ISO/IEC 27001:2013 — Information technology — Security techniques — Information security management systems — Requirements (second edition) – Brief Overview of Standard.

Abstract

”This International Standard has been prepared to provide requirements for establishing, implementing, maintaining, and continually improving an information security management system …”

Introduction

ISO/IEC 27001 formally specifies an Information Security Management System, a governance arrangement comprising a structured suite of activities with which to manage information risks (called ‘information security risks’ in the standard).

The ISMS is an overarching framework through which management identifies, evaluates and treats (addresses) the organisation’s information risks. The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts – an important aspect in such a dynamic field, and a key advantage of ISO27k’s flexible risk-driven approach as compared to, say, PCI-DSS.

The standard covers all types of organisations (e.g. commercial enterprises, government agencies, non-profits) of all sizes (from micro-businesses to huge multinationals) in all industries (e.g. retail, banking, defense, healthcare, education and government). This is clearly a very wide brief.

ISO/IEC 27001 does not formally mandate specific information security controls since the controls that are required vary markedly across the wide range of organisations adopting the standard. The information security controls from ISO/IEC 27002 are summarised in annex A to ISO/IEC 27001, rather like a menu. organisations adopting ISO/IEC 27001 are free to choose whichever specific information security controls are applicable to their particular information risks, drawing on those listed in the menu and potentially supplementing them with other a la carte options (sometimes known as extended control sets). As with ISO/IEC 27002, the key to selecting applicable controls is to undertake a comprehensive assessment of the organisation’s information risks, which is one vital part of the ISMS.

Furthermore, management may elect to avoid, share or accept information risks rather than mitigate them through controls – a risk treatment decision within the risk management process.

History

ISO/IEC 27001 is derived from BS 7799 Part 2, first published as such by the British Standards Institute in 1999.

BS 7799 Part 2 was revised in 2002, explicitly incorporating the Deming-style Plan-Do-Check-Act cycle.

BS 7799 part 2 was adopted as the first edition of ISO/IEC 27001 in 2005 with various changes to reflect its new custodians.

The second edition of ISO/IEC 27001 was published in 2013, having been extensively revised to align with the other ISO management systems standards. Although explicit references to PDCA were removed, the concept of continuous refinement and systematic improvement remains.

Structure of the standard

ISO/IEC 27001:2013 has the following sections:

0 Introduction – the standard describes a process for systematically managing information risks.

1 Scope – it specifies generic ISMS requirements suitable for organisations of any type, size, or nature.

2 Normative references – only ISO/IEC 27000 is considered absolutely essential to users of ’27001: the remaining ISO27k standards are optional.

3 Terms and definitions – see ISO/IEC 27000.

4 Context of the organisation – understanding the organisational context, the needs and expectations of ‘interested parties’ and defining the scope of the ISMS. Section 4.4 states very plainly that “The organisation shall establish, implement, maintain and continually improve” the ISMS.

5 Leadership – top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.

6 Planning – outlines the process to identify, analyse and plan to treat information risks, and clarify the objectives of information security.

7 Support – adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.

8 Operation – a bit more detail about assessing and treating information risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).

9 Performance evaluation – monitor, measure, analyse and evaluate/audit/review the information security controls, processes and management system, systematically improving things where necessary.

10 Improvement – address the findings of audits and reviews (e.g. nonconformities and corrective actions), make continual refinements to the ISMS.

Annex A Reference control objectives and controls – little more in fact than a list of titles of the control sections in ISO/IEC 27002. The annex is ‘normative’, implying that certified organisations are expected to use it, but the main body says they are free to deviate from or supplement it in order to address their particular information risks. Annex A alone is hard to interpret. Please refer to ISO/IEC 27002 for more useful detail on the controls, including implementation guidance.

Bibliography – points readers to five related standards, plus part 1 of the ISO/IEC directives, for more information. In addition, ISO/IEC 27000 is identified in the body of the standard as a normative (i.e. essential) standard and there are several references to ISO 31000 on risk management.

Mandatory requirements for certification

ISO/IEC 27001 is a formalised specification for an ISMS with two distinct purposes:

1. It lays out the design for an ISMS, describing the important parts at a fairly high level;
2. It can (optionally) be used as the basis for formal conformity assessment by accredited certification auditors in order to certify an organisation conformant.

The following mandatory documentation is explicitly required for certification:

1. ISMS scope (as per clause 4.3)
2. Information security policy (clause 5.2)
3. Information risk assessment process (clause 6.1.2)
4. Information risk treatment process (clause 6.1.3)
5. Information security objectives (clause 6.2)
6. Evidence of the competence of the people working in information security (clause 7.2)
7. Other ISMS-related documents deemed necessary by the organisation (clause 7.5.1b)
8. Operational planning and control documents (clause 8.1)
9. The results of the [information] risk assessments (clause 8.2)
10. The decisions regarding [information] risk treatment (clause 8.3)
11. Evidence of the monitoring and measurement of information security (clause 9.1)
12. The ISMS internal audit program and the results of audits conducted (clause 9.2),  plus an audit procedure (since audit is defined in the current ISO/IEC 27000 as a ‘systematic, independent and documented process’).
13. Evidence of top management reviews of the ISMS (clause 9.3)
14. Evidence of nonconformities identified and corrective actions arising (clause 10.1)
15. Various others:Annex A mentions but does not fully specify further documentation including the rules for acceptable use of assets, access control policy, operating procedures, confidentiality or non-disclosure agreements, secure system engineering principles, information security policy for supplier relationships, information security incident response procedures, relevant laws, regulations and contractual obligations plus the associated compliance procedures and information security continuity procedures. However, despite Annex A being normative, organisations are not formally required to adopt Annex A: they can use other structures and approaches to treat their information risks.

Certification auditors will almost certainly check that these fifteen types of documentation are both present and fit for purpose.

The standard does not specify precisely what form the documentation should take, but section 7.5.2 talks about aspects such as the titles, authors, formats, media, review and approval, while 7.5.3 concerns document control, implying a fairly formal ISO 9000-style approach. Electronic documentation (such as intranet pages) are just as good as paper documents, in fact better in the sense that they are easier to control and update.

ISMS scope and Statement of Applicability (SoA)

Whereas the standard is intended to drive the implementation of an enterprise-wide ISMS, ensuring that all parts of the organisation benefit by addressing their information risks in an appropriate and systematically-managed manner, organisations can scope their ISMS as broadly or as narrowly as they wish – indeed scoping is a crucial decision for senior management (clause 4.3). A documented ISMS scope is one of the mandatory requirements for certification.

Although the  Statement of Applicability is not explicitly defined, it is a mandatory requirement of section 6.1.3. SoA refers to the output from the information risk assessments and, in particular, the decisions around treating those risks. The SoA may, for instance, take the form of a matrix identifying various types of information risks on one axis and risk treatment options on the other, showing how the risks are to be treated in the body, and perhaps who is accountable for them. It usually references the relevant controls from ISO/IEC 27002 but the organisation may use a completely different framework, catalogue, reference or source of controls such as NIST SP800-53, the ISF standard, BMIS and/or COBIT or a custom approach. The information security control objectives and controls from ISO/IEC 27002:2013 are provided as a checklist at Annex A in order to avoid ‘overlooking necessary controls’: they are not required.

The ISMS scope and SoA are crucial if a third party intends to attach any reliance to an organisation’s ISO/IEC 27001 certificate. If an organisation’s ISO/IEC 27001 scope only includes “Acme Ltd. Department X”, for example, the associated certificate says absolutely nothing about the state of information security in “Acme Ltd. Department Y” or indeed “Acme Ltd.” as a whole. Similarly, if for some reason management decides to accept malware risks without implementing conventional antivirus controls, the certification auditors may well challenge such a bold assertion but, provided the associated analyses and decisions were sound, that alone would not be justification to refuse to certify the organisation since antivirus controls are not in fact mandatory.

Metrics

In effect (without actually using the term “metrics”), the 2013 edition of the standard requires the use of metrics on the performance and effectiveness of the organisation’s ISMS and information security controls. Section 9, “Performance evaluation”, requires the organisation to determine and implement suitable security metrics … but gives only high-level requirements.

ISO/IEC 27004 offers advice on what and how to measure in order to satisfy the requirement and evaluate the performance of the ISMS – an eminently sensible approach not dissimilar to that described in PRAGMATIC Security Metrics.

Certification

Certified conformity with ISO/IEC 27001 by an accredited and respected certification body is entirely optional but is increasingly being demanded from suppliers and business partners by organisations that are (quite rightly!) concerned about the security of their information, and about information risks throughout the supply chain/network.

According to the most recent ISO Survey, more than 44,000 organisations with over 84,000 sites worldwide held valid ISO/IEC 27001 certificates in 2020, making this management system standard fourth in popularity behind ISO 9001 (quality assurance), ISO 14001 (environmental protection) and ISO 45001 (health and safety).

Certification brings a number of benefits above and beyond mere conformity, in much the same way that an ISO 9000-series certificate says more than just “We are a quality organisation”. Independent assessment necessarily brings some rigor and formality to the implementation process (implying improvements to information security and all the benefits that brings through risk reduction), and invariably requires senior management approval (which is an advantage in security awareness terms, at least!).

The certificate has marketing potential and brand value, demonstrating that the organisation takes information security management seriously. However, as noted above, the assurance value of the certificate is highly dependent on the ISMS scope, RTP, and SoA – in other words, don’t put too much faith in an organization’s ISO/IEC 27001 certificate if you are highly dependent on its information security. In just the same way that certified PCI-DSS compliance does not mean “We guarantee to secure credit card data and other personal information”, a valid ISO/IEC 27001 certificate is a positive sign but not a cast-iron guarantee about an organization’s information security. It says “We have a conformant ISMS in place”, not “We secure your information”, a subtle but important distinction.

Status of the standard

After its development from/in parallel with British Standard BS 7799-2 and initial numbering as ISO/IEC 24743, ISO/IEC 27001 was first published in mid-2005.

ISO/IEC 27001 was completely rewritten and the second edition was published in 2013 with substantial changes to align this standard with other management systems standards.

ISO/IEC 27002 was extensively revised and re-issued at the same time, hence Annex A to ISO/IEC 27001 was completely updated.

A 2014 technical corrigendum clarified that information is, after all, an asset.

A second technical corrigendum in 2015 clarified that organisations are formally required to identify the implementation status of their information security controls in the SoA.

A proposed third technical corrigendum jumped the shark: SC 27 resisted the urge to carry on tweaking the published standard unnecessarily with changes that should have been proposed earlier.

A Study Period looked at the value and purpose of Annex A in relation to the SoA, concluding that Annex A is a useful link to ISO/IEC 27002 but the main body wording should make it clear that Annex A is entirely optional (discretionary): organisations can adopt whatever set of controls (or indeed other risk treatments) they deem suitable to treat their information risks, provided the process of selecting, implementing, managing, monitoring and maintaining the risk treatments fulfills the (mandatory) main body requirements – in other words, the entire process falls within the ISMS.

A planned amendment to ‘27001 is to be incorporated into a new third edition of the standard i.e. it is likely to become ISO/IEC 27001:2022 if published later this year.  Further changes are required by ISO to reflect the revised Annex SL common structure and boilerplate for management systems standards (see below), hence the date is uncertain.

For purchasing an official copy of this standard, please visit www.iso.org