
ISO 27001 Training

Module 3
Cl1 to Cl6 in Detail
ISO 27001 Contents
■ ISO 27001:2013 is divided into ten clauses, an Annex and a Bibliography; this module
covers clauses 1 to 6.

1. Scope

2. Normative References

3. Terms and Definitions

4. Context of the Organisation

5. Leadership

6. Planning

■ Note that we refer to “the ISO 27001:2013 standard” throughout, simply as “27001”.
General
■ ISO27001 provides the requirements for establishing, implementing, maintaining and
continually improving an Information Security Management System (ISMS).

■ The adoption of an ISMS should be a strategic decision for an organisation.

■ The design and implementation of an ISMS needs to take into account an organisation’s size
and structure, processes, complexity, needs and objectives, and security requirements.

■ It is expected that all of these influencing factors will change over time.

■ The ISMS preserves the confidentiality, integrity and availability of information by applying a
risk management process and gives confidence to interested parties that risks are adequately
managed.

■ It is expected that an ISMS implementation will be scaled in accordance with the needs of the
organisation.

■ The order in which requirements are presented in the standard does not reflect their relative
importance.
Compatibility with other management system standards
■ 27001 applies the high-level structure, identical sub-clause titles, identical text,
common terms, and core definitions as defined in Annex SL of ISO Directives,
Part 1, Consolidated ISO Supplement, and therefore maintains compatibility
with other management system standards, such as ISO 9001 and ISO 14001.
■ This common approach defined in Annex SL will be useful for those
organisations that choose to operate a single management system (often called
‘integrated management system’ or IMS) that meets the requirements of two or
more management system standards.
Clause 1: Scope
■ 27001 sets out generic requirements that can be implemented in all types and sizes of
organisation, such as commercial entities, government agencies, non-profit
organisations, irrespective of the nature of their activities.
■ 27001 specifies the requirements for establishing, implementing, maintaining and
continually improving an information security management system within the context of
the organisation.
■ 27001 also includes requirements for the assessment and treatment of information
security risks tailored to the needs of the organisation.
■ Organisations cannot claim conformity to 27001 if they exclude any of the requirements
set out in clauses 4 to 10 of the standard.
■ If an organisation already has an operative management system (say, ISO 9001 or
ISO 14001), it is often preferable to satisfy the requirements of ISO 27001 within that
existing management system.
Clause 2: Normative References

■ ISO uses the term “Normative Reference” to reference documents which ISO
considers to be indispensable in implementing the standard.
■ ISO 27001:2013 references ISO 27000 Information technology - Security
techniques - Information security management systems - Overview and
vocabulary, which is termed “indispensable” for the application of ISO
27001:2013.
Clause 3: Terms and Definitions

■ For the purposes of ISO 27001:2013, the terms and definitions given in ISO 27000
apply.

■ Please refer to Module 2 of this training material for many of these terms and
definitions.
Clause 4: Context of the organisation
■ This section/clause of the standard has the following sub-clauses:

4.1 Understanding the organisation and its context

4.2 Understanding the needs and expectations of interested parties

4.3 Determining the scope of the information security management system

4.4 Information security management system

■ Let’s now look into each of these in more detail …


4.1 Understanding the organisation and its context (1)
■ This clause requires that the organisation determines the external and internal issues that are
relevant to its purpose and strategic direction and that affect its ability to achieve the
intended outcomes of its ISMS.
■ Notes:
– issues can include positive and negative factors or conditions for consideration
– understanding the external context can be facilitated by considering issues arising from
legal, technological, competitive, market, cultural, social and economic environments,
whether international, national, regional or local.
– understanding the internal context can be facilitated by considering issues related to
activities, values, culture, knowledge and performance of the organisation
– both PESTLE and SWOT are useful tools in this context
Continued …
4.1 Understanding the organisation and its context (2)
■ The resultant understanding of the organisation and its context is used to establish,
implement, maintain and continually improve the ISMS.

■ The internal and external issues that are determined in clause 4.1 can result in risks and
opportunities to the organisation or to the ISMS.

■ The organisation needs to determine which of those risks and opportunities need to be
addressed and managed.

■ The organisation is also required to monitor and review information about these
external and internal issues.
4.2 Understanding the needs and expectations of interested parties
■ Due to their effect, or potential effect, on an organisation’s ability to achieve
information security, organisations are required to determine:
– the interested parties that are relevant to the information security management
system
– the requirements, that are relevant to the information security management
system, of those interested parties
■ Note that the requirements of interested parties may include legal and regulatory
requirements and contractual obligations.
■ Organisations must also monitor and review information about those interested
parties, and their relevant requirements.
4.3 Determining the scope of the ISMS

■ Organisations must determine the boundaries and applicability of their information
security management system to establish its scope.
– when determining scope, organisations need to consider the following:
• the external and internal issues referred to in “4.1 Understanding the
organisation and its context”
• the requirements referred to in “4.2 Understanding the needs and expectations of
interested parties”
• interfaces and dependencies between activities performed by themselves, and
those that are performed by others
– organisations must make the scope available as documented information
4.4 Information security management system

■ Organisations are required to establish, implement, maintain and continually
improve an information security management system, in accordance with the
requirements of 27001.
Clause 5: Leadership

■ This clause of the standard has the following sub-clauses:

5.1 Leadership and commitment

5.2 Policy

5.3 Organisational roles, responsibilities and authorities

■ Let’s now look into each of these in more detail …


5.1 Leadership and commitment
■ The top management of an organisation must demonstrate leadership and commitment with
respect to their ISMS by:
– ensuring the information security policy and the information security objectives are
established and are compatible with their strategic direction
– ensuring the integration of the ISMS requirements into their processes
– ensuring that the resources needed for the ISMS are available
– communicating the importance of effective information security management and of
conforming to the ISMS requirements
– ensuring that the ISMS achieves its intended outcome(s)
– directing and supporting persons to contribute to the effectiveness of the ISMS
– promoting continual improvement
– supporting other relevant management roles to demonstrate their leadership as it applies to
their functional areas
5.2 Policy
■ Top management must establish an information security policy that:
– includes information security objectives (see clause 6.2) or provides the
framework for setting information security objectives
– includes a commitment to satisfy applicable requirements related to information
security
– includes a commitment to continual improvement of the information security
management system
■ The information security policy must:
– be available as documented information
– be communicated within the organisation
– be available to interested parties, as appropriate
5.3 Organisational roles, responsibilities and authorities

■ Top management must ensure that the responsibilities and authorities for roles
relevant to information security are assigned and communicated, including:
– ensuring that the information security management system conforms to the
requirements of 27001
– reporting on the performance of the ISMS to top management


Clause 6: Planning

■ This clause of the standard has the following sub-clauses:


6.1 Actions to address risks and opportunities
6.1.1 General Requirements
6.1.2 Information security risk assessment
6.1.3 Information security risk treatment
6.2 Information security objectives and planning to achieve them
■ Let’s now look into each of these in more detail …
6.1.1 General
■ When planning for the ISMS, organisations must consider the issues referred to in
4.1 “Understanding the organisation and its context”, and the requirements referred
to in 4.2 “Understanding the needs and expectations of interested parties” and
determine the risks and opportunities that need to be addressed to:
– ensure the ISMS can achieve its intended outcome(s)
– prevent, or reduce, undesired effects
– achieve continual improvement
■ Organisations must plan actions to address these risks and opportunities and how to:
– integrate and implement the actions into its ISMS processes
– evaluate the effectiveness of these actions
6.1.2 Information security risk assessment (1)
■ Organisations must define and apply an information security risk assessment process
that:
– establishes and maintains information security risk criteria that include:
• the risk acceptance criteria
• criteria for performing information security risk assessments
– ensures that repeated information security risk assessments produce consistent,
valid and comparable results
– identifies the information security risks, by applying the information security risk
assessment process to identify risks associated with the loss of confidentiality,
integrity and availability for information within the scope of the ISMS, and identifies
the risk owners
Continued …
6.1.2 Information security risk assessment (2)
■ Organisations must define and apply an information security risk assessment process that:
– analyses the identified information security risks to:
• assess the potential consequences that would result if the risks were to
materialise
• assess the realistic likelihood of the occurrence of the risks
• determine the levels of risk
– evaluates the identified information security risks to:
• compare the results of risk analysis with the risk criteria that have been established
• prioritise the analysed risks for risk treatment
■ Organisations must record information about the information security risk assessment
process.
6.1.3 Information security risk treatment (1)
■ Organisations must define and apply an information security risk treatment process to:
– select appropriate information security risk treatment options, taking account of the risk
assessment results
– determine all controls that are necessary to implement the information security risk treatment
option(s) chosen
– compare the controls determined above with those in Annex A and verify that no necessary
controls have been omitted
– produce a Statement of Applicability, based on Annex A, that justifies the non-implementation of
any appropriate Annex A controls, and lists any additional controls, implemented or not, that have
been identified
– formulate an information security risk treatment plan
– obtain risk owners’ approval of the information security risk treatment plan and acceptance of the
residual information security risks
Continued …
6.1.3 Information security risk treatment (2)
■ Organisations must retain documented information (records) about the information
security risk treatment process.
– you can design controls as required, or identify them from any source
– Annex A contains a comprehensive list of control objectives and controls
– use Annex A to ensure that no necessary controls have been overlooked
– control objectives are implicitly included in the controls chosen
– the control objectives and controls listed in Annex A are not exhaustive and
additional control objectives and controls may be required
– the 27001 information security risk assessment and treatment process aligns
with the principles and generic guidelines provided in ISO 31000
6.2 Information security objectives and planning to achieve them (1)
■ Organisations must establish information security objectives at relevant functions
and levels and those objectives must:
– be consistent with the information security policy
– be measurable (if practicable)
– take into account applicable information security requirements, and results from
risk assessment and risk treatment
– be communicated
– be updated as appropriate
Continued …
6.2 Information security objectives and planning to achieve them (2)
■ Organisations must retain documented information (records) on their information security objectives.
■ When planning how to achieve their information security objectives, organisations
must determine:
– what will be done
– what resources will be required
– who will be responsible
– when it will be completed
– how the results will be evaluated