Get it for FREE
What is ISO/IEC 27001?
ISO 27001 is the leading international standard focused on information security. It was published by the International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC).
ISO/IEC 27001 is the world’s best-known standard for information security management systems (ISMS). It defines the requirements an ISMS must meet.
Conformity with ISO/IEC 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the company, and that the system respects all the best practices and principles enshrined in this International Standard.
The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining, and continually improving an information security management system.
What is information security management systems (ISMS)?
ISMS is a systematic approach for managing and protecting a company’s information. ISO 27001 provides a framework to help organizations of any size or any industry to protect their information in a systematic and cost-effective way: through the adoption of an Information Security Management System (ISMS). It is a framework of policies and procedures for systematically managing an organization’s sensitive data.
Why do we need an ISMS?
Some of the benefits of implementing an efficient Information Security Management System (ISMS) are highlighted below:
- Safeguard confidentiality, integrity, and availability of data.
An efficient ISMS offers a set of policies and technical and physical controls to help protect the confidentiality, integrity, and availability of data of the organization. ISMS secures all forms of information, including:
- Paper-based information
- Intellectual property
- Personal information
- Digital information
- Data on devices and in the Cloud
- Company secrets
- Hard copies
- Meet regulatory compliance.
ISMS helps organizations meet all regulatory compliance and contractual requirements and provides a better grasp on the legalities surrounding information systems. Since violations of legal regulations come with hefty fines, having an ISMS can be especially beneficial for highly regulated industries with critical infrastructures, such as finance or healthcare. A correctly implemented ISMS can help businesses work towards gaining full ISO 27001 certification.
- Security threat response.
Due to its ability to monitor and analyze, ISMS reduces the threat associated with continually evolving risks. It enables security teams to continuously adapt to changes in the threat landscape and internal changes within your organization.
- Reduces security-related costs.
An ISMS offers a thorough risk assessment of all assets. This enables organizations to prioritize the highest-risk assets to prevent indiscriminate spending on unneeded defenses and provide a focused approach toward securing them. This structured approach, along with less downtime due to a reduction in security incidents, significantly cuts an organization’s total spending.
- Improves company work culture.
The standard holistic approach of ISMS not only covers the IT department but the entire organization, including the people, processes, and technologies. This enables employees to understand security risks and include security controls as a part of their routine activity.
- Gain competitive advantage.
ISO 27001 certification demonstrates commitment towards keeping data secure. This offers an edge over competitors to provide trust to customers.
Why is ISO/IEC 27001 important?
ISO 27001 can be applicable to businesses of all sizes and ensures that organizations are identifying and managing risks effectively, consistently, and measurably.
With cyber-crime on the rise and new threats constantly emerging, it can seem difficult or even impossible to manage cyber-risks. ISO/IEC 27001 helps organizations become risk-aware and proactively identify and address weaknesses. It helps global businesses establish, organize, implement, monitor, and maintain their information security management systems.
ISO/IEC 27001 promotes a holistic approach to information security: vetting people, policies, and technology. An information security management system implemented according to this standard is a tool for risk management, cyber-resilience, and operational excellence.
Get it for FREE
What is ISO 27002?
ISO 27002 provides a reference set of generic information security controls including implementation guidance. This document is designed to be used by organizations:
- Within the context of an information security management system (ISMS) based on ISO/IEC27001
- For implementing information security controls based on internationally recognized best practices
- For developing organization-specific information security management guidelines
It is a supplementary standard that focuses on the information security controls that organizations might choose to implement. Controls of ISO 27002 are listed in “Annex A” of ISO 27001.
What are the three guiding principles of ISO 27001?
The ISO 27001 standard aims to secure people, processes, and technology via three main guiding principles: confidentiality, integrity, and availability (commonly referred to as the C-I-A triad).
- Confidentiality translates to data and systems that must be protected against unauthorized access from people, processes, or unauthorized applications. This involves use of technological controls like multifactor authentication, security tokens, and data encryption.
Confidentiality means only the right people can access the information held by the organization.
Risk example: Criminals obtain client login details and sell them on the Darknet.
- Integrity means verifying the accuracy, trustworthiness, and completeness of data. It involves use of processes that ensure data is free of errors and manipulation, such as ascertaining if only authorized personnel has access to confidential data.
Information integrity means data that the organization uses to pursue its business or keep safe for others is reliably stored and not erased or damaged.
Risk example: A staff member accidentally deletes a row in a file or database during processing.
- Availability typically refers to the maintenance and monitoring of information security management systems (ISMSs). This includes removing any bottlenecks in security processes, minimizing vulnerabilities by updating software and hardware to the latest firmware, boosting business continuity by adding redundancy, and minimizing data loss by adding back-ups and disaster recovery solutions.
Availability of data means the organization and its clients can access the information whenever it is necessary so that business purposes and customer expectations are satisfied.
Risk example: enterprise database goes offline because of server problems and insufficient backup.
An information security management system that meets the requirements of ISO/IEC 27001 preserves the confidentiality, integrity, and availability of information by applying a risk management process. It gives confidence to interested parties that risks are adequately managed.
Who needs ISO/IEC 27001?
In today’s digital economy, almost every business is exposed to data security risks. And these risks can potentially have very serious consequences for your business, from reputational damage to legal issues. Any business needs to think strategically about its information security needs, and how they relate to company objectives, processes, size, and structure. The ISO/IEC 27001 standard enables organizations to establish an information security management system and apply a risk management process that is adapted to their size and needs, and scale it as necessary as these factors evolve.
While information technology (IT) is the industry with the largest number of ISO/IEC 27001- certified enterprises, the benefits of this standard have convinced companies across all economic sectors, including but not limited to services and manufacturing, as well as the primary sector: private, public and non-profit organizations.
ISO 27001 is a globally recognized data security standard. To become ISO 27001 certified, a company must develop the appropriate Information Security Management System (ISMS) and undergo an independent audit. Companies that adopt the holistic approach described in ISO/IEC 27001 ensure that information security is built into organizational processes, information systems, and management controls. Because of it, such organizations gain efficiency and often emerge as leaders within their industries.
How will ISO/IEC 27001 benefit my organization?
Implementing the information security framework specified in the ISO/IEC 27001 standard helps you:
- Reduce your vulnerability to the growing threat of cyber-attacks.
- Respond to evolving security risks.
- Ensure that assets such as financial statements, intellectual property, employee data, and information entrusted by third parties remain undamaged, confidential, and available as needed.
- Provide a centrally managed framework that secures all information in one place.
- Prepare people, processes and technology throughout your organization to face technology-based risks and other threats.
- Secure information in all forms, including paper-based, cloud-based and digital data.
- Save money by increasing efficiency and reducing expenses for ineffective defense technology.
How many controls are there in ISO 27001?
The ISO 27001:2022 Annex A has list of 93 controls organized into four sections numbered A.5 through A.8.
How do you implement ISO 27001 controls?
Organizational (Annex A section A.5)
Organizational controls cover information security policies, asset use, and cloud service use.
People (Annex A section A.6)
With only eight total controls, this theme deals with remote work, confidentiality, nondisclosures, and screening to help manage the way employees interact with sensitive information in their day-to-day roles. Controls include onboarding and offboarding processes and responsibilities for incident reporting.
Physical (Annex A section A.7)
Physical controls cover security monitoring, maintenance, facilities security, and storage media. This category focuses on how you are protecting against physical and environmental threats such as natural disasters, theft, and intentional destruction.
Technological (Annex A section A.8)
Technological controls deal with authentication, encryption, and data leakage prevention. This category focuses on properly securing technology through various approaches, including access rights, network security, and data masking.
What Are the Control Attributes in ISO 27001:2022?
Control attributes are a new addition to the standard introduced in ISO 27001:2022. These five attributes are intended to help easily classify and group the controls based on what makes sense to their organization and security needs. ISO 27002:2022 (which provides guidance for how to implement controls outlined in ISO 27001) states in section 4.2 Themes and Attributes:
The five attributes are:
- Control type: preventative, detective, corrective
- Operational capabilities: governance, asset management, information protection, human resource security, etc.
- Security domains: governance and ecosystem, protection, defence, resilience
- Cybersecurity concepts: identify, protect, detect, respond, recover
- Information security properties: confidentiality, integrity, availability
Is ISO 27001 the same as ISO/IEC 27001?
Even though it is sometimes referred to as ISO 27001, the official abbreviation for the International Standard on requirements for information security management is ISO/IEC 27001. That is because it has been jointly published by ISO and the International Electrotechnical Commission (IEC). The number indicates that it was published under the responsibility of Subcommittee 27 (on Information Security, Cybersecurity, and Privacy Protection) of ISO’s and IEC’s Joint Technical Committee on Information Technology (ISO/IEC JTC 1).
What is ISO/IEC 27001 certification and what does it mean to be certified to ISO 27001?
Certification to ISO/IEC 27001 is one way to demonstrate to stakeholders and customers that you are committed and able to manage information securely and safely. Holding a certificate issued by an accreditation body may bring an additional layer of confidence, as an accreditation body has provided independent confirmation of the certification body’s competence. If you wish to use a logo to demonstrate certification, contact the certification body that issued the certificate.
As with other ISO management system standards, companies implementing ISO/IEC 27001 can decide whether they want to go through a certification process. Some organizations choose to implement the standard in order to benefit from its protection, while others also want to get certified to reassure customers and clients.
How is ISO 27001:2022 structured?
ISO 27001 can very broadly be broken into two components:
1. Clauses: ISO 27001 has a list of standards called clauses that define the core processes for building out your ISMS from an organizational and leadership perspective. These 11 clauses are further divided into subsections called “requirements” that break the clauses down into more concrete steps.
Clauses 0 to 3 of the main part of the standard (Introduction, Scope, Normative references, Terms and definitions) serve as an introduction to the ISO 27001 standard. Clauses 4 to 10, which provide the ISO 27001 requirements, are mandatory if the company wants to be compliant with the standard. Clauses 4 to 10 are examined in more detail later in this article.
The 10 clauses of ISO 27001 include:
- Terms and definitions
- Process approach impact
- Plan-Do-Check-Act cycle
- Context of the organization
- Performance evaluation
2. Controls: ISO 27001 has a section called Annex A that lists the physical, logical, and environmental security controls that organizations must put into place in order to be ISO 27001 compliant. Among additions in ISO 27001:2022 are new control groups (categories that ISO uses to segment controls into sections) and new additional controls. Data leakage prevention is among one of the new controls specifically added to ISO 27001 and is required to be in place by 2025.
ISO 27001:2022 has 93 controls grouped into 14 control categories. This is a substantial change from ISO 27001:2013’s 114 controls that were divided into 14 different control categories. Following are the control categories with new controls for ISO 27001:2022 listed as sub-bullets under the appropriate category:
Organizational (37 total controls)
- 5.23 Information security for use of cloud services
- 5.30 ICT readiness for business continuity
- 5.7 Threat Intelligence
People (8 total controls)
Physical (14 total controls)
- 7.4 Physical security monitoring
Technological (34 total controls)
- 8.1 Data masking
- 8.9 Configuration management
- 8.10 Information deletion
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
What are the requirements for ISO 27001?
The requirements from clauses 4 through 10 are as follows:
ISO 27001 Clause 4 Context of Organization
The context of organization controls look at demonstrating that you understand the organization and its context. That you understand the needs and expectations of interested parties and have determined the scope of the information security management system. External and internal issues, as well as interested parties, need to be identified and considered. Requirements may include regulatory issues, but they may also go far beyond.
ISO 27001 Clause 5 Leadership
ISO 27001 wants top-down leadership and to be able to show evidence demonstrating leadership commitment. It requires Information Security Policies that outline procedures to follow. Objectives must be established according to the strategic direction and goals of the organization. Providing resources needed for the ISMS, as well as supporting persons and contributions to the ISMS, are other examples of obligations to meet. Roles and responsibilities need to be assigned, too, to meet the requirements of the ISO 27001 standard and report on the performance of the ISMS.
ISO 27001 Clause 6 Planning
Planning addresses actions to address risks and opportunities. ISO 27001 is a risk-based system so risk management is a key part, with risk registers and risk processes in place. Accordingly, information security objectives should be based on the risk assessment. These objectives need to be aligned with the company’s overall objectives, and they need to be promoted within the company because they provide the security goals to work toward for everyone within and aligned with the company. From the risk assessment and the security objectives, a risk treatment plan is derived based on controls listed in Annex A.
ISO 27001 Clause 7 Support
Education and awareness are established and a culture of security is implemented. A communication plan is created and followed. Another requirement is documenting information according to ISO 27001. Information needs to be documented, created, and updated, as well as controlled. A suitable set of documentation, including a communications plan, needs to be maintained in order to support the success of the ISMS. Resources are allocated and competency of resources is managed and understood. What is not written down does not exist, so standard operating procedures are documented and documents are controlled.
ISO 27001 Clause 8 Operation
Operations are managed and controlled, and risk assessments undertaken.
ISO 27001 Clause 9 Performance Evaluation
Monitors and measures, along with the processes of analysis and evaluation, are implemented. As part of continual improvement, audits are planned and executed and management reviews are undertaken following structured agendas.
ISO 27001 Clause 10 Improvement
The ability to adapt and continually improve is foundational to the ISO 27001 standard. Nonconformities need to be addressed by taking action and eliminating their causes.
Annex A (normative) Information security controls reference
This Annex provides a list of 93 safeguards (controls) that can be implemented to decrease risks and comply with security requirements from interested parties. The controls that are to be implemented must be marked as applicable in the Statement of Applicability.
What are mandatory documents for ISO 27001 certification?
Here is the list of mandatory documents and records:
- ISMS Scope document
- Information Security Policy
- Risk Assessment Report
- Statement of Applicability
- Internal Audit Report
Is ISO 27001 mandatory?
Compliance with ISO 27001 is not mandatory in most countries. Mandates are generally determined by regulatory authorities of respective countries or business partners. Beyond government regulation, some business entities ask for ISO 27001 compliance and/or ISO 27001 certification to ensure all shared information remains secure.
Even if it is not mandatory, IT-enabled businesses can at least build confidence in their product by demonstrating to their customers, partners, and investors their commitment to securing customer data.
What are the ISO 27000 standards?
The ISO 27000 family of information security management standards are a series of mutually supporting information security standards that can be combined to provide a globally recognized framework for best-practice information security management. As it defines the requirements for an ISMS, ISO 27001 is the main standard in the ISO 27000 family of standards. The ISO 27000 family of standards is broad in scope and is applicable to organizations of all sizes and in all sectors. As technology continually evolves, new standards are developed to address the changing requirements of information security in different industries and environments.
What are ISO 27001 supporting standards?
Following are the most used standards in the 27K series that support ISO 27001:
- ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls  ISO/IEC 27003, Information technology — Security techniques — Information security management systems — Guidance  ISO/IEC 27004, Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation
- ISO/IEC 27005, Information technology — Security techniques — Information security risk management
- ISO/IEC 27007, Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing
- ISO/IEC 27011, Information technology — Security techniques — Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations
- ISO/IEC 27017, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
- ISO/IEC 27018, Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
- ISO/IEC 27019, Information technology — Security techniques — Information security controls for the energy utility industry
- ISO/IEC 27031, Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity
- ISO/IEC 27033 (all parts), Information technology — Security techniques — Network security
- ISO/IEC 27034 (all parts), Information technology — Application security
- ISO/IEC 27035 (all parts), Information technology — Security techniques — Information security incident management
- ISO/IEC 27036 (all parts), Information technology — Security techniques — Information security for supplier relationships
- ISO/IEC 27037, Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence
- ISO/IEC 27040, Information technology — Security techniques — Storage security
- ISO/IEC 27050 (all parts), Information technology — Electronic discovery
- ISO/IEC TS 27110, Information technology, cybersecurity and privacy protection — Cybersecurity framework development guidelines
- ISO/IEC 27701, Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines
- ISO 27799, Health informatics — Information security management in health using ISO/IEC 27002
- ISO/IEC 27555, Information security, cybersecurity and privacy protection — Guidelines on personally identifiable information deletion