What is ISO 27001 - The Information Security Management Standard?

To give it its full title, ISO 27001 is actually “ISO/IEC 27001 Information technology – Security techniques – Information security management systems – Requirements”, published jointly by ISO (the International Organization for Standardization) and the IEC (the International Electrotechnical Commission).

The ISO 27001 standard defines the requirements an organisation must meet to establish, operate and continually improve an “information security management system” (ISMS), and it is the document against which an organisation is audited for certification.

The standard’s roots go back to 1995, when the British Standards Institution published BS 7799, one of the first information security management standards. Its code of practice (BS 7799 Part 1) was adopted internationally in 2000 as ISO/IEC 17799 “Information technology – Code of practice for information security management” (now ISO/IEC 27002), and its requirements specification (BS 7799 Part 2) became ISO/IEC 27001 in 2005. ISO/IEC 27001 was substantially revised in 2013 to reflect changing information security demands; the 2017 edition added only minor corrections.

Almost all organisations today depend to a greater or lesser extent on their IT systems, and most will already have a number of information security controls in place.  In many cases, however, those controls were introduced in response to different problems at different times and, as a result, are uncoordinated.  Because of the subject matter it is also often assumed that information security is only about “IT”, but the standard covers non-IT information assets as well (for instance paperwork, conversations and proprietary knowledge).

In fact, the weakest part of any information security system is usually human behaviour: people clicking on email links they shouldn’t, writing down passwords, or taking notes during a confidential conversation where they can be read or overheard.  Technical controls built into IT systems cannot prevent this entirely, but clear, well communicated policies and good training can largely avoid it.

The ISO 27001 standard requires that management:

  • Define the scope and boundary of the ISMS by developing a comprehensive understanding of the organisation’s information security risk and of the applicability of the controls listed in Annex A of the standard, taking into account legal requirements, contractual obligations, business requirements and the results of an information security risk assessment;
  • Design and implement a comprehensive set of information security controls;
  • Systematically examine and re-examine the organisation’s information security risks, taking account of threats, vulnerabilities and impacts;
  • Operate robust management processes (internal audit, management review and corrective action) that ensure the ISMS continues to meet the organisation’s needs over time.

In total, there are 114 controls in Annex A of the 2013 edition, grouped into 14 categories:

  • Information security policies.
  • Organisation of information security.
  • Human resource security.
  • Asset management.
  • Access control.
  • Cryptography.
  • Physical and environmental security.
  • Operations security.
  • Communications security.
  • System acquisition, development and maintenance.
  • Supplier relationships.
  • Information security incident management.
  • Information security aspects of business continuity management.
  • Compliance;
    • With external requirements, such as laws and contractual obligations.
    • With internal requirements, such as the organisation’s own policies, checked through independent review.

However, not every control will be relevant to every organisation: a control can be excluded, provided the exclusion is justified in the Statement of Applicability.

How long does ISO 27001 take to get?

The time needed to obtain ISO 27001 certification depends on a number of factors, which typically include:

  • The activities undertaken
  • The sensitivity of the information you process – the more sensitive the information, the more stringent the controls need to be
  • The degree to which IT is embedded in your organisation
  • The current IT systems and processes in place (and their effectiveness)
  • The level of documentation of current systems
  • The degree of consistency across the organisation in the application of those IT systems


However, most of the projects we have undertaken for owner-managed organisations of, say, 30 to 50 people operating from a single office have taken about 6 to 9 months.

What is the process for obtaining ISO 27001?

Obtaining ISO 27001 certification is about systematically and rigorously testing your information security processes against the requirements of the standard (clauses 4 to 10) and the 100+ controls detailed in Annex A.  We’d suggest there are two stages to this:

  1. Understand the information flow through your organisation.
  2. At each point, look at the information going into and out of the organisation and at the risks, threats and vulnerabilities to that information.

Because the standard covers paper-based information as well, this extends beyond the core activities that deliver value to the customer to things like objectives, targets, business plans and strategies.


The first stage is to understand the boundary of the system: essentially to define what is included in and excluded from the ISMS, and where responsibility for information management begins and ends.  This covers hardware and software assets, people and processes, and the threats, vulnerabilities and risks associated with each.  It requires a review of each of the controls in Annex A, with due consideration of legal requirements, contractual obligations, business requirements and the results of the information security risk assessment.


This process is likely to result in a number of documents, including:

The “Statement of Applicability”, recording for each Annex A control whether it applies, the justification for including or excluding it, and whether it has been implemented

The information security risk register, recording each identified risk, its owner, its assessed likelihood and impact, and the treatment and controls chosen

The legal register, recording any applicable legislation that must be adhered to

This would usually also include “other” requirements the company needs to comply with: specific contractual requirements, membership or scheme requirements (e.g. Cyber Essentials Plus) and contractual IT performance KPIs linked to testing or security patch management

Once the above have been compiled, along with any other necessary procedural documentation, you will need to:

  1. Carry out an internal audit of the entire system prior to certification.
  2. Hold a management review meeting.

You are then ready for external assessment by a UKAS-accredited certification body.

What is the certification process?

The chosen certification body will then audit in two stages:

  • Stage one is a review of your ISMS documentation against the requirements of the ISO 27001 standard, to confirm you are ready for the full audit
  • Stage two is a rigorous audit, with evidence sampled, comparing the documentation and controls you have developed against what is actually done in your information security activities


Provided all of the requirements have been met and all of the activities are being carried out as expected, the company is likely to be “recommended for registration”.  Note that assessors cannot confirm certification on the day: their report must first be endorsed by the certification body’s independent technical review.

Who needs to be involved in the process?

Various people will need to be involved, and exactly who depends on the information you need to secure and on the scale and complexity of your company, but you are likely to need input from:

  • The senior team, in order to understand their strategic objectives and targets, especially those related to information security
  • The information security team and possibly any critical external providers
  • Potentially, operational department heads (marketing, sales, operations etc.), in order to understand the information security implications of the different departments
  • Potentially, heads of departments for supporting processes (HR, purchasing etc.), in order to understand how supporting activities assist in delivering company objectives and targets

What happens after ISO 27001 certification?

The big external benefit of ISO 27001 registration is that it opens up new commercial opportunities.  Certification is often a prerequisite for the larger and more lucrative tenders and contracts offered by central and local government departments and blue-chip companies.

However, the world of work is rarely static, and that is particularly the case in information security.  The core of the management standard is therefore focused on helping the organisation improve over time.  This means:

  • Setting and developing new information security objectives and targets
  • Using attacks, security breaches, problems and mistakes (non-conformances) as a vehicle to close information security gaps and to learn and improve
  • Auditing the systems to ensure processes and practices continue to deliver as expected and to gently ratchet up improvement efforts over time
  • Reviewing the information security management system
  • Updating controls as new technology is applied and developed


These are the internal activities you need to carry out.  In addition, the certification body audits the system externally: certificates run on a three-year cycle, with surveillance audits (usually annual, more frequent for larger or more complex organisations) and a full recertification audit at the end of the cycle, to ensure the system remains effectively implemented.

How can Statius help?

Your focus should be on deploying your information security resources so that you are better placed to meet your goals; our focus is to assist you with the management of the information security management system.   As one client said, “you guys keep us honest, you do”.

The type of services and support we can provide includes:

Chairing management review meetings

Undertaking the required internal information security audits

Reviewing and updating the statement of applicability

Reviewing and assessing the processes around the introduction of new information security technology

Assisting with the management of non-conformance systems

Undertaking information security supplier audits

Support for the external assessment visit