Sep 12 2022

The challenges of achieving ISO 27001

Category: ISO 27k | DISC @ 8:31 am

ISO 27001 is a widely-known international standard on how to manage information security.

In this Help Net Security video, Nicky Whiting, Director of Consultancy, Defense.com, talks about the challenges of achieving ISO 27001, a widely-known international standard.

ISO 27001 certification is not obligatory. Some organizations choose to implement it in order to benefit from the best practice it contains. Others decide they want to get certified to reassure customers and clients.

ISO 27001 & ISO 27017 & ISO 27018 CLOUD DOCUMENTATION TOOLKIT

What is ISO 27001 Information Classification?

IMPLEMENT ISO 27001 AND ISO 22301 EFFORTLESSLY

ITG is offering bestselling implementation guides free with each toolkit purchase

What are the differences between the 2013 and 2022 editions of ISO/IEC 27002?

How to Maintain ISO 27001 Certification: 7 Top Tips

Enroll for free in ISO 27001 online courses

Tags: iso 27001, iso 27002, ISO/IEC 27001


Sep 07 2022

ISO 27001 & ISO 27017 & ISO 27018 CLOUD DOCUMENTATION TOOLKIT

Category: ISO 27k, Security Tools | DISC @ 10:26 am

Implement ISO 27001 & ISO 27017 & ISO 27018 yourself, and do it easily and efficiently with our Documentation Toolkit.

Step-by-step guidance with LIVE EXPERT SUPPORT

  • 47 document templates – unlimited access to all documents required for ISO 27001 & ISO 27017 & ISO 27018 certification, plus commonly used non-mandatory documents
  • Access to video tutorials
  • Email support
  • Expert review of a document
  • One hour of live one-on-one online consultations with an ISO 27001 & ISO 27017 & ISO 27018 expert
  • Upcoming: free toolkit update for the new ISO 27001 2022 revision

Fully optimized for small and medium-sized companies

TOOLKIT DOCUMENTS

Look at EVERY template in the ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit – for free! – before making a purchase.

Tags: iso 27001, iso 27017, ISO 27018, toolkit


Sep 02 2022

What is ISO 27001 Information Classification?

Category: Information Classification, ISO 27k | DISC @ 10:50 am

Information classification is a process in which organisations assess the data that they hold and the level of protection it should be given.

Organisations usually classify information in terms of confidentiality – i.e. who is granted access to view it. A typical system contains four levels of confidentiality:

  • Confidential (only senior management have access)
  • Restricted (most employees have access)
  • Internal (all employees have access)
  • Public information (everyone has access)

As you might expect, larger and more complex organisations will need more levels, with each one accounting for specific groups of employees who need access to certain information.

The levels shouldn’t be based on employees’ seniority but on the information that’s necessary to perform certain job functions.

Take the healthcare sector for example. Doctors and nurses need access to patients’ personal data, including their medical histories, which is highly sensitive.

However, they shouldn’t have access to other types of sensitive information, such as financial records.

In these cases, a separate classification should be created to distinguish between sensitive medical information and sensitive administrative information.


Where does ISO 27001 fit in?

Organizations that are serious about data protection should follow ISO 27001.

The Standard describes best practices for creating and maintaining an ISMS (information security management system), and the classification of information plays a crucial role.

Control objective A.8.2 is titled ‘Information Classification’, and instructs that organisations “ensure that information receives an appropriate level of protection”.

ISO 27001 doesn’t explain how you should do that, but the process is straightforward. You just need to follow four simple steps.

1) Enter your assets into an inventory

The first step is to collate all your information into an inventory (or asset register).

You should also note who is responsible for it (who owns it) and what format it’s in (electronic documents, databases, paper documents, storage media, etc.).

2) Classification

Next, you need to classify the information.

Asset owners are responsible for this, but it’s a good idea for senior management to provide guidelines based on the results of the organization’s ISO 27001 risk assessment.

Information that would be affected by more significant risks should usually be given a higher level of confidentiality. But be careful, because this isn’t always the case.

There will be instances where sensitive information must be made available to a broader set of employees for them to do their job. The information may well pose a threat if its confidentiality is compromised, but the organisation must make it widely available in order to function.

3) Labelling

Once you’ve classified your information, the asset owner must create a system for labelling it.

You’ll need different processes for information that’s stored digitally and physically, but it should be consistent and clear.

For example, you might decide that paper documents will be labelled on the cover page, the top-right corner of each subsequent page and the folder containing the document.

For digital files, you might list the classification in a column on your databases, on the front page of the document and the header of each subsequent page.

4) Handling

Finally, you must establish rules for how to protect each information asset based on its classification and format.

For example, you might say that internal paper documents can be kept in an unlocked cabinet that all employees can access.

By contrast, restricted information should be placed in a locked cabinet, and confidential information stored in a secure location.

Additional rules should be established for data in transit – whether it’s being posted, emailed or employees carry it with them.

You can keep track of all these rules by using a table like this:

[Figure: Information classification table example]

Use a table to simplify the data handling documentation process.
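The four steps above (inventory, classification, labelling, handling) can be modelled as a small register with a handling-rule lookup and an access check. The following is an added example, not code from the original post or from any ISO standard; the asset names, owners, roles, grant levels and handling rules are constructed sample values. It goes slightly beyond the text by encoding the healthcare point directly: access is decided per information category (medical vs administrative) and level, so a doctor can open a confidential patient record but not a confidential payroll ledger, and the register audit flags assets that cannot yet be handled because they have no owner or no classification.

```python
"""Added example: a minimal model of ISO 27001 information classification.
All data below (assets, owners, roles, rules) is constructed for illustration."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Confidentiality levels, ordered from least to most sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3


@dataclass(frozen=True)
class Asset:
    """One row of the asset register (step 1), classified in step 2."""
    name: str
    owner: Optional[str]
    fmt: str                   # "paper" or "digital"
    category: Optional[str]    # e.g. "medical" or "administrative"
    level: Optional[Level]


# Step 4: handling rules keyed by (level, format) -> (storage, transit).
# Constructed values following the post's cabinet examples; not from the standard.
HANDLING = {
    (Level.PUBLIC, "paper"): ("any location", "no restriction"),
    (Level.PUBLIC, "digital"): ("any system", "no restriction"),
    (Level.INTERNAL, "paper"): ("unlocked cabinet accessible to all employees", "internal post"),
    (Level.INTERNAL, "digital"): ("corporate file share", "internal email"),
    (Level.RESTRICTED, "paper"): ("locked cabinet", "sealed envelope, tracked courier"),
    (Level.RESTRICTED, "digital"): ("access-controlled share", "encrypted email"),
    (Level.CONFIDENTIAL, "paper"): ("secure location", "hand-carried by owner only"),
    (Level.CONFIDENTIAL, "digital"): ("encrypted, access-logged store", "encrypted transfer with approval"),
}

# Access grants per role: category -> highest level that role may view.
# Grants are by job function, not seniority (constructed example roles).
GRANTS = {
    "doctor": {"medical": Level.CONFIDENTIAL, "administrative": Level.INTERNAL},
    "finance_clerk": {"administrative": Level.CONFIDENTIAL, "medical": Level.PUBLIC},
    "receptionist": {"medical": Level.RESTRICTED, "administrative": Level.INTERNAL},
}


def label_for(asset):
    """Step 3: the label text stamped on the cover page / document header."""
    return f"{asset.level.name} / {asset.category.upper()}"


def handling_rule(asset):
    """Step 4: look up the storage and transit requirements for an asset."""
    return HANDLING[(asset.level, asset.fmt)]


def can_access(role, asset):
    """True if the role's grant for the asset's category covers its level.
    Unclassified assets are never released."""
    if asset.level is None:
        return False
    granted = GRANTS.get(role, {}).get(asset.category, Level.PUBLIC)
    return granted >= asset.level


def audit_register(assets):
    """Findings a register review should raise before handling rules can apply."""
    findings = []
    for a in assets:
        if a.owner is None:
            findings.append(f"{a.name}: no owner assigned")
        if a.level is None or a.category is None:
            findings.append(f"{a.name}: not classified")
        elif (a.level, a.fmt) not in HANDLING:
            findings.append(f"{a.name}: no handling rule for {a.level.name}/{a.fmt}")
    return findings


# Constructed sample register.
PATIENT_RECORD = Asset("patient history", "head of nursing", "digital", "medical", Level.CONFIDENTIAL)
PAYROLL = Asset("payroll ledger", "finance director", "paper", "administrative", Level.CONFIDENTIAL)
CANTEEN_MENU = Asset("canteen menu", "facilities", "paper", "administrative", Level.PUBLIC)
UNOWNED_SCAN = Asset("scanned referral letters", None, "digital", "medical", None)
SAMPLE_REGISTER = [PATIENT_RECORD, PAYROLL, CANTEEN_MENU, UNOWNED_SCAN]

if __name__ == "__main__":
    for a in SAMPLE_REGISTER:
        if a.level is not None:
            print(a.name, "->", label_for(a), handling_rule(a))
    print(audit_register(SAMPLE_REGISTER))
```

The grant table is the point: two assets at the same CONFIDENTIAL level land in different categories, so a single seniority-based ladder could not express who may read which one.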

Source: What is ISO 27001 Information Classification

Introduction to Cataloging and Classification

Tags: classification, Introduction to Cataloging and Classification


Sep 01 2022

IMPLEMENT ISO 27001 AND ISO 22301 EFFORTLESSLY

Category: CISO, ISO 27k, vCISO | DISC @ 12:30 pm

Advisera Conformio presentation

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Follow DISC #InfoSec blog

Ask DISC an InfoSec & compliance related question

Tags: ISO 22301, iso 27001


Aug 23 2022

ITG is offering bestselling implementation guides free with each toolkit purchase

Category: GDPR, Information Security, ISO 27k | DISC @ 4:12 pm

For a limited time only, ITG is offering bestselling implementation guides free with each toolkit purchase.*

All the pre-written policies and procedures you’ll ever need.

Written by our expert team of in-house consultants, who have been delivering cyber security and data privacy consultancy for years.

Reviewed throughout the year to ensure you’re always working from the most up-to-date documentation, in line with the latest guidance and standard revisions, including free upgrades.

Accessible on our Cloud-based platform, DocumentKits, so you can collaborate with team members, viewing, editing and downloading documents any time, anywhere.

GDPR Documentation Toolkit

GDPR Toolkit


Receive a free copy of EU General Data Protection Regulation (GDPR) – An implementation and compliance guide
Code: GDPR-DK-NEW-0822



ISO 27001 Toolkit

ISO 27001 Toolkit

Receive a free copy of ISO 27001 controls – A guide to implementing and auditing
Code: ISO27001-DK-NEW-0822

Tags: gdpr, iso 27001


Aug 22 2022

What are the differences between the 2013 and 2022 editions of ISO/IEC 27002?

Category: Information Security, ISO 27k | DISC @ 3:48 pm

What are the differences between the 2013 and 2022 editions of ISO/IEC 27002

Tags: ISO 27002 2022, ISO 27002 revision


Aug 04 2022

How to Maintain ISO 27001 Certification: 7 Top Tips

Category: ISO 27k | DISC @ 11:13 pm

Whether you’re a small organisation with limited resources or an international firm, achieving ISO 27001 certification will be a challenge.

Anyone who has already been through the process will know that. You must assemble a team, conduct a gap analysis and risk assessment, apply security controls, create documentation and perform staff awareness training. And that’s before you even get into internal audits and certification audits.

To make matters more complicated, once you’ve certified to ISO 27001, you must maintain your compliance status and regularly recertify.

Organisations must do this to ensure that they have maintained their compliance practices and accounted for changes in the way they operate.

In this blog, we look at the key issues you must address if you are to maintain ISO 27001 compliance.

How often do you need to recertify to ISO 27001?

An organisation’s ISO 27001 certification lasts three years. The certificate itself will state the date at which certification was issued and when it will expire.

As that day approaches, the organisation must apply for recertification. This can be with the same body that performed the initial audit or it can be with another registrar.

How to maintain ISO 27001 certification

Organisations can ensure that their ISO 27001 practices remain compliant by following these seven steps.

1. Continually test and review risks

Your ISMS (information security management system) was built to address risks that you identified during the certification process, but the threat landscape is constantly evolving.

As such, you must regularly monitor the risks you face to ensure that your defences are adequate. Part of this process will involve vulnerability scans and other tools that can automatically spot new risks. However, you should also perform more rigorous tests on a regular basis.

To remain compliant, you must complete an ISO 27001 risk assessment at least once a year or whenever you make substantial changes to your organisation.

You can use the results of the assessment to determine whether your controls work as intended and whether additional defences should be adopted.

2. Keep documentation up to date 

The policies and processes you wrote during the initial implementation will have been created specifically for the way your organisation operated at that time.

However, your operations will no doubt evolve and you need to ensure that your documentation takes that into account. Have you made a significant change in the way you perform certain actions? Have you undertaken new activities involving sensitive data? Has the physical premises changed in any way?

If the answer to any of those questions is yes, then you must amend your documentation accordingly.

3. Perform internal audits

An internal audit provides a comprehensive review of the effectiveness of your ISMS. Alongside a risk assessment and a documentation review, it will help you assess the status of your ISO 27001 compliance.

You will have conducted an internal audit as part of your initial certification process, so you should already have the framework to hand, which you can repeat as part of your compliance maintenance.

4. Keep senior management informed

Unless you are extremely lucky, the maintenance practices outlined above will reveal weaknesses that you must address if you are to remain compliant.

Remedying those vulnerabilities will take time and resources, which requires you to gain board-level approval. As such, you should keep senior management informed of both your activities maintaining the ISMS and the benefits that it has brought.

For example, your defences might have played a direct role in preventing a data breach or cyber attack. If so, you should have logged and investigated the event, in which case you’ll have proof of the ISMS’s effectiveness that you can bring to the board.

An ISMS isn’t just about preventing security breaches, though. It also helps organisations operate more efficiently and responsibly. You should also provide evidence of this, presenting key performance indicators and interviews with employees and other stakeholders.

5. Establish a regular management review process

In addition to informing the board of the ISMS’s successes, you should also involve them in the review process. This is where you can discuss opportunities for improvement or necessary changes that must be made.

There is no requirement for how often the management review should take place, but it should be at least once a year and ideally every six months.

6. Stay on top of corrective actions

If there’s a theme to these tips, it’s that your ISMS isn’t set in stone. As such, it should evolve to meet the threats that your organisation faces.

By regularly monitoring the effectiveness of your ISMS, you should be able to perform corrective actions that prevent weaknesses from spilling over into major problems. Some of these changes could be minor tweaks to processes and policies, or the addition of a new tool.

However, some corrective actions will require a significant overhaul of your practices. These should be discussed during the management review process and could involve ongoing adjustments and monitoring.

7. Promote ongoing information security staff awareness

One of the key principles of ISO 27001 is that effective information security is everybody’s responsibility. Compliance should not be left to the IT department or managers.

Anyone in the organisation that handles sensitive data plays a role in the organisation’s security. They must understand their obligations for protecting sensitive information and appreciate the stakes involved.

You are required to provide staff awareness training as part of your certification process, but those lessons should be repeated on a regular basis. As with your management review, it should be at least annually but ideally twice yearly.

For organisations looking for a quick and effective way to meet their staff awareness training requirements, IT Governance is here to help.

ITG Information Security & ISO 27001 Staff Awareness E-Learning Course contains guidance on everything you need to know about the international standard for information security.

With this 45-minute training course, you can enable your employees to demonstrate their competence in information security and ISO 27001 with digital badges.

The package comes with an annual licence, making it quick and easy to refresh employees’ knowledge on a regular basis.

Tags: iso 27001 certification


Aug 02 2022

Certification of individuals

Category: ISO 27k | DISC @ 11:01 am

*** Is ISO 27001 the right path for your career? ***

Tags: iso 27001 certification, ISO 27001 Internal Auditor, ISO 27001 Lead Implementer


Jul 21 2022

Enroll for free in ISO 27001 online courses

Category: ISO 27k | DISC @ 10:03 am

Security Awareness training - Advisera eTraining

Build your ISO 27001 knowledge and win new business with Advisera’s free ISO 27001 online courses. And you can be sure that you chose the right learning partner, since all Advisera’s courses are now accredited by ASIC, the internationally respected assurance body for online learning providers worldwide.

The courses’ structure is simple:

  • Modules that cover important topics related to ISO 27001.
  • Video lectures give you an opportunity to learn from ISO 27001 top experts.
  • Quizzes teach you how to apply what you have learned through practical examples.
  • Recap quiz at the end of each module helps you reinforce the acquired knowledge.

Choose your free course

You can choose the course based on your specific needs:

  • ISO 27001 Foundations course – you’ll learn about all of the standard’s requirements and the best practices for compliance.
  • ISO 27001 Internal Auditor course – besides the knowledge about the standard, you’ll also learn how to perform an internal audit in the company.
  • ISO 27001 Lead Auditor course – besides the knowledge about the standard, it also includes the training you need to become certified as a certification auditor.
  • ISO 27001 Lead Implementer course – besides the knowledge about the standard, it also includes the training you need to become an independent consultant for Information Security Management System implementation.

The online courses are suitable both for beginners and experienced professionals.

Learn at your preferred speed from any location at any time.

Tags: ISO 27001 online courses, ISO27k courses, ISO27k training


Jun 20 2022

Get ISO 27001:2022 and 2013 toolkits for the price of one

Category: ISO 27k | DISC @ 11:22 am

If you have planned an ISO 27001 implementation, but you are unsure of whether you should go with the 2013 revision or wait for the 2022 revision to be published, we have a solution for you.

Buy the ISO 27001:2022 toolkit now, and receive the 2013 revision toolkit for free! Then you’ll have time to go over your implementation plans and decide if you should start with the project right now, or postpone it until later. With this bundle, you are covered for whatever option you choose.

Step-by-step guidance with LIVE EXPERT SUPPORT

  • 45 document templates – unlimited access to all documents required for ISO 27001 certification, plus commonly used non-mandatory documents
  • Access to video tutorials
  • Email support
  • Expert review of a document
  • One hour of live one-on-one online consultations with an ISO 27001 expert
  • Receive ISO 27001:2022 and ISO 27001:2013 toolkit documents.

Information security, cybersecurity and privacy protection. Information security controls ISO/IEC 27002:2022

Tags: iso 27001, ISO 27001:2022, ISO/IEC 27002:2022, ISO27001:2013


Jun 14 2022

Implementing an ISMS – The nine Steps approach

Category: ISO 27k | DISC @ 1:59 pm

Nine Steps to Success – An ISO 27001 Implementation

Nine Steps to Success – An ISO 27001 Implementation Overview, North American edition

Tags: isms


May 29 2022

New tool | Advisera Assistant for Finding ISO 27001 Materials

Category: ISO 27k | DISC @ 1:53 pm

New tool | *Advisera Assistant for Finding ISO 27001 Materials*

Advisera Assistant – a fast and efficient tool that determines what ISO tools you need in less than 30 seconds. Try it now:

Learn how to implement the ISO 27001 standard with best-in-class compliance resources and expert support

Tags: Finding ISO 27001 Materials


Apr 05 2022

Build your career with ISO 27701 training

Category: ISO 27k | DISC @ 4:08 pm

ISO 27701 specifies the requirements for establishing, implementing, maintaining, and continually improving a PIMS (privacy information management system).

Compliance with ISO 27701 shows customers and stakeholders that your organization takes privacy legislation seriously. ISO 27701 serves as an extension to ISO 27001. Organizations that have implemented ISO 27001 will be able to incorporate the controls and requirements of ISO 27701 to extend their existing data security practices to achieve complete coverage of data security and privacy management.

ITG Certified ISO 27701 PIMS Lead Implementer Training Course covers the key steps involved in implementing and maintaining an ISO 27701-compliant PIMS.

Certified ISO 27701 PIMS Lead Implementer Training Course

If you are already an ISO 27701 expert, have you considered developing your career as an auditor? ITG Certified ISO 27701 PIMS Lead Auditor Training Course teaches you how to extend an ISO 27001 audit program and conduct a PIMS audit against ISO 27701.

Certified ISO 27701 PIMS Lead Auditor Training Course

Enhance your privacy management with ISO 27701

ISO/IEC 27701 2019 Standard and Toolkit

Tags: ISO 27701, ISO 27701 Auditor, ISO 27701 Implementer


Feb 15 2022

Train as an ISO 27001 auditor

Category: ISO 27k | DISC @ 1:17 pm

Certified ISO 27001 ISMS Lead Auditor Online Training Course

ISO 27001 Lead Auditor is the qualification of choice for ISO 27001 professionals, recognized by employers worldwide.

Implementing and maintaining compliance with the Standard requires comprehensive knowledge of ISO 27001.

ITG Certified ISO 27001 ISMS Lead Auditor Training Course gives participants a solid understanding of the requirements of an ISO 27001 audit and the knowledge to ensure conformity to the Standard.

If you are already a qualified ISO 27001 auditor, enhance your career by taking ITG Certified ISO 27701 PIMS Lead Auditor Training Course, which will teach you how to conduct audits against ISO 27701, in line with international data protection regimes.

Enhance your privacy management with ISO 27701

ISO/IEC 27701 2019 Standard and Toolkit

ISO 27701 Standard

Tags: ISO 27001 auditor, ISO 27701, ISO 27701 2019 Standard and Toolkit, ISO 27701 Gap Analysis Tool


Jan 13 2022

ISO 27001 CyberSecurity Toolkit

Category: ISO 27k | DISC @ 1:16 pm

ISO 27001 certification requires organizations to prove their compliance with the Standard with appropriate documentation, which can run to thousands of pages for more complex businesses. But with the ISO 27001 Cybersecurity Toolkit, you have all the direction and tools at hand to streamline your project.

ISO 27001 Cybersecurity Toolkit

Accelerate your ISO 27001 cybersecurity project and benefit from ready-to-use policies and procedures. The toolkit includes:

  • A complete set of mandatory and supporting documentation templates
  • Helpful project tools to ensure complete coverage of the Standard
  • Guidance documents and direction from expert ISO 27001 practitioners

Tags: ISO 27001 CyberSecurity Toolkit, ISO 27001 Documentation, ISO 27001 Toolkit


Dec 28 2021

Top 3 ITG ISO 27001 books 

Category: Information Security, ISO 27k | DISC @ 1:44 pm

Now that the festive frenzies have almost finished and you still have a few quiet days to spend at home, this is a great time to invest in your education. Enhance your knowledge of ISO 27001 with our wide range of books. Available in a variety of formats, including audiobook, softcover, Kindle and ePub, they cover everything you need to know about ISO 27001 and how to implement it. You can also focus on gaining an ISO 27001 qualification and top up your CPD/CPE points with our self-paced training courses. Until January 3, you can get 10% off self-paced training courses by using the promo code XMASTRAIN at checkout*.
ISO 27001 controls – A guide to implementing and auditing

Ideal for information security managers, auditors, consultants and organizations preparing for ISO 27001 certification, this book will help readers understand the requirements of an ISMS (information security management system) based on ISO 27001. Similarly, for anyone involved in internal or external audits, the book includes the definitive requirements that auditors must address when certifying organizations to ISO 27001. Buy now

Nine Steps to Success – An ISO 27001 Implementation Overview, North American edition

Get to grips with the requirements of the ISO 27001 Standard and discover how to make your ISO 27001 implementation project a success with this must-have guide from international ISO 27001 expert Alan Calder. The ideal resource for anyone tackling ISO 27001 implementation for the first time, it details the key steps of an ISO 27001 project from inception to certification and explains each element of the ISO 27001 project in simple, non-technical language. Buy now

Information Security Risk Management for ISO 27001/ISO 27002, third edition

Ideal for risk managers, information security managers, lead implementers, compliance managers and consultants, as well as providing useful background material for auditors, this book will enable readers to develop an ISO 27001-compliant risk assessment framework and deliver real, bottom-line business benefits. Buy now

Tags: ISO 27001 books


Nov 12 2021

Implementing and auditing an Information Security Management System in small and medium-sized businesses

Category: Information Security, ISO 27k | DISC @ 11:02 pm

ISO 27001 Handbook

If you want to understand ISO 27001, this handbook is all you need. It not only explains in a clear way what to do, but also the reasons why.

This book helps you to bring the information security of your organization to the right level by using the ISO/IEC 27001 standard.

An organization often provides services or products for years before the decision is taken to obtain an ISO/IEC 27001 certificate. Usually, a lot has already been done in the field of information security, but after reading the requirements of the standard, it seems that something more needs to be done: an ‘information security management system’ must be set up. A what?

This handbook is intended to help small and medium-sized businesses establish, implement, maintain and continually improve an information security management system in accordance with the requirements of the international standard ISO/IEC 27001. At the same time, this handbook is also intended to provide information to auditors who must investigate whether an information security management system meets all requirements and has been effectively implemented.

This handbook assumes that you ultimately want your information security management system to be certified by an accredited certification body. The moment you invite a certification body to perform a certification audit, you must be ready to demonstrate that your management system meets all the requirements of the Standard. In this book, you will find detailed explanations, more than a hundred examples, and sixty-one common pitfalls. It also contains information about the rules of the game and the course of a certification audit.

ISO 27001 Certification

ISO 27001 Gap Assessment

DISC InfoSec vCISO as a Service

Tags: iso 27001, ISO 27001 2013, ISO 27001 2013 Gap Assessment, iso 27001 certification


Aug 26 2021

What is ISMS

Category: Information Security, ISO 27k | DISC @ 10:25 pm

Implementing an ISMS

There are numerous ways of approaching the implementation of an ISMS. The most common method to follow is a ‘Plan Do Check Act’ process.

ISO 27001 is the international security standard that details the requirements of an ISMS.

ISO 27001, along with the best-practice guidelines contained in ISO 27002, serve as two excellent guides to get you started with implementing an ISMS. 

A certified ISMS, independently audited by an approved certification body, can serve as the necessary reassurance to customers and potential clients that the organization has taken the steps required to protect their information assets from a range of identified risks.

The strength of an ISMS is based on the robustness of the information security risk assessment, which is key to any implementation.

The ability to recognize the full range of risks that the organization and its data may face in the foreseeable future is a precursor to implementing the necessary mitigating measures (known as ‘controls’).

ISO 27001 provides a list of recommended controls that can serve as a checklist to assess whether you have taken into consideration all the controls necessary for legislative, business, contractual, or regulatory purposes.

ISO 27001 Risk Assessment and Gap Assessment

Tags: Information Security Management System, isms


Aug 03 2021

ISO 27001 vs. ISO 27002: What’s the difference?

Category: Information Security, ISO 27k | DISC @ 11:09 am

Anyone with an interest in information security will have encountered ISO 27001, the international standard that describes best practice for an ISMS (information security management system).

However, you might not be as familiar with ISO 27002. It’s a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001.

Although ISO 27001 is the more well-known standard – and the one that organisations certify to – neither can be considered in isolation. This blog explains why that’s the case, helping you understand how each standard works and the differences between them.

What is ISO 27001?

ISO 27001 is the central framework of the ISO 27000 series, which is a series of documents relating to various parts of information security management.

The Standard contains the implementation requirements for an ISMS. These are essentially an overview of everything you must do to achieve compliance.

This is particularly useful at the start of your project, or if you’re looking for general advice but can’t commit to a full-scale implementation project.

To meet these requirements, organisations must:

What is ISO 27002?

ISO 27002 is a supplementary standard that focuses on the information security controls that organisations might choose to implement.

These controls are listed in Annex A of ISO 27001, which is what you’ll often see information security experts refer to when discussing information security controls. However, whereas Annex A simply outlines each control in one or two sentences, ISO 27002 dedicates an average of one page per control.

This is because the Standard explains how each control works, what its objective is, and how you can implement it.

The differences between ISO 27001 and ISO 27002

There are three main differences between ISO 27001 and ISO 27002:

  • Detail

If ISO 27001 went into as much detail as ISO 27002, it would be unnecessarily long and complicated.

Instead, it provides an outline of each aspect of an ISMS, with specific advice being found in additional standards. ISO 27002 is only one of these. For example, ISO 27003 covers ISMS implementation guidance and ISO 27004 covers the monitoring, measurement, analysis and evaluation of the ISMS.

  • Certification

You can certify to ISO 27001 but not to ISO 27002. That’s because ISO 27001 is a management standard that provides a full list of compliance requirements, whereas supplementary standards such as ISO 27002 address one specific aspect of an ISMS.

  • Applicability

A key thing to consider when implementing an ISMS is that not all information security controls will apply to your organisation.

ISO 27001 makes that clear, specifying that organisations conduct a risk assessment to identify and prioritise information security threats. ISO 27002 doesn’t mention this, so if you were to pick up the Standard by itself, it would be practically impossible to figure out which controls you should adopt.

When you should use each standard

ISO 27001 and ISO 27002 have different objectives and will be helpful in different circumstances.

If you’re starting out with the Standard or are planning your ISMS implementation framework, then ISO 27001 is ideal. You should refer to ISO 27002 once you’ve identified the controls that you’ll be implementing to learn more about how each one works.

Learn the basics of information security

You can find out more about how to implement a best-practice ISMS by enrolling on our ISO27001 Certified ISMS Foundation Training Course.

This one-day course provides a comprehensive introduction to the key elements required to comply with ISO 27001. You’ll learn from expert information security consultants and have the chance to review case studies and participate in group discussions and practical exercises.

Developed by the team that led the world’s first successful ISO 27001 implementation project, this one-day course provides a comprehensive introduction to the Standard.

You’ll learn from expert information security consultants, as they explain:

  • ISO 27001 management system documentation;
  • How to plan, scope and communicate throughout your ISO 27001 project; and
  • The key steps involved in an ISO 27001 risk assessment.

Source: ISO 27001 vs. ISO 27002

Previous blog posts on ISO27k

Pentests are required for ISO 27001 or SOC2 audits

ISO 27002 major revision

With ISO27001 how you should choose the controls needed to manage the risks

The importance of the Statement of Applicability in ISO 27001 – with template

Steps to implement ISMS (ISO 27001)

How FAIR & ISO 27001 Work Together

ISO 27001 Handbook: Implementing and auditing an Information Security Management System in small and medium-sized businesses

Tags: ISO 27001 2013, ISO 27001 2013 Gap Assessment, ISO 27001 2013 Toolkit, ISO 27001 Auditing, iso 27001 certification, ISO 27001 Handbook, ISO 27001 implementation, ISO 27001 Lead Implementer, iso 27002, Statement of Applicability in ISO 27001


Jul 14 2021

Pentests are required for ISO 27001 or SOC2 audits

Category: ISO 27k, Pen Test | DISC @ 3:32 pm

Pentests are required for ISO 27001 or SOC2 audits: download pdf

Why do organizations need to conduct a penetration test?

Tags: 27001 or SOC2 audits

