Information Security Standards: ISO 27001

By Peter H. Gregory

ISO 27001 is a highly respected international standard for information security management that you will need to know to work in the field. ISO 27001 uses the term information security management system (ISMS) to describe the processes and records required for effective security management in any size organization.

The full name of the standard is Information technology — Security techniques; Information security management systems — Requirements. This complicated name is related to the two major sections of the standard.

Requirements

The requirements section of the standard describes the necessary characteristics for an organization to properly manage its ISMS. The requirements section consists of the following:

  • Context of the organization: The intended scope of the standard in an organization

  • Leadership: The executive management commitment to maintaining an effective ISMS and security policy, and formally establishing security‐related roles and responsibilities

  • Planning: Activities such as risk assessments and risk treatment

  • Support: Providing the necessary resources, training, and communications regarding security

  • Documented information: Consistent practices related to security‐related documents and records

  • Operation: Performing risk assessments and risk treatment

  • Performance evaluation: Security monitoring, internal auditing, and management review

  • Improvement: Watching for and seizing opportunities to make security processes and controls better over time.

Controls

The controls section of ISO 27001 contains a set of industry standard controls, organized in the following categories:

  • Information security policies

  • Organization of information security

  • Human resource security

  • Asset management

  • Access control

  • Cryptography

  • Physical and environmental security

  • Operations security

  • Communications security

  • Systems acquisition, development, and maintenance

  • Supplier relationships

  • Information security incident management

  • Information security aspects of business continuity management

  • Compliance

Becoming ISO 27001 compliant

An organization that wants to improve its security management system using ISO 27001 as its standard would undergo the following activities:

  • Gap analysis: The first step in achieving compliance, a gap analysis is performed either by the organization or by an outside expert. A gap analysis helps the organization understand which requirements and controls it does and doesn’t comply with.

  • Remediation: For any requirements and controls with which the organization is not compliant, it can make changes to its personnel (such as training), processes, and technologies to become compliant.

  • External audit: An organization that needs to demonstrate compliance via an external audit can hire a competent security assessment firm to perform an audit with a detailed audit report and opinion of compliance.

  • Certification and registration: An organization can choose to undergo a higher‐quality external audit by employing one of the organizations authorized to certify and register an organization as ISO 27001 compliant. The advantage is that the audit firm is held to a high standard on ISO 27001 audits. ISO 27001 certification is generally more costly than anexternal audit but may be required in some circumstances.

Individuals in an organization can receive training and earn an ISO 27001 Internal Auditor certification. Organizations committed to ISO 27001 compliance will often obtain this certification for one or more of their employees, who through this training will better understand the meaning of ISO 27001 requirements and controls, as well as the proper techniques to determine compliance.

A single user copy of the ISO 27001 standard costs nearly $300. This cost is the single barrier preventing wider adoption of this high‐quality standard.