ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information security risks. The ISMS is an overarching management framework through which the organization identifies, analyzes and addresses its information security risks. The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts - an important aspect in such a dynamic field, and a key advantage of ISO27k’s flexible risk-driven approach as compared to, say, PCI-DSS.
The standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profits), all sizes (from micro-businesses to huge multinationals), and all industries/segments (e.g. retail, banking, defense, healthcare, education and government). This is clearly a very wide brief.
ISO/IEC 27001 does not mandate specific information security controls since the controls that are required vary markedly across the wide range of organizations adopting the standard. The information security controls from ISO/IEC 27002 are noted in annex A to ISO/IEC 27001, rather like a menu. Organizations adopting ISO/IEC 27001 are free to choose whichever specific information security controls are applicable to their particular information security situations, drawing on those listed in the menu and potentially supplementing them with other a la carte options (sometimes known as extended control sets). As with ISO/IEC 27002, the key to selecting applicable controls is to undertake a comprehensive assessment of the organization’s information security risks, which is one vital part of the ISMS.
Furthermore, management may elect to avoid, transfer or accept information security risks rather than mitigate them through controls - a risk management decision.
ISO/IEC 27001 originated as BS 7799 Part 2 in 1999. It was revised by BSI in 2002, explicitly incorporating Deming’s Plan-Do-Check-Act cyclic process concept, and was adopted by ISO/IEC in 2005. It was extensively revised in 2013, bringing it into line with the other ISO management systems standards and dropping the explicit reference to PDCA (the requirement for continual improvement remains). See the timeline page for more.
Structure of the standard
ISO/IEC 27001:2013 has the following sections:
0 Introduction - the standard uses a process approach.
1 Scope - it specifies generic ISMS requirements suitable for organizations of any type, size or nature.
2 Normative references - only ISO/IEC 27000 (overview and vocabulary) is considered absolutely essential to the use of ’27001.
3 Terms and definitions - no glossary of its own: the standard simply states that the terms and definitions in ISO/IEC 27000 apply.
4 Context of the organization - understanding the organizational context, defining the scope of the ISMS.
5 Leadership - top management must demonstrate leadership and commitment to the ISMS, mandate policy etc.
6 Planning - an outline of the process to identify, analyze and plan to treat information security risks, and a requirement to set and plan for information security objectives.
7 Support - adequate, competent resources must be assigned, awareness raised, procedures documented and controlled.
8 Operation - a bit more detail about assessing and treating information security risks.
9 Performance evaluation - measure and review/audit what’s going on in order to improve it systematically.
10 Improvement - address the findings of audits and reviews, and make continual refinements to the ISMS.
Annex A Reference control objectives and controls - little more in fact than a list of titles of the control sections in ISO/IEC 27002:2013. The annex is ‘normative’, implying that certified organizations are expected to use it, but they are free to deviate from or supplement it in order to address their particular information security risks.
Bibliography - points readers to five related standards, plus part 1 of the ISO/IEC directives, for more information. In addition, ISO/IEC 27000 is identified in the body of the standard as a normative (i.e. essential) standard.
Mandatory requirements for certification
ISO/IEC 27001 is a formalized specification for an ISMS with two distinct purposes:
It lays out, at a fairly high level, what an organization must do in order to implement an ISMS;
It can (optionally) be used as the basis for formal compliance assessment by accredited certification auditors in order to certify an organization.
The following mandatory documentation (or rather “documented information” in the curiously stilted language of the standard) is explicitly required for certification:
ISMS scope (as per clause 4.3)
Information security policy (clause 5.2)
Information security risk assessment process (clause 6.1.2)
Information security risk treatment process, including the Statement of Applicability (clause 6.1.3)
Information security objectives (clause 6.2)
Evidence of the competence of the people working in information security (clause 7.2)
Other ISMS-related documents deemed necessary by the organization (clause 7.5.1b)
Operational planning and control documents (clause 8.1)
The results of the risk assessments (clause 8.2)
The decisions regarding risk treatment (clause 8.3)
Evidence of the monitoring and measurement of information security (clause 9.1)
The ISMS internal audit program and the results of audits conducted (clause 9.2)
Evidence of top management reviews of the ISMS (clause 9.3)
Evidence of nonconformities identified and corrective actions arising (clause 10.1)
Various others: Annex A, which is normative, mentions but does not fully specify further documentation including the rules for acceptable use of assets, access control policy, operating procedures, confidentiality/non-disclosure agreements, secure system engineering principles, information security policy for supplier relationships, information security incident response procedures, relevant laws/regulations/contractual obligations plus the associated compliance procedures and information security continuity procedures.
Certification auditors will almost certainly check that these fifteen types of documentation are (a) present, and (b) fit for purpose. Note that the standard does not say precisely what form the documentation should take, but it does talk about the control of such documentation which implies a degree of formality to its creation, authorization, implementation and maintenance.
The implementation process diagram below (taken from the ISO27k Toolkit) shows at what stages various ISMS-related documents are normally produced:
ISMS scope, and Statement of Applicability (SoA)
Whereas the standard is intended to drive the implementation of an enterprise-wide ISMS, ensuring that all parts of the organization benefit by addressing their information security risks in an appropriate and systematically-managed manner, organizations can scope their ISMS as broadly or as narrowly as they wish - indeed scoping is a crucial decision for senior management (clause 4.3). A documented ISMS scope is one of the mandatory requirements for certification.
The Statement of Applicability (SoA) is explicitly required by clause 6.1.3 d): it lists the controls the organization has determined to be necessary, the justification for including each one, whether or not each is currently implemented, and the justification for excluding any control in Annex A. It usually takes the form of a table with one row per Annex A control, cross-referenced to the risks (from the risk assessments and treatment decisions that clauses 8.2 and 8.3 require to be documented) that each control treats. It normally references the controls in ISO/IEC 27002, but may draw on a different catalogue such as NIST SP800-53, BMIS or COBIT, or a custom control set.
The ISMS scope and SoA are crucial if a third party intends to attach any reliance to an organization’s ISO/IEC 27001 compliance certificate. If an organization’s ISO/IEC 27001 scope only notes “Acme Ltd. Department X”, for example, the associated certificate says absolutely nothing about the state of information security in “Acme Ltd. Department Y” or indeed “Acme Ltd.” as a whole. Similarly, if for some reason management decides to accept malware risks without implementing conventional antivirus controls, the certification auditors may well challenge such a bold assertion but, provided the associated analyses and decisions were sound, that alone would not be justification to refuse to certify the organization since antivirus controls are not in fact mandatory.
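Certification auditors check that the risk register and the SoA tell the same story: every mitigated risk cites a control the SoA actually includes, every excluded control carries a justification, and an accepted risk (such as the malware example above) has a documented rationale and an owner. The following script is an added example, not part of the original page or the ISO27k Toolkit; the register and SoA entries are constructed sample data, the `Risk`/`SoaEntry` structures are an assumed layout, and the control identifiers are Annex A numbers from ISO/IEC 27001:2013.

```python
"""Added example: consistency checks between an ISMS risk register and a
Statement of Applicability (SoA). The sample data below is constructed for
illustration; control IDs are Annex A identifiers from ISO/IEC 27001:2013."""
from dataclasses import dataclass, field
from typing import Dict, List

# Risk treatment options recognised by ISO/IEC 27001 clause 6.1.3 (via ISO 31000).
TREATMENTS = {"mitigate", "avoid", "transfer", "accept"}


@dataclass
class Risk:
    risk_id: str
    description: str
    treatment: str
    controls: List[str] = field(default_factory=list)  # Annex A controls relied on
    rationale: str = ""  # mandatory when the risk is accepted
    owner: str = ""      # who signed the treatment decision off


@dataclass
class SoaEntry:
    control_id: str
    title: str
    applicable: bool
    justification: str   # reason for inclusion, or for exclusion
    implemented: bool = False


def check_soa(risks: List[Risk], soa: List[SoaEntry]) -> List[str]:
    """Return human-readable findings; an empty list means the register and
    the SoA are consistent with each other."""
    findings: List[str] = []
    by_id: Dict[str, SoaEntry] = {e.control_id: e for e in soa}

    # Clause 6.1.3 d): every control needs a justification, whether it is
    # included or excluded.
    for e in soa:
        if not e.justification.strip():
            kind = "inclusion" if e.applicable else "exclusion"
            findings.append(f"{e.control_id}: no justification for {kind}")

    for r in risks:
        if r.treatment not in TREATMENTS:
            findings.append(f"{r.risk_id}: unknown treatment '{r.treatment}'")
            continue
        if not r.owner.strip():
            findings.append(f"{r.risk_id}: treatment decision has no owner")
        if r.treatment == "mitigate":
            if not r.controls:
                findings.append(f"{r.risk_id}: mitigated but cites no control")
            for c in r.controls:
                e = by_id.get(c)
                if e is None:
                    findings.append(f"{r.risk_id}: cites {c}, which is absent from the SoA")
                elif not e.applicable:
                    findings.append(f"{r.risk_id}: cites {c}, which the SoA excludes")
        elif r.treatment == "accept" and not r.rationale.strip():
            findings.append(f"{r.risk_id}: accepted without a documented rationale")
    return findings


# Constructed sample register: the malware risk is accepted (as in the text
# above) rather than mitigated with A.12.2.1, and the decision is documented.
SAMPLE_RISKS = [
    Risk("R1", "Malware on developer workstations", "accept",
         rationale="Workstations are immutable images rebuilt daily; "
                   "residual risk is within appetite",
         owner="CISO"),
    Risk("R2", "Unauthorised access to the HR system", "mitigate",
         controls=["A.9.1.1"], owner="Head of HR"),
]

SAMPLE_SOA = [
    SoaEntry("A.9.1.1", "Access control policy", True,
             "Treats R2; also a contractual requirement", implemented=True),
    SoaEntry("A.12.2.1", "Controls against malware", False,
             "R1 accepted by the CISO; see risk register"),
]


def broken_register() -> List[Risk]:
    """A register that cites an excluded control and has an undocumented acceptance."""
    return [
        Risk("R3", "Ransomware on file servers", "mitigate",
             controls=["A.12.2.1"], owner="IT Ops"),
        Risk("R4", "Loss of backup media in transit", "accept", owner="IT Ops"),
    ]


if __name__ == "__main__":
    for name, risks in (("consistent", SAMPLE_RISKS), ("broken", broken_register())):
        print(name, check_soa(risks, SAMPLE_SOA) or "OK")
```

Run it and the sample register passes cleanly, while `broken_register()` produces two findings: R3 relies on a control the SoA has excluded, and R4 accepts a risk with no recorded rationale. Either would be raised by a certification auditor; the first contradicts the SoA, the second is exactly the "bold assertion" the text describes without the analysis that would justify it.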
Certified compliance with ISO/IEC 27001 by a properly-accredited and respected certification body is entirely optional but is increasingly being demanded from suppliers and business partners by organizations that are (quite rightly!) concerned about the security of their information.
Certification brings a number of benefits above and beyond mere compliance, in much the same way that an ISO 9000-series certificate says more than just “We are a quality organization”. Independent assessment necessarily brings some rigor and formality to the implementation process (implying improvements to information security and all the benefits that brings through risk reduction), and invariably requires senior management approval (which is an advantage in security awareness terms, at least!).
The certificate has marketing potential and demonstrates that the organization takes information security management seriously. However, as noted above, the assurance value of the certificate is highly dependent on the ISMS scope and SoA - in other words, don’t take certified compliance at face value if the organization’s information security is important to you.
Status of the standard
ISO/IEC 27001 was completely rewritten and re-issued in September 2013. This was far more than just tweaking the content since ISO/IEC JTC1 insisted on substantial changes to align this standard with other management systems standards covering quality assurance, environmental protection etc. The idea is that managers who are familiar with any of the ISO management systems will understand the basic principles underpinning an ISMS. Concepts such as certification, policy, nonconformance, document control, internal audits and management reviews are common to all the management systems standards, and in fact the processes can, to a large extent, be standardized within the organization.
ISO/IEC 27001:2013 is available now from the ISO Webstore for 108 Swiss francs.
ISO/IEC 27002 was extensively revised and re-issued at the same time, hence Annex A to ISO/IEC 27001 has been updated: see the ISO/IEC 27002 page for more.
The extent of the changes to ISO/IEC 27001 is concerning. The changes are bound to impact organizations that use the standard, are certified compliant, or are certifying their clients against it. On the upside, standardization across the management systems standards has medium- to long-term benefits, including greater familiarity with the core concepts and the possibility of merging some of the associated processes. In the short term, there will be some upheaval and expense for organizations using the 2005 version to migrate to the new standard.