Understanding The ISO 27001 Framework

Download as pdf or txt
Download as pdf or txt
You are on page 1of 9
At a glance
Powered by AI
The key takeaways are that ISO 27001 is an internationally recognized information security standard that can help organizations mature their security posture and articulate their security stance to customers. Implementing a framework like ISO 27001 is a good first step for organizations looking to improve their security.

The core elements of the ISO 27001 framework are the 10 clauses, 14 categories, 35 control objectives, and 114 controls that make up the standard. Clauses 4-10 define the ISMS while the 114 controls are defined in Annex A.

According to ISO 27001, the essential elements (clauses) of an ISMS are: governance (clauses 4-5), risk management (clauses 6 and 8), strategic planning (clauses 6-8), internal auditing and performance monitoring (clauses 9-10).

ISO 27001:

The Path to
Certification (Part 2)
Understanding the ISO 27001
Framework

Bottom Line Up Front


Cybersecurity is a business problem impacting the Contents
livelihoods of companies and their owners. As a result,
Leadership must take steps to proactively mature their ISO 27001 Framework Elements .................................2
information security posture and articulate their ISO 27001 Clauses 4-10 .............................................. 2
security posture to current and prospective customers.
ISO 27001 Annex A (Control Framework)................... 2
A great place to begin maturing your security ISO 27001 Explained in Detail .....................................3
environment is through the implementation of a
security framework such as ISO 27001. If you are ISMS: Essential Elements (Clauses 4-10) .................... 3
considering program implementation, this three-part Governance (Clauses 4 and 5) ................................ 4
whitepaper series will provide all the information you Risk Management (Clause 6 and 8) ........................ 4
need to make an educated decision on ISO 27001
adoption. Strategic Planning (Clauses 6, 7, and 8) .................. 5
Internal Audit and Performance Monitoring (Clause
This Whitepaper Series Includes: 9 and 10) ................................................................. 5
Part 1: Will present a business case which outlines why Annex A Controls ........................................................ 6
organizations should consider ISO 27001 certification Controls and Self-Assessment Questions ............... 6
from business perspective (Read it Here)
The Certification Process ............................................9
Part 2: Will cover the essential elements of the ISO
27001 Framework (This Whitepaper)

Part 3: Will cover the ISO 27001 certification process


from start to finish

ISO 27001: The Path to Certification | Page 1


ISO 27001 Framework Elements 9 Performance evaluation - monitor, measure, analyze
and evaluate/audit/review the information security
controls, processes and management system,
Before we begin dissecting the ISO 27001 framework, it
systematically improving things where necessary. This is
is important that we establish a common understanding
where ISO requires an independent audit of the ISMS.
of ISO 27001’s core elements.
10 Improvement - address the findings of audits and
ISO 27001 is an internationally recognized information
reviews (e.g. nonconformities and corrective actions),
security standard that is comprised of 10 clauses, 14
make continual refinements to the ISMS.
categories, 35 control objectives, and 114 controls.
Companies may choose to align to ISO 27001 as part of ISO 27001 Annex A (Control Framework)
security best practices and/or choose to pursue ISO
27001 certificaiton. This is the section that outlines the 14 categories, 35
control objectives and 114 controls. You may refer to
Clauses 4-10 are typically referred to as the Information ISO/IEC 27002 for further detail on the controls,
Security Management System, while the 114 control including implementation guidance.
requirements are called “Annex A.”
A.5 Information Security Policies – Defines
ISO 27001 Clauses 4-10 requirements for policies and procedures.
When most people think of ISO 27001, they A.6 Organization of Information Security – Defines
immediately consider the 114 controls that make up ISO requirements for roles and responsibilities.
27001’s Annex A. Often ignored, however, is Clauses 4-
10. These clauses are the core of ISO 27001 and A.7 Human Resource Security – Defines requirements
establish the system of management necessary to build for pre-employment, during employment, and
and maintain an effective information security program. termination.
If you are considering ISO 27001 certification, clauses 4- A.8 Asset Management – Defines requirements for
10 are the main focus of the audit. inventory, ownership, and use of assets.
4 Context of the organization - understanding the A.9 Access Control – Defines requirements for user
organizational context, the needs and expectations of access management throughout the user lifecycle.
‘interested parties’ and defining the scope of the ISMS.
A.10 Cryptography – Defines requirements for
5 Leadership - top management must demonstrate cryptographic controls and key management.
leadership and commitment to the ISMS, mandate
policy, and assign information security roles, A.11 Physical and Environment Security
responsibilities and authorities. A.12 Operations Security – Defines requirements for
6 Planning - outlines the process to identify, analyze security operations such as system security, backup,
and plan to treat information risks, and clarify the logging, malware, and vulnerability management.
objectives of information security. This is the first clause A.13 Communications Security – Defines requirements
that requires a risk assessment. for network security and information transfer.
7 Support - adequate, competent resources must be A.14 System Acquisition, Development and
assigned and awareness raised. Maintenance – Defines requirements for security in the
8 Operation - a bit more detail about assessing and system development and change management lifecycle.
treating information risks, managing changes, and A.15 Supplier Relationships – Defines requirements for
documenting requirements. security as related to vendors.

ISO 27001: The Path to Certification | Page 2


A.16 Informaiton Security Incident Management – ISMS can be daunting and confusing. Thus, it is helpful
Defines requirements for management of security to think about these requirements as being a part of
incidents. one of four categories: Governance, Risk Management,
Strategic Planning, and Performance Monitoring.
A.17 Information Security Aspects of Business
Continuity Management – Defines requirements for 1) Governance
information security continuity and redundancies.
Governance includes establishing leadership and
A.18 Compliance – Defines requirements for legal and ownership of security, defining roles on the
contractual requirements. organizational chart, authoring and implementing
policies and procedures related to information security,
ISO 27001 Explained in Detail and ensuring appropriate resources are available to
support the security program. Governance is a key
In this section we will explore the essential elements of element of clauses 4-10 of ISO 27001 and especially
ISO 27001 including the “ISMS” and “Annex A” controls. relevant to clauses 4 “Context” and 5 “Leadership.”

2) Risk Assessment/Risk Management


Governance (Clauses 4 and 5)
Information Security Management System

(Leadership, Roles, Policies, Procedure, People) Risk management is an essential element of establishing
a process to identify, analyze, and treat risks. A risk
(ISMS) (Clauses 4-10)

Risk Assessment (Clauses 6 and 8) management program should grant authorization and
(Provides context, drives decision making, drives planning) authority of those individuals responsible for
information security (often called the information risk
Strategic Planning (Clauses 6, 7, 8)
council, or similar).
(Plan for Information Security, Key Performance Indicators,
Communication Plans.)
A formalized risk assessment is the process which helps
leadership identify key risks, prioritize resources and
Internal Audit/Performance Monitoring (Clause 9 and 10)
(Management Visibility, Drives Continuous Improvement) controls, and align the security program with business
objectives. Risk assessment and risk management are
Annex A: directly linked to clauses 6 “Planning” and 8
(114 Controls – Reference ISO 27002) “Operation.”

3) Strategic Planning
ISMS: Essential Elements (Clauses 4-10)
The strategic plan defines how the security program will
As a philosophical point, ISO 27001 establishes a system be tactically implemented. It is typically a 12-month
of management (hence the term information security outlook on the initiatives that comprise the security
management system or ISMS) that empowers program. It typically includes key projects, security
management to establish, implement, govern, and program improvements, people, budgets, a
continuously improve the information security communication plan, and key performance indicators
environment. This, in short, is the ISMS. (measurables) required to execute on the information
security program.
There are many elements of a functional ISMS that
must be implemented in order to satisfy ISO 27001 Strategic planning is most closely tied to clause 6.2, but
certification requirements. These requirements are is especially relevant to clauses 6 “Planning,” 7
described in Clauses 4-10 of ISO 27001. “Support,” and 8 “Operation.”

For those unfamiliar with ISO 27001, reading through 4) Internal Audit/Performance Monitoring
these clauses for the first time and trying to understand
Internal audit is the mechanism by which management
the scope of what needs to be done to implement an
gains visibility into the information security program,

ISO 27001: The Path to Certification | Page 3


identifies areas for improvement, and drives continuous
improvement. The internal audit function must be Document Checklist | Governance
independent from the security program and qualified to
do an effective audit. Internal audit and continuous + ISMS Document – this document contains the
improvement are key elements of clause 9 context, requirements, and scope of the
“Performance Evaluation” and 10 “Improvement.” organizations ISMS and aligns with Clauses 4-10.
+ Information Security Policy(s) – The master security
Now that we have a basic understanding of the ISMS, policy or a base security policy with derivative
we will discuss these areas at length and map them policies on specific topics such as access control,
back to their specific clauses within ISO 27001’s ISMS cryptographic controls, and change management.
(Clauses 4-10). We will also outline the specific + Statement of Applicability (SoA) – identifies the
documents you will need to create to support ISO security controls to be included in the ISMS, justifies
27001 certification efforts. the choice of included controls and whether they
are implemented or not, and justifies the excluded
Governance (Clauses 4 and 5) controls from Annex A.
Establishing an effective governance structure that
supports information security program objectives is an
essential element of the ISMS, primarily outlined in
Risk Management (Clause 6 and 8)
clauses 4 and 5 of ISO 27001.
The Risk Management workstream helps the
1) Scope and Context (Clause 4) organization establish a defined risk identification,
The organization should articulate the scope and intake, and analysis process and satisfies elements of
boundaries of the ISMS including relevant people, clauses 6 and 8 of ISO 27001.
processes, technologies, locations, and interested 1) Opportunities, Risk Assessment and Risk
parties. (See sections 4.1-4.4 in the ISO 27001 standard) Treatment (Clauses 6.1, 8.2, and 8.3)
2) Leadership and Policy (Clause 5) The risk management process is the Company’s
Clause 5’s primary concern is top level leadership’s formalized approach to risk identification, risk
commitment to continuous improve of the information measurement, risk treatment, and risk acceptance. It is
security program. In addition, the clause lays out the important that the organization establish a formal risk
requirement for leadership involvement (clause 5.1), management office (often called the information risk
defined policies which articulate management’s intent council (IRC)), complete a formal risk assessment
(clause 5.2), and defined roles, responsibilities, and process, and maintain a formal log of identified risks
granted authorities (clause 5.3). which are communicated formally to the IRC.

Authoritative Guidance
Executing an effective risk assessment is complex (and
At more than 20% per year, North merits a separate whitepaper); however, there are
America has the largest growth rate of several accompanying standards that you should
familiarize yourself with to implement a risk
ISO 27001 certifications in the world. management program.
ISO 27001 has become table stakes to • ISO 31000 Enterprise Risk Management
show clients we take security seriously. • ISO 27005 is an adaption of the ISO 31000
framework for Information Security. ISO 27005
-CEO, US Based Technology Company explains in detail how to conduct a risk assessment
and is also aligned with ISO 27001 requirements.

ISO 27001: The Path to Certification | Page 4


indicators (KPIs) and regular communication cadences
Document Checklist | Risk Management including status reports and formalized status meetings.

+ Risk Management Charter – Established the


information risk council and grants this office the Document Checklist | Strategic Planning
authority and responsibility to measure and treat
+ Program Roadmap – Project plan outlining what
identify risks.
you are going to do, when you plan to do it, and
+ Risk Management Policy – Policy that outlines
who will execute.
management expectations related to risk
+ Security Program Resource Plan – The resource
management and risk assessment process.
plan should include budget for personnel, toolsets,
+ Risk Assessment Report – Report outlining the
implementations, etc.
results of the risk assessment.
+ Key Performance Indicators (KPIs) – Defined
+ Risk Register – Formal log of identified risk.
measurables tied to program success indicators.
+ Communication Plan – Plan to communicate with
key stakeholders including status reporting and
Strategic Planning (Clauses 6, 7, and 8) meeting cadences.

The goal of the security program strategic plan is to


layout program priorities for the next 12 months. The
strategic plan should consider all elements of the ISMS Internal Audit and Performance Monitoring (Clause
including the context of the organization, results of the 9 and 10)
risk assessment, and overall business objectives. The
Understanding that no program is perfect or stagnant,
strategic plan should also consider resources that will
ISO 27001 emphasizes Management’s commitment to
be required to execute the plan, including personnel
continuous improvement. As a result, ISO 27001
and budget.
requires that management measure the program on a
Objectives and Planning (Clause 6.2) periodic basis and take actions to improve the program
based on the results. On key element of measuring the
Clause 6.2 requires that an organization establish
security program is internal audit.
formalized “security objectives” and plans to achieve
those objectives. The security objectives should be in The Internal Audit workstream satisfies clause 9.2 and
alignment with the business’s goals. requires that the internal audit function is formally
defined and authorized to carry out assessments. ISO
1) Support (Clause 7.1)
27001 requires that the internal audit function have:
Clause 7.1 requires that an organization “determine and “Specified responsibilities; establish independence,
provide resources” needed to establish, implement, objectivity, and impartiality of the internal audit
maintenance, and continue to improve the information function; a defined internal audit plan of audit activities;
security program. The term “resources” includes both allocated resources; defined audit procedures; executed
personnel and budget. audit activities; report on audit findings; and
nonconformity follow-up activities.”
2) Operational planning (Clause 8.1)
Included in the internal audit activities is the testing of
Clause 8.1 reemphasizes the requirements outlined in the ISMS to include clauses 4-10 and the Annex A
clause 6.2, but adds that the organization must have controls. Since not all organizations have an
established mechanisms in place “to have confidence independent, objective, and impartial internal audit
that the processes have been carried out as planned.” function capable of auditing the ISMS, organizations
Most commonly, organizations satisfy this requirement may leverage third party assessors to execute internal
by implementing agreed-upon key performance audit activities.

ISO 27001: The Path to Certification | Page 5


• Are policies properly communicated to employees?
Document Checklist | Internal Audit and • Are security policies subject to review?
Performance Monitoring • Are the reviews conducted at regular intervals?
• Are reviews conducted when circumstances
+ Internal Audit Policy – Policy that defines the roles, change?
responsibilities, authority, and process that governs
internal audit. The policy should define auditor A.6 Organization of Information Security – Defines
qualifications and methodology. requirements for roles and responsibilities.
+ Internal Audit Plan – The internal audit plan should Sample Questions to Consider:
be a 3-year plan (in alignment with the 3-year ISO
27001 certification). The plan must be “risk based” • Are responsibilities for the protection of individual
and include the entirety of the ISMS Scope. assets clearly identified and defined and
+ Internal Audit Report – Results of the annual communicated to the relevant parties?
internal audit in line with the Internal Audit plan. • Do all projects go through some form of
+ Management Action Plans – Management information security assessment?
commitments as a result of any internal audit • Does a mobile device policy exist?
findings. • Is there a set process for remote workers to get
access?

A.7 Human Resource Security – Defines requirements


In summary, the foundation of the ISMS is top level for pre-employment, during employment, and
Management’s ability to control and continuously termination.
improve the security program in alignment with
Sample Questions to Consider:
identified risks and opportunities. Next, we will take a
deeper look into the 114 controls that comprise Annex • Are background verification checks carried out on
A and consider a few self-assessment questions that all new candidates for employment?
may provide insight into your current alignment with • Are all employees, contractors and third party users
ISO 27001 requirements. asked to sign confidentiality and non-disclosure
agreements?
Annex A Controls
• Are managers (of all levels) engaged in driving
Controls and Self-Assessment Questions security within the business?
• Do all employees, contractors and 3rd party users
ISO 27001 Annex A is the section that outlines the 14
undergo regular security awareness training
categories, 35 control objectives and 114 controls
appropriate to their role and function within the
companies should consider alignment with. You may
organization?
refer to ISO/IEC 27002 for further detail on the controls,
• Is there a documented process for terminating or
including implementation guidance.
changing employment duties?
Below we will outline each category and suggest a few
A.8 Asset Management – Defines requirements for
questions you may consider to assess your ability to
inventory, ownership, and use of assets.
align to the framework.
Sample Questions to Consider:
A.5 Information Security Policies – Defines
requirements for policies and procedures. • Is there an inventory of all information and physical
Sample Questions to Consider: IT assets?
• Is the inventory accurate and kept up to date?
• Do Security policies exist? • Is there a policy governing information
• Are all policies approved by management? classification?

ISO 27001: The Path to Certification | Page 6


• Is there a process by which all information can be • Is there a rigorous equipment maintenance
appropriately classified? schedule?
• Is there a policy governing removable media? • Is there a process controlling how assets are
• Is there a physical media transfer policy? removed from site?
• Is media in transport protected against • Does the organization have a policy around how
unauthorized access, misuse or corruption? unattended equipment should be protected?

A.9 Access Control – Defines requirements for user A.12 Operations Security – Defines requirements for
access management throughout the user lifecycle. security operations such as system security, backup,
logging, malware, and vulnerability management.
Sample Questions to Consider:
Sample Questions to Consider:
• Is there a documented access control policy?
• Is access to all systems limited based on the • Is there a controlled change management process in
principle of lease priviledge? place?
• Is there a formal provisioning and deprovisioning • Is there a capacity management process in place?
process? • Does the organization enforce segregation of
• Are privileged access accounts separately managed development, test and operational environments?
and controlled? • Are processes to detect malware in place?
• Is there a formal management process in place to • Is there an agreed backup policy?
control allocation of secret authentication • Are appropriate event logs maintained and regularly
information? reviewed?
• Do you perform periodic user access reviews? • Are sysadmin / sysop logs maintained, protected
• Are complex passwords required? and regularly reviewed?
• Are privilege utility programs restricted and • Is there a vulnerability management program?
monitored? • Is there a process to risk assess and react to any
• Is access to the source code of the Access Control new vulnerabilities as they are discovered?
System protected? • Do you perform penetration tests?

A.10 Cryptography – Defines requirements fo A.13 Communications Security – Define requirements


cryptographic controls and key management. for network security and information transfer.

Sample Questions to Consider: Sample Questions to Consider:

• Is there a policy on the use of cryptographic • Is there a network management process in place?
controls? • Does the organization implement a risk
• Is there a cryptographic key management policy? management approach which identifies all network
services and service agreements?
A.11 Physical and Environment Security
• Is security mandated in agreements and contracts
Sample Questions to Consider: with service providers (in house and outsourced)?
• Are security related SLAs mandated?
• Are sensitive or critical information areas
• Does the network topology enforce segregation of
segregated and appropriately controlled?
networks for different tasks?
• Do secure areas have suitable entry control systems
• Do organizational policies govern how information
to ensure only authorized personnel have access?
is transferred?
• Are environmental hazards identified and
• Are relevant technical controls in place to prevent
considered when equipment locations are selected?
non-authorized forms of data transfer?
• Is there a UPS system or back up generator?

ISO 27001: The Path to Certification | Page 7


• Do contracts with external parties and agreements Sample Questions to Consider:
within the organization detail the requirements for
• Are management responsibilities clearly identified
securing business information in transfer?
and documented in the incident management
• Do security policies cover the use of information
processes?
transfer while using electronic messaging systems?
• Is there a process for reviewing and acting on
A.14 System Acquisition, Development and reported information security events?
Maintenance – Defines requirements for security in the • Is there a process for reporting of identified
system development and change management lifecycle. information security weaknesses?
• Is there a process to ensure information security
Sample Questions to Consider:
events are properly assessed and classified?
• Are information security requirements specified • Is there a forensic readiness policy?
when new systems are introduced?
A.17 Information Security Aspects of Business
• Are controls in place to prevent incomplete
Continuity Management – Defines requirements for
transmission, misrouting, unauthorized message
information security continuity and redundancies.
alteration, unauthorized disclosure, unauthorized
message duplication or replay attacks? Sample Questions to Consider:
• Are there policies mandating the implementation
• Do BCP/DR Policies exist?
and assessment of security controls?
• Do you perform a BIA?
• Is there a formal change control process?
• Do you perform BCP/DR testing?
• Is there a policy in place which mandates when and
how software packages can be changed or • Are systems reduandant to ensure availability?
modified? A.18 Compliance – Defines requirements for legal and
• Do all projects utilize the secure development contractual requirements.
environment appropriately during the system
development lifecycle? Sample Questions to Consider:
• Where systems or applications are developed, are • Has the organization identified and documented all
they security tested as part of the development relevant legislative, regulatory or contractual
process? requirements related to security?
A.15 Supplier Relationships – Defines requirements for • Does the organization keep a record of all
security as related to vendors. intellectual property rights and use of proprietary
software products?
Sample Questions to Consider: • Does the organization monitor for the use of
• Is information security included in contracts unlicensed software?
established with suppliers and service providers? • Are records protected from loss, destruction,
• Is there an organization-wide risk management falsification and unauthorized access or release in
approach to supplier relationships? accordance with legislative, regulatory, contractual
and business requirements?
• Are suppliers provided with documented security
requirements? • Is personal data protected in accordance with
relevant legislation?
• Is supplier access to information assets &
infrastructure controlled and monitored? • Are cryptographic controls protected in accordance
with all relevant agreements, legislation and
• Are suppliers subject to regular review and audit?
regulations?
A.16 Informaiton Security Incident Management – • Is the organizations approach to managing
Defines requirements for management of security information security subject to regular independent
incidents. review?

ISO 27001: The Path to Certification | Page 8


• Is the implementation of security controls subject to
regular independent review?
Let’s Get Started
• Does the organization regularly conduct technical
compliance reviews of its information systems?
Contact a Professional

Authoritative Guidance Christian Hyatt, Managing Director


ISO 27001 is accompanied by ISO 27002 which provides CISA | CISM | ISO 27001 Lead Auditor | PCI QSA
detailed implementation guidance for the 114 controls. [email protected]
404.333.1669
Annex A Controls | Did you Know? Christian White, Managing Director
Did you know that you can achieve ISO 27001 CISA | CRISC | PCI QSA | ISO 27001 Lead Implementer
certification even if some controls are not currently [email protected]
implemented? It is a common myth (and often costly) 770.289.3505
that all controls must be implemented. Contact a
professional to learn more about the nuances to ISO
27001 implementation and how to achieve certification. risk3sixty
IT Audit | Cyber Risk | Compliance Advisory

Risk3sixty, LLC, is an Atlanta-based Information Risk


The Certification Process Management (IRM) advisory firm focused on IT audit,
Cyber Risk, and compliance consulting and software
If you are considering ISO 27001 certification and would solutions.
like to understand the process in detail check out Part 3
in our whitepaper series where we cover the ISO 27001 Our management-level consulting team leverages deep
certification process in detail. industry experience and unique technology solutions to
enhance risk visibility, reduce the burdens of
If you would like assistance with guided implementation compliance, and create actionable programs which
and certification, risk3sixty can help. Following enable executives and their management teams to
risk3sixty’s guided implementation process, our clients make better decisions.
have 100% ISO 27001 certification success rate. We can
assist with every step of the project from complete Phalanx
implementation, auditor selection, and working directly
with the auditor during the certification process. Manage Security and Compliance in One Platform
From vulnerability scanning, to policy curation, team
✓ 100% Certification Success Rate collaboration, audits, and assessments - manage your
✓ 100% three-year client retention entire security and compliance program in a single
✓ Our clients consistently report 50% faster platform.
implementation
✓ Supported by a complete team of security and ✓ Simple and Fast Implementation
compliance experts ✓ One-Click Compliance Reporting
✓ Quickly Assess Risk with Asset Labeling
✓ Leveraging our audit workflow platform Phalanx, we
✓ Complete Team Collaboration
save our clients an average of 50% over attempting
✓ Project Management to Vulnerability Closure
to implement ISO 27001 without assistance ✓ Automated Scan and Rescan to Validate Issue Closure
✓ Our firm is peer reviewed for rigorous quality ✓ Management-Level KPIs and Progress Reporting
standards by an independent CPA firm (read our ✓ Customized Workflow.
results here). ✓ ISO 27001, SOC 2, GDPR, PCI DSS, and more!

ISO 27001: The Path to Certification | Page 9

You might also like