ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information risks (called ‘information security risks’ in the standard). The ISMS is an overarching management framework through which the organization identifies, analyzes and addresses its information risks. The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts – an important aspect in such a dynamic field, and a key advantage of ISO27k’s flexible risk-driven approach as compared to, say, PCI-DSS.
The standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profits), all sizes (from micro-businesses to huge multinationals), and all industries or markets (e.g. retail, banking, defense, healthcare, education and government). This is clearly a very wide brief.
ISO/IEC 27001 does not formally mandate specific information security controls since the controls that are required vary markedly across the wide range of organizations adopting the standard. The information security controls from ISO/IEC 27002 are noted in annex A to ISO/IEC 27001, rather like a menu. Organizations adopting ISO/IEC 27001 are free to choose whichever specific information security controls are applicable to their particular information risks, drawing on those listed in the menu and potentially supplementing them with other a la carte options (sometimes known as extended control sets). As with ISO/IEC 27002, the key to selecting applicable controls is to undertake a comprehensive assessment of the organization’s information risks, which is one vital part of the ISMS.
Furthermore, management may elect to avoid, transfer or accept information risks rather than mitigate them through controls – a risk treatment decision within the risk management process.
Structure of the standard
ISO/IEC 27001:2013 has the following sections:
0. Introduction – the standard describes a process for systematically managing information risks.
1. Scope – it specifies generic ISMS requirements suitable for organizations of any type, size or nature.
2. Normative references – only ISO/IEC 27000 is considered absolutely essential to users of ’27001: the remaining ISO27k standards are optional.
3. Terms and definitions – see ISO/IEC 27000.
4. Context of the organization – understanding the organizational context, the needs and expectations of ‘interested parties’ and defining the scope of the ISMS. Section 4.4 states very plainly that “The organization shall establish, implement, maintain and continually improve” the ISMS.
5. Leadership – top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.
6. Planning – outlines the process to identify, analyze and plan to treat information risks, and clarify the objectives of information security.
7. Support – adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.
8. Operation – a bit more detail about assessing and treating information risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).
9. Performance evaluation – monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system, systematically improving things where necessary.
10. Improvement – address the findings of audits and reviews (e.g. nonconformities and corrective actions), make continual refinements to the ISMS.
Annex A Reference control objectives and controls – little more in fact than a list of titles of the control sections in ISO/IEC 27002. The annex is ‘normative’, implying that certified organizations are expected to use it, but the main body says they are free to deviate from or supplement it in order to address their particular information risks. Annex A alone is hard to interpret. Please refer to ISO/IEC 27002 for more useful detail on the controls, including implementation guidance.
Bibliography – points readers to five related standards, plus part 1 of the ISO/IEC directives, for more information. In addition, ISO/IEC 27000 is identified in the body of the standard as a normative (i.e. essential) standard and there are several references to ISO 31000 on risk management.
Mandatory requirements for certification
ISO/IEC 27001 is a formalized specification for an ISMS with two distinct purposes:
It lays out the design for an ISMS, describing the important parts at a fairly high level;
It can (optionally) be used as the basis for formal compliance assessment by accredited certification auditors in order to certify an organization compliant.
The following mandatory documentation is explicitly required for certification:
ISMS scope (as per clause 4.3)
Information security policy (clause 5.2)
Information risk assessment process (clause 6.1.2)
Information risk treatment process (clause 6.1.3)
Information security objectives (clause 6.2)
Evidence of the competence of the people working in information security (clause 7.2)
Other ISMS-related documents deemed necessary by the organization (clause 7.5.1b)
Operational planning and control documents (clause 8.1)
The results of the [information] risk assessments (clause 8.2)
The decisions regarding [information] risk treatment (clause 8.3)
Evidence of the monitoring and measurement of information security (clause 9.1)
The ISMS internal audit program and the results of audits conducted (clause 9.2)
Evidence of top management reviews of the ISMS (clause 9.3)
Evidence of nonconformities identified and corrective actions arising (clause 10.1)
Various others: Annex A mentions but does not fully specify further documentation including the rules for acceptable use of assets, access control policy, operating procedures, confidentiality or non-disclosure agreements, secure system engineering principles, information security policy for supplier relationships, information security incident response procedures, relevant laws, regulations and contractual obligations plus the associated compliance procedures and information security continuity procedures. However, despite Annex A being normative, organizations are not formally required to adopt and comply with Annex A: they can use other structures and approaches to treat their information risks.
Certification auditors will almost certainly check that these fifteen types of documentation are (a) present, and (b) fit for purpose.
The standard does not specify precisely what form the documentation should take, but section 7.5.2 talks about aspects such as the titles, authors, formats, media, review and approval, while 7.5.3 concerns document control, implying a fairly formal ISO 9000-style approach. Electronic documentation (such as intranet pages) are just as good as paper documents, in fact better in the sense that they are easier to control and update.