Explanation of ISO 27001
Published 2018-11-29 (last modified 2019-03-11)
Source: https://ismsalliance.com/trends/about-iso-27001-standard/explanation-of-iso-27001/ (original post: https://iso27001.solutions/?p=1607)
Information security systems are often regarded by organizations as simple checklists, or as policies and procedures that forbid a lot of things and sit far from the way they do their normal business. By sticking to these beliefs, organizations prevent themselves from properly building an ISMS (Information Security Management System) and achieving its full potential, whether in operational and financial performance or in market reputation.

Fortunately, there are many frameworks on the market that can help organizations handle this situation, among them ISO 27001:2013.

Whether standing alone or integrated with another management system, such as ISO 9001 (Quality), ISO 22301 (Information Security), ISO 14001 (Environment), or OHSAS 18001 (Operational Health and Safety), the ISO 27001:2013 standard provides guidance and direction on how an organization, regardless of its size and industry, should manage information security and address information security risks. This can bring many benefits not only to the organization itself, but also to clients, suppliers, and other interested parties.

But for those unfamiliar with ISO standards or information security concepts, ISO 27001 may be confusing, so we developed this white paper to help you get inside this world.

Sections 1 to 3 cover the concepts of process, process approach, and the PDCA cycle applicable to ISO management standards, as well as the most important definitions a beginner in information security should know.

The main content of this white paper follows the same order and numbering as the clauses required to certify an ISMS against ISO 27001:2013:

4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

Additionally, the white paper also covers the content of Annex A, the control objectives and security controls (safeguards), numbered from A.5 to A.18.

Besides all this explanatory information, you will find throughout this white paper references to other learning materials.

1. Process and process approach of ISO 27001

1.1 Terms and definitions

process when demanded.

2. Process approach impact of ISO 27001

Compliance with the ISO 27001:2013 standard is mandatory for certification, but compliance alone doesn’t guarantee an organization’s capacity to protect information. It is necessary to create a robust link between requirements, policies, objectives, performance, and actions. That is why a process approach, as defined in the previous section, is so useful when implementing an ISMS.

The following diagram presents some examples of the inputs, outputs, and activities involved in the risk management process, a cornerstone of an ISO 27001 Information Security Management System. It demonstrates how a process approach is a good way to organize and manage information security processes so that they create value for the organization and other interested parties.

(diagram: inputs, outputs, and activities of the risk management process)

By adopting a process approach for information security, an organization gains a better view of how each step contributes to the main objective of protecting information, allowing it to quickly identify problematic points in the performance of the process.

3. The Plan-Do-Check-Act cycle of ISMS

Since any business is a living thing, changing and evolving because of internal and external influences, the Information Security Management System must also be capable of adjusting itself (e.g., its objectives and procedures) to follow business changes and remain relevant and useful. The ISO 27001:2013 standard ensures this by adopting a “Plan-Do-Check-Act” cycle (PDCA) in its framework, which can be described as follows:

Plan: the definition of policies, objectives, targets, controls, processes, and procedures, as well as the performance of risk management, all of which support the delivery of information security aligned with the organization’s core business.

Do: the implementation and operation of the planned processes.

Check: the monitoring, measuring, evaluation, and review of results against the information security policy and objectives, so that corrective and/or improvement actions can be determined and authorized.

Act: the performance of the authorized actions to ensure that information security delivers its results and can be improved.

(diagram: the PDCA cycle)

It should be noted that the PDCA cycle is a globally recognized management system methodology used across various business management systems, but within ISO 27001:2013 its use is both compulsory and highly beneficial.

4. Context of the organization

4.1 Understanding the organization and its context

This clause requires the organization to determine all internal and external issues that may be relevant to its business purposes and to the achievement of the objectives of the ISMS itself.

4.2 Understanding the needs and expectations of interested parties

The standard requires the organization to assess who the interested parties are in terms of its ISMS, what their needs and expectations may be, which legal and regulatory requirements and contractual obligations are applicable, and consequently whether any of these should become compliance obligations.

4.3 Determining the scope of the Information Security Management System

The scope, boundaries, and applicability of the ISMS must be examined and defined considering the internal and external issues, the interested parties’ requirements, and the existing interfaces and dependencies between the organization’s activities and those performed by other organizations. The scope must be kept as “documented information.”

4.4 Information Security Management System

The standard indicates that an ISMS should be established and operated and, by using interacting processes, be controlled and continually improved.

5. Leadership

5.1 Leadership and commitment

Top management and line managers with relevant roles in the organization must demonstrate genuine effort to engage people in support of the ISMS.

For more information on this topic, please see the article: Roles and responsibilities of top management in ISO 27001 and ISO 22301.

This clause lists many items of top management commitment, with enhanced levels of leadership, involvement, and cooperation in the operation of the ISMS, by ensuring aspects like:

requirements
improvement.

5.2 Policy

Top management has the responsibility to establish an information security policy that is aligned with the organization’s purposes and provides a framework for setting information security objectives, including a commitment to fulfill applicable requirements and to the continual improvement of the ISMS. The information security policy must be maintained as documented information, be communicated within the organization, and be available to all interested parties.

5.3 Organizational roles, responsibilities and authorities

The standard states that it is the responsibility of top management to ensure that roles, responsibilities, and authorities are delegated and communicated effectively. Responsibility shall also be assigned for ensuring that the ISMS meets the terms of the ISO 27001:2013 standard itself, and that ISMS performance can be accurately reported to top management.

For more information, please see the article: What is the job of Chief Information Security Officer (CISO)?

6. Planning ISO 27001

6.1 Actions to address risks and opportunities

6.1.1 General

This clause seeks to cover the “preventive action” stated in the old ISO 27001:2005. The organization must plan actions to handle the risks and opportunities relevant to the context of the organization (section 4.1) and the needs and expectations of interested parties (section 4.2), as a way to ensure that the ISMS can achieve its intended outcomes and results, prevent or mitigate undesired consequences, and continually improve. These actions must consider their integration with ISMS activities, as well as how their effectiveness should be evaluated.

6.1.2 Information security risk assessment

The organization must define and apply an information security risk assessment process with defined information security risk and acceptance criteria, as well as criteria for performing such assessments, so that repeated assessments produce consistent, valid, and comparable results.

The risk assessment process must include risk identification, analysis, and evaluation, and the process must be kept as documented information.

Creating documentation is the most time-consuming part of implementing an ISMS and can run to thousands of pages for more complex businesses.

The Statement of Applicability (SoA) is one of the crucial, mandatory documents that you will need to produce for your ISO 27001 ISMS.

Under Clause 6.1.3, ISO/IEC 27001:2013 states that organisations must produce an SoA that:

The SoA will contain at least 114 entries, one for each Annex A control, each of which will include additional information about the control and ideally link to relevant documentation about the implementation of the control.

The SoA is a useful document for everyday operational use and provides a useful roadmap to your ISMS.

The SoA must be updated regularly, in line with the continual improvement philosophy of ISO 27001:2013, and as evidence of improvements to controls or compliance requirements.

Developing the SoA can be daunting, but there are tools that can help. The ISO 27001 ISMS Documentation Toolkit contains an easy-to-use tool to create your ISO 27001 SoA.

6.1.3 Information security risk treatment

The organization must define and apply an information security risk treatment process to select proper risk treatment options and controls. The selected controls must consider, but are not limited to, the controls described in Annex A. The main results of the risk treatment process are the Statement of Applicability and the risk treatment plan, which must be approved by the risk owners. The information security risk treatment process must be kept as documented information.

6.1.4 Information security objectives and plans to achieve them

Information security objectives should be established and communicated at appropriate levels and functions, having considered alignment with the information security policy, the possibility of measurement, the applicable information security requirements, and the results of risk assessment and risk treatment. The objectives must be updated when deemed necessary.

They must be thought of in terms of what needs to be done, when it needs to be done by, what resources are required to achieve them, who is responsible for them, and how results are to be evaluated, to ensure that the objectives are being achieved and can be updated when circumstances require.

Again, it is mandatory that documented information outlining the information security objectives is kept.

7. Support

7.1 Resources

No mystery here: the standard states that the resources required by the ISMS to achieve the stated objectives and show continual improvement must be defined and made available by the organization.

7.2 Competence

The competence of people who are given responsibility for the ISMS and work under the organization’s control must meet the terms of the ISO 27001:2013 standard, to ensure that their performance does not negatively affect the ISMS. Competence can be demonstrated by experience, training, and/or education regarding the assumed tasks. Where competence is not sufficient, training must be identified and delivered, and its results measured to ensure that the required level of competence has been achieved. This is another aspect of the standard that must be kept as documented information for the ISMS.

7.3 Awareness

Awareness is closely related to competence in the standard. People who work under the organization’s control must be made aware of the information security policy and its contents, what their personal performance means to the ISMS and its objectives, and what the implications of nonconformities may be for the ISMS.

7.4 Communication

The internal and external communication deemed relevant to the ISMS must be determined, as well as the processes by which it is to be effected, considering what needs to be communicated, by whom, when it should be done, and who needs to receive the communication.

7.5 Documented information

7.5.1 General

“Documented information,” which you will see mentioned several times in this white paper, now covers both the “documents” and “records” concepts found in the previous revision of the ISO 27001 standard.

This change was designed to facilitate the management of the documents and records required by the standard, as well as those the organization views as critical to the ISMS and its operation. It should also be noted that the amount and coverage of documented information an organization requires will differ according to its size, activities, products, services, the complexity of its processes and their interrelations, and the competence of its people.

7.5.2 Creating and updating