What is ISO 27001?

Overview

ISO 27001 is an international standard that provides a framework to implement an information security management system (ISMS). It outlines best practices and controls to help organisations manage their information security risks. The standard covers various aspects of information security, including risk assessment, security policies, access controls, and incident management.


The Main Requirements and the ISMS 

Clause 4: Context of the organisation

This clause sets the foundation for the ISMS by ensuring it aligns with the organisation's context and objectives through four key activities:

  1. Identify internal and external factors relevant to the organisation's information security management system (ISMS).
  2. Understand the needs and expectations of interested parties.
  3. Define the scope of the ISMS based on this understanding.
  4. Establish, implement, maintain, and continually improve the ISMS.

Evidence: A documented scope that covers the above items. (NOTE: This doesn't need to be a standalone document and CAN sit within another policy/company document.)


Clause 5: Leadership

Clause 5 emphasises the importance of leadership and commitment from top management in driving the implementation and effectiveness of the ISMS throughout the organisation. The key components of clause 5 are:

  1. Leadership and commitment: Top management must demonstrate leadership and commitment to the ISMS by establishing an information security policy and ensuring it is communicated, understood, and applied within the organisation.
  2. Policy: Top management is responsible for establishing, implementing, and maintaining an information security policy that is appropriate to the purpose and context of the organisation and supports its information security objectives.
    NOTE: The Information Security Policy (or equivalent policy) MUST either document the information security objectives or provide the framework used to set them.
  3. Organisational roles, responsibilities, and authorities: Top management must ensure that roles, responsibilities, and authorities for relevant roles are assigned, communicated, and understood within the organisation.
  4. Communication: Top management must ensure that the importance of effective information security management and conforming to the ISMS requirements is communicated within the organisation. (Link to 
  5. Support: Top management must provide the necessary resources, including human resources and training, to support the ISMS. (Link to resourcing clause)
  6. Management review: Top management must review the ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. (Link to management review clause later on)

Clause 6: Planning

Clause 6 of ISO 27001 requires organisations to:

  1. Plan actions to address information security risks and opportunities: This is your Risk Management Framework!
  2. Establish measurable information security objectives
    NOTE: Make sure these align with the information security objectives in the Information Security Policy.
  3. Integrate information security objectives into business processes.
  4. Conduct risk assessments.
  5. Treat identified risks: ISO 27001 expects risks to be treated through the identification of applicable Information Security Controls. The applicable controls are documented in your Statement of Applicability.

This clause ensures that organisations proactively manage risks and align information security with their business objectives.

Clause 7: Support

Clause 7 focuses on providing the necessary resources and support for the information security management system (ISMS):

Resources: The organisation must determine and provide the necessary resources for the establishment, implementation, maintenance, and continual improvement of the ISMS.

Competence: The organisation must determine the necessary competence of personnel involved in the ISMS and ensure they are competent based on education, training, or experience.

Awareness: The organisation must ensure that persons doing work under its control are aware of the information security policy, relevant information security objectives, their contribution to the effectiveness of the ISMS, and the implications of not conforming with the ISMS requirements.

Communication: The organisation must establish, implement, and maintain processes for internal communication related to the ISMS, as well as for receiving, documenting, and responding to relevant communication from external interested parties.

Documented information: The organisation must control the creation and modification of documents and records required for the ISMS, as well as ensure they are adequately protected.

Overall, Clause 7 emphasises the importance of providing the necessary resources, competence, awareness, communication, and documented information to support the effective implementation and maintenance of the ISMS.


Clause 8: Operation

Clause 8 focuses on the planning, implementation, and control of information security processes and activities. In a nutshell, it’s implementing and performing every aspect of your Information Security Management System (ISMS):

Operational planning and control: The organisation must plan, implement, and control the processes needed to meet information security requirements, manage risks, and achieve information security objectives.

Information security risk assessment: The organisation must assess information security risks by identifying assets, threats, vulnerabilities, and impacts, and then analyse and evaluate these risks to determine their significance.

Information security risk treatment: The organisation must select and implement risk treatment options to address information security risks, considering risk reduction, risk acceptance, or risk avoidance.

Information security objectives and planning to achieve them: The organisation must establish, implement, and maintain information security objectives and plans to achieve them, ensuring they are consistent with the information security policy.

Incident management: The organisation must establish, implement, and maintain a process for identifying, managing, and responding to information security incidents.

Business continuity management: The organisation must establish, implement, and maintain a process for managing information security continuity in the event of a disruption.

Compliance with legal and other requirements: The organisation must identify, assess, and comply with legal, regulatory, contractual, and other requirements related to information security.

Overall, Clause 8 emphasises the importance of planning, implementing, and controlling information security processes to ensure the confidentiality, integrity, and availability of information, as well as to achieve information security objectives and comply with legal requirements.

Clause 9: Performance evaluation

Clause 9 of ISO 27001 requires organisations to:

  1. Monitor, measure, analyse, and evaluate the ISMS:
    NOTE: The metrics used to evaluate the effectiveness of the ISMS should be in line with the defined objectives!
  2. Conduct internal audits and management reviews of the ISMS.
    NOTE: For further guidance pertaining to internal audits go here
  3. Evaluate compliance with legal and other requirements.
  4. Take corrective action when objectives are not met. (See clause 10: Improvement for further information)

This clause ensures that organisations continually assess and improve the effectiveness of their ISMS.


Clause 10: Improvement

Clause 10 of ISO 27001 requires organisations to:

  1. React to nonconformities and take corrective actions to address root causes and prevent recurrence.
    NOTE: All items that require a corrective action should be lodged in a central register, such as a Corrective and Preventive Action (CAPA) Register.
  2. Continually improve the suitability, adequacy, and effectiveness of the ISMS based on audit results and assessments.