What is ISO?
ISO stands for the International Organization for Standardization. The ISO is a non-governmental, federation of bodies that develop the commercial quality and risk management international standards for over 150 countries.
ISO standards cover policies, processes, and procedures for topics sectors such as scientific testing protocols, technology development, labor conditions, and more.
Overview of ISO 27001 & 27002
The ISO 27001 is a standard and certification on how an organization can best manage its information security program. It includes policies, procedures and controls.
The ISO 27002 standard is supplementary to ISO 27001 and outlines 12 main sections for organizations to implement ISO 27001. While 27001 is a leaner, 30-page document, 27002 is far more in-depth at 90+ pages.
Furthermore, while organizations can obtain certification for ISO 27001, they can not achieve certification for ISO 27002 because 27002 isn’t a management standard but rather a supplement to 27001.
What are the requirements of ISO 27001?
The most critical components of ISO 27001 center around:
- Scoping your information security management system (ISMS);
- Conducting a risk assessment; and
- Designing a risk treatment plan.
ISO 27001 details a number of important actions to take toward obtaining certification including:
- Creating an information security policy and objectives
- Creating information risk treatment protocols
- Creating an overall risk treatment plan
- Documenting a risk assessment report
- Documenting training, required skills, and qualifications for employees
- Measuring and monitoring results
- Designing an internal audit program
- Documenting the result of internal audits
- Documenting management review of internal audit
- Documenting corrective actions taken
There are also an additional 14 controls referred to as Annex A, that may or may not apply depending on the controls you design for your organization. Those include:
- Defining security roles and responsibilities (A.7.1.2 and A.13.2.4)
- Taking an inventory of assets (A.8.1.1)
- Defining acceptable use of assets (A.8.1.3)
- Creating an access control policy (A.9.1.1)
- Defining operating procedures for IT management (A.12.1.1)
- Defining secure system engineering principles (A.14.2.5)
- Defining a supply chain security policy (A.15.1.1)
- Creating an incident management procedure (A.16.1.5)
- Creating a business continuity plan (A.17.1.2)
- Defining statutory, regulatory and contractual requirements (A.18.1.1)
- Creating logs of user activities, security events, and exceptions (A.12.4.1 and A.12.4.3)
Who does ISO 27001 affect?
ISO 27001 applies to organizations across all industries, and provides a framework for how they should manage their data securely. Furthermore, ISO 27001 can be modified depending on the unique information security risks facing your organization.
While it applies to all organizations that handle sensitive data, ISO 27001 is most typically used in the following industries and verticals:
- Information Technology
- Insurance companies
- Banks, brokerages, and other financial institutions
- Government agencies
How to become certified in ISO 27001 & 27002
The following can serve as a general guide to help you obtain ISO 27001 certification.
- Create a compliance program.
It’s important to give compliance the due diligence it deserves. This means allocating a team and resources to understand your compliance requirements, perform a risk assessment, and audit your business systems and processes to uncover potential compliance issues.
- Determine the scope ISO 27001 ISMS Program.
In addition to your compliance program, you will also be required to undergo an ISO audit if you plan to achieve certification for ISO 27001. This will require planning to ensure you have met all the necessary requirements prior to your audit. Audits can be costly so your organization should be properly prepared to avoid any potential recertification costs.
- Have an internal audit prior to your official ISO audit.
To make your official audit go as seamlessly as possible, it’s best to conduct an internal audit first to double-check that you’ve met all the appropriate requirements, and if not, apply mitigation before it’s caught in your external audit. Furthermore, continuous internal audits are a good measure to ensure continual improvement over time.
- Document your compliance program, your controls, and any mitigation you’ve done.
Compliance documentation is a heavy and critical element of your ISO 27001 audit. Thus, any of your controls, compliance measures, risk assessment results, and remediation of issues should be documented to facilitate a better certification audit.
Key Takeaways
- The ISO is a non-governmental, global federation of bodies that develop risk management and quality standards for over 150 countries.
- ISO 27001 outlines a framework for a modern information security management program and guidance for organizations to protect their data.
- ISO 27002 supplements ISO 27001 with guidelines for the controls an organization will require to implement a successful ISMS.
- Organizations can achieve certification for ISO 27001 but not 27002.