Since its debut in 2005, the ISO/IEC 27001 standard has become a management system of growing importance and use in information security as the scope, number and impact of security incidents continue to scale worldwide. Among the indicators of its growing popularity, the 2018 ISO survey recorded a 36% increase in 27001 certifications in the US.
The ISO/IEC 27001 standard portfolio, also known as the ISO 27000 series, is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO standards can help any organization manage the security of IT assets, such as intellectual property, financial information, confidential information or other information entrusted by third parties. ISO 27001 specifically explains how to implement and manage an Information Security Management System (ISMS) and improve enterprise information security overall. ISO 27001 is considered the core standard in the series because of its focus on ISMS implementation requirements.
ISO 27001 Compliance and Certification Value
Not only is ISO 27001 the centerpiece; it is the only standard in the series that has compliance, assessment, management and audit processes, and a growing complement of resources and expertise, that organizations can use to verify and certify their ISMS. A standards-based approach helps ensure that security risks are defined and managed internally. What’s more, adherence to the standard demonstrates to customers and business partners that an organization is using proven information security practices and is trustworthy. Applying a focus to ISO 27001 compliance and resources to certification proves invaluable for monitoring, reviewing, maintaining and improving an organization’s ISMS and for accelerating other business benefits (see below).
ISO 27001 Standard Elements
ISO 27001 has two main parts:
- An Information Security Management System (ISMS)
- A set of controls used to address and reduce an organization’s risk
An ISMS is a set of processes and systematic practices that, taken together, help IT and business leaders understand and manage information security by assessing risks and vulnerabilities, recognizing gaps and taking action to reduce overall risk to the organization. The primary elements of an ISMS, and the questions they answer, include:
- Information security policy: What are the rules to keep information assets secure?
- Objectives: What are the ISMS goals and desired outcomes?
- Risk assessment and treatment: What are the biggest risks? How can they be reduced?
- Roles and responsibilities: Who is involved in the ISMS, and what do they do?
- Competence: What skills are needed by those involved in the ISMS?
- Awareness training: Do employees know of the ISMS and what they should do to support it?
- Communication: How, what and when are communications conducted, internally and externally, regarding the ISMS?
- Monitoring and measuring: How is the ISMS evaluated as efficient and effective?
- Internal audit: Is the ISMS periodically checked to verify its operation and results?
- Management review: Is the ISMS managed and under control?
- Continuous improvement: What is the systematic approach (monitored results and feedback cycles) to improve ISMS performance and reduce risk?
ISO 27001’s set of 114 reference controls is contained in Annex A. They provide a framework of security standards, organized into 14 areas including Information Security Policies, Human Resources, Access Control, Incident Management and others, together with the detail required for compliance. Although organizations often place initial emphasis on the controls, to help with challenges such as anti-virus, vulnerability scanning or change management, the ISMS is just as important and can pose more problems when implementing the ISO 27001 standard.
The ISO 27001 Family in Context
In total, there are more than 50 individual standards, including ISO 27000, an introduction to the family and clarifications of key terms and definitions. Other important standard family members related to information security include:
- ISO 27002: discusses the information security controls organizations might choose to implement and suggests implementation methods. Organizations are only required to adopt the controls relevant to their risk assessment.
- ISO 27017 and ISO 27018: explain how organizations should protect sensitive information in the cloud. This has become especially important recently as organizations increasingly migrate sensitive information to online servers:
- ISO 27017 is a code of practice that provides extra information about how to apply the Annex A controls to information stored in a cloud environment;
- ISO 27018 is similar but provides additional considerations for personal data in the cloud.
- ISO 27701: the newest in the ISO 27000 series, covers what organizations must do when implementing a Privacy Information Management System (PIMS). It was created in response to the European Union’s General Data Protection Regulation (GDPR), which instructs organizations to adopt “appropriate technical and organizational measures” to protect personal data but does not specifically state how they should do that. ISO 27701 fills that gap, essentially adding privacy-related controls into the ISO 27001 framework.
ISO 27001 Consultants Bring Expertise, Add Value
As with any business and technology journey, it’s important to know an organization’s current state, the path forward, and the resources needed. Organizations may already have ISMS elements and some processes in place, but the pressures of everyday operations and resource constraints often preclude a standards-based, more systematic approach. By partnering with experts versed in ISO 27001, organizations take an essential step toward understanding their ISMS environment today and building a roadmap to achieve a robust ISMS implementation and a globally recognized certification. The Alchemi Advisory Group has the expertise and the experience to assess information security at the enterprise level and develop a strategy and uniquely tailored path for ISMS success and certified recognition.