ISO/IEC 27001 AND ISMS

ISO/IEC 27001 is an international standard for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS).

kaykay
Sep 17, 2025 - 18:00

Key Definitions

ISO : International Organization for Standardization.

IEC : International Electrotechnical Commission.

Asset : Anything that has value to the organization (e.g. data, hardware, software, people).

Threat : A potential cause of an unwanted incident (e.g. malware, hackers, natural disasters).

Vulnerability : A weakness that can be exploited by a threat (e.g. unpatched software). 

Risk : The potential impact of a threat exploiting a vulnerability. Typically measured by likelihood and impact.

Risk Assessment : The process of identifying, analyzing, and evaluating risks.

Risk Treatment : Deciding how to manage identified risks (e.g. reduce, accept, avoid, transfer).

Control (or Safeguard) : A measure to reduce information security risks (e.g. access control, encryption).

Information Security Policy : A high-level document outlining the organization’s approach to information security.

Confidentiality : Ensuring that information is accessible only to authorized persons.

Integrity: Ensuring the accuracy and completeness of information.

Availability : Ensuring that authorized users have access to information when needed.

Scope : The boundaries of the ISMS — what systems, departments, or locations are covered.

Interested Parties : Stakeholders affected by the ISMS (e.g. customers, regulators, employees).

Statement of Applicability (SoA) : A document listing the Annex A controls, stating which are applicable, why each one is included or excluded, and whether it is implemented.

Nonconformity : A failure to meet a requirement of the standard or of the organization's own ISMS, typically identified during an audit.

Corrective Action : Steps taken to eliminate the causes of nonconformities.

Audit : A systematic evaluation to check whether the ISMS meets requirements.

Incident : A single or series of unwanted or unexpected information security events.

Continual Improvement : Ongoing efforts to improve the ISMS effectiveness over time.

Annex A: A list of controls that organizations should consider when designing their ISMS.

Plan-Do-Check-Act (PDCA) cycle: A framework for continual improvement, representing the stages of planning the ISMS, implementing the plan, evaluating its performance, and taking corrective action.

ISO/IEC 27001 provides a comprehensive framework that helps organizations of any size and industry protect their information, manage risk effectively and build a culture of security.

The fundamental objective of an ISO 27001-compliant ISMS is to protect the confidentiality, integrity and availability (the CIA triad) of the organization's information.

CIA Triad

C : Confidentiality

I : Integrity 

A : Availability

How the ISO 27001 framework works

Instead of prescribing specific technologies, ISO 27001 provides a flexible, risk-based methodology:

  1. Risk assessment: Organizations must systematically identify potential threats and vulnerabilities to their information assets and evaluate their impact and likelihood.
  2. Risk treatment: Based on the risk assessment, organizations implement a suite of controls, or safeguards, to manage risks that are deemed unacceptable.
  3. Controls (Annex A): Annex A of the standard provides a reference list of 93 controls (in the 2022 version) across four key themes: Organizational, People, Physical, and Technological. Companies select the controls relevant to their specific risks and justify their choices in a Statement of Applicability (SoA).
  4. Continual improvement: The ISMS is not a one-time process. It follows a Plan-Do-Check-Act (PDCA) cycle to ensure continuous monitoring, measurement, and enhancement of security controls to adapt to evolving risks.

The current version is ISO/IEC 27001:2022, published in October 2022. Its Annex A is a reference list of 93 security controls that an organization chooses from when implementing its ISMS. These controls are organized into four key themes.

Four key themes of ISO 27001 controls

Organizational (37 Controls)

These controls focus on governance, policies and procedures.

  1. Information security policies : Establishing a framework for managing information security.
  2. Information security roles and responsibilities : Assigning and communicating security roles throughout the organization.
  3. Threat intelligence: Collecting and analyzing information on emerging threats to enhance preparedness.
  4. Supplier relationships: Ensuring third-party vendors and partners comply with your security policies.
  5. Information security for cloud services: Establishing security measures for managing cloud-based applications and data.
  6. Legal, regulatory, and contractual compliance: Adhering to relevant laws and obligations, such as data protection regulations.

People (8 controls)

These controls address the human elements of information security 

  1. Screening: Conducting background checks during the hiring process.
  2. Security awareness, education, and training: Providing employees with regular training on security best practices.
  3. Confidentiality or non-disclosure agreements: Ensuring employees and contractors are legally bound to protect sensitive information.
  4. Remote working: Implementing policies and controls to secure remote work environments.
  5. Disciplinary process: Defining formal consequences for security policy violations.

Physical (14 controls)

These controls protect the organization's physical assets and environments from unauthorized access, damage, or interference.

  1. Physical security perimeters: Implementing barriers like fences and gates to restrict access to facilities.
  2. Physical entry controls: Using access control systems, such as key cards and biometric scanners, for sensitive areas.
  3. Securing offices, rooms, and facilities: Protecting critical areas with measures like locks and alarms.
  4. Clear desk and clear screen policy: Ensuring sensitive information and equipment are secured when not in use.
  5. Secure disposal or re-use of equipment: Preventing the unauthorized retrieval of data from disposed assets.

Technological (34 Controls)

These controls focus on securing the organization's digital environment.

  1. User endpoint protection: Securing devices like laptops and smartphones with encryption and antivirus software.
  2. Secure authentication: Implementing robust authentication mechanisms like Multi-Factor Authentication (MFA).
  3. Data encryption: Applying cryptography to protect data both at rest and in transit.
  4. Configuration management: Defining and enforcing secure configurations for systems and applications.
  5. Logging and monitoring: Using tools to track and analyze security events.
  6. Secure coding: Promoting secure coding practices in software development to prevent vulnerabilities.

An ISO 27001 certificate is issued by an accredited certification body after a successful audit. It confirms that the organization's ISMS meets all the requirements of ISO 27001.

Mandatory requirements to achieve an ISO 27001 certificate:

  1. Implementation of an ISMS with regular risk assessments.
  2. Development of security policies and procedures.
  3. Carrying out the risk treatment process for risks found unacceptable.
  4. Timely reviews of ISMS effectiveness (internal audits and management review).

Information Security Management System (ISMS)

An ISMS is a structured framework of policies, procedures and controls that systematically manages information risk to ensure the confidentiality, integrity and availability of data.

Importance of Implementing ISMS

  1. Enhances the security posture.
  2. Enables continuous compliance.
  3. Reduces risk exposure.
  4. Builds trust with stakeholders.

Steps to Implement ISMS

Plan Phase

  1. Secure management support : Obtain a formal commitment from top management, including providing the necessary budget, resources, and leadership for the ISMS project.
  2. Define the ISMS scope: Determine the boundaries of the ISMS by identifying which departments, locations, business processes, and information assets are to be included. This makes the project manageable and focused.
  3. Establish context and stakeholders : Define the organization's internal and external context, as well as the needs and expectations of relevant interested parties like customers, regulators, and partners.
  4. Create an information security policy :  Develop a top-level policy document that states management's commitment and sets the overall objectives and direction for information security.
  5. Define the risk management approach : Establish a systematic methodology for identifying, assessing, and treating risks to information assets, including criteria for risk acceptance.
  6. Perform a risk assessment : Identify potential threats and vulnerabilities to your information assets within the defined scope. Analyze and evaluate the likelihood and impact of these risks.
  7. Prepare the Statement of Applicability (SoA) : This is a key document that lists the controls from the chosen framework (such as Annex A of ISO 27001) that are relevant to your organization. It also justifies the inclusion or exclusion of each control.

Do phase 

  1. Implement selected controls : Put the technical, physical, and administrative security controls identified in your risk treatment plan into action. This may involve software and hardware changes, access control updates, and other security measures.
  2. Write supporting documentation : Formalize the procedures and guidelines for how your ISMS will operate, including policies for access control, incident management, and data handling.
  3. Conduct training and awareness : Train all employees on security policies and procedures to ensure they understand their responsibilities in protecting information. Human factors are critical to a successful ISMS.

Check Phase

  1. Monitor and measure performance : Track metrics and use logging and reports to verify that security controls are operating effectively and that ISMS objectives are being met.
  2. Perform internal audits : Schedule regular, independent internal audits to assess the performance of your ISMS and identify any gaps or non-conformities.
  3. Conduct a management review : Senior management must periodically review the ISMS's performance, considering audit results and other metrics, to ensure its continued suitability and effectiveness.

Act Phase

  1. Take corrective actions : Address any non-conformities or areas for improvement identified during audits and reviews. Learn from security incidents to prevent their recurrence.
  2. Continuously improve : Repeat the PDCA cycle to keep the ISMS up-to-date with evolving threats, technologies, and business needs.

Steps to get ISO 27001 Certified

Phase 1 : Establish Information Security Management System (ISMS)

  1. Secure management commitment : Obtain full buy-in from leadership. Their support is crucial for allocating the necessary time and budget for the project.
  2. Define the scope of your ISMS : Clearly outline which areas of the organization, including specific locations, departments, systems and information assets, will be covered by the certification.
  3. Conduct a risk assessment : Use a formal methodology to identify threats and vulnerabilities related to information assets within your scope. Analyze each risk based on its potential impact and likelihood.
  4. Develop a risk treatment plan (RTP) and Statement of Applicability (SoA) : The RTP records how each unacceptable risk will be treated and which Annex A controls will be implemented to do so. The SoA documents which Annex A controls you have selected; for any control you exclude, you must provide a justification.
  5. Implement controls and policies : Put the new security controls and procedures into practice. This involves creating and documenting formal policies for areas like access control, physical security and incident management.
  6. Run an employee training program : Implement a plan to educate all employees on information security policies.
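The risk assessment, risk treatment plan and Statement of Applicability steps above (in both the Plan phase and Phase 1) are easier to see with a small risk register. The following is an added illustration, not code from the original post: it scores each risk as likelihood x impact on a 1-5 scale, checks every entry against an agreed risk acceptance criterion, and derives SoA rows (applicable or excluded, with justification) from the controls the treatment plan selects. The assets, threats, scores, the threshold of 9 and the choice of controls are constructed assumptions; the control identifiers and titles follow Annex A of ISO/IEC 27001:2022.

```python
"""Risk register and Statement of Applicability (SoA) worked example.

Added illustration, not the original post's code. The 1-5 scales, the
acceptance threshold, the sample risks and the chosen controls are
constructed assumptions; control ids/titles follow ISO/IEC 27001:2022 Annex A.
"""
from dataclasses import dataclass

# Assumption: risk acceptance criterion agreed by management.
# Score = likelihood (1-5) x impact (1-5); anything above this needs treatment.
ACCEPTANCE_THRESHOLD = 9

# Subset of Annex A controls referenced by this register (id -> title).
ANNEX_A = {
    "A.8.1": "User endpoint devices",
    "A.8.5": "Secure authentication",
    "A.8.9": "Configuration management",
    "A.8.15": "Logging",
    "A.8.24": "Use of cryptography",
    "A.8.28": "Secure coding",
}

VALID_TREATMENTS = ("accept", "reduce", "avoid", "transfer")


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int              # 1 rare .. 5 almost certain
    impact: int                  # 1 negligible .. 5 severe
    treatment: str               # one of VALID_TREATMENTS
    controls: tuple = ()         # Annex A ids applied when treatment == "reduce"
    residual_likelihood: int = 0  # expected likelihood after the controls (reduce only)
    residual_impact: int = 0

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        """Risk left after treatment: unchanged if accepted, re-scored if reduced,
        zero if avoided or transferred (simplification: transfer is treated as
        fully handed off)."""
        if self.treatment == "accept":
            return self.score
        if self.treatment == "reduce":
            return self.residual_likelihood * self.residual_impact
        return 0


def check(risk: Risk) -> list:
    """Return the reasons a register entry is not acceptable as recorded."""
    problems = []
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        problems.append("likelihood and impact must be on the 1-5 scale")
    if risk.treatment not in VALID_TREATMENTS:
        problems.append(f"unknown treatment option {risk.treatment!r}")
    if risk.treatment == "accept" and risk.score > ACCEPTANCE_THRESHOLD:
        problems.append(f"score {risk.score} exceeds acceptance criterion "
                        f"{ACCEPTANCE_THRESHOLD}; acceptance needs documented risk-owner approval")
    if risk.treatment == "reduce":
        if not risk.controls:
            problems.append("treatment 'reduce' names no controls")
        unknown = [c for c in risk.controls if c not in ANNEX_A]
        if unknown:
            problems.append(f"controls not in the Annex A catalogue: {unknown}")
        if not (1 <= risk.residual_likelihood <= 5 and 1 <= risk.residual_impact <= 5):
            problems.append("'reduce' needs a residual likelihood and impact on the 1-5 scale")
        elif risk.residual_score > ACCEPTANCE_THRESHOLD:
            problems.append(f"residual score {risk.residual_score} still above acceptance criterion")
    return problems


def statement_of_applicability(risks) -> dict:
    """Derive SoA rows from the treatment plan: a control is applicable when at
    least one 'reduce' decision selects it, and those risks are its justification.
    Unselected controls are listed as excluded with a placeholder justification
    that the organisation must still replace with a real one."""
    selected = {}
    for r in risks:
        if r.treatment == "reduce":
            for c in r.controls:
                selected.setdefault(c, []).append(f"{r.asset}: {r.threat}")
    return {
        cid: {"title": title, "applicable": cid in selected,
              "justification": selected.get(cid, ["no current risk requires it; review at next assessment"])}
        for cid, title in ANNEX_A.items()
    }


# Constructed sample register (the last entry is deliberately mis-recorded).
REGISTER = [
    Risk("staff laptops", "theft or loss", "disk not encrypted", 3, 4, "reduce",
         ("A.8.1", "A.8.24"), residual_likelihood=3, residual_impact=1),
    Risk("VPN gateway", "credential stuffing", "password-only login", 4, 4, "reduce",
         ("A.8.5", "A.8.15"), residual_likelihood=1, residual_impact=4),
    Risk("lobby printer", "misrouted print job", "shared queue", 2, 2, "accept"),
    Risk("legacy FTP server", "data interception", "cleartext protocol", 3, 5, "avoid"),
    Risk("customer portal", "SQL injection", "no secure coding review", 3, 5, "accept"),
]


def register_report(risks=REGISTER) -> dict:
    """Map each asset to its inherent score and any problems with the entry."""
    return {r.asset: {"score": r.score, "problems": check(r)} for r in risks}


if __name__ == "__main__":
    for asset, entry in register_report().items():
        print(f"{asset:20} score={entry['score']:2}  {entry['problems'] or 'ok'}")
    for cid, row in statement_of_applicability(REGISTER).items():
        status = "applicable" if row["applicable"] else "excluded  "
        print(f"{cid:7} {status} {row['title']}: {'; '.join(row['justification'])}")
```

Running it flags the "customer portal" entry, whose score of 15 was recorded as accepted without passing the criterion, which is exactly the kind of finding an internal audit should raise before stage 2. Controls such as A.8.28 (Secure coding) come out as excluded only because no treatment decision selects them yet; an auditor will expect the placeholder justification to be replaced by a real one, or the control to be brought into scope once that risk is treated properly.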

Phase 2 : Auditing for Certification

  1. Perform an internal audit : Before the external certification audit, have an independent and competent person from within your organization, or an external consultant, conduct an internal review of your ISMS. This will identify any potential gaps or nonconformities.
  2. Select an accredited certification body : Choose an independent third-party certification body that is accredited by a national accreditation body.
  3. Undergo the stage 1 audit (documentation review) : The external auditor will review your ISMS documentation, including the scope, Statement of Applicability (SoA) and risk treatment plan.
  4. Complete the stage 2 audit (main certification audit) : After you have addressed all nonconformities from stage 1, the auditor performs a more detailed on-site or remote assessment and verifies that policies and controls are fully functional and operating effectively.
  5. Receive certification : If the auditor is satisfied that your ISMS meets all ISO 27001 requirements, they will recommend you for certification. Certificates are typically valid for three years.

Phase 3 : Maintain and Improve 

  1. Undergo annual surveillance audits : The certification body checks each year that the ISMS is still operating as certified.
  2. Conduct a recertification audit : A full audit at the end of the three-year certification cycle.
  3. Practice continual improvement.