ISO 27001 Standard: A Bite-Sized Guide to the Standard

Umar Farouk
8 min read · Sep 15, 2023


ISO 27001, also known as ISO/IEC 27001, is the international standard that specifies the requirements for an Information Security Management System (ISMS). For any organization that chooses to adopt it, the standard provides a structured, auditable way to safeguard sensitive data and protect its information assets.

In this article, you will delve deep into ISO 27001, exploring its significance, principles, benefits, and much more.

What is ISO 27001?

ISO 27001 is an international standard prepared to provide the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Adopting an ISMS is a strategic decision for an organization.

The purposes and objectives of the organization, its security requirements, the organizational processes in use, and its size and structure all influence how the ISMS is designed and operated. It is normal for these elements to change over time, so the ISMS must be able to change with them.

The information security management system protects the confidentiality, integrity and availability (CIA) of information by providing a set of policies and procedures, technical controls and physical controls.

It is crucial that your organization’s operations and general management structure include the information security management system and that information security is taken into account when designing processes, information systems, and controls. It is expected that an ISMS implementation will be tailored to the needs of your organization.

The Principles of ISO 27001

ISO 27001 is built around a set of principles that are essential for the effective implementation of an ISMS. They mirror the main clauses of the standard itself (context of the organization, leadership, planning, support, operation, performance evaluation and improvement), so an auditor will look for evidence of each one.

Principle 1: Leadership

Leadership is essential for the success of any ISMS. Top management must be committed to information security and must provide the necessary resources and support for the implementation and maintenance of the ISMS.

Context of the Organization and Management Support

An ISMS can only function with the support of top management. Part of your job as a GRC analyst is to translate technical risk into business terms and sell the merits and potential benefits of a properly supported ISMS. This is what persuades management to invest significant time and money in it.

Your organization will determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system.

Understanding the needs and expectations of stakeholders

Your organization must determine the interested parties that are relevant to the information security management system. These are your stakeholders, e.g. management, employees, customers, suppliers, partners, regulators and other third parties. The organization must also understand the requirements of these interested parties, including legal, regulatory and contractual obligations.

Principle 2: Planning

Management must decide which business services and processes will be part of the ISMS. They then develop an ISMS plan that defines the scope and sets out how the ISMS will be implemented and maintained. The plan should be carried out in stages that include the following:

  • An overarching information security policy that contains the information security objectives of your organization.
  • An inventory of all assets (people, processes, IP, technology etc.)
  • A risk assessment to identify, classify and assess the risks to the organization’s information assets that are within the scope of the ISMS.
  • A risk treatment plan to mitigate the identified risks.
  • A set of policies and procedures to implement the risk treatment plan.
  • A communication plan to communicate the ISMS to all relevant stakeholders.

Stage 1: Conduct an Information security risk assessment.

Your organization will have to define and apply an information security risk assessment process that:

a) establishes and maintains information security risk criteria, including:

  • the risk acceptance criteria (what level of risk the organization is willing to live with);
  • the criteria for performing information security risk assessments (scales, scoring method, frequency).

b) ensures that repeated information security risk assessments produce consistent, valid and comparable results. In practice this means the scales and criteria are fixed once and reused, so two assessors scoring the same scenario arrive at the same answer.

c) identifies the information security risks by applying the process to find risks associated with the loss of confidentiality, integrity and availability of information within the scope of the ISMS, and identifies the risk owners.

d) analyses the information security risks by:

  • assessing the potential consequences that would result if the identified risks were to materialize;
  • assessing the realistic likelihood of the identified risks occurring;
  • determining the resulting levels of risk.

e) evaluates the information security risks by comparing the results of the risk analysis with the risk criteria established under a), and prioritizing the analysed risks for risk treatment.

Stage 2: Information security risk treatment

With the results of the risk assessment available, your organization can select appropriate information security risk treatment options. The options are:

  • Modification (mitigation): apply controls to reduce likelihood or consequence.
  • Avoidance: stop or do not start the activity that gives rise to the risk.
  • Retention (acceptance): knowingly accept the risk, with the decision approved by the risk owner.
  • Sharing (transfer): share the risk with another party, e.g. through insurance or a supplier contract.

Your organization then determines the specific controls needed to implement the chosen options, compares them against the reference controls in Annex A to make sure nothing necessary has been omitted, and records the result in a Statement of Applicability and an information security risk treatment plan. Risk owners must approve the plan and accept the residual risks.
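The two stages above describe a procedure: score each risk on fixed scales, compare it against the acceptance criteria, prioritize what exceeds them, and record a treatment decision the risk owner can sign off. As an added example (not part of the original article and not text from the standard), the Python sketch below implements that workflow as a small risk register. The five-point scales, the acceptance threshold of 6, the treatment-option rules and the sample risks are all constructed assumptions; an organization defines its own criteria.

```python
"""Toy ISO 27001-style risk register: Stage 1 (assessment) and Stage 2 (treatment).

Added example, not from the article or the standard. Scales, threshold,
assets and risks are constructed for illustration only.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Five-point qualitative scale used for both likelihood and consequence.
    Fixing the scale once is what makes repeated assessments comparable."""
    VERY_LOW = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    VERY_HIGH = 5


@dataclass(frozen=True)
class RiskCriteria:
    """Risk criteria: a score at or below the threshold is acceptable (assumed value)."""
    acceptance_threshold: int = 6


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    scenario: str
    loss_of: frozenset        # non-empty subset of {"C", "I", "A"}
    owner: str                # the risk owner who must approve treatment
    likelihood: Level
    consequence: Level

    def __post_init__(self):
        if not self.loss_of or not self.loss_of <= {"C", "I", "A"}:
            raise ValueError(f"{self.risk_id}: loss_of must be a non-empty subset of C/I/A")

    @property
    def score(self) -> int:
        """Risk level = likelihood x consequence on the fixed scales."""
        return int(self.likelihood) * int(self.consequence)


def evaluate(risk: Risk, criteria: RiskCriteria) -> str:
    """Compare the analysed risk with the acceptance criteria."""
    return "acceptable" if risk.score <= criteria.acceptance_threshold else "treat"


def prioritize(risks: list, criteria: RiskCriteria) -> list:
    """Risks needing treatment, highest score first, ties broken by consequence."""
    needing = [r for r in risks if evaluate(r, criteria) == "treat"]
    return sorted(needing, key=lambda r: (r.score, int(r.consequence)), reverse=True)


TREATMENT_OPTIONS = ("modify", "retain", "avoid", "share")


def plan_treatment(risk: Risk, criteria: RiskCriteria, option: str,
                   controls: tuple = (), approver: str = "") -> dict:
    """Record a treatment decision, rejecting ones that would not survive an audit.

    Assumed rules: retaining a risk above the threshold needs a named approver;
    'modify' needs at least one control; 'share' needs a named counterparty.
    """
    entry = {"risk_id": risk.risk_id, "owner": risk.owner, "score": risk.score,
             "option": option, "controls": list(controls), "approver": approver,
             "recorded": False, "reason": ""}
    if option not in TREATMENT_OPTIONS:
        entry["reason"] = f"unknown treatment option {option!r}"
    elif option == "retain" and evaluate(risk, criteria) == "treat" and not approver:
        entry["reason"] = "retaining a risk above the acceptance threshold needs an approver"
    elif option in ("modify", "share") and not controls:
        entry["reason"] = f"option {option!r} needs at least one control or counterparty"
    else:
        entry["recorded"] = True
    return entry


def sample_register() -> list:
    """Constructed example risks (not real findings)."""
    return [
        Risk("R-01", "Customer database", "Credential stuffing against the admin portal",
             frozenset({"C", "I"}), "Head of Engineering", Level.HIGH, Level.VERY_HIGH),
        Risk("R-02", "Staff laptops", "Unencrypted laptop lost in transit",
             frozenset({"C"}), "IT Manager", Level.MEDIUM, Level.HIGH),
        Risk("R-03", "Public website", "Volumetric DDoS on the marketing site",
             frozenset({"A"}), "Marketing Lead", Level.MEDIUM, Level.LOW),
        Risk("R-04", "Payroll SaaS", "Provider outage during the pay run",
             frozenset({"A"}), "HR Director", Level.LOW, Level.MEDIUM),
    ]


if __name__ == "__main__":
    criteria = RiskCriteria()
    for r in prioritize(sample_register(), criteria):
        print(r.risk_id, r.score, sorted(r.loss_of), r.owner)
```

With the constructed register, R-01 (score 20) and R-02 (score 12) come out as needing treatment while R-03 and R-04 (score 6 each) fall within the assumed acceptance threshold. The point of `plan_treatment` is the evidence trail: a retained risk above the threshold without a named approver, or a "modify" decision with no control attached, is exactly the kind of gap an auditor raises as a nonconformity.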

Stage 3: Establish Information security objectives and plans to achieve them.

Your organization shall establish information security objectives at relevant functions and levels.

The information security objectives should:

a) be consistent with the information security policy.

b) take into account applicable information security requirements, and risk assessment and risk treatment results.

c) be updated as appropriate.

Your organization should retain documented information on the information security objectives. When planning how to achieve its information security objectives, your organization will need to determine:

  • what will be done;
  • what resources will be required;
  • who will be responsible;
  • when it will be completed;
  • how the results will be evaluated.

Principle 3: Support

Once the benefits of an ISMS have been sold to them, organizations will provide the resources and support necessary to implement and maintain it.

These resources would include capacity building, developing and implementing security awareness programs, and providing access to the necessary tools and technologies.

Competence

As part of the responsibilities of your organization towards ensuring that the ISMS is properly implemented, the organization should determine the necessary competence of person(s) working on the ISMS.

Your organization should ensure that these persons are competent on the basis of appropriate education, training, or experience. In the event of a skills gap, actions to acquire the necessary competence must be considered. Applicable actions may include, for example: the provision of training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of competent persons.

Documented information

Your organization's ISMS must include the documented information required by the standard (for example the scope, the information security policy, the risk assessment and treatment process, and evidence of monitoring and audits). It should also include any further documented information the organization determines to be necessary for the effectiveness of the ISMS.

Creating and updating

When creating and updating documented information, the organization will have to ensure appropriate identification and description (e.g. a title, date, author or reference number), format (e.g. language, software version, graphics) and media (e.g. paper or electronic), as well as review and approval for suitability and adequacy.

Your organization must also ensure the confidentiality, integrity, and availability of the documented information.

Principle 4: Operation

Organizations must implement the necessary controls to protect their information assets. These controls can include technical controls, such as firewalls and intrusion detection systems, and administrative controls, such as access control policies and procedures.

Principle 5: Performance evaluation

Organizations must monitor and evaluate their ISMS to ensure that it is effective and that it is meeting the organization’s needs. This includes conducting internal audits, reviewing security incidents, and collecting feedback from stakeholders.

Monitoring, measurement, analysis and evaluation

Your organization will have to evaluate the information security performance and the effectiveness of the information security management system.

Your organization would have to determine:

  • what needs to be monitored and measured, including information security processes and controls.
  • the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results.
  • when the monitoring and measuring shall be performed.
  • who shall monitor and measure.
  • when the results from monitoring and measurement shall be analyzed and evaluated.

Internal audit

As part of your organization's plan to evaluate the performance of the ISMS, internal audits are conducted at planned intervals to provide information on whether the ISMS conforms to the requirements of the standard and to the organization's own requirements, and whether it is effectively implemented and maintained.

Your organization shall plan, establish, implement and maintain an audit programme that considers the frequency, methods, responsibilities, planning requirements and reporting. The audit programme shall take into consideration the importance of the processes concerned and the results of previous audits.

Principle 6: Improvement

Organizations must continuously improve their ISMS. This includes identifying areas where the ISMS can be improved and implementing the necessary changes.

Issues Around Nonconformity and corrective action

Nonconformity is an expected occurrence during the lifecycle of an ISMS. The organization should always be alert to nonconformities so that, when one occurs, it can react to it and, as applicable, take action to control and correct it and deal with the consequences.

The organization will need to evaluate the causes of the nonconformity to prevent it from recurring. This is done systematically by:

  • reviewing the nonconformity;
  • determining the causes of the nonconformity;
  • determining whether similar nonconformities exist, or could potentially occur;
  • implementing any action needed;
  • reviewing the effectiveness of any corrective action taken;
  • making changes to the information security management system, if necessary.

Corrective actions must be appropriate to the effects of the nonconformities encountered. The organization shall retain documented information as evidence of the nature of the nonconformities, any subsequent actions taken, and the results of any corrective action.

Conclusion (I can finally catch my breath)…

ISO 27001's principles form the bedrock of effective information security management. By adhering to them, your organization can establish a robust ISMS that not only protects sensitive data but also strengthens its overall business processes. Whether through leadership commitment, risk management, continual improvement or compliance, ISO 27001's principles guide organizations towards a more secure future.

I hope you have found value in today’s article, consider subscribing and following me on my socials. If you have any questions, I am only a DM away.


Umar Farouk

Welcome! I am an aspiring cybersecurity leader. I love writing about GRC and Information Security. Don't forget to subscribe and clap to support my writing.