What is ISO 27001 and why do I need it?
ISO 27001:2013 is the internationally recognised best practice framework for an Information Security Management System (ISMS). It is one of the most popular information security standards worldwide.
About the ISO and IEC
Let’s start off by explaining what the letters ISO and IEC stand for. ISO stands for the International Organization for Standardisation, so all organizations that achieve ISO 27001 certification are working to the same high standards.
IEC stands for the International Electrotechnical Commission, which is a not-for-profit organisation that works independently of any government.
Together the ISO and the IEC form a joint technical committee, developing and maintaining standards in IT, as well as Information and Communications Technology (ICT), and related technologies.
When you achieve ISO 27001:2013 certification you are demonstrating that your Information Security Management System (ISMS) meets the standards of the ISO model of implementation, maintenance and continual improvement.
Mandatory requirements for certification
ISO/IEC 27001 is a formalized specification for an ISMS with two distinct purposes:
- It lays out the design for an ISMS, describing the important parts at a fairly high level;
- It can (optionally) be used as the basis for formal compliance assessment by accredited certification auditors in order to certify an organization compliant.
The following mandatory documentation is explicitly required for certification:
- ISMS scope (as per clause 4.3)
- Information security policy (clause 5.2)
- Information risk assessment process (clause 6.1.2)
- Information risk treatment process (clause 6.1.3)
- Information security objectives (clause 6.2)
- Evidence of the competence of the people working in information security (clause 7.2)
- Other ISMS-related documents deemed necessary by the organization (clause 7.5.1b)
- Operational planning and control documents (clause 8.1)
- The results of the [information] risk assessments (clause 8.2)
- The decisions regarding [information] risk treatment (clause 8.3)
- Evidence of the monitoring and measurement of information security (clause 9.1)
- The ISMS internal audit program and the results of audits conducted (clause 9.2)
- Evidence of top management reviews of the ISMS (clause 9.3)
- Evidence of nonconformities identified and corrective actions arising (clause 10.1)
- Various others: Annex A mentions but does not fully specify further documentation including the rules for acceptable use of assets, access control policy, operating procedures, confidentiality or non-disclosure agreements, secure system engineering principles, information security policy for supplier relationships, information security incident response procedures, relevant laws, regulations and contractual obligations plus the associated compliance procedures, and information security continuity procedures. However, despite Annex A being normative, organizations are not formally required to adopt and comply with Annex A: they can use other structures and approaches to treat their information risks.
Certification auditors will almost certainly check that these fifteen types of documentation are (a) present, and (b) fit for purpose.
The standard does not specify precisely what form the documentation should take, but section 7.5.2 talks about aspects such as the titles, authors, formats, media, review and approval, while 7.5.3 concerns document control, implying a fairly formal ISO 9000-style approach. Electronic documentation (such as intranet pages) is just as good as paper documents, in fact better in the sense that it is easier to control and update.
ISMS scope and Statement of Applicability (SoA)
Whereas the standard is intended to drive the implementation of an enterprise-wide ISMS, ensuring that all parts of the organization benefit by addressing their information risks in an appropriate and systematically-managed manner, organizations can scope their ISMS as broadly or as narrowly as they wish – indeed scoping is a crucial decision for senior management (clause 4.3). A documented ISMS scope is one of the mandatory requirements for certification.
Although the Statement of Applicability is not explicitly defined, it is a mandatory requirement of section 6.1.3. The SoA refers to the output from the information risk assessments and, in particular, the decisions around treating those risks. The SoA may, for instance, take the form of a matrix identifying various types of information risks on one axis and risk treatment options on the other, showing in the body of the matrix how each risk is to be treated, and perhaps who is accountable for it. It usually references the relevant controls from ISO/IEC 27002, but the organization may use a completely different framework such as NIST SP800-53, the ISF standard, BMIS and/or COBIT, or a custom approach. The information security control objectives and controls from ISO/IEC 27002 are provided as a checklist at Annex A in order to avoid ‘overlooking necessary controls’: they are not required.
The ISMS scope and SoA are crucial if a third party intends to attach any reliance to an organization’s ISO/IEC 27001 compliance certificate. If an organization’s ISO/IEC 27001 scope only includes “Acme Ltd. Department X”, for example, the associated certificate says absolutely nothing about the state of information security in “Acme Ltd. Department Y” or indeed “Acme Ltd.” as a whole. Similarly, if for some reason management decides to accept malware risks without implementing conventional antivirus controls, the certification auditors may well challenge such a bold assertion but, provided the associated analyses and decisions were sound, that alone would not be justification to refuse to certify the organization since antivirus controls are not in fact mandatory.