InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
The ISO 27001 risk management guide provides a structured methodology for managing information security risks aligned with ISO standards. It first covers setting risk criteria, helping organizations define their risk appetite and identify high-priority assets and vulnerabilities. Risk assessment follows, where risks are quantified based on their likelihood and impact, allowing for prioritization.
The guide emphasizes the importance of treatment planning, advising on risk responses: avoidance, transfer, mitigation, or acceptance, with decisions documented for compliance. Documentation ensures transparency and traceability, forming a record of risk decisions.
A key component is regular review, where organizations reassess risks as threats change, supporting ISO 27001’s principle of continuous improvement. This cyclical approach helps keep the risk management framework adaptable and responsive to evolving security needs.
Additionally, the guide underscores the role of management, recommending their involvement in review and support of risk processes. Management buy-in ensures that security efforts align with strategic goals, encouraging organization-wide commitment.
In summary, the guide helps organizations maintain a robust, adaptive risk management system that meets ISO 27001 standards, enabling proactive risk control. For more detail, you can access the document here.
ISO 27001 certification is more than just a standard; it’s a powerful statement that transforms how your customers perceive your company. This certification represents an unwavering commitment to data security, acting as a digital shield for your business. By safeguarding your most valuable asset—your data—you build unshakeable trust with your customers, showing them that their information is safe in your hands.
Achieving ISO 27001 means your business isn’t just adhering to standards; it’s setting itself apart as a leader in data protection. This certification opens doors to new opportunities, enabling your business to thrive in an increasingly digital world. It’s about ensuring your business’s long-term sustainability and demonstrating a serious commitment to information security.
ISO 27001 is more than a quality seal; it sends a clear message to the world. It shows that your company prioritizes data protection, adheres to the best practices of information security, and reduces the risk of cyber incidents. It also signals that your business is trustworthy, boosting confidence among customers, suppliers, and business partners. This trust gives you a competitive edge, setting you apart from the competition and attracting new business opportunities.
In essence, ISO 27001 is an investment in the future of your business. It not only helps in improving risk management by identifying and mitigating information security risks but also strengthens your business’s foundation. By demonstrating a strong commitment to data security, you can ensure the longevity and success of your company in today’s digital age.
Overall benefits of ISO 27001 certification for businesses include:
Enhanced Data Security: ISO 27001 provides a systematic approach to managing sensitive company information, ensuring that data is protected from unauthorized access, breaches, and other security threats.
Increased Customer Trust: Achieving this certification demonstrates a commitment to data security, building trust among customers, partners, and stakeholders. It shows that your organization takes information security seriously.
Regulatory Compliance: ISO 27001 helps businesses comply with legal and regulatory requirements related to data protection, which can vary across different industries and regions. This reduces the risk of legal penalties and compliance-related issues.
Competitive Advantage: Companies with ISO 27001 certification can differentiate themselves from competitors. It acts as a quality seal, giving you an edge in the market and attracting new clients who prioritize data security.
Improved Risk Management: The certification process involves identifying, assessing, and managing information security risks. This proactive approach helps businesses to mitigate potential threats and vulnerabilities effectively.
Operational Efficiency: Implementing ISO 27001 often leads to streamlined processes and better resource management, as businesses adopt consistent and structured approaches to handling data security.
Global Recognition: ISO 27001 is an internationally recognized standard, which means your business can gain credibility and access to new markets around the world. It assures clients globally that your security practices meet high standards.
Business Continuity: By focusing on risk assessment and management, ISO 27001 helps ensure that your business can continue to operate even in the face of security incidents or disruptions. This resilience is critical for long-term success.
In summary, ISO 27001 certification not only strengthens your data security framework but also boosts your reputation, enhances compliance, and gives you a competitive edge, making it a valuable investment for any business.
Andrew Pattison, a seasoned expert with over 30 years in information security and risk management, emphasizes the pragmatic nature of ISO 27001 in this interview. He explains that ISO 27001 is often misunderstood as a rigid framework when, in fact, it takes a flexible, risk-based approach. This misconception arises because many implementers prioritize certification, leading them to adopt a “you must do X” attitude, which gives the impression that the standard’s clauses are more rigid than they are. Pattison stresses that organizations can tailor controls based on risk, selecting or excluding controls as needed, provided they can justify these decisions.
He explains that a true risk-based approach to ISO 27001 involves understanding risk as the combination of a vulnerability, a threat to that vulnerability, and the likelihood of that threat being exploited. Organizations often focus on sensationalized, niche technical risks rather than practical issues like staff awareness training, which can be addressed easily and cost-effectively. Pattison advises focusing on risks that have a real-world impact, rather than obscure ones that are less likely to materialize.
To keep risk assessments manageable, Pattison advocates for simplicity. He favors straightforward risk matrices and encourages organizations to focus on what truly matters. According to him, risk management should answer two questions: “What do I need to worry about?” and “How do I address those worries?” Complicated risk assessments, often bogged down by mathematical models, fail to provide clear, actionable insights. The key is to maintain focus on where the real risks lie and avoid unnecessary complexity.
Pattison also believes in actively involving clients in the risk assessment process, rather than conducting it on their behalf. By guiding clients through the process, he helps them develop a deeper understanding of their own risks, linking these risks to their business objectives and justifying the necessary controls. This collaborative approach ensures that clients are better equipped to manage their risks in a meaningful and practical way, rather than relying on third parties to do the work for them.
For more information on Andrew Pattison interview, you can visit here
The blog post discusses how ISO 27001 can help address AI-related security risks. AI’s rapid development raises data security concerns. Bridget Kenyon, a CISO and key figure in ISO 27001:2022, highlights the human aspects of security vulnerabilities and the importance of user education and behavioral economics in addressing AI risks. The article suggests ISO 27001 offers a framework to mitigate these challenges effectively.
The impact of AI on security | How ISO 27001 can help address such risks and concerns.
The blog post provides a detailed guide on conducting an ISO 27001 audit, which is crucial for ensuring compliance with information security standards. It covers both internal and certification audits, explaining their purposes, the audit process, and steps such as setting the audit criteria, reviewing documentation, conducting a field review, and reporting findings. The article also emphasizes the importance of having an independent auditor and following up on corrective actions to ensure proper risk management.
The post discusses whether ISO 27001 certification is worth it, highlighting its benefits like improved reputation, enhanced security, and competitive advantage. ISO 27001 offers a comprehensive framework for managing information security risks, focusing on people, processes, and technology. Certification, though not mandatory, provides independent validation of an organization’s commitment to security, which can also reduce penalties in case of data breaches. It positions organizations to stand out, especially in regulated industries like finance and healthcare.
With data breaches and cyber attacks a constant news feature, and the US suffering more publicly disclosed incidents than any other country, it’s no surprise that cybersecurity is an increasingly bigger concern.
Customers, partners, authorities, and other stakeholders all want assurances that organizations are taking reasonable steps to prevent data breaches.
After all, customers want to know that their data is safe. Partners don’t want to end up in the headlines due to a breach in their supply chain. And authorities want organizations to be meeting their legal obligations.
With that in mind, demand for ISO 27001 certification is increasing.
What is ISO 27001?
ISO 27001 is the internationally recognized standard that stipulates the requirements for an ISMS (information security management system). This standard was most recently updated in 2022.
A significant benefit of ISO 27001, compared to alternative standards (such as the NIST Cybersecurity Framework, is that organizations can achieve independent, accredited certification to it.
While organizations implementing an ISMS don’t have to achieve ISO 27001 certification, doing so has numerous benefits. Most notably, it offers potential and existing clients assurance that you’re following information security best practice.
How do you know whether the certificate or the certification body is legitimate?
The best way to validate a potential vendor’s certification is to ask for a copy of their certificate. Any organization with accredited certification should be happy to provide it.
How do you assess whether the certification body is accredited?
Certification bodies must also go through their own strict accreditation process to ensure they meet requirements and are qualified to carry out audits in line with ISO 27001.
To verify that a US certification body is accredited, check whether it is listed on an accreditation body’s website.
Accreditation bodies are selected and appointed by the IAF (International Accreditation Forum). For the US, in 2024, it has listed three accreditation bodies for ISO 27001:
ANAB (ANSI-ASQ National Accreditation Board)
IAS (International Accreditation Service)
UAF (United Accreditation Foundation)
For ISO 27001, ANAB is the biggest accreditation body. Here’s a list of ISO 27001 certification bodies it has accredited.
The hardest part of many projects is knowing where to start.
ISO 27001 is no exception. This standard describes best practice for an ISMS (information security management system).
In other words, it lays out the requirements you must meet, but doesn’t show you the how. How you can adopt or implement them.
With ISO 27001:2013 certification no longer available, many organisations are preparing to adopt the 2022 version of the standard – which means tackling a new Annex A control set, among other new requirements.
The implementation project should begin by appointing a project leader.
They’ll work with other members of staff to create a project mandate, which is essentially a set of answers to these questions:
What do we hope to achieve?
How long will the project take?
Does the project have top management support?
What resources – financial and otherwise – will the project need?
2. Develop the ISO 27001 implementation plan
The next step is to use your project mandate to create a more detailed outline of:
Your information security objectives;
Your project risk register;
Your project plan; and
Your project team.
Information security objectives
Your information security objectives should be more granular and specific than your answer to ‘What do we hope to achieve?’ from step 1.
They’ll inform and be included in your top-level information security policy. They’ll also shape how the ISMS is applied.
Project risk register
Your project risk register should account for risks to the project itself, which might be:
Managerial – will operational management continue to support the project?
Budgetary – will funding continue to see the project through?
Legal – are specific legal obligations at risk?
Cultural – will staff resist change?
Each risk in the register should have an assigned owner and a mitigation plan. You should also regularly review the risks throughout the project.
Project plan
The project plan should detail the actions you must take to implement the ISMS.
This should include the following information:
Resources required
Responsibilities
Review dates
Deadlines
Project team
The project team should represent the interests of every part of the organisation and include various levels of seniority.
Drawing up a RACI matrix can help with this. This identifies, for the project’s key decisions, who’s:
Responsible;
Accountable;
Consulted; and
Informed.
One critical person to appoint and include in the project team is the information security manager. They’ll have a central role in the implementation project and eventually be responsible for the day-to-day functioning of the ISMS.
3. ISMS initiation
You’re now ready to initiate your ISMS!
Documentation structure
A big part of this is establishing your documentation structure – any management system is very policy- and procedure-driven.
We recommend a four-tier approach:
A. Policies These are at the top of the ‘pyramid’, defining your organisation’s position and requirements.
B. Procedures These enact the requirements of your policies at a high level.
C. Work instructions These set out how employees implement individual elements of the procedures.
D. Records These track the procedures and work instructions, providing evidence that you’re following them consistently and correctly.
This structure is simple enough for anyone to grasp quickly. At the same time, it provides an effective way of ensuring you implement policies at each level of your organisation. Plus, that you develop well-functioning, cohesive processes.
Tips for more effective policies and procedures
Your policies and procedures must also be effective. Here are four tips:
Keep them practicable by balancing aspirations against the reality. If your policies and/or procedures appear too idealised, staff will be much less likely to follow them.
Keep them clear and straightforward, so staff can easily follow your procedures.
Use version control, so everyone knows which is the latest document.
Avoid duplication. This will also help with the version control.
Make sure you systematically communicate your documentation – particularly new or updated policies – throughout your organisation. Be sure to also communicate them to other stakeholders.
Continual improvement
As part of your ISMS initiation, you’ll need to select a continual improvement methodology.
First, understand that continual improvement might sound expensive, but is cost-effective if done well. As ISO 27001 pioneer Alan Calder explains:
Continual improvement means getting better results for your investment. That typically means one of two things:
1. Getting the same results while spending less money. 2. Getting better results while spending the same amount of money.
Yes, you need to be looking at your objectives, and asking yourself how well your ISMS is currently meeting them. And where your management system falls short, money may have to be spent.
But many improvements have little financial cost. You can make a process more efficient – perhaps by cutting out a step, or automating some manual work.
While continual improvement is a critical element of an ISO 27001 ISMS, the Standard doesn’t specify any particular continual improvement methodology.
Instead, you can use whatever method you wish, so long as it continually improves the ISMS’s “suitability, adequacy and effectiveness” (Clause 10.1). That can include a continual improvement model you’re already using for another activity.
The core section of the standard retains its 11 clauses with minor modifications, while significant structural revisions have been implemented in the Annex A controls. Control categories have been rearranged, resulting in a reduction in the total number of controls. Broadly speaking, 11 new controls have been added, 57 controls have been consolidated, 23 controls have been rebranded, and three controls have been eliminated. The introduction of these 11 new controls underscores the heightened significance of Cloud, DevOps, and Personal Information, which have evolved over the past decade.
A.5.7 Threat intelligence
A.5.23 Information security for the use of cloud services
A.5.30 ICT readiness for business continuity
A.7.4 Physical security monitoring
A.8.9 Configuration management
A.8.10 Information deletion
A.8.11 Data masking
A.8.12 Data leakage prevention
A.14.1.4 Secure development policy
A.16.2.4 Security of supplier services
A.18.2.3 Protection of personal information in public clouds
ISO 27002:2022 has three control types, #Preventive, #Corrective and #Detective. Some of these controls share more than one control types. There are total 12 Detective, 13 Corrective, and 83 Preventive controls and 15 controls (12+13+83 = 108 -15 = 93) which share more than one control type in ISO 27002:2022 latest guidance. If you like to know more about how and when to start complying with new and latest control guidance, please contact us to book an appointment to discuss the details, how DISC llc can assist your organization with ISO 27001 compliance or certification plans.
In this Help Net Security interview, Robin Long, founder of Kiowa Security, shares insights on how best to approach the implementation of the ISO/IEC 27001 information security standard.
Long advises organizations to establish a detailed project roadmap and to book certification audits at an early stage. He also recommends selecting an internal team that includes a leader with the ISO 27001 Lead Implementer qualification and suggests that in some cases, the best approach to the standard may be to start by prioritizing a limited number of “security wins” before embarking on full implementation.
A few general points about ISO 27001, before getting onto the questions:
1. The documentation behind ISO/IEC 27001:2022 (“ISO 27001”) is broken into two main parts: ISO/IEC 27001 itself, which contains the primary guidance, and a ‘guidance document’ called ISO/IEC 27002, which lists suggested information security controls that may be determined and implemented based on the risk analysis that is carried out according to the requirements of the primary document.
ISO 27001 is also supported by the other standards ISO/IEC 27000:2018 (IT security techniques) and ISO/IEC 27005:2022 (Information security, cybersecurity, and privacy protection), among others.
All these are developed and maintained by the International Organization for Standardization (ISO), which is based in Geneva, Switzerland.
2. Although there are a number of things that you are obliged to do if you’re seeking certified conformity to the standard, it is actually quite flexible about the details. Even the “requirements” – the obligatory clauses in the 27001 document – generally allow a fairly broad range of interpretation. This makes sense when you think that ISO 27001 has been developed as a one-size-fits-all system for all types and sizes of organization that handle sensitive information.
When you look at it like that, it immediately becomes less intimidating.
3. If you decide to go ahead and implement ISO 27001, it’s highly recommended to put together a detailed road map that defines targets of what should be achieved by what date in the timeline of the project (Gantt charts are good for this – look them up!). This helps to keep the project under control and reduces the risk of time and budget overrun. Breaking the project up into weekly components also makes it less daunting.
4. You’ll also need to define a (small) group of people to carry out, maintain and be accountable for implementation of the standard. You might call this the ‘ISMS Team’ (where ISMS means Information Security Management System, another way to describe ISO 27001). This team should ideally incorporate expertise and experience in IT, business development and data protection, and have a channel to senior management.
How do you recommend organizations approach understanding and implementing ISO 27001’s wide range of controls and requirements, especially those new to information security management?
As a consultant myself, I’m aware of the conflict of interest, but I have to say that I do think it makes sense to hire external advice for assistance with implementation of ISO 27001, for internal audit, and interaction with certification auditors.
One of the main responsibilities of such an advisor is to assist with understanding of the standard and information security management generally, at both high and low levels. The range of ISO27002 controls – for example – is wide indeed, but a competent consultant will break them down into manageable portions that are taken on one by one, in a carefully planned order.
Whether or not you decide to hire a consultant, it’s a pretty good idea also to send the leader of the ISMS Team on an ISO2 7001 Lead Implementer (LI) course. These courses typically run for about three days, and they are helpful. Note that ISO 27001 requires the organisation to provide evidence of the competence of key participants in the project, and the LI qualification for a team member indicates a reasonable degree of knowledge and commitment regarding the standard.
Of course, there are also a number of helpful online resources including the ISO27k Forum.
Implementing ISO 27001 can be resource-intensive. What advice do you have for organizations, particularly SMEs, in effectively allocating resources and budget for ISO 27001 implementation?
It’s true that implementation of ISO 27001 necessarily consumes resources, in terms of money and other assets – particularly people’s time. The critical question is whether the resource cost is offset by perceived gains, and this is largely about efficiency of allocation. Among other methods that we can use to attempt to optimise this are:
1. Use of a roadmap – as mentioned above – that takes the organisation all the way through to the two-stage certification audit process at a granular (weekly) level.
2. Early selection of the certification auditor and agreement of tentative dates for the certification audits. The benefits of doing this include the psychological one of getting an end date in the diary to help define the project roadmap. The cost of certification audits is also an important part of the overall budget, and the certification body will provide quotes for these at this stage.
Note that along with the two initial certification audits, there are a couple of (roughly annual) surveillance audits and a recertification audit after three years. These audits all cost money, of course, and require budgeting.
3. Watching out for some of the less obvious costs, including the potential charges associated with:
Legal work on modifications/additions to employment contracts, NDAs etc.
Software that you choose to install e.g., anti-malware, IDS, etc.
What strategies can be employed to convince top management of the necessity and benefits of ISO 27001 compliance?
Consultancy companies love to answer this question – on their websites – with a list of bullet points.
However, I can tell you that in nearly all cases there is just a single key factor at play, and it is a commercial one: Potential important clients or partners have been identified that require certification to the standard. Organisations that operate in sensitive sectors (finance, critical infrastructure, healthcare…) have already learned this or are in the process of learning it, and don’t need to be told about it. If they don’t know, then by all means tell them!
Other reasons that I consider completely valid and credible include:
Perceived improvement in the level of an organisation’s information security provides assurance to other stakeholders apart from clients – investors, senior management, regulators, suppliers and so on – regarding information security risks to the organisation.
Implementation of ISO 27001 can help smaller companies with their expansion. For example, it can help with the development of sound HR policies, with procedures around business continuity, disaster recovery and change management, and several other areas.
Note that ISO 27001 isn’t by any means just about personal data but is also concerned with other types of sensitive information, in particular intellectual property or “IP” (including trade secrets and source code). For many tech start-ups, these are the main assets of the business, and need to be well protected.
Risk management and performance evaluation are critical yet challenging aspects of ISO 27001. How should organizations approach these elements to ensure an effective Information Security Management System (ISMS)?
These are indeed arguably the core areas of ISO 27001. Among the critical things to remember regarding risk assessments are:
You should really at least try to come up with all the possible information security risks (internal and external) that are or might be faced by your organisation. This is best done by brainstorming in a group based around the ISMS Team.
ISO 27001 fundamentally breaks down to: “What information security risks do we face? How should we best manage them?”
Just as the chicken may come before the egg, note that what should happen in this case is that you identify the risks first and then select the controls that help to manage those risks.
You definitely don’t have to apply all of the controls, and nearly all organisations treat some, validly, as non-applicable in their Statement of Applicability. For example, businesses where all employees work remotely simply don’t have the full range of risks that can benefit from mitigation by the physical controls.
When it comes to performance evaluation, it’s largely a case of working through the relevant clauses and controls and agreeing how good a job the organisation is doing trying to meet the associated requirements. The ones that are selected for monitoring, measurement and evaluation will depend on the type and size of the organisation and its business objectives. These are basically key performance indicators (KPIs) for information security and might include supplier evaluations and documented events, incidents, and vulnerabilities.
Specifically for cloud solutions like Microsoft 365, what unique challenges do organizations face in implementing ISO 27001, and how can they be addressed?
The switch towards remote working and use of cloud resources has been quite disruptive for ISO 27001. The 2022 version has been somewhat adapted (via modifications to the controls) to reflect the change in working conditions. However, it still gives a lot of attention to traditional physical places of work, networks, and pre-SaaS style suppliers.
The big switch away from locally downloaded software to cloud services means that we need to take advantage of the flexibility of ISO 27001 to interpret the 27002 controls in a corresponding way, for example:
Thinking less about networks and more about secure configuration of cloud resources.
Focusing on aspects of the ‘supplier relationships’ controls that are relevant to SaaS suppliers.
Remembering that if cloud resources are very important for handling and storage of sensitive data in your business, then the new control 5.23 (Information security for use of cloud services) is correspondingly important for your business and must be tackled carefully and rigorously. It almost definitely applies to you – and there’s a lot there.
Note that business continuity/disaster recovery for an organisation with employees that work remotely using cloud services becomes largely a question of how the relevant cloud provider(s) manage backups, redundancy of storage/compute etc.
ISO 27001 requires a commitment to continuous improvement. How should organizations approach this, particularly regarding incident management and response?
This is an enigmatic section of clause 10 (Improvement) that organisations tend to struggle with (the second part is about dealing with non-conformities and is much clearer regarding what needs to be done).
It seems to me that the best approach is to raise the question of ‘how can we make the ISMS better?’ at the periodic ISMS management meetings, come up with some examples whereby this may be achieved and then provide any observed progress in the right direction. That means that by the time of the first follow-up (surveillance) audit you should be able to present a list of several potential improvements along with how they are being achieved.
I’d like to finish up by mentioning that nothing stops your organisation implementing ISO 27001 without getting the certification, or even doing a partial implementation. Many businesses like the concept of ISO 27001 but aren’t quite ready to commit fully. In that case, I highly recommend the following implementation model:
1. Decide which areas of information security are priorities for your organisation in terms of incremental increase in security, resources (money, time, personnel) required and ease of implementation. You can call these your ‘lowest-hanging security fruit’ if you must. Possible examples include access control, HR security or endpoint security. 2. Work through these one by one according to the relevant 27002 controls. 3. Once you have the highest priority areas covered off, start working on lower levels of priority. 4. After a few months of this, you may feel that ISO 27001 isn’t quite so formidable, and that you are ready to tackle it. Go for it!
ISO 27002, officially named “ISO/IEC 27002 Information Security, Cybersecurity and Privacy Protection – Information Security Controls,” is a widely used and well-known information security standard published by the International Organization for Standardization (ISO). ISO 27002 provides detailed guidelines for the implementation of the controls listed in ISO 27001 Annex A, because ISO 27001 provides only a high-level description of each control. ISO 27002 has become an internationally recognized set of industry best practices that support the implementation of ISO 27001.
The basics
What is the purpose of ISO 27002?
The main purpose of ISO 27002 is to help organizations implement the Annex A controls from ISO 27001, because ISO 27001 does not provide explanations for how these controls should be implemented. ISO 27002 is designed to work in conjunction with ISO 27001, as ISO 27001 describes how to manage security by implementing an Information Security Management System (ISMS).
Why is ISO 27002 important?
ISO 27002 is important because it is the only standard in the ISO 27k series that provides implementation guidance on all 93 controls defined in Annex A of ISO 27001. By using the detailed guidance in ISO 27002, companies can have a much better understanding of the best practices for controls.
ISO 27002 certification – Is it possible?
Certification against ISO 27002 is not possible. ISO 27002 is non-certifiable because, unlike ISO 27001, it is not a management standard. Instead, ISO 27002 is a code of practice (or best practices) for the implementation of security controls that support the ISMS defined in ISO 27001.
How does ISO 27002 support the ISMS?
ISO 27002 supports the ISMS by providing detailed guidance on how to implement the controls necessary to establish and operate an ISMS within a company. For example, ISO 27002 takes a whole page to explain one control, while ISO 27001 dedicates only one sentence to each control. This ensures that organizations have a comprehensive set of guidelines to use as a framework to deploy an effective ISMS in a structured manner.
What is the current version of ISO 27002?
As of the publication date of this article, the current version of ISO 27002 is ISO/IEC 27002:2022. The new 2022 revision of ISO 27002 was published on February 15, 2022.
What is the difference between ISO 27001 and 27002?
As already explained in brief, ISO 27001 is the main standard, and companies can get certified against it; companies cannot certify against ISO 27002:2022 because it is only a supporting standard.
In its Annex A, ISO 27001 provides a list of security controls and what must be achieved with those controls, but it does not explain how they can be implemented. ISO 27002 lists those very same controls and provides guidance on how they could be implemented; however, this guidance in ISO 27002 is not mandatory, i.e., companies can decide whether to use those guidelines or not.
Requirements & security controls
What are the requirements for ISO 27002?
ISO 27002 does not contain explicit requirements for companies to follow — for requirements, you should see ISO 27001. However, ISO 27002 does provide guidance on information security controls that can be applied in an organization.
What are the sections of ISO 27002?
The structure of ISO 27002 is listed and briefly explained below:
Clause 5: Organizational controls – This section contains all controls related to various organizational issues, comprising 37 controls.
Clause 6: People controls – This section focuses on controls related to human resources security, comprising 8 controls.
Clause 7: Physical controls — This section focuses on controls related to the physical environment and equipment, comprising 14 controls.
Clause 8: Technological controls — This section focuses on controls related to technological solutions, comprising 34 controls.
Annex A: Using attributes — This annex provides a matrix of all the new controls, it compares their attributes, and provides suggestions on how to use the controls according to their attributes.
Annex B: Correspondence with ISO/IEC 27002:2013 — This annex provides a mapping between controls from the 2022 revision and the controls from the previous 2013 version.
What is a security control?
ISO 27002 defines a control as “a measure that modifies and/or maintains risk.” Put simply, a control (or a safeguard) is a practice that can be implemented to reduce a risk to an acceptable level. Some examples of security controls include an Access control policy (5.15), Configuration management (8.9), and Secure coding (8.28).
How many controls are there in ISO 27002?
The 2022 revision of ISO 27002 has reduced the number of controls from 114 to 93. Some of the reasons for this reduction in the number of controls include technological advancements and an improvement in the understanding of how to apply security practices.
What are control attributes?
Control attributes provide a standardized way to sort and filter controls against different views to address the needs of different groups.
Attributes options for each control are as follows:
Control types: Preventive, Detective, and Corrective
Information security properties: Confidentiality, Integrity, and Availability
Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover
Operational capabilities: Governance, Asset management, Information Protection, Human Resource Security, Physical Security, System and Network Security, Application Security, Secure Configuration, Identity and Access Management, Threat and Vulnerability Management, Continuity, Supplier Relationships Security, Legal and Compliance, Information Security Event Management, and Information Security Assurance
Security domains: Governance and Ecosystem, Protection, Defense, and Resilience
These attributes will ease the integration of ISO 27002:2022 controls with other similar security frameworks, like NIST Risk Management Framework. You can read more about the differences between the 2013 and 2022 versions of ISO 27002 in the last section of this article.
How are the controls structured?
The layout for each ISO control in ISO 27002 consists of the following elements:
Control title: The short name of the control
Attribute table: A table that shows the value(s) of each attribute for the given control
Control: A brief description of the control
Purpose: An explanation of why the control should be implemented
Guidance: Instructions for how the control should be implemented
Other information: Additional explanatory text, or references to related documents
The layout is designed to provide comprehensive information and guidance for each control, helping organizations understand and implement the necessary security measures.
How to implement ISO 27002 controls
To effectively implement ISO 27002 controls, follow a process that assesses the organization’s needs; identifies the appropriate controls, and customizes them if necessary; implements them using a structured approach; and then monitors, measures, and continuously improves them. Once completed, the implemented control should address needs at a combined technological, organizational/process, people, and documentation level.
For example, the implementation of control 8.9 Configuration management will address the following aspects:
Technology. The technology whose configuration needs to be managed could include software, hardware, services, or networks. Smaller companies will probably be able to handle configuration management without any additional tools, whereas larger companies probably need some software that enforces defined configurations.
Organization/processes. You should set up a process for proposing, reviewing, and approving security configurations, as well as the processes for managing and monitoring the configurations.
People. Make employees aware of why strict control of security configurations is needed, and train them to define and implement security configurations.
Documentation. ISO 27001 requires this control to be documented. If you are a small company, you can document the configuration rules in your security operating procedures. Larger companies will typically have a separate procedure that defines the configuration process.
Download ISO27000 family of information security standards today!
About This Guide Practical guide for the implementation of an Information Security Management System (ISMS) according to ISO/IEC 27001:2022
About ISO/IEC 27001:2022 ISO/IEC 27001 promotes a holistic approach to information security: vetting people, policies and technology. An information security management system implemented according to this standard is a tool for risk management, cyber-resilience and operational excellence.
ISO 27701 is an international standard that provides guidelines for implementing a privacy information management system (PIMS) based on the requirements of the General Data Protection Regulation (GDPR) and other relevant privacy regulations. It was published by the International Organization for Standardization (ISO) in August 2019.
ISO 27701 is an extension of ISO 27001, which is a widely recognized international standard for information security management. It introduces additional controls and requirements specific to the management of privacy information within an organization.
The standard outlines the framework for establishing, implementing, maintaining, and continually improving a privacy information management system. It helps organizations to identify and manage privacy risks, implement privacy controls, and demonstrate compliance with applicable privacy laws and regulations.
ISO 27701 focuses on protecting individuals’ privacy rights and ensuring responsible handling of personal information. It provides guidance on various aspects of privacy management, including privacy policy development, privacy risk assessment, privacy impact assessments, consent management, data subject rights, data breach management, and vendor management.
By implementing ISO 27701, organizations can enhance their privacy practices, build trust with customers and partners, and demonstrate their commitment to protecting personal information. It is especially relevant for organizations that process large amounts of personal data or handle sensitive information, as it helps them establish a systematic approach to privacy management.
It’s important to note that ISO 27701 is not a certification itself but an extension to ISO 27001. Organizations can seek certification against ISO 27001 and include ISO 27701 requirements as part of their certification process to demonstrate compliance with privacy regulations.
in what situation ISO 27701 certification may be appropriate?
ISO 27701 certification may be appropriate for organizations that handle personal data and are subject to privacy regulations such as the General Data Protection Regulation (GDPR) in the European Union or other similar privacy laws worldwide. Here are some situations where ISO 27701 certification may be relevant:
Data Controllers and Processors: Organizations that act as data controllers or processors and handle personal data on a significant scale can benefit from ISO 27701 certification. This includes organizations in sectors such as healthcare, finance, e-commerce, technology, and marketing that process large volumes of personal information.
Legal and Regulatory Compliance: ISO 27701 certification helps organizations demonstrate compliance with privacy regulations. If an organization operates in jurisdictions with strict privacy laws or serves customers from regions with robust privacy requirements, certification can provide assurance to stakeholders that the organization has implemented appropriate privacy controls.
Third-Party Assurance: Organizations that act as vendors or service providers for other companies may pursue ISO 27701 certification to demonstrate their commitment to privacy management. This can be particularly relevant for organizations providing cloud services, data processing, or other services involving personal data, as it helps build trust and confidence with customers.
Competitive Advantage: ISO 27701 certification can serve as a competitive differentiator for organizations. It showcases their dedication to privacy protection and can attract customers who prioritize strong privacy practices and compliance when selecting vendors or partners.
Data Breach Prevention and Response: ISO 27701 provides guidelines for managing data breaches and responding to privacy incidents effectively. Organizations that want to establish robust incident response procedures and enhance their ability to prevent and manage data breaches can benefit from implementing ISO 27701.
Privacy-Driven Culture: ISO 27701 certification promotes a privacy-centric culture within an organization. It helps organizations establish clear policies, procedures, and training programs to educate employees about privacy responsibilities and foster a privacy-aware mindset throughout the organization.
Ultimately, the decision to pursue ISO 27701 certification depends on the specific needs, risk profile, and regulatory environment of the organization. Conducting a thorough assessment of privacy risks, legal requirements, and business objectives can help determine whether certification is appropriate and beneficial for the organization.
Achieve full compliance with ISO 27701:2019
The ISO 27701 Gap Analysis Tool has been created to help organizations identify whether they are meeting the requirements of the Standard and where they are falling short. Note that this tool assumes that you have a complete and functioning ISO 27001:2013 ISMS (information security management system).
It helps organizations prioritise work areas in order to expand an existing ISMS to take account of privacy. It also gives organizations direction, helping project managers identify where to start.
This standard is ideal for organizations wishing to implement a PIMS that supports their ISMS objectives and helps meet their data privacy compliance requirements, such as those stipulated by the EU’s GDPR (General Data Protection Regulation) and the UK’s DPA (Data Protection Act) 2018.
We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com), or through our website’s contact form.
ISO 27001 is an internationally recognized Information Security Standard that is widely acclaimed. It is published by the International Organization for Standardization (ISO) and provides a certifiable framework comprising security policies and procedures. The standard aims to assist organizations in safeguarding their data by implementing an Information Security Management System (ISMS).
To obtain ISO 27001 certification, organizations must fulfill the requirements for establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS) that aligns with their specific business needs. The ISO 27001 standard consists of two distinct parts: Clauses and Annex A. The Clauses outline the general requirements for an ISMS, while Annex A provides a set of controls and objectives that organizations can choose to implement based on their risk assessment and security requirements.
Clauses 4-10 in ISO 27001 consist of mandatory requirements that all organizations seeking certification must fulfill. Each clause includes several sub-requirements. Here is a brief overview of each clause:
Clause 4: Context of the Organization – Organizations must determine the scope of their ISMS, identify internal and external issues relevant to information security, and define the interested parties.
Clause 5: Leadership – Top management should demonstrate leadership and commitment to the ISMS by establishing policies, assigning responsibilities, and promoting awareness.
Clause 6: Planning – This clause emphasizes the importance of risk assessment and treatment, setting objectives, and planning to achieve them.
Clause 7: Support – Organizations must provide the necessary resources, competence, awareness, communication, and documented information to support the ISMS.
Clause 8: Operation – This clause covers the implementation of risk treatment plans, management of changes, and effective operation of controls and processes.
Clause 9: Performance Evaluation – Organizations need to monitor, measure, analyze, and evaluate the performance of the ISMS and conduct internal audits.
Clause 10: Improvement – This clause focuses on nonconformities, corrective actions, continual improvement, and the management of incidents and improvements.
Meeting these mandatory requirements is crucial for organizations seeking ISO 27001 certification.
Annex A of ISO 27001 comprises a collection of security controls that are not obligatory but can be selectively implemented based on the specific needs of an organization. By conducting a risk assessment, organizations can identify the security controls that align with their security program and effectively address their risks and vulnerabilities. This approach allows organizations to tailor the implementation of controls to their unique requirements and enhance their overall information security posture.
After establishing the necessary policies, procedures, and documentation for ISO 27001 compliance and ISMS is operational, organizations can engage an accredited certification body to perform an audit. This audit assesses the implementation and effectiveness of the Information Security Management System (ISMS) against the ISO 27001 requirements. If the audit is successful and the organization meets all the necessary criteria, an ISO 27001 certificate will be issued, validating the organization’s adherence to the standard and their commitment to information security.
By adhering to ISO 27001 standards, organizations can establish robust policies, procedures, and technology measures that effectively safeguard their data, regardless of its location. This comprehensive approach significantly reduces the risk of cyber-attacks and fosters a culture of information security within the organization.
Obtaining ISO 27001 certification serves as a notable competitive advantage for businesses, irrespective of their industry or size. The certification acts as concrete evidence to customers that the organization is dedicated to protecting their data and fulfilling contractual security obligations. Moreover, ISO 27001 certification holds international recognition, making it instrumental in expanding global business opportunities and establishing trust with partners worldwide.
DISC LLC offers the expertise of a team comprised of former ISO auditors and experienced practitioners who can assist in preparing your organization for a successful ISO 27001 audit. Their services aim to guide you towards certification by identifying and addressing any gaps that may exist within your current security program. They provide support in implementing the required policies, procedures, and technologies to meet the ISO 27001 standards. With their knowledge and experience, DISC LLC can help your organization navigate the certification process and ensure a solid foundation for information security.
Following the attainment of ISO 27001 certification, we offer services to manage and maintain your Information Security Management System (ISMS). Our expert team will diligently oversee and guide your ISMS to ensure ongoing compliance with ISO 27001 requirements, thereby facilitating future certifications. By entrusting us with the management of your ISMS, you can focus on your core business activities while maintaining the necessary level of information security and sustaining your commitment to ISO 27001 standards.
We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com), or through our website’s contact form.
This article gives some guidance on how to transition to ISO27001:2022 from the 2013 version.
This approach is tried and tested in that I have used it to successfully transition an organization to the new version. In the transition audit there were no nonconformities.
ISO 27001 is a globally recognized standard on information and cyber security. By being compliant with this standard, you are operating in accordance with globally identified best practices. By being ISO 27001 certified, you’re not only operating in accordance with it, but you will also receive a clear stamp as evidence to your customers and other stakeholders that you are working aligned with security best practices.
Common Trap When Pursuing ISO 27001
Often companies who want to pursue ISO 27001 will quickly drop the idea when they start looking into the standard – this is because, often companies fall into the trap of starting with the controls as specified in ISO 270002 . When you only focus on the controls and implementation guidance, it can feel overwhelming and be frustrating as you will notice a lot of the implementation guidance will not make sense to your company and you can be under the impression that you are required to follow all the implementation guidance in order to become compliant or go for the certification.
This is false!
Falling into this trap, you are missing out on the core purpose of the standard. It is not about implementing all the controls and all the guidance you get from the standard – it is about building a functional management system that is aligned with your company context – it is about understanding the issues and risks you as a company are facing, and taking the appropriate measures to protect your assets and information.
How To Go About It The Right Way!
You should always start by focusing on the standard clauses in ISO 27001 that provide clear guidance on how to build a functional management system, when this is done correctly the controls will fall into place in the correct order at the right time in accordance with your company context and the risks that you as a company need to manage.
When people say that small companies should not pursue iso because it is too complex and has too many requirements – the above is the reason why it does not have to be.
All companies should prioritize and have a functional management system on how they secure their own company and the company assets. Protecting your values is a crucial element to stay in business!
Make sure you understand your company, your needs, and please avoid looking at other companies and the measures they have taken to protect themself and think that you have to do the same. Make your management system your own, build it so that it isdesigned to protect your assets. This way, you will have greater success and security will not be something that is forced on your company, it will be a tool to help you work more efficiently and securely.
Summary
To sum it up, ISO 27001 is a great standard to pursue both for small and large organizations.
Make sure you understand the purpose of the standard, and as a result implement a management system that is a perfect fit for your organization for long term success. ISO 27001 done right will result in a more secure and effective company that will again support the main goal of business continuity.
What is BS ISO/IEC 27001:2022 – Expert Commentary about? BS ISO/IEC 27001:2022 is the third edition of this standard. It technically revises, cancels, and replaces the Second Edition – ISO/IEC 27001:2013 (also published as BS EN ISO/IEC 27001:2017). BS ISO/IEC 27001:2022 presents the requirements for an information security management system (ISMS). An ISMS assists an organization to preserve the confidentiality, integrity, and availability of information, in the face of an ever-changing threat landscape, no matter the source of risk. Thus, it deals with threats that can be technological, human, physical and environmental in nature.
The standard requires an organization to adopt a risk management framework to determine the necessary information security controls best suited to their business needs and risk appetite. To help organizations ensure that they have not inadvertently omitted any necessary control, the framework uses a reference set of controls (BS ISO/IEC 27001, Annex A), which also facilitates reliable comparisons to be drawn between organizations. The level of change incorporated into the revised version of the standard is medium.
The main changes compared to the previous edition are: a fully revised reference information security control set (Annex A), which now aligns with ISO/IEC 27002:2022 and alignment with the revised harmonized structure (HS) for management system standards.
Download ISO27000 family of information security standards today!
How to create a transition plan from ISO 27001 2013 to ISO 27001 2022
Transitioning from ISO 27001:2013 to ISO 27001:2022 involves updating your Information Security Management System (ISMS) to meet the new requirements specified in the latest version. Here are some steps you can take to help ensure a smooth transition:
Review the changes: The first step is to familiarize yourself with the changes made in the 2022 version. Some of the key changes include a more risk-based approach, more emphasis on leadership, and greater alignment with other ISO management system standards. You can find a detailed list of changes on the ISO website.
Identify gaps: Once you have reviewed the changes, identify any gaps between your current ISMS and the new requirements. This may involve reviewing your policies, procedures, and controls to ensure they align with the new standard.
Develop an action plan: Based on the gaps you identified, develop an action plan to address them. This may involve updating policies and procedures, implementing new controls, or conducting additional training.
Train staff: It is important to ensure that all relevant staff members are trained on the new requirements and how they impact their roles and responsibilities.
Conduct internal audits: Conduct internal audits to ensure that your updated ISMS is effectively implemented and meets the new requirements.
Seek certification: Once you are confident that your updated ISMS meets the new requirements, seek certification from an accredited certification body.
Monitor and continually improve: Finally, monitor your ISMS and continually improve it to ensure that it remains effective and aligned with the latest best practices.
Overall, transitioning to the new version of ISO 27001 requires careful planning and execution. By following these steps, you can help ensure a successful transition and maintain the security of your organization’s information assets.
We’d love to hear from you! If you have any questions, comments, or feedback, please don’t hesitate to contact us. Our team is here to help and we’re always looking for ways to improve our services. You can reach us by email (info@deurainfosec.com), or through our website’s contact form.
Contact DISC InfoSec if you need further assistance in your ISO 27001 2022 transition Plan
