What is ISO/IEC 27001?
ISO/IEC 27001 is a member of the ISO 27000 family of standards. The ISO 27001 standard, which replaces the BS7799-2 standard, is internationally accepted as a specification for an Information Security Management System (ISMS). It is one of the most widely used information security principles worldwide.
Within the context of the enterprise, the structure defines the criteria for developing and constantly enhancing an information security management system. It also contains requirements for assessing and treating information security threats that are specific to the organization’s needs. The ISO/IEC 27001:2013 standards are general and intended for all organizations and industries. Certification to ISO/IEC 27001 is not obligatory.
What are the requirements for ISO 27001?
The ISO standard approaches information security from a risk-based perspective. This requires companies to identify information security threats and to implement effective controls to address them.
There are 114 controls in Annex A of ISO 27001, which are divided into 14 categories.
The following are the 14 categories of Annex A:
- A.5 Information security policies – controls on how policies are written and reviewed
- A.6 Organization of information security – controls on how responsibilities are assigned
- A.7 Human resources security – controls before employment, during, and after the employment
- A.8 Asset management – controls related to inventory of assets and acceptable use
- A.9 Access control – controls for the management of access rights of users, systems and applications
- A.10 Cryptography – controls related to encryption and key management
- A.11 Physical and environmental security – controls defining secure areas, entry controls, protection against threats, equipment security, etc
- A.12 Operational security – lots of controls related to the management of IT production
- A.13 Communications security – controls related to network security
- A.14 System acquisition, development and maintenance – controls defining security requirements
- A.15 Supplier relationships – controls on agreements and monitoring suppliers
- A.16 Information security incident management – controls for reporting events and weaknesses
- A.17 Information security aspects of business continuity management – controls requiring the planning of business continuity
- A.18 Compliance – controls requiring the identification of applicable laws and regulations
Aside from IT security (i.e., firewalls, anti-virus, etc.), this information security framework includes sections such as managing processes, legal protection, managing human resources and physical protection. Organizations are not required to implement all 114 of ISO 27001’s controls. These different controls are simply a list of possibilities that you should consider based on your organization’s requirements.
Why should you be ISO 27001 compliant?
Companies all over the world are looking for ways to improve the security of the data and information that drives their operations. The paths to a data breach are various and varied, ranging from cyber attacks and hacking to human error and data leaks.
By adopting ISO 27001 for security excellence, you commit to not only evaluating all security policies and procedures but also making significant and meaningful improvements to the information security management system (ISMS) to optimize and continuously track security.
By putting in the work to identify threats, analyze their potential effects, and implement controls to minimize them as you develop and refine your ISMS, you will build a framework based on ISO-certified best practices that will support your business, customers, and team. You will be able to better monitor risk, build a structure within your company, explain the effect of potential and realized threats, create authorization policies to securely protect the information, increase consumer trust, and set the business up for long-term success.
In addition, implementing ISO 27001 helps you meet the information security requirements of various international laws such as the EU GDPR (General Data Protection Regulation) and the NIS Regulations (Network and Information Systems).
How to achieve compliance?
Organizations seeking to comply with the ISO/IEC 27001 must undergo audits regularly and implement its requirements. These mandatory requirements vary from ISMS scope definition, security policy definition, risk assessment process, evidence of competence, evidence of monitoring, evidence of audits, and many more.
The Centraleyes platform provides solutions that streamline and support the process of achieving compliance such as built-in questionnaires, automated data collection and analysis, prioritized remediation guidance and real-time customized scoring. These tools assist with meeting the ISO 27001 framework, both for companies who chose to use this as a risk framework and for those who want to prepare for full compliance with ISO 27001.
Through the Centraleyes platform, your organization will also gain full visibility to its cyber risk levels and compliance and be fully prepared for the necessary audits.