What is ISO/IEC 27001?
ISO/IEC 27001 is a member of the ISO 27000 family of standards. The ISO 27001 standard is internationally accepted as a specification for an Information Security Management System (ISMS). It is one of the most widely used information security principles worldwide.
ISO 27001 outlines the necessary steps for establishing, implementing, maintaining and continually improving an ISMS. It also specifies how to assess and treat information security threats that are specific to an organization’s requirements. Its purpose is to provide guidance on how to protect information assets through the development and maintenance of an ISMS.
Every organization can benefit from ISO 27001 compliance. The requirements outlined in the standard are generic and are designed to be applicable to organizations of any type, size or nature. Certification to ISO/IEC 27001 is not obligatory, although some suppliers may require organizations to be ISO certified as a condition to work with them.
ISO 27001 was first released in 2005 to replace the BS7799-2 standard from the nineties. ISO 27001 was later updated in 2013 and, just recently, it received a fresh look with the release of its third edition in October of 2022. Most of the changes are minor. The main changes are as follows:
- The full title was changed from “Information technology — Security techniques — Information Security Management Systems — Requirements” to “Information security, cybersecurity and privacy protection — Information security management systems — Requirements.”
- There are minor word changes and some clarifications, one new clause, five new sub-clauses and the number of two clauses have been swapped.
- The most major change was aligning the Annex A controls to the new version of ISO 27002 which was released in February 2022.
There is officially a three-year transition period until October 31, 2025, at which point everyone will need to be compliant with the updated standard. Having said that, until October 31, 2023, organizations can complete their implementation and obtain certification based on ISO 27001:2013, after which they will have two years to graduate to ISO 27001:2022.
What are the requirements for ISO 27001?
ISO 27001 includes seven clauses as follows:
Clause 4: Context of the Organization
Clause 5: Leadership
Clause 6: Planning
Clause 7: Support
Clause 8: Operation
Clause 9: Performance evaluation
Clause 10: Improvement
When an organization claims conformity with the standard, they must adhere to all of the requirements outlined in Clauses 4 to 10 without excluding any of them.
Clauses 4 to 10 are about building a management system to run your information security, known as the information security management system (ISMS).
In addition, ISO 27001 has an Annex A section. This section is taken directly from the ISO 27002 standard. ISO 27002 / Annex A is intended to be used alongside Clause 6 which includes requirements for applying a risk assessment and the selection of appropriate risk treatment options according to those results. As you decide how to respond to each of your risks, you will determine controls to implement the different risk treatments chosen. You can design your own controls or use any sources to obtain them.
This is where Annex A comes in. Annex A contains a list of possible information security controls you can use to treat your risks. Organizations are directed to Annex A to ensure that no necessary information security controls are overlooked.
If you decide to go down the path of designing your own risk treatment controls, according to ISO 27001, you are required to compare the controls you’ve chosen to those in Annex A and verify that no necessary controls have been omitted.
This is accomplished by creating a Statement of Applicability which should include:
- a list of your chosen controls;
- justification for their inclusion;
- whether your controls have been implemented or not; and
- the justification for excluding any of the Annex A controls (for example, excluding the physical controls because you don’t have a physical office to protect).
Organizations can get certified by an accredited certification body following a successful audit of the organization’s ISMS.
Why should you be ISO 27001 compliant?
Companies all over the world are looking for ways to improve the security of the data and information that drives their operations. The paths to a data breach are varied, ranging from cyber attacks and hacking to human error and data leaks.
By adopting ISO 27001 for risk management and security excellence, you commit to not only implementing and maintaining all security policies and procedures but also creating and continually improving an information security management system (ISMS) to optimize and continuously track your risks.
The ISMS ensures the confidentiality, integrity and availability of your information through a thorough risk management process and gives confidence to stakeholders (clients, employees, suppliers, etc.) that your risks are adequately managed.
As you develop and refine your ISMS, you will be putting in the work to identify threats, analyze their potential effects, and implement controls to minimize them. With the ISO framework in place, your organization will be built on best practices that will support your business, customers and team. You will be able to build a structured business with defined policies and procedures, monitor risk more effectively, explain the impact of potential threats, increase customer trust, and set your business up for long-term success.
In addition, implementing ISO 27001 can simplify the process of achieving compliance with various international laws and compliance standards such as the GDPR and SOC 2 and can help you meet the information security controls of best practice frameworks such as the NIST CSF.
Compliance proves to internal and external parties your organization’s ability to meet your own information security requirements.
How to achieve compliance with ISO 27001:2022?
Organizations seeking to comply with the ISO/IEC 27001 must undergo audits regularly and implement and maintain its requirements. These mandatory requirements include ISMS scope determination, information security policy and topic-specific policies, risk assessment processes and procedures, the Statement of Applicability, evidence of competence, evidence of monitoring, and many more.
The Centraleyes platform provides a streamlined and supportive process for achieving ISO 27001 compliance, walking organizations through the necessary steps to fully prepare for the audits. With built-in questionnaires, templates for the Statement of Applicability and the required ISO policies, automated data collection and analysis, prioritized remediation guidance, and real-time customized scoring, companies will find everything they need to make it to the finish line, with the coveted certification just around the corner. The platform enables organizations to reach complete ISO readiness, both for companies who choose to use it as a risk framework and for those who want to prepare for full compliance with ISO 27001. Centraleyes offers full coverage for the 2013 version and the latest October 2022 release.
In addition, Centraleyes offers a smart mapping feature, linking the ISO 27001 questionnaire to its control inventory. This allows organizations to easily share information across various frameworks throughout the platform, saving time and money while also improving the accuracy of their data. The platform also provides organizations with complete visibility into their cyber risk levels and compliance status, and generates a report to help with audit preparation.
ISO/IEC 27001 and related standards