ISO 27001 Explained
A complete guide to the international standard for information security management systems
ISO 27001 is a licensed document of around 30 pages that can be purchased on the internet in a variety of languages. The standard specifies requirements for the development and operation of a structured framework of policies, procedures, processes, practices, roles, responsibilities, controls and resources, collectively referred to as an information security management system (ISMS).
The ultimate goal of an ISMS is to treat risks to the confidentiality, integrity and availability of information assets, in line with organisational objectives. ISO 27001 includes a set of best-practice controls for the mitigation of the risks associated with the information assets which the organisation seeks to protect by operating its ISMS.
An organisation operating an ISMS may have its conformity audited and certified to ISO 27001. Certifying your organisation’s ISMS brings a variety of benefits, including reduced information risk, improved governance, conformity to legal and regulatory requirements, competitive advantage and incremental revenue growth.
Since the standard itself is not particularly easy to interpret – especially for those without a background in compliance – we decided to create a concise overview of the main elements in an easily digestible format. We trust you find “ISO 27001 Explained” a valuable resource. Please feel free to bookmark the page for your reference. We intend to make regular improvements and publish supporting material both here and on the MOD1 Insights blog.
As CEO and founder of MOD1 AG, Dylan Johnston dedicates his energy to helping organisations break down barriers to digital transformation through the adoption of a risk-based approach to securing sensitive personal data and critical business information assets.
- What is ISO 27001?
- What role does ISO 27001 play in the area of information security?
- What is an ISO 27001 certification?
- What are the advantages of certifying your organisation to ISO 27001?
- What are the ISO 27001 requirements?
- Which sections of ISO 27001 contain mandatory requirements?
- What is an ISO 27001 risk assessment?
- What is ISO 27001 Annex A?
- What are the ISO 27001:2022 Annex A controls?
- What are the differences between ISO 27001:2013 and ISO 27001:2022?
- What can we deduce from this?
- How will the 2022 changes affect existing ISO 27001 certifications?
What is ISO 27001?
ISO 27001 is an international standard that defines a set of requirements for the establishment, implementation, operation, monitoring, review and continual improvement of an information security management system (ISMS).
The current edition is ISO/IEC 27001:2022, whose full title is ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements. The previous edition, ISO/IEC 27001:2013, was titled Information technology — Security techniques — Information security management systems — Requirements. Either way, it is (for obvious reasons) more commonly referred to as “ISO 27001”, “ISO27001” or “27001”.
As its designation suggests, ISO 27001 was developed by the joint technical committee of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC JTC 1, specifically its subcommittee SC 27, which is responsible for information security, cybersecurity and privacy protection standards.
JTC 1 is a consensus-based, voluntary international standards group of over 2000 experts from 163 countries. It develops, maintains and promotes the information technology (IT) standards that global markets require to meet business and user needs.
What role does ISO 27001 play in the area of information security?
Information security is the protection of information assets from unauthorised access, use, modification, disclosure, disruption or destruction, to maintain confidentiality, integrity and availability.
ISO 27001 serves as a blueprint for a framework of policies, procedures, guidelines, resources and associated activities managed by an organisation in the pursuit of securing its information assets in support of its business objectives.
A core component of the standard is effective risk management and the subsequent implementation of a set of managerial, administrative, physical, technical and educational measures that mitigate risks to sensitive data and business information assets.
What is an ISO 27001 certification?
An ISO 27001 certification provides an independent demonstration that an organisation’s ISMS meets its stated policy and objectives, complies with the relevant statutory, regulatory and contractual requirements and is effectively maintained. Organisations become ISO 27001 certified by passing a certification audit performed by an accredited certification body. A certificate is normally valid for three years, subject to annual surveillance audits and a recertification audit at the end of the cycle.
What are the ISO 27001 requirements?
Organisations can obtain certification against ISO 27001 by demonstrating compliance with its requirements. Clauses 0 – 3 introduce the standard and its vocabulary but don’t contain requirements. Clauses 4 – 10 specify the requirements that must be met for an organisation to claim conformity. The requirements of clauses 4 – 10 are as follows:
Clause 4 of the standard requires the organisation to determine the internal and external issues, and the needs and expectations of interested parties, that are relevant to its information security management system (ISMS). It also requires the organisation to define a suitable scope for the ISMS and to establish, implement, maintain and continually improve it.
Clause 5 is probably the most critical component of any information security management system since even the most well-planned implementation is sure to fail without the total commitment of senior management. The leadership clause requires the organisation to establish an information security policy and define information security roles, responsibilities, and authorities.
Clause 6 of the standard requires the organisation to determine the risks and opportunities that may affect the intended outcomes of the management system and to plan actions to address them. Organisations must define and apply information security risk assessment and risk treatment processes. They must also produce a Statement of Applicability (clause 6.1.3) listing the controls deemed necessary, whether each of those controls is implemented, and the justification for including them and for excluding any ISO 27001 Annex A control. Finally, clause 6 requires the definition of information security objectives that align with organisational objectives (and, in the 2022 edition, the planning of changes to the ISMS).
Clause 7 covers the support an ISMS needs: the resources to run it, the competence of the people who operate it, awareness of the information security policy and of each person’s contribution to it, internal and external communication, and the management of documented information (its creation, update and control).
Clause 8 of the standard involves executing the risk assessment and treatment processes established in clause 6. It requires risk assessments to be performed at planned intervals or when significant changes are proposed or occur, the risk treatment plan to be implemented, and externally provided (outsourced) processes, products or services relevant to the ISMS to be controlled.
Clause 9 of the standard requires the organisation to monitor, measure, analyse and evaluate the performance and effectiveness of the management system. It entails the planning and execution of internal audits and management reviews to ensure that the management system consistently meets its objectives and can be continually improved.
The final clause addresses requirements for identifying and correcting nonconformities and addressing their causes. It also requires the organisation to continually improve the suitability, adequacy and effectiveness of the information security management system.
What are the advantages of certifying your organisation to ISO 27001?
A structured, certified approach to information security management helps organisations reduce the likelihood of cybersecurity and data privacy incidents, optimise their information security controls and respond effectively to an evolving threat landscape.
ISO 27001 requires senior management accountability for information security. When senior management is directly involved in steering ISMS strategy, there is a greater chance that the organisation’s approach to treating information risk aligns with business objectives, and that the ISMS program will add significant value.
Implementing an information security management system helps organisations conform with statutory, regulatory or contractual requirements such as the EU GDPR, HIPAA or Germany’s DiGA rules for digital health applications. The flexibility of ISO 27001 allows organisations to integrate best practices from a variety of sources, including PCI DSS, the CSA Cloud Controls Matrix (CCM), NIST publications and ITIL.
ISO 27001 is an internationally recognised and externally assured standard that conveys to stakeholders that your organisation is credible and trustworthy. An ISO 27001 certification can be leveraged as a marketing tool to inspire customer confidence and differentiate your organisation's products and services from those of uncertified competitors.
Customers are beginning to make ISO 27001 a requirement of suppliers to bid for contracts, particularly in the digital healthcare space, where healthcare providers require strong assurance that sensitive personal data has sufficient protection against online threats. An ISO 27001 certification can also result in reduced bid effort for contracts that ask questions related to product information security.
ISO 27001 requires regular reviews so that organisations continuously optimise their processes in response to changes in organisational context, scope or risk profile. Over time, this iterative approach improves process efficiency and increases the economic effectiveness of information security investments.
Which sections of ISO 27001 contain mandatory requirements?
This standard indicates a mandatory requirement through the use of the word “shall”. For example:
“The organization shall define and apply an information security risk assessment process”
Clause 1 of the standard states that excluding any of the requirements in clauses 4 – 10 is not acceptable when an organisation claims conformity. The requirements in these clauses are therefore mandatory for all organisations that wish to claim conformity to the standard; the Annex A controls, by contrast, are selected according to the organisation’s risk treatment.
What is an ISO 27001 risk assessment?
An ISO 27001 risk assessment is the process of identifying, analysing and evaluating potential risk scenarios and documenting the results. ISO 27001 takes its definition of risk from ISO/IEC 27000: “the effect of uncertainty on objectives”. Risks are often expressed by combining the consequences of an event and the associated likelihood of its occurrence.
The main stages of a risk assessment are asset identification, risk identification, risk analysis and risk evaluation against the organisation’s risk acceptance criteria. Since the 2013 edition the standard no longer mandates an asset-based method, so risks may also be identified per scenario or process, but the chosen method must produce consistent, valid and comparable results. When the risk assessment is complete, the organisation must treat the risks. Risk treatment planning determines the course of action taken to address a particular risk based on the risk assessment results. Risk treatment options include risk mitigation (implement controls to reduce the likelihood or consequence), risk transfer or sharing (for example insuring against the risk or shifting it contractually to a supplier, noting that accountability cannot be outsourced), risk acceptance (have management formally sign off on retaining the risk) and risk avoidance (terminate the activity associated with the risk).
Risk management is an ongoing process. It is crucial to assess risks regularly and consistently to account for changes in the business environment and threat landscape.
What is ISO 27001 Annex A?
ISO 27001 Annex A is a reference list of information security controls (the 2013 edition also grouped them under control objectives) that organisations must compare against the controls determined by their own risk treatment. No Annex A control is mandatory in itself: the organisation selects the controls it needs, from Annex A or any other source, to treat its risks. The comparison exists to ensure that no necessary control has been overlooked, and any Annex A control deemed not applicable must carry a written justification for its exclusion in the Statement of Applicability (SoA), which also records the included controls and whether each one is implemented.
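To make the risk treatment options and the Statement of Applicability rule concrete, here is an added worked example in Python. It is example code written for this page, not part of the standard and not MOD1 tooling. It scores a small risk register, checks each entry’s treatment against the four options described in the risk assessment section, and derives SoA rows in which every Annex A control is either applied by some risk treatment or excluded with a written justification. The 1 to 5 scales, the risk appetite threshold, the risk records, the exclusion reasons and the custom control CUST-1 are constructed assumptions; the Annex A subset used is the 11 controls that are new in the 2022 edition.

```python
"""Added worked example (not from the standard): a small risk register with a
Statement of Applicability (SoA) consistency check.  The scales, threshold,
risks, exclusion reasons and the custom control CUST-1 are constructed."""
from dataclasses import dataclass

# Constructed: 1..5 ordinal scales and a risk appetite threshold on their product.
# ISO 27001 prescribes neither; it only requires the criteria to be defined (6.1.2).
SCALE_MAX = 5
RISK_APPETITE = 8
TREATMENTS = ("mitigate", "transfer", "accept", "avoid")

# Subset of ISO/IEC 27001:2022 Annex A: the 11 controls new in the 2022 edition.
ANNEX_A = {
    "5.7": "Threat intelligence",
    "5.23": "Information security for use of cloud services",
    "5.30": "ICT readiness for business continuity",
    "7.4": "Physical security monitoring",
    "8.9": "Configuration management",
    "8.10": "Information deletion",
    "8.11": "Data masking",
    "8.12": "Data leakage prevention",
    "8.16": "Monitoring activities",
    "8.23": "Web filtering",
    "8.28": "Secure coding",
}


@dataclass(frozen=True)
class Risk:
    rid: str
    scenario: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    consequence: int         # 1 (negligible) .. 5 (severe)
    treatment: str           # one of TREATMENTS
    controls: tuple = ()     # control IDs applied when mitigating
    owner: str = ""          # who signs off an accepted risk

    @property
    def level(self) -> int:
        return self.likelihood * self.consequence


def validate_risk(r: Risk) -> list:
    """Findings for one register entry: scale range and treatment consistency."""
    findings = []
    if not (1 <= r.likelihood <= SCALE_MAX and 1 <= r.consequence <= SCALE_MAX):
        findings.append(f"{r.rid}: likelihood/consequence must be 1..{SCALE_MAX}")
    if r.treatment not in TREATMENTS:
        findings.append(f"{r.rid}: unknown treatment {r.treatment!r}")
    elif r.treatment == "mitigate" and not r.controls:
        findings.append(f"{r.rid}: 'mitigate' without any control")
    elif r.treatment == "accept":
        if r.controls:
            findings.append(f"{r.rid}: 'accept' with controls listed; use 'mitigate'")
        if r.level > RISK_APPETITE and not r.owner:
            findings.append(f"{r.rid}: accepted above appetite ({r.level}) without sign-off")
    return findings


def build_soa(register, exclusion_reasons):
    """Derive SoA rows (id, name, status, detail).  Every Annex A control is
    either applicable (referenced by a treatment) or excluded with a written
    justification; anything else is a finding.  Controls from outside Annex A
    are permitted by the standard but must still be listed in the SoA."""
    used = {}
    for r in register:
        for c in r.controls:
            used.setdefault(c, []).append(r.rid)
    rows, findings = [], []
    for cid, name in ANNEX_A.items():
        if cid in used:
            rows.append((cid, name, "applicable", ", ".join(used[cid])))
        elif cid in exclusion_reasons:
            rows.append((cid, name, "excluded", exclusion_reasons[cid]))
        else:
            findings.append(f"A.{cid} {name}: neither applied nor justified as excluded")
    for cid in sorted(c for c in used if c not in ANNEX_A):
        rows.append((cid, "custom control (not Annex A)", "applicable", ", ".join(used[cid])))
    return rows, findings


# Constructed sample register and exclusion justifications.
REGISTER = (
    Risk("R1", "Customer data exposed via misconfigured cloud bucket", 3, 4, "mitigate", ("5.23", "8.12")),
    Risk("R2", "Laptop theft from an unmonitored office", 2, 3, "mitigate", ("7.4",)),
    Risk("R3", "Legacy product left reachable from the internet", 4, 4, "avoid"),
    Risk("R4", "Staff visit a phishing site", 3, 3, "accept"),          # 9 > appetite, no owner
    Risk("R5", "Unpatched web application", 4, 3, "mitigate", ("8.9", "8.28", "CUST-1")),
)
EXCLUSIONS = {
    "8.11": "No production data is used outside production environments",
    "8.23": "In-scope systems are headless servers with no user web browsing",
}


def assess(register=REGISTER, exclusions=EXCLUSIONS):
    """Return (soa_rows, findings) for the whole register."""
    findings = [f for r in register for f in validate_risk(r)]
    rows, soa_findings = build_soa(register, exclusions)
    return rows, findings + soa_findings


if __name__ == "__main__":
    rows, findings = assess()
    for row in rows:
        print(" | ".join(row))
    print("\nFindings:" if findings else "\nNo findings")
    for f in findings:
        print(" -", f)
```

Run as-is, the script reports R4 as accepted above appetite without an owner, and four Annex A controls (5.7, 5.30, 8.10, 8.16) that are neither applied by a treatment nor justified as excluded; an auditor would raise exactly those gaps against the SoA. The point of separating `validate_risk` from `build_soa` is that the SoA is derived from the treatment plan rather than maintained by hand, so the two documents cannot drift apart.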
What are the ISO 27001:2022 Annex A controls?
ISO 27001:2022 Annex A consists of 93 best-practice information security controls grouped into the following four themes:
Organisational measures represent an organisation's comprehensive approach to safeguarding its data across various domains. These measures include policies, regulations, processes, procedures, organisational structures, and other components.
People measures enable businesses to address the human aspect of their information security program, establishing protocols for how personnel engage with data and each other. These controls encompass secure human resources management, personnel security, and awareness and training initiatives.
Physical measures are put in place to protect tangible assets, encompassing entry systems, guest access protocols, asset disposal procedures, storage medium protocols, and clear desk policies. These safeguards are essential for safeguarding sensitive information.
Technological measures cover the technical safeguards and procedures that organisations implement to establish a secure and compliant IT infrastructure, including authentication methods, secure configurations, backup and disaster recovery, and logging and monitoring.
What are the differences between ISO 27001:2013 and ISO 27001:2022?
The differences begin with the title, which shifts from “Information technology – Security techniques” to “Information security, cybersecurity and privacy protection”. Noteworthy changes within the core clauses 4 to 10 include new requirements on determining which interested-party needs the ISMS must address, planning the ISMS’s processes and their interactions, a note on how “business” is to be read in the leadership clause, and a requirement that changes to the ISMS are planned.
Here’s a concise summary of the alterations in ISO 27001:2022:
- Clause 4.2 “Understanding the needs and expectations of interested parties”, item (c) has been added, requiring an analysis of which interested party requirements must be addressed through the ISMS.
- Clause 4.4 “Information security management system” now includes a phrase requiring process and interaction planning as part of the ISMS.
- Clause 5.3, “Organizational roles, responsibilities, and authorities,” has a new phrase clarifying that role communication is internal within the organisation.
- Clause 6.2 “Information security objectives and planning to achieve them”, item(d) has been added requiring monitoring objectives.
- Clause 6.3 “Planning of changes” is a new addition, mandating that any change in the ISMS must be planned.
- Clause 7.4 “Communication”: item (e), which required defining the processes by which communication is effected, has been merged into item (d) “how to communicate”.
- Clause 8.1 “Operational planning and control”: new requirements have been added for establishing criteria for the ISMS processes and implementing control of those processes in accordance with the criteria, while the explicit requirement to implement plans to achieve the information security objectives has been removed.
- Clause 9.3 “Management review” now includes the new item 9.3.2 c), clarifying that inputs from interested parties must pertain to their needs and expectations and be relevant to the ISMS.
- Clause 10 “Improvement”, the subclauses have been rearranged, with “Continual improvement” (10.1) now preceding “Nonconformity and corrective action “(10.2), although the text of those clauses remains unchanged.
Annex A has been entirely restructured. The number of controls has been reduced from 114 to 93, and they are now grouped into 4 themes instead of the 14 domains of the 2013 edition. Annex A mirrors clauses 5 to 8 of ISO/IEC 27002:2022, which are:
- Clause 5: Organisational controls (37 controls)
- Clause 6: People controls (8 controls)
- Clause 7: Physical controls (14 controls)
- Clause 8: Technological controls (34 controls)
Some controls remain unaltered in the 2022 edition, while others have been renamed, merged (most of the reduction from 114 comes from consolidating 2013 controls) or newly introduced.
Annex A of ISO/IEC 27001:2022 now encompasses 93 controls, of which the following 11 are new:
- Annex A 5.7 Threat Intelligence
- Annex A 5.23 Information security for use of cloud services
- Annex A 5.30 ICT readiness for business continuity
- Annex A 7.4 Physical security monitoring
- Annex A 8.9 Configuration management
- Annex A 8.10 Information deletion
- Annex A 8.11 Data masking
- Annex A 8.12 Data leakage prevention
- Annex A 8.16 Monitoring activities
- Annex A 8.23 Web filtering
- Annex A 8.28 Secure coding
What can we deduce from this?
To summarise, the adjustments in the ISO 27001:2022 revision compared to the 2013 edition range from minor to moderate. The foundational structure of 11 clauses (0 to 10) remains largely unaltered, with only minor tweaks.
The 2022 edition is easier to tailor and implement across different organisations and scenarios, and its consolidated control set reduces the effort of mapping, implementing and maintaining controls.
In summary, the key new features include:
- Alignment of the management system with a standardised structure.
- Greater emphasis on process orientation, interactions, and criteria.
- Simplified and rationalised categorisation of controls into thematic groupings.
- Integration of modern measures in line with current organisational practices and associated risks.
- Incorporation of attributes (defined in ISO/IEC 27002:2022, such as control type, cybersecurity concept and security domain) to harmonise controls with various risk management methodologies, including global cybersecurity frameworks.
How will the 2022 changes affect existing ISO 27001 certifications?
Existing certificates are not invalidated immediately, but they are time-limited. Under the transition arrangements published by the International Accreditation Forum (IAF MD 26), certificates issued against ISO/IEC 27001:2013 remain valid until 31 October 2025, three years after publication of the 2022 edition, and must be transitioned to the 2022 edition, typically during a scheduled surveillance or recertification audit, before that date. Certificates that have not been transitioned by then expire.