and equipment). However, in most cases companies already have all the hardware and software in place, but they are using them in an insecure way – therefore, the majority of the ISO 27001 implementation will be about setting the organizational rules (i.e., writing documents) that are needed in order to prevent security breaches. Since such implementation will require multiple policies, procedures, people, assets, etc. to be managed, ISO 27001 has described how to fit all these elements together in the information security management system (ISMS).
So, managing information security is not only about IT security (i.e., firewalls, anti-virus, etc.) – it is also about managing processes, legal protection, managing human resources, physical protection, etc.
Benefits of ISO 27001
Why is ISO 27001 good for your company?
There are 4 essential business benefits that a company can achieve with the implementation of this information security standard:
Comply with legal requirements – there are more and more laws, regulations and contractual requirements related to information security, and the good news is that most of them can be resolved by implementing ISO 27001 – this standard gives you the perfect methodology to comply with them all.
Achieve marketing advantage – if your company gets certified and your competitors do not, you may have an advantage over them in the eyes of the customers who are sensitive about keeping their information safe.
Lower costs – the main philosophy of ISO 27001 is to prevent security incidents from happening – and every incident, large or small, costs money. Therefore, by preventing them, your company will save quite a lot of money. And the best thing of all – investment in ISO 27001 is far smaller than the cost savings you’ll achieve.
Better organization – typically, fast-growing companies don’t have the time to stop and define their processes and procedures – as a consequence, very often the employees do not know what needs to be done, when, and by whom. Implementation of ISO 27001 helps resolve such situations, because it encourages companies to write down their main processes (even those that are not security-related), enabling them to reduce the lost time of their employees.
What does ISO 27001 actually look like?
ISO/IEC 27001 is split into 11 sections, plus Annex A. Sections 0 to 3 are introductory (and are not mandatory for implementation), while sections 4 to 10 are mandatory – meaning that all their requirements must be implemented in an organization if it wants to be compliant with the standard. Controls from Annex A must be implemented only if declared as applicable in the Statement of Applicability.
According to Annex SL of the International Organization for Standardization ISO/IEC Directives, the section titles in ISO 27001 are the same as in ISO 22301:2012, in the new ISO 9001:2015, and other management standards, enabling easier integration of these standards.
Section 0: Introduction – explains the purpose of ISO 27001 and its compatibility with other management standards.
Section 1: Scope – explains that this standard is applicable to any type of organization.
Section 2: Normative references – refers to ISO/IEC 27000 as a standard where terms and definitions are given.
Section 3: Terms and definitions – again, refers to ISO/IEC 27000.
Section 4: Context of the organization – this section is part of the Plan phase in the PDCA cycle and defines requirements for understanding external and internal issues, interested parties and their requirements, and defining the ISMS scope.
Section 5: Leadership – this section is part of the Plan phase in the PDCA cycle and defines top management responsibilities, setting the roles and responsibilities, and contents of the top-level Information security policy.
Section 6: Planning – this section is part of the Plan phase in the PDCA cycle and defines requirements for risk assessment, risk treatment, Statement of Applicability, risk treatment plan, and setting the information security objectives.
Section 7: Support – this section is part of the Plan phase in the PDCA cycle and defines requirements for availability of resources, competences, awareness, communication, and control of documents and records.
Section 8: Operation – this section is part of the Do phase in the PDCA cycle and defines the implementation of risk assessment and treatment, as well as controls and other processes needed to achieve information security objectives.
Section 9: Performance evaluation – this section is part of the Check phase in the PDCA cycle and defines requirements for monitoring, measurement, analysis, evaluation, internal audit and management review.
Section 10: Improvement – this section is part of the Act phase in the PDCA cycle and defines requirements for non-conformities, corrections, corrective actions and continual improvement.
Annex A – this annex provides a catalogue of 114 controls (safeguards) placed in 14 sections (sections A.5 to A.18).
How to implement ISO 27001
To implement ISO 27001 in your company, you have to follow these 16 steps:
1) Get top management support
2) Use project management methodology
3) Define the ISMS scope
4) Write the top-level Information security policy
5) Define the Risk assessment methodology
6) Perform the risk assessment and risk treatment
7) Write the Statement of Applicability
8) Write the Risk treatment plan
9) Define how to measure the effectiveness of your controls and of your ISMS
10) Implement all applicable controls and procedures
11) Implement training and awareness programs
12) Perform all the daily operations prescribed by your ISMS documentation
13) Monitor and measure your ISMS
14) Perform internal audit
15) Perform management review
16) Implement corrective actions
Mandatory documentation
ISO 27001 requires the following documentation to be written:
· Scope of the ISMS (clause 4.3)
· Information security policy and objectives (clauses 5.2 and 6.2)
· Risk assessment and risk treatment methodology (clause 6.1.2)
· Statement of Applicability (clause 6.1.3 d)
· Risk treatment plan (clauses 6.1.3 e and 6.2)
· Risk assessment report (clause 8.2)
· Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
· Inventory of assets (clause A.8.1.1)
· Acceptable use of assets (clause A.8.1.3)
· Access control policy (clause A.9.1.1)
· Operating procedures for IT management (clause A.12.1.1)
· Secure system engineering principles (clause A.14.2.5)
· Supplier security policy (clause A.15.1.1)
· Incident management procedure (clause A.16.1.5)
· Business continuity procedures (clause A.17.1.2)
· Statutory, regulatory, and contractual requirements (clause A.18.1.1)
And these are the mandatory records:
· Records of training, skills, experience and qualifications (clause 7.2)
· Monitoring and measurement results (clause 9.1)
· Internal audit program (clause 9.2)
· Results of internal audits (clause 9.2)
· Results of the management review (clause 9.3)
· Results of corrective actions (clause 10.1)
· Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
Of course, a company may decide to write additional security documents if it finds it necessary.
To see a more detailed explanation of each of these documents, download the free white paper Checklist of Mandatory Documentation Required by ISO 27001 (2013 Revision).
How many controls are there in ISO 27001?
There are 114 controls listed in ISO 27001 – it would be a violation of intellectual property rights if I listed all the controls here, but let me just explain how the controls are structured, and the purpose of each of the 14 sections from Annex A:
A.5 Information security policies – controls on how the policies are written and reviewed
A.6 Organization of information security – controls on how the responsibilities are assigned; also includes the controls for mobile devices and teleworking
A.7 Human resources security – controls prior to employment, during, and after the employment
A.8 Asset management – controls related to inventory of assets and acceptable use, also for information classification and media handling
A.9 Access control – controls for Access control policy, user access management, system and application access control, and user responsibilities
A.10 Cryptography – controls related to encryption and key management
A.11 Physical and environmental security – controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, clear desk and clear screen policy, etc.
A.12 Operational security – lots of controls related to management of IT production: change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, etc.
A.13 Communications security – controls related to network security, segregation, network services, transfer of information, messaging, etc.
A.14 System acquisition, development and maintenance – controls defining security requirements and security in development and support processes
A.15 Supplier relationships – controls on what to include in agreements, and how to monitor the suppliers
A.16 Information security incident management – controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence
A.17 Information security aspects of business continuity management – controls requiring the planning of business continuity, procedures, verification and reviewing, and IT redundancy
A.18 Compliance – controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security
Catalogue of threats & vulnerabilities
This list of threats and vulnerabilities can serve as a help for implementing risk assessment within the framework of ISO 27001 or ISO 22301. This list is not final – each organization must add their own specific threats and vulnerabilities that endanger the confidentiality, integrity and availability of their assets.
Threats
Below is a list of threats – this is not a definitive list, it must be adapted to the individual organization:
· Access to the network by unauthorized persons
· Bomb attack
· Bomb threat
· Breach of contractual relations
· Breach of legislation
· Compromising confidential information
· Concealing user identity
· Damage caused by a third party
· Damages resulting from penetration testing
· Destruction of records
· Disaster (human caused)
· Disaster (natural)
· Disclosure of information
· Disclosure of passwords
· Eavesdropping
· Embezzlement
· Errors in maintenance
· Failure of communication links
· Falsification of records
· Fire
· Flood
· Fraud
· Industrial espionage
· Information leakage
· Interruption of business processes
· Loss of electricity
· Loss of support services
· Malfunction of equipment
· Malicious code
· Misuse of information systems
· Misuse of audit tools
· Pollution
· Social engineering
· Software errors
· Strike
· Terrorist attacks
· Theft
· Thunderstroke
· Unintentional change of data in an information system
· Unauthorized access to the information system
· Unauthorized changes of records
· Unauthorized installation of software
· Unauthorized physical access
· Unauthorized use of copyright material
· Unauthorized use of software
· User error
· Vandalism
Vulnerabilities
Below is a list of vulnerabilities – this is not a definitive list, it must be adapted to the individual organization:
· Complicated user interface
· Default passwords not changed
· Disposal of storage media without deleting data
· Equipment sensitivity to changes in voltage
· Equipment sensitivity to moisture and contaminants
· Equipment sensitivity to temperature
· Inadequate cabling security
· Inadequate capacity management
· Inadequate change management
· Inadequate classification of information
· Inadequate control of physical access
· Inadequate maintenance
· Inadequate network management
· Inadequate or irregular backup
· Inadequate password management
· Inadequate physical protection
· Inadequate protection of cryptographic keys
· Inadequate replacement of older equipment
· Inadequate security awareness
· Inadequate segregation of duties
· Inadequate segregation of operational and testing facilities
· Inadequate supervision of employees
· Inadequate supervision of vendors
· Inadequate training of employees
· Incomplete specification for software development
· Insufficient software testing
· Lack of access control policy
· Lack of clean desk and clear screen policy
· Lack of control over the input and output data
· Lack of internal documentation
· Lack of or poor implementation of internal audit
· Lack of policy for the use of cryptography
· Lack of procedure for removing access rights upon termination of employment
· Lack of protection for mobile equipment
· Lack of redundancy
· Lack of systems for identification and authentication
· Lack of validation of the processed data
· Location vulnerable to flooding
· Poor selection of test data
· Single copy
· Too much power in one person
· Uncontrolled copying of data
· Uncontrolled download from the Internet
· Uncontrolled use of information systems
· Undocumented software
· Unmotivated employees
· Unprotected public network connections
· User rights are not reviewed regularly
ISO 27001 risk assessment & treatment – 6 basic steps
Risk assessment (often called risk analysis) is probably the most complex part of ISO 27001 implementation; but at the same time risk assessment (and treatment) is the most important step at the beginning of your information security project – it sets the foundations for information security in your company.
The question is – why is it so important? The answer is quite simple although not understood by many people: the main philosophy of ISO 27001 is to find out which incidents could occur (i.e. assess the risks) and then find the most appropriate ways to avoid such incidents (i.e. treat the risks). Not only this, you also have to assess the importance of each risk so that you can focus on the most important ones.
Although risk assessment and treatment (together: risk management) is a complex job, it is very often unnecessarily mystified. These 6 basic steps will shed light on what you have to do:
1. ISO 27001 risk assessment methodology
This is the first step on your voyage through risk management. You need to define rules on how you are going to perform the risk management because you want your whole organization to do it the same way – the biggest problem with risk assessment happens if different parts of the organization perform it in a different way. Therefore, you need to define whether you want qualitative or quantitative risk assessment, which scales you will use for qualitative assessment, what will be the acceptable level of risk, etc.
2. Risk assessment implementation
Once you know the rules, you can start finding out which potential problems could happen to you – you need to list all your assets, then threats and vulnerabilities related to those assets, assess the impact and likelihood for each combination of assets/threats/vulnerabilities and finally calculate the level of risk.
In my experience, companies are usually aware of only 30% of their risks. Therefore, you’ll probably find this kind of exercise quite revealing – when you are finished you’ll start to appreciate the effort you’ve made.
3. Risk treatment implementation
Of course, not all risks are created equal – you have to focus on the most important ones, so-called ‘unacceptable risks’.
There are four options you can choose from to mitigate each unacceptable risk:
1. Apply security controls from Annex A to decrease the risks – see this article ISO 27001 Annex A controls.
2. Transfer the risk to another party – e.g. to an insurance company by buying an insurance policy.
3. Avoid the risk by stopping an activity that is too risky, or by doing it in a completely different fashion.
4. Accept the risk – if, for instance, the cost for mitigating that risk would be higher than the damage itself.
This is where you need to get creative – how to decrease the risks with minimum investment. It would be the easiest if your budget was unlimited, but that is never going to happen. And I must tell you that unfortunately your management is right – it is possible to achieve the same result with less money – you only need to figure out how.
4. ISMS Risk Assessment Report
Unlike previous steps, this one is quite boring – you need to document everything you’ve done so far. Not only for the auditors, but you may want to check yourself these results in a year or two.
5. Statement of Applicability
This document actually shows the security profile of your company – based on the results of the risk treatment you need to list all the controls you have implemented, why you have implemented them and how. This document is also very important because the certification auditor will use it as the main guideline for the audit.
For details about this document, see article The importance of Statement of Applicability for ISO 27001.
6. Risk Treatment Plan
This is the step where you have to move from theory to practice. Let’s be frank – all up to now this whole risk management job was purely theoretical, but now it’s time to show some concrete results.
This is the purpose of Risk Treatment Plan – to define exactly who is going to implement each control, in which time frame, with which budget, etc. I would prefer to call this document ‘Implementation Plan’ or ‘Action Plan’, but let’s stick to the terminology used in ISO 27001.
Once you’ve written this document, it is crucial to get your management approval because it will take considerable time and effort (and money) to implement all the controls that you have planned here. And without their commitment you won’t get any of these.
And this is it – you’ve started your journey from not knowing how to set up your information security all the way to having a very clear picture of what you need to implement. The point is – ISO 27001 forces you to make this journey in a systematic way.
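To make the six steps concrete, here is an added worked example (it is not from the article, nor from any ISO publication) that walks one small risk register through steps 1 to 5: it fixes a qualitative methodology, rates each asset/threat/vulnerability combination, separates the unacceptable risks, records one of the four treatment options for each, and derives a risk assessment report and a Statement of Applicability from the decisions. The threats and vulnerabilities are taken from the catalogue above; the 1–5 scales, the acceptable risk level of 8, the likelihood/impact ratings and the mapping of the Annex A references quoted in the article (A.9.1.1, A.12.4.1) to particular risks are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

# Step 1 (assumed methodology; the article does not fix scales or thresholds):
SCALE = range(1, 6)      # 1..5 qualitative scale for likelihood and impact
ACCEPTABLE_RISK = 8      # a level above this is treated as "unacceptable"


class Treatment(Enum):
    """The four treatment options named in step 3."""
    APPLY_CONTROLS = "apply Annex A controls"
    TRANSFER = "transfer the risk (e.g. insurance)"
    AVOID = "avoid the risk (stop or change the activity)"
    ACCEPT = "accept the risk"


@dataclass(frozen=True)
class RiskEntry:
    """One asset / threat / vulnerability combination with its ratings."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be within {SCALE.start}..{SCALE.stop - 1}")

    @property
    def level(self) -> int:          # assumed: risk level = likelihood x impact
        return self.likelihood * self.impact

    @property
    def acceptable(self) -> bool:
        return self.level <= ACCEPTABLE_RISK

    @property
    def key(self):
        return (self.asset, self.threat, self.vulnerability)


@dataclass
class Decision:
    entry: RiskEntry
    option: Treatment
    controls: list = field(default_factory=list)   # Annex A ids for APPLY_CONTROLS


def assess(register):
    """Step 2: rank every combination by risk level, highest first."""
    return sorted(register, key=lambda e: e.level, reverse=True)


def unacceptable(register):
    return [e for e in assess(register) if not e.acceptable]


def treat(register, choices):
    """Step 3: every unacceptable risk must get exactly one treatment option.
    choices maps entry.key -> (Treatment, [Annex A control ids])."""
    decisions = []
    for e in unacceptable(register):
        if e.key not in choices:
            raise ValueError(f"unacceptable risk left untreated: {e.key}")
        option, controls = choices[e.key]
        if option is Treatment.APPLY_CONTROLS and not controls:
            raise ValueError(f"no controls selected for {e.key}")
        decisions.append(Decision(e, option, list(controls)))
    return decisions


def report(register, decisions):
    """Step 4: the risk assessment report as plain text lines."""
    chosen = {d.entry.key: d.option for d in decisions}
    return [f"{e.level:>2} | {e.asset} | {e.threat} | {e.vulnerability} -> "
            f"{chosen.get(e.key, Treatment.ACCEPT).value}" for e in assess(register)]


def statement_of_applicability(decisions):
    """Step 5: applicable controls, each justified by the risks it treats."""
    soa = {}
    for d in decisions:
        for control in d.controls:
            soa.setdefault(control, []).append(f"{d.entry.asset}: {d.entry.threat}")
    return soa


# Constructed sample register: threats and vulnerabilities come from the
# catalogue in the article, the ratings are invented for this illustration.
REGISTER = [
    RiskEntry("customer database", "Unauthorized access to the information system",
              "Default passwords not changed", likelihood=4, impact=5),
    RiskEntry("server room", "Flood", "Location vulnerable to flooding",
              likelihood=2, impact=5),
    RiskEntry("legacy file transfer service", "Eavesdropping",
              "Unprotected public network connections", likelihood=3, impact=3),
    RiskEntry("staff laptops", "Theft", "Lack of protection for mobile equipment",
              likelihood=2, impact=2),
]

# Treatment is a management decision; the control ids are Annex A references
# quoted in the article, and their assignment to these risks is illustrative.
CHOICES = {
    REGISTER[0].key: (Treatment.APPLY_CONTROLS, ["A.9.1.1", "A.12.4.1"]),
    REGISTER[1].key: (Treatment.TRANSFER, []),
    REGISTER[2].key: (Treatment.AVOID, []),
}

if __name__ == "__main__":
    decisions = treat(REGISTER, CHOICES)
    print("\n".join(report(REGISTER, decisions)))
    print(statement_of_applicability(decisions))
```

Two checks in `treat` mirror what an auditor looks for: an unacceptable risk with no recorded treatment option, and a risk "treated" by controls without naming which controls. The laptop risk scores 4, below the assumed threshold, so it is accepted without a decision; changing the threshold or the scales (step 1) changes which risks surface, which is why the methodology has to be fixed before the assessment starts.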