ISO27001

ISO 27001 domains – Crash Course

I have been teaching ISO 27001 classes Australia-wide for the last 3 years, and wanted to put together some resources that my students or blog followers can use.

Below you will find the main domains covered under ISO 27001; please look for more in other posts.

Enjoy:

ISO 27001 domains (update)

It’s important to note that the latest version of ISO 27001 (released in October 2022) has moved away from the 14 domains (A.5 to A.18, 114 controls) of the 2013 version.

Annex A of ISO 27001:2022 now lists 93 information security controls grouped into 4 themes, numbered 5 (Organizational), 6 (People), 7 (Physical) and 8 (Technological). Of the 93, 11 are new, 24 are merged from two or more 2013 controls and the rest are updated; the implementation guidance for each control is in ISO/IEC 27002:2022.

Here’s a breakdown of the four themes, with the 2013 domains that ended up in each. Several 2013 domains were split across themes, so the mapping is not one-to-one:

1. Organizational (37 controls, 5.1 to 5.37)

  • Policies, roles and responsibilities, segregation of duties, management responsibilities, contact with authorities and special interest groups, and security in project management (formerly domains 5 and 6).
  • Asset management: inventory, acceptable use, return of assets, classification, labelling and information transfer (formerly domain 8, plus information transfer from domain 13).
  • Access control policy, identity management, authentication information and access rights (the policy side of former domain 9).
  • Supplier relationships, supplier agreements, the ICT supply chain and monitoring of supplier services (formerly domain 15).
  • Incident management planning, assessment of events, response, learning from incidents and collection of evidence (formerly domain 16).
  • Information security during disruption (formerly domain 17).
  • Legal, statutory, regulatory and contractual requirements, intellectual property, protection of records, privacy and PII, independent review, compliance with policies, and documented operating procedures (formerly domain 18, plus operating procedures from domain 12).
  • New in 2022: threat intelligence (5.7), information security for use of cloud services (5.23) and ICT readiness for business continuity (5.30).

2. People (8 controls, 6.1 to 6.8)

  • Screening, terms and conditions of employment, awareness and training, disciplinary process, responsibilities after termination or change of employment, confidentiality agreements, remote working and reporting of information security events (formerly domain 7, plus teleworking from domain 6 and event reporting from domain 16).

3. Physical (14 controls, 7.1 to 7.14)

  • Physical security perimeters, physical entry, securing offices and facilities, protection against physical and environmental threats, working in secure areas, clear desk and clear screen, equipment siting and protection, assets off-premises, storage media, supporting utilities, cabling, equipment maintenance and secure disposal or re-use (formerly domain 11, plus media handling from domain 8).
  • New in 2022: physical security monitoring (7.4).

4. Technological (34 controls, 8.1 to 8.34)

  • Technical access control: user endpoint devices, privileged access rights, information access restriction, access to source code and secure authentication (the technical side of former domain 9).
  • Operations: capacity management, protection against malware, technical vulnerability management, backup, redundancy, logging, clock synchronisation, privileged utility programs and installation of software on operational systems (formerly domain 12).
  • Network security, security of network services and segregation of networks (formerly domain 13).
  • Use of cryptography, 8.24 (formerly domain 10).
  • Secure development life cycle, application security requirements, secure architecture and engineering principles, security testing, outsourced development, separation of development, test and production environments, change management, test information and protection of systems during audit testing (formerly domain 14, plus audit test protection from domain 18).
  • New in 2022: configuration management (8.9), information deletion (8.10), data masking (8.11), data leakage prevention (8.12), monitoring activities (8.16), web filtering (8.23) and secure coding (8.28).

While the structure has changed, the core principles remain the same: ISO 27001 still requires a risk-based approach, in which the organization identifies and assesses its information security risks, selects controls to treat them, and records which Annex A controls are applicable (and why any are excluded) in a Statement of Applicability.

If you’re working towards ISO 27001 certification, use the 2022 version of the standard and focus on these updated controls. Certificates against the 2013 edition are withdrawn at the end of the transition period (31 October 2025), so any audit after that date is against the 2022 controls.

Original content

ISO 27001

  • ISO/IEC 27001, part of the growing ISO/IEC 27000 series of standards, is an information security management system (ISMS) standard first published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The full name of that first edition was ISO/IEC 27001:2005 – Information technology — Security techniques — Information security management systems — Requirements, but it is commonly known as “ISO 27001”. It has since been revised twice, as ISO/IEC 27001:2013 and the current ISO/IEC 27001:2022 (Information security, cybersecurity and privacy protection - Information security management systems - Requirements). The notes below describe the 2005 edition’s structure.
  • It is intended to be used in conjunction with ISO/IEC 27002, originally titled the Code of Practice for Information Security Management and retitled Information security controls in 2022, which describes each Annex A control in detail and gives implementation guidance. ISO/IEC 27002 is guidance, not a requirements standard: an organization cannot be certified against it, and implementing its controls does not by itself satisfy ISO/IEC 27001, which also requires the management-system clauses (scope, leadership, risk assessment and treatment, Statement of Applicability, internal audit, management review and continual improvement). Certification against ISO/IEC 27001 is itself optional unless the organization’s stakeholders mandate it.
  • http://en.wikipedia.org/wiki/ISO_27001
  • ISO 27001 sets out the requirements an ISMS must meet, and ISO 27002 the control objectives and controls; a certification audit checks both the management-system clauses and the Annex A controls the organization has declared applicable. The audit therefore follows the structure below, for each part of which the company being audited should have appropriate policies, controls and records in place:
    • Information Security Management System (ISMS); the 2005 edition describes it as a Plan-Do-Check-Act cycle
      • Establish (Plan)
        • Define the ISMS scope and boundaries
        • Define an ISMS policy
        • Define the risk assessment methodology and the risk acceptance criteria
          • Identify, analyse and evaluate risks
          • Identify and evaluate options for the treatment of risks (modify, retain, avoid, share)
          • Select control objectives and controls for the treatment of risks
          • Obtain management approval of the proposed residual risks
          • Obtain management authorisation to implement and operate the ISMS
        • Prepare a Statement of Applicability (which controls are selected, which are excluded, and why)
      • Implement and operate (Do)
        • Implement the risk treatment plan and the selected controls
        • Implement training and awareness programmes
        • Manage operations and resources; run incident detection and response procedures
      • Monitor and review (Check)
        • Monitoring procedures and regular reviews of control effectiveness
        • Internal ISMS audits
        • Management review
          • Review input
          • Review output
      • Maintain and improve (Act)
        • Continual improvement
        • Corrective action for identified nonconformities
        • Preventive action where a potential nonconformity is identified (2005 edition only; dropped in 2013)
      • Documentation requirements
        • General requirements
        • Control of documents
        • Control of records
      • Management responsibility
        • Management commitment
        • Resource management
          • Provision of resources
          • Training, awareness and competence
      • Control objectives and controls (Annex A of the 2005 edition, 11 domains, detailed in ISO/IEC 27002:2005)
        • Security policy
          • Information security policy
        • Organisation of information security
          • Internal organisation
          • External parties
        • Asset management
          • Responsibility for assets
          • Information classification
        • Human resources security
          • Prior to employment
          • During employment
          • Termination or change of employment
        • Physical and environmental security
          • Secure areas
          • Equipment security
        • Communications and operations management
          • Operational procedures, roles and responsibilities
          • Third-party service delivery management (SLAs)
          • System planning and acceptance
          • Protection against malicious and mobile code
          • Back-up
          • Network security management
          • Media handling
          • Exchange of information
          • Electronic commerce services
          • Monitoring (audit logging)
        • Access control
          • Business requirement for access control
          • User access management
          • User responsibilities
          • Network access control
          • Operating system access control
          • Application and information access control
          • Mobile computing and teleworking (remote/home working)
        • Information systems acquisition, development and maintenance
          • Security requirements of information systems
          • Correct processing in applications
          • Cryptographic controls
          • Security of system files
          • Security in development and support processes
          • Technical vulnerability management
        • Information security incident management (incident handling procedures)
          • Reporting information security events and weaknesses
          • Management of information security incidents and improvements
        • Business continuity management
          • Information security aspects of business continuity management (disaster recovery planning)
        • Compliance
          • Compliance with legal requirements
          • Compliance with security policies and standards, and technical compliance checking
          • Information systems audit considerations
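The risk assessment steps in the outline above (identify, analyse and evaluate risks; choose a treatment option; select controls; obtain management approval of the residual risk; record the result in a Statement of Applicability) are easiest to see as a tiny risk register. The following is an added worked example, not text from the standard or from this post: the 1 to 5 likelihood and impact scales, the acceptance criterion of 8, the three sample risks and the five-control subset of the catalogue are all assumptions, and the control numbers follow Annex A of the 2022 edition.

```python
"""Risk assessment, treatment, residual-risk approval and Statement of
Applicability as a small risk register. Added illustration; the scales,
the acceptance criterion, the sample risks and the control subset are
assumptions, not requirements of ISO 27001."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACCEPTABLE_RISK = 8  # assumed acceptance criterion on the 1..25 likelihood*impact scale
TREATMENT_OPTIONS = ("modify", "retain", "avoid", "share")  # the four ISO 27001/27005 options

# Assumed subset of the 2022 Annex A catalogue; a real SoA lists all 93 controls.
ANNEX_A: Dict[str, str] = {
    "5.15": "Access control",
    "5.19": "Information security in supplier relationships",
    "8.5": "Secure authentication",
    "8.13": "Information backup",
    "8.24": "Use of cryptography",
}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 rare .. 5 almost certain (assumed scale)
    impact: int      # 1 negligible .. 5 severe (assumed scale)
    treatment: Optional[str] = None
    controls: List[str] = field(default_factory=list)
    residual: Optional[Tuple[int, int]] = None  # (likelihood, impact) after treatment
    approved_by: Optional[str] = None

    def inherent_score(self) -> int:
        """Analyse step: score before any treatment."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Score after treatment; an untreated or retained risk keeps its inherent score."""
        if self.residual is None:
            return self.inherent_score()
        return self.residual[0] * self.residual[1]


def evaluate(risk: Risk) -> str:
    """Evaluate step: compare the analysed score with the acceptance criterion."""
    return "acceptable" if risk.inherent_score() <= ACCEPTABLE_RISK else "treat"


def treat(risk: Risk, option: str, controls: Optional[List[str]] = None,
          residual: Optional[Tuple[int, int]] = None) -> Risk:
    """Treatment step: record the option, the selected controls and the expected residual risk."""
    controls = controls or []
    if option not in TREATMENT_OPTIONS:
        raise ValueError(f"unknown treatment option {option!r}")
    unknown = [c for c in controls if c not in ANNEX_A]
    if unknown:
        raise ValueError(f"controls not in the catalogue: {unknown}")
    if option in ("modify", "share") and (not controls or residual is None):
        raise ValueError(f"{option} needs at least one control and a residual estimate")
    risk.treatment = option
    risk.controls = list(controls)
    # Avoiding the activity removes the risk entirely; retaining keeps the inherent score.
    risk.residual = (0, 0) if option == "avoid" else residual
    return risk


def approve_residual(risk: Risk, manager: str) -> Risk:
    """Management approval of a residual risk that still exceeds the criterion."""
    risk.approved_by = manager
    return risk


def unapproved_residuals(register: List[Risk]) -> List[Risk]:
    """Residual risks above the criterion with no sign-off: these block the
    'obtain management approval of the proposed residual risks' step."""
    return [r for r in register
            if r.residual_score() > ACCEPTABLE_RISK and r.approved_by is None]


def statement_of_applicability(register: List[Risk]) -> Dict[str, dict]:
    """Every catalogue control, marked applicable if a risk relies on it, with justification."""
    soa = {}
    for cid, title in ANNEX_A.items():
        users = [f"{r.asset}: {r.threat}" for r in register if cid in r.controls]
        soa[cid] = {"title": title, "applicable": bool(users),
                    "justification": "; ".join(users) or "no risk in the register relies on this control"}
    return soa


def build_register() -> List[Risk]:
    """Constructed sample register: three made-up risks."""
    r1 = Risk("customer database", "credential stuffing against the admin portal", 4, 5)
    r2 = Risk("backup tapes", "loss in transit to the offsite store", 3, 4)
    r3 = Risk("public website", "defacement", 3, 2)
    treat(r1, "modify", ["5.15", "8.5"], residual=(2, 5))  # MFA plus access policy
    treat(r2, "share", ["5.19", "8.24"], residual=(3, 1))  # courier contract plus encrypted media
    treat(r3, "retain")                                     # 6 <= 8, accepted as is
    return [r1, r2, r3]


if __name__ == "__main__":
    register = build_register()
    for r in register:
        print(f"{r.asset}: inherent {r.inherent_score()} -> {evaluate(r)}, "
              f"{r.treatment}, residual {r.residual_score()}")
    blocked = unapproved_residuals(register)
    print("awaiting management approval:", [r.asset for r in blocked])
    approve_residual(blocked[0], "CISO")
    print("still unapproved:", unapproved_residuals(register))
    for cid, row in statement_of_applicability(register).items():
        print(cid, row["title"], "applicable" if row["applicable"] else "not applicable", "-", row["justification"])
```

Two things the register makes visible that the outline does not: treating a risk does not automatically bring it under the acceptance criterion (the customer-database risk is still at 10 after MFA, so it stays on the list until someone with authority signs it off), and the Statement of Applicability is derived from the register rather than written separately, so every control marked applicable carries the risk that justifies it and every unused control is explicitly recorded as not applicable.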

ISO 27001 toolkit

FREE ISO 27001 Toolkit
