ISO 27001 Details – ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements (second edition)
ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), which is a collection of activities concerning the management of information risks (the standard refers to these as “information security risks”). An ISMS is a comprehensive management framework through which an organization identifies, analyzes and addresses its information risks. Using an ISMS ensures that the security arrangements are fine-tuned to keep pace with changes in security threats, vulnerabilities and impacts to the business – an important aspect in such a dynamic field, and a key advantage of ISO 27000’s risk-driven approach compared to PCI-DSS (the Payment Card Industry Data Security Standard).
ISO 27001 is written to be applicable to all types of organizations (commercial, government agencies, non-profits), all sizes (from small businesses to very large multinationals), and any industry or market (retail, banking, defense, healthcare, education and government).
ISO 27001 does not formally mandate a specific set of information security controls to be applied to all companies. On the contrary, the controls required vary distinctly across the wide range of organizations that adopt the standard. The information security controls from ISO/IEC 27002 are noted in Annex A to ISO/IEC 27001 and are presented like a menu. Organizations adopting ISO/IEC 27001 are free to choose the specific information security controls applicable to their particular information risks. The standard allows the organization to select from those listed in the menu and to supplement them with other options (sometimes known as extended control sets) depending on their situation. As with ISO/IEC 27002, the key to selecting applicable controls is to undertake a comprehensive assessment of the organization’s information risks and to determine which controls are vital to conformance of the ISMS.
Management may determine that it wishes to avoid, transfer or accept information risks rather than mitigate them through controls – a risk treatment decision within the risk management process.
ISO 27001 Details and History
- ISO/IEC 27001 is derived from BS 7799 Part 2, first published as such in 1999.
- BS 7799 Part 2 was revised by BSI in 2002, explicitly incorporating the Plan-Do-Check-Act cyclic process.
- BS 7799 Part 2 was adopted as ISO/IEC 27001 in 2005, with various changes to reflect its new custodians.
- The standard was extensively revised in 2013, bringing it into line with the other ISO certified management systems standards and dropping explicit reference to PDCA.
ISO 27001 Details and Structure
ISO/IEC 27001:2013 has the following sections:
0 Introduction – the standard uses a process approach.
1 Scope – it specifies generic ISMS requirements suitable for organizations of any type, size or nature.
2 Normative references – only ISO/IEC 27000 is considered absolutely essential to users of ISO/IEC 27001; the remaining ISO27k standards are optional.
3 Terms and definitions – a brief, formalized glossary, soon to be superseded by ISO/IEC 27000.
4 Context of the organization – understanding the organizational context, the needs and expectations of ‘interested parties’, and defining the scope of the ISMS. Section 4.4 states very plainly that “The organization shall establish, implement, maintain and continually improve” a compliant ISMS.
5 Leadership – top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.
6 Planning – outlines the process to identify, analyze and plan to treat information risks, and clarifies the objectives of information security.
7 Support – adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.
8 Operation – a bit more detail about assessing and treating information risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).
9 Performance evaluation – monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system in order to make systematic improvements where appropriate.
10 Improvement – address the findings of audits and reviews (non-conformities and corrective actions), make continual refinements to the ISMS.
Annex A Reference control objectives and controls – this is a list of titles of the control sections in ISO/IEC 27002. The annex is ‘normative’, implying that certified organizations are expected to use it, but they are free to deviate from or supplement it in order to address their particular information risks.
Bibliography – points readers to the five related standards, plus part 1 of the ISO/IEC directives, for more information. In addition, ISO/IEC 27000 is identified in the body of the standard as a normative (i.e. essential) standard and there are several references to ISO 31000 on risk management.
Companies that implement this management system often also have to meet a US Government requirement, NIST SP 800-171.