April 2020
ISO/IEC 27001:2013 — Information security management systems
• ISO/IEC 27001:2013 is the latest revision of this standard. The first revision of the standard was published in 2005, and it was developed based on the British standard BS 7799-2.
• ISO 27001 can be implemented in any kind of organization, profit or non-profit, private or state-owned, small or large.
• ISO 27001 enables companies to become certified, which means that an independent certification body has confirmed that an organization has implemented information security compliant with ISO 27001.
• ISO 27001 has become the most popular information security standard worldwide and many companies have certified against it.
Five (5) myths about ISO 27001
To protect:
• confidentiality,
• integrity,
• and availability of the information in a company.
What does ISO 27001 actually look like?
Section 0: Introduction – explains the purpose of ISO 27001 and its compatibility with other management standards.
Section 1: Scope – explains that this standard is applicable to any type of organization.
Section 2: Normative references – refers to ISO/IEC 27000 as a standard where terms and definitions are given.
Section 3: Terms and definitions – again, refers to ISO/IEC 27000.
Section 4: Context of the organization – this section is part of the Plan phase in the PDCA cycle and defines requirements for understanding external and internal issues, interested parties and their requirements, and defining the ISMS scope.
Section 5: Leadership – this section is part of the Plan phase in the PDCA cycle and defines top management responsibilities, setting the roles and responsibilities, and contents of the top-level Information security policy.
Section 6: Planning – this section is part of the Plan phase in the PDCA cycle and defines requirements for risk assessment, risk treatment, Statement of Applicability, risk treatment plan, and setting the information security objectives.
Section 7: Support – this section is part of the Plan phase in the PDCA cycle and defines requirements for availability of resources, competences, awareness, communication, and control of documents and records.
Section 8: Operation – this section is part of the Do phase in the PDCA cycle and defines the implementation of risk assessment and treatment, as well as controls and other processes needed to achieve information security objectives.
Section 9: Performance evaluation – this section is part of the Check phase in the PDCA cycle and defines requirements for monitoring, measurement, analysis, evaluation, internal audit and management review.
Section 10: Improvement – this section is part of the Act phase in the PDCA cycle and defines requirements for nonconformities, corrections, corrective actions and continual improvement.
16 steps to implement ISO 27001
1) Get top management support
2) Use project management methodology
3) Define the ISMS scope
4) Write the top-level Information security policy
5) Define the Risk assessment methodology
6) Perform the risk assessment and risk treatment
7) Write the Statement of Applicability
8) Write the Risk treatment plan
9) Define how to measure the effectiveness of your controls and of your ISMS
10) Implement all applicable controls and procedures
11) Implement training and awareness programs
12) Perform all the daily operations prescribed by your ISMS documentation
13) Monitor and measure your ISMS
14) Perform internal audit
15) Perform management review
16) Implement corrective actions
Mandatory Documentation
ISO 27001 requires the following documents to be written:
• Scope of the ISMS (clause 4.3)
• Information security policy and objectives (clauses 5.2 and 6.2)
• Risk assessment and risk treatment methodology (clause 6.1.2)
• Statement of Applicability (clause 6.1.3 d)
• Risk treatment plan (clauses 6.1.3 e and 6.2)
• Risk assessment report (clause 8.2)
• Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
• Inventory of assets (clause A.8.1.1)
• Acceptable use of assets (clause A.8.1.3)
• Access control policy (clause A.9.1.1)
• Operating procedures for IT management (clause A.12.1.1)
• Secure system engineering principles (clause A.14.2.5)
• Supplier security policy (clause A.15.1.1)
• Incident management procedure (clause A.16.1.5)
• Business continuity procedures (clause A.17.1.2)
• Statutory, regulatory, and contractual requirements (clause A.18.1.1)
And these are the mandatory records:
• Records of training, skills, experience and qualifications (clause 7.2)
• Monitoring and measurement results (clause 9.1)
• Internal audit program (clause 9.2)
• Results of internal audits (clause 9.2)
• Results of the management review (clause 9.3)
• Results of corrective actions (clause 10.1)
• Logs of user activities, exceptions, and security events
How to get certified
• https://www.nqa.com/medialibraries/NQA/NQA-Media-Library/PDFs/NQA-ISO-27001-Implementation-Guide.pdf
• https://www.isaca.de/sites/default/files/isaca_2017_implementation_guideline_isoiec27001_screen.pdf
• https://www.itgovernance.co.uk/shop/product/iso-27001-toolkit
• http://www.cs.ru.nl/E.Verheul/SIO2017/How%20to%20Achieve%2027001%20Certification%20(2007).pdf
• http://dorlov.blogspot.com/p/blog-page_23.html
• https://advisera.com/27001academy/