ISO/IEC 27001:2005 Information technology — Security techniques — Specification for an Information Security Management System
ISO/IEC 27001 is the formal set of specifications against which organizations may seek independent certification of their Information Security Management System (ISMS).
ISO/IEC 27001 specifies requirements for the establishment, implementation, monitoring and review, maintenance and improvement of a management system – an overall management and control framework – for managing an organization’s information security risks. It does not mandate specific information security controls but stops at the level of the management system.
The standard covers all types of organizations (e.g. commercial enterprises, government agencies and non-profit organizations) and all sizes from micro-businesses to huge multinationals.
This is clearly a very wide brief.
Bringing information security under management control is a prerequisite for sustainable, directed and continuous improvement. An ISO/IEC 27001 ISMS therefore incorporates several Plan-Do-Check-Act (PDCA) cycles: for example, information security controls are not merely specified and implemented as a one-off activity but are continually reviewed and adjusted to take account of changes in the security threats, vulnerabilities and impacts of information security failures, using review and improvement activities specified within the management system.
According to JTC1/SC27, the ISO/IEC committee responsible for ISO27k and related standards, ISO/IEC 27001 “is intended to be suitable for several different types of use, including:
- Use within organizations to formulate security requirements and objectives;
- Use within organizations as a way to ensure that security risks are cost-effectively managed;
- Use within organizations to ensure compliance with laws and regulations;
- Use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
- The definition of new information security management processes;
- Identification and clarification of existing information security management processes;
- Use by the management of organizations to determine the status of information security management activities;
- Use by the internal and external auditors of organizations to demonstrate the information security policies, directives and standards adopted by an organization and determine the degree of compliance with those policies, directives and standards;
- Use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations that they interact with for operational or commercial reasons;
- Implementation of a business enabling information security; and
- Use by organizations to provide relevant information about information security to customers.”
Structure and content of ISO/IEC 27001
ISO/IEC 27001:2005 has the following sections:
0 Introduction – the standard uses a process approach.
1 Scope – it specifies generic ISMS requirements suitable for organizations of any type, size or nature.
2 Normative references – only ISO/IEC 27002:2005 is considered absolutely essential to the use of ’27001.
3 Terms and definitions – a brief, formalized glossary, soon to be superseded by ISO/IEC 27000.
4 Information security management system – the ‘guts’ of the standard, based on the Plan-Do-Check-Act cycle where Plan = define requirements, assess risks, decide which controls are applicable; Do = implement and operate the ISMS; Check = monitor and review the ISMS; Act = maintain and continuously improve the ISMS. Also specifies certain specific documents that are required and must be controlled, and states that records must be generated and controlled to prove the operation of the ISMS (e.g. certification audit purposes).
5 Management responsibility – management must demonstrate their commitment to the ISMS, principally by allocating adequate resources to implement and operate it.
6 Internal ISMS audits – the organization must conduct periodic internal audits to ensure the ISMS incorporate adequate controls which operate effectively.
7 Management review of the ISMS – management must review the suitability, adequacy and effectiveness of the ISMS at least once a year, assessing opportunities for improvement and the need for changes.
8 ISMS improvements – the organization must continually improve the ISMS by assessing and where necessary making changes to ensure its suitability and effectiveness, addressing nonconformance (noncompliance) and where possible preventing recurrent issues.
Annex A – Control objectives and controls – little more in fact than a list of titles of the control sections in ISO/IEC 27002, down to the second level of numbering (e.g. 9.1, 9.2).
Annex B – OECD principles and this International Standard – a table briefly showing which parts of this standard satisfy 7 key principles laid out in the OECD Guidelines for the Security of Information Systems and Networks.
Annex C – Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard – the standard shares the same basic structure of other management systems standards, meaning that an organization which implements any one should be familiar with concepts such as PDCA, records and audits.
Mandatory requirements for certification
ISO/IEC 27001 is written as a formalized specification such that accredited certification auditors are meant to be able to use the standard as a formal description of items that their clients must have in order to be certified compliant. It does indeed specify certain mandatory documents explicitly.
However, in other areas it is vaguer and, in practice, other documents are commonly demanded, including certain items which provide the auditors with evidence or proof that the ISMS are operating.
Organizations can specify the scope of their ISO/IEC 27001 certification as broadly or as narrowly as they wish. Understanding the scoping documents plus Statements of Applicability (SoA) is therefore crucial if one intends to attach any meaning to the certificates. If an organization’s ISO/IEC 27001 scope only notes “Acme Ltd. Department X”, for example, the associated certificate says nothing about the state of information security in “Acme Ltd. Department Y” or “Acme Ltd.” as a whole.
Similarly, if the SoA asserts that antivirus controls are not necessary for some reason, the certification body will doubtless have checked that assertion but will not have certified the antivirus controls – in fact, they may not have assessed any technical controls since ISO/IEC 27001 is primarily a management system standard, so compliance requires the organization to have a suite of management controls in place but does not necessarily require specific information security controls.
Certification is entirely optional but is increasingly being demanded from suppliers and business partners by organizations that are concerned about information security.
Certification against ISO/IEC 27001 brings a number of benefits above and beyond simple compliance, in much the same way that an ISO 9000-series certificate says more than “We are a quality organization”. Independent assessment necessarily brings some rigor and formality to the implementation process (implying improvements to information security and all the benefits that brings through risk reduction), and invariably requires management approval (which is an advantage in security awareness terms, at least!).
The certificate has marketing potential and should help assure most business partners of the organization’s status with respect to information security without the necessity of conducting their own security reviews.