Yes! There is a lot of buzz around information security. Questions such as 'Is our company secure in terms of information security?', 'How can we check?', 'Is there a checklist?' and 'What are the information security criteria?' come up constantly. The answers to all of them start with the basics of ISO 27001 certification.
What is ISO 27001 Certification?
ISO 27001 is the international standard that specifies the requirements for an Information Security Management System (ISMS). It does not prescribe a single technology; it is a framework of policies, practices and procedures backed by physical, technical and administrative controls. When we speak about controls, we can simply classify them in three ways, along with the department usually responsible for each.
Physical controls – owned by the admin or facility manager – locks, alarm systems, video surveillance
Digital or technical controls – owned by IT support or the IT manager
Administrative controls – owned by Human Resources or management heads
(Examples of the technical and administrative controls are given under the Annex A areas below.)
What are the simple steps to implement IT security? Is there an ISO 27001 ISMS checklist?
Yes, there are a number of ISMS checklists that you can download for reference. You can also reach out to our CertPro professionals for such ISMS checklists.
Based on our research into what top companies generally practice, we have simplified the standard into the 7 steps given below:
Step 1: Identify the key areas (business processes, systems and information assets) of the organization.
Step 2: Classify information simply as confidential, internal, or public.
Step 3: Define who may access each class of information and identify the risks involved.
Step 4: Invest your resources in securing the most valuable assets and confidential information first, by selecting the right controls for the risks found.
Step 5: Monitor the controls you have implemented and measure whether they work.
Step 6: Define your backup and recovery arrangements as part of a Business Continuity Plan.
Step 7: Conduct repeated internal audits to refine the process before the certification audit.
What are the areas of control in ISO 27001 ISMS, and what do the ISMS clauses mean?
ISO 27001:2013 has 10 clauses. Clauses 1 to 3 are introductory and not auditable; clauses 4 to 10 contain the mandatory ISMS requirements that an auditor assesses. The individual security controls are listed separately in Annex A (see below).
Clause 1- Scope
Clause 2- Normative reference
Clause 3- Terms & definition
Clause 4- Context of the organization- understanding the organization and its context, the needs & expectations of interested parties, defining the scope of the ISMS, and establishing, implementing, maintaining and continually improving the ISMS.
Clause 5- Leadership- top management commitment, the ISMS policy, and defined roles & responsibilities, typically a person (CISO, Chief Information Security Officer) or a team (core team) to look after all ISMS activities.
Clause 6- Planning- the information security risk assessment and risk treatment process, ISMS objectives (short-term and long-term goals), and a plan to achieve those objectives.
Clause 7- Support- identify the resources, train your team on the ISMS, evaluate competence and raise awareness of the current system and its requirements. Besides these, you also need to define internal and external communication and the control of documented information.
Clause 8- Operation- operational planning and control of the core business activities, performing the risk assessment at planned intervals, and implementing the risk treatment plan using the methodology chosen under clause 6.
Clause 9- Performance evaluation- monitor, measure, analyze and evaluate, conduct internal audits, and hold management review meetings.
Clause 10- Improvement- identify nonconformities, prioritize and implement corrective actions, and set new objectives and goals for continual improvement.
Annex A is the reference list of control objectives and controls.
So what is Annex A? Are Annex A and the Statement of Applicability (SoA) the same? What does it say?
No, they are not the same. Annex A is the reference list of control objectives and controls that ships with the standard, organized into the areas A5 to A18 below. The Statement of Applicability (SoA) is a document the organization writes itself (required by clause 6.1.3): it lists every Annex A control, states whether it is applicable, justifies each inclusion and exclusion, and records whether each applicable control is implemented. Annex A is the menu; the SoA is your order from it, and the auditor checks the SoA against what is actually in place.
A5– Information security policies (administrative controls – the ISMS policy and its review)
A6– Organization of information security (administrative controls – internal roles and segregation of duties, mobile device and teleworking policies, etc.)
A7– Human resource security, before hiring, during employment and at exit (administrative controls – non-disclosure agreements, background verification, etc.)
A8– Asset management (administrative, physical and technical controls – asset responsibility; classification, labelling, handling and disposal of information)
A9– Access control (administrative, physical and technical controls – access control policy, user access management, user responsibilities, system and application-level access control)
A10– Cryptography (technical controls – policy on the use of cryptographic controls and key management)
A11– Physical and environmental security (physical controls – locks, barriers, surveillance cameras, equipment security, etc.)
A12– Operations security (administrative, physical and technical controls – documented operating procedures, change management, software and application controls, backups and logging, technical vulnerability management including vulnerability assessment and penetration testing, VAPT)
A13– Communications security (administrative, physical and technical controls – segregation of internal and external networks, security of information transfer within and outside the network, etc.)
A14– System acquisition, development and maintenance (administrative, physical and technical controls – secure engineering principles, trusted applications, acceptance test criteria, change control and roll-back procedures, etc.)
A15– Supplier relationships (administrative, physical and technical controls – supplier agreements, service level and operational level agreements, information security in the supply chain, response and resolution times, delivery principles, etc.)
A16– Information security incident management (administrative, physical and technical controls – reporting procedure, responsibilities, awareness, response, and learning from incidents, etc.)
A17– Information security aspects of business continuity management (administrative, physical and technical controls – plan, implement, review, and redundancy for availability)
A18– Compliance (administrative, physical and technical controls – legal and contractual requirements, NDAs, customer agreements, inputs and outputs of third-party audits, administrative and technical compliance reviews)
With the items above as a reference, you know what to implement and which areas to address for information security. You can always reach out to CertPro: our team has been implementing ISO 27001 hands-on and is happy to assist you with implementation, guide you, and provide the necessary knowledge and templates.
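As an added example (not from the original article and not one of CertPro's templates), the Python script below ties Steps 2 to 4 of the checklist to the Annex A list: it classifies assets, derives the access rule for each class, scores every risk as likelihood x impact against an acceptance criterion, and generates a Statement of Applicability from a handful of Annex A areas. It shows in code why Annex A and the SoA are different documents: the control list is fixed, while the applicable/excluded decisions and their justifications are the organization's own. The asset names, threats, scores, the threshold of 6 and the access-rule wording are constructed for illustration.

```python
"""Toy ISMS risk register and Statement of Applicability (SoA) builder.

Added example, not part of the original article or of CertPro's templates.
Assets, threats, likelihood/impact scores and the acceptance threshold are
constructed for illustration. Control numbers follow ISO/IEC 27001:2013
Annex A as listed in the article; only a handful of areas are included.
"""
from dataclasses import dataclass

# Step 2: the three classification levels, and Step 3: the default access
# rule each level implies (assumed policy wording, not from the standard).
ACCESS_BY_CLASSIFICATION = {
    "public": "anyone, read-only",
    "internal": "all employees",
    "confidential": "named roles only, least privilege, access reviewed",
}

# Subset of Annex A (2013) control areas, keyed as in the article's list.
ANNEX_A = {
    "A9": "Access control",
    "A10": "Cryptography",
    "A11": "Physical and environmental security",
    "A12": "Operations security",
    "A17": "Business continuity",
}

RISK_ACCEPTANCE = 6  # assumed criterion: likelihood x impact above 6 must be treated


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str  # one of ACCESS_BY_CLASSIFICATION
    owner: str           # department responsible for the asset

    def access_rule(self) -> str:
        if self.classification not in ACCESS_BY_CLASSIFICATION:
            raise ValueError(f"unknown classification {self.classification!r}")
        return ACCESS_BY_CLASSIFICATION[self.classification]


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    controls: tuple      # Annex A areas that would treat this risk

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def prioritise(risks, threshold=RISK_ACCEPTANCE):
    """Step 4: risks above the acceptance criterion, highest score first."""
    return sorted((r for r in risks if r.score > threshold),
                  key=lambda r: r.score, reverse=True)


def build_soa(risks, annex_a=ANNEX_A, threshold=RISK_ACCEPTANCE):
    """Derive the SoA: each Annex A area marked applicable or excluded, with a reason.

    Annex A is the fixed reference list; the SoA records this organisation's
    decision about every entry, which is why the two are not the same document.
    """
    reasons = {}
    for risk in prioritise(risks, threshold):
        for control in risk.controls:
            reasons.setdefault(control, []).append(
                f"{risk.threat} on {risk.asset.name} (score {risk.score})")
    soa = {}
    for control, title in annex_a.items():
        if control in reasons:
            soa[control] = ("applicable", title, "; ".join(reasons[control]))
        else:
            soa[control] = ("excluded", title, "no risk above the acceptance criterion")
    return soa


# Constructed sample register (illustrative values only).
PAYROLL = Asset("payroll database", "confidential", "HR")
WIKI = Asset("intranet wiki", "internal", "IT")
BROCHURE = Asset("product brochure", "public", "Marketing")

RISKS = [
    Risk(PAYROLL, "unauthorised access by staff", 3, 5, ("A9", "A10")),
    Risk(PAYROLL, "backups lost or unrestorable", 2, 5, ("A12", "A17")),
    Risk(PAYROLL, "server stolen from office", 1, 5, ("A11",)),
    Risk(WIKI, "page defaced by insider", 2, 2, ("A9",)),
    Risk(BROCHURE, "public copy altered", 1, 1, ()),
]

if __name__ == "__main__":
    for asset in (PAYROLL, WIKI, BROCHURE):
        print(f"{asset.name:20} {asset.classification:13} -> {asset.access_rule()}")
    print("\nRisks to treat:")
    for risk in prioritise(RISKS):
        print(f"  {risk.score:2}  {risk.asset.name}: {risk.threat}")
    print("\nStatement of Applicability:")
    for control, (status, title, why) in build_soa(RISKS).items():
        print(f"  {control:4} {title:36} {status:10} {why}")
```

With the sample register, only the two payroll risks scoring 15 and 10 exceed the threshold, so A9, A10, A12 and A17 come out applicable and A11 is excluded with its reason recorded. In a real SoA an exclusion of physical security would rarely survive review, which is the point of writing the justification down: the auditor reads the SoA, not Annex A, and challenges each exclusion against the risk assessment and any legal or contractual obligations.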
Who can have ISO 27001? What is the current version? Is there a revision, and if so, when will it be released?
Any organization that handles large amounts of data and treats the security of that data as a primary concern. Some of the major sectors are banking, for securing customer financial data and other company transactions; hospitals, for securing patients' health data and treatment records; software product and service companies; and government offices, since most citizens' data is processed and stored there.
The 2013 version is the one described in this article. It was systematically reviewed in 2019 and confirmed unchanged, as ISO does for each standard roughly every five years.
At the time of writing, the next major revision was expected around 2024-25. In fact it arrived earlier: ISO/IEC 27001:2022 was published in October 2022, so check which edition your certification body is auditing against.