Research on ISO 27001

1. Introduction
The most important asset of any organization is its information. Hence, the main concern
for an organization should be providing security for those valuable assets. Information
security is a fundamental responsibility of any small or large-scale organization in order to
achieve its objectives effectively. In order to provide information security, organizations
follow certain standards and their frameworks. ISO (International Organization for
Standardization) is an independent, non-governmental organization which develops
standards to ensure the quality, safety and efficiency of products, services and systems
(Wilber, 2020). Many industries follow ISO standards, and information security is one of
the areas they cover.

Almost every organization, small or large, is connected to the internet; hence, the risk
associated with cyber-attacks and data breaches continues to increase. An effective
approach should help defend against both internal and external threats. ISO 27001 is the
international standard that provides the specification for an information security
management system (ISMS). It provides a model and detailed specification for reducing
an organization's exposure to information security risks. ISO 27001 is part of the ISO/IEC
27000 series. The main objective of ISO 27001 is to help organizations in any industry
protect their information in a systematic and cost-effective way by implementing an
information security management system (ISMS). It is the best approach for helping an
organization manage its people, processes and technology.

2. History
The first standard for information security was published in 1995 as BS7799. After
revision, this document was accepted as the international standard for information
security management. Various parts of this standard were published in later years. The
second part of BS7799 was published in 1999, and this became ISO/IEC 27001:2005.
BS7799 was adopted by ISO as ISO/IEC 27001 in November 2005. The version of the
ISMS standard currently in use is ISO 27001:2013.

3. Requirements for ISO 27001

Organizations that want to be compliant with this standard must meet the
requirements stated in ISO 27001 clauses 4 to 10. The standard has ten clauses in
total, but only clauses 4 to 10 contain mandatory requirements.

4. Context of the organization

The organization shall determine the external and internal issues that affect its ability to
achieve the intended outcomes of its ISMS. The organization shall determine the
interested parties that are relevant to the information security management system;
this may include legal and regulatory requirements. The organization shall also
determine the scope of the ISMS. Lastly, the organization shall establish, implement,
maintain and continually improve the ISMS in accordance with the requirements of the
standard.

5. Leadership

Top management shall demonstrate leadership and commitment with respect to the
ISMS. They shall establish an information security policy. Top management shall also
ensure that the responsibilities and authorities for the relevant roles are assigned.

6. Planning

The organization shall define its risk assessment and risk treatment processes, produce
a statement of applicability and a risk treatment plan, and set its information security
objectives.

7. Support

The organization shall determine and provide the resources needed for the
establishment, implementation, maintenance and continual improvement of the
information security management system. Individuals working for the organization shall
be aware of the information security policy and the ISMS. The organization's ISMS shall
also define requirements for competence, awareness, communication and the control
of documents and records.

8. Operation

The organization shall plan and implement risk assessment and risk treatment, as well
as the controls and other processes needed to achieve its information security
objectives.

9. Performance evaluation

The organization shall define requirements for monitoring, measurement, analysis,
evaluation, internal audit and management review.

10. Improvement

The organization shall define the requirements for handling nonconformities, corrections,
corrective actions and continual improvement.

4. Domains of ISO 27001
Annex A of ISO 27001:2013 lists 114 controls in 14 groups and 35 control categories;
the 2005 edition of the standard had 133 controls in 11 groups.

• A.5: Information security policies (2 controls)
• A.6: Organization of information security (7 controls)
• A.7: Human resource security (6 controls, applied before, during and after
employment)
• A.8: Asset management (10 controls)
• A.9: Access control (14 controls)
• A.10: Cryptography (2 controls)
• A.11: Physical and environmental security (15 controls)
• A.12: Operations security (14 controls)
• A.13: Communications security (7 controls)
• A.14: System acquisition, development and maintenance (13 controls)
• A.15: Supplier relationships (5 controls)
• A.16: Information security incident management (7 controls)
• A.17: Information security aspects of business continuity management (4 controls)
• A.18: Compliance, with internal requirements such as policies and with external
requirements such as laws (8 controls)