
ISO/IEC 27001:2013

Information technology — Security techniques — Information security management systems — Requirements

April 2020

ISO/IEC 27001:2013 — Information security management systems

• ISO 27001 is an international standard published by the International Organization for Standardization (ISO), and it describes how to manage information security in a company.
• ISO/IEC 27001:2013 is the latest revision of this standard. The first revision of the standard was published in 2005, and it was developed based on the British standard BS 7799-2.
• ISO 27001 can be implemented in any kind of organization, profit or non-profit, private or state-owned, small or large.
• ISO 27001 enables companies to become certified, which means that an independent certification body has confirmed that the organization has implemented information security compliant with ISO 27001.
• ISO 27001 has become the most popular information security standard worldwide, and many companies have certified against it.
Five (5) myths about ISO 27001

People think the standard will describe in detail everything they need to do:
• how often they will need to perform backups,
• how distant their disaster recovery site should be,
• which kind of technology they must use for network protection, or how they have to configure the router.

Here’s the bad news: ISO 27001 does not prescribe these things; it works in a completely different way.
1 - “The standard requires…”

• passwords to be changed every 3 months,
• multiple suppliers to exist,
• the disaster recovery site to be at least 50 km distant from the main site,
• etc.

The standard doesn’t say anything like that.

2 - “We’ll let the IT department handle it…”

This is management’s favorite: “Information security is all about IT, isn’t it?”

Well, not really. The most important aspects of information security include not only IT measures, but also organizational issues and human resource management, which are usually out of reach of the IT department.
3 - “We’ll implement it in a few months… Let’s get a bunch of policies and procedures…”

You could implement your ISO 27001 in 2 or 3 months, but it won’t work.

You have to implement:
• changes, and it takes time for changes to take place,
• only those security controls that are really needed,
• an analysis of what is really needed, which takes time,
• risk assessment and risk treatment.
4 - “This standard is all about documentation…”

The documentation is not an end in itself. The main point is that you perform your activities in a secure way, and the documentation is there to help you do it. Records will help you measure whether you achieve your information security goals.
5 - “The only benefit of the standard is for marketing purposes…”

“We are doing this only to get the certificate, aren’t we?”

This is (unfortunately) the way 80 percent of companies think.

Sure, ISO 27001 should be used for promotional and sales purposes, but you can also achieve other very important benefits, like preventing a WikiLeaks-style case from happening to you.
The focus of ISO 27001 is

To protect:
• confidentiality,
• integrity,
• and availability of the information in a company.

The safeguards (or controls):
• policies,
• the form of policies,
• procedures,
• technical implementation (e.g., software and equipment).
Information Security Risk Management

Essentially, information security is part of overall risk management in a company, with areas that overlap with cybersecurity, business continuity management and IT management.
What does ISO 27001 actually look like?

Section 0: Introduction – explains the purpose of ISO 27001 and its compatibility with other management standards.
Section 1: Scope – explains that this standard is applicable to any type of organization.
Section 2: Normative references – refers to ISO/IEC 27000 as the standard where terms and definitions are given.
Section 3: Terms and definitions – again, refers to ISO/IEC 27000.
Section 4: Context of the organization – this section is part of the Plan phase in the PDCA cycle and defines requirements for understanding external and internal issues, interested parties and their requirements, and defining the ISMS scope.
Section 5: Leadership – this section is part of the Plan phase in the PDCA cycle and defines top management responsibilities, setting the roles and responsibilities, and the contents of the top-level Information security policy.
Section 6: Planning – this section is part of the Plan phase in the PDCA cycle and defines requirements for risk assessment, risk treatment, the Statement of Applicability, the risk treatment plan, and setting the information security objectives.
Section 7: Support – this section is part of the Plan phase in the PDCA cycle and defines requirements for availability of resources, competences, awareness, communication, and control of documents and records.
Section 8: Operation – this section is part of the Do phase in the PDCA cycle and defines the implementation of risk assessment and treatment, as well as controls and other processes needed to achieve the information security objectives.
Section 9: Performance evaluation – this section is part of the Check phase in the PDCA cycle and defines requirements for monitoring, measurement, analysis, evaluation, internal audit and management review.
Section 10: Improvement – this section is part of the Act phase in the PDCA cycle and defines requirements for nonconformities, corrections, corrective actions and continual improvement.
16 steps to implement ISO 27001
1) Get top management support
2) Use project management methodology
3) Define the ISMS scope
4) Write the top-level Information security policy
5) Define the Risk assessment methodology
6) Perform the risk assessment and risk treatment
7) Write the Statement of Applicability
8) Write the Risk treatment plan
9) Define how to measure the effectiveness of your controls and of your ISMS
10) Implement all applicable controls and procedures
11) Implement training and awareness programs
12) Perform all the daily operations prescribed by your ISMS documentation
13) Monitor and measure your ISMS
14) Perform internal audit
15) Perform management review
16) Implement corrective actions
Mandatory Documentation

ISO 27001 requires the following documents to be written:
• Scope of the ISMS (clause 4.3)
• Information security policy and objectives (clauses 5.2 and 6.2)
• Risk assessment and risk treatment methodology (clause 6.1.2)
• Statement of Applicability (clause 6.1.3 d)
• Risk treatment plan (clauses 6.1.3 e and 6.2)
• Risk assessment report (clause 8.2)
• Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
• Inventory of assets (clause A.8.1.1)
• Acceptable use of assets (clause A.8.1.3)
• Access control policy (clause A.9.1.1)
• Operating procedures for IT management (clause A.12.1.1)
• Secure system engineering principles (clause A.14.2.5)
• Supplier security policy (clause A.15.1.1)
• Incident management procedure (clause A.16.1.5)
• Business continuity procedures (clause A.17.1.2)
• Statutory, regulatory, and contractual requirements (clause A.18.1.1)

And these are the mandatory records:
• Records of training, skills, experience and qualifications (clause 7.2)
• Monitoring and measurement results (clause 9.1)
• Internal audit program (clause 9.2)
• Results of internal audits (clause 9.2)
• Results of the management review (clause 9.3)
• Results of corrective actions (clause 10.1)
• Logs of user activities, exceptions, and security events
How to get certified

For an organization to become certified, it must implement the standard as explained in the previous sections, and then go through the certification audit performed by the certification body. The certification audit is performed in the following steps:
• Stage 1 audit (Documentation review) – the auditors will review all the documentation.
• Stage 2 audit (Main audit) – the auditors will perform an on-site audit to check whether all the activities in the company are compliant with ISO 27001 and with the ISMS documentation.
• Surveillance visits – after the certificate is issued, during its 3-year validity, the auditors will check annually whether the company maintains its ISMS.
How-to links

https://www.nqa.com/medialibraries/NQA/NQA-Media-Library/PDFs/NQA-ISO-27001-Implementation-Guide.pdf
https://www.isaca.de/sites/default/files/isaca_2017_implementation_guideline_isoiec27001_screen.pdf
https://www.itgovernance.co.uk/shop/product/iso-27001-toolkit
http://www.cs.ru.nl/E.Verheul/SIO2017/How%20to%20Achieve%2027001%20Certification%20(2007).pdf
http://dorlov.blogspot.com/p/blog-page_23.html
https://advisera.com/27001academy/
