How do you interpret Domains, Control Objectives and Controls in the ISO 27001 standard?

ISO 27001 currently has 11 Domains, 39 Control Objectives and 130+ Controls. The Domains and their Control Objectives are listed below.

1. Security policy
  • Information security policy – Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

2. Organization of information security
  • Internal organization – Objective: To manage information security within the organization.
  • External parties – Objective: To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

3. Asset management
  • Responsibility for assets – Objective: To achieve and maintain appropriate protection of organizational assets.
  • Information classification – Objective: To ensure that information receives an appropriate level of protection.

4. Human resources security
  • Prior to employment – Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
  • During employment – Objective: To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
  • Termination or change of employment – Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.

5. Physical and environmental security
  • Secure areas – Objective: To prevent unauthorized physical access, damage and interference to the organization’s premises and information.
  • Equipment security – Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s activities.

6. Communications and operations management
  • Operational procedures and responsibilities – Objective: To ensure the correct and secure operation of information processing facilities.
  • Third party service delivery management – Objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.
  • System planning and acceptance – Objective: To minimize the risk of systems failures.
  • Protection against malicious and mobile code – Objective: To protect the integrity of software and information.
  • Back-up – Objective: To maintain the integrity and availability of information and information processing facilities.
  • Network security management – Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.
  • Media handling – Objective: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities.
  • Exchange of information – Objective: To maintain the security of information and software exchanged within an organization and with any external entity.
  • Electronic commerce services – Objective: To ensure the security of electronic commerce services, and their secure use.
  • Monitoring – Objective: To detect unauthorized information processing activities.

7. Access control
  • Business requirement for access control – Objective: To control access to information.
  • User access management – Objective: To ensure authorized user access and to prevent unauthorized access to information systems.
  • User responsibilities – Objective: To prevent unauthorized user access, and compromise or theft of information and information processing facilities.
  • Network access control – Objective: To prevent unauthorized access to networked services.
  • Operating system access control – Objective: To prevent unauthorized access to operating systems.
  • Application and information access control – Objective: To prevent unauthorized access to information held in application systems.
  • Mobile computing and teleworking – Objective: To ensure information security when using mobile computing and teleworking facilities.

8. Information systems acquisition, development and maintenance
  • Security requirements of information systems – Objective: To ensure that security is an integral part of information systems.
  • Correct processing in applications – Objective: To prevent errors, loss, unauthorized modification or misuse of information in applications.
  • Cryptographic controls – Objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.
  • Security of system files – Objective: To ensure the security of system files.
  • Security in development and support processes – Objective: To maintain the security of application system software and information.
  • Technical vulnerability management – Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.

9. Information security incident management
  • Reporting information security events and weaknesses – Objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
  • Management of information security incidents and improvements – Objective: To ensure a consistent and effective approach is applied to the management of information security incidents.

10. Business continuity management
  • Information security aspects of business continuity management – Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.

11. Compliance
  • Compliance with legal requirements – Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.
  • Compliance with security policies and standards, and technical compliance – Objective: To ensure compliance of systems with organizational security policies and standards.
  • Information systems audit considerations – Objective: To maximize the effectiveness of and to minimize interference to/from the information systems audit process.

PCI SSC (Payment Card Industry Security Standards Council) Data Security Standards Overview

The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step. The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process — including prevention, detection and appropriate reaction to security incidents.

Tools to help organizations validate their PCI DSS compliance include the Self-Assessment Questionnaires (SAQs). The Council also publishes a chart of the tools available to help organizations become PCI DSS compliant.

For device vendors and manufacturers, the Council provides the PIN Transaction Security (PTS) requirements, a single set of requirements for all personal identification number (PIN) terminals, including POS devices, encrypting PIN pads and unattended payment terminals. The Council also publishes a list of approved PIN transaction devices.

To help software vendors and others develop secure payment applications, the Council maintains the Payment Application Data Security Standard (PA-DSS) and a list of Validated Payment Applications.

The Council also provides training to professional firms and individuals so that they can assist organizations with their compliance efforts. The Council maintains public resources such as lists of Qualified Security Assessors (QSAs), Payment Application Qualified Security Assessors (PA-QSAs), and Approved Scanning Vendors (ASVs). Large firms seeking to educate their employees can take advantage of the Internal Security Assessor (ISA) education program.

General audit terms defined in ISO 27001

  • Audit – the process by which a subject area is independently reviewed and reported on by one or more competent auditors on behalf of stakeholders
  • Audit checklist – a structured questionnaire or workplan to guide the auditors in testing the area being audited
  • Audit evidence – information gathered from the area being audited such as written documentation, computer printouts, interviews and observation
  • Audit finding – the auditor’s summary/description and analysis of an inadequately mitigated risk to the organization
  • Audit observation – an optional or advisory audit recommendation which carries less weight than an audit recommendation
  • Audit plan or programme – a project plan for an audit laying out the main audit activities and their timing
  • Audit recommendation – a corrective action that is proposed to address one or more identified audit findings, which must be addressed prior to certification or recertification of the ISMS
  • Audit report – a formal report to management documenting the key findings and conclusions of the audit
  • Audit risk – the potential for an audit to fail to meet its objectives, for example by using unreliable, incomplete or inaccurate information
  • Audit schedule – a diary of planned audits
  • Audit subject – the in-scope organization/s, or parts of an organization, which are being audited
  • Audit test – a check conducted by the auditors to verify whether a control is effective, efficient and adequate to mitigate one or more risks to the organization
  • Audit work papers – documents written by the auditors recording their examination, findings and analysis of the ISMS, including completed audit checklists
  • Compliance audit – a type of audit specifically designed to assess the extent to which the audit subject conforms to stated requirements
  • ISMS audit – an audit centred on the organization’s Information Security Management System (ISMS)
  • Risk-based audit – an audit planned on the basis of an assessment of risks

Are you ready for ISO/IEC 27001:2013? Self-assessment

1. The organization and its context
  • Have the internal and external issues that are relevant to the ISMS, and that impact on the achievement of its expected outcome, been determined?

2. Needs and expectations of interested parties
  • Has the organization determined the interested parties that are relevant to the ISMS?
  • Have the requirements of these interested parties been determined, including legal, regulatory and contractual requirements?

3. Scope of the ISMS
  • Have the boundaries and applicability of the ISMS been determined to establish its scope, taking into consideration the external and internal issues, the requirements of interested parties and the interfaces and dependencies with other organizations?
  • Is the scope of the ISMS documented?

4. Leadership and management commitment
Is the organization’s leadership commitment to the ISMS demonstrated by:
  • Establishing the information security policy and objectives, in consideration of the strategic direction of the organization, and in promotion of continual improvement?
  • Ensuring the integration of the ISMS requirements into its business processes?
  • Ensuring resources are available for the ISMS, and directing and supporting individuals, including management, who contribute to its effectiveness?
  • Communicating the importance of effective information security and conformance to ISMS requirements?

5. Information security policy
  • Is there an established information security policy that is appropriate, gives a framework for setting objectives, and demonstrates commitment to meeting requirements and to continual improvement?
  • Is the policy documented and communicated to employees and relevant interested parties?

6. Roles and responsibilities
  • Are the roles within the ISMS clearly defined and communicated?
  • Are the responsibilities and authorities for conformance and reporting on ISMS performance assigned?

7. Risks and opportunities of ISMS implementation
  • Have the internal and external issues, and the requirements of interested parties, been considered to determine the risks and opportunities that need to be addressed to ensure that the ISMS achieves its outcome, that undesired effects are prevented or reduced, and that continual improvement is achieved?
  • Have actions to address risks and opportunities been planned and integrated into the ISMS processes, and are they evaluated for effectiveness?

8. Information security risk assessment
  • Has an information security risk assessment process that establishes the criteria for performing information security risk assessments, including risk acceptance criteria, been defined?
  • Is the information security risk assessment process repeatable, and does it produce consistent, valid and comparable results?
  • Does the information security risk assessment process identify risks associated with loss of confidentiality, integrity and availability for information within the scope of the ISMS, and are risk owners identified?
  • Are information security risks analysed to assess the realistic likelihood and the potential consequences that would result if they were to occur, and have the levels of risk been determined?
  • Are information security risks compared to the established risk criteria and prioritised?
  • Is documented information about the information security risk assessment process available?

9. Information security risk treatment
  • Is there an information security risk treatment process to select appropriate risk treatment options for the results of the information security risk assessment, and are controls determined to implement the risk treatment option chosen?
  • Have the controls determined been compared with ISO/IEC 27001:2013 Annex A to verify that no necessary controls have been missed?
  • Has a Statement of Applicability been produced to justify Annex A exclusions and inclusions, together with the control implementation status?
  • Has an information security risk treatment plan been formulated and approved by risk owners, and have residual information security risks been authorised by risk owners?
  • Is documented information about the information security risk treatment process available?

10. Information security objectives and planning to achieve them
  • Have measurable ISMS objectives and targets been established, documented and communicated throughout the organization?
  • In setting its objectives, has the organization determined what needs to be done, when and by whom?

11. ISMS resources and competence
  • Is the ISMS adequately resourced?
  • Is there a process defined and documented for determining competence for ISMS roles?
  • Are those undertaking ISMS roles competent, and is this competence documented appropriately?

12. Awareness and communication
  • Is everyone within the organization’s control aware of the importance of the information security policy, their contribution to the effectiveness of the ISMS and the implications of not conforming?
  • Has the organization determined the need for internal and external communications relevant to the ISMS, including what to communicate, when, with whom, and by whom, and the processes by which this is achieved?

13. Documented information
  • Has the organization determined the documented information necessary for the effectiveness of the ISMS?
  • Is the documented information in the appropriate format, and has it been identified, reviewed and approved for suitability?
  • Is the documented information controlled such that it is available and adequately protected, distributed, stored, retained and under change control, including documents of external origin required by the organization for the ISMS?

14. Operational planning and control
  • Has a programme to ensure the ISMS achieves its outcomes, requirements and objectives been developed and implemented?
  • Is documented evidence retained to demonstrate that processes have been carried out as planned?
  • Are changes planned and controlled, and unintended changes reviewed to mitigate any adverse results?
  • Have outsourced processes been determined, and are they controlled?
  • Are information security risk assessments performed at planned intervals or when significant changes occur, and is documented information retained?
  • Has the information security risk treatment plan been implemented, and is documented information retained?

15. Monitoring, measurement and evaluation
  • Are the information security performance and the effectiveness of the ISMS evaluated?
  • Has it been determined what needs to be monitored and measured, when, by whom, the methods to be used, and when the results will be evaluated?
  • Is documented information retained as evidence of the results of monitoring and measurement?

16. Internal audit
  • Are internal audits conducted periodically to check that the ISMS is effective and conforms to both ISO/IEC 27001:2013 and the organization’s requirements?
  • Are the audits conducted by an appropriate method and in line with an audit programme based on the results of risk assessments and previous audits?
  • Are results of audits reported to management, and is documented information about the audit programme and audit results retained?
  • Where non-conformities are identified, are they subject to corrective action (see section 18)?

17. Management review
  • Does top management undertake a periodic review of the ISMS?
  • Does the output from the ISMS management review identify changes and improvements?
  • Are the results of the management review documented, acted upon and communicated to interested parties as appropriate?

18. Corrective action and continual improvement
  • Have actions to control, correct and deal with the consequences of non-conformities been identified?
  • Has the need for action been evaluated to eliminate the root cause of non-conformities and prevent recurrence?
  • Have any actions identified been implemented and reviewed for effectiveness, and have they given rise to improvements to the ISMS?
  • Is documented information retained as evidence of the nature of non-conformities, actions taken and the results?

19. Security controls – as applicable, based on the results of your information security risk assessment
  • Are information security policies that provide management direction defined and regularly reviewed?
  • Has a management framework been established to control the implementation and operation of security within the organization, including assignment of responsibilities and segregation of conflicting duties?
  • Are appropriate contacts with authorities and special interest groups maintained?
  • Is information security addressed in projects?
  • Is there a mobile device policy and a teleworking policy in place?
  • Are human resources subject to screening, and do they have terms and conditions of employment defining their information security responsibilities?
  • Are employees required to adhere to the information security policies and procedures, and provided with awareness, education and training, and is there a disciplinary process?
  • Are the information security responsibilities and duties communicated and enforced for employees who terminate or change employment?
  • Is there an inventory of assets associated with information and information processing, have owners been assigned, and are rules for acceptable use of assets and return of assets defined?
  • Is information classified and appropriately labelled, and have procedures for handling assets in accordance with their classification been defined?
  • Are there procedures for the removal, disposal and transit of media containing information?
  • Has an access control policy been defined and reviewed, and is user access to the network controlled in line with the policy?
  • Is there a formal user registration process for assigning and revoking access and access rights to systems and services, and are access rights regularly reviewed, and removed upon termination of employment?
  • Are privileged access rights restricted and controlled, is secret authentication information controlled, and are users made aware of the practices for its use?
  • Is access to information restricted in line with the access control policy, and is access controlled via a secure log-on procedure?
  • Are password management systems interactive, and do they enforce quality passwords?
  • Is the use of utility programs and access to program source code restricted?
  • Is there a policy for the use of cryptography and key management?
  • Are there policies and controls to prevent unauthorised physical access and damage to information and information processing facilities?
  • Are there policies and controls in place to prevent loss, damage, theft or compromise of assets and interruptions to operations?
  • Are operating procedures documented, and are changes to the organization, business processes and information systems controlled?
  • Are resources monitored and projections made of future capacity requirements?
  • Is there separation of development, testing and operational environments?
  • Is there protection against malware?
  • Are information, software and systems subject to backup and regular testing?
  • Are there controls in place to log events and generate evidence?
  • Is the implementation of software on operational systems controlled, and are there rules governing the installation of software by users?
  • Is information about technical vulnerabilities obtained, and are appropriate measures taken to address risks?
  • Are networks managed, segregated when necessary, and controlled to protect information systems, and are network services subject to service agreements?
  • Are there policies and agreements to maintain the security of information transferred within or outside of the organization?
  • Are information security requirements for information systems defined, and is information passing over public networks and application service transactions protected?
  • Are systems and rules for the development of software established, and are changes to systems within the development lifecycle formally controlled?
  • Are business critical applications reviewed and tested after changes to operating system platforms, and are there restrictions on changes to software packages?
  • Have secure engineering principles been established, and are they maintained and implemented, including secure development environments, security testing, the use of test data and system acceptance testing?
  • Is outsourced software development supervised and monitored?
  • Are there policies and agreements in place to protect information assets that are accessible to suppliers, and is the agreed level of information security and service delivery monitored and managed, including changes to provision of services?
  • Is there a consistent approach to the management of security incidents and weaknesses, including assignment of responsibilities, reporting, assessment, response, analysis and collection of evidence?
  • Is information security continuity embedded within the business continuity management system, including determination of requirements in adverse situations, procedures and controls, and verification of effectiveness?
  • Are information processing facilities implemented with redundancy to meet availability requirements?
  • Have all legislative, statutory, regulatory and contractual requirements, and the approach to meeting these requirements, been defined for each information system and the organization, including but not limited to procedures for intellectual property rights, protection of records, privacy and protection of personal information, and regulation of cryptographic controls?
  • Is there an independent review of information security?
  • Do managers regularly review the compliance of information processing and procedures within their areas of responsibility?
  • Are information systems regularly reviewed for technical compliance with policies and standards?

Example/sample ISO/IEC 27001:2013 ISMS scoping statements

Sample 1

The Information Security Management System (ISMS) applies to the provision of trusted and managed information security services to internal and external customers of <ORGANIZATION> in accordance with the ISMS Statement of Applicability revision xx, dated xx-xxx-xxxx.

Sample 2

As stated in the Information Security Management System (ISMS) Statement of Applicability, revision xx, dated xx-xxx-xxxx, the ISMS encompasses <ORGANIZATION>’s Information Technology Division Office, Computer Lab, Storehouse and Computer Classroom, covering business activities relating to the provision of operation, maintenance and management of Internet and Web services and systems.

Sample 3

The provision of e-Business solutions that are fully integrated to deliver the complete process and management of e-Business components including: workflows; contacts; e-mail; bulletin boards; news; events; traffic analysis and audits on a secure hosted platform, 24 hours a day, 365 days a year, as per the Statement of Applicability approved by senior management on xx-XXX-xxxx.

Note: be aware that if you narrow the scope of your ISMS, you are also going to:

  • Reduce the implementation costs to some degree, although you will still need to implement a comprehensive management system to be certified compliant to ISO/IEC 27001;
  • Reduce the business benefits compared to a more broadly-scoped ISMS; and
  • Have to define security interfaces for information flows and processes that span or extend beyond the in-scope area to the remainder, since everything outside the scoped area is relatively untrustworthy.

Mandatory requirements for ISO/IEC 27001:2013 certification

ISO/IEC 27001 is a formalized specification for an ISMS with two distinct purposes:

  1. It lays out, at a fairly high level, what an organization can do in order to implement an ISMS;
  2. It can (optionally) be used as the basis for formal compliance assessment by accredited certification auditors in order to certify an organization.

The following mandatory documentation (or rather “documented information” in the curiously stilted language of the standard) is explicitly required for certification:

  1. ISMS scope (as per clause 4.3)
  2. Information security policy (clause 5.2)
  3. Information security risk assessment process (clause 6.1.2)
  4. Information security risk treatment process (clause 6.1.3)
  5. Information security objectives (clause 6.2)
  6. Evidence of the competence of the people working in information security (clause 7.2)
  7. Other ISMS-related documents deemed necessary by the organization (clause 7.5.1b)
  8. Operational planning and control documents (clause 8.1)
  9. The results of the risk assessments (clause 8.2)
  10. The decisions regarding risk treatment (clause 8.3)
  11. Evidence of the monitoring and measurement of information security (clause 9.1)
  12. The ISMS internal audit program and the results of audits conducted (clause 9.2)
  13. Evidence of top management reviews of the ISMS (clause 9.3)
  14. Evidence of nonconformities identified and corrective actions arising (clause 10.1)
  15. Various others: Annex A, which is normative, mentions but does not fully specify further documentation including the rules for acceptable use of assets, access control policy, operating procedures, confidentiality or non-disclosure agreements, secure system engineering principles, information security policy for supplier relationships, information security incident response procedures, relevant laws, regulations and contractual obligations plus the associated compliance procedures and information security continuity procedures.

Certification auditors will almost certainly check that these fifteen types of documentation are (a) present, and (b) fit for purpose. The standard does not specify precisely what form the documentation should take, but section 7.5.2 talks about aspects such as the titles, authors, formats, media, review and approval, while 7.5.3 concerns document control, implying a fairly formal ISO 9000-style approach.

Structure of the ISO/IEC 27001:2013 standard

ISO/IEC 27001:2013 has the following sections:

0  Introduction – the standard uses a process approach.

1  Scope – it specifies generic ISMS requirements suitable for organizations of any type, size or nature.

2  Normative references – only ISO/IEC 27000 is considered absolutely essential to users of ’27001: the remaining ISO27k standards are optional.

3  Terms and definitions – a brief, formalized glossary, soon to be superseded by ISO/IEC 27000.

4  Context of the organization – understanding the organizational context, the needs and expectations of ‘interested parties’, and defining the scope of the ISMS. Section 4.4 states very plainly that “The organization shall establish, implement, maintain and continually improve” a compliant ISMS.

5  Leadership – top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.

6  Planning – outlines the process to identify, analyze and plan to treat information security risks, and clarify the objectives of information security.

7  Support – adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.

8  Operation – a bit more detail about assessing and treating information security risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).

9  Performance evaluation – monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system in order to make systematic improvements where appropriate.

10  Improvement – address the findings of audits and reviews (e.g. nonconformities and corrective actions) and make continual refinements to the ISMS.

Annex A  Reference control objectives and controls – little more in fact than a list of titles of the control sections in ISO/IEC 27002. The annex is ‘normative’, implying that certified organizations are expected to use it, but they are free to deviate from or supplement it in order to address their particular information security risks.

Bibliography – points readers to five related standards, plus part 1 of the ISO/IEC directives, for more information. In addition, ISO/IEC 27000 is identified in the body of the standard as a normative (i.e. essential) standard, and there are several references to ISO 31000 on risk management.

Important Points When Using Statements of Applicability (SOAs): ISO 27001

  • Organizations should identify all control objectives and actual controls selected for implementation when completing the SOA.
  • The SOA doesn’t need to contain confidential asset and process information.
  • Controls in addition to those stated in the standard may also be stated as part of the SOA.
  • Any ISO 27001 controls that are not selected for compliance must be explained.

Determining Maturity Levels before implementing ISO 27001

When assessing the organization’s compliance maturity level, auditors should determine whether or not the implementation team is able to answer the following questions:

  • Does a document exist that specifies the scope of compliance?
    According to ISO 27001, a scope document is required when planning the standard’s implementation. The document must list all the business processes, facilities, and technologies available within the organization, along with the types of information within the ISMS. When identifying the scope of compliance, companies must clearly define the dependencies and interfaces between the organization and external entities.
  • Are business processes and information flows clearly defined and documented?
    Answering this question helps to determine the information assets within the scope of compliance and their importance, as well as to design a proper set of controls to protect information as it is stored, processed, and transmitted across various departments and business units.
  • Does a list of information assets exist? Is it current?
    All assets that may affect the organization’s security should be included in an information asset list. Information assets typically include software, hardware, documents, reports, databases, applications, and application owners. A structured list must be maintained that includes individual assets or asset groups available within the company, their location, use, and owner. The list should be updated regularly to ensure accurate information is reviewed during the compliance certification process.
  • How are information assets classified?
    Information assets must be classified based on their importance to the organization and the level of impact if their confidentiality, integrity or availability were compromised.
  • Is a high-level security policy in place?
    Critical to implementing an information security standard is a detailed security policy. The policy must clearly convey management’s commitment to protecting information and establish the business’ overall security framework and sense of direction. It should also identify all security risks, how they will be managed, and the criteria needed to evaluate risks.
  • Has the organization implemented a risk assessment process?
    A thorough risk assessment exercise must be conducted that takes into account the value and vulnerabilities of corporate IT assets, the internal processes and external threats that could exploit these vulnerabilities, and the probability of each threat. If a risk assessment methodology is in place, the standard recommends that organizations continue using this methodology.
  • Is a list of controls available?
    Necessary controls should be identified based on risk assessment information and the organization’s overall approach for mitigating risk. Selected controls should then be mapped to Annex A of the standard (which identifies 133 controls divided into 11 domains) to complete a statement of applicability (SOA) form. A full review of Annex A acts as a monitoring mechanism to identify whether any control areas have been missed in the compliance planning process.
  • Are security procedures documented and implemented?
    Steps must be taken to maintain a structured set of documents detailing all IT security procedures, which must be documented and monitored to ensure they are implemented according to established security policies.
  • Is there a business continuity (BC) management process in place?
    A management process must be in place that defines the company’s overall BC framework. A detailed business impact analysis based on the BC plan should be drafted, tested and updated periodically.
  • Has the company implemented a security awareness program?
    Planning and documentation efforts should be accompanied by a proper IT security awareness program so that all employees receive training on information security requirements.
  • Was an internal audit conducted?
    An internal audit must be conducted to ensure compliance with the standard and adherence to the organization’s security policies and procedures.
  • Was a gap analysis conducted?
    Another important parameter to determine is the organization’s level of compliance with the 133 controls in the standard. A gap analysis helps organizations link appropriate controls with the relevant business unit and can take place during any stage of the compliance process. Many organizations conduct the gap analysis at the beginning of the compliance process to determine the company’s maturity level.
  • Were corrective and preventive actions identified and implemented?
    The standard adheres to the “Plan-Do-Check-Act” (PDCA) cycle, which helps the organization know how far and how well it has progressed along this cycle. This directly influences the time and cost estimates to achieve compliance. To complete the PDCA cycle, the gaps identified in the internal audit must be addressed by identifying the corrective and preventive controls needed and assessing the company’s compliance based on the gap analysis.
  • Are there mechanisms in place to measure control effectiveness?
    Measuring control effectiveness is one of the latest changes to the standard. According to ISO 27001, organizations must institute metrics to measure the effectiveness of the controls and produce comparable and reproducible results.
  • Is there a management review of the risk assessment and risk treatment plans?
    Risk assessments and risk treatment plans must be reviewed at planned intervals, at least annually, as part of the organization’s ISMS management review.

Tips for ISO 27001 Implementation

1. Decision

Senior management needs to be behind the decision to pursue ISO 27001 certification. There is definite value in communicating this internally, as it reinforces the company’s aspiration to pursue best practice.

What is needed? Concise and positive briefing to senior management outlining benefits and how it provides a platform for business growth.

2. ISO Management Representative

The company appoints a responsible and knowledgeable manager to run the programme and implementation. This person will become the company’s ISO 27001 specialist, understanding the controls and milestones needed towards accreditation.

What is needed? Selection of the right individual with a specific job description and knowledge of ISO and ISMS requirements.

3. Gap Analysis and Risk Assessment

An assessment of risk or a gap analysis is conducted to find out what can go wrong and which threats endanger the Confidentiality, Integrity and Availability of information. This is to understand the maturity of existing controls within the business and to determine the risk profile.

What is needed? The gap analysis followed by a risk assessment of all in scope people, processes and technology performed by a qualified auditor. Understanding the maturity of controls and risk profile.

4. Scope & Implementation Plan

The review of output from the gap analysis allows the business to validate the scope of implementation and the functional / operational boundaries. For each risk identified, appropriate controls are set to manage the risk in a systematic way. This will ensure nothing important is missed. Important milestones, time requirements, and dates for any pre-assessment and staged audits are set.

What is needed? A step by step concise guide to explain the ISO 27001 process in sufficient detail.

5. Employee Introduction

It is important to engage with employees from the beginning to ensure they buy in to the ISO 27001 certification process and respond appropriately, and to help them understand the individual, company and client benefits.

What is needed? A short and easy-to-understand ISO 27001 and security introduction briefing that focuses on how employees are affected and their role in the successful implementation.

6. ISO Documentation, documentation, documentation, documentation!

ISO 27001 certification requires extensive documentation addressing all relevant milestones and individual controls. This forms the criteria the company is measured against to meet the ISO standard.

What is needed? A set of policies, standards and procedures to ensure the business is adhering to all requirements in an efficient and achievable manner.

7. Realisation

With the gap analysis, scope and documentation ready, it is time to put new processes into ‘business as usual’ throughout the company to start realising the many benefits of ISO 27001. At this stage it would be beneficial to conduct a pre-assessment to ensure the company is on the right track and validate the evidence.

What is needed? Pre-assessment forms, checklists and the gathering of evidence. Communication to staff about the revised processes, the need to adopt them fully and report back on what isn’t working.

8. Internal ISO 27001 Audits

ISO 27001 requires an internal audit to assess where the company stands on the milestones and the implementation phase. An auditor will complete documentation assessing the risk, noting controls and remediation to highlight the improvements required.

What is needed? An experienced internal or external auditor. Audit tools that include forms, complete audit checklists and audit reports.

9. ISO 27001 Certification

The most important step is to pass the ISO 27001 certification audit. An independent assessor will issue a certificate stating that the business is meeting the ISO 27001 controls and requirements. The appointed internal representative needs to be confident with the process they have followed and consider how to best interact with the assessor.

What is needed? Employee preparation for the ISO 27001 certification including questions that may be asked and the areas the audit will focus on. An independent assessor from a reputable company.

10. Maintaining the ISO 27001 Certification

It is important to keep the ISO management system working by its integration into daily operations. The business should focus on continual improvement.

What is needed? A reinforcement message to employees. Focus on maintaining the standards through an internal champion. Treat it as an integral component of the business processes and not a one-off project.

What is ISO 27001?

ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organisations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard. ISO/IEC 27001 requires that management:

  • Systematically examines the organisation’s information security risks, taking account of the threats, vulnerabilities, and impacts.
  • Designs and implements a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable.
  • Adopts an overarching management process to ensure that the information security controls continue to meet the organisation’s information security needs on an on-going basis.

Why is ISO 27001 so important and what business benefits does it offer?

The business benefits from ISO 27001 certification are considerable. Not only do the standards help ensure that a business’ security risks are managed cost-effectively, but the adherence to the recognised standards sends a valuable and important message to customers and business partners: this business does things the correct way. ISO 27001 is invaluable for monitoring, reviewing, maintaining and improving a company’s information security management system and will unquestionably give partner organisations and customers greater confidence in the way they interact with your business.

The benefits

  • ISO 27001 is the de facto international standard for Information Security Management
  • It demonstrates a clear commitment to Information Security Management to third parties and stakeholders
  • It can provide a framework to ensure the fulfilment of commercial, contractual and legal responsibilities
  • It provides a significant competitive advantage, and can effectively be a license to trade with companies in certain regulated sectors
  • It provides for inter-operability between organisations or groups within an organisation
  • It can provide compliance with, or certification against, a recognised external standard which can often be used by management to demonstrate due diligence.

Implementing ISO27001: tips and controls

According to the website there are now over 6,000 organisations worldwide that have attained certification against the ISO27001:2005 Information Security Standard. So what are the real business benefits these organisations have seen as a result of implementing ISO27001? Have there been any other benefits apart from those directly associated with information security that have arisen as a result of these projects? And what should others consider before embarking on the journey to implement the ISO27001:2005 information security standard?


What are the key changes in the ISO 27001: 2013 revision, as well as the benefits?

The key benefit of this new ISO 27001 is that it can be more easily implemented in smaller companies – a greater degree of flexibility is allowed, and a smaller number of mandatory documents is needed. For instance, the risk assessment process is simplified, and there are no more requirements to document procedures like internal audit or corrective action.

What are the new security controls and how does the 2013 revision deal with new risks?

First of all, the number of suggested controls in the 2013 revision has actually decreased from 133 to 114 – therefore, it is easier now to find the controls that are really needed for a particular risk. The new controls are these: A.6.1.5 Information security in project management, A.14.2.1 Secure development policy, A.14.2.5 Secure system engineering principles, A.14.2.6 Secure development environment, A.14.2.8 System security testing, A.16.1.4 Assessment of and decision on information security events, and A.17.2.1 Availability of information processing facilities.

How much new mandatory documentation is there, and for certified companies is there lots of work involved in implementing these?

There is actually less documentation required. If a company is already certified against the old 2005 revision of ISO 27001, only about 10-20% of the existing documents will need to be changed, and some of the documents may now be deleted. Therefore, the effort to make this transition to the 2013 revision won’t be too big.

Let’s say you’re talking to a company that hasn’t implemented ISO 27001; how would you explain the benefits of this standard, the implementation program, and how this can help them in the long term?

The most important thing is to make the decision makers (i.e. the top management) interested in this project, because they are the ones who will approve the project or reject it. And to do this you have to find which business benefits could be achieved by implementing information security in your company.

Benefits: (1) compliance – by implementing ISO 27001, a company will comply with all the information security legislation, but also with contractual requirements that clients are enforcing more and more; (2) marketing advantage – companies with this certificate might get some new clients who are looking for this kind of guarantee for the security of their information; (3) decreasing the costs – by implementing ISO 27001, many security incidents will be prevented, and the investment in implementing this standard is usually far less than the cost of remediation of the incidents; and (4) optimizing the business processes – since the standard requires defining exactly who needs to do what, when and how, this means that employees will be spending less time searching for ways to perform their tasks.

Unfortunately, too many IT and security professionals focus on IT benefits instead of focusing on business benefits – but presenting benefits like “We will be more secure,” or even worse, “We will have a nice secondary location,” doesn’t really say anything to the top management about how it will increase their profits, decrease costs, achieve their strategic goals, or limit their business risks.

It sounds like once the initial work is complete, the rules and procedures ISO 27001 puts in place can reduce mistakes and make the IT department’s job easier?

Exactly! The problem is that very often IT professionals see this standard as unnecessary bureaucracy; but in reality, if the rules for using the information technology are clear for everyone in the company, the number of problems related to IT will decrease. This means IT departments will be dealing less with resolving the problems like “Why don’t I see this icon anymore,” and can focus on more strategic things.

What are the benefits of implementing ISO 27001 with other management standards?

If a company has already implemented, e.g., ISO 9001, it will decrease the time required for ISO 27001 implementation by 30% – this is because these two standards have a lot in common and, for instance, some of the documentation written for ISO 9001 can be used for ISO 27001 as well.

But there is one standard that is even more compatible with ISO 27001: the business continuity standard ISO 22301. When implementing ISO 27001, with 10% additional effort a company can implement ISO 22301 too, because these two standards are highly compatible and about 60% of their requirements are the same.


ISO 27001:2013 standard benefits, implementation tips and security controls

How to make a transition from ISO 27001 2005 revision to 2013 revision

Transition steps

The easiest way to make the transition to the 2013 revision is by following these steps:

1) List all interested parties. You should list all your stakeholders (the persons and companies that can influence your information security or can be influenced by it), and their requirements. If you already listed all the statutory, regulatory and contractual requirements according to the old A.15.1.1 control, then you have already done half of your job.

2) Define interfaces in the ISMS scope. According to the 2013 revision, as part of your scope definition you need to identify the interfaces between the activities made by your organization and the activities that are performed by third parties.

3) Align ISMS objectives with the company’s strategy. The 2013 revision requires you to determine whether the information security objectives are compatible with the strategic direction of the company.

4) Changes in the top-level policy. The top-level policy shouldn’t be called “ISMS policy” anymore, but rather “Information security policy.” It doesn’t have to include requirements like alignment with strategic risk management, nor the criteria for evaluation of risk.

5) Make changes to your risk assessment process. First, you need to identify risk owners for each of your risks; second, you don’t need to use the methodology based on identifying the assets, threats and vulnerabilities anymore, so if you wish you can identify your risks in some other (simpler) way; and lastly, you need to identify all the outsourced processes and decide on how to control them – this is best done during the risk assessment process. Accordingly, you need to change both your Risk assessment methodology, and your risk assessment results.

6) Identify status of controls in Statement of Applicability. This is a small change, but significant from an implementation point of view – in the SoA for each control you must indicate whether it has been implemented or not. Of course, you will need to change the structure of the controls in the SoA, as specified in step 11).

7) Obtain approval from risk owners. According to the new revision, you must ask the risk owners to approve your Risk treatment plan and accept your residual information security risks.

8) Plan the communication in a systematic way. You should determine a process for who will communicate to whom, what will be communicated and when. This includes both internal and external parties.

9) Decide what to do with your management procedures. The requirements for preventive actions do not exist anymore (preventive actions basically became a part of the risk assessment process), so you can decide whether to delete that procedure or not; there are no more requirements to keep the remaining management procedures (Document control, Internal audit, Corrective action) documented, so if you wish you can delete those procedures as well, but you must maintain those 3 processes even though they are not documented.

10) Write new policies and procedures. If you haven’t already written the following documents, you will have to do so now because if you selected related controls as applicable, writing a document became mandatory: Secure system engineering principles (control A.14.2.5), Supplier security policy (control A.15.1.1), Incident management procedure (control A.16.1.5), and Business continuity procedures (control A.17.1.2).

11) Reorganize your controls. Annex A got mixed up quite a bit, but essentially most of the old controls remained, while only a handful of new ones appeared: A.6.1.5 Information security in project management, A.14.2.1 Secure development policy, A.14.2.5 Secure system engineering principles, A.14.2.6 Secure development environment, A.14.2.8 System security testing, A.16.1.4 Assessment of and decision on information security events, and A.17.2.1 Availability of information processing facilities.

12) Measurement and reporting. Requirements became much stricter in the 2013 revision: (1) the objectives should be set in a measurable way (if possible) in order to enable easier measurement (clause 6.2 b); (2) all activities to address risks and opportunities must be evaluated (6.1.1 e 2); (3) when planning how to achieve information security objectives, it must be defined how the results will be evaluated (6.2 j); (4) it must be determined what will be monitored and measured, when it will be done, who will do the measuring and who will evaluate the results (9.1); and (5) the responsibilities for the reporting of the ISMS performance must be clearly assigned (5.3 b).
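The SoA rules listed earlier (every selected control is identified, excluded controls must be explained, controls beyond the standard may be added) and step 6 above (each control must state whether it has been implemented) can be checked mechanically. The following is an added example, not code from the original page or from any ISO document; the Annex A table is a constructed subset made of the seven 2013-revision controls named on the page, not the full annex, and the sample SoA entries are constructed.

```python
"""Statement of Applicability (SoA) consistency checker (added example).

Rules encoded, as stated on the page:
  - every Annex A control must be accounted for in the SoA (full review of Annex A);
  - a control that is not selected must carry a justification;
  - controls beyond Annex A may be added (they are reported, not flagged);
  - 2013 revision: each selected control must state its implementation status.
"""
from dataclasses import dataclass

# Constructed subset of Annex A (ISO/IEC 27001:2013), NOT the complete annex.
ANNEX_A = {
    "A.6.1.5": "Information security in project management",
    "A.14.2.1": "Secure development policy",
    "A.14.2.5": "Secure system engineering principles",
    "A.14.2.6": "Secure development environment",
    "A.14.2.8": "System security testing",
    "A.16.1.4": "Assessment of and decision on information security events",
    "A.17.2.1": "Availability of information processing facilities",
}

# Assumed status vocabulary for the demo (the standard does not prescribe one).
VALID_STATUS = {"implemented", "partially implemented", "planned", "not implemented"}


@dataclass
class SoaEntry:
    control_id: str
    applicable: bool
    justification: str = ""  # required when applicable is False
    status: str = ""         # required when applicable is True


def check_soa(entries):
    """Return (control_id, finding) tuples; an empty list means the SoA is consistent."""
    findings = []
    seen = {}
    for e in entries:
        if e.control_id in seen:
            findings.append((e.control_id, "duplicate entry"))
            continue
        seen[e.control_id] = e
        if not e.applicable and not e.justification.strip():
            findings.append((e.control_id, "excluded control lacks a justification"))
        if e.applicable and e.status not in VALID_STATUS:
            findings.append((e.control_id, "selected control lacks an implementation status"))
    # Full review of Annex A: any control absent from the SoA is a coverage gap.
    for cid in ANNEX_A:
        if cid not in seen:
            findings.append((cid, "Annex A control missing from the SoA"))
    return findings


def extra_controls(entries):
    """Controls the organization added beyond Annex A (allowed; listed for the auditor)."""
    return sorted(e.control_id for e in entries if e.control_id not in ANNEX_A)


# Constructed sample SoA with three deliberate defects.
SAMPLE_SOA = [
    SoaEntry("A.6.1.5", True, status="implemented"),
    SoaEntry("A.14.2.1", True, status="partially implemented"),
    SoaEntry("A.14.2.5", True),  # selected but no implementation status
    SoaEntry("A.14.2.6", False, justification="Development outsourced; covered by supplier agreement"),
    SoaEntry("A.14.2.8", False),  # excluded without an explanation
    SoaEntry("A.16.1.4", True, status="planned"),
    # A.17.2.1 deliberately omitted: the Annex A review should catch it
    SoaEntry("ORG-01", True, status="implemented"),  # hypothetical organization-specific control
]

if __name__ == "__main__":
    for cid, msg in check_soa(SAMPLE_SOA):
        print(f"{cid}: {msg}")
    print("controls beyond Annex A:", extra_controls(SAMPLE_SOA))
```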

ISO 27001:2005 ISMS Implementation Checklist

The purposes for this implementation / interview checklist are to:

a) Gauge the level of compliance to ISO 27001:2005 Information Security Management System – Requirements by your group / department / division

b) Facilitate the provision of information necessary for ISO 27001:2005 implementation

c) Serve as training material for understanding the ISO 27001:2005 requirements
