What is ISO 27001?
ISO/IEC 27001 is the leading international standard for regulating data security through a code of practice for information security management.
Its creation was a joint effort of two prominent international standard bodies - the International Organization for Standardization (ISO), and the International Electrotechnical Commission (IEC). This is why the standard is formally prepended with ISO/IEC, though "IEC" is commonly left to simplify referencing.
ISO/IEC 27001 is comprised of a set of standards covering different aspects of information security including information security management systems, information technology, information security techniques, and information security requirements.
The latest standard is ISO/IEC 27001:2013, which was published in 2013.
Why is ISO/IEC 27001 Important?
When a business is ISO/IEC 27001 certified it's officially recognized for adhering to the highest internationally recognized information security standard.
This certification demonstrates a world-class level of operations security across threat monitoring, breach mitigation, and sensitive data protection. Because of this exemplary reputation for risk management, partners and customers of ISO/IEC 27001 certified organizations have greater confidence in the security of their information assets.
Organizations requiring clear guidance for strengthening their security posture will benefit from the ISO framework's convenient consolidation of necessary security policies and processes. Any industry, regardless of its size, can implement a cost-effective Information Security Management System (ISMS) through either an ISO 27001 certification or by becoming ISO 27001 compliant.
What is an Information Security Management System (ISMS)?
An ISMS consists of a set of policies, systems, and processes that manage information security risks through a set of cybersecurity controls.
The objective is to only permit acceptable risk levels into the monitored ecosystem to prevent sensitive data from being leaked or accessed by cybercriminals. The primary intention of an ISMS is not to prevent data breaches but to limit their impact on sensitive resources.
It's important to understand that the pursuit of information security does not end at ISO/IEC 27001 certification. The certification demonstrates an ongoing commitment to improving the protection of sensitive recourse through risk assessments and information security controls.
Benefits of ISO/IEC Certification
Some of the benefits of aligning with the ISO 27001 standard are listed below:
- It demonstrates a commitment to preserving the data security of all third-party vendors, business partners, and stakeholders.
- Demonstrates a commitment to the continual improvement of data security for all third-party vendors, suppliers, customers, and business partners.
- It is an internationally recognized standard for Information Security Management (ISM).
- It offers a competitive advantage by demonstrating superior risk management and due diligence.
- Reduces excess time and cost commitments to processes.
- It can facilitate partnerships with highly regulated businesses.
- It can attract higher-quality candidates and business partners.
- Reduces the cost of risk remediation processes.
- Prevents regulator fines (such as GDPR).
- Reduces the likelihood of data breaches and third-party breaches.
- Reduces the impact and cost of a data breach.
What is the ISO 27001 Certification Process?
An ISO/IEC 27001 certification can only be provided by an accredited certification body. Candidates are assessed across three different information security categories:
- Information Confidentiality - Are sufficient access controls in place to prevent unauthorized access?
- Information Integrity - Is information protected from unauthorized modifications?
- Information Availability - Is information readily available to authorizes users when it's required?
By understanding the high-level expectation of certification audits, it becomes clear that the primary mechanism of the ISO/IEC 27001 framework is the detection and mitigation of vulnerabilities through a series of security controls.
A certifier will assess the practices, policies, and procedures of an ISMS against the expected standards of ISO/IEC 27001.
Certification is valid for 3 years. Auditors will continue to assess compliance through annual assessments while the certificate remains valid. To ensure compliance is maintained every year in time for these assessments, certified organizations must commit to routine internal audits.
Some U.S accredited certification bodies for ISO/IEC 27001 are listed below:
The ISO 27001 standard can be broken up into two parts:
- Eleven Clauses (0-10) - Clauses 0 to 3 provided an introduction to the ISO/IEC 27001 standard. Clauses 4-10 should be carefully considered because they outline the minimal compliance expectations for certification.
- Annex A - Defines the guidelines for the 114 controls objects that support ISO/IEC 27001 compliance.
A brief description of clauses 4 - 10 is provided below
Clause 4 - Context of the Organization
Organizations need to demonstrate confident knowledge of all internal and external issues, including regulatory issues, so that scope of ISMS within the unique organizational context is clearly defined.
Clause 5 - Leadership
Clause 5 identifies the specific commitments of the leadership team to the implementation and preservation of an ISMS through a dedicated management system.
These could include:
- Ensuring resource requirements are met.
- Ensuring the organization's information security objectives are met.
- Overseeing the complete integration of the management system with business processes.
- Implementing all appropriate security controls.
- Ensuring all parties are contributing to the success of the ISMS.
Clause 6 - Planning
An ISMS implementation plan needs to be designed based on a security assessment of the current IT environment.
This process involves identifying all assets and then evaluating their risks relative to a specified risk appetite.
This time-consuming process is best entrusted to an attack surface monitoring solution to ensure both speed and accuracy.
Once identified, all risks can be managed and mitigated with the Annex A security controls.
Clause 7 - Support
Clause 7 ensures all staff have been supported with the necessary training to adhere to the ISO/IEC 27001 standards.
Clause 8 - Operation
Clause 8 ensures the appropriate processes are in place to effectively manage detected security risks. This objective is primarily achieved through risk assessments.
Clause 9 - Performance evaluation
In order for ISO 27001 certified organizations to follow through with their commitment to ongoing data security improvement, internal audits need to be regularly conducted.
The objective is to analyze the performance of the Information Security Management System against expected security standards.
Clause 10 - Improvement
The data gathered from the Clause 9 process should then be used to identify operational improvement opportunities.
Continual improvement of the risk management process can be achieved through the use of maturity models coupled with routine auditing efforts.
ISO/IEC 270001 Security Controls
Annex A of the ISO 27001 standard is comprised of 114 controls divided across 14 domains or categories. Not all control objectives are mandatory, they should be viewed as a list of control options.
Each organization should apply the necessary level of controls required to achieve the expected level of information security risk management compliance based on their current degree of compliance.
This unique shortfall can be calculated with an ISO 27001 gap analysis.
To learn more about gap analysis, watch the video below:
All of the implemented controls need to be documented in a Statement of Applicability after they have been approved through a management review.
The 14 domains of Annex A of ISO/IEC 27001 range from A.5 to A.18.
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resources security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operational security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
Is ISO/IEC 27001 Mandatory?
ISO/IEC 27001 is not a mandatory requirement in most countries, however, compliance is recommended for all businesses because it provides advanced data protection.
The ISO 27000 family of standards can facilitate compliance with mandatory standards such as the General Data Protection Regulation (GDPR). This is because the ISO/IEC 27000 family follows an Annex SL - a high-level structure of ISO management standards designed to streamline the integration of multiple standards.
By combining an ISO 27701-compliant Privacy Information Management System (PIMS) with an ISMS through an integrated management system, the strict personal data protection expectations of the GDPR can be met.
Because of this, compliance with an ISO 27001 family can become necessary (and almost mandatory) to achieve regulatory compliance with other security frameworks.
What's the Difference Between ISO/IEC 27001 Certification and Compliance?
When an organization is compliant with the ISO/IEC 27001 standard, its security program aligns with the ISO/IEC 27001 list of domains and controls - or at least a sufficient number of them.
When an organization is ISO/IEC 27001 certified, its Information Security Management System (ISMS) has been confirmed to align with the ISO/IEC 27001 standard by an accredited certification body
Achieve and Maintain ISO/IEC 27001 Compliance with UpGuard
UpGuard is an intelligence attack surface monitoring solution that supports ISO/IEC 27001 compliance by managing security risks both internally and throughout the vendor network.
The analytics from these efforts can then be used to create a risk treatment plan to keep stakeholders and interested parties continuously informed about your organization's security posture.
UpGuard also helps organizations remain compliant through the early detection of third-party risks that could potentially be detrimental to an ISO 27001 certification. This is achieved through ISO 27001 security questionnaires that map third-party risks against ISO 27001 domains.