
ISO 27001 - Overview

Introduction

ISO/IEC 27001, the international standard for information security management systems, was first published in 2005, revised in 2013, and revised again in 2022. It specifies the requirements for a management system that identifies, assesses, and treats the information security risks an organization faces. ISO/IEC 27001:2022 brings moderate updates to its Annex A information security controls (the 114 controls in fourteen domains of the 2013 edition were consolidated into 93 controls in four themes, with eleven genuinely new controls), addressing the increasing sophistication of evolving security threats. An ISO 27001 certificate runs on a three-year cycle: an initial certification audit, annual surveillance audits, and a recertification audit before the certificate expires.

  • Other related ISO standards:
    • ISO/IEC 27002 → implementation guidance for the Annex A controls of ISO 27001 (the control list below follows its numbering).
    • ISO/IEC 27701 → extends ISO 27001/27002 with privacy (PII) management requirements and controls.
    • ISO 31000 → general risk management guidelines (not specific to information security).

The ISO 27001 Certification

An Information Security Management System (ISMS) is the set of policies, processes, and controls through which an organization manages its information security. An ISMS may be certified as compliant with ISO 27001 through an audit by an accredited certification body. The process consists of a three-stage external audit (the requirements for the certification bodies themselves are defined by ISO/IEC 17021-1 and ISO/IEC 27006).

Stage 1: A preliminary readiness review of the organization's ISMS, largely a documentation review. The auditors check the organization's key documentation, such as its Risk Treatment Plan, Statement of Applicability (SoA, which lists every Annex A control and justifies any exclusion), and Information Security Policy, and confirm that the ISMS is ready for the full audit.

Stage 2: Independently tests the organization's ISMS against the ISO 27001 requirements. This is the detailed, formal compliance audit: the auditors (ISO 27001 Lead Auditors) look for evidence that the ISMS has been designed and implemented properly and is actually in operation, typically by sampling records such as risk assessments, access reviews, incident reports, and internal audit results. Organizations that pass this stage have their ISMS certified as compliant with ISO 27001.

Stage 3 (Ongoing): Routine surveillance audits after certification. These periodic re-assessments confirm that the organization remains in compliance with ISO 27001 and that its ISMS continues to operate as specified and intended. Surveillance audits are conducted at least annually (often more frequently), and a full recertification audit takes place before the three-year certificate expires.

Structure of ISO 27001

ISO 27001:2022 has ten numbered clauses (after an introduction, clause 0), plus a long Annex A. Clauses 1 to 3 are introductory; clauses 4 to 10 contain the mandatory requirements an ISMS must meet to be certified.

Part 1 (Clauses)

  1. Scope of the standard
  2. Normative references (ISO/IEC 27000 is indispensable for applying the document)
  3. Terms and definitions (those of ISO/IEC 27000 apply)
  4. Context of the Organization
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance Evaluation
  10. Improvement

Part 2 (Annex A)

The 93 controls are grouped into four themes (the NEW / CHANGE markers in the lists below indicate controls that are new in the 2022 edition or that were merged or renamed from 2013 controls):

A.5 Organizational controls - contains 37 controls.
A.6 People controls - contains 8 controls.
A.7 Physical controls - contains 14 controls.
A.8 Technological controls - contains 34 controls.

A.5 Organizational controls

  • ISO 27002 5.1 Policies for information security
  • ISO 27002 5.2 Information security roles and responsibilities
  • ISO 27002 5.3 Segregation of duties
  • ISO 27002 5.4 Management responsibilities
  • ISO 27002 5.5 Contact with authorities
  • ISO 27002 5.6 Contact with special interest groups
  • ISO 27002 5.7 Threat intelligence – NEW
  • ISO 27002 5.8 Information security in project management
  • ISO 27002 5.9 Inventory of information and other associated assets – CHANGE
  • ISO 27002 5.10 Acceptable use of information and other associated assets – CHANGE
  • ISO 27002 5.11 Return of assets
  • ISO 27002 5.12 Classification of information
  • ISO 27002 5.13 Labelling of information
  • ISO 27002 5.14 Information transfer
  • ISO 27002 5.15 Access control
  • ISO 27002 5.16 Identity management
  • ISO 27002 5.17 Authentication information – CHANGE
  • ISO 27002 5.18 Access rights – CHANGE
  • ISO 27002 5.19 Information security in supplier relationships
  • ISO 27002 5.20 Addressing information security within supplier agreements
  • ISO 27002 5.21 Managing information security in the ICT supply chain – CHANGE
  • ISO 27002 5.22 Monitoring, review and change management of supplier services – CHANGE
  • ISO 27002 5.23 Information security for use of cloud services – NEW
  • ISO 27002 5.24 Information security incident management planning and preparation – CHANGE
  • ISO 27002 5.25 Assessment and decision on information security events
  • ISO 27002 5.26 Response to information security incidents
  • ISO 27002 5.27 Learning from information security incidents
  • ISO 27002 5.28 Collection of evidence
  • ISO 27002 5.29 Information security during disruption – CHANGE
  • ISO 27002 5.30 ICT readiness for business continuity – NEW
  • ISO 27002 5.31 Identification of legal, statutory, regulatory and contractual requirements
  • ISO 27002 5.32 Intellectual property rights
  • ISO 27002 5.33 Protection of records
  • ISO 27002 5.34 Privacy and protection of PII
  • ISO 27002 5.35 Independent review of information security
  • ISO 27002 5.36 Compliance with policies and standards for information security
  • ISO 27002 5.37 Documented operating procedures

A.6 People controls

  • ISO 27002 6.1 Screening
  • ISO 27002 6.2 Terms and conditions of employment
  • ISO 27002 6.3 Information security awareness, education and training
  • ISO 27002 6.4 Disciplinary process
  • ISO 27002 6.5 Responsibilities after termination or change of employment
  • ISO 27002 6.6 Confidentiality or non-disclosure agreements
  • ISO 27002 6.7 Remote working – CHANGE
  • ISO 27002 6.8 Information security event reporting

A.7 Physical controls

  • ISO 27002 7.1 Physical security perimeter
  • ISO 27002 7.2 Physical entry controls
  • ISO 27002 7.3 Securing offices, rooms and facilities
  • ISO 27002 7.4 Physical security monitoring – NEW
  • ISO 27002 7.5 Protecting against physical and environmental threats
  • ISO 27002 7.6 Working in secure areas
  • ISO 27002 7.7 Clear desk and clear screen
  • ISO 27002 7.8 Equipment siting and protection
  • ISO 27002 7.9 Security of assets off-premises
  • ISO 27002 7.10 Storage media – CHANGE
  • ISO 27002 7.11 Supporting utilities
  • ISO 27002 7.12 Cabling security
  • ISO 27002 7.13 Equipment maintenance
  • ISO 27002 7.14 Secure disposal or re-use of equipment

A.8 Technological controls

  • ISO 27002 8.1 User endpoint devices – CHANGE
  • ISO 27002 8.2 Privileged access rights
  • ISO 27002 8.3 Information access restriction
  • ISO 27002 8.4 Access to source code
  • ISO 27002 8.5 Secure authentication
  • ISO 27002 8.6 Capacity management
  • ISO 27002 8.7 Protection against malware
  • ISO 27002 8.8 Management of technical vulnerabilities
  • ISO 27002 8.9 Configuration management – NEW
  • ISO 27002 8.10 Information deletion – NEW
  • ISO 27002 8.11 Data masking – NEW
  • ISO 27002 8.12 Data leakage prevention – NEW
  • ISO 27002 8.13 Information backup
  • ISO 27002 8.14 Redundancy of information processing facilities
  • ISO 27002 8.15 Logging
  • ISO 27002 8.16 Monitoring activities – NEW
  • ISO 27002 8.17 Clock synchronization
  • ISO 27002 8.18 Use of privileged utility programs
  • ISO 27002 8.19 Installation of software on operational systems
  • ISO 27002 8.20 Network controls
  • ISO 27002 8.21 Security of network services
  • ISO 27002 8.22 Segregation in networks
  • ISO 27002 8.23 Web filtering – NEW
  • ISO 27002 8.24 Use of cryptography
  • ISO 27002 8.25 Secure development lifecycle
  • ISO 27002 8.26 Application security requirements – CHANGE
  • ISO 27002 8.27 Secure system architecture and engineering principles – CHANGE
  • ISO 27002 8.28 Secure coding – NEW
  • ISO 27002 8.29 Security testing in development and acceptance
  • ISO 27002 8.30 Outsourced development
  • ISO 27002 8.31 Separation of development, test and production environments
  • ISO 27002 8.32 Change management
  • ISO 27002 8.33 Test information
  • ISO 27002 8.34 Protection of information systems during audit and testing – CHANGE

Source: ISO/IEC 27001:2022, https://www.iso.org/standard/82875.html


This post is licensed under CC BY 4.0 by the author.