What is ISO 27001? ISO 27001 Framework Explained

What does ISO 27001 mean?

ISO 27001 is published by the International Organisation for Standardisation, in a joint endeavour along with the International Electrotechnical Commission. The 27001 standard was first released in 2005, with another edition in 2013, and the current standard published in 2022. All the standards in the 27000 series of standards are produced in tandem with ISO and IEC, and cover information security in various degrees. ISO 27001 is considered foundational for all businesses and, for many, is the best place to start with standards compliance.

ISO and the purpose of the ISO 27001 framework

The purpose of the ISO 27001 is to outline how organisations can create safe, stable, risk-aware information security management systems to handle data securely. The system becomes a way to reduce risk and vulnerabilities and make the organisation more resilient.

The International Organisation for Standardisation is an impartial international body that has been in operation since 1946, and publishes over 25,000 standards, many in the technology sphere. ISO is one of the most-respected standards organisations in the world.

How does ISO 27001 work?

The ISO 27001 “provides requirements for establishing, implementing, maintaining

and continually improving an information security management system.” The document walks through the process of identifying business-specific goals, requirements, processes, etc., and then uses a risk management process to build or update an ISMS system. At all times, processes, systems, and controls across the organisation are viewed through an information security lens. The document can also be used for ISMS assessment and to treat existing risks within the organisation.

The areas covered are Context of the Organisation, Leadership, Planning, Support, Operation, Performance evaluation, and Improvement. Annex A provides an Information security controls reference.

Why is ISO 27001 important?

In gaining compliance with ISO 27001 accreditation, an organisation gets a public stamp of approval that they are managing information security within their business to a high, internationally-recognised standard. The ISO 27001 badge gives customers, clients, peers, prospective employees, and other parties, reassurance in the quality of information management, to an international standard.

What are the three principles of ISO 27001?

The three underlying principles of ISO 27001 is the CIA triad of cybersecurity fundamentals; confidentiality, integrity, and availability.

1. Confidentiality: Data and systems can only be accessed by authorised parties.
2. Integrity: Data and systems can only be edited and deleted by those authorised to do so.
3. Availability: Data and systems can be accessed by authorised parties when they need.

What are the ISO 27001 controls?

The ISO 27001 Annex A controls, or the Information security controls reference, is a list of practical controls that an organisation can implement to attain ISO 27001 certification. Even for organisations not looking to achieve certification, this controls list serves as a good benchmark for information security across the business. The domains addressed in the controls list are organisational, people, physical, and technology.

How many controls are there in ISO 27001?

Annex A of ISO 27001 lists 93 controls across the four domains: Organisational, People, Physical, and Technology. This is down from 114 controls in ISO 27001:2013.

How do you implement ISO 27001 controls?

Each of the controls within Annex A comes with a control objective, making it up to the organisation to figure out how they implement the control. This makes for a flexible design that means controls can be implemented within any business. ISO 27002 is a document that provides guidelines for implementing the controls, making for a handy companion to the ISO 27001.

Organisational controls (Control Number 5)

The Organisational controls (5.1-5.37) include:

• Policies for information security
• Segregation of duties
• Threat intelligence
• Classification of information
• Authentication information

People controls (Control Number 6)

The People controls (6.1-6.8) include:

• Information security awareness, education and training
• Disciplinary process
• Confidentiality or non-disclosure agreements
• Remote working
• Information security event reporting

Physical controls (Control Number 7)

The Physical controls (7.1-7.14) include:

• Physical security perimeters
• Physical entry
• Securing offices, rooms, and facilities
• Working in secure areas
• Clear desk and clear screen

Technological controls (Control Number 8)

The Technological controls (8.1-8.34) include:

• Privileged rights access
• Access to source code
• Protection against malware
• Information deletion
• Monitoring activities

Two parts of the standard

ISO 27001:2022 is in two parts. The first part is the main standard, covering an introductory Scope, Normative references, and Terms and definitions, then in-depth guides on Context of the Organisation, Leadership, Planning, Support, Operation, Performance evaluation, and Improvement. The second part is the annex to the standard, outlining the controls across the four domains.

What are the requirements for ISO 27001?

Apart from the controls outlined in Annex A, sections 4 to 10 of ISO 27001 detail how to document and manage information security.

4: Context of the Organisation

This section deals with the organisation itself and how the scope of the ISMS will be affected due to organisational context.

5: Leadership

The Leadership section outlines the roles and responsibilities of leaders within the space as well as codified policy.

6: Planning

Planning is mainly concerned with how the organisation deals with risks and opportunities in information security planning.

7: Support

The Support section is about how ISMS awareness, training, and communication occurs within the company.

8: Operation

Operation involves operational planning and controls, as well as risk assessment and treatment.

9: Performance evaluation

The Performance evaluation section covers how the organisation measures their success in information security management. This includes monitoring, analysis, auditing, and management reviews.

10: Improvement

Continuous improvement is a key focus of the ISO 27001 and this section outlines exactly how to make that possible.

Annex A: Information security controls reference

The Information security controls reference is covered in detail above.

What is ISO 27001 compliance?

ISO 27001 compliance means that an organisation complies with all the guidance and controls set out in the standard. ISO 27001 certification, on the other hand, is when the organisation tests this in practice by having a third party assessor come in and verify compliance to the standard.

ISO 27001 mandatory documents

As part of complying with the ISO 27001 standard, there are multiple mandatory documents and records that the organisation must keep. These include:

• Scope of the ISMS
• Information security policy and objectives
• Risk assessment and risk treatment methodology
• Statement of Applicability
• Risk treatment plan
• Risk assessment report

What is “ISO 27001 certified”?

Being ISO 27001 certified means an organisation has been audited and certified by an accredited third party assessor, such as Tesserent. ISO itself does not offer any certification services, they simply publish the standard.

Is ISO 27001 mandatory?

The ISO 27001 standard is not mandatory for most organisations, only seen as best practice for security. In some industries, government departments, company subsidiaries, and contracting arrangements, the standard may be compulsory. Always check with overseeing bodies, businesses, and legal contracts to see what is necessary in compliance rules and regulations.