ISO/IEC 27001 Requirements

ISO 27001 Requirements and Controls

ISO/IEC 27001 Requirements are comprised of eight major sections of guidance that must be implemented by an organization, as well as an Annex, which describes controls and control objectives that must be considered by every organization:

Section NumberExpectations
1-3. ISO Scope, References, TermsGeneral introduction notes to the standard
4. Context of the OrganizationDetermining the scope of an organization’s Information Security Management System (ISMS)
Understanding of strategy, interested parties, needs and expectations
5. LeadershipLeadership Commitment
Information Security Policy
Roles and Responsibilities
6. PlanningRisk Assessment Process and Plan
Risk Treatment Planning
Security objectives, metrics, and plans
7. SupportResource Management Competency and Training
Security Awareness
Document Management
8. OperationOperational Planning and control
Risk assessment
Implementation of risk treatment
9. Performance EvaluationMonitor and measure
Analysis of Performance
Internal Audit
Management review
10. Improvement Corrective Action
Continual Improvement

Within ISO 27001, the sections outlined above constitute the management system elements or mandatory ISO 27001 requirements, which are designed to set expectations and provide guidance on how to implement an information security management system that provides predictable results.

Based on operations, services and the risk levels associated with an organization and sector, each company will select controls from ISO 27001 Annex A; the controls are intended to help to reduce the likelihood of a harmful information security incident.

ISO 27001 Annex A Objective Controls

The Annex A controls and control objectives are applied to organizationally defined risks to help provide mitigation of risks to assets with the intent to provide a system that defines how information security is managed, what steps are taken, and the results that are intended to be achieved.

In many cases, organizations may have already invested time and resources to control specific requirements. For example, a company that has invested in firewalls to protect networks, implemented background checks for new employees, and/or created access profiles on existing systems to segregate access to information to those that “need to know”.

Since many organizations have started the implementation process to meet customers’ demands, the most pragmatic way to approach ISO/IEC 27001 requirements is to evaluate the current system against each of the mandatory processes and Annex A controls. The Annex A controls are grouped as follows:

A.5 – Information Security Policies

A.6 – Organization of information security

A.7 – Human resources security

A.8 – Asset management

A.9 – Access control

A.10 – Cryptography

A.11 – Physical and environmental security

A.12 – Operations Security

A.13 – Communications Security

A.14 – System acquisition, development and maintenance

A.15 – Supplier Relationships

A.16 – Information Security Incident Management

A.17 – Business Continuity

A.18 – Compliance

After implementing the ISO 27001 requirements for an information security management system, ISO 27001 certification or ISO 27001 registration is a method in which a company can prove that they have successfully implemented the requirements.

After documenting processes and performing reviews, a company may hire an independent auditing company to review their processes and ensure that the company is adhering to the developed processes. At the end of the audit, the company is presented with a certificate that they can then provide to existing and potential customers as proof of their commitment to information security.

An organization ultimately needs to understand the ISO 27001 requirements and controls and how to get ISO 27001 certified.

Looking for methods to address information security?

Learn more about how we can accelerate your ISO 27001 implementation. We will contact you the moment we receive your information to discuss and our certified ISO 27001 Consultants will show you how to successfully prepare for and achieve an ISO 27001 implementation, and strategically support your information security goals and objectives.