How-To Guide: ISO 27001 - Requirements for cybersecurity & privacy protection pertaining to Information Security Management Systems
- Kay TwoOh
- Jun 18, 2024
- 14 min read
Updated: Jun 26, 2024

The following is my own practical approach to ISO 27001. I use examples to explain some of the vaguer items in the standard. If something is self-explanatory it won't have examples. If anything still seems confusing feel free to contact me on LinkedIn and I'd be happy to clarify it for you.
After the summary there is an example information security management system (ISMS) you can review and/or use as a starting point for your own. It is supplied so you can see what an ISMS looks like in a real-world scenario.
After reviewing the ISMS you can move on to the checklist to prepare your organization for ISO 27001 certification (certification is granted after passing an audit by an accredited certification body). Orgs get ISO 27001 certified to meet the expectations of their industry, or because customers and partners require it as a condition of doing business. Certification improves security, reduces legal and contractual exposure, improves business processes, and demonstrates that your business is trustworthy because it commits resources to improving its cybersecurity practices and reducing the risk of cyber attacks.
Summary of ISO 27001:
(The numbering below is my own and is condensed: the standard's clauses 2 and 3, Normative references and Terms and definitions, are skipped, so the standard's clause 4 (Context) appears here as 2, clause 5 (Leadership) as 3 and 4, and clauses 6 through 10 as 5 through 9. Where the summary says "this document" it means the ISO 27001 standard itself.)
1 Scope
The ISO 27001 standard specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS within the context of the organization. It includes the requirements for assessing and treating the information security risks the org faces, tailored to the org's needs. The requirements are generic and apply to orgs of any size or type, and the ISMS is expected to scale as the organization grows and adapts.
2 Context of the Organization
Determine the external and internal issues that are relevant to the org's purpose. This could include internal issues such as disgruntled employees or external issues such as advanced persistent threats. Anything that would affect the org's ability to achieve the intended outcome(s) of its ISMS should be considered.
2.1 Understand the needs and expectations of interested parties
Determine the interested parties that are relevant to the ISMS. Such parties can be internal (board members, executives, individual department managers) or external (customers, regulators, suppliers, and partners), and are not limited to these.
The relevant requirements of those interested parties must be outlined so that the org understands which of these requirements will be addressed through the ISMS. These requirements can include legal and regulatory requirements as well as contractual obligations. An example is a compliance requirement such as PCI DSS for an org that stores, processes or transmits cardholder data.
2.2 Determining the scope of the infosec management system
Determine the boundaries and applicability of the ISMS to establish its scope.
Items to consider include:
a) the aforementioned external and internal issues
b) the aforementioned requirements
c) interfaces and dependencies between activities performed by the org, and those that are performed by other orgs. An example of such a dependency is relying on a third-party firm to run your penetration tests, which gauge vulnerabilities throughout the org's infrastructure; the scope must say where your processes end and theirs begin.
Establish, implement, maintain and continually improve the ISMS, including the processes needed and their interactions, in accordance with the requirements of the standard.
3 Leadership and commitment
Demonstrate leadership and commitment to the ISMS with the following:
a) ensuring the infosec policy and infosec objectives are established and compatible with the strategic direction of the org.
The strategic direction of the org may be changing over time so it's vital that the policy and objectives remain in sight as that occurs.
b) ensuring the ISMS requirements are integrated into the organization's processes
It's important that security requirements are integrated into processes and considered to be baked into any new processes that may be created to stay in line with the strategic direction of the org.
c) ensuring that the resources needed for the ISMS are available
Resources such as human resources, financial resources, and the time and coordination required to properly maintain the ISMS should always be available.
d) communicating the importance of effective infosec management and of conforming to the ISMS requirements
This could be done through periodic meetings and/or security awareness training
e) ensuring that the ISMS achieves its intended outcome(s)
Keeping track of the management system's outcomes is pivotal so the org can ascertain whether or not it needs to make changes to the system. A fixed cadence works well, e.g. quarterly or semi-annually.
f) directing and supporting persons to contribute to the effectiveness of the ISMS
Certain staff such as department managers may have a defined role in the ISMS. This could be keeping track of certain metrics and reporting them appropriately.
g) promoting continual improvement
This could be done with periodic meetings where security awareness and the ISMS itself are standing topics of discussion.
h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
4 Policy
Establish an information security policy that:
a) is appropriate to the purpose of the org.
b) includes the infosec objectives or provides the framework for setting infosec objectives
c) includes a commitment to satisfy applicable requirements related to infosec.
This could be a simple statement pertaining to the requirements and their approach to them.
d) includes a commitment to continual improvement of the ISMS.
e) policy should be available as documented information
f) policy should be communicated within the org
g) policy should be available to interested parties, as appropriate.
4.1 Organizational roles, responsibilities, and authorities
Ensure that the responsibilities and authorities for roles relevant to infosec are assigned and communicated within the org.
Assign the responsibility and authority for:
a) ensuring that the ISMS conforms to the requirements of this document (the standard)
b) reporting on the performance of the ISMS to top management
5 Planning
5.1 Actions to address risk and opportunities
5.1.1 General
When planning for the ISMS, determine the risks and opportunities that need to be addressed to:
a) ensure the ISMS can achieve its intended outcome(s).
b) prevent, or reduce undesired effects
c) achieve continual improvement
The org should also plan:
d) actions to address these risks and opportunities
e) how to integrate and implement the actions into its ISMS processes, and how to evaluate the effectiveness of these actions
5.1.2 Information security risk assessment
Define and apply an infosec risk assessment process that:
a) establishes and maintains infosec risk criteria that include:
1) the risk acceptance criteria
2) criteria for performing infosec risk assessments
b) ensures that repeated risk assessments produce consistent, valid, and comparable results
c) identifies the risks:
1) apply risk assessment process to identify risks associated with the loss of C.I.A (confidentiality, integrity, availability) for information within the scope of the ISMS
2) identify the risk owners
d) analyze the risks:
1) assess the potential consequences that would result if the risks were to materialize
2) assess the realistic likelihood of the occurrence of the risks
3) determine the levels of risk
e) evaluates the risks:
1) compare the results of risk analysis with the risk criteria established
2) prioritize the analyzed risks for risk treatment.
Retain documented information about the infosec risk assessment process.
5.1.3 Information security risk treatment
Define and apply an infosec risk treatment process to:
a) select appropriate risk treatment options, taking account of the risk assessment results
b) determine all controls that are necessary to implement the risk treatment options chosen.
note: orgs can design controls as required, or identify them from any source; Annex A is a reference list, not the only permitted source.
c) compare the chosen controls with the list of possible security controls to verify that no necessary controls have been omitted. (Annex A within the ISO 27001 can be referred to).
d) produce a statement of applicability that contains required controls, justification for their inclusion, whether controls are implemented or not and the justification for excluding any of the Annex A controls.
e) formulate a risk treatment plan
f) obtain risk owners approval of the risk treatment plan and acceptance of the residual risks.
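The risk assessment and treatment steps above (5.1.2 d and e, then 5.1.3 e and f; clauses 6.1.2 and 6.1.3 of the standard), and step 4 of the certification checklist later on this page, describe a scoring-and-prioritisation procedure without showing one. The following is an added worked example, not text from the standard or from any template: it scores a small constructed risk register on five-point likelihood and impact scales, compares each level against an assumed acceptance threshold, orders the risks that exceed it for treatment, and checks that a "modify" treatment names controls and that residual risk still above the threshold has been accepted by the risk owner. The scales, the threshold of 6, the sample risks and the control identifiers in the `controls` lists are all assumptions for illustration; an org defines its own in its risk criteria document.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Risk criteria (5.1.2 a above): five-point scales and an acceptance threshold.
# These values are assumptions for this example, not prescribed by the standard.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTABLE_LEVEL = 6  # a level of 6 or below may be retained without treatment


def risk_level(likelihood: str, impact: str) -> int:
    """5.1.2 d: level of risk = likelihood x consequence on the fixed scales."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


@dataclass
class Risk:
    rid: str
    asset: str
    cia: str                 # which property is lost: C, I or A
    scenario: str
    owner: str               # 5.1.2 c 2): every risk has an owner
    likelihood: str
    impact: str
    treatment: str = "retain"          # retain / modify / avoid / share
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None
    owner_accepted_residual: bool = False

    @property
    def inherent(self) -> int:
        return risk_level(self.likelihood, self.impact)

    @property
    def residual(self) -> int:
        # An untreated risk keeps its inherent level as the residual level.
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.inherent
        return risk_level(self.residual_likelihood, self.residual_impact)


def prioritise(register: List[Risk]) -> List[Risk]:
    """5.1.2 e: compare each level with the acceptance criteria and order the
    risks that exceed it, highest level first, for treatment."""
    above = [r for r in register if r.inherent > ACCEPTABLE_LEVEL]
    return sorted(above, key=lambda r: (-r.inherent, r.rid))


def treatment_plan_findings(register: List[Risk]) -> List[str]:
    """5.1.3 e/f: a 'modify' treatment must name controls, and a residual
    level still above the threshold needs the owner's explicit acceptance."""
    findings = []
    for r in register:
        if r.inherent <= ACCEPTABLE_LEVEL:
            continue
        if r.treatment == "modify" and not r.controls:
            findings.append(f"{r.rid}: treatment 'modify' but no controls selected")
        if r.residual > ACCEPTABLE_LEVEL and not r.owner_accepted_residual:
            findings.append(f"{r.rid}: residual level {r.residual} not accepted by owner {r.owner}")
    return findings


# Constructed sample register (not real data); control ids are assumed.
REGISTER = [
    Risk("R1", "customer database", "C", "SQL injection in web app exposes records",
         "Head of Engineering", "likely", "major", treatment="modify",
         controls=["A.8.28", "A.8.8"], residual_likelihood="unlikely",
         residual_impact="major", owner_accepted_residual=True),
    Risk("R2", "staff laptops", "C", "lost or stolen laptop with unencrypted disk",
         "IT Manager", "possible", "moderate", treatment="modify",
         controls=["A.8.24"], residual_likelihood="possible", residual_impact="minor"),
    Risk("R3", "office internet link", "A", "ISP outage", "IT Manager",
         "unlikely", "minor"),                                   # level 4: retained
    Risk("R4", "build server", "I", "compromised dependency injected into a release",
         "Head of Engineering", "possible", "severe", treatment="modify"),  # no controls yet
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.rid} inherent {r.inherent:>2} -> residual {r.residual:>2} "
              f"({r.treatment}, owner: {r.owner})")
    for finding in treatment_plan_findings(REGISTER):
        print("FINDING:", finding)
```

Running it lists R1, R4 and R2 in that order as needing treatment (R3 sits within the threshold and is simply retained) and raises two findings against R4: it has a "modify" treatment with no controls selected, and its residual level of 15 has not been accepted by its owner. Those two findings are exactly the gaps an auditor looks for when comparing the risk register to the risk treatment plan.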
5.2 Infosec objectives and planning to achieve them
Establish objectives at relevant functions and levels.
Objectives should:
a) be consistent with infosec policy
b) be measurable (if possible)
c) take into account the infosec requirements and results from assessments and treatment
d) be monitored
e) be communicated
f) be updated as appropriate
g) be available as documented information
Retain documented information on the infosec objectives.
When planning how to achieve its infosec objectives, the org should determine:
h) what will be done
i) what resources are required
j) who will be responsible
k) when it will be completed
l) how the results will be evaluated
5.3 Planning of changes
When the org determines the need for changes to the ISMS, the changes should be carried out in a planned manner.
6 Support
6.1 Resources
Determine and provide the resources required for the establishment, implementation, maintenance and continual improvement of the ISMS.
6.2 Competence
The org should:
a) determine the necessary competence of the people doing work under its control that affects its infosec performance.
b) ensure that these persons are competent on the basis of appropriate education, training, or experience
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken
d) retain appropriate documented information as evidence of competence.
Note: applicable actions can include the provision of training to, the mentoring of, or the re-assignment of current employees; or the hiring or contracting of competent people.
6.3 Awareness
People working under the org's control should be aware of:
a) the infosec policy
b) their contribution to the effectiveness of the ISMS, including the benefits of improved infosec performance
c) the implications of not conforming with the ISMS requirements
6.4 Communication
Determine the need for internal and external communications relevant to the ISMS including:
a) on what to communicate
b) when to communicate
c) with whom to communicate
d) how to communicate
6.5 Documented Information
6.5.1 General
The ISMS should include:
a) documented information required by this document
b) documented information determined by the org. as being necessary for the effectiveness of the ISMS.
Note: The extent of the information can differ from one org to another due to:
1) the size of the org and its type of activities, processes, products and services
2) the complexity of processes and their interactions
3) the competence of persons
6.5.2 Creating and updating
When creating and updating documented information the org. should ensure appropriate:
a) identification and description (example: title, date, author, or reference number)
b) format (ex: language, software version, graphics) and media (ex: paper, electronic)
c) review and approval for suitability and adequacy
6.5.3 Control of documented information
Documented information required by the ISMS and by this document should be controlled to ensure:
a) it is available and suitable for use, where and when it's needed
b) it is adequately protected from loss of C.I.A or improper use.
For the control of documented information, the org. should address the following activities, as applicable:
c) distribution, access, retrieval, and use
d) storage and preservation, including the preservation of legibility
e) control of changes (example: version control)
f) retention and disposition
Documented information of external origin, determined by the org. to be necessary for the planning and operation of the ISMS, should be identified as appropriate and controlled.
7 Operation
7.1 Operational planning and control
Plan, implement and control the processes needed to meet requirements, and to implement the actions determined earlier by:
a) establishing criteria for the processes
b) implementing control of the processes in accordance with the criteria
Documented information should be available to the extent necessary to have confidence that the processes have been carried out as planned.
Control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects as needed.
Ensure that externally provided processes, products or services that are relevant to the ISMS are controlled.
7.2 Information security risk assessment
Perform risk assessments at planned intervals or when significant changes are proposed or occur, taking account of the criteria established before.
Retain documented information of the results of the infosec risk assessments.
7.3 Information security risk treatment
Implement the information security risk treatment plan.
Retain documented information of the results of the infosec risk treatment.
8 Performance Evaluation
8.1 Monitoring, measurement, analysis and evaluation
Determine:
a) what needs to be monitored and measured, including infosec processes and controls
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid
c) when the monitoring and measuring should be performed
d) who should monitor and measure
e) when the results from monitoring and measurement should be analyzed and evaluated
f) who should analyze and evaluate these results
Documented information should be available as evidence of the results.
Evaluate the information security performance and the effectiveness of the ISMS.
8.2 Internal Audit
8.2.1 General
Conduct internal audits at planned intervals to provide information on whether the ISMS:
a) conforms to
1) org's own requirements for its ISMS
2) the requirements of this document
b) is effectively implemented and maintained.
8.2.2 Internal audit programme
Plan, establish, implement and maintain an audit program(s), including the frequency, methods, responsibilities, planning requirements and reporting.
When establishing the internal audit program(s), the org should consider the importance of the processes concerned and the results of previous audits.
The org should:
a) define the audit criteria and scope for each audit
b) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process
c) ensure that the results of the audits are reported to relevant management
Documented information should be available as evidence of the implementation of the audit program(s) and the audit results.
8.3 Management review
8.3.1 General
Top management should review the org's ISMS at planned intervals to confirm its continuing suitability, adequacy and effectiveness.
8.3.2 Management review inputs
The management review should include consideration of:
a) the status of actions from previous reviews
b) changes in external and internal issues that are relevant to the ISMS
c) changes in needs and expectations of interested parties that are relevant to the ISMS
d) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions
2) monitoring and measurement results
3) audit results
4) fulfillment of infosec objectives
e) feedback from interested parties
f) results of risk assessments and status of risk treatment plan
g) opportunities for continual improvement.
8.3.3 Management review results
The results of the review should include decisions related to continual improvement opportunities and any needs for changes to the ISMS.
Documented information should be available as evidence of the results of management reviews.
9 Improvement
9.1 Continual improvement
The org should continually improve the suitability, adequacy and effectiveness of the ISMS.
9.2 Nonconformity and corrective actions
When a nonconformity occurs (a nonconformity is the non-fulfilment of a requirement, whether a requirement of the standard or one the org set for itself in its policies, procedures, risk treatment plan or other agreed-upon rules), the org should:
a) react to the nonconformity, and as applicable:
1) take action to control and correct it
2) deal with the consequences
b) evaluate the need for action to eliminate the causes of nonconformity, in order that it does not recur or occur elsewhere by:
1) reviewing the nonconformity
2) determining the causes of the nonconformity
3) determining if similar nonconformities exist, or could potentially occur
c) implement any action needed
d) review the effectiveness of any corrective action taken
e) make changes to the ISMS, if necessary
Corrective actions should be appropriate to the effects of the nonconformities encountered.
Documented information should be available as evidence of:
f) the nature of the nonconformities and any actions taken
g) the results of any corrective action
---------------------------------------------------------------------------------------------------------------------------
Information Security Management System Example:
Now we are ready to review this ISMS example.
You'll notice that it's structured in a similar way to the ISO 27001 document and my summary.
There are free templates you could download and use in the real world to fill this out.
---------------------------------------------------------------------------------------------------------------------------
ISO 27001 Checklist to prepare for certification audit:
Once the org sets its initial version of the ISMS it will be ready for the ISO 27001 checklist.
This section defines key control activities that are critical to meeting ISO 27001 requirements and obtaining certification for the organization. It's important to remember that this checklist is purely for educational purposes. In the real world, organizations should ensure that their control activities (which include, but are not limited to, the ones listed here) are designed and operating before pursuing ISO certification.
The ISO 27001 checklist offers a framework, but the actual certification process looks different for every company. Company size, existing documentation and the shape of your ISMS are some of the factors that make the certification process differ from org to org.
ISO 27001 Checklist:
1. Assign Roles.
Some companies choose an in-house implementation lead and have employees create security documentation and conduct internal audits. Others prefer an outside consultant or contractors. The first step on your ISO 27001 checklist is to make this crucial decision based on your employees’ expertise and your capacity to divert teams from existing priorities for lengthy, in-depth security work.
2. Conduct Gap Analysis
A gap analysis looks at your existing ISMS and documentation and compares them to the ISO 27001 requirements; if you conduct your own, an ISO 27001 gap analysis checklist gives you a better sense of what to look for.
You’ll walk away from the analysis with compliance gaps that should define your preparation process and a timeline for how long it will take to reach compliance. Without this personalized roadmap, companies can spend time and money on projects that aren’t directly tied to certification.
3. Develop and document the parts of your ISMS required for certification
Your ISMS will consist of all the internal ISO 27001 policies and procedures in place for cybersecurity. It consists of people, processes, and technology, so it necessitates looking at how information is accessed, when, and by whom. You’ll find all locations where data is stored, document how it is accessed, and make policies to protect it at these touchpoints (hint: you can find ISO 27001 templates for much of the work you’ll need to present at your audit). Consider both physical and digital data in this step.
4. Conduct an internal risk assessment
Now that you know all about your data, it's time to document the known risks to that data. An ISO 27001 asset management checklist, network security checklist, firewall security audit checklist, or risk assessment checklist can help you identify and document these risks. The process starts with deciding how you'll identify and rate risks: how likely is each one to occur, and how severe would the impact be if it did? A risk matrix (likelihood against impact) helps you sort risks so that high-likelihood, high-impact ones are treated first. For each risk, develop a response plan and assign a team member accountable for following up. For external data centers, an ISO 27001 data center audit checklist can help you document quality control and security procedures.
5. Write a statement of applicability (SOA)
It's time to dig into the ISO 27001 guidelines. In Annex A of the ISO 27001 document you'll find the reference list of controls: 114 controls in the 2013 edition, consolidated into 93 controls across four themes (organizational, people, physical, technological) in the 2022 edition. Select those that address the risks you identified in your risk assessment (you may add controls from other sources as well). Then write the statement of applicability: for every Annex A control, whether it applies, whether it is implemented, and the justification for including or excluding it. You will need this document for the audit process.
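Checklist step 5 and item 5.1.3 c and d in the summary both require the same cross-check: every Annex A control gets an include/exclude decision with a justification, and nothing the risk treatment plan relies on may be missing from the SoA or marked not applicable. The following is an added example, not a template from the standard or from any vendor, that performs that check over three constructed artefacts: a handful of Annex A (2022 numbering) entries standing in for the full 93-control catalogue, a toy risk treatment plan, and a toy SoA with deliberate gaps. The control titles are the standard's; the treatment plan, the SoA rows and the risk ids are assumptions for illustration.

```python
from typing import Dict, List, Tuple

# Constructed subset of Annex A (ISO/IEC 27001:2022 numbering) used for
# illustration; the real catalogue has 93 controls and should be loaded from
# your own SoA template.
ANNEX_A: Dict[str, str] = {
    "A.5.1": "Policies for information security",
    "A.6.3": "Information security awareness, education and training",
    "A.7.1": "Physical security perimeters",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.24": "Use of cryptography",
    "A.8.28": "Secure coding",
}

# Constructed risk treatment plan: risk id -> controls the treatment relies on.
TREATMENT_PLAN: Dict[str, List[str]] = {
    "R1": ["A.8.28", "A.8.8"],
    "R2": ["A.8.24"],
}

# Constructed SoA: control id -> (applicable, implemented, justification).
# A.6.3 is missing entirely and A.7.1 is excluded with no justification.
SOA: Dict[str, Tuple[bool, bool, str]] = {
    "A.5.1": (True, True, "Required by the policy clause; policy set approved by the CISO"),
    "A.7.1": (False, False, ""),
    "A.8.8": (False, False, "Patching is handled by the hosting provider"),
    "A.8.24": (True, True, "Treats R2: full-disk encryption on all laptops"),
    "A.8.28": (True, False, "Treats R1: secure coding standard, rollout in Q3"),
}


def check_soa(annex_a: Dict[str, str],
              plan: Dict[str, List[str]],
              soa: Dict[str, Tuple[bool, bool, str]]) -> List[str]:
    """Return the findings an auditor would raise when reconciling the SoA
    against Annex A and against the risk treatment plan."""
    findings: List[str] = []

    # d) every Annex A control needs an explicit include/exclude decision
    for cid in annex_a:
        if cid not in soa:
            findings.append(f"{cid}: no SoA entry (needs an include/exclude decision)")

    # d) both inclusion and exclusion need a written justification
    for cid, (applicable, _implemented, justification) in soa.items():
        if not justification.strip():
            kind = "inclusion" if applicable else "exclusion"
            findings.append(f"{cid}: {kind} has no justification")

    # c) nothing the treatment plan relies on may be missing or excluded
    for rid, controls in plan.items():
        for cid in controls:
            entry = soa.get(cid)
            if entry is None:
                findings.append(f"{rid}: relies on {cid}, which has no SoA entry")
            elif not entry[0]:
                findings.append(f"{rid}: relies on {cid}, which the SoA marks not applicable")

    return findings


def implementation_gap(soa: Dict[str, Tuple[bool, bool, str]]) -> List[str]:
    """Applicable controls not yet implemented: the to-do list for step 6."""
    return sorted(cid for cid, (applicable, implemented, _) in soa.items()
                  if applicable and not implemented)


if __name__ == "__main__":
    for finding in check_soa(ANNEX_A, TREATMENT_PLAN, SOA):
        print("FINDING:", finding)
    print("still to implement:", implementation_gap(SOA))
```

On the sample data this reports three findings: A.6.3 has no SoA entry, A.7.1 is excluded without justification, and R1's treatment relies on A.8.8 even though the SoA marks it not applicable. The last one is the kind of inconsistency that is easy to miss when the risk register and the SoA are maintained in separate spreadsheets, and it is precisely what 5.1.3 c asks you to verify.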
6. Implement your controls
Now that you've compared your policies and systems to the ISO 27001 controls and applied controls to your own ISMS, it's time for your workplace's systems to reflect what you documented. You may need to update software, procedures, or policies regarding how people handle data. For example, if your SoA says you use cryptography to protect confidentiality (Annex A control 8.24 in the 2022 edition), the encryption has to actually be deployed and configured, and you need evidence of that, before the audit.
7. Train the internal team on your ISMS and security controls
For the controls you selected, from Annex A or elsewhere, you need to train the internal team on the security practices those controls require so that conformity holds across the board. Failure to do so can result in a failed audit. For that reason, it's also vital to document the training (attendance, dates, content), as you will need this evidence for the audit process.
8. Conduct an internal audit
An internal audit prepares you for the official audit and tests your new systems. Are your controls working? It can be conducted by an internal team that was not involved in setting up and documenting your ISMS, or by an independent external reviewer; either way the auditors must be objective and impartial about what they audit.
An internal audit lets you know where you stand and gives you the chance to make changes before the official audit. To get started, try using an ISO 27001 self-assessment checklist or an ISO 27001 internal audit checklist.
9. Have an accredited certification body conduct the ISO 27001 certification audit
Certification is issued by a certification body that is itself accredited by a recognized accreditation body; its lead auditor conducts a two-stage audit. In stage 1 the auditor reviews your documentation and the design of your controls. Get a handle on this portion of the audit ahead of time by working through an ISO 27001 stage 1 audit checklist.
In stage 2 the auditor performs the site audit: they test your controls to ensure they are actually operating and being followed. You guessed it: you can get ahead of this step too, with an ISO 27001 stage 2 audit checklist. You'll get a list of major and minor nonconformities for each stage; once major nonconformities are corrected (and corrective action plans are in place for minor ones), you'll be issued ISO 27001 certification.
10. Plan for maintaining certification
ISO 27001 certification lasts three years, but you'll conduct risk assessments and undergo surveillance audits each year while preparing updated documentation for your recertification audit in the third year. In addition to updating your policies and systems and managing your ISMS, there's ongoing employee training to schedule annually.
Overall, the steps you’ll need to fulfill ISO 27001 guidelines can be broken down into multiple smaller checklists. Depending on the needs of your organization, make use of resources like an ISO 27001 Annex A checklist, ISO 27001 evidence checklist, ISO 27001 gap analysis checklist, or ISO 27001 surveillance audit checklist.
I hope this has been informative.
If you have any questions feel free to reach out to me on LinkedIn.
Thank you for reading.