What is ISO 27001?
ISO 27001 (ISO/IEC 27001:2013) is an international standard describing best practice for an ISMS (information security management system). The standard is well recognised across the world, ranking as one of the most popular global information security standards. An ISO 27001 certification demonstrates that you can protect your data systems and information assets and keep them safe and secure.
ISO 27001 accreditation is gained by showing that you can protect employee information, manage risks effectively, achieve compliance with regulations such as the GDPR and protect your business reputation. The certification plays an important role in improving an organisation's information security defences. It is invaluable for monitoring, reviewing, maintaining and improving a company's information security management system. ISO 27001 is applicable to organisations of all sizes and in all verticals.
Some organisations choose to implement the standard for best practice, whilst others like to obtain certification to reassure their clients or customers that the security standard has been followed.
What is an ISMS?
An information security management system (ISMS) is a set of policies and procedures for managing an organisation's information security. An ISMS contains procedures covering an organisation's physical security, employee behaviour and processes, as well as its data and technology. The aim of an ISMS is to identify risks to the organisation and put mitigations in place to limit the impact of a security breach.
An ISMS also requires that the right team is in place to carry out information security activities and that it is fully supported by the company's management. Risk assessments should be conducted as part of the process to understand which information you are trying to protect, why it matters, and how you will protect it.
In simple terms, an ISMS is a set of policies and procedures involving a number of aspects such as people, processes and technology to help keep an organisation’s data protected.
ISO 27001 Controls - Annex A
During the implementation of the ISMS you will conduct a risk assessment to understand what it is you are trying to protect and how critical that information is to your organisation. Following on from this you will need to identify which security controls to implement to protect this information. For example, security controls can be implemented in a layered approach: a lock on the front door of the premises (layer 1), a lock on an internal office door (layer 2) and a password on the computer within the office (layer 3).
Within the ISO 27001 standard, Annex A contains 114 controls which can be selected and implemented to protect the information. Not all controls are applicable to every organisation, and some controls might already be in place. The selection of these controls, and whether each is applicable to protecting the organisation's information, is recorded in a Statement of Applicability (SOA). The controls listed in Annex A (and expanded in ISO 27002 with implementation guidance) cover the following areas:
A.5 Information security policies – Implementing policies regarding how to manage information security within the organisation and continuing to review those policies to ensure they remain appropriate to the business.
A.6 Organisation of information security – Ensuring that appropriate roles and responsibilities are assigned internally, that internal personnel use external resources to keep up to date with information security threats, and that they maintain contact with any authorities applicable to their business activities.
A.7 Human Resource Security – These controls are pre-employment and during employment and consist of areas such as ensuring background checks are completed and appropriate training is in place for employees. The annex also covers what happens when employees leave or change roles.
A.8 Asset Management – This annex is to identify information assets in the scope for the ISMS and ensure that protection responsibilities are in place. Any assets that contain information need to be kept up to date and managed.
A.9 Access Control – This control states the requirements for access control, which is to limit access to information and information processing facilities. An access control policy must be established to define who needs to know the information, so that only authorised people can access it.
A.10 Cryptography – The effective use of cryptography to protect confidentiality of information. The incorrect selection of cryptography technologies can cause vulnerabilities for an organisation, along with a lack of management of cryptographic material, for example keys and certificates.
A.11 Physical and environmental security – This control covers physical and environmental security, including areas such as premises security, preventing unauthorised physical access and clear desk procedures, since computers and laptops may contain sensitive information. The organisation must establish secure areas that protect information so that only authorised people can access it.
A.12 Operations Security – Operational security relates to operational procedures and responsibilities. Operational procedures must be documented to ensure consistency for new employees, and the documentation is also useful for cyber security disaster recovery.
A.13 Communications Security – Networks must be managed and controlled to ensure the protection of information in networks. The organisation should ensure there are the correct methods in place to protect information within systems and applications.
A.14 System acquisition, development and maintenance – Controls enforcing the security requirements of information systems. The objective of this control is to ensure information security is a key part of the ISMS across the organisation.
A.15 Supplier relationships – Supplier management security to ensure that any suppliers you share information with treat that information as securely as you do, and how to monitor them.
A.16 Information security incident management – Controls for having security incident management in place, so that if an incident does occur it has the least possible impact on the operations of your business. The control establishes which procedures are in place, the responsibilities management have in order to address the incident effectively, and how evidence is collected.
A.17 Information security aspects of business continuity management – Information security within an organisation should be embedded into the organisation’s business continuity management systems with the correct procedures and reviewing.
A.18 Compliance – This control is about legal and contractual requirements. Organisations that wish to comply with the ISO 27001 standard should avoid breaches of legal or contractual requirements related to information security, such as the GDPR, which protects the information of individuals.
Benefits of ISO 27001
Increase your cyber-attack resilience
Implementing and maintaining an ISMS will markedly increase your organisation's resilience to cyber-attacks and data breaches, as you will have processes in place to protect your information security.
Comply with contractual and legal requirements
A certification for ISO 27001 is a prerequisite for many tender applications and public sector contracts, and provides a competitive advantage when completing RFPs and other new business bids and tenders.
Improve company security culture
As part of ISO 27001, the ISMS will need to be maintained and improved. This enables employees to understand the risks of the organisation and understand the controls as part of day-to-day practices.
Increase customer and client confidence
Certification is a continual reminder to your customers or clients that you are committed to information security at different levels of the business. The ISO 27001 certification provides credibility and demonstrates trustworthiness.