Consultancy and Services

The ISO 27000 family of standards helps organizations keep information assets secure.

ISO/IEC 27001 - Information security management
Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.ISO/IEC 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS).

Introduction
ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information security risks. The ISMS is an overarching management framework through which the organization identifies, analyzes and addresses its information security risks. The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts - an important aspect in such a dynamic field, and a key advantage of ISO27k’s flexible risk-driven approach as compared to, say, PCI-DSS. The standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profits), all sizes (from micro-businesses to huge multinationals), and all industries or markets (e.g. retail, banking, defense, healthcare, education and government). This is clearly a very wide brief.

What is an ISMS?
An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.It can help small, medium and large businesses in any sector keep information assets secure.

Certification to ISO/IEC 27001
Like other ISO management system standards, certification to ISO/IEC 27001 is possible. Some organizations choose to implement the standard in order to benefit from the best practice it contains while others decide they also want to get certified to reassure customers and clients that its recommendations have been followed. ISO does not perform certification.

Structure of the standard
ISO/IEC 27001:2013 has the following sections:
  • 0 Introduction - the standard uses a process approach. 1 Scope - it specifies generic ISMS requirements suitable for organizations of any type, size or nature.
  • 2 Normative references - only ISO/IEC 27000 is considered absolutely essential to users of ’27001: the remaining ISO27k standards are optional.
  • 3 Terms and definitions - a brief, formalized glossary, soon to be superseded by ISO/IEC 27000.
  • 4 Context of the organization - understanding the organizational context, the needs and expectations of ‘interested parties’, and defining the scope of the ISMS. Section 4.4 states very plainly that “The organization shall establish, implement, maintain and continually improve” a compliant ISMS.
  • 5 Leadership - top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.
  • 6 Planning - outlines the process to identify, analyze and plan to treat information security risks, and clarify the objectives of information security.
  • 7 Support - adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.
  • 8 Operation - a bit more detail about assessing and treating information security risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).
  • 9 Performance evaluation - monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system in order to make systematic improvements where appropriate.
  • 10 Improvement - address the findings of audits and reviews (e.g. nonconformities and corrective actions), make continual refinements to the ISMS
Annex A

Reference control objectives and controls - little more in fact than a list of titles of the control sections in ISO/IEC 27002. The annex is ‘normative’, implying that certified organizations are expected to use it, but they are free to deviate from or supplement it in order to address their particular information security risks.

ISMS scope, and Statement of Applicability (SoA)
Whereas the standard is intended to drive the implementation of an enterprise-wide ISMS, ensuring that all parts of the organization benefit by addressing their information security risks in an appropriate and systematically-managed manner, organizations can scope their ISMS as broadly or as narrowly as they wish - indeed scoping is a crucial decision for senior management (clause 4.3). A documented ISMS scope is one of the mandatory requirements for certification. Although the “Statement of Applicability” (SoA) is not explicitly defined, it is a mandatory requirement of section 6.1.3. This commonplace term refers to the output from the information security risk assessments and, in particular, the decisions around treating those risks. The SoA may, for instance, take the form of a matrix identifying various types of information security risks on one axis, and risk treatment options on the other, showing how the risks are to be treated in the body, and perhaps who is accountable for them. It usually references the relevant controls from ISO/IEC 27002, but the organization may use a different framework such as NIST SP800-55, the ISF standard, BMIS and/or COBIT or a custom approach. The information security control objectives and controls from ISO/IEC 27002 are provided as a checklist at Annex A in order to avoid ‘overlooking necessary controls’. The ISMS scope and SoA are crucial if a third party intends to attach any reliance to an organization’s ISO/IEC 27001 compliance certificate. If an organization’s ISO/IEC 27001 scope only notes “Acme Ltd. Department X”, for example, the associated certificate says absolutely nothing about the state of information security in “Acme Ltd. Department Y” or indeed “Acme Ltd.” as a whole. Similarly, if for some reason management decides to accept malware risks without implementing conventional antivirus controls, the certification auditors may well challenge such a bold assertion but, provided the associated analyses and decisions were sound, that alone would not be justification to refuse to certify the organization since antivirus controls are not in fact mandatory.

Mandatory requirements for certification ISO/IEC 27001 is a formalized specification for an ISMS with two distinct purposes: It lays out, at a fairly high level, what an organization can do in order to implement an ISMS; It can (optionally) be used as the basis for formal compliance assessment by accredited certification auditors in order to certify an organization.
The following mandatory documentation (or rather “documented information” in the curiously stilted language of the standard) is explicitly required for certification: ISMS scope (as per clause 4.3) Information security policy (clause 5.2) Information security risk assessment process (clause 6.1.2) Information security risk treatment process (clause 6.1.3) Information security objectives (clause 6.2) Evidence of the competence of the people working in information security (clause 7.2) Other ISMS-related documents deemed necessary by the organization (clause 7.5.1b) Operational planning and control documents (clause 8.1) The results of the risk assessments (clause 8.2) The decisions regarding risk treatment (clause 8.3) Evidence of the monitoring and measurement of information security (clause 9.1) The ISMS internal audit program and the results of audits conducted (clause 9.2) Evidence of top management reviews of the ISMS (clause 9.3) Evidence of nonconformities identified and corrective actions arising (clause 10.1) Various others: Annex A, which is normative, mentions but does not fully specify further documentation including the rules for acceptable use of assets, access control policy, operating procedures, confidentiality or non-disclosure agreements, secure system engineering principles, information security policy for supplier relationships, information security incident response procedures, relevant laws, regulations and contractual obligations plus the associated compliance procedures and information security continuity procedures.

Certification auditors will almost certainly check that these fifteen types of documentation are (a) present, and (b) fit for purpose.