ISO 27001:2013 is among the fastest growing ISO standards, and for good reason: with ever growing awareness of online threats and the increasing digitalisation of our lives, it is becoming a strategic priority for many businesses. The purpose of ISO 27001:2013 is to:
a) help businesses to preserve the confidentiality, integrity and availability of their information
b) create a benchmark against which the performance of companies can be judged
c) help clients and customers gain confidence that information security risks are adequately managed
When you first look at the standard, the layout and terminology can be confusing. However, once you understand how ISO 27001 is structured, the logic becomes apparent.
The ISO 27001 standard is broken into two halves: Clauses 1-10 and Annex A. The clauses set out the general framework for your information security management system (ISMS), whilst Annex A lists the 114 controls you need to consider as you implement that management system.
The ISO 27001 standard is written around 10 clauses. Of the ten, it is Clauses 4-10 that are audited. Clauses 1-3 (scope, normative references, and terms and definitions) set the scene for the standard but matter less when it comes to your ISO 27001 implementation.
Clause 4 - Context of the Organisation
Your organisation must identify, monitor and review the external and internal issues that could impact information security in your business. These contextual issues can be far reaching: they may include obvious threats such as malicious attack, but also factors such as rapid growth affecting your ability to onboard staff consistently, or significant levels of homeworking. You should document your findings and review them regularly. This clause also asks you to document all the interested parties who have needs and expectations of your business. Finally, this is the clause that requires you to define the scope of your management system: which locations are in scope, whether development is in-house or outsourced, and which systems are covered.
Clause 5 - Leadership
Leadership involvement is critical to making an information security management system work, and for this reason the standard makes it a requirement. Top management is required to establish your Information Security Policy, set security objectives, take part in management reviews and communicate the importance of security throughout the organisation. Some of the ways leaders are involved are tangible, e.g. writing the Information Security Policy, while others are intangible, e.g. acting in a way that positively promotes a culture of security.
Clause 6 - Planning
In Clause 6 of ISO 27001 you need to conduct a risk assessment against a defined risk assessment process. For each risk you identify, you need to assess its magnitude (typically the likelihood of it occurring and the impact if it does) and decide how you intend to deal with it. If you judge the risk acceptable you can tolerate it. If you judge it unacceptable you can terminate the risk by stopping the activity that causes it, treat the risk by applying further controls, or transfer the risk to another party (for example through insurance or a supplier contract). For those risks that need action, you establish a risk treatment plan to bring the residual risk down to an acceptable level, and you record the controls you have selected, and why, in your Statement of Applicability.
The second part of Clause 6 is the setting of information security objectives. We find these objectives are often tied to a company's largest outstanding risks, but they can also aim to take advantage of opportunities you see. Your objectives should be SMART (specific, measurable, attainable, relevant and time-bound).
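As an added illustration of the risk assessment and treatment logic described above (example code written for this page, not something the standard or a consultancy prescribes), the following Python script scores a small risk register on assumed 1-5 likelihood and impact scales, applies an assumed risk appetite threshold, records the tolerate / treat / transfer / terminate decision for each risk, checks that the estimated residual risk actually lands within appetite, and collects the selected Annex A controls as the starting point for the Statement of Applicability. The risks, scales, threshold and control references are constructed sample data.

```python
"""Added example (not from the original page): a risk register and treatment
planner for the tolerate / treat / transfer / terminate decision. The 1-5
scales, the appetite threshold, the Annex A control references and the sample
risks are constructed assumptions for illustration only."""
from __future__ import annotations

from dataclasses import dataclass, field

SCALE = range(1, 6)    # assumption: 1 (rare / negligible) .. 5 (almost certain / severe)
RISK_APPETITE = 8      # assumption: a score above this is unacceptable without treatment
TREATMENTS = {"tolerate", "treat", "transfer", "terminate"}


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: int
    impact: int
    treatment: str = "tolerate"
    controls: list[str] = field(default_factory=list)  # Annex A controls selected
    residual_likelihood: int | None = None             # estimate after treatment
    residual_impact: int | None = None


def score(likelihood: int, impact: int) -> int:
    """Inherent or residual score on the assumed likelihood x impact matrix."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return likelihood * impact


def control_key(ref: str) -> tuple[int, ...]:
    """Sort 'A.12.3.1' numerically rather than as text."""
    return tuple(int(part) for part in ref.split(".")[1:])


def evaluate(risk: Risk, appetite: int = RISK_APPETITE) -> dict:
    """Build the treatment-plan row for one risk and check the residual outcome."""
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"{risk.ref}: unknown treatment {risk.treatment!r}")
    inherent = score(risk.likelihood, risk.impact)
    row = {"ref": risk.ref, "inherent": inherent, "treatment": risk.treatment,
           "controls": sorted(risk.controls, key=control_key)}
    if inherent <= appetite:
        row.update(residual=inherent, status="accepted")            # within appetite: tolerate
    elif risk.treatment == "tolerate":
        row.update(residual=inherent, status="treatment required")  # above appetite, no decision
    elif risk.treatment == "terminate":
        row.update(residual=0, status="planned")                    # activity stopped, risk removed
    else:
        # treat / transfer: an estimated residual is mandatory and must land within appetite
        if risk.residual_likelihood is None or risk.residual_impact is None:
            raise ValueError(f"{risk.ref}: residual risk not estimated")
        residual = score(risk.residual_likelihood, risk.residual_impact)
        row.update(residual=residual,
                   status="planned" if residual <= appetite else "residual above appetite")
    return row


def treatment_plan(risks: list[Risk], appetite: int = RISK_APPETITE) -> list[dict]:
    """Evaluate every risk, worst inherent score first."""
    return sorted((evaluate(r, appetite) for r in risks), key=lambda row: -row["inherent"])


def applicable_controls(plan: list[dict]) -> list[str]:
    """Distinct controls the plan relies on: the starting point for the SoA."""
    return sorted({c for row in plan for c in row["controls"]}, key=control_key)


SAMPLE_REGISTER = [  # constructed sample data
    Risk("R1", "Laptop holding client data lost in transit", 3, 4, "treat",
         ["A.10.1.1", "A.6.2.1"], residual_likelihood=3, residual_impact=1),
    Risk("R2", "Fire destroys the on-site server room", 1, 5),
    Risk("R3", "Ransomware delivered by phishing email", 4, 5, "treat",
         ["A.12.2.1", "A.7.2.2", "A.12.3.1"], residual_likelihood=2, residual_impact=3),
    Risk("R4", "Legacy FTP server still reachable from the internet", 4, 3, "terminate"),
    Risk("R5", "Outsourced developer leaks source code", 2, 5, "transfer",
         ["A.15.1.2"], residual_likelihood=2, residual_impact=5),
    Risk("R6", "Shared administrator password on the firewall", 3, 3),
]

if __name__ == "__main__":
    plan = treatment_plan(SAMPLE_REGISTER)
    for row in plan:
        print(f"{row['ref']} inherent={row['inherent']:>2} residual={row['residual']:>2} "
              f"{row['treatment']:<9} {row['status']}")
    print("Controls for the SoA:", ", ".join(applicable_controls(plan)))
```

The two cases worth noticing are R5, where the chosen treatment (a contract clause) does nothing to the impact of a leak, so the residual score stays above appetite and the risk needs either stronger controls or a documented acceptance by its owner, and R6, which is above appetite but has no treatment decision recorded at all. A register that cannot surface those two situations is exactly what an auditor will probe under Clauses 6 and 8.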
Clause 7 - Support
This section of the standard covers the parts of a management system that act like oil, letting everything else run smoothly: making sure you have raised awareness of information security, trained staff on policies and procedures, established lines of internal and external communication on information security matters, and applied consistent control over your documented information.
Clause 8 - Operations
Clause 8 requires your organisation to carry out its operations in a controlled manner, applying the information security mechanisms and controls you have identified. You will need to demonstrate that you are keeping on top of supplier management, organisational and product development changes, and the treatment of the risks you have identified.
Clause 9 - Performance evaluation
There are three main components of performance evaluation. Firstly, you will need to define and measure key information security metrics to have confidence your controls are working. Secondly is the important business of internal auditing: you will need to demonstrate that you regularly audit all the key components of the management system to review its performance. Lastly, you will need to hold periodic 'management reviews' in which the person responsible for the daily running of the management system reports back to the leadership team against a set agenda.
Clause 10 - Improvement
The key mechanism for continual improvement is a 'nonconformance process'. Although this sounds a bit foreboding, it is actually a constructive way to review your systems when something goes wrong and address the root cause of the issue. It is not about finding fault with individuals; the focus is on understanding why a process has broken down. The other half of improvement is the general way in which your business continually improves its information security arrangements, either through small incremental changes or larger step changes.
Relationship between ISO 27001, ISO 27002 and the Statement of Applicability (SOA)
Annex A, the Statement of Applicability (SOA) and ISO 27002 are closely linked. Annex A is the section of ISO 27001 which lists the 114 controls you need to consider in your information security management system. The SOA is a document listing each Annex A control, whether it applies to your scope, and the justification for including or excluding it. ISO 27002 is a supporting standard that you cannot be certified against; it is dedicated to giving implementation guidance for each of the 114 controls.
It is useful to have a brief overview of the 14 control domains (A.5 to A.18) in Annex A which contain the 114 controls:
A.5 Information security policies
You are required to have a range of policies approved by the leadership team, which outline the arrangements you have implemented to meet your own business requirements and the expectations of clients, legislators & regulators.
A.6 Organisation of information security
This domain requires you to consider the framework needed for the Information Security Management System, including roles and responsibilities, segregation of duties, and controls for mobile devices and staff working remotely.
A.7 Human resource security
Ensuring you have strong processes in place for recruiting, onboarding, training and termination of employment is critical. In our experience it takes real discipline to stay on top of HR controls, however building repeatable workflows (e.g. using a secure SaaS based solution) makes the process much easier and frees you from the burden.
A.8 Asset management
You will need to ensure that you have a structured method for recording, tracking, issuing and requesting the return of assets. It is also important to define a policy outlining the acceptable use of assets. Apart from hardware, information is also considered an asset, so you will need to create a scheme for classifying and labelling information (e.g. highly confidential, confidential, internal use) and define how documents at each level are handled. Finally, this domain lays out the requirement to control the use, transfer and disposal of any media, which may include actions such as defining how devices are used out of the office and how devices containing information are erased and destroyed at the end of their life.
A.9 Access control
Controlling access to information, software and systems is critical. The approach to this varies greatly based upon the size of organisation, whether computers and other devices can be centrally controlled and if your infrastructure is on site or in the cloud. Regardless of the situation, it is important to restrict access to the system or information to only those who really need it and are authorised accordingly, applying the need-to-know or need-to-use principles.
You should establish a process by which you know at any time who has access to which systems and information. This can range from a simple spreadsheet to a cloud-hosted or on-site identity management system, but whatever you use, access rights must be reviewed regularly and revoked promptly when someone leaves or changes role.
An approach to passwords and logon procedures needs to be established and communicated to staff. Where feasible the most secure method should be used (e.g. multi-factor authentication), and businesses should adopt solutions that prevent staff reusing weak passwords (e.g. password managers).
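The "who has access to what" requirement above is easiest to demonstrate to an auditor when the access review is mechanical rather than a manual spreadsheet exercise. The following Python script is an added example written for this page (not the page's own code or any product's): it joins an HR roster to per-system account exports, builds the access matrix, and flags leavers whose accounts are still enabled, accounts with no HR owner, and privileged accounts that have not been used for an assumed 90 days. The CSV layouts, system names, 90-day threshold and every record are constructed sample data.

```python
"""Added example (not from the original page): a user access review that joins
an HR roster to per-system account exports. All records, column layouts,
system names and the dormancy threshold below are constructed assumptions."""
from __future__ import annotations

import csv
import io
from datetime import date

DORMANT_DAYS = 90  # assumption: a privileged account unused this long is flagged

# Constructed HR roster: one row per employee, leaving_date blank for current staff.
HR_ROSTER = """\
employee_id,name,status,leaving_date
E100,Ada Lovelace,active,
E101,Bob Smith,left,2023-01-31
E102,Cara Jones,active,
"""

# Constructed account exports from three systems, concatenated into one CSV.
ACCOUNT_EXPORTS = """\
system,username,employee_id,privileged,enabled,last_login
crm,ada.l,E100,no,yes,2023-03-01
crm,bob.s,E101,no,yes,2023-01-20
git,ada.l,E100,yes,yes,2022-10-15
git,cara.j,E102,no,yes,2023-02-28
git,svc-backup,,yes,yes,2023-03-02
vpn,bob.s,E101,no,no,2023-01-25
"""


def load(csv_text: str) -> list[dict]:
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def access_matrix(accounts: list[dict]) -> dict[str, list[tuple[str, str, bool]]]:
    """Who has access to what: employee_id -> [(system, username, is_privileged)].

    Only enabled accounts count as access; accounts with no owner are grouped
    under '<no owner>' so they stay visible instead of being silently dropped.
    """
    matrix: dict[str, list[tuple[str, str, bool]]] = {}
    for acct in accounts:
        if acct["enabled"] != "yes":
            continue
        owner = acct["employee_id"] or "<no owner>"
        matrix.setdefault(owner, []).append(
            (acct["system"], acct["username"], acct["privileged"] == "yes"))
    return matrix


def review(roster: list[dict], accounts: list[dict], today: date,
           dormant_days: int = DORMANT_DAYS) -> list[tuple[str, str]]:
    """Return (system/username, finding) pairs for accounts that need action."""
    people = {p["employee_id"]: p for p in roster}
    findings: list[tuple[str, str]] = []
    for acct in accounts:
        if acct["enabled"] != "yes":
            continue  # already disabled: nothing to revoke
        where = f"{acct['system']}/{acct['username']}"
        owner = people.get(acct["employee_id"])
        if owner is None:
            # Covers both a blank employee_id and an id HR has never heard of.
            findings.append((where, "orphaned: no HR record for owner"))
        elif owner["status"] == "left":
            findings.append((where, f"leaver still enabled (left {owner['leaving_date']})"))
        last_login = date.fromisoformat(acct["last_login"])
        if acct["privileged"] == "yes" and (today - last_login).days > dormant_days:
            findings.append((where, "dormant privileged account"))
    return findings


if __name__ == "__main__":
    roster, accounts = load(HR_ROSTER), load(ACCOUNT_EXPORTS)
    for owner, grants in access_matrix(accounts).items():
        print(owner, "->", ", ".join(f"{s}/{u}{' (priv)' if p else ''}" for s, u, p in grants))
    for where, finding in review(roster, accounts, date(2023, 3, 6)):
        print("ACTION:", where, "-", finding)
```

Run on the sample data, the review catches the CRM account of a leaver whose VPN access was revoked but whose CRM access was not, a privileged git account that nobody has used for months, and a backup service account with no named owner. The matrix printed first is the evidence an auditor will ask for under A.9; the findings list is the evidence that the review actually leads to access being removed.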
A.10 Cryptography
You are required to define your approach to the use of encryption and employ it whenever it is needed to protect information in transit and at rest. For organisations that use cryptographic keys, a policy needs to be established to manage keys over their whole lifecycle, from generation and storage through distribution and rotation to destruction.
A.11 Physical and environmental security
Unauthorised access to physical premises needs to be controlled through the use of secure access controls, with any sensitive areas (e.g. server rooms) being further restricted. You need to define a Clear Desk and Clear Screen Policy and create a culture in which staff do not leave equipment unattended, whether onsite or out of the office. Although more relevant for some businesses than others, you will need to ensure that the location of equipment and the security of cabling are considered, to prevent unauthorised access to systems or information.
A.12 Operations security
This domain is all about having defined ways of undertaking key operations such as backups, equipment maintenance, issue escalation and system recovery. It also requires the organisation to have a controlled way of implementing changes, since changes can easily introduce vulnerabilities if not carefully planned.
You will need to introduce defences to protect against malware and ensure you are able to capture key activity in logs that are regularly reviewed. Software installation needs to be restricted so that approval is granted before software is installed and used, and due diligence should be conducted on the provider of the software: do their credentials meet your standards?
A.13 Communications security
You must take adequate measures to protect the information in your networks. Be it through agreements with network providers, segregating networks or controlling how data is transferred over networks, you need to have confidence that data is not compromised and that the uptime of your networks allows you to seamlessly run your operations. Wherever required, you need up to date confidentiality agreements in place with third parties to cover the activities they are performing on your behalf.
A.14 System acquisition, development and maintenance
When developing systems and software, information security needs to be considered from the outset and throughout projects. If you undertake development work you should ensure you have created a Secure Development Policy which outlines the principles and controls engineers should follow including handling of test data, creating secure development environments and system security testing. You will also need to give consideration to change control procedures, outsourced development and including information security in project specifications.
A.15 Supplier relationships
Supplier management is important as without sufficient due diligence vulnerabilities can enter your system. You need to ensure that you assess the risk to information posed by the supplier and apply appropriate controls including confidentiality agreements where required.
A.16 Information security incident management
Regardless of how tightly you control information security in your organisation, there will always remain a chance that a security event will occur. You need to create a process for handling security events, including responsibility for reporting to the ICO (the UK Information Commissioner's Office), clients and data subjects where the circumstances require it.
A.17 Information security aspects of business continuity management
Increasing emphasis is being placed upon business continuity by clients and insurers alike. It is important to have a well documented business continuity plan which includes arrangements to maintain the same level of information security in abnormal operating conditions. Your business continuity plan needs testing regularly, and that testing can range from a desk-based tabletop exercise through to a full disaster recovery drill, depending on your business and operations.
A.18 Compliance
The final domain is the requirement to ensure that you are running your operations in line with legislation and regulation. It can be beneficial to keep an information security legal register which lists the legislation that applies to your business and how you are meeting it. There may also be contractual requirements around your processing of client IP and personal data which you need to demonstrate you are meeting.
Our experienced consultants are available to support you through the process. We can help you perform a gap analysis to understand where your strengths and weaknesses are, host educational sessions to talk you through the requirements of the standard or help you with a full implementation.
What your clients gain when you are certified:
- Confidence that you will deliver secure products and services
- A streamlined due diligence and tender process on their side
- Help in meeting their own GDPR and regulatory responsibilities
What your business gains:
- Streamlined tendering processes and a point of competitive advantage
- Better control of cloud, data and security systems
- A sense of pride that you run your business to international best practice
What a working ISO 27001 management system includes:
- An analysis of the internal and external issues that can impact your business
- A well utilised risk management process
- Documented and communicated information security policies and procedures
- A well deployed process for training staff
- Well chosen indicators (KPIs) to monitor security performance
- A process for managing the relationship with suppliers
- Arrangements for controlling assets and access
- Controls on development work to build in security from the very start of a project
- Business continuity arrangements that are regularly tested
- Incident management procedures
- Internal audits to check processes are working as intended
- Documented management meetings to make key security decisions
Becoming certified to ISO 27001 is no small undertaking even with a specialist consultant to guide you through the process. So why is it so important for an increasing number of businesses to achieve certification?
It's a strategic level consideration
Information security is now undoubtedly a strategic-level consideration for many businesses. Three quarters of businesses say cyber security is a high priority for their organisation's senior management, and that number is increasing every year. With over two thirds of small and medium-sized businesses having sought external support on information security in the past year, you are not alone in investigating ISO 27001 as an option.
Cyber security threats are increasing
Every week, articles about security threats and breaches appear in the news. In a world where cyber crime is a very real threat, it has never been more important to safeguard the integrity of your data and to demonstrate your security controls through a strong, certified ISO 27001 Information Security Management System (ISMS).
It helps you win tenders
A significant driver for small and medium size businesses to obtain certification is that ISO 27001 is becoming a permanent feature in tenders. From web design and software development through to healthcare and charities, clients are requesting tangible and certified evidence from their supply chain that they have strong security processes in place. The willingness to invest in information security certification shows very positive intent to prospective clients.
It protects your customer data and intellectual property
With prospective clients looking for partners with whom they can confidently share their personal and business data, ISO 27001 helps your organisation to alleviate their fears and give assurance that you can keep their data safe. If you have particularly sensitive intellectual property that you need to protect, strong internal as well as external controls are required.
It improves your business continuity planning
With almost every business being critically reliant on digital systems, ensuring your infrastructure can remain up or be quickly brought back online in a business continuity situation is an absolute necessity.
It offers a comprehensive framework
The ISO 27001 standard is comprehensive in nature, laying out the basic building blocks for an information security management system.
The certification process can be confusing when you first research it, so here we will throw some light on how it works.
Firstly, you will need to have implemented, or be in the process of implementing, the Information Security Management System. You do not need to have fully implemented the system before contacting certification bodies, but having made a start, or knowing how far you have to go, helps you set a date to aim for.
The next step is to contact one or more certification bodies to ask for quotes. You will be required to provide information about your business (e.g. the nature of your work, the number of employees and their roles, and the number of sites) so the certification body can make a good approximation of how many days it will take an assessor to audit your business.
We recommend contacting at least two certification bodies since the price and number of days they expect the audit to take can vary.
Based upon the quotes received, you will need to decide the most appropriate body to certify your business and set a fixed date for your Stage 1 and Stage 2 audits.
Before the external audits you must fully implement your management system. This includes organising processes, creating policies, conducting internal audits, holding a management review and putting in place other mechanisms. A good consultant can help you put in place a management system with maximum efficiency.
On the agreed dates you will receive two rounds of audit, a Stage 1 and a Stage 2, usually 4-6 weeks apart. On successful completion of both you will receive your certificate.
The Stage 1 Audit
A Stage 1 audit is an initial visit from the assessor in which they aim to get a feel for your business and the processes involved, check your readiness for the full Stage 2 audit, and identify any major gaps that need to be filled before Stage 2.
This is an important step, since anything that is missing can be resolved before the full audit. You cannot 'fail' a Stage 1 audit, but you should have your management system as fully implemented as possible. If your system is particularly weak at Stage 1, the Stage 2 audit may be postponed and you may need another Stage 1 audit at a later date to determine readiness. A good consultancy like 2SB will help you be ready for your Stage 1 so that nothing major is missing from your system and you can move smoothly on to the Stage 2 audit.
The Stage 2 Audit
At Stage 2 the assessor will take a much deeper look into your business processes. They will be walking around, speaking to staff in the organisation, looking at whether your own processes are well implemented, and checking to see if the systems meet the requirements of the ISO standard. The auditor will typically take a job, project or process and look at it from start to finish to understand how you initiate, deliver and then follow up projects, or produce products.
The Stage 2 audit will give one of three results:
i. Your system is well implemented and meets the requirements of the standard. There may be some recommendations for improvements but there are no nonconformances. You will receive your certificate.
ii. Minor nonconformances have been observed, and these need to be resolved. You will receive a report giving details of the minor nonconformance(s) and a timeframe within which to address them. Once you have submitted proof that the nonconformance(s) have been addressed you will receive your certificate.
iii. There is a major nonconformance observed. In this case it is likely you will have to resolve the issue and undergo another audit to confirm it has been addressed. Generally, major nonconformances will be prevented by the Stage 1 audit which should highlight any major gaps in the system.
Once gained, the certificate is valid for three years, with the UKAS requirement that surveillance audits are carried out annually and a re-certification audit every third year.
What are surveillance audits?
Once you have gained your initial certification, you will be required to have annual surveillance audits to ensure that your system is still functioning as intended.
Surveillance audits are 'lighter' audits than the initial certification audit and will generally focus on higher risk or more critical business functions and on areas in which nonconformances have previously been observed. If a minor nonconformance is raised during a surveillance audit, you will be required to address it before the next annual audit. If a major nonconformance is raised, it will need to be addressed and proof submitted, or further audits carried out, to confirm the system has been repaired.
What is a re-certification audit?
The re-certification audit forms the final part of the certification cycle. It is more in depth than the surveillance audits and successfully passing it will give a renewed certificate for a further three year cycle (with annual surveillance audits).
The Management Representative
Historically, ISO management system standards required a Management Representative, whose role was to manage the certified system, ensure it was effectively implemented and prepare it for the annual surveillance visits.
The most recent versions of the standards, including ISO 27001:2013, no longer require a Management Representative. These responsibilities now sit with "top management", to make clear that they are accountable for the effectiveness of the organisation's management system. Top management may also oversee internal audits to ensure the management system is performing as required.
2SB's recommendation is that top management delegate the day-to-day responsibilities for the management system to a committed member of staff, with top management remaining actively involved.