A summary of ISO 27001 requirements for information security

| Sieuwert van Otterloo | Security

ISO / IEC 27001 is an official standard for the information security of organisations. Regrettably the standard is not freely available, making it harder than necessary to look up what is actually required by ISO 27001. This has led to some misconceptions. While we still recommend you to read the full standard, we decided to create a good summary to help anyone understand this important information security resource.

An outline of ISO 27001

There are at least two versions of ISO / IEC 27001. The 2005 version and the 2013 version. Both versions are quite similar with some minor differences, based on changing expert insights between the years 2005 and 2013. For this summary we use the latest version, version 2013. This standard addresses the following topics (chapter numbers in brackets):

  • The organisational context (4)
  • Involvement of the leadership (5)
  • Planning and objectives (6)
  • Support including resources and communication (7)
  • Operational aspects (8)
  • Evaluation of performance (9)
  • Continuous improvement (10)

Each of these topics describes part of an Information Security Management System or ISMS. The ISO 27001 standard is focused on the higher level goal of making sure that organisations have a structure (called a management system in ISO-speak) that ensures that the organisation improves on information security. This ISMS is not an IT system, but a description of processes  in your organisation. It consists of goals, resources, policies and process descriptions. Only these higher level elements are required by ISO 27001.

Underlying concepts

There are two ideas that are not explicitly mentioned in ISO 27001 but that are important for understanding ISO 27001. We recommend studying these ideas before reading the actual standard document. The first idea is that of risk management: before taking any action, teams should understand what the assets are that are worth protecting, what the risks are and how these risks are controlled. See this article on asset inventory and this one on risk management for further details.
The second idea that you need to understand in order to implement ISO 27001 is the plan-do-check-act cycle. Before taking action, you need to have a clear goal (plan) and think how you will check if the action works and what to do after the check. See this article on continuous improvement using plan-do-check-act for further details.

Detailed requirements and documentation

For each of the topics listed above, the ISO 27001 standard specifies detailed requirements. If you have not done this already and you want to get certified, we recommend you to read the actual standard first. Below is a short checklist of all items that are described:

  • Organisation context description (4.1)
  • Stakeholders / interested parties in information security (4.2)
  • The ISMS scope (4.3)
  • Commitment from top management (5.1)
  • Availability of a information security policy document (5.2)
  • Roles and responsibilities for information security(5.3)
  • Determining risks and opportunities (6.1.1)
  • Defining and executing a process for risk assessment(6.1.2) and risk treatment (6.1.3). Part of this is to create a statement of applicability that indicates which best practice controls are or are not implemented
  • Creating  measurable security objectives (6.2)
  • Resources for the ISMS (7.1)
  • Appropriate training / competencies for the staff responsible for the ISMS.   (7.2) See also our Information Security NL Special Interest Group as one way to fulfil this requirement.
  • Awareness for all staff in scope (7.3)
  • Communication plan for internal and external communication about information security(7.4)
  • Sufficient documentation about your ISMS including size of your organisation, complexity and competence of people (7.5.1). It must be updated appropriately (7.5.1) and controlled (7.5.3)
  • Planning and control of operational aspects. Basically this is about doing plan-do-check-act and prove this using documentation. (8.1)
  • Planning a security risk assessment at regular intervals (8.2)
  • Implementing the treatment plan (8.2, for treatment plan see 6.1.3)
  • Monitoring the effectiveness of the ISMS, by seeing if the goals are reached (9.1)
  • Planning and execution of regular internal audits (9.2)
  • Planning and execution of  regular management reviews (9.3)
  • Taking management action if things do not go as planned (10.1). Again, this is part of doing plan-do-check-act correctly
  • Making sure there is continuous improvement (10.2). This is not just about plan-do-check-act but also about collecting feedback on each meeting from participants and similar improvement steps.

Some common misconceptions

In many companies that use ISO27001 for information security, one hears statements such as “It is required to change passwords every quarter” or “ISO 27001 requires us to upgrade our firewall”. This is technically not true. The ISO 27001 standard does not mention any concrete controls. ISO 27001 requires that you have information security goals, resources, policies and processes (the ISMS). You should execute these processes. Depending on which assets and risks the information security team identifies, you can in theory make your own decisions about which controls you implement and how.

In practice, many organisations do tend to implement similar controls. There is a small set of controls that is widely accepted as best practices. There is actually a second standard, ISO 27002, that is a collection of these best practice controls. This standard is officially a just-for-information standard, but in practice many people use this standard as a checklist to see if they are doing enough. Officially however you should make your own decisions and only implement these controls if there is an actual risk.

Another misconception about information security, is that it is an IT topic or IT responsibility. ISO 27001 requires the involvement of the whole organisation, not just the IT department. For instance the top management must set the goals and provide budget and resources, and HR is typically involved in resolving staff related risks. If information security is limited to the IT department, you are not compliant to ISO 27001.

A third misconception that often occurs, is an over-focus on the actual number of controls and measures that is implemented. You are compliant with ISO 27001 if you have a working ISMS process. ISO 27001 is a process standard, and you should focus on implementing the process. Implementing most or all controls is not a goal or requirement.

Compliance and certification

Many organisations use the standard ISO 27001 not just because they want to do the right thing, but also because they want to obtain a security certificate. There is a subtle difference between being compliant to ISO27001, and obtaining a certificate. Any organisation that is willing to put in enough commitment, time and resources can become compliant to ISO27001 by just doing the work.

Once you meet all requirements, you can call yourself compliant. To become certified, there is an additional step: You need to find an official party that is accredited to do ISO 27001 certifications, and ask such party to do a review of the ISMS. Whether certification is worth the additional time and costs varies per organisation.

In our experience, the cost and effort of full ISO 27001 certification is considered expensive by many organisations. For this reason we developed the more agile Security Verified standard. The Security Verified standard is based on the same principles or best practices, but has publicly available requirements and a faster and more efficient review process. The standards are compatible. One can start with implementing a good ISMS, get a Security Verified certificate once all the basics are in place.

You can continue improving your ISMS and get a ISO 27001 certificate later on when the less important stuff is also in place and you have more experience running your ISMS. Either way, we and all other experts recommend anyone to take information security seriously. It is worth it to invest in building an ISMS, regardless of what certification you decide to pursue. Studying the standard ISO 27001 is an important first step in this direction.

Image credit: Ben White via Unsplash

Author: Sieuwert van Otterloo
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT-contracts.