Neumetric

The ISO 27001 Standard for Your Organization

When it comes to keeping information assets secure, ISO 27001 is the international standard, published by the International Organization for Standardization [ISO], that many organizations look to. Initially developed from the British standard BS 7799-2, it describes how to manage Information Security in an organization. The first revision of the standard was published in 2005, the next revision was published in 2013 and the latest revision (specifically a European version) was done in 2017, making it ISO/IEC 27001:2017.

A common misconception is that ISO 27001 is only for “large” organizations; this is neither true nor helpful. This international standard can be implemented in any kind of organization, small or large, private or state-owned, profit or non-profit. The world’s leading experts in the field of information security have written this Standard. It provides a methodology for the implementation of an Information Security Management System [ISMS] in an organization and enables it to become certified. This means that an independent Certifying Body has validated & confirmed that the organization has implemented an ISMS that is compliant with ISO 27001. Today, ISO 27001 has become the most popular information security standard globally and many organizations are certified against it.

How does ISO 27001 Work?

ISO 27001 aims at protecting the Confidentiality, Integrity and Availability, commonly known as the “CIA Triad”, of the information in a business. This is done by finding out what possible problems can impact the security of information, a process which is called “Risk Assessment”, and then describing what needs to be done to prevent them, which is called “Risk Treatment” or “Risk Mitigation”. This is why it is commonly & rightly perceived that the main philosophy of ISO 27001 is based on the concept of “managing risks”. It helps an organization find out where the risks exist and how they should be treated systematically.

The controls that should be implemented take the form of Policies, Procedures, Processes, Tracking, Monitoring and Technical Implementation such as modifications to equipment and software. In many scenarios, organizations already have the ISMS software and hardware in place, but they use them in an insecure manner; hence, the majority of ISO 27001 implementations are about setting the organizational rules that are necessary to prevent security breaches. Since such an implementation needs multiple Policies, Procedures, Processes, People and Assets to be managed, ISO 27001 has defined how to fit all these elements together in the ISMS. So, managing information security is not only about Antivirus and Firewalls; it is about managing processes, managing human resources, legal protection, physical protection and much more.

What makes ISO 27001 Good for Your Organization?

An organization can achieve the following four (4) essential business benefits with the implementation of ISO 27001 Standard:

  1. Adherence to Legal Requirements: There are several regulations, laws and contractual requirements associated with information security, and most of them can be addressed by implementing ISO 27001. It provides the perfect model to comply with them all.
  2. Lower Costs: The idea behind the ISO 27001 standard is to prevent security incidents from occurring, since every incident, small or large, costs the organization money. Hence, by preventing them, an organization can save a lot of money. The investment in ISO 27001 certification is comparatively smaller than the cost savings you will achieve.
  3. Achieving Marketing Advantage: If your organization obtains the ISO 27001 certification while your competitors do not, you will have an advantage over them in the eyes of your Clients & Customers, who are sensitive about keeping their information safe.
  4. Better Organization: Usually, fast-growing organizations do not have time to stop and define their procedures and processes. As a result, very often Employees do not know what needs to be done, who will do it and when it should be done. ISO 27001 implementation helps resolve such situations, since it encourages organizations to write down their main processes and enables them to reduce the lost time of their workforce.

Neumetric, a cybersecurity services, consulting & product company, recommends that information security should be a part of an organization’s overall risk management with an overlap with IT, ISMS security, operations and business continuity.

ISO 27001 Standard

ISO 27001 contains 11 Clauses and an Annex A. Clauses 0 to 3 are not mandatory for implementation since they are introductory in nature. Clauses 4 to 10 are mandatory, which means all their requirements must be implemented in an organization if it wishes to be compliant with the Standard. Controls from Annex A should be implemented only if confirmed as applicable in the Statement of Applicability.

  • Clause 0: Introduction: Defines the purpose of ISO 27001 and its compatibility with other management standards.
  • Clause 1: Scope: Defines that the standard is applicable to any organization.
  • Clause 2: Normative References: Introduces ISO/IEC 27000 as the standard where terms and definitions are provided.
  • Clause 3: Terms and Definitions: Introduces ISO/IEC 27000.
  • Clause 4: Context of the Organization: It is a part of the Plan phase in the Plan-Do-Check-Act [PDCA] cycle that defines requirements for understanding internal and external issues, interested parties and their requirements, along with describing the ISMS scope.
  • Clause 5: Leadership: This Clause describes top management responsibilities, setting the roles, and the contents of the top-level Information Security Policy.
  • Clause 6: Planning: It describes the requirements for risk assessment, risk treatment, the Statement of Applicability, the risk treatment plan, and setting the objectives of information security.
  • Clause 7: Support: It describes the requirements for availability of resources, awareness, competences, communication, and control of documents and records.
  • Clause 8: Operation: It is a part of the Do phase in the PDCA cycle that determines the implementation of risk assessment and treatment, along with controls and other processes required to achieve information security objectives.
  • Clause 9: Performance Evaluation: It is a part of the Check phase in the PDCA cycle. It describes the requirements for measurement, monitoring, evaluation, analysis, internal audit and management review.
  • Clause 10: Improvement: This is a part of the Act phase that defines requirements for corrections, nonconformities, corrective actions and continual improvement.
  • Annex A: It provides a catalogue of 114 Controls grouped into 14 Control Sets (A.5 to A.18), which are based on the reference standard ISO 27002.

According to Annex SL of the ISO/IEC Directives of the International Organization for Standardization, the Clause titles in ISO 27001 are the same as in ISO 22301:2012, in the new ISO 9001:2015, and in other management standards. This enables easier integration of these standards.

Implementing ISO 27001 Standard

You need to follow these steps to implement the ISO 27001 standard in your organization:

  1. Obtain the support of your Top Management.
  2. Use a Project Management methodology.
  3. Define the scope of your ISMS.
  4. Prepare the top-level Information Security Policy.
  5. Describe the Statement of Applicability.
  6. Define the Risk Assessment Methodology.
  7. Perform a Risk Assessment.
  8. Define the Risk Treatment Plan.
  9. Treat the identified Risks.
  10. Describe how you will measure the effectiveness of your controls and the ISMS.
  11. Implement all applicable Controls and Procedures.
  12. Execute training and awareness programs for information security.
  13. Perform daily operations as defined by the ISMS documentation.
  14. Monitor and measure the ISMS.
  15. Perform an Internal Audit.
  16. Perform Management Review to keep your Top Management updated about the ISMS.
  17. Enforce corrective actions as necessary.

Obtaining ISO 27001 Certification

Organizations can obtain their ISMS certification by proving that they are compliant with all the mandatory Clauses of the ISO 27001 Standard.

The Certification Audit is performed by an accredited “Certifying Body”. The certification audit, which is known as the “External Audit”, is performed in three Stages.

  1. Stage 1 Audit: This covers the Documentation review, where the Auditor reviews the ISMS documentation.
  2. Stage 2 Audit: This is the stage where an Auditor conducts an onsite audit to check whether all the activities in an organization are compliant with ISO 27001 and the ISMS documentation or not.
  3. Stage 3 Audit: This stage refers to Surveillance visits. Once the ISO 27001 Certificate is issued, during its 3-year validity, the Auditor will check whether the organization is maintaining its ISMS or not.

Neumetric, a cyber security services, consulting & products organization, can help you reduce your security cost without compromising your security posture. Our years of in-depth experience in handling security for organizations of all sizes & in multiple industries make it easier for us to quickly cut activities that do not bring value to you, while you continue focusing on the business objectives of the Organization.
