ISO/IEC 27001 is a set of international standards developed to guide information security. Its component standards, such as ISO/IEC 27001:2013, are designed to help organizations implement, maintain and continually improve an information security management system (ISMS).
Compliance with ISO 27001 is not mandatory. However, in a world where hackers relentlessly target your data and more and more data privacy mandates carry stiff penalties, following ISO standards will help you reduce risk, comply with legal requirements, lower your costs and achieve a competitive advantage. In short, ISO 27001 certification will help your business attract and retain customers.
This article details the core ISO 27001 requirements, related security controls and steps in the certification process. It also offers tips for maintaining ISO 27001 compliance and explains how Netwrix solutions can help.
What is ISO 27001?
ISO/IEC 27001 is a set of information technology standards designed to help organizations of any size in any industry implement an effective information security management system. The standard uses a top-down, risk-based approach and is technology neutral.
Risk management is the central idea of ISO 27001: You must identify sensitive or valuable information that requires protection, determine the various ways that data could be at risk, and implement controls to mitigate each risk. Risk includes any threat to data confidentiality, integrity or availability. The standard provides a framework for choosing appropriate controls and processes.
In particular, ISO 27001 requires you to:
- Identify stakeholders and their expectations of the ISMS
- Define the scope of your ISMS
- Define a security policy
- Conduct a risk assessment to identify existing and potential data risks
- Define controls and processes to manage those risks
- Establish clear objectives for each information security initiative
- Implement controls and other risk treatment methods
- Measure and continuously improve the performance of the ISMS
Requirements and Security Controls
ISO 27001 Requirements
The standard contains two main parts. The first section lays out definitions and requirements in the following numbered clauses:
- Introduction — Describes the process for systematically managing information risks
- Scope — Specifies generic ISMS requirements suitable for organizations of any type, size or nature
- Normative References — Lists other standards that contain additional information relevant to determining ISO 27001 compliance (only one, ISO/IEC 27000, is listed)
- Terms and Definitions — Explains the more complex terms used in the standard
- Organizational Context — Explains why and how to define the internal and external issues that can affect an enterprise’s ability to build an ISMS, and requires the organization to establish, implement, maintain and continually improve the ISMS
- Leadership — Requires senior management to demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles and responsibilities
- Planning — Outlines processes to identify, analyze and plan to treat information risks and clarify the objective of information security initiatives
- Support — Requires organizations to assign adequate resources, raise awareness, and prepare all necessary documentation
- Operation — Details how to assess and treat information risks, manage changes, and ensure proper documentation
- Performance Evaluation — Requires organizations to monitor, measure and analyze their information security management controls and processes
- Improvement — Requires organizations to refine their ISMS continually, including addressing the findings of audits and reviews
Reference Control Objectives and Controls
The second part, Annex A, details a set of controls that can help you comply with the requirements in the first section. Your organization should select the controls that will best address its specific needs, and feel free to supplement with other controls as needed.
The controls are grouped into the following domains:
- Information Security Policies — For ensuring policies are written and reviewed in line with the organization’s security practices and overall direction
- Organization of Information Security — For assigning responsibilities for specific tasks
- Human Resource Security — For ensuring employees and contractors understand their responsibilities
- Asset Management — For ensuring that organizations identify their information assets and define appropriate protection responsibilities
- Access Controls — For ensuring employees can view only information relevant to their jobs
- Cryptography — For encrypting data to ensure confidentiality and integrity
- Physical and Environmental Security — For preventing unauthorized physical access, damage or interference to premises or data, and controlling equipment to prevent loss, damage or theft of software, hardware and physical files
- Operations Security — For ensuring information processing facilities are secure
- Communications Security — For protecting information networks
- System Acquisition, Development, and Maintenance — For securing both internal systems and those that provide services over public networks
- Supplier Relationships — For properly managing contractual agreements with third parties
- Information Security Incident Management — For ensuring effective management and reporting of security incidents
- Information Security Aspects of Business Continuity Management — For minimizing business interruptions
- Compliance — For ensuring adherence to relevant laws and regulations and mitigating the risks of noncompliance
ISO 27001 Compliance and Certification
By voluntarily meeting ISO 27001 requirements, your organization can proactively reduce information security risks and improve your ability to comply with data protection mandates. By going a step further and achieving ISO 27001 certification, you will demonstrate your commitment to protecting your data assets to customers, partners, suppliers and others. Building this trust can boost your company’s reputation and provide a competitive advantage.
Multiple documents are required to demonstrate ISO 27001 compliance, including the following:
- ISMS Scope (clause 4.3)
- Information Security Policy (clause 5.2)
- Information Security Objectives (clause 6.2)
- Evidence of Competence of People Working in Information Security (clause 7.2)
- Results of the Information Risk Assessment (clause 8.2)
- ISMS Internal Audit Program and Results of Audits Conducted (clause 9.2)
- Evidence of Leadership Reviews of the ISMS (clause 9.3)
- Evidence of Nonconformities Identified and Corrective Actions Arising (clause 10.1)
Defining ISMS Scope
One of the main requirements for ISO 27001 implementation is to define the ISMS scope. To do that, you need to take the following steps:
- Inventory all information you store in any form, physical or digital, local or in the cloud.
- Identify the various ways people can access information.
- Determine what data is in scope for your ISMS and what is out of scope. For example, information over which your organization has no control would be out of scope for your ISMS.
The ISO 27001 certification process involves the following steps:
- Develop an ISMS that includes policies, procedures, people and technology.
- Perform an internal review to identify nonconformities and corrective actions.
- Invite auditors to perform a basic review of the ISMS.
- Correct the issues which the auditors find.
- Have an accredited certification body perform an in-depth audit of the ISO 27001 components to check whether you followed the policies and procedures.
Certification can take three to twelve months. To improve the cost-effectiveness of the certification process, many organizations perform a preliminary gap analysis against the standard to get an idea of the effort required to implement any necessary changes.
Cost of Certification
The cost of certification depends on many variables, so every organization will have a different budget. The main costs relate to training and literature, external assistance, technologies to be updated or implemented, employee time and effort, and the certification audit itself.
Duration of Certification
Once you earn certification, you should perform regular internal audits. The certification body re-audits at least annually, and will check the following:
- Closure of all nonconformities from the last visit
- ISMS operation
- Documentation updates
- Risk management reviews
- Corrective actions
- Monitoring and measuring of ISMS performance
Tips for Achieving and Maintaining ISO 27001 Compliance
- Stakeholder support is crucial for successful certification. Commitment, guidance and resources from all stakeholders are required to identify necessary changes, prioritize and implement remediation actions, and ensure regular ISMS review and improvement.
- Define the impact of ISO 27001 on your organization. Consider the needs and requirements of all interested parties, including regulators and employees. Look at the internal and external factors influencing your information security.
- Write a Statement of Applicability. The statement details which ISO 27001 controls apply to your organization.
- Perform risk assessment and remediation regularly. For each assessment, write a risk treatment plan that details whether each risk will be treated, tolerated, terminated or transferred.
- Assess ISMS performance. Monitor and measure your ISMS and controls.
- Implement training and awareness programs. Provide all employees and contractors with training in your security processes and procedures and raise data security awareness throughout the organization.
- Perform internal audits. Uncover and remediate issues before outside audits find them.
How Netwrix Helps with ISO 27001 Compliance
The Netwrix Data Security Platform helps you achieve and maintain ISO 27001 compliance by enabling you to:
- Discover and classify data across your on-premises and cloud-based repositories
- Identify and prioritize the IT-related risks
- Monitor system login attempts, file access, and data and configuration changes for anomalous activity
- Identify and investigate threat patterns
- Establish strong data access governance
Now that data security is more essential for success than ever, ISO 27001 certification provides a valuable competitive edge. Using the standard’s requirements and controls, you’ll be able to establish and continuously improve your information security management system, demonstrating your commitment to data security to partners and customers alike.
1. What is the purpose of ISO 27001?
The ISO 27001 standard was developed to help organizations of any size in any industry protect their data by effectively using an information security management system (ISMS).
2. What is the latest ISO 27001 standard?
The latest version offered by ISO/IEC is 27001:2013. There’s a regional EU update called ISO/IEC 27001:2017.
3. What are the requirements of ISO 27001?
ISO 27001 requires organizations to:
- Understand organizational context
- Demonstrate leadership and commitment to the ISMS, and assign information security roles and responsibilities
- Develop a plan for identifying, analyzing and treating information risks
- Assign adequate resources to support the ISMS
- Perform operational risk assessment and treatment
- Evaluate the performance of the ISMS
- Continually improve the ISMS
4. Why is ISO 27001 important?
ISO 27001 protects the confidentiality, integrity and availability of information within an organization and as it is shared by third parties.
5. What is the difference between ISO 27001 and ISO 27002?
ISO 27001 is the central standard in the ISO 27000 series and contains the implementation requirements for an ISMS. ISO 27002 is a supplementary standard that details the information security controls organizations might choose to implement, expanding on the brief descriptions in Annex A of ISO 27001.
6. What is the difference between NIST and ISO 27001?
NIST is a U.S. standards organization comparable to ISO. NIST 800-53 is more security control-driven than ISO 27001, with a variety of groups contributing best practices related to federal information systems. ISO 27001 is less technical and more risk-focused, and is applicable for organizations of all sizes and in all sectors.
7. What is the difference between SOX and ISO 27001?
ISO 27001 is a voluntary international standard for implementing an ISMS. SOX 404 is a U.S. law that all publicly traded companies in the U.S. must follow.