What is the purpose of ISO 27001?
ISO 27001 was developed to help organizations, of any size or any industry, to protect their information in a systematic and cost-effective way, through the adoption of an Information Security Management System (ISMS).
Why is ISO 27001 important?
Not only does the standard provide companies with the necessary know-how for protecting their most valuable information, but a company can also get certified against ISO 27001 and, in this way, prove to its customers and partners that it safeguards their data.
Individuals can also get ISO 27001-certified by attending a course and passing the exam and, in this way, prove their skills to potential employers.
Because it is an international standard, ISO 27001 is easily recognized all around the world, increasing business opportunities for organizations and professionals.
What is an ISMS?
An Information Security Management System (ISMS) is a set of rules that a company needs to establish in order to:
- identify stakeholders and their expectations of the company in terms of information security
- identify which risks exist for the information
- define controls (safeguards) and other mitigation methods to meet the identified expectations and handle risks
- set clear objectives on what needs to be achieved with information security
- implement all the controls and other risk treatment methods
- continuously measure if the implemented controls perform as expected
- make continuous improvement to make the whole ISMS work better
Why do we need ISMS?
There are four essential business benefits that a company can achieve with the implementation of this information security standard:
Comply with legal requirements – there is an ever-increasing number of laws, regulations, and contractual requirements related to information security, and the good news is that most of them can be resolved by implementing ISO 27001 – this standard gives you the perfect methodology to comply with them all.
Achieve competitive advantage – if your company gets certified and your competitors do not, you may have an advantage over them in the eyes of those customers who are sensitive about keeping their information safe.
Lower costs – the main philosophy of ISO 27001 is to prevent security incidents from happening – and every incident, large or small, costs money. Therefore, by preventing them, your company will save quite a lot of money. And the best thing of all – investment in ISO 27001 is far smaller than the cost savings you’ll achieve.
Better organization – typically, fast-growing companies don’t have the time to stop and define their processes and procedures – as a consequence, very often the employees do not know what needs to be done, when, and by whom. Implementation of ISO 27001 helps resolve such situations, because it encourages companies to write down their main processes (even those that are not security-related), enabling them to reduce lost time by their employees.
Up to 80% funding is available for consultancy service fees and certification fees.
As Certified Project Management Consultants, we are recognized by Enterprise Singapore, which can fund up to 80% of the project cost through the EDG programme if you engage us now!
Our Flow Of Work
Scope determination is critical to a successful ISO-27001 certification effort. The scope needs to be broad enough to ensure that it will satisfy key stakeholders (e.g., clients, shareholders) but narrow enough to ensure the initial effort remains manageable.
Risk Assessment/Management is fundamental to an ISMS. This “information and the processes that act on it” approach yields a much more intuitive process that drives far greater value, in less time.
The risk treatment plan defines the controls required, including the necessary extent and rigor, to treat (mitigate) risk to a level that is deemed acceptable by management. It is a fundamental ISMS artifact and forms the basis/standard for the gap assessment.
Understanding the gap between the current and desired state of the Information Security Management System (e.g., ISO-27001) is a key input into a “Prioritized Roadmap” (Gap Remediation Plan).
Understanding the gap between the current and desired state of the control practices is a key input into a “Prioritized Roadmap” (Gap Remediation Plan). ISO-27002 Gap Assessments are widely used outside of ISO-27001 certification efforts as a “best security practices” gap assessment and can also be used to serve as a form of design/operational attestation.
Ideally, gap remediation will be largely accomplished by the internal team, rather than a third party (like Pivot Point Security). An internally focused approach that leverages a third party for subject matter expertise (SME) on demand, templates and artifact validation maximizes the development of organizational knowledge/expertise, ensures that key personnel are “stakeholders” in the resultant control environment, and prevents an organization from being overly reliant on a third party to operate the ISMS post certification.
Security metrics are critical to the optimal operation of an ISMS, as they are integral to demonstrating the continuous improvement principles that are inherent in most ISMSs. This service is focused on simplifying the process of measuring, reporting and hence systematically improving ISMS effectiveness.
PSPs (Policies, Standards and Procedures) form the backbone of any ISMS. Remarkably, although PSPs are the most basic elements of an ISMS, they are also one of the most complex to implement effectively. This is largely due to the comprehensive and inter-dependent nature of PSPs. Key decision points to consider before embarking on a PSP effort:
- Structure: Ideally Policies, Standards & Procedures are segregated, which simplifies ongoing administration and version management. However, most organizations combine them, which yields complexity where a particular procedure is integral to multiple Standards and/or procedures.
- Presentation: Most organizations leverage a linear document format for PSPs, which does a poor job of communicating their hierarchical nature and interdependencies. Increasingly, Wikis, SharePoints, and/or dedicated ISMS management systems are being leveraged to address this challenge.
- Audience: PSPs often have multiple audiences (e.g., employees, IT personnel, contractors, consultants, management). Audience, structure and presentation are highly inter-related and are critical to ensuring that PSPs are understood and followed. If the desired audience can’t EASILY find all of the information relevant to a particular issue they are attempting to address, a non-conformity is almost certain to occur.
- Business: The company’s size, risk/risk tolerance, internal expertise, resource availability, budget and current PSP maturity level significantly impact the effort.
- External: The regulations and external business contexts can notably impact the effort.
- Version Control: It is critical that mechanisms exist to ensure that all necessary approvals for changes are auditable, version histories are retained, and only current versions are readily accessible.
Integral to the PDCA (Plan-Do-Check-Act) model of most ISMSs is a requirement to conduct an internal audit to determine whether the control objectives, controls, processes and procedures of the ISMS:
- Conform to the requirements of ISO-27001 and relevant legislation or regulations;
- Conform to identified information security requirements;
- Are effectively implemented and maintained; and
- Perform as expected.
What are the requirements for ISO 27001?
The mandatory requirements for ISO 27001 are defined in its clauses 4 through 10 – this means that all those requirements must be implemented in an organization if it wants to be compliant with the standard. Controls from Annex A must be implemented only if declared as applicable in the Statement of Applicability.
The requirements from sections 4 through 10 can be summarized as follows:
Clause 4: Context of the organization – defines requirements for understanding external and internal issues, interested parties and their requirements, and defining the ISMS scope.
Clause 5: Leadership – defines top management responsibilities, setting the roles and responsibilities, and contents of the top-level Information Security Policy.
Clause 6: Planning – defines requirements for risk assessment, risk treatment, Statement of Applicability, risk treatment plan, and setting the information security objectives.
Clause 7: Support – defines requirements for availability of resources, competencies, awareness, communication, and control of documents and records.
Clause 8: Operation – defines the implementation of risk assessment and treatment, as well as controls and other processes needed to achieve information security objectives.
Clause 9: Performance evaluation – defines requirements for monitoring, measurement, analysis, evaluation, internal audit, and management review.
Clause 10: Improvement – defines requirements for nonconformities, corrections, corrective actions, and continual improvement.
ISO 27001 mandatory documents
ISO 27001 specifies a minimum set of policies, procedures, plans, records, and other documented information that are needed to become compliant.
ISO 27001 requires the following documents to be written:
- Scope of the ISMS (clause 4.3)
- Information Security Policy and Objectives (clauses 5.2 and 6.2)
- Risk Assessment and Risk Treatment Methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk Treatment Plan (clauses 6.1.3 e and 6.2)
- Risk Assessment Report (clause 8.2)
- Definition of security roles and responsibilities (controls A.7.1.2 and A.13.2.4)
- Inventory of Assets (control A.8.1.1)
- Acceptable Use of Assets (control A.8.1.3)
- Access Control Policy (control A.9.1.1)
- Operating Procedures for IT Management (control A.12.1.1)
- Secure System Engineering Principles (control A.14.2.5)
- Supplier Security Policy (control A.15.1.1)
- Incident Management Procedure (control A.16.1.5)
- Business Continuity Procedures (control A.17.1.2)
- Statutory, Regulatory, and Contractual Requirements (control A.18.1.1)
And these are the mandatory records:
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal Audit Program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
- Logs of user activities, exceptions, and security events (controls A.12.4.1 and A.12.4.3)
What are the 14 domains of ISO 27001?
There are 14 “domains” listed in Annex A of ISO 27001, organized in sections A.5 to A.18. The sections cover the following:
A.5. Information security policies: The controls in this section describe how to handle information security policies.
A.6. Organization of information security: The controls in this section provide the basic framework for the implementation and operation of information security by defining its internal organization (e.g., roles, responsibilities, etc.), and through the organizational aspects of information security, like project management, use of mobile devices, and teleworking.
A.7. Human resource security: The controls in this section ensure that people who are under the organization’s control are hired, trained, and managed in a secure way; also, the principles of disciplinary action and terminating the agreements are addressed.
A.8. Asset management: The controls in this section ensure that information security assets (e.g., information, processing devices, storage devices, etc.) are identified, that responsibilities for their security are designated, and that people know how to handle them according to predefined classification levels.
A.9. Access control: The controls in this section limit access to information and information assets according to real business needs. The controls are for both physical and logical access.
A.10. Cryptography: The controls in this section provide the basis for proper use of encryption solutions to protect the confidentiality, authenticity, and/or integrity of information.
A.11. Physical and environmental security: The controls in this section prevent unauthorized access to physical areas, and protect equipment and facilities from being compromised by human or natural intervention.
A.12. Operations security: The controls in this section ensure that the IT systems, including operating systems and software, are secure and protected against data loss. Additionally, controls in this section require the means to record events and generate evidence, periodic verification of vulnerabilities, and precautions to prevent audit activities from affecting operations.
A.13. Communications security: The controls in this section protect the network infrastructure and services, as well as the information that travels through them.
A.14. System acquisition, development and maintenance: The controls in this section ensure that information security is taken into account when purchasing new information systems or upgrading the existing ones.
A.15. Supplier relationships: The controls in this section ensure that outsourced activities performed by suppliers and partners also use appropriate information security controls, and they describe how to monitor third-party security performance.
A.16. Information security incident management: The controls in this section provide a framework to ensure the proper communication and handling of security events and incidents, so that they can be resolved in a timely manner; they also define how to preserve evidence, as well as how to learn from incidents to prevent their recurrence.
A.17. Information security aspects of business continuity management: The controls in this section ensure the continuity of information security management during disruptions, and the availability of information systems.
A.18. Compliance: The controls in this section provide a framework to prevent legal, statutory, regulatory, and contractual breaches, and audit whether information security is implemented and is effective according to the defined policies, procedures, and requirements of the ISO 27001 standard.
A closer look at these domains shows us that managing information security is not only about IT security (i.e., firewalls, anti-virus, etc.), but also about managing processes, legal protection, managing human resources, physical protection, etc.