What is ISO 27001 Information Security Management System?

ISO 27001 / IEC 27001 is the world’s best-known standard for the management of Information Security Management.   The standard provides a framework (i.e., a list of requirements and best practice guidelines) for the implementation, management, and continual improvement of security principles to protect information assets. 

In our opinion, ISO 27001 is the crème de la crème of information security management systems, going over and above other accreditations such as Cyber Essentials.   It also helps that ISO 27001 has a global presence, which means it is internationally recognised by almost everyone.  

The three principles of ISO 27001 are Confidentiality, Integrity and Availability (CIA) of data to reduce the risk of data breaches and security incidents. 

What are the core requirements of ISO 27001? 

The requirements of the ISO 27001 standard are made up predominantly of a series of clauses (like other ISO standards) and Annex A, which lists objectives and control measures.  

Requirements 

The standard is laid out so that one clause flows into the next and the next and so on.

Clause 4: Context of the organisation – What your business does (context, scope), who is affected by those activities (stakeholders) and what are your information security processes.

Clause 5: Leadership – Role of leadership and commitment to Information Security Management System (ISMS). What is the policy on information security? What are the roles, responsibilities and authorities to ensure conformity? 

Clause 6: Planning – Planning phase for the identification of ISMS risks.  Applies a risk-based approach to information security and planning of objectives.  While all clauses are important, the planning section is critical, getting this right will set the basis for your entire management system.  

Clause 7: Support – This covers support processes such as competence, awareness, communication, document and record management.

Clause 8: Operation – What are the information security risks associated with your business operations (risk assessment) and what control measures are implemented to eliminate and/or reduce the risk (treatment)?

Quick tip - As a rule of thumb – the higher the threat, the more robust the control measures need to be to reduce the risk. 

Clause 9: Performance evaluation – Requirement for monitoring that the Information Security Management System is fit for purpose.  This covers what, how, when and by whom of performance monitoring.  Monitoring should include internal audits, management review meetings, objectives,  KPIs etc.

Clause 10: Improvement – Information security issues (nonconformances), what can we do to prevent them from happening again (root cause analysis) and what measures can we take to continually improve our existing system?

Annex A - Objectives and controls (This often forms a statement of applicability)

This is an overview of objectives, controls and the things you need to be thinking about.  It’s not exhaustive but gives an idea of what to expect.  

1. Information security policies – What are your information security policies? Do you need specific policies in line with legal requirements?  If so, how are they approved, communicated, and reviewed at planned intervals?

2. Organisation of information security – What are the roles, responsibilities and authorities of personnel and anyone who has access to information security assets? Where do they work? Remote, office etc?

3. Human Resource Security – What are the pre-employment requirements, roles, responsibilities, and authorities communicated?  Are they competent to complete the tasks assigned?  Is a disciplinary process in place? What is the process when someone leaves the company? 

4. Asset Management – Have all assets been identified? Both data and physical? If so, what protection measures are in place to prevent a breach?  Have these assets been classified?  Is this reflected in a risk assessment? 

5. Access Control – Have access arrangements been identified and controlled? Is access limited on a need-to-know basis? Do user registration and de-registration process exist? Is access to privileged information restricted? Is there a process for the allocation of user details, passwords etc?  Are user access rights removed when they leave the organisation? Is a single sign used? 

6. Cryptography – Are Cryptography keys used? If so, what does that process look like?  How are they used and protected? 

7. Physical and Environmental Security – What are the current perimeters of physical security? Are entry controls in place? Are offices/facilities secure? Does a clean desk policy exist? Are there controls in place to protect from physical and environmental threats? I.e. power supply, air ventilation systems and storage of equipment.

8. Operational Security – Are operations identified, working correctly and securely? What are the requirements for project management?  Have risks been identified and control measures implemented?  Examples may include Cloud Security, Penn Testing, single sign-on, Antivirus/malware software, the process for backup and testing for backup, encryption/SSL, user activity logs, training, awareness, documented procedures, policies etc. 

9. Communications Security – How is information communicated internally and externally?  This will include electronic messaging, social media and secure transfer of business information.

10. System Acquisition, Development and Maintenance – What does the system infrastructure look like?  How is it controlled? Are services provided over a public network? What are the rules for the development and use of software and systems? Where development occurs?  What tech stack is used? Are secure system engineering principles established and maintained? What business critical applications are used? Is security functionality tested?

11. Supplier Relationships – who are your critical suppliers? How is this relationship controlled to ensure information security assets are protected? 

12. Information Security Incident Management – What is the process in the event of an information security incident i.e., leak, breach etc?

13. Information Security Aspects of Business Continuity Management – Are legal, statutory, regulatory, or contractual obligations related to the Information Security Management System avoided?  Has the management of information security in adverse situations been considered? Have these arrangements been tested and verified?

14. Compliance - Legislation and Contractual Requirements – What compliance requirements are applicable to your business? How do you know you are compliant? How do you keep up to date? Does your business protect against loss, destruction and unauthorised access?  Is personally identifiable information identified and securely protected? Does a process exist to protect intellectual property (IP) and the use of propriety software products? 

Changes to ISO 27001

ISO 27001 has been recently updated in October 2022 to ISO 27001: 2022.  If are already certified to the previous version, don’t worry you have 3 years to update your ISMS.  We will discuss the changes in an upcoming blog.  Though there’s nothing major, the changes are moderate with clause changes. Some changes to controls listed in Annex A, also known as AISO 27002, the number of controls was reduced and none were removed however many were merged to prevent duplication.

The exact requirements of these clauses are covered in more detail in our Armour platform.

At Armour, our entire process has been laid out to facilitate a guided experience from start to finish. Every step is broken down, simplified and supplemented with all the templates and explanatory notes you could need for your business.  

Our team at Armour have decades of experience working as consultants and auditors covering a wide range of sectors and we are always on hand to help.  Take control of your ISO Management System today by enquiring online or emailing us directly at info@armour.ai.