ISO 27001:2022 is the fastest-growing ISO standard and for good reason. It is becoming a strategic priority for many businesses with the ever-growing awareness of online threats and increasing digitalisation of our lives. The purpose of ISO 27001:2022 is to:
a) help businesses to preserve the confidentiality, integrity and availability of their information
b) create a benchmark against which the performance of companies can be judged
c) help clients and customers gain confidence that information security risks are adequately managed
When you first look at the standard, the layout and terminology can be confusing. However, as you understand further how ISO 27001 is structured the logic starts to appear.
The ISO 27001 standard is broken into two halves: Clauses 1-10; and Annex A. The clauses outline the general framework for your information security system, whilst Annex A describes the 93 controls you need to consider as you implement your management system.
The ISO 27001 standard is written around 10 clauses. Of the ten clauses, it is clauses 4-10 that are audited. Clauses 1-3 are used to set the scene of the standard but are less important when it comes to your ISO 27001 implementation.
Clause 4 - Context of the Organisation
Your organisation must identify, monitor and review external and internal issues that could impact information security within your business. These contextual issues can be far reaching and may include obvious threats such as malicious attack, but may also include elements such as fast growth of your business impacting your ability to onboard staff consistently, or the use of significant levels of homeworking. You should document your findings and review them regularly. This clause also asks you to document all the interested parties who have needs and expectations of your business. Finally, this is the clause that requires you to define the scope of your management system; which locations are in scope; is development inhouse or outsourced; which systems are being covered?
Clause 5 - Leadership
Leadership involvement is a critical component in making an information security management system work, and for this reason the standard makes it a requirement. Leadership are required to create your Information Security Policy, set security objectives, be present in the information security reviews and communicate the importance of security throughout the organisation. Some of the ways leaders are involved will be tangible, e.g. the writing of the Information Security Policy, but in other ways their involvement will be intangible, e.g. by acting in a way that positively promotes a culture of security.
Clause 6 - Planning
In Clause 6 of ISO 27001 you need to conduct a detailed risk assessment against a defined risk assessment process. For each risk you identify, you need to assess the magnitude of the risk and how you intend on dealing with it. If you decide the risk is acceptable you can tolerate it. If you evaluate the risk to be unacceptable you can choose to terminate the risk by stopping the process, treat the risk by applying further controls, or transfer the risk to another party. For those risks that you evaluate as needing action, you should establish a risk treatment plan to bring the risk down to an acceptable level.
The second part of Clause 6 is the setting of information security objectives. We find these objectives are often related to companies largest outstanding risks, however they can also aim to take advantage of opportunities you see. Your objectives should be SMART (specific, measurable, attainable, relevant and time-bound).
Clause 7 - Support
This section of the standard is about all the pieces of a management system that act like the oil, allowing everything else to run smoothly. We are talking about making sure you have raised awareness of information security, trained staff on policies and procedures, established lines of internal and external communication on information security matters and applied consistent control over your documented information.
Clause 8 - Operations
Clause 8 requires your organisation to carry out your operations in a controlled manner, applying the information security mechanisms and controls that you have identified. You will need to demonstrate you are keeping on top of supplier management, organisational & product development changes and treating the risks you have identified.
Clause 9 - Performance evaluation
There are three main components of performance evaluation. Firstly you will need to define and measure key information security metrics to have confidence your systems are working. Secondly is the important business of internal auditing - you will need to demonstrate that you regularly audit all the key components of the management system to review performance. Lastly, you will need to hold periodic 'management reviews' in which the person responsible for the daily running of the management systems reports back to the leadership team against a set agenda.
Clause 10 - Improvement
The key mechanism for continual improvement is a 'nonconformance process'. Although this sounds a bit foreboding, it is actually a constructive way to review your systems when something goes wrong and address the root cause of the issue. It is not about finding fault with individuals, rather the focus is on understanding why a process has broken down. The other half of improvement is the general way in which your business continually improves information security arrangements, either through small incremental changes or larger step changes.
Annex A, the Statement of Applicability (SOA) and ISO 27002 are closely linked. Annex A is the section of ISO 27001 which outlines the 93 controls you need to consider in your information security management system. The SOA is a document used to outline the controls that are relevant to your scope and ISO 27002 is a non-auditable supporting standard which is dedicated to giving more detail about each of the 93 controls.
It is useful to have a brief overview of the 4 subsections in Annex A which contain the 93 controls:
Annex A.5 of ISO 27001:2022 covers a broad range of organisational controls that should implement to ensure effective information security management. These controls encompass policies for information security; roles and responsibilities; asset management; access control and secure authentication; supplier relationships; use of cloud services; incident management; business continuity; legal compliance; protection of PII (personally identifiable information); and documentation.
The focus of Annex A.6 is on people controls. This set of clauses requires an organisation to consider information security in recruitment; screening when hiring; terms and conditions of employment; information security awareness and training; confidentiality and NDAs; remote working and information security event reporting.
Annex A.7 shifts focus to the physical security arrangements in offices and the control of physical assets. Companies must consider controls including physical security controls to buildings, offices and other secure areas; monitoring of security perimeters; protection against threats such as fire; location of equipment and screens, and the use of a clear screen and clear desk policy; securing assets off the premises, e.g. at home or when travelling; maintaining and then securely disposing or reissuing equipment.
Finally, Annex A.8 tackles technological controls that should be implemented in the organisation. Another broad grouping of controls includes securing user end point devices; restricting access to information on a need-to-access basis; managing capacity of systems; protecting systems against malware; managing technical vulnerabilities; data masking and the prevention of data leakage; backup of data and redundancy of systems; event logging and activity monitoring; installation of software; network security, cryptography; secure development (either in-house or outsourced); and change management.
Our experienced consultants are available to support you through the process. We can help you perform a gap analysis to understand where your strengths and weaknesses are, host educational sessions to talk you through the requirements of the standard or help you with a full implementation.
Gain confidence that you will deliver secure products and services
Streamline their own due diligence & tender process if you are certified
Meet their own GDPR and regulatory responsibilities
Streamlined tendering processes and point of competitive advantage
Better control of cloud, data and security systems
Sense of pride that you run your business to international best practice
An analysis of the internal and external issues that can impact your business
A well utilised risk management process
Documented and communicated information security policies and procedures
A well deployed process for training staff
Utilisation of well chosen indicators (KPIs) to monitor security performance
A process for managing the relationship with suppliers
Arrangements for controlling assets and access
Controlling development work to build in security from the very start of a project
Business continuity arrangements that are regularly tested
Incident management procedures
Internal audits to check processes are working as intended
Documented management meetings to make key security decisions
Relationship between ISO 27001, ISO 27002 and the Statement of Applicability (SOA)
Becoming certified to ISO 27001 is no small undertaking even with a specialist consultant to guide you through the process. So why is it so important for an increasing number of businesses to achieve certification?
It's a strategic level consideration
Information Security is now undoubtedly a strategic level consideration for many businesses. Three quarters of businesses say cyber security is a high priority for their organisation's senior management and that number is increasing every year. With over two thirds of small and medium size businesses seeking external support in information security in the past year, you are not alone in investigating ISO 27001 as an option.
Cyber security threats are increasing
Every week articles about security threats and breaches are reported in the news. In a world where cyber crime is a very real threat, it's never been more important to safeguard the integrity of your data and demonstrate your security controls through a strong and certified ISO 27001 Information Security Management Systems (ISMS).
It helps you win tenders
A significant driver for small and medium size businesses to obtain certification is that ISO 27001 is becoming a permanent feature in tenders. From web design and software development through to healthcare and charities, clients are requesting tangible and certified evidence from their supply chain that they have strong security processes in place. The willingness to invest in information security certification shows very positive intent to prospective clients.
It protects your customer data and intellectual property
With prospective clients looking for partners with whom they can confidently share their personal and business data, ISO 27001 helps your organisation to alleviate their fears and give assurance that you can keep their data safe. If you have particularly sensitive intellectual property that you need to protect, strong internal as well as external controls are required.
It improves your business continuity planning
With almost every business being critically reliant on digital systems, ensuring your infrastructure can remain up or be quickly brought back online in a business continuity situation is an absolute necessity.
It offers a comprehensive framework
The ISO 27001 standard is comprehensive in nature, laying out the basic building blocks for an information security management system.
The certification process can be confusing when you first research it.
Here, we will throw light on how the process works.
Firstly, you will need to have implemented or be in the process of implementing the Information Security Management System. You don’t need to have fully implemented the system before contacting the certification bodies, however having made a start or knowing how far you have to go can help set a date to aim for.
The next step is to contact one or more certification bodies to ask for quotes. You will be required to provide information about your business (i.e. nature of your work, number of employees and the roles they do, number of sites) so the certification body can make a good approximation about how many days it will take an assessor to audit your business.
We recommend contacting at least two certification bodies since the price and number of days they expect the audit to take can vary.
Based upon the quotes received, you will need to decide the most appropriate body to certify your business and set a fixed date for your Stage 1 and Stage 2 audits.
Before the external audits you must fully implement your management system. This includes organising processes, creating policies, conducting internal audits, holding a management review and putting in place other mechanisms. A good consultant can help you put in place a management system with maximum efficiency.
On the agreed dates, you will receive two rounds of audits, a Stage 1 and Stage 2 audit, usually 4 - 6 weeks apart. On successful completion of these audits, you will receive the certificate
The Stage 1 Audit
A Stage 1 audit is an initial visit from the assessor in which they aim to; get a feeling for your business and the processes involved; check your readiness for the full Stage 2 audit; and see if there are any major gaps that need to be filled before Stage 2
This is an important step as if anything is missing it can be resolved before the full audit. You cannot ‘fail’ a Stage 1 audit however you should have your management system as fully implemented as possible. If your system is particularly weak at Stage 1, the Stage 2 audit may be postponed and you may need another Stage 1 audit to determine readiness at a later date. A good consultancy like 2SB will help you be ready for your Stage 1 so nothing major is missing from your system and that you can move on smoothly to the Stage 2 audit.
The Stage 2 Audit
At Stage 2 the assessor will take a much deeper look into your business processes. They will be walking around, speaking to staff in the organisation, looking at whether your own processes are well implemented, and checking to see if the systems meet the requirements of the ISO standard. The auditor will typically take a job, project or process and look at it from start to finish to understand how you initiate, deliver and then follow up projects, or produce products.
The Stage 2 audit will give one of three results:
i. Your system is well implemented and meets the requirements of the standard. There may be some recommendations for improvements but there are no nonconformances. You will receive your certificate.
ii. There have been minor nonconformances observed, and these need to resolved. You will receive a report giving you details of the minor nonconformance(s) and a timeframe to address them within. Once you have submitted proof that the nonconformance(s) has been addressed you will receive your certificate.
iii. There is a major nonconformance observed. In this case it is likely you will have to resolve the issue and undergo another audit to confirm it has been addressed. Generally, major nonconformances will be prevented by the Stage 1 audit which should highlight any major gaps in the system.
Once gained, the certificate is valid for three years, with the UKAS requirement that surveillance audits carried out annually and re-certification audits every third year.
What are surveillance audits?
Once you have gained your initial certification, you will be required to have annual surveillance audits to ensure that your system is still functioning as intended.
Surveillance audits are ‘lighter’ audits than the initial certification audit and will generally focus on higher risk/more critical business functions and on areas that nonconformances have been previously observed. If a minor nonconformance is raised during a surveillance audit, you will be required to address this before the next annual audit. If a major nonconformance is raised, this will need to be addressed and proof submitted or further audits carried out to ensure the system has been repaired.
What is a re-certification audit?
The re-certification audit forms the final part of the certification cycle. It is more in depth than the surveillance audits and successfully passing it will give a renewed certificate for a further three year cycle (with annual surveillance audits).