As one of the first data protection standards, ISO/IEC 27001 provides a comprehensive framework for information security management systems which can be adopted by any organization. ISO/IEC 27002 complements 27001, providing more specific security controls and guidance on their implementation.
What is the ISO 27001 standard?
What is the ISO 27002 standard?
Is ISO 27001 compliance, audit or certification mandatory?
What is the difference between ISO 27001 and SOC 2?
What are the ISO 27001 requirements?
What are the ISO 27001 security controls?
What documents and records are mandatory under ISO 27001?
What is the ISO 27001 standard?
ISO/IEC 27001 is a global standard designed to establish, maintain and continuously improve a corporate Information Security Management System (ISMS) to protect corporate data in a holistic manner. It is jointly developed and maintained by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The first version of the standard (27001:2005) was published in 2005. The current version is 27001:2022.
The overarching ISO 27001 standard encompasses people, technology and processes within covered organizations, providing multidimensional protection from diverse risks and threats. The standard also calls for commitment and support for information security by management at all levels of an organization. In addition to traditional cybersecurity requirements, ISO 27001 covers areas such as business continuity and disaster recovery, human risk management and security awareness, physical protection of non-digital information and regulatory compliance. It is considered one of the most inclusive data protection standards and goes far beyond technology and IT processes. Large companies may spend several years implementing all of the requirements prior to achieving certification.
Interestingly, and in contrast with other well-known security standards such as NIST 800-53 or NIST 800-171, the text of the ISO 27001 standard is not publicly available and has to be purchased for a small fee at the ISO website in a PDF, EPUB or paper format.
What is the ISO 27002 standard?
The ISO/IEC 27002 standard merely supplements ISO 27001 by providing detailed guidelines and actionable best practices on how to implement the ISMS security controls from Annex A of ISO 27001. The most recent version of ISO 27002 is currently ISO 27002:2022.
In contrast to the ISO 27001 standard, there is no formal certification process for ISO 27002 compliance. However, it can be expressly incorporated in ISO 27001 ISMS documentation as the primary source of guidance for security controls implementation. Integration of ISO 27002 into ISO 27001 is considered to be good practice, and provides additional assurance for concerned parties.
ISO 27017 further expands ISO 27002 controls for the cloud environment, and is considered best practice among cloud service providers.
Is ISO 27001 compliance, audit or certification mandatory?
In contrast to laws and regulations, such as GDPR in the EU or NYDFS in the state of New York, ISO 27001 compliance and certification are not mandatory. However, the standard has effectively become a widespread prerequisite for suppliers of many large organizations and governmental entities, many of whom now require ISO 27001 certification from their contractors and vendors.
Many organizations incorporate mandatory ISO 27001 compliance, certified by an external audit, into their third-party risk management program (TPRM). They may contractually impose yearly submission of external audit reports, periodic onsite inspections and even monetary fines for unresolved non-conformity with the standard. Repetitive violations of these contractual provisions may lead to contract termination and loss of business for suppliers.
External ISO 27001 audit and certification is voluntary. But most organizations prefer to be audited by an accredited auditor (e.g. UKAS or ANAB), also known as accredited registrar or accredited certification body, to independently validate their adherence to the standard.
What is the difference between ISO 27001 and SOC 2?
Service Organization Control (SOC), designed and maintained by the American Institute of Certified Public Accountants (AICPA), is not a certification but rather a set of interrelated auditing reports validating proper implementation of internal controls by service companies.
There are different types of SOC reports. A SOC 2 report attests compliance with security controls from the so-called Trust Service Principles (TSP), which include five categories of controls: security, availability, confidentiality, processing integrity and privacy. There are two types of SOC 2 reports: the SOC 2 Type 1 report provides a snapshot of the organization's state of security at a specific point in time; the SOC 2 Type 2 report covers compliance during a certain period of time, usually spanning 6 to 12 months, validating continuous compliance with the enacted security controls. Compared to ISO 27001 certification, SOC 2 reports – attesting conformity with the TSP controls – are considerably less complicated and time-consuming to obtain.
Valid SOC 2 reports may be provided only by licensed Certified Public Accountant (CPA) firms or individuals. SOC 2 is more prevalent in the US, while ISO 27001 is more of an international and globally recognized standard. An ISO 27001-certified organization should normally have no difficulties in obtaining SOC 2 Type 1 and Type 2 reports.
What are the ISO 27001 requirements?
A significant number of modern security standards and laws, such as PCI DSS or the SHIELD Act, are largely focused on technology and practical implementation of the related security controls. But ISO 27001 also emphasizes the importance of people and processes in the organization, promotes security awareness and requires personal involvement of top management with the continuous improvement of the ISMS.
The ISO 27001:2022 standard is composed of 10 Clauses with numerous subclauses:
1. Scope
2. Normative References
3. Terms and definitions
4. Context of the organization
- Understanding the organization and its context
- Understanding the needs and expectations of interested parties
- Determining the scope of the information security management system
- Information security management system
5. Leadership
- Leadership and commitment
- Policy
- Organizational roles, responsibilities and authorities
6. Planning
- Actions to address risks and opportunities
- Information security objectives and planning to achieve them
7. Support
- Resources
- Competence
- Awareness
- Communication
- Documented information
8. Operation
- Operational planning and control
- Information security risk assessment
- Information security risk treatment
9. Performance evaluation
- Monitoring, measurement, analysis and evaluation
- Internal audit
- Management review
10. Improvement
- Continual improvement
- Nonconformity and corrective action
While Clauses 1 to 3 are merely introductory, proper implementation of Clauses 4 to 10 is mandatory to achieve compliance with the standard. The ISO 27001 requirements offer a risk-based approach to the implementation and continuous improvement of a corporate information security strategy, based on a multifaceted ISMS capable of adequately mitigating technical, physical, human and legal risks to an acceptable level.
Under the standard, risk assessment and consequent risk mitigation planning may be unique for each organization; ISO 27001 neither dictates the method of conducting risk assessments, nor does it set a minimum bar for risk acceptance or tolerance. This unique feature of ISO 27001 provides organizations with fairly broad flexibility, adjustable to their specific business context, needs and priorities. Having said that, risk treatment plans will obviously need to meet existing laws and industry regulations.
Organizations looking for sound risk assessment and treatment methodologies should consider the ISO 27005 standard that provides detailed guidelines on risk management. Similarly to ISO 27002 mentioned above, ISO 27005 supplements the ISO 27001 standard.
What are the ISO 27001 security controls?
By virtue of Clause 6.1.2, ISO 27001 requires organizations to perform an ongoing risk assessment, along with a risk treatment process described in Clause 6.1.3.
There are no specific security controls in the standard, with organizations able to select their own security controls to mitigate any risks. However, Annex A of ISO 27001 contains a non-exhaustive list of recommended security controls, as a way of providing more specific technical guidance to organizations. Implementation of these security controls is elaborated by ISO 27002.
ISO 27001:2022 Annex A currently contains 93 controls grouped into four sections (A.5 to A.8):
A.5 Organizational controls
A.6 People controls
A.7 Physical controls
A.8 Technological controls
The wide spectrum of security controls, spanning from physical safeguards and security training to supply chain risk management and meeting regulatory requirements, makes ISO 27001 one of the most comprehensive data protection standards.
For instance, A.5.32 addresses intellectual property requirements by preventing negligent or unwitting infringement of licensing agreements or violation of copyright law. Privacy legislation is covered by control A.5.34, which mandates protection of personal data (PII) as prescribed by the applicable privacy laws, such as LGPD in Brazil or PDPA in Singapore. Thus, a violation of an applicable law or industry standard, such as HIPAA or PCI DSS, may potentially trigger a major non-conformity with ISO 27001 and even lead to a suspension of certification if spotted during an annual audit.
It is important to note that the foregoing controls from Annex A may be excluded if irrelevant to the ISMS scope or non-applicable in the organizational context. Nonetheless, it is good practice to consider all of the controls, avoid exclusions and properly document risk mitigation controls in case a currently non-applicable control becomes necessary one day.
One should also bear in mind that the controls from Annex A are not a ceiling but rather a bottom line. When a risk assessment requires additional security controls in order to adequately mitigate identified risks to an acceptable level, additional controls must be implemented even if they are not expressly mentioned in the Annex.
How to implement ISO 27001?
Cybersecurity professionals commonly follow divergent checklist approaches to tactically implement the ISO 27001 standard, depending on the location, industry or size of the business seeking certification. The underlying strategy is, however, pretty similar and consistent.
First, the organization wishing to be ISO 27001 certified should analyze and agree on the underlying needs and the desired outcomes of the ISMS within the context of its business (Clause 4.1). When doing so, the organization should likewise consider “relevant” needs and concerns of the so-called interested parties (Clause 4.2). The interested parties can include clients, partners, employees or regulators who may be positively or negatively affected by the ISMS implementation. For instance, customers will certainly appreciate more assurance that their data is adequately protected, while suppliers may be wary of additional due diligence requirements.
The organization must then define the actual scope of the ISMS (Clause 4.3). ISO 27001 scoping is somewhat similar to the PCI DSS scoping of the Cardholder Data Environment (CDE), but, in contrast to the clearly imposed guidelines for the CDE scope, ISO 27001 may apply to any part, office or specific site of the covered entity. It’s essential to properly determine the boundaries of the ISMS, considering organizational context and needs, as well as involvement of third parties in the business processes (e.g. external cloud storage or outsourced credit card processing). Commonly, small and medium-sized organizations select their entire infrastructure to be in the ISMS scope, while large international businesses may exclude some offices or locations, where no sensitive data is processed or stored, to reduce costs. Any unjustified or excessively wide exclusions (e.g. of regional offices or departments that have access to the data that the ISMS aims to protect) will likely be a red flag – so it’s important to take care with the scoping process.
The next step is to obtain a long-term commitment from the organizational leadership (Clause 5.1) to continuously support and adequately maintain the ISMS through the allocation of requisite resources and promoting a healthy security culture within the organization. Clause 5.2 is probably one of the most straightforward; it requires the creation of detailed documentation, including numerous policies and procedures to describe the ISMS, underlying processes and implemented security controls. Eventually, the organization should unambiguously assign roles and responsibilities, and grant necessary authority to employees to fulfill their ISMS-related duties, pursuant to Clause 5.3 of the standard.
Crucial ISMS implementation steps derive from Clause 6.1 that includes risk assessment, analysis and treatment. In a nutshell, subclauses 6.1.1 to 6.1.3 require the organization to cautiously identify and assess the applicable risks, define a reasonably acceptable risk level and then determine and implement security controls to efficiently mitigate those risks. During this phase, the Statement of Applicability (SoA) comes into play. This foundational ISMS document should contain a list of necessary controls, justifications for their inclusion and implementation status, as well as justifications for exclusions (if any). From a practical viewpoint, the SoA may be a Microsoft Excel file providing easily understood information about the current ISMS status.
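To make the Clause 6.1.2/6.1.3 chain concrete (score a risk, compare it against an organization-defined acceptance criterion, select treating controls, then derive the Statement of Applicability with justifications for inclusions and exclusions), here is a small risk register to SoA generator. It is an added illustration written for this page, not code from the article or from ISO. Control identifiers A.5.32 and A.5.34 are cited in the article; the other Annex A identifiers and their paraphrased titles are assumptions of this example, as are the 1 to 5 scoring scale, the acceptance threshold and the sample risks.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed, abbreviated catalogue of ISO/IEC 27001:2022 Annex A controls.
# A.5.32 and A.5.34 are cited in the article; the remaining identifiers are
# assumed by this example and all titles are paraphrased.
ANNEX_A = {
    "A.5.15": "Access control",
    "A.5.32": "Intellectual property rights",
    "A.5.34": "Privacy and protection of PII",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.13": "Information backup",
    "A.8.15": "Logging",
}

# Constructed risk acceptance criterion (Clause 6.1.2 leaves this to the
# organization): a risk whose level (likelihood x impact, each 1..5) is at or
# below this value is accepted; anything above it must be treated.
RISK_ACCEPTANCE_THRESHOLD = 6


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    controls: list[str] = field(default_factory=list)  # Annex A IDs chosen as treatment

    @property
    def level(self) -> int:
        return self.likelihood * self.impact


def validate_risk(risk: Risk, catalogue: dict[str, str]) -> None:
    """Reject scores outside the scale and control IDs not in the catalogue."""
    for name, score in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= score <= 5:
            raise ValueError(f"{risk.risk_id}: {name} {score} outside 1..5")
    unknown = [c for c in risk.controls if c not in catalogue]
    if unknown:
        raise ValueError(f"{risk.risk_id}: unknown Annex A controls {unknown}")


def treatment_decision(risk: Risk, threshold: int) -> str:
    """Compare the risk level with the acceptance criterion (Clause 6.1.2)."""
    return "accept" if risk.level <= threshold else "treat"


def control_sort_key(control_id: str) -> tuple[int, ...]:
    # "A.8.8" must sort before "A.8.13"; plain string order gets this wrong.
    return tuple(int(part) for part in control_id.split(".")[1:])


def build_soa(risks: list[Risk], catalogue: dict[str, str], threshold: int) -> dict:
    """Derive the Statement of Applicability from the risks that need treatment (Clause 6.1.3)."""
    for risk in risks:
        validate_risk(risk, catalogue)
    needed: dict[str, list[str]] = {}   # control id -> risks whose treatment relies on it
    for risk in risks:
        if treatment_decision(risk, threshold) == "treat":
            if not risk.controls:
                raise ValueError(f"{risk.risk_id}: level {risk.level} exceeds threshold but has no treatment")
            for control in risk.controls:
                needed.setdefault(control, []).append(risk.risk_id)
    soa = {}
    for control_id in sorted(catalogue, key=control_sort_key):
        risk_ids = needed.get(control_id, [])
        soa[control_id] = {
            "title": catalogue[control_id],
            "applicable": bool(risk_ids),
            "risks": risk_ids,
            "justification": (
                f"Selected to treat {', '.join(risk_ids)}" if risk_ids
                else "Excluded: no risk above the acceptance threshold requires this control"
            ),
        }
    return soa


# Constructed sample risk register.
SAMPLE_RISKS = [
    Risk("R1", "Unpatched internet-facing server compromised", 4, 4, ["A.8.8", "A.8.15"]),
    Risk("R2", "Customer PII disclosed through excessive staff access", 3, 4, ["A.5.15", "A.5.34"]),
    Risk("R3", "Developer installs unlicensed software", 2, 2, ["A.5.32"]),
    Risk("R4", "Office file server data lost without a restorable copy", 2, 4, ["A.8.13"]),
]

if __name__ == "__main__":
    for cid, row in build_soa(SAMPLE_RISKS, ANNEX_A, RISK_ACCEPTANCE_THRESHOLD).items():
        status = "applicable" if row["applicable"] else "excluded  "
        print(f"{cid:<7} {status} {row['title']:<40} {row['justification']}")
```

With the sample register, R3 scores 4 and falls under the threshold, so A.5.32 ends up excluded with a recorded justification, while the other five controls are marked applicable and traced back to the risk that selected them; the traceability column is what an auditor will ask for when checking that the SoA follows from the risk assessment rather than the other way round.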
Akin to some privacy laws that impose specific qualifications or experience requirements for Data Protection Officers (DPO), Clause 7.2 of ISO 27001 requires covered organizations to determine necessary experience, training or education for personnel who will implement and maintain the ISMS. There are no specific requirements under the standard, but the skills must be sufficient to execute ISMS-related tasks in a competent and qualified manner.
Subsequent Clauses 7.3 and 7.4 require personnel to be aware of the existence of the ISMS and its requirements, as well as an effective communication process within the organization to ensure efficient promulgation of ISMS-related information and updates internally. Clause 7.5 provides guidance on maintenance and safeguarding of the ISMS documentation, including role-based access, version control and retention. Ideally, all people within the organization should be familiar with the relevant policies and procedures and share their feedback with the ISMS management team for continuous improvement purposes.
Practical implementation of the security controls, interrelated processes and procedures is described by Clauses 8.1 to 8.3. Success of the ISMS implementation and achievement of its goals shall be measured in an ongoing manner as stipulated by Clauses 9.1 to 9.3, including effectiveness evaluation, internal audit and subsequent management review.
Finally, Clauses 10.1 and 10.2 guide organizations on how to mitigate the identified non-conformities by taking corrective actions in a continual and incremental manner.
What documents and records are mandatory under ISO 27001?
Although there are no formal requirements regarding formatting of ISMS documentation, the following information must be documented somewhere in writing:
• Scope of the ISMS
• Information security policy and objectives
• Risk assessment and risk treatment methodology
• Statement of Applicability
• Risk treatment plan
• Risk assessment and risk treatment report
• Definition of security roles and responsibilities
• Inventory of assets
• Acceptable use of assets
• Access control policy
• Operating procedures for IT management
• Secure system engineering principles
• Supplier security policy
• Incident management procedure
• Business continuity procedures
• Legal, regulatory and contractual requirements
Some organizations maintain a highly complex ecosystem of interconnected catalogues, policies, procedures and other documents mapped to the specific ISO 27001 Clauses or security controls from Annex A. It is, however, recommended to tailor ISMS documentation to the needs and context of the particular organization, keeping everything as simple as possible. The less complex the documentation, the less it will eventually cost to maintain, improve and audit it.
To comply with the continuous improvement requirements of the standard and to support ongoing efforts with verifiable evidence, organizations should also maintain the following written records:
• Records of training, skills, experience and qualifications
• Monitoring and measurement results
• Internal audit program
• Results of internal audits
• Results of the management review
• Results of corrective actions
• Logs of user activities, exceptions and security events
There are no specific file format or design requirements for these records; what matters is accessibility, readability, traceability and ease of maintenance.
List of authoritative ISO 27001 resources
• ISO/IEC 27001 web page
• ISO/IEC 27002 web page
• ISO/IEC 27005 web page
• ISO certification guidelines
• EU ENISA on the ISO 27001
How much does ISO 27001 audit and certification cost?
Organizations should bear in mind that external audit and formal certification come after implementation of the ISO 27001 requirements. The entire process may take many months and usually is the most significant component of ISMS implementation cost. External audit and ISO 27001 certification are merely the culmination of a complex, laborious and time-consuming process.
The audit process is composed of two externally performed audits for ISO 27001 standard compliance. The first audit is more focused on the ISMS documentation review and aims to assess overall readiness of the organization to fulfill the ISO 27001 requirements in a sustainable manner. The second part is dedicated to in-depth inspection of the documentation and implemented security controls, to ascertain that they are sufficient to mitigate the risks in terms of compliance with the existing ISMS policies and procedures. External auditors usually impose an annual surveillance audit that is comparatively short and often focused on reviewing how previously identified non-conformities, newly discovered risks or security incidents have been treated by the organization. Failure to comply with the ISMS requirements or largely inadequate security controls may lead to certification suspension.
The cost of auditing and certification may vary greatly depending on the scope of the ISMS, the nature of the business, and the quantity and complexity of the security controls. An SME can spend anything from 15 to 20 thousand USD, while a multinational business from a highly regulated industry, handling large volumes of sensitive data dispersed around the globe, should be prepared to invest a seven-digit figure. As mentioned above, it is vital to select a duly accredited auditor, such as SGS or BSI, with a proven track record of ISO auditing.
Disclaimer: No Legal Advice. The information on this page conveys general information only and does not provide a legal advice. The information on this page may not reflect the most recent legal developments. No action should be taken in reliance on the information on this page. A licensed attorney should be contacted for advice on specific legal issues.