TABLE OF CONTENTS
Definition of ISO 27000 series
The ISO 27000 Series is an international family of standards jointly proposed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission to help organizations strengthen their information security management systems (ISMS).
It is a systematic approach to managing sensitive company information.
These standards are designed to enhance data security and minimize data leak risks for organizations of every type and size. The series includes standards on various aspects of information security.
For example: While the ISO/IEC 27001 standard lists down requirements for securing ISMS, the ISO 27002 standard contains guidelines on how organizations can meet these standards.
The introduction to the ISO 27000 series emphasizes that these standards allow organizations to establish a framework for managing the security of various information assets. This could be:
- Financial information
- Intellectual property
- Employee details or customer data entrusted to them
Note: The distinction between ISO IEC 27000 and ISO IEC 27001, or simply ISO 27000 and ISO 27001, lies in their application. ISO 27001, being the core standard of the ISO 27000 family, defines the framework and terminology for information security management. Meanwhile, ISO 27001 outlines the prerequisites for the establishment of an Information Security Management System (ISMS).
What is the Purpose of the ISO 27000 series?
The primary purpose of the ISO 27000 security technique is to provide organizations of all sizes and structures with a comprehensive set of guidelines to mitigate risks of cyber attacks and enhance the security of vast amounts of the various types of data they handle.
These standards are concerned with mitigating risk associated with an organization's three major components: its people, processes, and technology.
Importance of ISO 27000 series in information security
The ISO 27000 series consists of a set of 46 individual standards, all designed to strengthen information security in organizations of all forms and sizes.
Together, the standards:
-
Specify the requirements for an ISMS and for organizations certifying these systems
-
Offer direct support, detailed guidance, and interpretation for the entire process of establishing, implementing, maintaining, and improving an ISMS
-
Provide sector-specific guidelines for ISMS
-
Address conformity assessment for ISMS
ISO/IEC 27001:2022 - Information Security Management System (ISMS) Requirements
Introduction to ISO/IEC 27001:2022
The most important and premier standard in the 27000 series, ISO/IEC 27001:2022, lays down “requirements for establishing, implementing, maintaining and continually improving an information security management system.” These requirements are designed to help organizations understand the criteria their ISMS must fulfill to be accredited with an ISO/IEC 27001 certification.
The three principles that inform ISO 27001 include:
-
Confidentiality: All information is confidential and only available to authorized personnel
-
Integrity: Ensuring that data for business operations or kept secure for others is securely stored and protected
-
Availability: Data is available for authorized use at all times
Organizations seek compliance by fulfilling the requirements highlighted in the seven clauses (4-10) covered in the standard. The standard also includes a list of controls or detailed policies, processes, and procedures required to meet these clauses' contents.
While the 2013 version of the ISO 27001 covers 14 domains focused on data security with 114 controls, the revised 2022 version contains restructured 93 controls. 11 new controls have been added to ISO 27001: 2022, Annexure A. These include:
-
A.5.7 Threat intelligence
-
A.5.23 Information security for the use of cloud services
-
A.5.30 ICT readiness for business continuity
-
A.7.4 Physical security monitoring
-
A.8.9 Configuration Management
-
A.8.10 Information deletion
-
A.8.11 Data masking
-
A.8.12 Data leakage prevention
-
A.8.16 Monitoring activities
-
A.8.23 Web filtering
-
A.8.28 Secure coding
To help with their successful implementation, all of the controls mentioned in Annex A of the ISO 27001: 2022 document are further detailed in the next standard, ISO 27002.
Organizations presently certified to ISO 27001:2013 will be granted a three-year window to migrate to ISO/IEC 27001:2022. The transition phase commenced on October 31, 2022, and concludes on October 31, 2025.
Key principles and requirements of ISO/IEC 27001: 2022
The ISO/IEC 27001:2022 includes 7 clauses (4-10) that list requirements to comply with the standards.
-
Clause 4. Context of the organization: Discusses the need for organizations to determine external and internal factors to achieve its purpose of securing their ISMS, understanding the needs and requirements of its relevant stakeholders, and determining the scope of their ISMS
-
Clause 5. Leadership: Highlights the need for organizational leadership to strengthen their ISMS. This includes factors such as high levels of commitment in dealing with information security, creating relevant policies, ensuring clear demarcation of roles and responsibilities, and ensuring proper ways of reporting to the top management
-
Clause 6. Planning: This includes planning processes for both information security risk assessment and treatment. It also includes planning to achieve Information security objectives as well as change management.
-
Clause 7. Support: The support clause requires organizations to provide the necessary support and resources for effective information security management. The organization is also responsible for ensuring employee competence, maintaining evidence of it, and making personnel aware of the information security policy and their roles. It must also manage internal and external communications, specifying what, when, with whom, and how to communicate.
-
Clause 8. Operation: This element of the standard maintains that all organizational processes and operations take place according to ISMS requirements and actions determined in Clause 6, always taking into account information security risk management and treatment.
-
Clause 9. Performance Evaluation: The organization must evaluate information security performance through monitoring, measurement, and internal audits, ensuring valid results. ISO 27001 and ISO 27002, The ISO 2700 Series, consist of documented evidence. Top management must review the system regularly, considering feedback, audit results, risk assessments, and opportunities for improvement.
-
Clause 10. Improvement: Requires organizations to ensure continual improvements concerning all aspects of information security.
The controls listed further in Annex A, and divided into 4 domains, are intended to help organizations meet these requirements.
The benefits of implementing ISO/IEC 27001 are divided into seven clauses (4-10).
These include:
Companies that strictly follow the standards set forth in ISO 27001 are certified by a third-party ISO accreditation body. ISO 27001 is the most commonly earned accreditation in the series. If you're ISO 27001 certified, you:
-
Provide a structured approach to support the process of specifying, implementing, operating, and maintaining a comprehensive, cost-effective, value-creating, integrated, and aligned ISMS that meets the organization’s needs across different operations and sites.
-
Can prevent yourself against data breaches that not only prove costly but also put you at risk of reputational loss
-
Build credibility, creating a better brand image that attracts both consumer trust and larger investments
-
Gain a competitive advantage among your peers
-
Comply with legal, ethical, and regulatory requirements
-
Build better, more structured, and productive business processes as a result of clear allocation of responsibilities and clear asset management practices
-
And lastly, ensure stakeholder confidence
Overview of the control objectives and controls provided by ISO/IEC 27002:2022
This February 2022 update to the ISO 27002 standard has 4 major domains that cover several controls. These are:
a) Organizational controls (Clause 5)
b) People controls (Clause 6)
c) Physical controls (Clause 7)
d) Technological controls (Clause 8)
Each of these controls is further linked to 5 attributes:
-
Control types: Preventive, Detective or Corrective
-
Information Security Properties: Confidentiality, Integrity and Availability
-
Cybersecurity concepts: Identity, Protect, Detect, etc.
-
Operational capabilities: Governance, management, information protection, etc.
-
Security domains: Governance and Ecosystem, Protection, Defense, etc.
The idea is to help organizations thoroughly understand detailed guidelines for an effective ISMS implementation, depending on their unique needs.
List of controls
|
Organizational (37 controls) |
People (8 controls) |
Physical controls (14 controls) |
Technological controls (34 controls) |
|
5.1 Policies for Information Security |
6.1 Screening |
7.1 Physical security perimeter |
8.1 User endpoint devices |
|
5.2 Information security roles and responsibilities |
6.2 Employment terms and conditions |
7.2 Physical entry |
8.2 Privileged access rights |
|
5.3 Segregation of duties |
6.3 Information security awareness, education, and training |
7.3 Securing offices, rooms, and facilities |
8.3 Information access restriction |
|
5.4 Management responsibilities |
6.4 Disciplinary process |
7.4 Physical security monitoring |
8.4 Access to source code |
|
5.5 Contact with Authorities |
6.5 Responsibilities after termination or change of employment |
7.5 Protecting against physical and environmental threats |
8.5 Secure authentication |
|
5.6 Contact with special interest groups |
6.6 Confidentiality or non-disclosure agreements |
7.6 Working in secure areas |
8.6 Capacity management |
|
5.7 Threat intelligence |
6.7 Remote work |
7.7 Clear desk and clear screen |
8.7 Protection against malware |
|
5.8 Information security in project management |
6.8 Information security event reporting |
7.8 Equipment siting and protection |
8.8 Management of technical vulnerabilities |
|
5.9 Inventory of information and other associated assets |
7.9 Security of assets off-premises |
8.9 Configuration management |
|
|
5.10 Acceptable use of information and other associated assets |
7.10 Storage media |
8.10 Information deletion |
|
|
5.11 Return of assets |
7.11 Supporting utilities |
8.11 Data masking |
|
|
5.12 Classification of information |
7.12 Cabling security |
8.12 Data leakage prevention. |
|
|
5.13 Labeling of information |
7.13 Equipment maintenance |
8.13 Information backup |
|
|
5.14 Information transfer |
7.14 Secure disposal or reuse of equipment |
8.14 Redundancy of information processing facilities. |
|
|
5.15 Access control |
8.15 Logging |
||
|
5.16 Identity management |
8.16 Monitoring activities |
||
|
5.17 Authentication information |
8.17 Clock synchronization |
||
|
5.18 Access rights |
8.18 Use of privileged utility programs |
||
|
5.19 Information security in supplier relationships |
8.19 Installation of software on operational systems |
||
|
5.20 Addressing information security within supplier agreements |
8.20 Networks security |
||
|
5.21 Managing information security in the ICT supply chain |
8.21 Security of network services |
||
|
5.22 Monitoring, review and change management of supplier services |
8.22 Segregation of networks |
||
|
5.23 Information security for use of cloud services |
8.23 Web filtering |
||
|
5.24 Information security incident management planning and preparation |
8.24 Use of cryptography |
||
|
5.25 Assessment and decision on information security events |
8.25 Secure development life cycle. |
||
|
5.26 Response to information security incidents |
8.26 Application security requirements. |
||
|
5.27 Learning from information security incidents |
8.27 Secure system architecture and engineering principles |
||
|
5.28 Collection of evidence |
8.28 Secure coding |
||
|
5.29 Information security during disruption |
8.29 Security testing in development and acceptance |
||
|
5.30 ICT readiness for business continuity |
8.30 Outsourced development. |
||
|
5.31 Legal, statutory, regulatory and contractual requirements |
8.31 Separation of development, test and production environments. |
||
|
5.32 Intellectual property rights |
8.32 Change management |
||
|
5.33 Protection of records |
8.33 Test information |
||
|
5.34 Privacy and protection of PII |
8.34 Protection of information systems during audit testing |
||
|
5.35 Independent review of information security |
|||
|
5.36 Compliance with policies, rules and standards for information security |
|||
|
5.37 Documented operating procedures |
Brief Overview of Other Standards of the 27000 Series
Apart from ISO 27001 and ISO 27002, The ISO 2700 Series consists of 46 individual standards, including the 27000 document. Here is a brief breakdown of some of the other standards in the series.
- ISO/IEC 27005:2018 (Information Security Risk Management): Focuses on providing guidelines for information security risk management tailored to the needs of the organization.
- ISO/IEC 27003:2017 ( Information Security Management System Implementation Guidance): Offers guidance on the processes and activities involved in implementing and maintaining an ISMS based on ISO/IEC 27001
- ISO/IEC 27004:2021 (Information Security Management - Monitoring, Measurement, Analysis and Evaluation): Specifies requirements for monitoring, measuring, analyzing, and evaluating the performance and effectiveness of an ISMS to fulfill the requirements of ISO/IEC 27001:2013, 9.1
- ISO/IEC 27006:2022( Requirements for Bodies Providing Audit and Certification of Information Security Management Systems: Sets out requirements for organizations providing audit and certification of ISMS conforming to ISO/IEC 27001.
- ISO/IEC 27007:2020 (Guidelines for Auditors on Information Security Management Systems Auditing) provides guidance for auditors on planning, conducting, and reporting on ISMS audits based on ISO/IEC 27001.
- ISO/IEC 27017:2022 (Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services): Offers additional guidelines and controls specific to securing information in cloud environments, building upon ISO/IEC 27002.
- ISO/IEC 27018:2019 (Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors): Focuses on protecting personally identifiable information (PII) in public cloud computing environments, outlining guidelines for cloud service providers acting as PII processors.
ISO/IEC 27001 Certification Process
BUI Chief Operating Officer Gayle Roseveare stresses the process of getting certified: “If you’re awarded the ISO/IEC 27001:2022 badge, it’s because you’ve proven your ability to maintain the confidentiality, privacy, and security of sensitive data in line with the stringent principles set out by the ISO and the IEC”.
The preliminary part of the process starts with learning about the ISO 27001 standard. For a deep overview, you can buy a copy or access a free green paper from IT Governance USA.
Leadership buy-in is very important for project success. You need to showcase to upper management how prioritizing security from the top down leads to a security-conscious culture throughout your organization.
Next, evaluate your existing security measures against ISO 27001 requirements to identify areas for improvement and formulate an action plan. Then, the real process begins.
Step 1. Setting goals and building the foundation
Establish the boundaries of your ISMS or Information Security Management System, including whether it applies to all departments or just a select few. Discuss the needs of the stakeholders and internal and external factors. Alternatively, carry out a PESTLE analysis to understand potential impacts.
Additionally, you must set clear information security objectives that satisfy both ISO 27001 requirements and your company's demands. Make sure these objectives are understood, recorded, and tracked to achieve the optimum outcomes.
After that is taken care of, make a management framework that describes the steps and actions needed to achieve the security goals. This structure has to have the following:
-
A clear timetable
-
Unambiguous accountability for ISMS duties
-
Regular audits
Step 2. Threat assessment and handling
The basis of ISO 27001 compliance is risk assessment. The standard emphasizes the value of a rigorous, consistent process even while it doesn't prescribe a particular approach.
Take steps to decrease risks as soon as they are discovered. You have several options: modify, avoid, share, or retain risks.
Select the relevant controls from Annex A or further resources. Make a Statement of Applicability (SoA) that outlines the controls you have chosen and provides an explanation of their suitability for your company. Put the chosen controls into action and make sure your implementation procedures are documented.
Pro Tip: Spend resources on staff training to promote knowledge and skills. Equip ISMS personnel with the necessary skills through training or experience. By teaching all staff members about the information security policy, the ISMS, and the repercussions of non-compliance, you create a culture of security consciousness.
Step 3: Linear documentation and development
Maintain the extensive documentation mandated by ISO 27001 standards. Even though the standard specifies particular forms for documentation, you are free to select other formats if they better meet your needs.
Assess, track, and evaluate your ISMS's performance regularly about its goals. Identify areas for improvement and make the necessary adjustments to improve security and efficiency without necessarily raising prices.
Pro-tip: Conduct methodical internal audits to confirm that your ISMS meets your company's security goals and ISO 27001 criteria. Create a thorough audit program that addresses every facet of your ISMS.
Step 4: Availing the standard
Last but not least, decide which recognized certification body will conduct the ISO 27001 certification audit. Your ISMS documentation will be examined by the certification body of your choice to ensure compliance and completeness. After that, the ISMS's deployment and practical efficacy will also be evaluated by the same.
Once all requirements are satisfied, your organization will be certified with ISO 27001.
Challenges and Considerations in ISO 27000 Compliance
In an interview with Help Net Security, Robin Long, founder of Kiowa Security, states, “The switch towards remote working and use of cloud resources has been quite disruptive for ISO 27001”. He further mentions that despite taking care to adapt to remote and new kinds of work environments, even the latest 2022 update to ISO 27000 doesn’t really make it easy for remote-first organizations as it gives primacy to traditional, physical workspaces.
This, and other challenges, make it difficult for organizations to gain or maintain stringent ISO certifications. Here’s a list of some other common challenges organizations face in complying with ISO 27000 regulations:
Budget constraints
Complying with the rigid ISO standards requires substantial investments to ensure that all organizational processes, people, and systems work with data security in mind.
Depending on your organizational structure, audit costs may range between $30,000 and $70,000 or more. Moreover, organizations need significant resources, such as more manpower and a robust set of tools and software, to comply.
One way out is to begin implementing ISO standards in your most significant business processes before smaller and less significant processes.
Moreover, it makes sense to estimate your ROI and the returns an ISO certification can bring to your organization.
Complex documentation
ISO certifiers require detailed documentation and paperwork to assess your organization's performance against the controls set forth in ISO 27000.
Some of the many required documents include records of training and qualifications, audit logs, management review documents, and more.
Again, this may be tedious, expensive, and time-consuming to maintain, especially for smaller organizations with a limited number of employees.
One way out could be to depend on trusted external ISO certification contractors to document your processes and have specific personnel handle and maintain compliance documents.
Overhauling existing processes
Many existing processes in your organization may not be compliant with ISO standards.
For instance, your organization might have a lot of unrestricted data, or your employees may not be aware of their responsibility for information security.
In this case, existing processes need to be modified, which could lead to extra costs and time.
Conduct a gap analysis to determine which processes could be more easily modified to be ISO-compliant.
Then, you must involve all necessary stakeholders to work towards the transition. Remember, ensuring ISO compliance is a long process for many organizations, but one that comes with its own sweet rewards.
Management and stakeholder resistance
Seeking management or board approval for a costly ISO certification can be a challenge.
That’s because many small to medium-sized businesses may not see the need to invest in such a certification.
However, as the Verizon 2019 Data Breach Investigations Report points out, small businesses remain the number one target for cyber-attacks and account for up to 43% of data breaches in that year, signaling the increasing need for SMBs to adopt the accreditation.
Maintaining Certification and Continuous Improvement
If you have already earned an ISO 27001 accreditation, congratulations! However, keep in mind it must be renewed every 3 years. Here are the best practices to adopt to ensure continuous improvement and maintain your hard-earned ISO certification.
- Conduct regular audits and reviews: Maintaining your ISO certification requires continual internal audits to ensure every aspect of your organization meets the control criteria set forth in the standards. This also includes setting up KPIs and other metrics to track compliance and identifying, documenting, and addressing non-conformities promptly. A dedicated compliance-monitoring platform can also be helpful as it takes the guesswork out of compliance factors and can provide instantaneous alerts for processes that go amiss.
- Maintain up-to-date documentation: Update ISO certification documents timely so they reflect your continuously evolving business processes and operational changes. Perform ongoing risk assessments to identify new threats and vulnerabilities, and update risk treatment plans and control implementations based on the results of these assessments. Also ensure all changes are documented and communicated to relevant stakeholders.
- Prioritize communication and identify POCs: Dedicated personnel overseeing the various aspects of ISO 27000 compliance is a great idea. In large organizations with multiple employees, communication and other barriers always exist that can potentially compromise sensitive information. A dedicated team of personnel handling compliance issues can bridge communication gaps and keep.
IT Asset Management, the ISO 27000 Series, and How Workwize Helps With Compliance
IT Asset Management (ITAM) is a crucial component of an effective Information Security Management System (ISMS) as outlined in the ISO 27000 series.
For instance, controls 5.9 (Inventory of information and other associated assets), 5.10 (Acceptable use of information and other associated assets), and 5.11 (Return of assets) necessitate proper handling and return of all necessary IT assets.
6.7 (Remote working) maintains safe handling of information outside, while 7.13 (Equipment maintenance) and 7.14 (Secure disposal or reuse of equipment) stress the importance of securely maintaining and disposing of equipment.
If you’re looking for a trusted global IT lifecycle management platform, Workwize is what you need. Workwize automates the entire lifecycle of your IT hardware.
Workwize is an ISO 27001-certified IT Asset Management service provider you can rely on to ship equipment to your global workforce, stay compliant with all global and local regulations, and take the headache out of IT asset management worldwide. Book a Demo!
