ISO 27001: Standards and Best Practices

The goal of this blog is to describe the ISO/IEC 27001 (ISO 27001) standard and related best practices. This post provides an overview of the ISO/IEC 27001 standard including the purpose of an Information Security Management System (ISMS). The blog also includes a comparison between ISO/IEC 27001 and related frameworks and details the certification and compliance management processes. The post concludes with FAQs related to the process.

What is ISO 27001?

ISO/IEC 27001 is a globally recognized standard outlining best practices for information security management systems. The standard, and the wider ISO/IEC 27000 family of standards, is governed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC 27001 defines mandatory ISMS requirements that help an organization manage its security practices, and it can be applied by organizations of any sector, market, or size. By adopting ISO/IEC 27001, businesses can demonstrate a strong commitment to maintaining a high level of data security and privacy, which can enhance brand reputation and build trust and confidence among internal, external, and other interested parties. ISO 27001 evolved from BS 7799 and ISO 17799 as described below.

BS 7799

BS 7799 was published by the British Standards Institution (BSI) in February 1995. BS 7799 consisted of three parts. BS 7799 Part 1 (BS 7799-1) eventually evolved into ISO/IEC 17799 in 2000. ISO/IEC 17799 was renumbered to ISO/IEC 27002 in 2007. BS 7799-2 evolved into ISO/IEC 27001 in 2005. BS 7799-3 was adopted as ISO/IEC 27005 in 2008.

ISO/IEC 27001

As mentioned above, ISO/IEC 27001 was adopted in 2005. The standard was updated in 2013, and most recently in 2022. Organizations must recertify against the 2022 version of the standard no later than October 31, 2025. Occasionally, you’ll see ISO/IEC 27001 noted as ISO/IEC 27001:2013 or 27001:2022. The date after the colon (e.g. 2022) reflects the last time the ISO/IEC 27001 standard was reviewed and revised by the ISO/IEC. Organizations can expect the ISO 27000 series to continue to adapt and evolve to match changes in the broader cybersecurity and risk landscape.

Source: A brief history of ISO/IEC 27001

At its heart, ISO/IEC 27001 is a globally recognized standard that emphasizes the safeguarding of Confidentiality, Integrity, and Availability (also referred to as the “CIA Triad”) of information assets and information systems. Confidentiality ensures that information is accessible only to those authorized to have access. Integrity involves maintaining the consistency, accuracy, and trustworthiness of the data during its entire life cycle. Availability, on the other hand, ensures that the information is available and usable when required by an authorized entity.

ISO/IEC 27001 Requirements and Controls

ISO/IEC 27001:2013 and ISO/IEC 27001:2022 both consist of requirements and controls. In both versions, the requirements are defined in Clauses 4 through 10, and Clause 6.1.3 incorporates the Annex A controls. The Annex A controls are based on ISO/IEC 27002:2013 and ISO/IEC 27002:2022 respectively. ISO/IEC 27001:2013 Annex A consists of 114 controls in 14 domains, while ISO/IEC 27001:2022 Annex A consists of 93 controls grouped into four categories.

ISO/IEC 27001:2013 and ISO/IEC 27001:2022 Clauses

Clause 4 – Organizational context

Clause 5 – Leadership

Clause 6 – Planning

Clause 7 – Support

Clause 8 – Operation

Clause 9 – Performance evaluation

Clause 10 – Improvement

ISO/IEC 27001:2013 Annex A Control Domains

A5 – Information security policies (2 Controls)

A6 – Organization of information security (7 Controls)

A7 – Human resource security (6 Controls)

A8 – Asset management (10 Controls)

A9 – Access control (14 Controls)

A10 – Cryptography (2 Controls)

A11 – Physical and environmental security (15 Controls)

A12 – Operations security (14 Controls)

A13 – Communications security (7 Controls)

A14 – System acquisition, development, and maintenance (13 Controls)

A15 – Supplier relationships (5 Controls)

A16 – Information security incident management (7 Controls)

A17 – Information security aspects of business continuity management (4 Controls)

A18 – Compliance (8 Controls)

ISO/IEC 27001:2022 Annex A Control Categories

Organizational (37 Controls)

People (8 Controls)

Physical (14 Controls)

Technological (34 Controls)

What is the Purpose of an Information Security Management System (ISMS)?

In general, a management system can be seen as a comprehensive framework enabling an organization to manage the interrelated components of its business to accomplish its objectives. These objectives can include topics such as the quality of products or services, operational efficiency, environmental performance, health and safety in the workplace, information management, and security, among others. ISO management system standards are integral to management system planning, implementation, monitoring, and continuous improvement.

ISO/IEC 27001, the ISMS management system standard, is one of several management system standards. An ISMS provides a framework of policies, procedures, and controls that ensures the organization's information security measures are efficient and consistent. This includes risk management processes, IT governance, and compliance checks. Furthermore, an ISMS helps organizations fulfill legal, contractual, and regulatory requirements pertaining to information security. Ultimately, the ISMS aims to facilitate compliance with other requirements, increase competitive advantages, lower costs, and provide better organization.

Comply with Requirements

ISO/IEC 27001 remains one of the most popular security frameworks partly because it overlaps significantly with other widely recognized frameworks and standards. The standard facilitates compliance with the Payment Card Industry (PCI) Data Security Standard (DSS), the Health Insurance Portability and Accountability Act (HIPAA), frameworks from the National Institute of Standards and Technology (NIST), and other frameworks in several ways. The standard provides a framework for the establishment, implementation, maintenance, and continual improvement of a management system, which aligns with the requirements of these regulations. Additionally, by adopting ISO/IEC 27001, organizations can identify, assess, and manage information security risks, fulfilling the risk management mandates of these standards. Lastly, ISO/IEC 27001's emphasis on regular audits, management reviews, and continual improvement parallels the continuous monitoring requirements of SOC, PCI, HIPAA, and NIST. Implementing ISO/IEC 27001 therefore helps an organization safeguard critical information assets and fulfill regulatory requirements.

Competitive Advantages

ISO/IEC 27001 offers numerous competitive advantages. The standard provides a robust framework for maintaining information security, thereby enhancing customer trust and corporate reputation. As mentioned above, the standard also helps businesses meet various regulatory and compliance requirements, ultimately avoiding potential fines and penalties. Implementation can also lead to a reduction in security breaches, thereby minimizing financial losses.

Lower Costs

ISO/IEC 27001 emphasizes a risk-based approach to information security. This risk-based approach can result in cost reduction in several ways related to risk management, risk treatment, asset management, operations, audits and assurance activities, and third-party management. The extent of these benefits may vary depending on factors such as the organization’s size, industry, and specific operational context.

By identifying and addressing potential risks, organizations can prevent costly cyber-attacks and security incidents and mitigate the financial impact of data breaches. Implementation can also lead to enhanced operational efficiency and reduce the risk of fines and penalties associated with non-compliance with regulatory requirements. ISO/IEC 27001 certification demonstrates an organization’s commitment to information security assurance to partners and stakeholders leading to potential cost savings associated with audits and assessments from business partners. Lastly, third-party management of supplier relationships is required by the standard. This can prevent disruptions and associated costs caused by security lapses within the supply chain.

Better Organization

ISO/IEC 27001 forms the basis of ISMS implementation. Although each organization will naturally have unique processes and controls specific to its own information security risks and vulnerabilities, most organizations will need to address common topics related to cybersecurity risk. Areas such as access control, business continuity management, performance evaluations, incident management, data protection and cryptography, supplier relationships, communications security, vulnerability management, and change management are potential risk zones for almost all businesses and organizations. By building an ISO-compliant ISMS, organizations can be confident that they are managing these common components as well as their own unique cybersecurity needs. As an added benefit, companies can provide their ISO/IEC 27001 certificates to interested parties. Evidence of ISO/IEC 27001 certification can often eliminate the need to complete supplemental client security questionnaires.

What is the Certification Process?

Accreditation and Certification Bodies

ISO/IEC 27001 is not mandated; certification is a voluntary decision that organizations pursue based on their strategic objectives. In fact, organizations that leverage the ISO/IEC 27001 standard, and the broader ISO/IEC 27000 family, are not required to pursue certification at all and may instead conduct internal audits to gauge their compliance and security posture.

Organizations that do choose to embark on the certification process must engage a certification body that has been accredited by an accreditation body. According to ISO:

Accreditation is the formal recognition by an independent body, generally known as an accreditation body, that a certification body operates according to international standards. Certification is the provision by an independent body of written assurance (a certificate) that the product, service, or system in question meets specific requirements.

There are numerous ISO accreditation bodies worldwide.

• In the United States, the ANSI National Accreditation Board (ANAB) is the primary ISO accreditation body.

• In Canada, the primary ISO accreditation body is the Standards Council of Canada (SCC).

• There isn't a single European Union (EU) ISO accreditation body. Accreditation bodies for conformity assessment in the EU are typically organized at the national level. For example, in Germany, the accreditation body is the Deutsche Akkreditierungsstelle GmbH (DAkkS), and in the United Kingdom, it is the United Kingdom Accreditation Service (UKAS).

Presently, there are 38 ANAB-accredited ISO/IEC 27001 certification bodies (see the ANAB list of ISO/IEC 27001 Certification Bodies). Accredited certification bodies undergo continued audits from accreditation bodies throughout the year.

The Certification Process

Phase 1

The ISO/IEC 27001 certification process is cyclical. The process starts with management's commitment to implement the ISMS. Management commitment consists of resource allocation, defining organizational objectives, and establishing a culture centered around the ISMS, among other activities. Defining the ISMS scope is also an initiation activity. Organizations typically evaluate Governance, Risk, and Compliance (GRC) automation tools at this stage.

Phase 2

The next step in the process involves performing a gap analysis of existing practices against ISO/IEC 27001 requirements. After the gap analysis, most organizations perform a risk assessment. The output of the risk assessment is a Statement of Applicability (SOA) that lists the applicable controls and the rationale for each, a register of risk items, and the related treatment options. Next, the organization develops the required documentation and implements the controls selected in the SOA, together with the measures defined in the ISMS documentation.

Phase 3

The third phase centers around training, auditing, and review. Conducting training and awareness is mandatory. Organizations must also conduct internal audits to verify the effectiveness of the implemented ISMS. Lastly, top management reviews the ISMS to ensure its continuing suitability, adequacy, and effectiveness and identifies areas of continuous improvement.

Audits

In terms of actual audits, the certification process involves conducting the following:

Stage 1:

The certification body conducts an initial audit to review documentation, check the readiness of the ISMS, and verify compliance with ISO/IEC 27001 requirements.

Stage 2:

A more detailed audit is performed to assess the implementation and effectiveness of the ISMS. Non-conformities are identified, and corrective actions may be required.

Certification Decision:

The certification body evaluates audit findings and decides whether to grant ISO/IEC 27001 certification. Certification is issued if requirements are met; otherwise, corrective actions may be required.

Surveillance Audits:

Periodic surveillance audits are conducted to ensure ongoing compliance and effectiveness of the ISMS.

Recertification:

Every few years a recertification audit is conducted to renew ISO/IEC 27001 certification.

Managing ISO/IEC 27001

Creating and maintaining an information security management system that complies with ISO/IEC 27001:2022 can be a daunting task. As with any job, the right tools and technology can facilitate efficiencies in obtaining ISO/IEC 27001 compliance. With AuditBoard’s IT Compliance Solution, your team can hasten your compliance actions and workflows, including those involved with maintaining your organization’s ISMS and ISO/IEC 27001 compliance. Through CrossComply’s multi-framework approach, satisfying multiple controls that share the same evidence or documentation reduces manual efforts and redundancy. And with cross-platform integrations, you can break down silos to achieve results and reach your compliance and security goals.

If your organization is looking to comply with ISO/IEC 27001, try AuditBoard today and streamline your journey to security.

Justin

Justin Toro, CISA, is a Commercial Account Executive at AuditBoard. Prior to joining AuditBoard, Justin spent 6 years with KPMG in Atlanta specializing in information technology audits, SOX/ICFR, and SOC Reporting across a variety of industries. Connect with Justin on LinkedIn.