The Ultimate Manual To ISO/IEC 27001
In the world of information security management systems (ISMS), ISO/IEC 27001 is a widely-known standard. It helps organizations of all sizes improve the security of assets related to intellectual property, financials, employee information, and other sensitive data. If you’re ready to implement ISO/IEC 27001 in your company, this guide will teach you how.
What is ISO/IEC 27001 Anyway?
ISO/IEC 27001 is a globally recognized standard for information security management.
The standard was originally published in 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The same organizations revised it in 2013.
In short, ISO/IEC 27001 was created to help businesses of all sizes improve data security by adopting an ISMS (information security management system). This globally recognized, systematic standard applies to organizations across all industries.
ISO/IEC 27001 does more than just provide businesses with the formula for protecting sensitive data. Organizations can also be ISO/IEC 27001 certified as a way of proving to customers and partners alike that their data is safeguarded properly.
It’s worth noting that the ISO/IEC 27001 does not require specific solutions, tools, or methods for data security. Instead, the ISO/IEC 27001 standards act as the framework for all policies and processes within an ISMS as it pertains to how data is used and controlled.
How ISO/IEC 27001 Works
The primary focus of ISO/IEC 27001 is to protect three main aspects of information within a company—confidentiality, integrity, and availability.
Organizations must set up an ISMS where only authorized individuals can access sensitive information (confidentiality) and only authorized users can change the information (integrity). The availability component of this standard means that the information must be available to authorized individuals whenever it’s needed.
This is accomplished through risk assessment and mitigation. Once the risks have been identified, a company must select specific security controls to treat them.
As per the ISO/IEC 27001 standards, companies must create a document called the “Statement of Applicability” to define the controls that will be implemented for information security.
To fully comprehend how ISO/IEC 27001 works, you need to understand the basics of an ISMS—information security management system.
An ISMS is essentially a set of rules that an organization must establish to achieve the following:
- Identify risks to the information
- Identify stakeholder expectations as it relates to information security
- Define clear objectives on what must be accomplished with information security
- Determine what safeguards, controls, and mitigation methods can meet expectations
- Execute the risk prevention methods for information security
- Monitor and measure whether or not the standards are performing as intended
- Continue making improvements to the entire information security system
These rules can be formally identified as documents, procedures, and policies. ISO/IEC 27001 explains which documents must be created for minimum compliance.
Let’s take a look at how some real organizations in different sectors are using ISO/IEC 27001 to improve the way information security is handled.
Example 1: The University of Tampa
The University of Tampa is a private mid-sized educational institution with a primary focus on liberal arts and business. As the university experienced an increase in enrollments and expansion, the organization set out to improve data security practices.
UT achieved an ISO/IEC 27001 certification for the first time in 2015.
Tammy Clark, UT’s vice president of information technology and security, used ISO/IEC 27001 to realign the staff’s roles and responsibilities for data security. These were outlined in everyone’s job descriptions and monitored in an annual evaluation.
Here are some examples of how the ISMS is used at the university:
- Technology software vendors must comply with a risk assessment questionnaire and provide evidence of data encryption, certification, and audits.
- Multi-factor authentication is required for enterprise applications used off-campus.
- Student security awareness ambassadors are appointed on campus.
- All full-time and part-time faculty must complete an online training module related to their individual roles and responsibilities.
The implementation of these information security standards helped decrease phishing incidents and increased data protection capabilities. It also created more of a security awareness culture university-wide.
Example 2: Amazon Web Services (AWS)
AWS is a cloud computing service provider. It’s a global leader trusted by big brands like Netflix, Kellogg’s, GE, Intuit, and more.
Amazon Web Services maintains an ISO/IEC 27001 certification and applies these standards to its information security management system. The ISMS defines how AWS manages data security with a comprehensive and holistic approach.
AWS systematically evaluates security risks and measures the potential threats associated with all vulnerabilities. They’ve created a suite of information security procedures to mitigate risks associated with their customers and system architecture as well.
The organization takes proactive steps to ensure information security controls are managed on an ongoing basis.
By complying with ISO/IEC 27001 standards and maintaining certification, AWS is a global leader in its industry.
Example 3: RS Software
RS Software is an India-based company in the electronic payments industry. This is obviously an industry where proper information security is a top priority.
Prior to implementing ISO/IEC 27001 standards, RS Software had some gaps in its data security protocols. More specifically, paperwork, proprietary knowledge, and other non-IT assets were vulnerable.
The organization used ISO/IEC 27001 to reinvent an information security management system. Today, they’ve officially implemented 132 of the 133 controls recommended by ISO/IEC 27001. According to the company’s general manager for quality and benchmarking, physical security and business continuity have both been beefed up after implementing an ISMS at RS Software.
Example 4: Cisco
Cisco is a global leader in cloud software, networking, and cybersecurity solutions. This innovative company is one of the most well-recognized names in the business world.
The organization proudly displays its information security certifications, like ISO/IEC 27001, on its website.
Cisco uses ISO/IEC 27001 to preserve confidentiality, integrity, and availability of information by implementing a risk management process. The ISO/IEC 27001 certification applies to the company’s broad scope of services related to networking, data centers, security products, communication systems, collaboration, video, and more.
How to Get Started With ISO/IEC 27001
As you can see from the examples above, ISO/IEC 27001 can be applied to a wide range of potential use cases for companies across every industry imaginable. Here’s a step-by-step guide for getting started with ISO/IEC 27001:
Step 1: Define Information Security Management System (ISMS) Goals
Information security is a broad subject. Before you can implement ISO/IEC 27001 standards, you need to start by identifying the specific purposes of this initiative.
Every business is different, so your goals may not be the same as other organizations that have used ISO/IEC 27001 to beef up data security. Here’s a brief overview of potential benefits that you can achieve with an ISMS:
- Legal Requirements and Compliance — Laws and regulations for data security are constantly changing depending on the industry. Examples include GDPR, CCPA, HIPAA, and PCI DSS. By implementing an ISMS, you can create and define a methodology to comply with these types of regulatory requirements.
- Reduce Costs — Many organizations apply the ISO/IEC 27001 standards to reduce costs associated with information security breaches. Failing to secure sensitive data can be costly, and it’s usually much less expensive to invest in a process that prevents breaches and information leaks from happening in the first place.
- Competitive Advantage — If your organization is ISO/IEC 27001 certified and your competitors are not, you can gain a significant advantage in your industry. Customers, partners, and third-party entities alike will feel more comfortable working with you, knowing that you prioritize the protection of sensitive information.
- Improved Organization and Scalability — Large organizations have a tough time defining processes and procedures at scale. As a result, the staff company-wide doesn’t have clear instructions on what needs to happen and how to accomplish tasks related to information security. An ISMS helps you get organized, so everyone in the organization knows what’s expected of them in certain situations.
By identifying your ISMS needs and goals, it will be much easier to narrow your focus when it’s time to formally document ISO/IEC 27001 standards.
Step 2: Identify Risks and Create a Risk Mitigation Plan
Next, you need to figure out what part of your information security system is vulnerable. Create a list of all information assets and IT services that need to be protected in the ISMS.
You’ll also need to define the scope of your ISMS during this stage. This will help you determine how the ISMS will be used at scale during day-to-day operations within the organization.
Take your time and clearly define all potential assets and risks that are relevant to information security. Depending on the size of your business, this step might be handled by an entire team.
Determine where sensitive information is stored, whether it be in the cloud, on physical hardware, on portable flash drives, in file cabinets, or wherever else it might be.
Then you’ll need to establish a security baseline—which is the minimum level of security required to conduct your operation effectively. Depending on your industry, there might be strict standards for data security that you need to follow. This will be included in the baseline.
What are your organization’s biggest information security vulnerabilities?
Analyze those risks and establish a mitigation plan to reduce the threat levels. It’s common for IT managers to go through this step using a risk matrix.
You can quantify all of your risks with a numbered score based on the potential damage and the likelihood of the threat occurring. High scores in these categories imply big threats that need to be prioritized with direct action, while you might decide to tolerate low risks or treat them by improving certain controls.
Some organizations eliminate risks by avoiding those situations entirely. Other times, you can transfer the risk by taking out an insurance policy or making an agreement with third parties.
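The risk matrix described above can be made concrete with a small risk register. The following is an added example, not code from the article or from any of the organizations it mentions: it scores each risk as impact multiplied by likelihood on an assumed 1 to 5 scale, maps the score to a band that suggests tolerate or treat, and lets an explicit avoid or transfer decision override that suggestion. The scale, the band thresholds and the sample assets and threats are all constructed assumptions; ISO/IEC 27001 leaves the scoring method to the organization.

```python
# Added example: a minimal risk matrix and register for the risk assessment
# step of an ISMS. Scale, bands, sample assets and threats are constructed
# assumptions for illustration, not values taken from the standard.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# 5x5 matrix: both axes run from 1 (lowest) to 5 (highest).
SCALE = range(1, 6)

# Score bands and the default treatment each band suggests (assumed values).
BANDS = (
    (1, 4, "low", "tolerate"),         # accept and keep on the register
    (5, 12, "medium", "treat"),        # improve or add controls
    (13, 25, "high", "treat-urgent"),  # direct action with owner and deadline
)


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    impact: int        # potential damage, 1..5
    likelihood: int    # chance of the threat occurring, 1..5
    # Optional decision made in treatment planning: "avoid" or "transfer"
    # (e.g. insurance or contract terms) overrides the matrix suggestion.
    decision: Optional[str] = None


def score_risk(impact: int, likelihood: int) -> int:
    """Return the matrix score (impact x likelihood); reject out-of-range input."""
    if impact not in SCALE or likelihood not in SCALE:
        raise ValueError("impact and likelihood must be integers from 1 to 5")
    return impact * likelihood


def classify(score: int) -> Tuple[str, str]:
    """Map a score to its (level, suggested treatment) band."""
    for low, high, level, treatment in BANDS:
        if low <= score <= high:
            return level, treatment
    raise ValueError(f"score {score} is outside the matrix range")


def build_register(risks: List[Risk]) -> List[Dict]:
    """Score every risk and return register rows, highest score first.
    An explicit avoid/transfer decision replaces the suggested treatment."""
    rows = []
    for r in risks:
        score = score_risk(r.impact, r.likelihood)
        level, treatment = classify(score)
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "score": score,
            "level": level,
            "treatment": r.decision or treatment,
        })
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample entries; a real register is built from the asset inventory.
SAMPLE_RISKS = [
    Risk("student records database", "unauthorized access via weak admin passwords", 5, 4),
    Risk("paper HR files in unlocked cabinet", "theft or loss", 3, 3),
    Risk("public marketing website", "defacement", 2, 2),
    Risk("payment processing service", "extended outage", 5, 2, decision="transfer"),
    Risk("legacy file share", "data leakage", 4, 3, decision="avoid"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['score']:>2} {row['level']:<6} {row['treatment']:<12} "
              f"{row['asset']} / {row['threat']}")
```

Running the block prints the register with the highest-scoring risk first, which is the order in which treatment plans would normally be written. The thresholds are deliberately kept in one table so that an organization's own risk appetite can be expressed by editing the bands rather than the logic.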
Step 3: Implement Policies and Procedures to Control Information Security Risks
Now it’s time to create detailed policies for your information security management system. Here’s an overview of what’s required by ISO/IEC 27001, as described in clauses 4 through 10 of Annex A:
- Context of Organization — Define the ISMS scope, requirements for internal issues, external issues, and requirements of all interested parties.
- Leadership — Identify the roles and responsibilities of top-level management.
- Planning — Explain all requirements for risk assessment, risk mitigation, risk treatment plan, information security objectives, and the Statement of Applicability.
- Support — Describe the availability of resources, communication, and how documents and records will be controlled.
- Operation — Identify risk management implementation and all processes required to achieve data security goals and objectives.
- Evaluation — Explain all of the requirements to monitor, measure, analyze, and evaluate your ISMS for an internal audit.
- Improvement — Define the procedure for continuous improvement and corrective actions in the ISMS.
The list of policies and procedures will vary based on the company’s industry, data assets, and overall organizational structure.
Step 4: Get ISO/IEC 27001 Certification
The ISO and IEC develop international standards, but they do not perform certifications or issue certificates. All certifications are issued by third-party certification bodies.
To find an accredited certification body, the ISO recommends that you contact the national accreditation organization in your country. You can also use the International Accreditation Forum as a resource.
Organizations will need to pass an audit performed by the certification body before a certificate is issued. Part of the audit includes having all official documents written, as required by ISO/IEC 27001. Those documents include:
- Scope of ISMS
- Information Security Policy and Objectives
- Risk Assessment and Risk Treatment Methodology
- Statement of Applicability
- Risk Treatment Plan
- Risk Assessment Report
- Access Control Policy
- Acceptable Use of Assets
- Inventory of Assets
- Definition of Security Roles and Responsibilities
- Operating Procedures for IT Management
- Supplier Security Policy
- Secure System Engineering Principles
- Business Continuity Procedures
- Incident Management Procedure
- Statutory, Regulatory, and Contractual Requirements
The official ISO/IEC 27001 information security standard can be purchased for ₣118 (Swiss francs), the equivalent of about $130 USD.
The 23-page document will explain how to implement these security standards and ultimately pass an audit for your certification.