The ISO 27001:2022 standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organization’s information security management system. ISO 27001 was established by the International Organization for Standardization (ISO). It was first launched in 2005, as a replacement for BS 7799
What’s new in ISO 27001:2022 Compared to ISO 27001:2013?
Management system
The management system of ISO 27001:2022 will contain a few minor changes, aligning it to Annex SL.
These changes include:
- Refinement of 4.2 Interested parties. You must now identify the “relevant” requirements of interested parties and determine which will be addressed through the ISMS (information security management system).
- Refinement of 4.4 ISMS. The ISMS now explicitly includes the “processes needed and their interactions”.
- Refinement of 6.1.3 Risk treatment. There is a new section on planning changes to the ISMS. This does not specify any processes that must be included, so you should determine how you can demonstrate that changes to the ISMS have indeed been planned.
- Refinement of 6.2 Objectives. Information security objectives must now be monitored and made “available as documented information”.
- Addition of 6.3 Change management.
- Refinement of 7.4 Communication. The requirements to define who will communicate and the processes for effecting communication have been replaced by a requirement to define “how to communicate”.
- Rewrite 8.1 Operational planning. The requirement to plan how to achieve information security objectives has been replaced by a requirement to establish criteria for processes to implement actions identified in Clause 6, and to control those processes in line with the criteria. Organisations are now required to control “externally provided processes, products or services” relevant to the ISMS rather than just processes.
- Refinement of 9.1 Monitoring. Methods of monitoring, measuring, analyzing and evaluating the effectiveness of the ISMS now need to be comparable and reproducible.
- The management review must now also consider changes in the needs and expectations of interested parties.
- Splitting 9.2 into 9.2.1 General / 9.2.2 Audit program
- Splitting 9.3 into 9.3.1 General / 9.3.2 Input / 9.3.3 Output
- 10.1 Improvement and 10.2 Nonconformity have switched numbers
ISO 27001 Controls
The controls now also have five types of ‘attributes’ to make them easier to categorise:
- Control type (preventive, detective, corrective)
- Information security properties (confidentiality, integrity, availability)
- Cyber security concepts (identify, protect, detect, respond, recover)
- Operational capabilities (governance, asset management, etc.)
- Security domains (governance and ecosystem, protection, defence, resilience)
The completely new controls are:
- Threat intelligence
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
A.5.23 Information security for use of cloud services
Description. This control requires you to set security requirements for cloud services to have better protection of your information in the cloud. This includes purchasing, using, managing, and terminating the use of cloud services.
Technology. In most cases, new technology will not be needed, because the majority of cloud services already have security features. In some cases, you might need to upgrade your service to a more secure one, while in some rare cases, you will need to change the cloud provider if it does not have security features. For the most part, the only change required will be using existing cloud security features more thoroughly.
Organization/processes. You should set up a process to determine security requirements for cloud services and for determining the criteria for selecting a cloud provider; further, you should define a process for determining acceptable use of the cloud, and also the security requirements when cancelling the use of a cloud service.
People. Make employees aware of the security risks of using cloud services, and train them on how to use the security features of cloud services.
Documentation. No documentation is required by ISO 27001; however, if you are a smaller company, you might include rules about cloud services in the Supplier Security Policy. Larger companies might develop a separate policy that would focus specifically on security for cloud services.
A.5.30 ICT readiness for business continuity
Description. This control requires your information and communication technology to be ready for potential disruptions so that required information and assets are available when needed. This includes readiness planning, implementation, maintenance, and testing.
Technology. If you did not invest in solutions that enable resilience and redundancy of your systems, you might need to introduce such technology – this might range from data backup to redundant communication links. These solutions need to be planned based on your risk assessment and how quickly you need your data and your systems to be recovered.
Organization/processes. Besides the planning process, which needs to take into account the risks and business needs for recovery, you should also set up the maintenance process for your technology, and the testing process for your disaster recovery and/or business continuity plans.
People. Make employees aware of potential disruptions that could happen, and train them on how to maintain IT and communication technology so that it is ready for a disruption.
Documentation. No documentation is required by ISO 27001; however, if you are a smaller company, you might include the ICT readiness in the following documents:
- Disaster Recovery Plan – readiness planning, implementation, and maintenance
- Internal Audit Report – readiness testing
If you are a larger organization, or if you implemented ISO 22301, then you should document readiness through the Business Impact Analysis, Business Continuity Strategy, Business Continuity Plan, and Business Continuity Testing Plan & Report.
A.7.4 Physical security monitoring
Description. This control requires you to monitor sensitive areas to enable only authorized people to access them. This might include your offices, production facilities, warehouses, and other premises.
Technology. Depending on your risks, you might need to implement alarm systems or video monitoring; you might also decide to implement a non-tech solution like a person observing the area (e.g., a guard).
Organization/processes. You should define who is in charge of the monitoring of sensitive areas, and what communication channels to use to report an incident.
People. Make employees aware of the risks of unauthorized physical entry into sensitive areas, and train them how to use the monitoring technology.
Documentation. No documentation is required by ISO 27001; however, you might include physical security monitoring in the following documents:
- Procedures that Regulate Physical Security – what is monitored, and who is in charge of monitoring
- Incident Management Procedure – how to report and handle a physical security incident
A.8.9 Configuration Management
Description. This control requires you to manage the whole cycle of security configuration for your technology to ensure a proper level of security and to avoid any unauthorized changes. This includes configuration definition, implementation, monitoring, and review.
Technology. The technology whose configuration needs to be managed could include software, hardware, services, or networks. Smaller companies will probably be able to handle configuration management without any additional tools, whereas larger companies probably need some software that enforces defined configurations.
Organization/processes. You should set up a process for proposing, reviewing, and approving security configurations, as well as the processes for managing and monitoring the configurations.
People. Make employees aware of why strict control of security configuration is needed, and train them on how to define and implement security configurations.
Documentation. ISO 27001 requires this control to be documented. If you are a small company, you can document the configuration rules in your Security Operating Procedures. Larger companies will typically have a separate procedure that defines the configuration process. You will usually have separate specifications that define security configurations for each of your systems, to avoid frequent updates of the documents mentioned in the previous paragraph. Further, all changes to configurations need to be logged to enable an audit trail.
A.8.10 Information deletion
Description. This control requires you to delete data when no longer required, to avoid leakage of sensitive information and to enable compliance with privacy and other requirements. This could include deletion in your IT systems, removable media, or cloud services.
Technology. You should be using tools for secure deletion, according to regulatory or contractual requirements, or in line with your risk assessment.
Organization/processes. You should set up a process that will define which data need to be deleted and when, and define responsibilities and methods for deletion.
People. Make employees aware of why deleting sensitive information is important, and train them on how to do this properly.
Documentation. No documentation is required by ISO 27001; however, you might include rules about information deletion in the following documents:
- Disposal and Destruction Policy – how the information on removable media is deleted
- Acceptable Use Policy – how regular users need to delete the sensitive information on their computers and mobile devices
- Security Operating Procedures – how system administrators need to delete the sensitive information on servers and networks
Larger organizations might also have a Data Retention Policy that defines how long each type of information is needed, and when it needs to be deleted.
A.8.11 Data masking
Description. This control requires you to use data masking together with access control to limit the exposure of sensitive information. This primarily means personal data, because they are heavily regulated through privacy regulations, but it could also include other categories of sensitive data.
Technology. Companies can use tools for pseudonymization or anonymization to mask data if this is required by privacy or other regulations. Other methods like encryption or obfuscation can also be used.
Organization/processes. You should set up processes that will determine which data needs to be masked, who can access which type of data, and which methods will be used to mask the data.
People. Make employees aware of why masking data is important, and train them on which data needs to be masked and how.
Documentation. No documentation is required by ISO 27001; however, you might include rules on data masking in the following documents:
- Information Classification Policy – determine which data are sensitive and what categories of data need to be masked
- Access Control Policy – defines who can access what type of masked or unmasked data
- Secure Development Policy – defines the technology of masking the data
Larger companies, or companies that need to be compliant with the Data Protection Regulation of their country of operation and similar privacy regulations, should also have the following documents:
- Privacy Policy / Personal Data Protection Policy – overall responsibilities for data masking
- Anonymization and Pseudonymization Policy – details on how data masking is implemented in the context of a privacy regulation
A.8.12 Data leakage prevention
Description. This control requires you to apply various data leakage measures to avoid unauthorized disclosure of sensitive information, and if such incidents happen, to detect them promptly. This includes information in IT systems, networks, or any devices.
Technology. For this purpose, you could use systems to monitor potential leakage channels, including emails, removable storage devices, mobile devices, etc., and systems that prevent information from leaking – e.g., disabling download to removable storage, email quarantine, restricting copy and paste of data, restricting upload of data to external systems, encryption, etc.
Organization/processes. You should set up processes that determine the sensitivity of data, assess the risks of various technologies (e.g., risks of taking photos of sensitive information with a smartphone), monitor channels with the potential of data leakage, and define which technology to use to block the exposure of sensitive data.
People. Make employees aware of what kind of sensitive data is handled in the company and why it is important to prevent leakages and train them on what is and what isn’t allowed when handling sensitive data.
Documentation. No documentation is required by ISO 27001; however, you might include rules on data leakage prevention in the following documents:
- Information Classification Policy – the more sensitive the data are, the more prevention needs to be applied
- Security Operating Procedures – which systems for monitoring and prevention should be used by administrators
- Policy on Acceptable Use – what is and what isn’t allowed for regular users
A.8.16 Monitoring activities
Description. This control requires you to monitor your systems to recognize unusual activities and, if needed, to activate the appropriate incident response. This includes monitoring your IT systems, networks, and applications.
Technology. For your networks, systems, and applications, you could monitor the following: security tool logs, event logs, who is accessing what, activities of your main administrators, inbound and outbound traffic, proper execution of the code, and how the system resources are performing.
Organization/processes. You should set up a process that defines which systems will be monitored; how the responsibilities for monitoring are determined; and the methods of monitoring, establishing a baseline for unusual activities, and reporting events and incidents.
People. Make employees aware that their activities will be monitored, and explain what is and what is not considered normal behaviour. Train IT administrators to use monitoring tools.
Documentation. No documentation is required by ISO 27001; however, if you are a smaller company, you might include rules about monitoring in the Security Operating Procedures. Larger companies might develop a separate procedure that would describe how to monitor their systems. On top of this, it would be useful to keep records of monitoring activities.
A.8.23 Web filtering
Description. This control requires you to manage which websites your users are accessing, to protect your IT systems. This way, you can prevent your systems from being compromised by malicious code, and also prevent users from using illegal materials from the Internet.
Technology. You could use tools that block access to particular IP addresses, which could include the usage of anti-malware software. You could also use non-tech methods like developing a list of forbidden websites and asking users not to visit them.
Organization/processes. You should set up processes that determine which types of websites are not allowed, and how the web filtering tools are maintained.
People. Make employees aware of the dangers of using the Internet and where to find guidelines for safe use, and train your system administrators on how to perform web filtering.
Documentation. No documentation is required by ISO 27001; however, if you are a smaller company, you might include rules about web filtering in the following documents:
- Security Operating Procedures – Define rules for system administrators on how to implement web filtering.
- Acceptable Use Policy – Define rules for all users on what is acceptable usage of the Internet.
Larger companies might develop a separate procedure that would describe how the web filtering is performed.
A.8.28 Secure coding
Description. This control requires you to establish secure coding principles and apply them to your software development to reduce security vulnerabilities in the software. This could include activities before, during, and after the coding.
Technology. You might be using tools for maintaining an inventory of libraries, protecting the source code from tampering, logging errors and attacks, and testing; you could also use security components like authentication, encryption, etc.
Organization/processes. You should set up a process for defining the minimum baseline of secure coding – both for internal software development and for software components from third parties, a process for monitoring emerging threats and advice on secure coding, a process for deciding which external tools and libraries can be used, and a process that defines activities done before the coding, during the coding, after the coding (review and maintenance), and for software modification.
People. Make your software developers aware of the importance of using secure coding principles, and train them on methods and tools for secure coding.
Documentation. No documentation is required by ISO 27001; however if you are a smaller company, you might include rules about secure coding in the Secure Development Policy. Larger companies might develop separate procedures for secure coding for each of their software development projects.
Protecting your assets
The standard takes a comprehensive approach to information security. Assets that need protection range from digital information, paper documents, and physical assets (computers and networks) to the knowledge of individual employees. Issues you have to address range from competence development of staff to technical protection against computer fraud.
ISO 27001 will help you protect your information in terms of the following principles:
- Confidentiality ensures that information is accessible only to those authorized to have access.
- Integrity safeguards the accuracy and completeness of information and processing methods.
- Availability ensures that authorized users have access to information and associated assets when required.
ISO 27001 requires that management:
- Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts;
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
- Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.
ISO 27001:2022 is intended to be suitable for several different types of use, including the following:
- Use within organizations to formulate security requirements and objectives;
- use within organizations as a way to ensure that security risks are cost-effectively managed;
- use within organizations to ensure compliance with laws and regulations;
- use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
- definition of new information security management processes;
- identification and clarification of existing information security management processes;
- use by the management of organizations to determine the status of information security management activities;
- use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives, and standards adopted by an organization;
- use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons;
- implementation of business-enabling information security;
- use by organizations to provide relevant information about information security to customers.
Benefits of ISO 27001:2022
The benefits of standardization, and implementation of one or more of the ISO 27000 series are wide and varied. Although they tend to differ from organization to organization, many are common.
The following is a list of potential benefits. As with many items on this website, this is an ongoing project. Please feel free to add further points via the comments option below.
- Interoperability
This is a general benefit of standardization. The idea is that systems from diverse parties are more likely to fit together if they follow a common guideline.
- Assurance
Management can be assured of the quality of a system, business unit, or other entity if a recognized framework or approach is followed.
- Due Diligence
Compliance with, or certification against, an international standard is often used by management to demonstrate due diligence.
- Bench Marking
Organizations often use a standard as a measure of their status within their peer community. It can be used as a benchmark for current position and progress.
- Awareness
Implementation of a standard such as ISO 27001 can often result in greater security awareness within an organization.
- Alignment
Because implementation of ISO 27001 (and the other ISO 27000 standards) tends to involve both business management and technical staff, greater IT and Business alignment often result.
- Compliance
It might seem odd to list this as the first benefit, but it often shows the quickest “return on investment” – if an organization must comply with various regulations regarding data protection, privacy and IT governance (particularly if it is a financial, health or government organization), then ISO 27001 can bring in the methodology which enables to do it most efficiently.
- Marketing edge
In a market which is more and more competitive, it is sometimes very difficult to find something that will differentiate you in the eyes of your customers. ISO 27001 could be indeed a unique selling point, especially if you handle clients’ sensitive information.
- Lowering the expenses
Information security is usually considered a cost with no obvious financial gain. However, there is a financial gain if you lower your expenses caused by incidents. You probably do have an interruption in service, occasional data leakage, or disgruntled employees. Or disgruntled former employees. The truth is, there is still no methodology and/or technology to calculate how much money you could save if you prevented such incidents. But it always sounds good if you bring such cases to management’s attention.
- Putting your business in order
This one is probably the most underrated – if you are a company which has been growing sharply for the last few years, you might experience problems like – who has to decide what, who is responsible for certain information assets, who has to authorize access to information systems, etc.
How to achieve ISO 27001 certification – ISO 27001 implementation / Certification steps
What I offer is a well-defined and globally proven implementation methodology for ISO 27001-2022 certification.
- Gap Analysis
- Awareness Training
- Risk analysis
- Documentation Design and finalization
- Implementation
- Internal Auditor Training and conduct of the internal audit
- Management Review Meeting
- Review of Implementation
- Pre-assessment audit
- Stage 1 – certification audit
- Stage 2 – certification audit
- Award of ISO 27001 certification
- Continual improvement of the system through value-added consulting and training services
These practices form the framework within which you will establish an ISMS.
1 Purchase a copy of the ISO/IEC standards
Before establishing an ISMS and drafting the various documents for your ISMS, you should purchase copies of the pertinent ISO/IEC standards, namely:
a) The code of practice standard: ISO 27002. This standard can be used as a starting point for developing an ISMS. It guides planning and implementing a program to protect information assets. It also provides a list of controls (safeguards) that you can consider implementing as part of your ISMS.
b) The management system standard: ISO/IEC 27001. This standard is the specification for an ISMS. It explains how to apply ISO 27002. It provides the standard against which certification is performed, including a list of required documents. An organization that seeks certification of its ISMS is examined against this standard.
2 Obtain management support
As described in ISO/IEC 27001, management plays an important role in the success of an ISMS.
What you need: Management responsibility section of ISO 27001. Management must commit to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the ISMS. Commitment must include activities such as ensuring that the proper resources are available to work on the ISMS and that all employees affected by the ISMS have the proper training, awareness, and competency.
Results: Establishment of the following items demonstrates management commitment:
- An information security policy: this policy can be a standalone document or part of an overall security manual that is used by an organization.
- Information security objectives and plans: again this information can be a standalone document or part of an overall security manual that is used by an organization
- Roles and responsibilities for information security: a list of the roles related to information security should be documented either in the organization’s job description documents or as part of the security manual or ISMS description documents.
- Announcement or communication to the organization about the importance of adhering to the information security policy.
- Sufficient resources to manage, develop, maintain, and implement the ISMS.
In addition, management will participate in the ISMS Plan-Do-Check-Act [PDCA] process, as described in ISO 27001 by:
- Determining the acceptable level of risk. Evidence of this activity can be incorporated into the risk assessment documents, which are described later in this guide.
- Conducting management reviews of the ISMS at planned intervals. Evidence of this activity can be part of the approval process for the documents in the ISMS.
- Ensuring that personnel affected by the ISMS are provided with training, are competent for the roles and responsibilities they are assigned to fulfil, and are aware of those roles and responsibilities. Evidence of this activity can be through employee training records and employee review documents.
3 Determine the scope of the ISMS
When management has made the appropriate commitments, you can begin to establish your ISMS. In this step, you should determine the extent to which you want the ISMS to apply to your organization.
What you need: You can use several of the “result” documents that were created as part of step 2, such as:
- The information security policy
- The information security objectives and plans
- The roles and responsibilities that are related to information security and were defined by the management
In addition, you will need:
- Lists of the areas, locations, assets, and technologies of the organization that will be controlled by the ISMS.
- What areas of your organization will be covered by the ISMS?
- What are the characteristics of those areas; its locations, assets, technologies to be included in the ISMS?
- Will you require your suppliers to abide by your ISMS?
- Are there dependencies on other organizations? Should they be considered?
Your goals will be to cover the following:
- the processes used to establish the scope and context of the ISMS.
- the strategic and organizational context
Important: Keep your scope manageable. Consider including only parts of the organization, such as a logical or physical grouping within the organization. Large organizations might need several Information Security Management Systems to maintain manageability. For example, they might have one ISMS for their Finance department and the networks used by that department and a separate ISMS for their Software Development department and systems.
Results: A documented scope for your ISMS. When you have determined the scope, you will need to document it, usually in a few statements or paragraphs. The documented scope often becomes one of the first sections of your organization’s Security Manual. Or, it might remain a standalone document in a set of ISMS documents that you plan to maintain. Often the scope, the security policy, and the security objectives are combined into one document.
4 Identify applicable legislation
After you have determined the scope, identify any regulatory or legislative standards that apply to the areas you plan to cover with the ISMS. Such standards might come from the industry in which your organization works or from state, local, or federal governments, or international regulatory bodies.
What you need: Up-to-date regulatory or legislative standards that might apply to your organization. You might find it helpful to have input and review from lawyers or specialists who are knowledgeable about the standards.
Results: Additional statements in the scope of the ISMS. If your ISMS will incorporate more than two or three legislative or regulatory standards, you might also create a separate document or appendix in the Security Manual that lists all of the applicable standards and details about the standards.
5 Define a method of risk assessment
Risk assessment is the process of identifying risks by analyzing threats to, impacts on, and vulnerabilities of information and information systems and processing facilities, and the likelihood of their occurrence. Choosing a risk assessment method is one of the most important parts of establishing an ISMS. To meet the requirements of ISO 27001, you will need to define and document a method of risk assessment and then use it to assess the risk to your identified information assets, make decisions about which risks are intolerable and therefore need to be mitigated, and manage the residual risks through carefully considered policies, procedures, and controls.
ISO does not specify the risk assessment method you should use; however, it does state that you must use a method that enables you to complete the following tasks:
- Evaluate risk based on levels of confidentiality, integrity, and availability. Some risk assessment methods provide a matrix that defines levels of confidentiality, integrity, and availability and provides guidance as to when and how those levels should be applied,
- Set objectives to reduce risk to an acceptable level
- Determine criteria for accepting the risk
- Evaluate risk treatment options.
There are many risk assessment methods you can choose from, such as those that are prevalent in your industry. For example, if your company is in the oil industry, you might find there are risk assessment methods related to that industry.
When you have completed this step, you should have a document that explains how your organization will assess risk, including:
- the organization’s approach to information security risk management
- criteria for information security risk evaluation and the degree of assurance required
6 Create an inventory of information assets to protect
To identify risks and the levels of risks associated with the information you want to protect, you first need to make a list of all of your information assets that are covered in the scope of the ISMS.
What you will need: You will need the scope that you defined in step 3 and input from the organization that is defined in your scope regarding its information assets.
Result: When you have completed this step, you should have a list of the information assets to be protected and an owner for each of those assets. You might also want to identify where the information is located and how critical or difficult it would be to replace it. This list should be part of the risk assessment methodology document that you created in the previous step. Because you will need this list to document your risk assessment, you might want to group the assets into categories and then make a table of all the assets with columns for assessment information and the controls you choose to apply. The following example shows an asset table.
7 Identify risks
Next, for each asset you defined in the previous step, you will need to identify risks and classify them according to their severity and vulnerability. In addition, you will need to identify the impact that loss of confidentiality, integrity, and availability may have on the assets.
To begin identifying risks, you should start by identifying actual or potential threats and vulnerabilities for each asset. A threat is something that could cause harm. For example, a threat could be any of the following:
- A declaration of the intent to inflict harm or misery
- Potential to cause an unwanted incident, which may result in harm to a system or organization and its assets
- The intentional, accidental, or man-made act that could inflict harm or an act of God (such as a hurricane or tsunami)
A vulnerability is a source or situation with a potential for harm (for example, a broken window is a vulnerability; it might encourage harm, such as a break-in). A risk is a combination of the likelihood and severity or frequency that a specific threat will occur.
What you will need:
- The list of assets that you defined in the previous step
- The risk assessment methodology you defined in Step 5
For each asset, you should identify vulnerabilities that might exist for that asset and threats that could result from those vulnerabilities. It is often helpful to think about threats and vulnerabilities in pairs, with at least one pair for each asset and possibly multiple pairs for each asset.
Results: For each asset, you will have a threat and vulnerability description and, using your Risk Assessment methodology, you will assign levels of confidentiality, integrity, and availability to that asset. If you used a table for step 6, you can add this information to that table, as shown in the following example.
8 Assess the risks
After you have identified the risks and the levels of confidentiality, integrity, and availability, you will need to assign values to the risks. The values will help you determine if the risk is tolerable or not and whether you need to implement a control to either eliminate or reduce the risk. To assign values to risks, you need to consider:
- The value of the asset being protected
- The frequency with which the threat or vulnerability might occur
- The damage that the risk might inflict on the company or its customers or partners
For example, you might assign values of Low, Medium, and High to your risks. To determine which value to assign, you might decide that if the value of an asset is high and the damage from a specified risk is high, the value of the risk should also be high, even though the potential frequency is low. Your Risk Assessment Methodology document should tell you what values to use and might also specify the circumstances under which specific values should be assigned. Also, be sure to refer to your Risk Assessment Methodology document to determine the implication of a certain risk value. For example, to keep your ISMS manageable, your Risk Assessment Methodology might specify that only risks with a value of Medium or High will require control in your ISMS. Based on your business needs and industry standards, risk will be assigned appropriate values.
What you will need:
- Lists of assets and their associated risks and CIA levels, which you created in the previous step.
- Possibly input from management as to what level of risk they are willing to accept for specific assets.
Results: When you have completed your assessment, you will have identified which information assets have intolerable risk and therefore require controls. You should have a document (sometimes referred to as a Risk Assessment Report) that indicates the risk value for each asset. In the next step, you will identify which controls might be applicable for the assets that require control to reduce the risk to tolerable levels. This document can either be standalone or it can be part of an overall Risk Assessment document that contains your risk assessment methodology and this risk assessment.
9 Identify applicable objectives and controls
Next, for the risks that you’ve determined to be intolerable, you must take one of the following actions:
- decide to accept the risk, for example, actions are not possible because they are out of your control (such as natural disaster or political uprising) or are too expensive.
- transfer the risk, for example, purchase insurance against the risk, subcontract the activity so that the risk is passed on to the subcontractor, etc.
- reduce the risk to an acceptable level through the use of controls.
To reduce the risk, you should evaluate and identify appropriate controls. These controls might be controls that your organization already has in place or controls that are defined in the ISO 27002 standard. (Note: An examination of the controls that you already have in place against the standard and then using the results to identify what controls are missing is commonly called a “gap analysis.”)
What you will need:
- Annex A of ISO 27001. This appendix summarizes controls that you might want to choose from.
- ISO 27002, which provides greater detail about the controls summarized in ISO 27001.
- Procedures for existing corporate controls
Results: You should end up with two documents by completing this step:
- A Risk Treatment Plan
- A Statement of Applicability
The Risk Treatment Plan documents the following:
- the method selected for treating each risk (accept, transfer, reduce)
- which controls are already in place
- what additional controls are proposed
- the time frame over which the proposed controls are to be implemented
The Statement of Applicability (SOA) documents the control objectives and controls selected from Annex A. The Statement of Applicability is usually a large table in which each control from Annex A of ISO/IEC 27001 is listed with its description and corresponding columns that indicate whether that control was adopted by the organization, the justification for adopting or not adopting the control, and a reference to the location where the organization’s procedure for using that control is documented. The SOA can be part of the Risk Assessment document, but usually, it is a standalone document because it is lengthy and is listed as a required document in the standard.
10 Set up policy, procedures and Documented Information to control risks
For each control that you define, you must have corresponding statements of policy or in some cases a detailed procedure. The procedure and policies are used by affected personnel so they understand their roles and so that the control can be implemented consistently. The documentation of the policy and procedures is a requirement of ISO 27001.
What you will need: To help you identify which procedures you might need to document, refer to your Statement of Applicability. To help you write your procedures so that they are consistent in content and appearance, you might want to create some type of template for your procedure writers to use.
Results: Additional policy and documented Information. (The number of documents you produce will depend on the requirements of your organization.) Some of these procedures might also generate records. For example, if you have a procedure that all visitors to your facility must sign a visitor log, the log itself becomes a record providing evidence that the procedure has been followed.
11 Allocate resources and train the staff
Adequate resources (people, time, money) should be allocated to the operation of the ISMS and all security controls. In addition, the staff who must work within the ISMS (maintaining it and its documentation and implementing its controls) must receive appropriate training. The success of the training program should be monitored to ensure that it is effective. Therefore, in addition to the training program, you should also establish a plan for how you will determine the effectiveness of the training.
What you will need:
- A list of the employees who will work within the ISMS
- All of the ISMS procedures to use for identifying what type of training is needed and which members of the staff or interested parties will require training
- Management agreement to the resource allocation and the training plans.
Results: Specific documentation is not required in the ISO/IEC standards. However, to provide evidence that resource planning and training have taken place, you should have some documentation that shows who has received training and what training they have received. In addition, you might want to include a section for each employee that lists what training they should be given. Also, you will probably have some type of procedure for determining how many people, how much money, and how much time needs to be allocated to the implementation and maintenance of your ISMS. It’s possible that this procedure already exists as part of your business operating procedures or that you will want to add an ISMS section to that existing documentation.
12 Monitor the implementation of the ISMS
To ensure that the ISMS is effective and remains current, suitable, adequate, and effective, ISO 27001 requires:
- Management to review the ISMS at planned intervals. The review must include assessing opportunities for improvement, and the need for changes to the ISMS, including the security policy and security objectives, with specific attention to previous corrective or preventative actions and their effectiveness.
- Periodic internal audits. The results of the reviews and audits must be documented and records related to the reviews and audits must be maintained.
What you will need: To perform management reviews, ISO 27001 requires the following input:
- results of ISMS internal and external audits and reviews
- feedback from interested parties
- techniques, products, or procedures which could be used in the organization to improve the effectiveness of the ISMS
- preventative and corrective actions (including those that might have been identified in previous reviews or audits)
- incident reports, for example if there has been a security failure, a report that identifies what the failure was, when it occurred, and how it was handled and possibly corrected.
- vulnerabilities or threats not adequately addressed in the previous risk assessment
- follow-up actions from previous reviews
- any organizational changes that could affect the ISMS
- recommendations for improvement
To perform internal audits periodically, you need to define the scope, criteria, frequency, and methods. You also need the procedure (which should have been written as part of step 10) that identifies the responsibilities and requirements for planning and conducting the audits, and for reporting results and maintaining records.
Results: The results of a management review should include decisions and actions related to:
- Improvements to the ISMS
- Modification of procedures that affect information security at all levels within the organization
- Resource needs
- The results of an internal audit should result in the identification of nonconformity and their related corrective actions or preventative actions. ISO 27001 lists the activity and record requirements related to corrective and preventative actions.
13 Prepare for the certification audit
If you plan to have your ISMS certified, you will need to conduct a full cycle of internal audits, management reviews, and activities in the PDCA process. The external auditor will first examine your ISMS documents to determine the scope and content of your ISMS. Then the auditor will examine the necessary records and evidence that you implement and practice what is stated in your ISMS. What you will need:
- All of the documents that you created in the preceding steps.
- Records from at least one full cycle of management reviews, internal audits, and PDCA activities, and evidence of responses taken as the result of those reviews and audits.
Results:
The results of this preparation should be a set of documents that you can send to an auditor for review and a set of records and evidence that will demonstrate how efficiently and completely you have implemented your ISMS.
14 Ask for help
As you can see, establishing, implementing, and maintaining an ISMS can require a lot of work—especially in its formative stages. If you are new to management systems or specifically information security management systems, you can consider hiring us to guide you through the process. Our familiarity with the requirements of an ISMS and the suggested controls.
What I offer in the field of ISO 27001 standard implementation and certification
I can provide unmatched expertise and technical competence to ensure that your ISO 27001 ISMS certification project adds value to your organization.
I provide consulting, training, internal audits, pre-assessment audits and facilitation during ISO 27001 certification audits.
I can offer the global knowledge moulded locally to bring in the best results for the clients and partner their journey of standardization, compliance, growth, success and continual improvements.
Contact now, to get your organization ISO 27001 certified most effectively and efficiently while realizing the true benefits of the certification using our specialized ISMS implementation methodology that is less time-consuming, fast, easy to understand and implement, result-oriented, time-bound and cost-effective. Get ISO 27001 certified now …
