As cybercrime continues to grow and cyber threats continue to evolve, businesses are under mounting pressure to demonstrate their commitment to information security.
Enter ISO 27001: the globally recognized best practice for managing your information security and running an ISMS (information security management system). ISO 27001 is the most popular information security standard worldwide. That's why many of your customers will be familiar with it and appreciate compliance with it.
Whether you're new to ISO 27001 or looking to strengthen your current practices, this post will walk you through its essentials, why it matters, and how it can improve your approach to information security.
What is an information security standard?
Let's start from the very basics. ISO 27001 is a security standard. That means it provides a structured set of best practices you can follow. These best practices are created by experts in the field to represent the best available ways to mitigate cyber risks.
Some security standards (like ISO 27001) also include a certification mechanism. That means you can have an external accredited auditor verify (according to a preset list of rules) that you comply with all the best practices in the standard. As the end result of this process you'll receive a certificate for your organization.
From the point of view of a person responsible for information security in an organization, security standards provide e.g. the following benefits:
- Get a battle-tested list of best practices: You don't need to build your information security program from scratch, and can save time as you utilize the best practices created by field experts and tested by hundreds of thousands of organizations.
- Understand your own security level: Are you 30/100, 60/100 or 90/100 compliant with ISO 27001? That gives your organization something to think about and enables setting goals. Too often organizations base their understanding of their information security on a hunch about investments already made (often only technological ones), without really anything to compare against.
- Create customer-friendly security communication: Your customers will also know ISO 27001, so reporting against it will mean something to them. Compliance with a world-class standard like ISO 27001 indicates a secure organization that takes information security seriously and can be trusted with customer data.
What kind of content does ISO 27001 include?
In ISO 27001 these best practices come in two shapes:
- Top management requirements: These ensure you define your information security program clearly and manage it properly.
- Information security controls: These ensure you're taking good care of the confidentiality, integrity and availability of data. Controls cover topics like ...
ISO 27001 top management requirements
There are 22 top management requirements presented in ISO 27001's current version (2022).
Each requirement displays a clear name, an identifier (the number) and a description of what needs to be met to comply with the standard.
Security management requirements cover topics like:
- 4. Context of the organization (i.e. understanding the organization): Identify the organization’s environment, key factors, and stakeholders that could affect information security.
- 5. Leadership: Top management must actively support the ISMS by setting clear goals, allocating responsibilities, and promoting a culture that prioritizes information security.
- 6. Planning (i.e. risk management): Develop a structured approach to identify, evaluate and treat information security risks and implement the planned actions to mitigate chosen risks.
- 7. Support (i.e. resources and documentation): Ensure the organization has the resources, skills, and knowledge to implement the ISMS successfully. Maintain well-organized documentation and communicate clearly about security practices.
- 8. Operation (i.e. execution of the ISMS): Put the ISMS into action by implementing controls and running key processes (e.g. risk management and continuous improvement). Ensure ISMS gets run reliably and consistently in daily activities.
- 9. Performance evaluation (i.e. monitoring and review): Regularly assess how well the ISMS is performing through audits, reviews, and metrics. Use this information to evaluate the effectiveness of the ISMS.
- 10. Continuous improvement: Continuously improve the ISMS by addressing nonconformities, taking corrective actions, and enhancing processes to ensure ISMS remains effective and up to date.
ISO 27001 information security controls
There are 93 information security controls in ISO 27001's current version (2022).
Each control displays a clear name, an identifier (the number), the mandatory part to implement and guidelines for hardening the implementation even further. The guidelines for the information security controls are available in the ISO 27002 document.
In the current version of ISO 27001, controls are categorized into 4 chapters: organizational controls, people controls, physical controls and technological controls. This grouping nicely underlines the fact that only a subset of information security is mainly technological. In many controls your processes, personnel awareness or physical protections are emphasized more than technological safeguards.
The ISO 27001 information security controls cover all aspects of information security, for example:
- Asset management: Identifying, categorizing, defining ownership and thus systematically managing and protecting key information assets (e.g. data systems, data, people, physical sites, equipment).
- Identity and access management: Define processes for ensuring only authorized individuals can access information assets, e.g. through role-based access management, access reviews, protecting authentication information and robust log-on procedures.
- Supplier relationships: Identifying important suppliers (e.g. data system providers and data processors) and managing the risks they pose to your data, e.g. by categorizing suppliers and ensuring you have enough assurance of their information security level.
- Continuity management: Ensures critical operations and information remain available during disruptions through strong backup processes, creating and practicing continuity plans and defining continuity requirements for different assets or processes.
- Human resource security: Ensures employees understand their security responsibilities, follow their personal guidelines, are vetted before access, and follow other security policies throughout their tenure.
- Physical security: Safeguards facilities, equipment, and information from unauthorized physical access, damage, or interference, ensuring a secure physical environment.
- System and network security: Protect the IT infrastructure by managing vulnerabilities, controlling access, and ensuring secure configurations to prevent unauthorized access or disruptions.
- Threat and vulnerability management: Have processes for following the evolving threat landscape and identifying technical vulnerabilities to mitigate risks to information assets.
- Incident management: Ensure you have the capability to identify and investigate potential security incidents, and once an incident is identified, ensure systematic response, treatment and analysis to minimize impact and prevent recurrence.
- Application security: Ensure developed software is designed, developed, tested and maintained with robust controls to protect data and prevent vulnerabilities throughout its lifecycle.
The good thing about ISO 27001's controls is that all aspects of information security are covered.
Some popular questions related to ISO 27001
What's the difference between ISO 27001 and ISO 27002 documents?
The ISO 27001 document outlines the processes and policies an organization must follow to achieve and maintain effective information security. All the requirements in this document are mandatory if you want to get certified.
In its Annex A, ISO 27001 refers to the controls explained in more detail in ISO 27002.
The ISO 27002 document provides guidance and best practices for implementing the controls listed in Annex A of ISO 27001. You're usually expected to implement most controls, but some can be deemed "not applicable" when you present strong reasoning.
In its implementation guidance sections, ISO 27002 provides recommendations on how to customize and adapt controls based on each organization's specific needs. These parts are not mandatory to implement, but they provide really valuable details.
So to summarize, you need to use both documents together: the more detailed information security control guidance is in 27002, while the information security management requirements are explained in 27001.
What is an ISMS (information security management system)?
An ISMS (Information Security Management System) refers to the central system where you've documented the information that explains how you comply with the standard's requirements and implement the controls.
The standard doesn't give any format requirements for the ISMS - it can be a single tool like Cyberday, or it can be a bunch of Word documents, Excel spreadsheets, PowerPoint decks and writings on the wall. But you will need to provide an ISMS description document for the auditor that explains the structure and contents of the ISMS to them.
The role of the ISMS is to ensure all information security related measures are clearly documented, assigned, and monitored. It provides a structured approach to managing information security and connecting all its parts together.
What does ISO refer to?
ISO refers to the International Organization for Standardization. If you want to access the actual contents of the ISO 27001 and ISO 27002 documents, you need to buy them, e.g. through the ISO website at ISO.org.
You may also see the ISO 27001 standard referred to as ISO/IEC 27001:2022. The IEC part refers to the joint effort with the International Electrotechnical Commission. The end part (:2022 in this case) refers to the most recent version of the standard, which was released in 2022.
How can you utilize ISO 27001?
There are many different approaches to utilizing ISO 27001. I'll present a few here that we've seen in our customer base:
- Use it as a benchmark: Cherry-pick good practices to implement in your own security measures and find good guidance to improve step-by-step.
- Find your information security level: Compare your current measures against ISO 27001 to understand how well you currently match its best practices - so you can set goals for the future.
- Aim to get compliant: Set it as an internal goal to comply with the whole standard, so you're ready to report about your ISO 27001 compliance e.g. towards customers or authorities.
- Aim to get certified: When you want to have the strongest possible evidence of your ongoing compliance, and ensure you continuously improve your ISMS, you'll partner up with an accredited auditor and go through a certification audit.
Each of these methods builds you a stronger base to continue to the next, so they support each other nicely.
Who can utilize ISO 27001?
The ISO 27001 standard can be utilized by any organization, regardless of size, industry, or type. As long as you want to improve your information security and utilize best practices, you're in its scope.
Our organization has been ISO 27001 certified for around 6 years. We were small at the time, and since then we have grown quite a lot. In addition, we've helped hundreds of organizations across all kinds of industries improve their ISO 27001 compliance through the Cyberday app. So we've seen it work in practice for everyone who is interested in improving their information security.
Different organizations may benefit from the standard in slightly different ways. For SMEs, an ISO 27001 certification can be in large part a way to create trust and credibility. In large organizations it can provide structure for managing information security risks across multiple departments, country branches and complex supply chains. In regulated industries it can assist in meeting customer and legal compliance requirements.