ISO 27001 Basics
ISO 27001 defines how to organise information security in any kind of organisation, profit or non-profit, private or state-owned, small or large. It is safe to say that this standard is the foundation of information security management.
ISO 27001 is for information security what ISO 9001 is for quality: a standard, written by an international committee of practitioners, that provides a methodology for implementing information security management in an organisation. It also allows an organisation to be certified, which means that an independent certification body has confirmed that the organisation's ISMS conforms to the requirements of the standard. Note what certification does and does not say: it attests conformance with the standard and the organisation's own risk-based choices, not that every risk has been eliminated or that each control is the strongest available.
Given the importance of ISO 27001, many legislatures have taken this standard as a basis for drawing up different regulations in the field of personal data protection, protection of confidential information, protection of information systems, management of operational risks in financial institutions, etc.
ISO 27001 prescribes how to manage information security through an information security management system (ISMS). Such a management system, like those of ISO 9001 or ISO 14001, follows the Plan-Do-Check-Act (PDCA) cycle: four phases that are repeated continuously in order to reduce risks to the confidentiality, integrity and availability of information to an acceptable level.
The phases are the following:
- The Plan Phase – This phase serves to plan the basic organisation of information security, set objectives for information security and choose the appropriate security controls (Annex A of the 2005 edition of the standard contains a catalogue of 133 possible controls; later editions restructure the catalogue, with 114 controls in the 2013 edition and 93 in the 2022 edition)
- The Do Phase – this phase includes carrying out everything that was planned during the previous phase
- The Check Phase – the purpose of this phase is to monitor the functioning of the ISMS through various “channels”, and check whether the results meet the set objectives
- The Act Phase – the purpose of this phase is to improve everything that was identified as non-compliant in the previous phase
The cycle of these four phases never ends, and all the activities must be implemented cyclically in order to keep the ISMS effective.
ISO 27001 requires the following documents:
- The scope of the ISMS
- The ISMS policy
- Procedures for document control, internal audits, and corrective and preventive actions
- All other documents, depending on applicable controls
- Risk assessment methodology
- Risk assessment report
- Statement of applicability
- Risk treatment plan
The amount and level of detail of the documentation depend on the organisation's size and security requirements – a dozen documents may be enough for a small organisation, while a large and complex organisation will have several hundred documents in its ISMS.
The Plan phase consists of the following steps:
- Determining the scope of the ISMS
- Writing an ISMS Policy
- Identifying the methodology for risk assessment and determining the criteria for risk acceptance
- Identification of assets, vulnerabilities and threats
- Evaluating the size of risks
- Identification and assessment of risk treatment options
- Selection of controls for risk treatment
- Obtaining management approval for residual risks
- Obtaining management approval for implementation of the ISMS
- Writing a Statement of applicability that lists all applicable controls, states which of them have already been implemented, and those which are not applicable
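The risk-related steps above (evaluating the size of risks, comparing them with the acceptance criteria, choosing treatment options, identifying residual risks that need management approval, and writing the Statement of Applicability) can be made concrete with a small risk register. The following Python script is an added example, not part of the original text and not a tool prescribed by ISO 27001: the 1–5 likelihood and impact scales, the product-based risk score, the acceptance threshold, the control identifiers (C-BACKUP, C-MFA, C-PATCH, C-CLEAR-DESK) and the register entries are all constructed assumptions for illustration. The standard leaves the methodology to the organisation; the point is that the same register drives the treatment decisions and the Statement of Applicability.

```python
from dataclasses import dataclass, field

# Scales and threshold are assumptions for this example; ISO 27001 requires an
# organisation to define its own risk assessment methodology and acceptance criteria.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 6  # risk score (likelihood x impact) at or below this is accepted


@dataclass
class Control:
    cid: str                    # hypothetical identifier, not an Annex A number
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    implemented: bool = False


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)  # control ids selected for treatment


def inherent_score(risk):
    """Size of the risk before any treatment (step: evaluating the size of risks)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def residual_score(risk, catalogue):
    """Size of the risk after the selected controls take effect; each factor never drops below 1."""
    lik, imp = LIKELIHOOD[risk.likelihood], IMPACT[risk.impact]
    for cid in risk.controls:
        ctl = catalogue[cid]
        lik = max(1, lik - ctl.likelihood_reduction)
        imp = max(1, imp - ctl.impact_reduction)
    return lik * imp


def treatment_plan(register, catalogue, threshold=ACCEPTANCE_THRESHOLD):
    """One entry per risk: accept (within criteria), treat (residual within criteria),
    or escalate (residual still above criteria, so management must approve it)."""
    plan = []
    for r in register:
        inherent, residual = inherent_score(r), residual_score(r, catalogue)
        if inherent <= threshold:
            decision = "accept"
        elif residual <= threshold:
            decision = "treat"
        else:
            decision = "escalate"
        plan.append({"risk": r.rid, "asset": r.asset, "inherent": inherent,
                     "residual": residual, "decision": decision})
    return plan


def statement_of_applicability(register, catalogue):
    """Classify every catalogue control as implemented, planned, or not applicable,
    with the justification the SoA needs for excluded controls."""
    selected = {cid for r in register for cid in r.controls}
    soa = {}
    for cid, ctl in catalogue.items():
        if cid not in selected:
            soa[cid] = "not applicable: no risk in the register requires it"
        elif ctl.implemented:
            soa[cid] = "applicable, implemented"
        else:
            soa[cid] = "applicable, planned"
    return soa


# Constructed sample catalogue and register (assumptions, not data from any real organisation).
CATALOGUE = {c.cid: c for c in [
    Control("C-BACKUP", "Tested offline backups", impact_reduction=3, implemented=True),
    Control("C-MFA", "Multi-factor authentication on remote access", likelihood_reduction=2),
    Control("C-PATCH", "Monthly patching of internet-facing systems", likelihood_reduction=2, implemented=True),
    Control("C-CLEAR-DESK", "Clear desk policy"),
]}

REGISTER = [
    Risk("R1", "customer database", "ransomware", "no offline backups",
         "possible", "severe", ["C-BACKUP", "C-PATCH"]),
    Risk("R2", "VPN gateway", "credential stuffing", "password-only authentication",
         "likely", "major", ["C-MFA"]),
    Risk("R3", "public website", "defacement", "outdated CMS", "unlikely", "minor", []),
]

if __name__ == "__main__":
    for entry in treatment_plan(REGISTER, CATALOGUE):
        print(entry)
    for cid, status in statement_of_applicability(REGISTER, CATALOGUE).items():
        print(cid, "-", status)
```

In the sample register, R1 is reduced from 15 to 2 by two controls and is simply treated; R2 remains at 8 after MFA, above the assumed threshold of 6, so it is the residual risk that must be put before management for approval; R3 is accepted untreated because it was already within the criteria. The Statement of Applicability is derived from the same register, so a control that no risk requires is marked not applicable with that reason recorded, which is exactly the justification an auditor asks for.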
The Do phase consists of the following activities:
- Writing a risk treatment plan – describes who, how, when and with what budget applicable controls should be implemented
- Implementing the risk treatment plan
- Implementing applicable security controls
- Determining how to measure the effectiveness of controls
- Carrying out awareness programs and training of employees
- Management of the normal operation of the ISMS
- Management of ISMS resources
- Implementation of procedures for detecting and managing security incidents
The Check phase includes the following:
- Implementation of procedures and other controls for monitoring and review, in order to detect security violations and processing errors promptly and to verify that security activities are being carried out as expected
- Regular reviews of the effectiveness of the ISMS
- Measuring the effectiveness of controls
- Reviewing risk assessment at regular intervals
- Internal audits at planned intervals
- Management reviews to ensure that the ISMS is functioning and to identify opportunities for improvement
- Updating security plans in order to take account of other monitoring and reviewing activities
- Keeping records of activities and incidents that may affect the effectiveness of the ISMS
The Act phase includes the following:
- Implementation of identified improvements in the ISMS
- Taking corrective and preventive action, learning from the organisation's own security experience and that of others
- Communicating activities and improvements to all stakeholders
- Ensuring that improvements achieve the desired objectives
In addition to ISO 27001 (formerly BS 7799-2), ISO 27002 (formerly ISO 17799) is a guidance standard which provides implementation advice for the security controls listed in ISO 27001; an organisation certifies against ISO 27001, not ISO 27002.
Other standards that may also be useful are ISO 27005, which describes information security risk management in more detail, and BS 25999-2, which gives a detailed description of business continuity management (BS 25999-2 has since been superseded by ISO 22301).