ISO 27001 is an international standard. But what is it, and what does it mean? The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly publish and maintain this standard (formally ISO/IEC 27001) for an Information Security Management System (ISMS). In this context, a management system is not a laptop or a server; it is a framework, an approach to running the organisation. In short, it is a standardised, high-level (but in places very specific) how-to.
The current revision of this standard is ISO 27001:2022. No new ISMS should be built on the superseded 27001:2013 edition, and existing certificates had to transition to the 2022 edition by 31 October 2025.
Note that ISO 9001 (Quality Management) and the other ISO management system standards share the same basic layout, the ISO Harmonised Structure (formerly known as Annex SL), so the clause numbering below will look familiar if you have worked with any of them:
- 0 Introduction - Positions the ISMS as a process for systematically managing information security risks.
- 1 Scope - Clarifies the concept of scope: “what is in and what is out”.
- 2 Normative references - ISO/IEC 27000, which is the only normative reference in the 2022 edition.
- 3 Terms and definitions - See ISO/IEC 27000.
- 4 Context of the organisation - Understanding what the organisation is about, its internal and external stakeholders (interested parties) and their requirements, and the scope of your ISMS.
- 5 Leadership - Top management must demonstrate leadership and commitment to the ISMS, establish the information security policy, assign roles and responsibilities, and ensure sufficient resources are available.
- 6 Planning - The process to identify, analyse and evaluate information security risks and plan their treatment, to set measurable information security objectives, and to manage changes to the ISMS.
- 7 Support - Adequate, competent resources must be assigned, awareness raised, communication planned, and documented information prepared and controlled.
- 8 Operation - Risk assessment and risk treatment in action, managing operational changes, and keeping the records that internal and external auditors will ask for.
- 9 Performance evaluation - Monitor, measure, analyse and evaluate the controls, processes and management system; conduct internal audits; hold management reviews.
- 10 Improvement - Continual improvement is built into the system: nonconformities are corrected, their causes addressed, and the ISMS refined over time.
Clauses 4 to 10 are mandatory. They provide the structure for your ISMS, in sufficient detail that it can be implemented consistently, but generic enough to apply to any organisation regardless of size, type or sector.
Why?
When understood and applied appropriately, ISO 27001 provides an excellent framework for structuring processes and improving how an organisation functions. It must not be used merely to create a lot of documentation that gathers dust on a shelf: that would fail the standard’s own requirements for monitoring and improvement, and you would not achieve your objectives either (at considerable expense).
Like any standard, it also provides a common “language” for people in the field. When your organisation uses the ISO 27001 framework, you can point external parties who know the standard to a particular clause or Annex A control, answer otherwise pointed questions from your insurance provider or customers, and so on. It becomes valuable.
Annex A Information Security Control Reference
You may hear about Annex A. It is a reference list of 93 controls (in the 2022 edition), grouped into four themes: organisational, people, physical and technological. You are not required to implement every one of them: clause 6.1.3 has you compare your risk treatment plan against Annex A and record, in a Statement of Applicability, which controls apply and why, and which you have excluded and why. Each applicable control is an opportunity to improve a process, not just an item to tick off.
Risk Based Approach
Like other frameworks, ISO 27001 takes a risk-based approach. The point is not to be as compliant as possible with the controls, but for the organisation to gain a thorough understanding of itself and its processes, and to improve over time. Risk is assessed through likelihood and impact (consequence), compared against the organisation’s own risk acceptance criteria, and then treated: mitigated with controls, avoided, shared (through insurance or contracts, for instance) or consciously accepted. This helps to focus resources where they matter.
Alignment or Certification?
ISO 27001 has a cost of implementation and maintenance, as well as of certification. (Strictly speaking, organisations are certified; it is the certification bodies themselves that are accredited, although you will hear both words used.) A certificate is valid for three years: the certification body performs the initial audit, then a surveillance audit each year, and a recertification audit at the end of the cycle. Creating the appropriate documentation and adjusting some business processes requires resourcing as well as strategy and diplomacy. We partner with specialised GRC (Governance, Risk and Compliance) companies to help you meet your documentation needs, which lowers that cost somewhat.
Some organisations choose not to (yet) go for full certification, but instead work towards developing their ISMS and business processes: ISO 27001 alignment. Currently, some government contracts do not actually require ISO 27001 certification; proof of alignment is sufficient. Queensland Government (through IS18:2018) currently asks agencies to align with ISO 27001 and the Essential Eight.
Where to next?
We have Certified ISO 27001 Lead Auditors, who can
- do a gap analysis for your organisation. Where are you now in relation to the standard?
- guide you through the process of implementation and fine-tuning at any stage.
- do an independent internal audit for your organisation.
We do not perform certification audits; those must be done by an accredited certification body that is independent of whoever helped build the ISMS.
While ISO 27001 may seem daunting, we can certainly make your journey more comfortable, and likely more enjoyable as well. But let’s set your expectations: you are not going to go from a standing start to certification within a few months; anyone who promises you that will (let’s phrase this kindly) under-deliver. It is a major undertaking, and not just in terms of documentation. We have the expertise and the experience.
Talk with us to discuss the options that best meet your needs.