Last week, Walter Buyu mentioned that the next few articles will deal with standards, and we’ll start with ISO 27001. Before we “get our hands dirty”, though, it is important to understand the following concepts, because they are the building blocks of effective governance:
Policy: This is a formal statement (or an intention) that presents a set of principles regarding a particular topic. This does not have to be detailed. You can read more about the different cybersecurity policies in our article from week 15.
Standard: In a nutshell, this tends to outline the minimum requirements that should be met while creating a new asset or going through a process (for example, pre-employment checks before hiring an individual).
Procedures: This is like an instruction manual that details the step-by-step actions required to meet a goal or mandate.
Guidelines: These describe recommended practices. They are not mandatory and are usually applied where no specific standard covers the situation.
So, what is ISO 27001?
First of all, ISO 27001 belongs to the ISO 27000 family of standards, which aims at protecting the confidentiality, integrity, and availability (CIA) of an organization’s information assets. It was developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which is why its full designation is ISO/IEC 27001. ISO is an independent, non-governmental body.
ISO 27001 specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It applies to organizations of all sizes, independent of sector (for example, finance, telecommunications, or healthcare). Its companion standard, ISO 27002, supplies the implementation guidance for the individual controls.
(Note: You can read more about each standard within the series here).
The benefits of implementing this standard include:
Increased preparedness towards threats.
Enhanced resilience towards cyberattacks.
Top-to-bottom organizational protection.
Alignment with the CIA triad.
Reduction of costs.
Compliance with legal and regulatory, as well as contractual requirements.
Improved customer trust.
(Note: Unfortunately, due to intellectual property issues, we cannot share a free downloadable version of the standard. Should you choose to learn more beyond the summary below, you could get it from here).
The standard is divided into Clauses and Annex A. There are 11 clauses, numbered 0 to 10. Clauses 0 to 3 are introductory; clauses 4 to 10 contain the requirements that an organization must meet and that an auditor checks. These include:
Introduction: The standard as well as its purpose are introduced.
Scope: This provides a high-level view of the ISMS and requirements for treating risk. In addition, there’s also mention as to who can use the standard.
Normative References: This lists the documents that are indispensable for applying the standard. For ISO 27001 that is ISO/IEC 27000, which supplies the vocabulary used throughout the ISO 27000 family.
Terms and Definitions: This lists the key terms and definitions.
Context of the Organization: Here the organization needs to demonstrate that it understands the internal and external issues that affect its ISMS, including interested parties (stakeholders) and regulatory/compliance requirements. Each organization is required to define and document the scope of its ISMS.
Leadership: This clause mandates management buy-in.
Planning: This states that the ISMS must be designed based on the organization’s context and a risk assessment, not simply on the current IT estate. The clause covers the risk assessment and risk treatment processes (which must be defined and documented) and requires measurable information security objectives.
Support: This clause requires that the organization provide the resources (including competent, trained staff and security awareness), communication, and documented information needed to operate the ISMS.
Operation: This clause requires the organization to plan, implement, and control the processes needed to meet its security objectives, and to perform risk assessments and risk treatment at planned intervals or when significant changes occur.
Performance Evaluation: This highlights the need to monitor and measure the ISMS, to conduct internal audits at planned intervals, and to hold management reviews.
Improvement: This states that the findings from Performance Evaluation should be used to improve the ISMS, including correcting nonconformities and addressing their causes.
Annex A, on the other hand, contains the reference controls. ISO/IEC 27001:2013 listed 114 controls grouped into the 14 categories below; the 2022 revision consolidates them into 93 controls across four themes (organizational, people, physical, and technological). The 2013 categories remain a useful map of what the controls cover:
Information Security Policies: This category covers how security policies are approved, published, communicated, and reviewed.
Organization of Information Security: This category highlights the need for defined roles and responsibilities, which should be communicated clearly to each individual. It also covers mobile devices and teleworking.
Human Resource Security: These controls cover the onboarding and offboarding of employees (including changes of position), from pre-employment screening through to responsibilities that survive termination.
Asset Management: These controls cover the inventory, ownership, classification, and handling of assets, such as hardware, software, and databases.
Access Control: This category answers the question, “How do we manage access to valuable data?” It covers the business requirements for access, user access provisioning and review, user responsibilities, and access to systems and applications.
Cryptography: In a nutshell, this category requires a policy on the use of cryptographic controls and on key management, so that encryption is applied where the risk assessment calls for it, with appropriate algorithms and sound key handling. It does not prescribe specific algorithms.
Physical and Environmental Security: Gaps in physical access can undermine cybersecurity, hence this category focuses on securing the organization’s premises and equipment.
Operations Security: These controls cover day-to-day operations: documented operating procedures, change management, protection from malware, backups, logging and monitoring, and technical vulnerability management.
Communications Security: This category, as the name suggests, addresses network security management and the transfer of information (e.g., email and videoconferencing), including the requirement to protect data in transit.
System Acquisition, Development, and Maintenance: These controls address how security requirements are built into systems when they are acquired or developed, and how they are maintained, including secure development practices and the protection of test data.
Supplier Relationships: These controls address the risks introduced by third parties (and the wider supply chain), through security requirements in supplier agreements and monitoring of supplier service delivery.
Information Security Incident Management: This category requires processes to report, assess, respond to, and learn from incidents, including the collection of evidence.
Information Security Aspects of Business Continuity Management: These controls mandate that companies be prepared for disruptive events, including but not limited to floods and outages, that could affect the confidentiality, integrity, or availability of information.
Compliance: These controls require the organization to identify and meet its legal, regulatory, and contractual requirements, and to have its information security reviewed independently at planned intervals.
The video below highlights the key points you need to know with regard to this standard (including how to get your organization certified).
(Note: You can find an ISO 27001 Implementation Guide here).
(Note: After implementation, an accredited certification body performs an independent audit, typically in two stages: a review of the ISMS documentation, followed by an on-site assessment of whether the controls are actually implemented. The auditor reports any nonconformities; once major nonconformities are closed, the certification body issues the certificate. Certification is valid for 3 years, subject to annual surveillance audits, after which a recertification audit is required. A key document you must maintain is the Statement of Applicability (SoA), which lists every Annex A control, states whether it applies (with a justification), and records its implementation status. You can read about it here).
Next week we’ll look at the CIS Controls.
This article is part of a project called Security Chronicles, written jointly with Walter Buyu.