ISO 27001:

The Path to
Certification (Part 2)
Understanding the ISO 27001
Framework

Bottom Line Up Front

Cybersecurity is a business problem impacting the
livelihoods of companies and their owners. As a result,
Leadership must take steps to proactively mature their
information security posture and articulate their
security posture to current and prospective customers.
A great place to begin maturing your security
environment is through the implementation of a
security framework such as ISO 27001. If you are
considering program implementation, this three-part
whitepaper series will provide all the information you
need to make an educated decision on ISO 27001
adoption.
This Whitepaper Series Includes:
Part 1: Will present a business case which outlines why
organizations should consider ISO 27001 certification
from business perspective (Read it Here)
Part 2: Will cover the essential elements of the ISO
27001 Framework (This Whitepaper)
Contents
ISO 27001 Framework Elements .................................2
ISO 27001 Clauses 4-10 .............................................. 2
ISO 27001 Annex A (Control Framework)................... 2
ISO 27001 Explained in Detail .....................................3
ISMS: Essential Elements (Clauses 4-10) .................... 3
Governance (Clauses 4 and 5) ................................ 4
Risk Management (Clause 6 and 8) ........................ 4
Strategic Planning (Clauses 6, 7, and 8) .................. 5
Internal Audit and Performance Monitoring (Clause
9 and 10) ................................................................. 5
Annex A Controls ........................................................ 6
Controls and Self-Assessment Questions ............... 6
The Certification Process ............................................9

Part 3: Will cover the ISO 27001 certification process

from start to finish

ISO 27001: The Path to Certification | Page 1

ISO 27001 Framework Elements
Before we begin dissecting the ISO 27001 framework, it
is important that we establish a common understanding
of ISO 27001’s core elements.
ISO 27001 is an internationally recognized information
security standard that is comprised of 10 clauses, 14
categories, 35 control objectives, and 114 controls.
Companies may choose to align to ISO 27001 as part of
security best practices and/or choose to pursue ISO
27001 certificaiton.
Clauses 4-10 are typically referred to as the Information
Security Management System, while the 114 control
requirements are called “Annex A.”
ISO 27001 Clauses 4-10
When most people think of ISO 27001, they
immediately consider the 114 controls that make up ISO
27001’s Annex A. Often ignored, however, is Clauses 4-
10. These clauses are the core of ISO 27001 and
establish the system of management necessary to build
and maintain an effective information security program.
If you are considering ISO 27001 certification, clauses 4-
10 are the main focus of the audit.
4 Context of the organization - understanding the
organizational context, the needs and expectations of
‘interested parties’ and defining the scope of the ISMS.
5 Leadership - top management must demonstrate
leadership and commitment to the ISMS, mandate
policy, and assign information security roles,
responsibilities and authorities.
6 Planning - outlines the process to identify, analyze
and plan to treat information risks, and clarify the
objectives of information security. This is the first clause
that requires a risk assessment.
7 Support - adequate, competent resources must be
assigned and awareness raised.
8 Operation - a bit more detail about assessing and
treating information risks, managing changes, and
documenting requirements.
9 Performance evaluation - monitor, measure, analyze
and evaluate/audit/review the information security
controls, processes and management system,
systematically improving things where necessary. This is
where ISO requires an independent audit of the ISMS.
10 Improvement - address the findings of audits and
reviews (e.g. nonconformities and corrective actions),
make continual refinements to the ISMS.
ISO 27001 Annex A (Control Framework)
This is the section that outlines the 14 categories, 35
control objectives and 114 controls. You may refer to
ISO/IEC 27002 for further detail on the controls,
including implementation guidance.
A.5 Information Security Policies – Defines
requirements for policies and procedures.
A.6 Organization of Information Security – Defines
requirements for roles and responsibilities.
A.7 Human Resource Security – Defines requirements
for pre-employment, during employment, and
termination.
A.8 Asset Management – Defines requirements for
inventory, ownership, and use of assets.
A.9 Access Control – Defines requirements for user
access management throughout the user lifecycle.
A.10 Cryptography – Defines requirements for
cryptographic controls and key management.
A.11 Physical and Environment Security
A.12 Operations Security – Defines requirements for
security operations such as system security, backup,
logging, malware, and vulnerability management.
A.13 Communications Security – Defines requirements
for network security and information transfer.
A.14 System Acquisition, Development and
Maintenance – Defines requirements for security in the
system development and change management lifecycle.
A.15 Supplier Relationships – Defines requirements for
security as related to vendors.
ISO 27001: The Path to Certification | Page 2
A.16 Informaiton Security Incident Management – ISMS can be daunting and confusing. Thus, it is helpful
Defines requirements for management of security to think about these requirements as being a part of
incidents. one of four categories: Governance, Risk Management,
Strategic Planning, and Performance Monitoring.
A.17 Information Security Aspects of Business
Continuity Management – Defines requirements for 1) Governance
information security continuity and redundancies.
Governance includes establishing leadership and
A.18 Compliance – Defines requirements for legal and ownership of security, defining roles on the
contractual requirements. organizational chart, authoring and implementing
policies and procedures related to information security,
ISO 27001 Explained in Detail and ensuring appropriate resources are available to
support the security program. Governance is a key
In this section we will explore the essential elements of element of clauses 4-10 of ISO 27001 and especially
ISO 27001 including the “ISMS” and “Annex A” controls. relevant to clauses 4 “Context” and 5 “Leadership.”

2) Risk Assessment/Risk Management

Governance (Clauses 4 and 5)
Information Security Management System

(Leadership, Roles, Policies, Procedure, People) Risk management is an essential element of establishing
a process to identify, analyze, and treat risks. A risk
(ISMS) (Clauses 4-10)

Risk Assessment (Clauses 6 and 8)
(Provides context, drives decision making, drives planning)
Strategic Planning (Clauses 6, 7, 8)
(Plan for Information Security, Key Performance Indicators,
Communication Plans.)
Internal Audit/Performance Monitoring (Clause 9 and 10)
(Management Visibility, Drives Continuous Improvement)
Annex A:
(114 Controls – Reference ISO 27002)
management program should grant authorization and
authority of those individuals responsible for
information security (often called the information risk
council, or similar).
A formalized risk assessment is the process which helps
leadership identify key risks, prioritize resources and
controls, and align the security program with business
objectives. Risk assessment and risk management are
directly linked to clauses 6 “Planning” and 8
“Operation.”

3) Strategic Planning
ISMS: Essential Elements (Clauses 4-10)
The strategic plan defines how the security program will
As a philosophical point, ISO 27001 establishes a system be tactically implemented. It is typically a 12-month
of management (hence the term information security outlook on the initiatives that comprise the security
management system or ISMS) that empowers program. It typically includes key projects, security
management to establish, implement, govern, and program improvements, people, budgets, a
continuously improve the information security communication plan, and key performance indicators
environment. This, in short, is the ISMS. (measurables) required to execute on the information
security program.
There are many elements of a functional ISMS that
must be implemented in order to satisfy ISO 27001 Strategic planning is most closely tied to clause 6.2, but
certification requirements. These requirements are is especially relevant to clauses 6 “Planning,” 7
described in Clauses 4-10 of ISO 27001. “Support,” and 8 “Operation.”

For those unfamiliar with ISO 27001, reading through 4) Internal Audit/Performance Monitoring
these clauses for the first time and trying to understand
Internal audit is the mechanism by which management
the scope of what needs to be done to implement an
gains visibility into the information security program,

ISO 27001: The Path to Certification | Page 3

identifies areas for improvement, and drives continuous
improvement. The internal audit function must be
independent from the security program and qualified to
do an effective audit. Internal audit and continuous
improvement are key elements of clause 9
“Performance Evaluation” and 10 “Improvement.”
Now that we have a basic understanding of the ISMS,
we will discuss these areas at length and map them
back to their specific clauses within ISO 27001’s ISMS
(Clauses 4-10). We will also outline the specific
documents you will need to create to support ISO
27001 certification efforts.
Governance (Clauses 4 and 5)
Establishing an effective governance structure that
supports information security program objectives is an
essential element of the ISMS, primarily outlined in
clauses 4 and 5 of ISO 27001.
1) Scope and Context (Clause 4)
The organization should articulate the scope and
boundaries of the ISMS including relevant people,
processes, technologies, locations, and interested
parties. (See sections 4.1-4.4 in the ISO 27001 standard)
2) Leadership and Policy (Clause 5)
Clause 5’s primary concern is top level leadership’s
commitment to continuous improve of the information
security program. In addition, the clause lays out the
requirement for leadership involvement (clause 5.1),
defined policies which articulate management’s intent
(clause 5.2), and defined roles, responsibilities, and
granted authorities (clause 5.3).
At more than 20% per year, North
America has the largest growth rate of
ISO 27001 certifications in the world.
ISO 27001 has become table stakes to
show clients we take security seriously.
-CEO, US Based Technology Company
Document Checklist | Governance
+ ISMS Document – this document contains the
context, requirements, and scope of the
organizations ISMS and aligns with Clauses 4-10.
+ Information Security Policy(s) – The master security
policy or a base security policy with derivative
policies on specific topics such as access control,
cryptographic controls, and change management.
+ Statement of Applicability (SoA) – identifies the
security controls to be included in the ISMS, justifies
the choice of included controls and whether they
are implemented or not, and justifies the excluded
controls from Annex A.
Risk Management (Clause 6 and 8)
The Risk Management workstream helps the
organization establish a defined risk identification,
intake, and analysis process and satisfies elements of
clauses 6 and 8 of ISO 27001.
1) Opportunities, Risk Assessment and Risk
Treatment (Clauses 6.1, 8.2, and 8.3)
The risk management process is the Company’s
formalized approach to risk identification, risk
measurement, risk treatment, and risk acceptance. It is
important that the organization establish a formal risk
management office (often called the information risk
council (IRC)), complete a formal risk assessment
process, and maintain a formal log of identified risks
which are communicated formally to the IRC.
Authoritative Guidance
Executing an effective risk assessment is complex (and
merits a separate whitepaper); however, there are
several accompanying standards that you should
familiarize yourself with to implement a risk
management program.
• ISO 31000 Enterprise Risk Management
• ISO 27005 is an adaption of the ISO 31000
framework for Information Security. ISO 27005
explains in detail how to conduct a risk assessment
and is also aligned with ISO 27001 requirements.
ISO 27001: The Path to Certification | Page 4

Document Checklist | Risk Management
+ Risk Management Charter – Established the
information risk council and grants this office the
authority and responsibility to measure and treat
identify risks.
+ Risk Management Policy – Policy that outlines
management expectations related to risk
management and risk assessment process.
+ Risk Assessment Report – Report outlining the
results of the risk assessment.
+ Risk Register – Formal log of identified risk.
Strategic Planning (Clauses 6, 7, and 8)
The goal of the security program strategic plan is to
layout program priorities for the next 12 months. The
strategic plan should consider all elements of the ISMS
including the context of the organization, results of the
risk assessment, and overall business objectives. The
strategic plan should also consider resources that will
be required to execute the plan, including personnel
and budget.
Objectives and Planning (Clause 6.2)
Clause 6.2 requires that an organization establish
formalized “security objectives” and plans to achieve
those objectives. The security objectives should be in
alignment with the business’s goals.
1) Support (Clause 7.1)
Clause 7.1 requires that an organization “determine and
provide resources” needed to establish, implement,
maintenance, and continue to improve the information
security program. The term “resources” includes both
personnel and budget.
2) Operational planning (Clause 8.1)
Clause 8.1 reemphasizes the requirements outlined in
clause 6.2, but adds that the organization must have
established mechanisms in place “to have confidence
that the processes have been carried out as planned.”
Most commonly, organizations satisfy this requirement
by implementing agreed-upon key performance
indicators (KPIs) and regular communication cadences
including status reports and formalized status meetings.
Document Checklist | Strategic Planning
+ Program Roadmap – Project plan outlining what
you are going to do, when you plan to do it, and
who will execute.
+ Security Program Resource Plan – The resource
plan should include budget for personnel, toolsets,
implementations, etc.
+ Key Performance Indicators (KPIs) – Defined
measurables tied to program success indicators.
+ Communication Plan – Plan to communicate with
key stakeholders including status reporting and
meeting cadences.
Internal Audit and Performance Monitoring (Clause
9 and 10)
Understanding that no program is perfect or stagnant,
ISO 27001 emphasizes Management’s commitment to
continuous improvement. As a result, ISO 27001
requires that management measure the program on a
periodic basis and take actions to improve the program
based on the results. On key element of measuring the
security program is internal audit.
The Internal Audit workstream satisfies clause 9.2 and
requires that the internal audit function is formally
defined and authorized to carry out assessments. ISO
27001 requires that the internal audit function have:
“Specified responsibilities; establish independence,
objectivity, and impartiality of the internal audit
function; a defined internal audit plan of audit activities;
allocated resources; defined audit procedures; executed
audit activities; report on audit findings; and
nonconformity follow-up activities.”
Included in the internal audit activities is the testing of
the ISMS to include clauses 4-10 and the Annex A
controls. Since not all organizations have an
independent, objective, and impartial internal audit
function capable of auditing the ISMS, organizations
may leverage third party assessors to execute internal
audit activities.
ISO 27001: The Path to Certification | Page 5

Document Checklist | Internal Audit and
Performance Monitoring
+ Internal Audit Policy – Policy that defines the roles,
responsibilities, authority, and process that governs
internal audit. The policy should define auditor
qualifications and methodology.
+ Internal Audit Plan – The internal audit plan should
be a 3-year plan (in alignment with the 3-year ISO
27001 certification). The plan must be “risk based”
and include the entirety of the ISMS Scope.
+ Internal Audit Report – Results of the annual
internal audit in line with the Internal Audit plan.
+ Management Action Plans – Management
commitments as a result of any internal audit
findings.
In summary, the foundation of the ISMS is top level
Management’s ability to control and continuously
improve the security program in alignment with
identified risks and opportunities. Next, we will take a
deeper look into the 114 controls that comprise Annex
A and consider a few self-assessment questions that
may provide insight into your current alignment with
ISO 27001 requirements.
Annex A Controls
Controls and Self-Assessment Questions
ISO 27001 Annex A is the section that outlines the 14
categories, 35 control objectives and 114 controls
companies should consider alignment with. You may
refer to ISO/IEC 27002 for further detail on the controls,
including implementation guidance.
Below we will outline each category and suggest a few
questions you may consider to assess your ability to
align to the framework.
A.5 Information Security Policies – Defines
requirements for policies and procedures.
Sample Questions to Consider:
• Do Security policies exist?
• Are all policies approved by management?
• Are policies properly communicated to employees?
• Are security policies subject to review?
• Are the reviews conducted at regular intervals?
• Are reviews conducted when circumstances
change?
A.6 Organization of Information Security – Defines
requirements for roles and responsibilities.
Sample Questions to Consider:
• Are responsibilities for the protection of individual
assets clearly identified and defined and
communicated to the relevant parties?
• Do all projects go through some form of
information security assessment?
• Does a mobile device policy exist?
• Is there a set process for remote workers to get
access?
A.7 Human Resource Security – Defines requirements
for pre-employment, during employment, and
termination.
Sample Questions to Consider:
• Are background verification checks carried out on
all new candidates for employment?
• Are all employees, contractors and third party users
asked to sign confidentiality and non-disclosure
agreements?
• Are managers (of all levels) engaged in driving
security within the business?
• Do all employees, contractors and 3rd party users
undergo regular security awareness training
appropriate to their role and function within the
organization?
• Is there a documented process for terminating or
changing employment duties?
A.8 Asset Management – Defines requirements for
inventory, ownership, and use of assets.
Sample Questions to Consider:
• Is there an inventory of all information and physical
IT assets?
• Is the inventory accurate and kept up to date?
• Is there a policy governing information
classification?
ISO 27001: The Path to Certification | Page 6
• Is there a process by which all information can be
appropriately classified?
• Is there a policy governing removable media?
• Is there a physical media transfer policy?
• Is media in transport protected against
unauthorized access, misuse or corruption?
A.9 Access Control – Defines requirements for user
access management throughout the user lifecycle.
Sample Questions to Consider:
• Is there a documented access control policy?
• Is access to all systems limited based on the
principle of lease priviledge?
• Is there a formal provisioning and deprovisioning
process?
• Are privileged access accounts separately managed
and controlled?
• Is there a formal management process in place to
control allocation of secret authentication
information?
• Do you perform periodic user access reviews?
• Are complex passwords required?
• Are privilege utility programs restricted and
monitored?
• Is access to the source code of the Access Control
System protected?
A.10 Cryptography – Defines requirements fo
cryptographic controls and key management.
Sample Questions to Consider:
• Is there a policy on the use of cryptographic
controls?
• Is there a cryptographic key management policy?
A.11 Physical and Environment Security
Sample Questions to Consider:
• Are sensitive or critical information areas
segregated and appropriately controlled?
• Do secure areas have suitable entry control systems
to ensure only authorized personnel have access?
• Are environmental hazards identified and
considered when equipment locations are selected?
• Is there a UPS system or back up generator?
• Is there a rigorous equipment maintenance
schedule?
• Is there a process controlling how assets are
removed from site?
• Does the organization have a policy around how
unattended equipment should be protected?
A.12 Operations Security – Defines requirements for
security operations such as system security, backup,
logging, malware, and vulnerability management.
Sample Questions to Consider:
• Is there a controlled change management process in
place?
• Is there a capacity management process in place?
• Does the organization enforce segregation of
development, test and operational environments?
• Are processes to detect malware in place?
• Is there an agreed backup policy?
• Are appropriate event logs maintained and regularly
reviewed?
• Are sysadmin / sysop logs maintained, protected
and regularly reviewed?
• Is there a vulnerability management program?
• Is there a process to risk assess and react to any
new vulnerabilities as they are discovered?
• Do you perform penetration tests?
A.13 Communications Security – Define requirements
for network security and information transfer.
Sample Questions to Consider:
• Is there a network management process in place?
• Does the organization implement a risk
management approach which identifies all network
services and service agreements?
• Is security mandated in agreements and contracts
with service providers (in house and outsourced)?
• Are security related SLAs mandated?
• Does the network topology enforce segregation of
networks for different tasks?
• Do organizational policies govern how information
is transferred?
• Are relevant technical controls in place to prevent
non-authorized forms of data transfer?
ISO 27001: The Path to Certification | Page 7
• Do contracts with external parties and agreements
within the organization detail the requirements for
securing business information in transfer?
• Do security policies cover the use of information
transfer while using electronic messaging systems?
A.14 System Acquisition, Development and
Maintenance – Defines requirements for security in the
system development and change management lifecycle.
Sample Questions to Consider:
• Are information security requirements specified
when new systems are introduced?
• Are controls in place to prevent incomplete
transmission, misrouting, unauthorized message
alteration, unauthorized disclosure, unauthorized
message duplication or replay attacks?
• Are there policies mandating the implementation
and assessment of security controls?
• Is there a formal change control process?
• Is there a policy in place which mandates when and
how software packages can be changed or
modified?
• Do all projects utilize the secure development
environment appropriately during the system
development lifecycle?
• Where systems or applications are developed, are
they security tested as part of the development
process?
A.15 Supplier Relationships – Defines requirements for
security as related to vendors.
Sample Questions to Consider:
• Is information security included in contracts
established with suppliers and service providers?
• Is there an organization-wide risk management
approach to supplier relationships?
• Are suppliers provided with documented security
requirements?
• Is supplier access to information assets &
infrastructure controlled and monitored?
• Are suppliers subject to regular review and audit?
A.16 Informaiton Security Incident Management –
Defines requirements for management of security
incidents.
Sample Questions to Consider:
• Are management responsibilities clearly identified
and documented in the incident management
processes?
• Is there a process for reviewing and acting on
reported information security events?
• Is there a process for reporting of identified
information security weaknesses?
• Is there a process to ensure information security
events are properly assessed and classified?
• Is there a forensic readiness policy?
A.17 Information Security Aspects of Business
Continuity Management – Defines requirements for
information security continuity and redundancies.
Sample Questions to Consider:
• Do BCP/DR Policies exist?
• Do you perform a BIA?
• Do you perform BCP/DR testing?
• Are systems reduandant to ensure availability?
A.18 Compliance – Defines requirements for legal and
contractual requirements.
Sample Questions to Consider:
• Has the organization identified and documented all
relevant legislative, regulatory or contractual
requirements related to security?
• Does the organization keep a record of all
intellectual property rights and use of proprietary
software products?
• Does the organization monitor for the use of
unlicensed software?
• Are records protected from loss, destruction,
falsification and unauthorized access or release in
accordance with legislative, regulatory, contractual
and business requirements?
• Is personal data protected in accordance with
relevant legislation?
• Are cryptographic controls protected in accordance
with all relevant agreements, legislation and
regulations?
• Is the organizations approach to managing
information security subject to regular independent
review?
ISO 27001: The Path to Certification | Page 8
• Is the implementation of security controls subject to
regular independent review?
• Does the organization regularly conduct technical
compliance reviews of its information systems?
Authoritative Guidance
ISO 27001 is accompanied by ISO 27002 which provides
detailed implementation guidance for the 114 controls.
Annex A Controls | Did you Know?
Did you know that you can achieve ISO 27001
certification even if some controls are not currently
implemented? It is a common myth (and often costly)
that all controls must be implemented. Contact a
professional to learn more about the nuances to ISO
27001 implementation and how to achieve certification.
The Certification Process
If you are considering ISO 27001 certification and would
like to understand the process in detail check out Part 3
in our whitepaper series where we cover the ISO 27001
certification process in detail.
If you would like assistance with guided implementation
and certification, risk3sixty can help. Following
risk3sixty’s guided implementation process, our clients
have 100% ISO 27001 certification success rate. We can
assist with every step of the project from complete
implementation, auditor selection, and working directly
with the auditor during the certification process.
✓ 100% Certification Success Rate
✓ 100% three-year client retention
✓ Our clients consistently report 50% faster
implementation
✓ Supported by a complete team of security and
compliance experts
✓ Leveraging our audit workflow platform Phalanx, we
save our clients an average of 50% over attempting
to implement ISO 27001 without assistance
✓ Our firm is peer reviewed for rigorous quality
standards by an independent CPA firm (read our
results here).
Let’s Get Started
Contact a Professional
Christian Hyatt, Managing Director
CISA | CISM | ISO 27001 Lead Auditor | PCI QSA
Christian.Hyatt@risk3sixty.com
404.333.1669
Christian White, Managing Director
CISA | CRISC | PCI QSA | ISO 27001 Lead Implementer
Christian.White@risk3sixty.com
770.289.3505
risk3sixty
IT Audit | Cyber Risk | Compliance Advisory
Risk3sixty, LLC, is an Atlanta-based Information Risk
Management (IRM) advisory firm focused on IT audit,
Cyber Risk, and compliance consulting and software
solutions.
Our management-level consulting team leverages deep
industry experience and unique technology solutions to
enhance risk visibility, reduce the burdens of
compliance, and create actionable programs which
enable executives and their management teams to
make better decisions.
Phalanx
Manage Security and Compliance in One Platform
From vulnerability scanning, to policy curation, team
collaboration, audits, and assessments - manage your
entire security and compliance program in a single
platform.
✓ Simple and Fast Implementation
✓ One-Click Compliance Reporting
✓ Quickly Assess Risk with Asset Labeling
✓ Complete Team Collaboration
✓ Project Management to Vulnerability Closure
✓ Automated Scan and Rescan to Validate Issue Closure
✓ Management-Level KPIs and Progress Reporting
✓ Customized Workflow.
✓ ISO 27001, SOC 2, GDPR, PCI DSS, and more!
ISO 27001: The Path to Certification | Page 9