What are the requirements of ISO 27001?

ISO 27001 is the international standard for an Information Security Management system, but what is the meaning behind the number?  

This post will give you a brief overview of ISO 27001 Requirements, and some advice on the easiest way to implement ISO 27001.

What does ISO 27001 Mean?

In our previous blog: What is ISO 27001? we discussed the basics and advised you to purchase the ISO 27001 document online to take a look at the requirements.

In this blog we will take a slightly deeper look at some of the requirements.

ISO 27001 Management Framework

The first thing you will notice when you purchase a copy of ISO 27001 is the clause structure.  There are 10 Main clauses, followed by Annex A, which contains a list of Controls.

The 10 main clauses follow ISO’s High-Level Common Clause Structure, known as Annex SL.  This means that is you have knowledge of other ISO standards, or add them afterwards, it is easy to integrate standards together.

However, if this is you first ISO Standard, let’s start at the beginning.  The first 10 clauses set out a management framework focused on continual improvement.

In previous ISO standards this was aligned to Deming’s “Plan, Do, Check, Act” (PDCA) cycle.  Now, while this theory can still be applied, the standard is not explicit in stating this example.  

Let’s break down the clauses:

Good News!

Clauses 0-3 cover some housekeeping about the ISO 27001 document itself, so while you should be aware of them, there is no need to document anything.

  1. Introduction – Provides introductory text to the document.
  2. Scope – Confirms the purpose of the ISO document.
  3. Normative References – Discusses related standards, in this case ISO 27000 (see below).
  4. Terms & Definitions – Confirms the means of particular terms used in the standard.  In this case, the clause refers back to ISO 27000 which provides a glossary of terms.

Starting the Real ISO 27001 Work

All the Activity Starts at Clause 4 as follows:

Clause 4 – Context of the Organisation, including defining the scope of your ISMS and considering Internal and External Interested Parties.

Clause 5 – Leadership, a renewed focus on your management system being supported from the top and implemented at every level of the organisation.  Clause 5 includes assigning roles and responsibilities; and the Information Security Policy Statement.

Clause 6 – Planning, known best for the risks and opportunities section which requires consideration of the Confidentiality, Integrity and Availability threats to your information.   6.2 requires Information Security Objectives to be set.

Clause 7 – Support, takes care of some housekeeping tasks including competency, awareness and documented information.  These are common requirements across Annex SL based standards.

Clause 8 – Operation, in most standards clause 8 contains the bulk of the standard’s unique requirements, HOWEVER, the majority of ISO 27001 Requirements are addressed through the risk management process which is defined earlier  in clause 6 and is supported through the 114 controls and control objectives set out in Annex A. Most other standards do not have such a directive annex.

Clause 9 – Performance Evaluation, The standard moves in to Deming’s ‘Check’ stage as requirements for Monitoring, Measurement, analysis & evaluation go along side Internal Audit and Management Review.

Clause 10 – Improvement, the final part of the framework which can be demonstrated throughout your work in earlier clauses.

What are the Annex A Requirements?

Unlike many other ISO Standards, ISO 27001:2022 provides 93 controls and control objectives which can be used to manage the risks identified in clause 6, or just for peace of mind.

Annex A is split into 4 sections from A5 to A8.  This odd numbering system has been inherited from previous standards where the controls were first defined.

Information Security is not just I.T Security

As you will see below, the controls cover a variety of business areas, which means you should consider the people resources you need from different areas of the business in order to effectively implement controls

A.5 Organisational Controls

A.6 People Controls

A.7 Physical Controls 

A.8 Technological Controls

Excluding Annex A Controls

You do not have to apply every control.

However, if you do exclude a control there must be a justified reason.  Reasons for both inclusion and exclusion must be documented within the Statement of Applicability (SOA) document, as required in Clause 6 of the Standard.  

Often the majority of Annex A controls are applied.

Where to Start with ISO 27001 Implementation?

The scale and structure of ISO 27001 can be daunting but ISO Consultants like Assent are here to help.  

We have online ISO project management software which can break up the implementation process in to stages.

Many customers also find our Gap, App & Wrap approach an efficient way of implementing ISO 27001.

And while ISO 27001 Certification is not mandatory [according to the standard itself], most companies see the real value being within the UKAS Accredited Certification marks following an external audit of the system.

Finally, although it is not just an I.T Security standard, technology plays an important part in ISO 27001 Requirements, and organisations can benefit from other cyber security activities such as Simulated Phishing Tests.

5 Advantages of ISO 27001

_____________________________________________

Robert Clements
Robert Clements
Articles: 301