What are the requirements of ISO 27001?

ISO 27001 is the international standard for an Information Security Management system, but what is the meaning behind the number?

This post will give you a brief overview of ISO 27001 Requirements, and some advice on the easiest way to implement ISO 27001.

What does ISO 27001 Mean?

In our previous blog: What is ISO 27001? we discussed the basics and advised you to purchase the ISO 27001 document online to take a look at the requirements.

In this blog we will take a slightly deeper look at some of the requirements.

ISO 27001 Management Framework

The first thing you will notice when you purchase a copy of ISO 27001 is the clause structure. There are 10 Main clauses, followed by Annex A, which contains a list of Controls.

The 10 main clauses follow ISO’s High-Level Common Clause Structure, known as Annex SL. This means that is you have knowledge of other ISO standards, or add them afterwards, it is easy to integrate standards together.

However, if this is you first ISO Standard, let’s start at the beginning. The first 10 clauses set out a management framework focused on continual improvement.

In previous ISO standards this was aligned to Deming’s “Plan, Do, Check, Act” (PDCA) cycle. Now, while this theory can still be applied, the standard is not explicit in stating this example.

Let’s break down the clauses:

Good News!

Clauses 0-3 cover some housekeeping about the ISO 27001 document itself, so while you should be aware of them, there is no need to document anything.

Introduction – Provides introductory text to the document.
Scope – Confirms the purpose of the ISO document.
Normative References – Discusses related standards, in this case ISO 27000 (see below).
Terms & Definitions – Confirms the means of particular terms used in the standard. In this case, the clause refers back to ISO 27000 which provides a glossary of terms.

Starting the Real ISO 27001 Work

All the Activity Starts at Clause 4 as follows:

Clause 4 – Context of the Organisation, including defining the scope of your ISMS and considering Internal and External Interested Parties.

Clause 5 – Leadership, a renewed focus on your management system being supported from the top and implemented at every level of the organisation. Clause 5 includes assigning roles and responsibilities; and the Information Security Policy Statement.

Clause 6 – Planning, known best for the risks and opportunities section which requires consideration of the Confidentiality, Integrity and Availability threats to your information. 6.2 requires Information Security Objectives to be set.

Clause 7 – Support, takes care of some housekeeping tasks including competency, awareness and documented information. These are common requirements across Annex SL based standards.

Clause 8 – Operation, in most standards clause 8 contains the bulk of the standard’s unique requirements, HOWEVER, the majority of ISO 27001 Requirements are addressed through the risk management process which is defined earlier in clause 6 and is supported through the 114 controls and control objectives set out in Annex A. Most other standards do not have such a directive annex.

Clause 9 – Performance Evaluation, The standard moves in to Deming’s ‘Check’ stage as requirements for Monitoring, Measurement, analysis & evaluation go along side Internal Audit and Management Review.

Clause 10 – Improvement, the final part of the framework which can be demonstrated throughout your work in earlier clauses.

What are the Annex A Requirements?

Unlike many other ISO Standards, ISO 27001:2022 provides 93 controls and control objectives which can be used to manage the risks identified in clause 6, or just for peace of mind.

Annex A is split into 4 sections from A5 to A8. This odd numbering system has been inherited from previous standards where the controls were first defined.

Information Security is not just I.T Security

As you will see below, the controls cover a variety of business areas, which means you should consider the people resources you need from different areas of the business in order to effectively implement controls

A.5 Organisational Controls

A.6 People Controls

A.7 Physical Controls

A.8 Technological Controls

Excluding Annex A Controls

You do not have to apply every control.

However, if you do exclude a control there must be a justified reason. Reasons for both inclusion and exclusion must be documented within the Statement of Applicability (SOA) document, as required in Clause 6 of the Standard.

Often the majority of Annex A controls are applied.

Where to Start with ISO 27001 Implementation?

The scale and structure of ISO 27001 can be daunting but ISO Consultants like Assent are here to help.

We have online ISO project management software which can break up the implementation process in to stages.

Many customers also find our Gap, App & Wrap approach an efficient way of implementing ISO 27001.

And while ISO 27001 Certification is not mandatory [according to the standard itself], most companies see the real value being within the UKAS Accredited Certification marks following an external audit of the system.

Finally, although it is not just an I.T Security standard, technology plays an important part in ISO 27001 Requirements, and organisations can benefit from other cyber security activities such as Simulated Phishing Tests.

5 Advantages of ISO 27001

_____________________________________________

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
CONSENT	16 years 3 months 23 days 8 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	These cookies are set via embedded youtube-videos.
yt-remote-device-id	never	These cookies are set via embedded youtube-videos.