ISO 27001 Overview and Guides

ISO 27001 Overview and Guides

ISO 27001 is a globally recognized framework, part of the ISO/IEC 27000 series, for governing an organization’s information security program by providing a clear set of requirements for an Information Security Management System (ISMS).

TrustCloud supports the 2022 version as well as the 2013 version.

What is an ISMS?

ISMS stands for Information Security Management System and is a collection of documents, including policies, processes, procedures, and controls, that together implement an effective risk management process.

When building out your ISMS, it’s your responsibility to ensure that the controls, policies, and procedures you adopt help you meet the following information security objectives:

• Confidentiality: ensuring that only authorized individuals have access to data
• Integrity: data is always complete and accurate.
• Availability: Data is easily accessible by authorized individuals.

ISO 27001 is composed of 10 sections (referred to as “clauses” in ISO 27001 terminology) and one annex. While the first three clauses are introductory in nature and serve as an overview of the process itself, clauses 4 to 10 are more strategic, providing guidelines for securing the business as a whole. Each clause contains a set of guidelines intended to improve your company’s security posture We have outlined these below:

1. Clause 4: Context of the organization
   Establish the context of the ISMS by outlining and documenting how your organization is structured, your contractual relationships, and the way you run your business.
2. Clause 5: Leadership
   Define the policies that govern your organization, list the roles and responsibilities of team members working on putting the ISMS together, ensure that the team has the necessary resources, and conduct regular reviews.
3. Clause 6: Planning
   When planning your company’s long-term goals and upcoming work, it’s critical that security and risk are taken into account. The guidelines in this clause surround the processes for doing so.
4. Clause 7: Support
   Ensure that the appropriate supporting evidence is created, collected, and maintained as you build out your ISMS.
5. Clause 8: Operation
   Develop, implement, and control processes around information security.
6. Clause 9: Performance evaluation
   Establish processes to ensure that your ISMS is continuously monitored and evaluated.
7. Clause 10: Improvement
   Ensures that once performance is evaluated, all gaps are addressed.

In addition to these clauses, ISO 27001 includes a single annex, titled Annex A. This annex comprises 114 controls, divided into 14 categories, that should be considered when aiming to comply with the standard. The security objectives and controls defined in Annex A can be used as a baseline when creating your own set of controls for ISO 27001. However, the list of control objectives and controls contained within Annex A is not exhaustive and may not apply to your environment; as such, additional security objectives and controls can also be created from scratch or selected from other frameworks. When an Annex A control is not implemented, a justification for its exclusion must be documented and presented to the auditor.

The first few sections of the appendix are introductory and are followed by control sets in sections numbered Annex A.5 to Annex A.18. Here is a brief overview of these categories:

1. Annex A.5: Information Security Policies
   Show that the policies you’ve developed are in line with the overall organization’s practices.
2. Annex A.6: Organization of Information Security
   Show that your organization has a framework for implementing and maintaining information security practices for both on-premise and remote devices.
3. Annex A.7: Human Resources Security
   Show that your organization has the right procedures to help employees and contractors understand their obligations to protect sensitive data. Data should be protected both while they are employed and after they have left the organization or switched roles.
4. Annex A.8: Asset Management
   Show that you are able to identify and classify information assets and that you’ve put measures in place to protect data from unauthorized disclosure, modification, removal, or destruction.
5. Annex A.9: Access Control
   Show that you’ve developed and are adhering to procedures around who has access to information and systems both within and outside the organization.
6. Annex A.10: Cryptography
   Show that measures have been taken to protect the confidentiality, integrity, and availability of data in your possession.
7. Annex A.11: Physical and environmental security
   Prove that you’ve taken the necessary steps to secure data, whether it is stored on premises, externally, in software, or in physical files.
8. Annex A.12: Operations Security
   If you are working with vendors to process information, show that the data being shared with these organizations is protected and secure.
9. Annex A.13: Communications Security
   Show that you’re securing your networks and protecting the information that travels through them.
10. Annex A.14: System acquisition, development, and maintenance
    Show that data security is a consideration when purchasing new systems or upgrading existing ones.
11. Annex A.15: Supplier Relationships
    Show that the vendors you’re working with are safeguarding the data you share with them.
12. Annex A.16: Information Security Incident Management
    Show that you’ve implemented mechanisms to manage and report on any security incidents, and fix any issues in a timely manner.
13. Annex A.17: Information Security Aspects of Business Continuity Management
    Show that in the event of a disruption, the business can continue and the information systems will be available.
14. Annex A.18: Compliance
    You need to show that you are able to meet legal obligations and have a plan to mitigate any legal, statutory, regulatory, or contractual breaches.

Why Should I Pursue an ISO 27001 Certification?

If you want to expand into global markets and need to prove to your international customers that you’re taking data security seriously, ISO 27001 helps you demonstrate efforts towards mitigating information security risks. The specifics involved in pursuing an ISO 27001 attestation really depend on the market, the wants or needs of the organization’s customers, as well as any regulatory requirements with which the organization needs to comply. Companies in the following industries most typically need ISO 27001:

1. IT companies may use the ISO 27001 framework as a guideline to protect the data they handle and comply with contractual security requirements.
2. Financial companies are required to follow the strictest laws and requirements to ensure their customers’ and stakeholders’ data is safe.

That being said, the ISO 27001 framework is intended to be applicable to all organizations, regardless of type, size, or nature, and any organization with sensitive data may find it beneficial to adhere to it.

Traditionally, ISO 27001 can cost anywhere from $15,000 to $100,000 when you factor in the cost of the audit firm as well as internal costs including productivity, staff training, and resources needed to meet specific requirements.

TrustCloud believes compliance shouldn’t be beyond affordability. We want to make the readiness and audit processes affordable and simple. The cost is broken down into two areas:

1. A compliance automation platform. By automating much of the process, platforms such as TrustOps help you reduce and better manage your internal costs. We’ve developed a transparent and straightforward pricing structure to make it easier for you to manage the overall cost of the program.
2. An auditor. TrustCloud has developed strong relationships with a number of audit firms. These firms are trained on the platform and know how to evaluate your business. They are also able to pass along discounts as a result of a referral from TrustCloud. ISO 27001 audit partners in the TrustCloud network charge between $7,000 to $40,000 for audits, depending on the maturity and complexity of the engagement.

How long is the ISO 27001 process going to take?

Given the complex structure of ISO 27001, it can take months, or even a year, to meet all the requirements by putting all the requisite controls, policies, and procedures in place. If you’ve decided to pursue an ISO 27001 attestation, our recommendation is to kickstart this process sooner rather than later.

In addition to the months of preparation, an auditor may spend 6 to 12 months going through your ISMS, depending on the size of your organization and the complexity of your ISMS.

There is a faster way to do your audit preparation, and it involves leveraging automation to implement controls, craft policies, and prove that you’re doing what you say you are.

TrustOps will save you time, resources, and money!

Click on the next article to understand how to get started with ISO 27001!