InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
If you’re a security practitioner dealing with ISO 27001, you’re probably wondering what new things you will need to implement as part of the changes that will be made to this standard during 2022.
What you’ll notice is that some of these new controls are very similar to old controls from the 2013 revision; however, because these controls were categorized as new in ISO 27002:2022, I have listed all 11 in this article.
As the main source for this article, I’ve used guidelines from ISO 27002:2022 – I’ve given an overview of requirements, technology, people, and documentation, but if you’d like to learn about these controls in more depth, you can purchase the ISO 27002 2022 standard.
Finally, keep in mind that these controls are not mandatory – ISO 27001 allows you to exclude a control if (1) you identified no related risks, and (2) there are no legal/regulatory/contractual requirements to implement that particular control.
If you’re into ISO implementation or auditing, then you know that ISO books are a valuable resource. They can teach you new things, introduce you to new concepts around implementation and auditing, and help you stay up-to-date on the latest trends in your field. That’s why I’ve put together this list of 6 essential reference eBooks for ISO professionals.
THE SHORT HANDBOOK CONTAINING EXPERT GUIDANCE ON ISO INTERNAL AUDIT
Author, auditor, and experienced ISO consultant Dejan Kosutic has created this shorter book, as part of the handbook ISO pocket book series, focused solely on preparing for the ISO internal audit.
This book, ISO Internal Audit: A Plain English Guide, is based on Advisera’s internal auditor online courses. It provides a quick read for people who are focused solely on preparing for ISO 9001, ISO 14001, ISO 27001, OHSAS 18001, ISO 22000, ISO 20000, or internal audits against any other ISO standard, and don’t have the time (or need) to read a comprehensive book about ISO implementation. It has one aim in mind: to give you the knowledge and practical tips to prepare for the ISO internal audit without struggle, stress, or headaches.
Author and experienced ISO consultant Dejan Kosutic has created this shorter book as part of the ISO pocket book series, focused solely on preparation for the ISO implementation.
This book, Preparations for the ISO Implementation Project: A Plain English Guide, is based on an excerpt from Kosutic’s previous book Secure & Simple. It provides a quick read for people who are focused solely on preparation for the implementation of an ISO standard (e.g., ISO 9001, ISO 14001, ISO 27001, ISO 20000, ISO 22000, OHSAS 18001, ISO 13485, or IATF 16949), and who don’t have the time (or need) to read a comprehensive book about ISO implementation. It has one aim in mind: to give you the knowledge and practical advice you need to prepare for your ISO implementation without struggle, stress, or headaches.
Author and experienced ISO consultant Dejan Kosutic has created this shorter book, as part of the ISO pocket book series, focused solely on managing ISO documentation.
This book, Managing ISO Documentation: A Plain English Guide, is based on an excerpt from Kosutic’s previous book Secure & Simple. It provides a quick read for people who are focused solely on preparing documentation for ISO 9001, ISO 14001, ISO 27001, ISO 20000, ISO 22000, OHSAS 18001, ISO 13485, and/or IATF 16949, and don’t have the time (or need) to read a comprehensive book about ISO implementation. It has one aim in mind: to give you the knowledge and practical tips to manage your ISO documentation without struggle, stress, or headaches.
Author, certification auditor, and experienced ISO consultant Dejan Kosutic has created this shorter book, as part of the handbook ISO pocket book series, focused solely on preparing for the ISO 9001/ISO 14001/ISO 27001 certification audit.
This book, Preparing for ISO Certification Audit: A Plain English Guide, is based on an excerpt from Kosutic’s previous book Secure & Simple. It provides a quick read for people who are focused solely on preparing for ISO 9001, ISO 14001, ISO 27001, or certification audit against any other ISO standard, and don’t have the time (or need) to read a comprehensive book about ISO implementation. It has one aim in mind: to give you the knowledge and practical tips to prepare for the ISO certification audit process and pass the certification without struggle, stress, or headaches.
Author and experienced information security consultant Dejan Kosutic has created this shorter book, as part of the ISO pocket book series, focused solely on safeguards specified in ISO 27001:2013.
This book, ISO 27001 Annex A Controls in Plain English, is based on an excerpt from his previous book Secure & Simple. It provides a quick read for people who are focused solely on security controls, and don’t have the time (or need) to read a comprehensive book about ISO 27001. This series of handbooks has one aim in mind: to help you understand what these 114 controls are all about. In the second book of this series, ISO 27001 Annex A Controls in Plain English.
THE SHORT HANDBOOK CONTAINING EXPERT GUIDANCE FOR THE RISK MANAGEMENT OF ISO 27001
Author and experienced information security consultant Dejan Kosutic has created this shorter book, as part of the handbook ISO pocket book series, focused solely on the issues of risk management according to ISO 27001.
This book, ISO 27001 Risk Management in Plain English, is based on an excerpt from his previous book Secure & Simple. It provides a quick read for people who are focused solely on risk management, and don’t have the time (or need) to read a comprehensive book about ISO 27001. It has one aim in mind: to give you the knowledge and practical step-by-step process you need to successfully implement ISO 27001 risk assessment and treatment – without struggle, stress, or headaches.
I just wanted to inform you that, at the end of September, Advisera launched the “Second Course Exam for Free” promotional campaign. The campaign will start on September 22 and end on September 29, 2022.
In this promotion the second course exam is completely FREE OF CHARGE.
The bundles are displayed on two landing pages, one with bundles related to ISO 9001 and another with bundles related to ISO 27001.
Foundations course exam bundles:
ISO 9001 Foundations exam + ISO 14001 Foundation exam
ISO 9001 Foundations exam + ISO 27001 Foundation exam
ISO 9001 Foundations exam + ISO 13485 Foundation exam
ISO 9001 Foundations exam + ISO 45001 Foundation exam
ISO 14001 Foundations exam + ISO 45001 Foundation exam
Internal Auditor course exam bundles:
ISO 9001 Internal Auditor exam + ISO 14001 Internal Auditor exam
ISO 9001 Internal Auditor exam + ISO 27001 Internal Auditor exam
ISO 9001 Internal Auditor exam + ISO 13485 Internal Auditor exam
ISO 9001 Internal Auditor exam + ISO 45001 Internal Auditor exam
ISO 14001 Internal Auditor exam + ISO 45001 Internal Auditor exam
Lead Auditor course exam bundles:
ISO 9001 Lead Auditor exam + ISO 14001 Lead Auditor exam
ISO 9001 Lead Auditor exam + ISO 13485 Lead Auditor exam
ISO 9001 Lead Auditor exam + ISO 45001 Lead Auditor exam
ISO 14001 Lead Auditor exam + ISO 45001 Lead Auditor exam
Lead Implementer course exam bundles:
ISO 9001 Lead Implementer exam + ISO 14001 Lead Implementer exam
ISO 9001 Lead Implementer exam + ISO 13485 Lead Implementer exam
ISO 9001 Lead Implementer exam + ISO 45001 Lead Implementer exam
ISO 14001 Lead Implementer exam + ISO 45001 Lead Implementer exam
2/ ISO 27001/EU GDPR-related bundles:
ISO 27001 Foundations exam + EU GDPR Foundations exam
ISO 27001 Foundations exam + ISO 9001 Foundation exam
ISO 27001 Internal Auditor exam + EU GDPR Data Protection Officer exam
ISO 27001 Internal Auditor exam + ISO 9001 Internal Auditor exam
ISO 27001 Lead Auditor exam + ISO 9001 Lead Auditor exam
ISO 27001 Lead Implementer exam + ISO 9001 Lead Implementer exam
Take an ISO 27001 course exam and get the EU GDPR course exam for free.
DISC LLC presents a phased approach to delivering ISO 27001 internal audit services to SaaS businesses.
The Engagement:
We understand that your core business is your SaaS application and that you desire an audit. The audit is to be an independent assessment of the company’s ISMS, to measure the maturity of the program, to identify whether the program is ready to pass the certification audit for ISO 27001:2013 certification, and to provide strategic guidance for achieving the certification. Our focus will be your application, which is hosted at AWS/Azure, and the xxx employees who create, maintain, and manage it.
The audit will be conducted remotely and we will have a dedicated contact person assigned to our audit team to facilitate access to documentation, records, and select staff for interviews. We will complete your standard audit process documentation according to the ISO 27001 standard.
The Plan:
Below is our high-level audit plan for your ISO 27001 internal audit. We propose a staged and flexible approach so we may progressively tune our audit process to deliver maximum business value to you.
Phase 1: This phase starts within one week of signing an engagement contract. The first step is a kickoff meeting to discuss the overall audit engagement, to finalize the formal audit plan, and to establish access to the documents to be reviewed. We will review the available documents against the ISO 27001 standard. At the end of this phase we will present our findings in a briefing session.
Phase 2: The Phase 2 kickoff will be based on the document review, and will coordinate the scheduling of interviews that focus on critical processes, in order to establish the degree to which the various control procedures have been activated. This is a critical part of the audit process. We will measure the maturity of the required controls that have been implemented and present the findings for review in another review session (schedule subject to availability for interviews).
Phase 3: Recommendations will be the focus of this phase. This will also start with a kickoff meeting to establish a coordinated plan for what measures are already planned and what new measures are required to actually pass (to-be state) the certification audit. This final step can save you a lot of effort as we can help you navigate to the end goal of passing the audit and also create the precise measures that have maximum business value. The closing meeting of this phase will present our collective recommendations.
All of the efforts outlined above are aligned to a compliant internal audit process with a few enhancements that are value-add. These audit records will likely be a primary target of the certification audit so they need to be well executed. Your controls also have to be tailored to your business. We can help get you certified but that doesn’t mean you are actually secure. We can help you do both. Missing the secure part would be devastating to you and to all of your customers. This is our value-add.
The purpose of this document is to define the methodology for assessment and treatment of information risks, and to define the acceptable level of risk.
The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.
There are 3 appendices related to this document. The appendices are not included in the price of this document and can be purchased separately.
The purpose of this table is to list all information resources, vulnerabilities and threats, and assess the level of risk. The table includes catalogues of vulnerabilities and threats.
The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.
This document is an appendix. The main document is not included in the price of this document and can be purchased separately.
The purpose of this table is to determine options for the treatment of risks and appropriate controls for unacceptable risks. This table includes a catalogue of options for treatment of risks as well as a catalogue of 114 controls prescribed by ISO 27001.
The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.
This document is an appendix. The main document is not included in the price of this document and can be purchased separately.
The purpose of this document is to define which controls are appropriate to be implemented in the organization, what are the objectives of these controls, how they are implemented, as well as to approve residual risks and formally approve the implementation of the said controls.
The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.
The purpose of this document is to determine precisely who is responsible for the implementation of controls, in which time frame, with what budget, etc.
The document is optimized for small and medium-sized organizations – we believe that overly complex and lengthy documents are just overkill for you.
ISO 27001 is a widely-known international standard on how to manage information security.
In this Help Net Security video, Nicky Whiting, Director of Consultancy, Defense.com, talks about the challenges of achieving ISO 27001, a widely-known international standard.
ISO 27001 certification is not obligatory. Some organizations choose to implement it in order to benefit from the best practice it contains. Others decide they want to get certified to reassure customers and clients.
47 document templates – unlimited access to all documents required for ISO 27001, ISO 27017 & ISO 27018 certification, plus commonly used non-mandatory documents
Access to video tutorials
Email support
Expert review of a document
One hour of live one-on-one online consultations with an ISO 27001 & ISO 27017 & ISO 27018 expert
Upcoming: free toolkit update for the new ISO 27001 2022 revision
Fully optimized for small and medium-sized companies
Information classification is a process in which organisations assess the data that they hold and the level of protection it should be given.
Organisations usually classify information in terms of confidentiality – i.e. who is granted access to view it. A typical system contains four levels of confidentiality:
Confidential (only senior management have access)
Restricted (most employees have access)
Internal (all employees have access)
Public information (everyone has access)
As you might expect, larger and more complex organisations will need more levels, with each one accounting for specific groups of employees who need access to certain information.
The levels shouldn’t be based on employees’ seniority but on the information that’s necessary to perform certain job functions.
Take the healthcare sector for example. Doctors and nurses need access to patients’ personal data, including their medical histories, which is highly sensitive.
However, they shouldn’t have access to other types of sensitive information, such as financial records.
In these cases, a separate classification should be created to distinguish between sensitive medical information and sensitive administrative information.
Where does ISO 27001 fit in?
Organizations that are serious about data protection should follow ISO 27001.
Control objective A.8.2 is titled ‘Information Classification’, and instructs that organisations “ensure that information receives an appropriate level of protection”.
ISO 27001 doesn’t explain how you should do that, but the process is straightforward. You just need to follow four simple steps.
1) Enter your assets into an inventory
The first step is to collate all your information into an inventory (or asset register).
You should also note who is responsible for it (who owns it) and what format it’s in (electronic documents, databases, paper documents, storage media, etc.).
2) Classification
Next, you need to classify the information.
Asset owners are responsible for this, but it’s a good idea for senior management to provide guidelines based on the results of the organization’s ISO 27001 risk assessment.
Information that would be affected by more significant risks should usually be given a higher level of confidentiality. But be careful, because this isn’t always the case.
There will be instances where sensitive information must be made available to a broader set of employees for them to do their job. The information may well pose a threat if its confidentiality is compromised, but the organisation must make it widely available in order to function.
3) Labelling
Once you’ve classified your information, the asset owner must create a system for labelling it.
You’ll need different processes for information that’s stored digitally and physically, but they should be consistent and clear.
For example, you might decide that paper documents will be labelled on the cover page, the top-right corner of each subsequent page and the folder containing the document.
For digital files, you might list the classification in a column on your databases, on the front page of the document and the header of each subsequent page.
4) Handling
Finally, you must establish rules for how to protect each information asset based on its classification and format.
For example, you might say that internal paper documents can be kept in an unlocked cabinet that all employees can access.
By contrast, restricted information should be placed in a locked cabinet, and confidential information stored in a secure location.
Additional rules should be established for data in transit – whether it’s being posted, emailed or employees carry it with them.
You can keep track of all these rules by using a table that lists, for each classification level and each format, the handling rules that apply. Using a table like this simplifies the data handling documentation process.
For a limited time only, ITG is offering bestselling implementation guides free with each toolkit purchase.*
All the pre-written policies and procedures you’ll ever need.
Written by our expert team of in-house consultants, who have been delivering cyber security and data privacy consultancy for years.
Reviewed throughout the year to ensure you’re always working from the most up-to-date documentation, in line with the latest guidance and standard revisions, including free upgrades.
Accessible on our cloud-based platform, DocumentKits, so you can collaborate with team members, viewing, editing and downloading documents any time, anywhere.
Whether you’re a small organisation with limited resources or an international firm, achieving ISO 27001 certification will be a challenge.
Anyone who has already been through the process will know that. You must assemble a team, conduct a gap analysis and risk assessment, apply security controls, create documentation and perform staff awareness training. And that’s before you even get into internal audits and certification audits.
To make matters more complicated, once you’ve certified to ISO 27001, you must maintain your compliance status and regularly recertify.
Organisations must do this to ensure that they have maintained their compliance practices and accounted for changes in the way they operate.
In this blog, we look at the key issues you must address if you are to maintain ISO 27001 compliance.
How often do you need to recertify to ISO 27001?
An organisation’s ISO 27001 certification lasts three years. The certificate itself will state the date at which certification was issued and when it will expire.
As that day approaches, the organisation must apply for recertification. This can be with the same body that performed the initial audit or it can be with another registrar.
How to maintain ISO 27001 certification
Organisations can ensure that their ISO 27001 practices remain compliant by following these seven steps.
1. Continually test and review risks
Your ISMS (information security management system) was built to address risks that you identified during the certification process, but the threat landscape is constantly evolving.
As such, you must regularly monitor the risks you face to ensure that your defences are adequate. Part of this process will involve vulnerability scans and other tools that can automatically spot new risks. However, you should also perform more rigorous tests on a regular basis.
To remain compliant, you must complete an ISO 27001 risk assessment at least once a year or whenever you make substantial changes to your organisation.
You can use the results of the assessment to determine whether your controls work as intended and whether additional defences should be adopted.
2. Keep documentation up to date
The policies and processes you wrote during the initial implementation will have been created specifically for the way your organisation operated at that time.
However, your operations will no doubt evolve, and you need to ensure that your documentation takes that into account. Have you made a significant change in the way you perform certain actions? Have you undertaken new activities involving sensitive data? Have the physical premises changed in any way?
If the answer to any of those questions is yes, then you must amend your documentation accordingly.
3. Perform internal audits
An internal audit provides a comprehensive review of the effectiveness of your ISMS. Alongside a risk assessment and a documentation review, it will help you assess the status of your ISO 27001 compliance.
You will have conducted an internal audit as part of your initial certification process, so you should already have the framework to hand, which you can repeat as part of your compliance maintenance.
4. Keep senior management informed
Unless you are extremely lucky, the maintenance practices outlined above will reveal weaknesses that you must address if you are to remain compliant.
Remedying those vulnerabilities will take time and resources, which requires you to gain board-level approval. As such, you should keep senior management informed of both your activities maintaining the ISMS and the benefits that it has brought.
For example, your defences might have played a direct role in preventing a data breach or cyber attack. If so, you should have logged and investigated the event, in which case you’ll have proof of the ISMS’s effectiveness that you can bring to the board.
An ISMS isn’t just about preventing security breaches, though. It also helps organisations operate more efficiently and responsibly. You should also provide evidence of this, presenting key performance indicators and interviews with employees and other stakeholders.
5. Establish a regular management review process
In addition to informing the board of the ISMS’s successes, you should also involve them in the review process. This is where you can discuss opportunities for improvement or necessary changes that must be made.
There is no requirement for how often the management review should take place, but it should be at least once a year and ideally every six months.
6. Stay on top of corrective actions
If there’s a theme to these tips, it’s that your ISMS isn’t set in stone. As such, it should evolve to meet the threats that your organisation faces.
By regularly monitoring the effectiveness of your ISMS, you should be able to perform corrective actions that prevent weaknesses from spilling over into major problems. Some of these changes could be minor tweaks to processes and policies, or the addition of a new tool.
However, some corrective actions will require a significant overhaul of your practices. These should be discussed during the management review process and could involve ongoing adjustments and monitoring.
7. Promote ongoing information security staff awareness
One of the key principles of ISO 27001 is that effective information security is everybody’s responsibility. Compliance should not be left to the IT department or managers.
Anyone in the organisation who handles sensitive data plays a role in the organisation’s security. They must understand their obligations for protecting sensitive information and appreciate the stakes involved.
You are required to provide staff awareness training as part of your certification process, but those lessons should be repeated on a regular basis. As with your management review, it should be at least annually but ideally twice yearly.
For organisations looking for a quick and effective way to meet their staff awareness training requirements, IT Governance is here to help.
With this 45-minute training course, you can enable your employees to demonstrate their competence in information security and ISO 27001 with digital badges.
The package comes with an annual licence, making it quick and easy to refresh employees’ knowledge on a regular basis.
Build your ISO 27001 knowledge and win new business with Advisera’s free ISO 27001 online courses. And you can be sure that you chose the right learning partner, since all Advisera’s courses are now accredited by ASIC, the internationally respected assurance body for online learning providers worldwide.
The courses’ structure is simple:
Modules that cover important topics related to ISO 27001.
Video lectures give you an opportunity to learn from top ISO 27001 experts.
Quizzes teach you how to apply what you have learned through practical examples.
A recap quiz at the end of each module helps you reinforce the acquired knowledge.
You can choose the course based on your specific needs:
ISO 27001 Foundations course – you’ll learn about all of the standard’s requirements and the best practices for compliance.
ISO 27001 Internal Auditor course – besides the knowledge about the standard, you’ll also learn how to perform an internal audit in the company.
ISO 27001 Lead Auditor course – besides the knowledge about the standard, it also includes the training you need to become certified as a certification auditor.
ISO 27001 Lead Implementer course – besides the knowledge about the standard, it also includes the training you need to become an independent consultant for Information Security Management System implementation.
The online courses are suitable both for beginners and experienced professionals.
Learn at your preferred speed from any location at any time.
If you have planned an ISO 27001 implementation, but you are unsure of whether you should go with the 2013 revision or wait for the 2022 revision to be published, we have a solution for you.
ISO 27701 specifies the requirements for establishing, implementing, maintaining, and continually improving a PIMS (privacy information management system).
Compliance with ISO 27701 shows customers and stakeholders that your organization takes privacy legislation seriously. ISO 27701 serves as an extension to ISO 27001. Organizations that have implemented ISO 27001 will be able to incorporate the controls and requirements of ISO 27701 to extend their existing data security practices to achieve complete coverage of data security and privacy management.
If you are already an ISO 27701 expert, have you considered developing your career as an auditor? The ITG Certified ISO 27701 PIMS Lead Auditor Training Course teaches you how to extend an ISO 27001 audit programme and conduct a PIMS audit against ISO 27701.