Information is one of the most valuable assets of an organization, if not the most valuable. Therefore, like any other asset, information needs protecting. An organization needs a systematic approach to protect its valuable information, and that is what ISO/IEC 27001 brings: a systematic approach to identifying and managing security risks so that information is kept secure.
Information security is commonly defined using the C-I-A triad: confidentiality (information is available only to authorized users), integrity (information is accurate and complete) and availability (authorized users have access to information when they need it). Non-repudiation (the concept that ensures a subject cannot deny having performed an action or event) is another key concept that, in most theories, complements the C-I-A triad and is considered equally important as confidentiality, integrity and availability.
At international level there are different frameworks for information security developed by different organizations like ISACA, NIST or, of course, ISO. According to the International Standards Organization (ISO), the “ISO 27000 family of standards helps organizations keep information assets secure”. Information may include intellectual property, contracts and financial data, information generated from research and development, customer or employee private data, or information provided by third parties.
RIGCERT is accredited for the certification of information security management systems according to ISO/IEC 27001:2013. Our accreditation certificate is available here.
ISO 27001 includes management system specific requirements as well as an annex with 114 information security controls divided into 14 different categories.
Below we explain the requirements of ISO/IEC 27001:2013 as well as the security controls from Annex A of this standard.
In order to conform to ISO 27001 the organization is required to fulfill the requirements of the standard, including the information security controls from Annex A that are applicable to its specific situation. The organization is free to develop and implement information security controls supplementary to those in Annex A, if it considers this necessary.
The requirements of ISO/IEC 27001 are grouped into 7 major chapters: Context of the organization, Leadership, Planning, Support, Operation, Performance evaluation and Improvement.
The organization is required to identify internal and external issues that are relevant to its purpose and can affect its information security management system. Some examples of internal issues include the structure of the organization, equipment and technology used, competence of personnel, organizational culture, etc., while external issues can include information security related legislation, trends in information security, market and competition, financial and economic issues, etc.
The standard requires the organization to identify the interested parties (parties having an interest in the organization’s information security management system) along with their relevant needs and expectations. Some examples of interested parties are: clients, employees, suppliers, community, business partners, users of the organization’s products and services, etc.
The organization has to define the scope of its ISMS – activities and locations included in the information security management system. The company can decide to include all its activities and locations in the ISMS or apply the system only to some activities and/ or some locations.
Top management is required to support the management system and demonstrate its commitment with respect to information security. Top management is also required to define an information security policy that is communicated inside the organization and made public to interested parties, as appropriate. It is also the task of top management to assign responsibilities and authorities to staff with regards to information security. In order to have a functional information security management system and to obtain benefits from its implementation the involvement and support of top management is key.
ISO/IEC 27001:2013 requires an information security risk assessment. The methodology used for this assessment is at the choice of the organization. The risk assessment needs to be updated whenever needed (e.g. in case of changes in the organization structure, following information security incidents, etc.). Starting from the risk assessment results, the company has to apply a risk treatment process and implement information security controls. The standard requires a statement of applicability that lists the information security controls from Annex A of ISO 27001 along with the justification of the decision to implement or not implement each control. ISO/IEC 27001:2013 also requires that the organization defines information security objectives and plans actions for their achievement.
The resources needed for the implementation of the information security management system have to be available. The organization is required to determine the competence needed for persons having an impact on information security. The company should ensure that these persons are competent and, whenever needed, that actions are taken to acquire the competence required (e.g. information security training). Persons doing work under the organization’s control have to be aware of the information security policy, their contribution to the information security management system, the benefits of improved information security performance, as well as the implications of not conforming with information security requirements. The organization has to ensure that effective communication processes (internal and external) are implemented. The information security management system shall include documented information. The extent of the documentation differs from one organization to another depending on structure, size and specifics of activity. Controls for creating and updating the ISMS documented information have to be established (defining a format for the documents, the media – paper and/or electronic – and controls for the review and approval of documents). Controls with regard to access, distribution, retrieval, use, storage, preservation, control of changes, retention and disposition of documented information also have to be implemented. Those controls apply both to documents produced inside the organization and to documents of external origin (e.g. documents from clients, external suppliers, etc.).
The requirements are for the organization to plan, implement and control the processes needed to fulfill information security requirements. Planned changes have to be controlled to mitigate any adverse effects on information security, while the organization is also required to control any outsourced processes that may impact security.
ISO 27001:2013 requires the organization to evaluate its information security performance as well as the effectiveness of the information security management system. At planned intervals the organization has to perform internal audits to ensure that the ISMS conforms to its own security requirements as well as to the requirements of ISO/IEC 27001, and that it is effectively implemented and maintained. Top management shall periodically review the information security management system to ensure its continuing suitability, adequacy and effectiveness.
Whenever information security related nonconformities are identified, the organization has to react by implementing corrections (meant to control the nonconformity and its consequences) and corrective actions (meant to eliminate the root cause of the nonconformity). ISO/IEC 27001:2013 requires that the organization continually improves its information security management system.
Annex A of ISO/IEC 27001:2013
A5 – Information security policies
The standard requires the organization to define a set of information security policies, approved by top management and communicated to employees and to relevant interested parties. The policies have to be reviewed periodically and whenever significant changes occur in the organization, to confirm their continuing suitability, adequacy and effectiveness.
A6 – Organization of information security
Responsibilities with regard to information security have to be assigned to the company’s personnel. Conflicting duties and areas of responsibility shall be segregated (e.g. initiation and approval of transactions). The organization is required to maintain adequate contacts with authorities on information security aspects. Appropriate contacts with special interest groups, security forums or associations should also be kept. Information security needs to be addressed in project management, regardless of the type of project. The use of mobile devices involves significant information security risks, so the standard requires a policy and supporting security measures to manage those risks. If the organization uses teleworking (work from remote locations, e.g. from home, public places, etc.), then a policy and security measures have to be established to address teleworking.
A7 – Human resource security
The organization is required to perform background verification on all candidates for employment. The level of detail should be in line with the access to information and the security risks associated with the position. Contractual agreements and other employment documents should specify information security related requirements. The management of the organization should require employees and contractors to apply information security in accordance with the policies and procedures of the organization. All employees and contractors shall receive information security awareness education. A formal disciplinary process to take action against employees who have committed security breaches has to be implemented and communicated to all personnel. Those information security responsibilities and duties that remain valid after the termination or change of employment (e.g. confidentiality clauses) shall be defined, communicated and enforced.
A8 – Asset management
An inventory of assets associated with information and information processing facilities has to be drawn up and maintained. “Owners” (persons or structures of the organization) have to be assigned to assets. ISO 27001 requires the organization to establish, document and implement rules for the acceptable use of information and of assets associated with information or information processing facilities. The organization is required to ensure that, when their employment or contract is terminated, employees and contractors return all organizational assets in their possession. ISO 27001 asks the company to define and apply a scheme for the classification of information, taking into consideration aspects like value, criticality and sensitivity to unauthorized disclosure or modification. A system of labeling information according to the classification rules shall be applied. In accordance with the classification scheme adopted, the organization needs to develop and implement rules for handling assets. The organization is required to have procedures/rules for the management of removable media (e.g. external HDDs, USB sticks, CDs and DVDs, etc.), including rules for securely disposing of media that is no longer used. Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.
A9 – Access control
An access control policy (addressing both physical access and access to networks and applications) has to be established and documented. The organization has to ensure that users are only provided with access to the network services that they have been specifically authorized to use. ISO/IEC 27001:2013 requires a formal process of user registration and de-registration, while the allocation and use of privileged access rights has to be restricted and controlled. The organization needs to ensure that, upon termination of their employment, contract or agreement, the access rights of employees and external parties are removed. The password management system should be interactive and should ensure quality passwords. There have to be controls restricting users’ access to program source code.
A10 - Cryptography
If the organization uses cryptography to protect the confidentiality, authenticity and/or integrity of information, then a policy on the use of cryptographic controls shall be developed and implemented. The use, protection and lifetime of the cryptographic keys generated shall also be addressed in a policy.
A11 – Physical and environmental security
ISO/IEC 27001:2013 requires the organization to define security perimeters meant to protect areas that contain either sensitive or critical information and information processing facilities. Only authorized personnel should be allowed to access secure areas. Physical security for offices, rooms and facilities has to be designed and applied. The organization is required to design and apply physical protection against natural disasters, malicious attack or accidents. Delivery and loading areas (areas to which external, unauthorized persons have access) shall be controlled and, if possible, isolated from information processing facilities, to prevent unauthorized access. The standard requires that equipment is sited and protected to reduce the risks from environmental threats and hazards and the opportunities for unauthorized access. Protection systems against power failures and other disruptions shall exist. The organization should protect cabling carrying data or supporting information services from interception or interference (using, for example, security measures generically referred to as TEMPEST). Equipment shall be maintained according to specification to ensure optimal operation. ISO 27001 requires the organization to ensure that assets are not taken off-site without prior authorization and, when this happens, that they are protected taking into consideration the relevant risks. Equipment has to be verified to ensure that sensitive data and licensed software are removed or overwritten prior to disposal or re-use. The standard requires users to ensure adequate protection of unattended equipment, while the organization shall develop and apply a clear desk and clear screen policy.
A12 – Operations security
ISO/IEC 27001 requires the existence of documented operating procedures, available to the users who need them. Changes in the organization and changes to business processes need to be controlled so that they do not affect information security. The organization has to monitor the use of its resources and make projections of future capacity needs to ensure optimal operation. Development, testing and operational environments have to be separated. The organization shall implement controls for malware detection, prevention and recovery. Backup copies of information and system images have to be taken regularly and tested to ensure they can be relied upon. Event logs (including errors, exceptions, faults and information security events) have to be produced, kept and regularly reviewed. Logs have to be protected from tampering and unauthorized access. System administrator activities should be logged, and those logs protected and regularly reviewed. The clocks of all relevant information processing facilities should be synchronized. The organization should have procedures to control the installation of software on operational systems. ISO 27001 requires the organization to obtain, in a timely fashion, information on technical vulnerabilities of its information systems, evaluate those vulnerabilities and implement measures to address the associated risks. Audit activities involving checks on operational systems should be planned and agreed so that disruptions to business processes are minimized.
A13 – Communications security
ISO 27001 requires the organization to manage and control its networks so that the information in systems and applications is protected. Information security aspects as well as service levels should be agreed with network service providers (regardless of whether they are in-house or outsourced). Different groups of information services, users and information systems shall be segregated on networks. The organization is required to define and apply procedures and controls to protect the transfer of information, regardless of the type of communication equipment used. Information exchanged through electronic messaging (e.g. e-mail or instant messaging programs) shall be adequately protected. Requirements for confidentiality and non-disclosure shall be documented and shall reflect the needs of the organization to protect its information.
A14 – System acquisition, development and maintenance
Information security related requirements are to be included in the organization’s requirements for new information systems or for enhancements to existing systems. Confidential information passing over public networks (e.g. in the case of online payments) shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. ISO/IEC 27001:2013 requires the organization to develop and apply rules for the development of software. Following changes to operating platforms, the organization shall review and test critical business applications to ensure there is no adverse impact on information security. The organization should have rules to discourage modifications to software packages. ISO 27001 requires secure development environments to be established and appropriately protected if the organization develops software in-house. The activity of outsourced system developers has to be supervised and monitored. Testing of software products should also cover security functionality, and test data should be adequately protected.
A15 – Supplier relationships
The organization has to agree and document with its suppliers the information security requirements for mitigating the risks associated with the supplier’s access to the organization’s assets. Information security requirements have to be agreed with every supplier that accesses, processes, stores or communicates the organization’s information, or provides IT equipment and services. These requirements should also address the risks associated with the information and communications technology services and product supply chain. The organization shall monitor, review and audit supplier service delivery.
A16 – Information security incident management
ISO/IEC 27001:2013 requires organizations to establish procedures and assign responsibilities to ensure a quick and appropriate response to information security incidents. Security events shall be reported as quickly as possible using efficient communication processes. The organization shall require its employees and contractors using its information systems and services to note and report any observed or suspected information security vulnerability. Information security events shall be assessed to decide whether they represent information security incidents or not. The organization shall respond to information security incidents and the knowledge gained from analyzing and responding to incidents shall be used to reduce the likelihood or impact of future security incidents.
A17 – Information security continuity
ISO 27001 requires the organization to embed information security into its continuity management, by defining controls to ensure that information security is preserved in adverse situations (e.g. a crisis or disaster). The organization shall have sufficient redundancy in its information processing facilities to meet its availability needs.
A18 – Compliance
ISO 27001 requires the organization to identify and keep up to date the applicable legal, contractual and regulatory requirements relating to information security. Procedures to ensure compliance with intellectual property, privacy and personally identifiable information requirements have to be established. Cryptography shall be used in accordance with existing legislation (where applicable). The organization is required to ensure an independent review of its approach to managing information security (i.e. controls, policies, procedures, etc.) at planned intervals and whenever significant changes occur. Managers are required to regularly review compliance with the applicable information security policies and procedures in their areas of responsibility.
This is a very brief presentation of the requirements of ISO/IEC 27001:2013.
Some of the requirements may not be applicable, depending on the activities of the organization, and of course supplementary controls can be defined and implemented if necessary.
ISO/IEC 27001 can be implemented and certified successfully in large corporations but also in small businesses that wish to demonstrate they have controls in place to protect the information they process and store.
Of course ISO/IEC 27001 can be integrated with other management system standards like ISO 9001, ISO/IEC 20000-1 or ISO 22301, for example.
For certification purposes please contact us by e-mail at firstname.lastname@example.org.
If you're looking for training on the requirements of ISO/IEC 27001 or the application of this standard for cybersecurity check out our online courses below.
A management system is a set of elements (policies, processes and procedures) used by an organization to fulfil its objectives and perform its tasks. A management system can address a single discipline (e.g. a quality management system or an information security management system) or several disciplines at the same time, in what is referred to as an integrated management system. It is the choice of the organization what type of management system it implements and certifies.
For every discipline there are specific standards that define the requirements for a management system (e.g. ISO 9001, ISO 14001 or ISO/IEC 27001). An organization wishing to obtain the certification of its management system has to demonstrate during an initial certification audit that it fulfils the requirements of the specific standards used as reference for certification.
Regardless of the discipline all management systems generally require organizations to define roles, responsibilities and authorities for personnel, document policies, establish objectives and actions to achieve them, demonstrate operation in controlled conditions, monitor, measure, analyze and evaluate performance and act to continually improve the system.
A management system can be implemented by the organization using internal resources or with the help of external consultants. The management system needs to be maintained and continually improved.
To be useful, a management system should become an integral part of the organization’s activities and not a set of requirements separated from operational routine.
The support from top management is vital for the success of a management system in the organization.
Certification is an attestation from a third party (usually called registrar or certification body) that the management system implemented by an organization fulfills the requirements of applicable standard(s).
So, in fact, it is not the organization that is the subject of certification, but its management system.
The certification process begins with the application sent by the organization looking to obtain certification. It has to be a written application, and it is useful to the certification body for understanding what is required and for planning the resources needed to provide the certification services.
A contract for the certification is signed.
The certification audit is performed to evaluate how the requirements of the standard(s)/reference documents are implemented. The audit team is made up of one or several members, and the audit duration depends on a series of factors like the standards involved in the certification, the size of the organization, its activities, locations, etc.
In case the conclusions of the audit are positive and there are no other elements that may affect the certification, the certification body issues the conformity certificate(s).
The document General rules for the certification of management systems contains detailed information about how the certification process works and what the requirements are for obtaining and maintaining certifications.
Management system certifications are valid for 3 years, with the condition that successful yearly surveillance audits are performed (in the first and second year after certification). Surveillance audits are meant to evaluate if the management system certified continues to respect applicable requirements.
The certification program is the document that specifies the planning of surveillance audits and it is communicated to the organization at certification date.
In the third year the recertification audit takes place and the organization enters another 3-year certification cycle under conditions similar to the previous one.
In case surveillance audits are not performed as scheduled the certification may be suspended. During suspension the certification is temporarily invalid. If during suspension the situation is not corrected the certification is withdrawn.
Appeals refer to decisions of RIGCERT with regard to a certain certification (e.g. not granting, suspending or withdrawing it), while complaints may refer to a series of aspects like: the personnel working on behalf of RIGCERT, the activities of organizations certified by RIGCERT, the activities of third parties connected to RIGCERT, etc.
Appeals and complaints should be sent to email@example.com and are treated confidentially.
RIGCERT personnel involved in the review and decision regarding a certain appeal or complaint have not been involved in the case being reviewed.
The review can include actions like performing special audits or requesting information from the parties involved, and is concluded with a formal decision communicated to the appellant and/or complainant.
Detailed information on the appeals and complaints handling process is available in the document General rules for the certification of management systems.