Guide to ISO 27001 Requirements and Certification Process
By Mark Bird, Date published: 2021-03-05
In this article, we talk about the ISO 27001 certification process and requirements. If stakeholders in your organisation are contemplating whether to take ISO 27001 or SOC2, read this article we published previously that compares the two security compliance frameworks.
ISO 27001 is an information security management certification. The certification centres around an organisation’s risk management processes such as risk assessment, treatment, and acceptance.
An ISO 27001 implementation generally consists of two aspects. The first one being the ISO 27001 information security management system requirements. The second aspect involves the security controls that are used to treat risk. These security controls are found in Annex A of ISO 27001. Alternatively, a more detailed version is also found in ISO 27002.
ISO 27001 Information Security Management Requirements
The management requirements for ISO 27001 consist of six main domains. These management requirements are generally non-technical in nature and are mostly related to policies and procedures. The policies and procedures demonstrate how the organisation plans and manages its information security management system. This includes, but is not limited to, topics like resourcing, operations, and performance evaluation.
At the crux of the standard is the risk management process. Risk management ensures that organisations can identify, analyse, treat and accept risk. The organisation should have documented all processes and procedures relating to risk management. Additionally, the risk management processes should all be aligned with each other. For example, an organisation who has implemented security controls should understand why those controls are implemented and what risk the security controls are intended to mitigate. These decision-making processes must be documented.
Once the information security management system and associated risk management processes are well-defined and documented, the organisation can start formalizing its risk treatment methods. This includes the selection of security controls to treat specific risks as well as the establishment of a security controls baseline.
ISO 27002 Code of Practice for Information Security Controls
ISO 27002 is the baseline security controls that ISO 27001 recommends organisations should implement. Simply put it, it’s a set of measures to help treat risk. Treating risk basically means either:
- Using security controls to either reduce the likelihood of the risk materializing or;
- Reducing the impact that the risk would have on the organisation.
For example, endpoint protection solutions make it difficult for malicious users to conduct malicious activities on systems. Thus, reducing the likelihood of a full system compromise. Whereas the encryption of sensitive data greatly reduces the impact of a data breach as, without the keys, the malicious attacker would not be able to decrypt the sensitive information.
If necessary, organisations should augment these baseline security controls with other security controls to treat any specific risk that would otherwise not be covered. In total, ISO 27002 has a baseline set of 14 domains containing 114 security controls. The domains are:
- Information security policies
- Organisation of information security
- Human resource security
- Asset management
- Access control
- Physical environmental security
- Operations security
- Communications security
- System acquisition, development, and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
Implementation and Certification Process
The ISO 27001 implementation generally starts with a scoping exercise to determine the controls or requirements that are not relevant to the organisation. Controls or requirements can be irrelevant for many reasons. For example, the organisation might not have a physical office, hence, any security controls regarding physical offices can possibly be out of scope. This ensures that the organisation is not audited for security controls and requirements that are irrelevant. Typically, a gap analysis is also conducted alongside the scoping exercise. The gap analysis identifies ISO 27001 security controls or requirements that are deficient in the organisation. These security controls and requirements are either not implemented at all or implemented in such a way that does not fulfil ISO 27001 requirements. The outputs of this gap analysis and scope exercise are a Statement of Applicability and gap analysis report.
Next, the organisation must implement processes, procedures or security controls in the organisation to ensure that the ISO 27001 requirements are met. These processes, procedures and security controls can range from a security governance council to the implementation of technical controls like firewalls.
If your organisation is relatively new to technology risk management, engaging a consultancy will help tremendously with the implementation. The consultants should have a library of toolkits and guidelines to help the implementation process. If necessary, they can do the technical implementation of security controls.
Lastly, once all the requirements and security controls are implemented, the organisation can separately engage an external certification body to do the audit. Audit activities include interviewing key stakeholders in the organisation, requesting access to key documentation or even conducting technical verification tests. If all goes well, the organisation will be given an ISO 27001 certification which is valid for three years.
The information security management requirements in ISO 27001 ensures that organisations have the processes to properly identify and assess information security risk in their organisations while the Code of Practice for Information Security Controls in 27002 provides organisations with a set of security controls with which they can reduce the likelihood or business impact of a risk materialising. Additionally, the organisation should continuously monitor the effectiveness of security controls with metrics to ensure that the controls remain effective as the threat landscape changes.
As the cyber landscape continues to evolve with the sophistication of threat actors, this continuous process of risk management and risk treatment will help secure the organisation and its digital assets from threat actors.
Pragma is a cybersecurity consultancy with global headquarters in Singapore, Australia, Vietnam and the UK. Our strong partnerships and investment in an experienced team are demonstrated in these four solutions; Cyber and Regulatory Consultancy, Incident Response, Cloud Security and Security Testing. Pragma provides full ISO 27001 implementation services for organisations who want a smooth sailing process from the start guided by professionals. Feel free to contact us at email@example.com for a free consultation.
This article does not constitute legal advice.
The opinions expressed in the column above represent the author’s own.