ISO/IEC 27001 FAQ Frequently Asked Questions and Answers

What is ISO 27001?

ISO/IEC 27001 is an information security standard, part of the ISO/IEC 27000 family of standards, of which the last version was published in 2013, with a few minor updates since then. It is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.

ISO/IEC 27001 specifies a management system that is intended to bring information security under management control and gives specific requirements. Organizations that meet the requirements may be certified by an accredited certification body following successful completion of an external and independent audit.

How to be ISO 27001 Certified?

An organization can become ISO 27001:2013 certified by successfully completing the certification process mentioned above. Preparation for certification requires the establishment of an Information Security Management System that meets the requirements of the ISO 27001:2013 standard.

Why get ISO 27001 Certification?

An ISO 27001:2013 certification provides numerous benefits to an organization:

  • Evidence that the organization has a program in place to manage information security
  • The framework may be used to manage multiple compliance requirements (such as NIST, PCI, FedRAMP, etc.) that impact the organization and can cause resource constraints if not well integrated
  • Cyber security is an evolving challenge; ISO 27001 may be used to manage constant change and growing security needs as technology advances and security practices must keep ahead of emerging threats
  • Provides a framework for people, processes, and technology to align to organizational requirements

Differences between ISO 27001 and 27002?

ISO 27001 is the standard that an organization seeks certification against, while ISO 27002 is the code of practice that provides additional implementation guidance for the security controls identified in Annex A of ISO 27001:2013.

Differences between ISO 9001 and 27001?

ISO 9001 focuses on quality while ISO 27001 focuses on information security. Both standards have a common framework, which allows for integration to manage quality and security concerns.

Why do a Risk Assessment?

An information security risk assessment is an evaluation of your organization’s vulnerabilities against common areas that require security controls to manage internal and external threats to your data. Understanding your risks is the first step in deciding what level of control is needed to manage risks to an acceptable level to better protect the confidentiality, availability, and integrity of your organization’s critical information and assets.

What is an ISO 27001 Audit?

An ISO 27001 audit is either an internal or an external audit that evaluates the organization’s Information Security Management System against both internal requirements and the ISO 27001:2013 standard. It determines how well the organization is using its information security policies and controls to manage vulnerabilities and protect against threats that pose a risk to the organization and to the confidentiality, availability, and integrity of its information.

What is an ISMS?

An ISMS is a management system framework for information security. It involves a risk-based approach to managing information security and includes guidance on the practices and controls necessary to manage the confidentiality, integrity, and availability of information.

What is Information Security?

Information Security (InfoSec) can best be defined as the preservation of the confidentiality, integrity, and availability (CIA) of information. To get a better idea of what this means, we should look at the three facets of CIA with regard to InfoSec.

  • Confidentiality – the prevention of compromise or unauthorized access to information.
  • Integrity – the state of being unchanged or uncorrupted.
  • Availability – the ability to be accessed or used when needed.

What should I put in my Information Security Policy?

When trying to establish an Information Security Policy there are many things to consider. On the whole, the policy should be clear and concise and describe the importance of information security (IS) to the organization. This policy should be written after the Context of the Organization has been determined, and should define, at a high level, the IS mandates, requirements, and practices of the organization without containing any sensitive or confidential information.

Other policies should be aligned to the Information Security Policy and can be focused within certain areas or concerns (e.g. Access Control, Acceptable Use, Social Media, and others). This policy is management’s way of communicating to interested parties what is expected of them, so it should be written so that it is understandable. It should detail the following:

  • What is the scope of this policy?
  • What information assets does this policy cover?
  • Who does the policy apply to?
  • What are the objectives of this policy?
  • What/Who are the main roles?
  • Management and user responsibilities
  • Effective date, version, and how to access the policy

If this policy is being defined for a specific standard or set of controls, then other content or commitment may be required.

What is Least Privilege?

The Principle of Least Privilege (POLP) is the practice of providing access to the minimum necessary information, systems, tools, and areas that are needed to perform tasks. Least Privilege is a critical concept in information security and is one of the primary controls within all IS structures. In order for Least Privilege to be successful, there needs to be an assessment made of the value or classification of the information and the control structures defined around it.

Definition of ISO 27000 Standards Series

The ISO 27000 series consists of multiple standards that together provide guidance on how to implement an information security management system.

The ISO 27000 series comprises the following six most commonly used standards:

  1. ISO 27000:2016 – Describes the terminology and vocabulary used for information security management systems;
  2. ISO 27001:2013 – Specific requirements for the implementation of an information security management system and controls for information security risks that each organization must consider to maintain the confidentiality, integrity and availability of information assets;
  3. ISO 27002:2013 – Commonly referred to as the Code of Practice, ISO 27002 provides guidance on the application of security controls in an information security management system;
  4. ISO 27003:2010 – Guidance on the implementation of ISO 27001 and ISO 27002 for organizations;
  5. ISO 27004:2009 – Guidance on the use of metrics to manage the health of information security management systems;
  6. ISO 31000:2009 – Guidance on risk management methodologies and techniques.

In the last several years, multiple additional standards have been published in the ISO 27000 series, including sector-specific guidance for healthcare and telecommunications and more specific information on technical control management around applications and networks, to name a few.

Most organizations typically work with ISO 27001 and ISO 27002 when implementing an information security management system.

Our certified ISO 27001 Consultants can show you how to successfully prepare for and achieve an ISO 27001 implementation, and strategically support your information security goals and objectives.

What is Annex A of the ISO 27001:2013 standard?

Annex A of the standard consists of 114 controls organized by objective into 14 categories which deal with a variety of issues such as:

  • Physical security
  • Access management
  • Information security training
  • Data encryption and transmission
  • and others

The purpose of these control sets is to provide a comprehensive starting point for addressing the threats and vulnerabilities identified in the risk assessment. The Annex also forms the basis for one of the standard’s mandatory pieces of documentation, the Statement of Applicability.

Is there any mandatory documentation for an ISMS?

Yes. There are many pieces of mandatory documentation within the standard. However, a majority of them are policy documents that outline the organization’s requirements when dealing with certain situations or controls, such as access control and required encryption. Other instances of mandatory documentation are also discussed, for example, procedures for change control and continuity as well as a Statement of Applicability.

What exactly is a Statement of Applicability?

A Statement of Applicability (SoA) is a living record that acts as both an output and a testament of the risk treatment process. It documents the disposition of all the controls listed in Annex A. It must list all of the controls as well as their status in the ISMS – whether or not they are applicable within the ISMS, whether or not they are implemented, and the justification for either inclusion or exclusion (ref. ISO 27001:2013 Section 6.1.3 d). When completed, the SoA should act as a “road map” to the technical implementation of the ISMS.
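The record described above lends itself to a simple consistency check: every control needs a disposition, a justification, and an implementation status that does not contradict the disposition. The following is an added example, not part of this FAQ or of the standard; the record layout is an assumption based on the fields listed above, and the five entries are a constructed subset of Annex A control identifiers used only for illustration.

```python
"""Consistency checker for a Statement of Applicability (SoA).

Added example (not from the FAQ or ISO). Record layout is an assumption
that follows ISO 27001:2013 6.1.3 d: for each Annex A control, whether it
is applicable, whether it is implemented, and a justification for
inclusion or exclusion. Control ids below are real Annex A identifiers;
the dispositions and justifications are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SoaEntry:
    control_id: str      # Annex A identifier, e.g. "A.9.2.3"
    title: str           # control title as it appears in Annex A
    applicable: bool     # included in the ISMS or excluded
    implemented: bool    # implementation status at time of review
    justification: str   # reason for inclusion or exclusion (6.1.3 d)


# Constructed sample SoA. The last three rows deliberately contain defects
# a reviewer would want flagged before an audit.
SAMPLE_SOA = [
    SoaEntry("A.9.2.3", "Management of privileged access rights", True, True,
             "Required by the access control policy; privileged accounts reviewed quarterly"),
    SoaEntry("A.9.4.4", "Use of privileged utility programs", True, False,
             "Treats risk R-12 (constructed id): admin tooling; rollout in progress"),
    SoaEntry("A.12.4.1", "Event logging", True, True, ""),          # no justification
    SoaEntry("A.12.4.2", "Protection of log information", False, True,
             "Handled by managed SIEM provider"),                    # excluded, yet marked implemented
    SoaEntry("A.11.1.1", "Physical security perimeter", False, False, ""),  # exclusion without justification
]

# Controls the SoA is expected to cover; includes one id missing from SAMPLE_SOA.
EXPECTED_CONTROLS = frozenset({
    "A.9.2.3", "A.9.4.4", "A.12.4.1", "A.12.4.2", "A.11.1.1", "A.18.1.1",
})


def check_soa(entries, expected_ids):
    """Return {control_id: [finding, ...]}; an empty dict means no defects."""
    findings = {}
    seen = set()
    for e in entries:
        issues = []
        if e.control_id in seen:
            issues.append("duplicate entry")
        seen.add(e.control_id)
        if not e.justification.strip():
            # 6.1.3 d requires a justification for inclusions AND exclusions
            issues.append("justification missing")
        if not e.applicable and e.implemented:
            # An excluded control cannot also be counted as implemented
            issues.append("excluded control marked as implemented")
        if issues:
            findings[e.control_id] = issues
    for cid in sorted(expected_ids - seen):
        findings[cid] = ["control absent from SoA"]
    return findings


def summarize(entries):
    """Counts an auditor typically asks for: applicable, implemented, excluded."""
    applicable = [e for e in entries if e.applicable]
    return {
        "total": len(entries),
        "applicable": len(applicable),
        "implemented": sum(1 for e in applicable if e.implemented),
        "excluded": sum(1 for e in entries if not e.applicable),
    }


if __name__ == "__main__":
    for cid, issues in check_soa(SAMPLE_SOA, EXPECTED_CONTROLS).items():
        print(f"{cid}: {', '.join(issues)}")
    print(summarize(SAMPLE_SOA))
```

Running the script lists the three defective rows plus the control that is absent from the SoA; a clean SoA produces no findings, and the summary gives the applicable/implemented/excluded counts that usually open the certification audit discussion.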

What is considered an Information Asset?

Information Assets are typically the focus of any management system that deals with information security. They begin with the actual information or data sets that fall within the boundaries of the system. This can also include anything that creates, manages, manipulates, or accesses the data during the information lifecycle. These associated assets can be hardware, paper/documented info, software & information systems, services, or ultimately, even specialized people like subject matter experts and their specific knowledge.

How do I dictate my information security requirements to global IT providers like Microsoft, AWS, and Google?

When vendors or suppliers are included as part of the system, we need to ensure that the mandatory and desired requirements of the organization are written into agreements. When the supplier is an entity that is much larger, the answer is as simple as reviewing the controls that are part of the agreement or service and reconciling them against the organization’s. Any requirements that are not included can be managed as identified risks or via other suppliers that can fulfill the need.

What level of background screening is required for ISO 27001 compliance?

A core control within all the Information Security standards is the concept of performing background screening on all employees or resources. The question at times is, “How much is enough?”

When dealing with ISMS requirements, it’s really up to the system itself. Much of the level of implementation is driven by the information that is involved in the scope. The stricter the classification, the greater the need for security, and therefore the need for surety in the people who are allowed access to the information. It’s also a question of the access levels being assigned. When implemented correctly in a system with multiple classification levels, background screens are usually contextual. In other words, a candidate for an administrative assistant position will be given less access to sensitive information than an accountant, legal advisor, or IT personnel. Their background screens should mirror that gradient if possible. For example, an accountant may undergo a basic minimum background investigation (MBI) along with an additional credit check.

If my organization implements an ISO 27001 conforming ISMS, how close would we be to being NIST 800-171 CUI compliant?

The truth is that this is not an easily answered question. You may be expecting a simple figure. If one were to go by the mapping table located in Appendix D of NIST 800-171, you would probably calculate that the coverage level is approximately eighty percent. However, that percentage really depends on the individual organization and how completely it sets up its IS control structure.

One prime example of this misunderstanding is CUI control 3.1.7, “Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.” The mapping table identifies that there are no directly mapped ISO 27001 controls. Though technically true, it does dismiss the fact that the access aspect of this control is well covered by A.9.2.3 Management of privileged access rights and A.9.4.4 Use of privileged utility programs, and the logging aspect is covered in A.12.4.1 Event logging and A.12.4.2 Protection of log information.

In the end, a thorough assessment of current controls and status is required to truly understand the level of compliance.