ISO/IEC 27001
ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005,[1] revised in 2013,[2] and again most recently in 2022.[3] There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure.[4] Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. The effectiveness of the ISO/IEC 27001 certification process and the overall standard has been addressed in a large-scale study conducted in 2020.[5]
How the standard works
Most organizations have a number of information security controls. However, without an information security management system (ISMS), controls tend to be somewhat disorganized and disjointed, having been implemented often as point solutions to specific situations or simply as a matter of convention. Security controls in operation typically address certain aspects of information technology (IT) or data security specifically; leaving non-IT information assets (such as paperwork and proprietary knowledge) less protected on the whole. Moreover, business continuity planning and physical security may be managed quite independently of IT or information security while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization.
ISO/IEC 27001 requires that management:
- Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
- Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.
What controls will be tested as part of certification to ISO/IEC 27001 is dependent on the certification auditor. This can include any controls that the organisation has deemed to be within the scope of the ISMS and this testing can be to any depth or extent as assessed by the auditor as needed to test that the control has been implemented and is operating effectively.
Management determines the scope of the ISMS for certification purposes and may limit it to, say, a single business unit or location. The ISO/IEC 27001 certificate does not necessarily mean the remainder of the organization, outside the scoped area, has an adequate approach to information security management.
Other standards in the ISO/IEC 27000 family of standards provide additional guidance on certain aspects of designing, implementing and operating an ISMS, for example on information security risk management (ISO/IEC 27005).
History of ISO/IEC 27001
BS 7799 was a standard originally published by BSI Group[6] in 1995. It was written by the UK government's Department of Trade and Industry (DTI) and consisted of several parts.
The first part, containing the best practices for information security management, was revised in 1998; after a lengthy discussion in the worldwide standards bodies, it was eventually adopted by ISO as ISO/IEC 17799, "Information Technology - Code of practice for information security management." in 2000. ISO/IEC 17799 was then revised in June 2005 and finally incorporated in the ISO 27000 series of standards as ISO/IEC 27002 in July 2007.
The second part of BS7799 was first published by BSI in 1999, known as BS 7799 Part 2, titled "Information Security Management Systems - Specification with guidance for use." BS 7799-2 focused on how to implement an Information security management system (ISMS), referring to the information security management structure and controls identified in BS 7799-2. This later became ISO/IEC 27001:2005. BS 7799 Part 2 was adopted by ISO as ISO/IEC 27001 in November 2005.
BS 7799 Part 3 was published in 2005, covering risk analysis and management. It aligns with ISO/IEC 27001:2005.
Very little reference or use is made to any of the BS standards in connection with ISO/IEC 27001.
Key Principles of ISO/IEC 27001
The foundation of ISO/IEC 27001 is based on several key principles:
ISO/IEC 27001 emphasizes the importance of identifying and assessing information security risks. Organizations are required to implement risk management processes to identify potential threats, evaluate their impact, and develop appropriate mitigation strategies.
The standard outlines a comprehensive set of security controls in Annex A, categorized into 14 domains. These controls address various aspects of information security, such as access control, cryptography, physical security, and incident management.
ISO/IEC 27001 promotes a culture of continual improvement in information security practices. Regular monitoring, performance evaluation, and periodic reviews help organizations adapt to evolving threats and enhance their ISMS effectiveness.
ISO/IEC 27001 Certification Process
Obtaining ISO/IEC 27001 certification involves a series of well-defined steps:
Scoping: Organizations determine the scope of their ISMS, defining the boundaries and assets to be covered.
Risk Assessment: A risk assessment is conducted to identify and evaluate information security risks, ensuring that appropriate controls are implemented to manage these risks effectively.
Gap Analysis: A gap analysis compares the organization's existing information security practices against the requirements of ISO/IEC 27001 to identify areas for improvement.
ISMS Development: Based on the results of the risk assessment and gap analysis, the organization develops and implements its ISMS, incorporating the necessary security controls.
Internal Audits: Internal audits are conducted to assess the effectiveness and compliance of the implemented ISMS with the ISO/IEC 27001 standard.
Certification Audit: The organization undergoes an independent certification audit by an accredited certification body to assess its ISMS compliance with ISO/IEC 27001.
Certification Decision: If the audit demonstrates compliance, the organization is awarded the ISO/IEC 27001 certification.
Benefits of Becoming ISO/IEC 27001 Certified
Achieving ISO/IEC 27001 certification offers numerous benefits to organizations, including:
Enhanced Information Security Posture: ISO/IEC 27001 certification demonstrates a commitment to robust information security practices, bolstering the organization's ability to protect sensitive data and assets.
Building Trust with Customers and Stakeholders: Certification instils confidence in customers, partners, and stakeholders, assuring them that their information is handled with utmost care and security.
Meeting Regulatory and Legal Requirements: ISO/IEC 27001 certification aids in compliance with various data protection and privacy regulations, such as the General Data Protection Regulation (GDPR) in the European Union.
Competitive Advantage: Organizations with ISO/IEC 27001 certification gain a competitive edge over rivals, especially when participating in tenders or bidding for projects that require stringent security measures.
Risk Mitigation: By implementing a risk-based approach to information security, organizations can proactively identify and mitigate potential threats, reducing the likelihood of security incidents.
Incident Response Preparedness: The standard's incident management controls ensure that organizations are well-prepared to handle security incidents promptly and efficiently, minimizing their impact.
ISO/IEC 27001 and Data Privacy
ISO/IEC 27001 complements data protection regulations, such as the GDPR. While ISO/IEC 27001 focuses on information security management, the GDPR primarily addresses data protection and privacy. The implementation of both frameworks enables organizations to address security and privacy concerns comprehensively.
Continuous Improvement and Maintenance
Obtaining ISO/IEC 27001 certification is not a one-time accomplishment; rather, it requires continuous improvement and maintenance. Organizations must periodically review and update their ISMS to adapt to changing risks, technology, and regulatory requirements. Regular internal audits and management reviews are essential to ensure the effectiveness and relevance of the ISMS.
Certification
An ISMS may be certified compliant with the ISO/IEC 27001 standard by a number of Accredited Registrars worldwide.[7] Certification against any of the recognized national variants of ISO/IEC 27001 (e.g. JIS Q 27001, the Japanese version) by an accredited certification body is functionally equivalent to certification against ISO/IEC 27001 itself.
In some countries, the bodies that verify conformity of management systems to specified standards are called "certification bodies", while in others they are commonly referred to as "registration bodies", "assessment and registration bodies", "certification/ registration bodies", and sometimes "registrars".
The ISO/IEC 27001 certification, like other ISO management system certifications, usually involves a three-stage external audit process defined by ISO/IEC 17021[8] and ISO/IEC 27006[9] standards:
- Stage 1 is a preliminary, informal review of the ISMS. For example there are checks for the existence and completeness of key documentation, such as the organization's information security policy, Statement of Applicability (SoA), and Risk Treatment Plan (RTP). This stage serves to familiarize the auditors with the organization and vice versa.
- Stage 2 is a more detailed and formal compliance audit, independently testing the ISMS against the requirements specified in ISO/IEC 27001. The auditors will seek evidence to confirm that the management system has been properly designed and implemented, and is in fact in operation (for example by confirming that a security committee or similar management body meets regularly to oversee the ISMS). Certification audits are usually conducted by ISO/IEC 27001 Lead Auditors. Passing this stage results in the ISMS being certified compliant with ISO/IEC 27001.
- Ongoing involves follow-up reviews or audits to confirm that the organization remains in compliance with the standard. Certification maintenance requires periodic re-assessment audits to confirm that the ISMS continues to operate as specified and intended. These should happen at least annually but (by agreement with management) are often conducted more frequently, particularly while the ISMS is still maturing.
See also
References
- "ISO/IEC 27001 International Information Security Standard published". bsigroup.com. BSI. Retrieved 21 August 2020.
- Bird, Katie (14 August 2013). "NEW VERSION OF ISO/IEC 27001 TO BETTER TACKLE IT SECURITY RISKS". iso.org. ISO. Retrieved 21 August 2020.
- ISO/IEC. "ISO/IEC 27001:2022". ISO.org. Retrieved 29 November 2022.
- "ISO/IEC 27001:2013". ISO. Retrieved 9 July 2020.
- Akinyemi, Iretioluwa; Schatz, Daniel; Bashroush, Rabih (2020). "SWOT analysis of information security management system ISO 27001". International Journal of Services Operations and Informatics. 10 (4): 305. doi:10.1504/ijsoi.2020.111297. ISSN 1741-539X.
- "Facts and figures". bsigroup.com.
- Ferreira, Lindemberg Naffah; da Silva Constante, Silvana Maria; de Moraes Zebral, Alessandro Marcio; Braga, Rogerio Zupo; Alvarenga, Helenice; Ferreira, Soraya Naffah (October 2013). "ISO 27001 certification process of Electronic Invoice in the State of Minas Gerais". 2013 47th International Carnahan Conference on Security Technology (ICCST). Medellin: IEEE. pp. 1–4. doi:10.1109/CCST.2013.6922072. ISBN 978-1-4799-0889-9. S2CID 17485185.
- ISO/IEC 17021.
- ISO/IEC 27006.