ISO 27001 Requirements

The ISO/IEC 27001 standard was first published in 2005, but many compliance officers still struggle to understand what the ISMS requirements mean for their specific organisational context. The standard was revised in 2013, and this page describes the ISO/IEC 27001:2013 edition; a further revision, ISO/IEC 27001:2022, has since restructured Annex A, so the Annex A numbering used below applies to the 2013 edition. The standard is built around continual improvement, so the ISMS is expected to evolve over time, but its core building blocks (a defined scope, a risk assessment and risk treatment process, a Statement of Applicability, internal audit, and management review) have remained in place since the standard was first published.

The following are the 14 control domains of Annex A in ISO/IEC 27001:2013 (A.5 to A.18). Compliance officers should consider each of them when developing an information security management system (ISMS), selecting the controls within them that the risk assessment justifies:

  • Information security policies
  • Organization of information security
  • Human resources security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operational security
  • Communications security
  • System acquisition, development, and maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance

Leadership and organization of information security (clause 5): This clause concerns how top management directs and communicates information security across the organization. Management must demonstrate commitment to the ISMS, establish a documented information security policy (5.2) and communicate it to employees and relevant third parties, and assign and communicate the roles and responsibilities for operating the ISMS and reporting on its performance (5.3). To demonstrate that this requirement is met, the organization must also show that it follows its own policies and monitors compliance with them.

Planning (clause 6): The planning process for information security, which means assessing the risks to your business processes and information (6.1.2), deciding how to treat those risks and selecting controls that mitigate them (6.1.3), and setting measurable information security objectives (6.2). The central requirement here is to understand the risks that could affect the organization before choosing controls.

Support (clause 7): Providing what the ISMS needs in order to run: adequate resources (7.1), competent staff with records of their skills and training (7.2), security awareness among everyone working under the organization's control (7.3), planned internal and external communication (7.4), and controlled documented information (7.5). An ISO 27001 compliant organization should also consider enterprise-wide risks that span multiple business processes and systems, and resource the controls that reduce them as part of fulfilling this requirement.

Operation (clause 8): Day-to-day operational planning and control (8.1), performing the information security risk assessment at planned intervals or when significant changes occur (8.2), and implementing the risk treatment plan (8.3). Incident management, the process of handling security breaches, is run here under the Annex A incident management controls. The compliance officer needs to ensure that the selected controls are actually implemented on the systems in scope and that any nonconformity noted in previous audits or during regular checks is resolved.

Performance evaluation (clause 9): Measuring how the ISMS and its controls perform (9.1), running an internal audit programme (9.2), and reporting the results to senior management through the management review (9.3). The management review must cover the status of previous actions, monitoring and audit results, the level of implementation with its strengths and weaknesses, and any needed changes to the ISMS, including the resources and budget required for the coming period.

Improvement (clause 10): This clause is critical because it ensures that the organization keeps improving its ISMS rather than treating certification as a one-off exercise.

There are three main ISO 27001 requirements in this clause:

  • react to each nonconformity, correct it, and evaluate whether action is needed to eliminate its cause so that it does not recur (10.1);
  • review the effectiveness of any corrective action taken, using internal audits or external reviewers, and record both the nonconformity and the result (10.1); and
  • continually improve the suitability, adequacy, and effectiveness of the ISMS, which in practice means monitoring existing controls and adjusting them as new threats and vulnerabilities are identified (10.2).

Mandatory ISO 27001 requirements

The two most important activities when implementing ISO 27001 are:

Clause 4.3, determining the scope of your ISMS, in which you define which parts of the organization and which information need to be safeguarded; and

Clauses 6.1.2 and 6.1.3, in which you define how you conduct the information security risk assessment and establish the risk treatment process, including selecting controls, producing the Statement of Applicability (6.1.3 d), and drawing up the risk treatment plan (6.1.3 e).

Documented information required by the main clauses (2013 edition):

  • Scope of the ISMS (clause 4.3)
  • Information security policy and objectives (clauses 5.2 and 6.2)
  • Information security risk assessment process (clause 6.1.2)
  • Information security risk treatment process (clause 6.1.3)
  • Statement of Applicability (clause 6.1.3 d)
  • Risk treatment plan (clauses 6.1.3 e and 6.2)
  • Records of training, skills, experience, and qualifications (clause 7.2)
  • Results of the risk assessment (clause 8.2)
  • Results of risk treatment (clause 8.3)
  • Monitoring and measurement results (clause 9.1)
  • Internal audit programme (clause 9.2)
  • Results of internal audits (clause 9.2)
  • Results of the management review (clause 9.3)
  • Nature of nonconformities and results of corrective actions (clause 10.1)

Annex A controls

Annex A lists the reference controls that the risk treatment process draws on. In the 2013 edition it contains 14 domains (A.5 to A.18, the list given at the top of this page), 35 control objectives, and 114 controls. Each group of controls consists of:

  • a control objective, stating what the controls in that group are meant to achieve; and
  • the controls themselves, each a one-sentence statement of what shall be done.

Annex A itself carries no implementation guidance; that is in ISO/IEC 27002:2013, which uses the same numbering. Annex A is also not a checklist to implement in full: clause 6.1.3 requires you to select controls based on your risk assessment, compare them against Annex A to verify that no necessary control has been omitted, and record the result, including the justification for any exclusions, in the Statement of Applicability.

Beyond the records required by the main clauses, demonstrating the Annex A controls you have selected will also require you to document at least the following:

  • Definition of security roles and responsibilities (controls A.7.1.2 and A.13.2.4);
  • Inventory of assets (control A.8.1.1);
  • Acceptable use of assets (control A.8.1.3);
  • Access control policy (control A.9.1.1);
  • Operating procedures for IT management (control A.12.1.1);
  • Secure system engineering principles (control A.14.2.5);
  • Supplier security policy (control A.15.1.1);
  • Incident management procedure (control A.16.1.5);
  • Business continuity procedures (control A.17.1.2);
  • Statutory, regulatory, and contractual requirements (control A.18.1.1); and
  • Logs of user activities, exceptions, and security events (controls A.12.4.1 and A.12.4.3).

ISO 27001 Requirements and Documentation

All ISO 27001 requirements, together with the ISMS scope, security policies, and procedures, must be held as documented information and kept under control (clause 7.5). Since this documentation is the evidence an auditor uses to confirm your organization's compliance with ISO 27001, you need to ensure that it is up to date, accurate, and reflects what is actually in place.