Whitepaper iso 27001_isms | All about ISO 27001
WHITEPAPER | ISO 27001
Information Security Management System
CHANDAN SINGH GHODELA
Master of Computer Applications
ISO 27001 Lead Auditor | PCI DSS Implementer
INDEX
1. ISO 27001
2. Information Security Management System
3. Key elements of an Information Security Management System
4. Standard's objectives
5. What the ISO/IEC 27001 standard provides for
6. Integration with other standards
7. Benefits of implementation and certification
8. What the implementation of ISO/IEC 27001 gives
9. Requirements for documented information in ISO/IEC 27001
10. Auditing Guidelines for ISO/IEC 27001
11. Classification of Controls
12. Profile
ISO 27001 | Information Security Management System
ISO 27001
ISO/IEC 27001 is an international standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). By and large, it is a codified set of "best practices" that lets an organization select security controls so that its information is protected and its customers receive appropriate assurance.
During certification, an independent, accredited certification body sends auditors whose main purpose is to check the organization's information security processes for conformity with the standard and, through it, with recognized best practice. Over the course of the audit the auditors examine numerous processes in different departments, such as HR, IT, R&D and Security, and draw up a report. That report is then reviewed by other experts at the certification body who were not involved in the audit, to confirm impartiality and to check that the audit was conducted correctly. Only after this review is a certificate issued, stating that the information security management system conforms to ISO/IEC 27001.
The ISO 27001 standard distils international experience in information security management and describes a methodology for building an integrated information security management system. The standard defines requirements for data classification, access control, employee responsibilities, personnel security and other aspects of information security. A management system built in accordance with this standard allows an enterprise to plan, control and manage its information protection processes effectively.
According to a report by Analysys Mason, approximately 33% of cloud service providers adhere to the ISO 27001 standard. The standard was first published in 2005 (with revised editions in 2013 and 2022) and sets out the requirements for an information security management system (ISMS). Its purpose is to establish rules for the creation, implementation, operation, monitoring, review, maintenance and improvement of an ISMS: a set of policies, procedures and controls (physical, technical, organizational and legal) that together form the risk management process for the information the organization handles.
Information security management systems
• Information security (IS) issues are vitally important for a modern organization.
• An information security management system developed in accordance with the requirements of ISO/IEC 27001 helps the organization preserve its assets and ensure the confidentiality, integrity and availability of information.
• Since 2005 more than 25 thousand companies worldwide have undergone certification audits for compliance with the requirements of ISO/IEC 27001 (according to IRCA).
• Certification is a useful tool for increasing confidence, since it demonstrates that products and services meet customers' needs in the field of information security.
The ISO/IEC 27001 standard is a source of best practice for developing management systems and is applicable to almost any organization, regardless of ownership, type of activity, size or external conditions. It is technology-neutral: it does not prescribe particular products and leaves the choice of technology to the organization. ISO/IEC 27001 is the best-known standard in the ISO/IEC 27000 series and the one that sets out the requirements for an ISMS; the series as a whole contains more than a dozen standards.
An information security management system (ISMS) is the part of the overall management system, based on a business-risk approach, whose purpose is to establish, implement, operate, monitor, review, maintain and improve information security. It is a systematic approach to managing sensitive information. The system includes people, business processes and IT systems, brought together through the implementation of risk management processes.
To determine information security requirements, the standard identifies three main sources:
• assessment of the risks the organization faces (identification of threats to assets, the vulnerabilities of those assets, the likelihood that a threat materializes and the resulting damage);
• the legislative, regulatory and contractual requirements that the organization, its business partners, contractors and service providers must comply with;
• the set of principles, objectives and requirements for information processing that the organization has developed to support its activities.
Key elements of an Information Security Management System:
• protection against unauthorized access to systems, including protection against unauthorized access by the organization's own employees;
• authentication and authorization;
• protection of data transmission channels, ensuring integrity;
• ensuring that data exchanged with customers is current and accurate;
• electronic document management;
• IS incident management;
• business continuity management;
• internal and external audit of the information security management system.
Standard's objectives:
• establishing uniform requirements for ensuring organizations' information security;
• ensuring communication between management and employees;
• improving the effectiveness of measures to ensure and maintain organizations' information security.
The ISO/IEC 27001 standard provides for:
• definition of the objectives, overall direction and principles of activity regarding information security;
• identification of the organization's approach to risk assessment and risk treatment;
• management of information security in accordance with applicable laws and regulatory requirements;
• a unified approach to the development, implementation, operation, monitoring, review, maintenance and improvement of the management system in order to achieve the information security objectives;
• identification of the processes of the information security management system;
• determination of the status of information security measures;
• internal and external audits to determine the degree of conformity of the information security management system with the standard's requirements;
• provision of adequate information to partners and other stakeholders about the information security policy.
Integration with other standards
A further advantage of implementing ISO/IEC 27001 is the direct benefit to organizations wishing to run more than one management system at a time, since an ISMS can be integrated with, for example:
• a business continuity management system (ISO 22301);
• an IT service management system (ISO/IEC 20000-1);
• a quality management system (ISO 9001).
These standards share the same high-level structure (the ISO harmonized structure, formerly known as Annex SL), which saves time and money because integrated policies and procedures can be written once and reused across all of them.
Benefits of implementation and certification
• Increased confidence of clients, partners and other stakeholders.
• Increased stability of the organization's operations.
• International recognition and an improved company image in domestic and foreign markets.
• Adequate measures to protect information against real threats.
• Mitigation and (or) elimination of damage from information security incidents.
• Demonstration of a defined level of information security, which assures stakeholders that their information is kept confidential.
• An increase in the value of intangible assets and a decrease in insurance premiums, both of which add value to the company.
• Lower operating costs and the elimination of "cross" financing within the framework of the information security management system.
• Eligibility to participate in major government contracts.
• Significantly easier audits for compliance with PCI DSS and ISO/IEC 20000-1 requirements, since much of the evidence overlaps.
What the implementation of ISO/IEC 27001 gives
The main advantage of developing and implementing an ISMS in accordance with the requirements of ISO/IEC 27001 is independent evidence of the stability and reliability of the organization's business processes, including:
• increased credibility of the organization;
• increased stability of the organization's operations;
• adequate measures to protect information against real threats;
• mitigation and (or) elimination of damage from information security incidents.
Economic benefits:
• independent confirmation that the organization has properly implemented risk management, and that the relevant management system procedures have been developed, implemented, and are continually reviewed and improved by competent and responsible personnel;
• evidence of compliance with applicable laws and regulations (the system of mandatory requirements);
• proof that senior management is committed to, and accountable for, maintaining the management system across the whole organization in accordance with the established requirements;
• demonstration of the "maturity" of the management system, which supports a high level of service to customers and partners;
• demonstration that management system audits, performance evaluations and continual improvement are carried out regularly.
Requirements for documented information in ISO/IEC 27001
Most of the points are simple and straightforward (well, if you have already implemented an ISMS), but here is what you should pay attention to:
• The scope of the ISMS should be documented and (preferably) described in some detail, indicating the sites, processes and people included in it. By the way, the scope of certification may well be narrower than the scope of the ISMS (and usually it is). I highly recommend formalizing the ISMS scope as a separate document, or at least as a separate appendix to some top-level document describing the ISMS.
• In the Statement of Applicability (SoA), I recommend specifying the technical and organizational measures for each item (the list of controls from Annex A of ISO/IEC 27001). Sometimes a description of the measures that satisfy the main-body ("textual") clauses of the standard is added to the SoA as well; auditors do not require this, but it can be useful (albeit laborious).
• Information security objectives should be defined and documented, preferably specific and measurable (during the audit you will be asked to show evidence that they are measured, and plans for achieving them). The natural home for the top-level objectives is the information security policy; lower-level documents can then break the objectives down and describe them more specifically. If the information security objectives are aligned with the business objectives (a "cascade of objectives"), that is great and a big plus.
• Be prepared to show the auditor professional information security certificates, training plans, job descriptions with competence requirements and other evidence of the competence of information security and IT personnel (evidence of competence).
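One way to keep the SoA auditable, as an added example that is not part of this whitepaper or of any ISO publication: a short Python check that applies the ISO/IEC 27001 clause 6.1.3 d) requirements to each row (a justification for inclusion or exclusion, an implementation status and recorded measures for every included control, and an applicability decision for every Annex A control). The row layout, the SoARow field names and the sample rows are assumptions constructed for the example; only the control identifiers and titles are taken from ISO/IEC 27001:2013 Annex A.

```python
"""Consistency check for a Statement of Applicability (SoA).

Added example, not code from the whitepaper or from ISO. The row layout is an
assumption about how an SoA is kept. ISO/IEC 27001 clause 6.1.3 d) requires the
SoA to list the necessary controls, justify their inclusion, state whether they
are implemented, and justify the exclusion of any Annex A control. Control
identifiers and titles follow ISO/IEC 27001:2013 Annex A.
"""
from dataclasses import dataclass, field

VALID_STATUS = {"implemented", "partially implemented", "planned"}


@dataclass
class SoARow:
    control: str             # Annex A identifier, e.g. "A.8.3.2"
    title: str               # control title, for the reader of the report
    applicable: bool         # True if the control is included in the ISMS
    justification: str = ""  # why the control is included or excluded
    status: str = ""         # one of VALID_STATUS when the control is applicable
    measures: list[str] = field(default_factory=list)  # technical / organizational measures


def check_row(row: SoARow) -> list[str]:
    """Return the findings an auditor would raise for a single SoA row."""
    findings = []
    if not row.justification.strip():
        kind = "inclusion" if row.applicable else "exclusion"
        findings.append(f"{row.control}: missing justification for {kind}")
    if row.applicable:
        if row.status not in VALID_STATUS:
            findings.append(f"{row.control}: implementation status missing or invalid ({row.status!r})")
        if not row.measures:
            findings.append(f"{row.control}: no technical/organizational measure recorded")
    elif row.status or row.measures:
        findings.append(f"{row.control}: excluded control must not carry a status or measures")
    return findings


def check_soa(rows: list[SoARow], expected_controls: list[str]) -> list[str]:
    """Check every row and verify that every listed Annex A control has a decision."""
    findings = []
    seen = set()
    for row in rows:
        if row.control in seen:
            findings.append(f"{row.control}: duplicate row")
        seen.add(row.control)
        findings.extend(check_row(row))
    for control in expected_controls:
        if control not in seen:
            findings.append(f"{control}: no applicability decision in the SoA")
    return findings


# Constructed sample: a five-row SoA containing typical mistakes, checked against
# a six-control subset of Annex A (a real SoA covers all 114 controls of the 2013 edition).
SAMPLE_ROWS = [
    SoARow("A.7.2.2", "Information security awareness, education and training", True,
           "Staff handle customer data", "implemented",
           ["Annual awareness training", "Onboarding security briefing"]),
    SoARow("A.8.3.2", "Disposal of media", True,
           "Backup tapes and laptops leave the premises", "partially implemented",
           ["Certified shredding contract"]),
    # included but no justification recorded
    SoARow("A.9.4.2", "Secure log-on procedures", True, "", "implemented", ["MFA on remote access"]),
    # included but neither status nor measures recorded
    SoARow("A.6.2.1", "Mobile device policy", True, "BYOD allowed for sales staff"),
    # excluded without saying why
    SoARow("A.14.2.1", "Secure development policy", False),
]
EXPECTED_CONTROLS = ["A.6.2.1", "A.7.2.2", "A.8.3.2", "A.9.4.2", "A.12.6.1", "A.14.2.1"]

if __name__ == "__main__":
    for finding in check_soa(SAMPLE_ROWS, EXPECTED_CONTROLS):
        print(finding)
```

Run against the sample, the check reports five findings: the missing justification on A.9.4.2, the missing status and missing measures on A.6.2.1, the unjustified exclusion of A.14.2.1, and the absence of any decision for A.12.6.1 (Management of technical vulnerabilities); the two complete rows pass. The same checks are what an auditor applies by hand when walking through the SoA, so running them before the audit removes the most common SoA nonconformities.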
Auditing Guidelines for ISO/IEC 27001
Looking further at the ISO/IEC 27007 standard, we find a simply gorgeous table, a storehouse of useful information: "Table A.2 Auditing guidelines for ISO/IEC 27001". It gives guidance on every main-body ("textual") requirement of ISO 27001 that the auditor must (and will) check.
The table looks like this: [Table A.2 of ISO/IEC 27007 was shown here as an image and is not reproduced in this text version.]
It is worth studying the table very carefully and checking whether everything has been implemented and whether there is evidence of fulfilment for every requirement.
From my own experience, the errors and shortcomings most often occur in these areas (the corresponding ISO/IEC 27001:2013 clause is given in brackets):
• "A.1.1 Understanding the organization and its context" (clause 4.1). The context is not documented or is poorly documented.
• "A.1.2 Understanding the needs and expectations of interested parties" (clause 4.2). There is no list of stakeholders and their expectations.
• "A.3.2 Information security objectives and planning to achieve them" (clause 6.2). IS objectives are not defined and (or) their achievement is not evaluated.
• "A.4.2 Competence" (clause 7.2). There is no evidence of regular training or continuing education.
• "A.4.5.3 Control of documented information" (clause 7.5.3). Versioning of documents and records is not controlled, so employees can use out-of-date versions of documents.
• "A.6.1 Monitoring, measurement, analysis and evaluation" (clause 9.1). IS measurement is not performed.
• "A.7.1 Nonconformity and corrective action" (clause 10.1). The process is not formalized, and no evidence of handling nonconformities has been provided.
In general, ISO/IEC 27007 is an extremely useful document when preparing for certification. The requirements check table takes up 25 of its 44 pages and is very useful. If you are preparing for certification, be sure to study it carefully.
For example, the standard invites the auditor to ask employees questions to check their security awareness ("Ask staff if they are aware of specific things they should be aware of", for control A.7.2.2, Information security awareness, education and training). Accordingly, our task before the audit is to tell employees that such questions may be asked and to explain what the expected answers are.
Or, the standard invites the auditor to observe the process of destroying media (control A.8.3.2, Disposal of media).
CHANDAN SINGH GHODELA
Master of Computer Applications
ISO 27001 Lead Auditor | PCI DSS Implementer
PROFILE
7+ years' experience
• Managing the vulnerability assessment and penetration testing team and audits.
• Performing periodic configuration audits on network devices, servers and other critical functions.
• Performing code review across a variety of programming languages and providing recommendations for preventive and corrective actions.
• Other security-related projects that may be assigned according to skills.
• Performing security testing, including web application, network, AWS cloud server, Windows and Linux server, and API penetration testing.
• Performing security configuration reviews of host operating systems, databases, web infrastructure components and network devices.
• Creating detailed reports and documentation that clearly communicate vulnerabilities and remediation steps.