CS Risk Management is a risk management consultancy which has helped organisations of all sizes and industries achieve ISO 27001 across the world. We are one of the first consultancies to take an organisation through the ISO 27001:2013 process. With every company we work with there is the same starting point to understanding and implementing an ISO 27001 aligned ISMS. Our ISO 27001 consultants are here to give you the basics and the benefits of ISO 27001 for your company!
What is ISO 27001?
ISO 27001 is an international standard that sets out the requirements for an Information Security Management System (ISMS). As a globally recognised framework, it was developed in 2013 to establish, implement, maintain and improve the information security processes of organisations.
ISO 27001 is also known as IEC 27001 and consists of 2 parts:
- A set of defined practices and activities to manage security within the organisation (the management system).
- A catalogue of security measures that could be selected for implementation (Annex A – 118 controls).
To achieve full certification to ISO 27001, the management system practices and activities must all be in place, and the controls chosen by the organisation must be operating and demonstrable. ISO 27001 is not an IT-based standard; it is about information security within a business. That also means managing the threats and risks which could damage the confidentiality and integrity of that information.
When designing an Information Security Management System for any organisation, it is crucial to build it around the ISO 27001 standard to make sure you have covered every information security area and consideration. This is done by following four steps: establishing, implementing, maintaining and improving the ISMS. Here’s how they fit together…
What is an ISMS aligned with ISO 27001?
An ISMS is a set of policies and procedures for managing an organisation's information security. The ISMS covers physical security and the risks relating to people (employees), resources, processes and technology. An Information Security Management System can be applied to a specific area of the business or to the entire organisation. Implementing an ISMS shows that your company is taking its information security procedures seriously, and allows your security strategy to be managed efficiently so that fewer cyber incidents occur. The ISO 27001 scope can also be extended over time to other parts of the business to tighten information security.
Establish the ISMS
- Demonstrate leadership through:
  - Setting a clear scope and objectives for the ISMS
  - Actively promoting the importance of information security to staff and third-party vendors (e.g. marketing agencies, office supplies provider or telephone company)
  - Ensuring information security is embedded in business activities and managed effectively (e.g. physical security within the organisation or employing new staff)
  - Making resources available for implementing, maintaining and improving information security (e.g. having the appropriate staff or management to maintain the ISMS)
- Define the ISMS scope in terms of:
  - The business objectives of the ISMS
  - Internal and external security issues
  - Requirements from stakeholders
  - Organisational boundaries of the management system (i.e. customer-facing service provision)
- Establish the Information Security Policy
- Define and assign information security roles and responsibilities
- Define the risk assessment method and perform the risk assessment
- Determine risk treatment options (e.g. which controls are selected from Annex A)
- Prepare the Statement of Applicability: the SoA is a mandatory document which must be developed and ready to submit in order to obtain ISO 27001 certification
- Develop the information security implementation plan, considering stakeholder requirements, risk treatment options and the introduction of new ISMS processes
Implement the ISMS
- Resource and execute the implementation plan
- Track progress against the new information security plan put in place
- Confirm that the implementation objectives that your organisation set out have been met
Maintain the ISMS
- Maintain resourcing levels required to manage information security
- Maintain staff information security education and general security awareness competence levels
- Determine and follow an internal and external communication strategy
- Document management
- Day-to-day operational planning and control
- Regular re-assessment and treatment of risk
Improve the ISMS
- Measure, monitor, analyse and evaluate controls and security management system
- Conduct internal audits to raise any concerns with the ISMS
- Management review
- Correcting non-conformities found in internal audits and management reviews
- Practicing continual improvement (maintaining the ISMS)
The ISO 27001 standard requires a risk assessment based on current information security. The organisation will need to select the appropriate controls to tackle the information security risks.
The controls are listed in Annex A of the standard; some may already be in place, while not all will be applicable. The simplest way to understand the Annex A controls is to picture them as an index of controls. The organisation undertakes a risk assessment, selects the appropriate controls to address the risks it finds, and documents the selection in the ‘Statement of Applicability’, with documented evidence for any controls already in place.
The Annex A controls are split into 14 sections, each focusing on a different aspect of information security. Implementing these controls within your organisation improves the company's security culture for staff. ISO 27001 certification increases cyber resilience against data breaches and attacks targeting confidential information.
There are 118 potential Annex A controls:
A.5 Information security policies (2 controls) – Implementing appropriate policies regarding how to manage information security
A.6 Organization of information security (7 controls) – Ensuring appropriate roles and responsibilities are assigned internally to keep up to date with information security threats
A.7 Human Resource Security (6 controls) – Covers staff before and during employment to ensure background checks and appropriate training for employees
A.8 Asset Management (10 controls) – Any assets that contain information need to be kept up to date, managed and in the scope of the ISMS
A.9 Access Control (14 controls) – Limits access to information to ensure only authorised people have access to confidential information
A.10 Cryptography (2 controls) – Effective and proper use of cryptography to protect the integrity of information within the organisation
A.11 Physical and environmental security (15 controls) – Ensures physical and environmental security such as office security and clear desk procedures
A.12 Operations Security (14 controls) – Any operational procedures or responsibilities must be documented to ensure secure information processing
A.13 Communications Security (7 controls) – Networks must be managed, and the organisation must ensure the correct procedures are in place to protect information within systems
A.14 System acquisition, development and maintenance (13 controls) – This control ensures information security is a key part of the ISMS across the entire business
A.15 Supplier relationships (5 controls) – Supplier management security to ensure any suppliers you share information with treat it securely, and that this is maintained within supplier agreements
A.16 Information security incident management (7 controls) – Ensures that if a cyber incident does occur it has the least possible impact on the business, with the correct controls in place to respond in an efficient manner
A.17 Information security aspects of business continuity management (4 controls) – Information security should be embedded into an organisation's business continuity management system with the correct procedures
A.18 Compliance (8 controls) – This control relates to legal and contractual requirements; organisations should avoid breaches and conform to standards such as GDPR to protect information
Why Should Your Organisation Adopt the ISO 27001 Standard?
ISO 27001 certification has many benefits for an organisation. Adopting the information security standard ensures that security becomes part of company culture and builds resilience against cyber threats. ISO 27001 is a standard which the organisation must maintain by conducting risk assessments, which allow management and key stakeholders to manage information security risks.
Here are some of the many reasons a company should adopt the ISO 27001 standard:
- Gain a competitive edge against other companies – ISO 27001 helps organisations demonstrate good practice in information security. It is a reminder to third parties, new clients and customers that you take security seriously. Being ISO 27001 certified also helps meet new business tender requirements, making bids more likely to be accepted.
- Control risk within the organisation – Security risk levels are hard to maintain within an organisation without a controlled plan in place. ISO 27001 ensures procedures are followed to protect information security, minimising the threats.
- Increase resilience to cyber-attacks – Implementing an ISO 27001 aligned ISMS in your company ensures you have the processes and maintenance in place to protect information security and become resilient to attacks such as data breaches.
- Confidence and assurance for your business! – Gain full confidence in your information security arrangements. This will improve the organisation's ability to recover operations in the event of an attack. Overall assurance that there is improved internal organisation which protects your business reputation!