ISO /IEC 27001

WHAT IS ISO/IEC 27001?

The International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC), publishes ISO 27001. ISO/IEC 27001 is the world’s best-known standard for information security management systems (ISMS). It defines the requirements an ISMS must meet. Conformity with ISO/IEC 27001 means that an organization has put in place a system to manage risks related to the security of the data it owns or handles, and that this system respects the best practices and principles set out in the International Standard.

What is an information security management system (ISMS)?

An ISMS is a systematic approach to managing and protecting a company’s information. ISO 27001 provides a framework that helps organizations of any size and in any industry protect their information systematically and cost-effectively through the adoption of an Information Security Management System (ISMS): a framework of policies and procedures for systematically managing an organization’s sensitive data.

Why do we need an ISMS?

  1. Safeguard confidentiality, integrity, and availability of data. This is not restricted to digital data but covers hard copies too.
  2. Meet regulatory compliance. Violations of legal regulations come with hefty fines, so having an ISMS can be especially beneficial for highly regulated industries with critical infrastructure, such as finance or healthcare.
  3. Respond to security threats. Because an ISMS monitors and analyses risk on an ongoing basis, it reduces the exposure that comes with continually evolving threats.
  4. Reduce security-related costs. An ISMS offers a thorough risk assessment of all assets, so spending on controls can be directed at the risks that actually matter.
  5. Improve company work culture. The holistic approach of an ISMS covers not only the IT department but the entire organization, including its people, processes, and technologies.
  6. Gain competitive advantage. ISO 27001 certification demonstrates a commitment to keeping data secure, which builds trust with customers and offers an edge over competitors.

Why is ISO/IEC 27001 important?

It ensures that organizations are identifying and managing risks effectively, consistently, and measurably. With cybercrime on the rise and new threats constantly emerging, it can seem difficult or even impossible to manage cyber risks. Organizations become risk-aware and proactively identify and address weaknesses.

It promotes a holistic approach to information security: vetting people, policies, and technology. An information security management system implemented according to this standard is a tool for risk management, cyber-resilience, and operational excellence.

What is ISO 27002?

ISO 27002 provides a reference set of generic information security controls including implementation guidance. This document is designed to be used by organizations:

  1. Within the context of an information security management system (ISMS) based on ISO/IEC 27001
  2. For implementing information security controls based on internationally recognized best practices
  3. For developing organization-specific information security management guidelines

What are the three guiding principles of ISO 27001?

The ISO 27001 standard aims to secure people, processes, and technology via three main guiding principles: confidentiality, integrity, and availability.

Confidentiality means that data and systems must be protected against unauthorized access by people, processes, or applications. This involves the use of technological controls such as multifactor authentication, security tokens, and data encryption. In short, only the right people can access the information held by the organization.

Integrity means verifying the accuracy, trustworthiness, and completeness of data. It involves processes that ensure data is free of errors and manipulation, such as confirming that only authorized personnel can modify confidential data. Information integrity means that data the organization uses to pursue its business, or keeps safe on behalf of others, is reliably stored and not erased or damaged.

Availability typically refers to the maintenance and monitoring of information security management systems (ISMSs). This includes removing bottlenecks in security processes, minimizing vulnerabilities by keeping software and firmware up to date, boosting business continuity by adding redundancy, and minimizing data loss through backups and disaster recovery solutions.

How will ISO/IEC 27001 benefit the organization?

Implementing the information security framework specified in the ISO/IEC 27001 standard helps you:

  1. Reduce your vulnerability to the growing threat of cyber-attacks.
  2. Respond to evolving security risks.
  3. Ensure that assets such as financial statements, intellectual property, employee data, and information entrusted by third parties remain undamaged, confidential, and available as needed.
  4. Provide a centrally managed framework that secures all information in one place.
  5. Prepare people, processes and technology throughout your organization to face technology-based risks and other threats.
  6. Secure information in all forms, including paper-based, cloud-based and digital data.
  7. Save money by increasing efficiency and reducing expenses on ineffective defence technology.

How many controls are there in ISO 27001?

ISO 27001:2022 has 93 controls organized into 4 sections (themes): organizational, people, physical, and technological.

How do you implement ISO 27001 controls?

ORGANIZATIONAL

Organizational controls cover information security policies, asset use, and cloud service use.

PEOPLE

With only eight total controls, this theme deals with remote work, confidentiality, nondisclosures, and screening to help manage the way employees interact with sensitive information in their day-to-day roles. Controls include onboarding and offboarding processes and responsibilities for incident reporting.

PHYSICAL

Physical controls cover security monitoring, maintenance, facilities security, and storage media. This category focuses on how you are protecting against physical and environmental threats such as natural disasters, theft, and intentional destruction.

TECHNOLOGICAL

Technological controls deal with authentication, encryption, and data leakage prevention. This category focuses on properly securing technology through various approaches, including access rights, network security, and data masking.

Each control is also tagged with five attributes, which allow controls to be filtered and grouped from different viewpoints:

  • Control type: preventive, detective, corrective
  • Operational capabilities: governance, asset management, information protection, human resource security, etc.
  • Security domains: governance and ecosystem, protection, defence, resilience
  • Cybersecurity concepts: identify, protect, detect, respond, recover
  • Information security properties: confidentiality, integrity, availability

How is ISO 27001:2022 structured?

ISO 27001 can very broadly be broken into two components:

1. Clauses: ISO 27001 has a set of sections called clauses that define the core processes for building out your ISMS from an organizational and leadership perspective. These 11 clauses are further divided into subsections called “requirements” that break the clauses down into more concrete steps.

The 10 clauses of ISO 27001 include:

  1. Terms and definitions
  2. Process approach impact
  3. Plan-Do-Check-Act cycle
  4. Context of the organization
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

2. Controls: ISO 27001 has a section called Annex A that lists the physical, logical, and environmental security controls that organizations must put in place in order to be ISO 27001 compliant. Among the additions in ISO 27001:2022 are new control groups (the categories ISO uses to segment controls into sections) and new individual controls. Data leakage prevention is one of the controls newly added to ISO 27001 and is required to be in place by 2025. The new controls in each theme are listed below.

Organizational (37 total controls)

  • 5.7 Threat intelligence
  • 5.23 Information security for use of cloud services
  • 5.30 ICT readiness for business continuity

People (8 total controls)

Physical (14 total controls)

  • 7.4 Physical security monitoring

Technological (34 total controls)

  • 8.1 Data masking
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities
  • 8.23 Web filtering
  • 8.28 Secure coding

ISO 27001 CONTEXT OF ORGANIZATION

The context of organization clause is about demonstrating that you understand the organization and its context, that you understand the needs and expectations of interested parties, and that you have determined the scope of the information security management system. External and internal issues, as well as interested parties, need to be identified and considered. Requirements may include regulatory obligations, but they may also go far beyond them.

ISO 27001 LEADERSHIP

ISO 27001 expects top-down leadership and evidence demonstrating leadership commitment. It requires information security policies that outline the procedures to follow. Objectives must be established in line with the strategic direction and goals of the organization. Providing the resources needed for the ISMS, and supporting the people who contribute to it, are further obligations to meet. Roles and responsibilities also need to be assigned in order to meet the requirements of the ISO 27001 standard and to report on the performance of the ISMS.

ISO 27001 PLANNING

Planning covers the actions taken to address risks and opportunities. ISO 27001 is a risk-based system, so risk management is a key part, with risk registers and risk processes in place. Accordingly, information security objectives should be based on the risk assessment. These objectives need to be aligned with the company’s overall objectives, and they need to be promoted within the company because they give everyone within and aligned with the company the security goals to work toward. From the risk assessment and the security objectives, a risk treatment plan is derived based on the controls listed in Annex A.

ISO 27001 SUPPORT

Education and awareness are established and a culture of security is built. A communication plan is created and followed. Another requirement is documented information as defined by ISO 27001: information needs to be created, updated, and controlled. A suitable set of documentation, including the communication plan, needs to be maintained to support the success of the ISMS. Resources are allocated, and the competence of those resources is managed and understood. What is not written down does not exist, so standard operating procedures are documented and documents are controlled.

ISO 27001 OPERATION

Operations are managed and controlled, and risk assessments undertaken.

ISO 27001 PERFORMANCE EVALUATION

Monitoring and measurement, together with processes for analysis and evaluation, are implemented. As part of continual improvement, internal audits are planned and executed, and management reviews are undertaken following structured agendas.

ISO 27001 IMPROVEMENT

The ability to adapt and continually improve is foundational to the ISO 27001 standard. Nonconformities need to be addressed by acting and eliminating their causes.

What are the mandatory documents for ISO 27001 certification?

Here is the list of mandatory documents and records:

  • ISMS Scope document
  • Information Security Policy
  • Risk Assessment Report
  • Statement of Applicability
  • Internal Audit Report

Is ISO 27001 mandatory?

Compliance with ISO 27001 is not mandatory in most countries. Mandates are generally determined by regulatory authorities of respective countries or business partners. Beyond government regulation, some business entities ask for ISO 27001 compliance and/or ISO 27001 certification to ensure all shared information remains secure.

Even if it is not mandatory, IT-enabled businesses can at least build confidence in their product by demonstrating to their customers, partners, and investors their commitment to securing customer data.


Source: https://www.iso.org/standard/27001 and Internet.
