Understanding The ISO 27001 Framework
The Path to Certification (Part 2)
Understanding the ISO 27001 Framework
[Figure: ISO 27001 framework diagram. Elements shown:]
• ISMS (Clauses 4-10): Leadership, Roles, Policies, Procedure, People
• Risk Assessment (Clauses 6 and 8): Provides context, drives decision making, drives planning
• Strategic Planning (Clauses 6, 7, 8): Plan for Information Security, Key Performance Indicators, Communication Plans
• Internal Audit/Performance Monitoring (Clauses 9 and 10): Management Visibility, Drives Continuous Improvement
• Annex A: 114 Controls (Reference ISO 27002)

ISMS: Essential Elements (Clauses 4-10)

As a philosophical point, ISO 27001 establishes a system of management (hence the term information security management system, or ISMS) that empowers management to establish, implement, govern, and continuously improve the information security environment. This, in short, is the ISMS.

There are many elements of a functional ISMS that must be implemented in order to satisfy ISO 27001 certification requirements. These requirements are described in Clauses 4-10 of ISO 27001.

For those unfamiliar with ISO 27001, reading through these clauses for the first time and trying to understand the scope of what needs to be done to implement an

“At more than 20% per year, North America has the largest growth rate of ISO 27001 certifications in the world. ISO 27001 has become table stakes to show clients we take security seriously.”
- CEO, US Based Technology Company

Risk management is an essential element of establishing a process to identify, analyze, and treat risks. A risk management program should grant authorization and authority to those individuals responsible for information security (often called the information risk council, or similar).

A formalized risk assessment is the process which helps leadership identify key risks, prioritize resources and controls, and align the security program with business objectives. Risk assessment and risk management are directly linked to clauses 6 “Planning” and 8 “Operation.”

3) Strategic Planning

The strategic plan defines how the security program will be tactically implemented. It is typically a 12-month outlook on the initiatives that comprise the security program. It typically includes key projects, security program improvements, people, budgets, a communication plan, and key performance indicators (measurables) required to execute on the information security program.

Strategic planning is most closely tied to clause 6.2, but is especially relevant to clauses 6 “Planning,” 7 “Support,” and 8 “Operation.”

4) Internal Audit/Performance Monitoring

Internal audit is the mechanism by which management gains visibility into the information security program,

Authoritative Guidance

Executing an effective risk assessment is complex (and merits a separate whitepaper); however, there are several accompanying standards that you should familiarize yourself with to implement a risk management program.
• ISO 31000 Enterprise Risk Management
• ISO 27005 is an adaptation of the ISO 31000 framework for Information Security. ISO 27005 explains in detail how to conduct a risk assessment and is also aligned with ISO 27001 requirements.
A.9 Access Control – Defines requirements for user access management throughout the user lifecycle.

Sample Questions to Consider:
• Is there a documented access control policy?
• Is access to all systems limited based on the principle of least privilege?
• Is there a formal provisioning and deprovisioning process?
• Are privileged access accounts separately managed and controlled?
• Is there a formal management process in place to control allocation of secret authentication information?
• Do you perform periodic user access reviews?
• Are complex passwords required?
• Are privileged utility programs restricted and monitored?
• Is access to the source code of the Access Control System protected?
• Is there a policy on the use of cryptographic controls?
• Is there a cryptographic key management policy?

A.11 Physical and Environment Security

Sample Questions to Consider:
• Are sensitive or critical information areas segregated and appropriately controlled?
• Do secure areas have suitable entry control systems to ensure only authorized personnel have access?
• Are environmental hazards identified and considered when equipment locations are selected?
• Is there a UPS system or backup generator?

A.12 Operations Security – Defines requirements for security operations such as system security, backup, logging, malware, and vulnerability management.

Sample Questions to Consider:
• Is there a controlled change management process in place?
• Is there a capacity management process in place?
• Does the organization enforce segregation of development, test and operational environments?
• Are processes to detect malware in place?
• Is there an agreed backup policy?
• Are appropriate event logs maintained and regularly reviewed?
• Are sysadmin / sysop logs maintained, protected and regularly reviewed?
• Is there a vulnerability management program?
• Is there a process to risk assess and react to any new vulnerabilities as they are discovered?
• Do you perform penetration tests?
• Is there a network management process in place?
• Does the organization implement a risk management approach which identifies all network services and service agreements?
• Is security mandated in agreements and contracts with service providers (in house and outsourced)?
• Are security related SLAs mandated?
• Does the network topology enforce segregation of networks for different tasks?
• Do organizational policies govern how information is transferred?
• Are relevant technical controls in place to prevent non-authorized forms of data transfer?