Source: IsecT Ltd.
ISO/IEC 27001 is the formal set of specifications against which organizations may seek independent certification of their Information Security Management System (ISMS).
ISO/IEC 27001 specifies requirements for the establishment, implementation, monitoring and review, maintenance and improvement of a management system – an overall management and control framework – for managing an organization’s information security risks. It does not mandate specific information security controls but stops at the level of the management system.
The standard covers all types of organizations (e.g. commercial enterprises, government agencies and non-profit organizations) and all sizes from micro-businesses to huge multinationals. This is clearly a very wide brief.
Bringing information security under management control is a prerequisite for sustainable, directed and continuous improvement. An ISO/IEC 27001 ISMS therefore incorporates several Plan-Do-Check-Act (PDCA) cycles: for example, information security controls are not merely specified and implemented as a one-off activity but are continually reviewed and adjusted to take account of changes in the security threats, vulnerabilities and impacts of information security failures, using review and improvement activities specified within the management system.
According to JTC1/SC27, the ISO/IEC committee responsible for ISO27k and related standards, ISO/IEC 27001 “is intended to be suitable for several different types of use, including:
- Use within organisations to formulate security requirements and objectives;
- Use within organisations as a way to ensure that security risks are cost-effectively managed;
- Use within organisations to ensure compliance with laws and regulations;
- Use within an organisation as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organisation are met;
- The definition of new information security management processes;
- Identification and clarification of existing information security management processes;
- Use by the management of organisations to determine the status of information security management activities;
- Use by the internal and external auditors of organisations to demonstrate the information security policies, directives and standards adopted by an organisation and determine the degree of compliance with those policies, directives and standards;
- Use by organisations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organisations that they interact with for operational or commercial reasons;
- Implementation of a business enabling information security; and
- Use by organisations to provide relevant information about information security to customers.”
The information security controls from ISO/IEC 27002 are noted in an appendix (annex) to ISO/IEC 27001, rather like a menu. Organizations adopting ISO/IEC 27001 are free to choose whichever specific information security controls are applicable to their particular information security situations, drawing on those listed in the menu and potentially supplementing them with other à la carte options (sometimes known as extended control sets). As with ISO/IEC 27002, the key to selecting applicable controls is to undertake a comprehensive assessment of the organization’s information security risks, which is one vital part of the ISMS.
History of ISO/IEC 27001
ISO/IEC 27001 was born as BS 7799 Part 2 in 1999. It was revised by BSI in 2002, explicitly incorporating Deming’s Plan-Do-Check-Act cyclic process concept, and was adopted by ISO/IEC in 2005.
Along with ISO/IEC 27002, ’27001 is currently being revised. Comments and contributions from national standards bodies are welcomed by SC27. Please contact your national standards body (e.g. BSI, NIST) or ISO directly for further information or to offer your assistance with the standards development process and ISO/IEC JTC 1/SC 27 in particular. This is your big chance to get involved and influence the future direction of this well-respected information security standard!
Since ISO/IEC 27001 is an active certification standard, major/structural changes will be difficult and even minor changes will have to be justified in order to retain “backwards compatibility” with the existing standard wherever possible. Nevertheless, there is pressure within SC27 to realign 27001 with 27000, 27002, 27003 and 27005, reducing duplication and potential conflict. Furthermore, the ISO TMB JTCG Task Force on Management System Standards wishes to align all the ISO management systems standards for information security, quality management, environmental management etc. to a common structure, using common text for identical clauses (albeit with explanatory notes to clarify their interpretation in the specific context of each management system). The common structure and text is still in draft but looks set to become “ISO Guide 83”.
The Australian and Japanese delegations to ISO/IEC JTC1/SC27, in particular, are very concerned at the extent and nature of the changes to ISO/IEC 27001 caused by the adoption of “ISO Guide 83”. Much of the text describing the application of management system concepts specifically to the management of information security is being removed from the standard, leaving a more generic standard that may be difficult for users and certification auditors to interpret and apply.
In addition to detailed comments on the contents of the main text of ’27001, Annex A prompted many comments from national standards bodies. The question of what, if anything, ’27001 should specify regarding information security policies and/or policies or strategies for the ISMS is also under discussion. SC27’s decision to remove explicit description of the “PDCA model” from ’27001 has not been universally welcomed, but it looks as if the PDCA coverage in ’27000 may be increased in order not to lose the value of the structured approach to periodically reassessing infosec risks and controls and hence continually refining the ISMS.
Latest status info
Updating of the standard has been delayed partly by the JTCG decision to harmonize all its management systems standards. Consequently, the revised standard is unlikely to be published much before the end of 2013.
Structure and content of ISO/IEC 27001
ISO/IEC 27001:2005 has the following sections:
0 Introduction – the standard uses a process approach.
1 Scope – it specifies generic ISMS requirements suitable for organizations of any type, size or nature.
2 Normative references – only ISO/IEC 27002:2005 is considered absolutely essential to the use of ’27001.
3 Terms and definitions – a brief, formalized glossary, soon to be superseded by ISO/IEC 27000.
4 Information security management system – the ‘guts’ of the standard, based on the Plan-Do-Check-Act cycle where Plan = define requirements, assess risks, decide which controls are applicable; Do = implement and operate the ISMS; Check = monitor and review the ISMS; Act = maintain and continuously improve the ISMS. Also specifies certain specific documents that are required and must be controlled, and states that records must be generated and controlled to prove the operation of the ISMS (e.g. certification audit purposes).
5 Management responsibility – management must demonstrate their commitment to the ISMS, principally by allocating adequate resources to implement and operate it.
6 Internal ISMS audits – the organization must conduct periodic internal audits to ensure the ISMS incorporates adequate controls which operate effectively.
7 Management review of the ISMS – management must review the suitability, adequacy and effectiveness of the ISMS at least once a year, assessing opportunities for improvement and the need for changes.
8 ISMS improvements – the organization must continually improve the ISMS by assessing and where necessary making changes to ensure its suitability and effectiveness, addressing nonconformance (noncompliance) and where possible preventing recurrent issues.
Annex A – Control objectives and controls – little more in fact than a list of titles of the control sections in ISO/IEC 27002, down to the second level of numbering (e.g. 9.1, 9.2), 133 in total.
Annex B – OECD principles and this International Standard – a table briefly showing which parts of this standard satisfy 7 key principles laid out in the OECD Guidelines for the Security of Information Systems and Networks.
Annex C – Correspondence between ISO 9001:2000, ISO 14001:2004 and this International Standard – the standard shares the same basic structure of other management systems standards, meaning that an organization which implements any one should be familiar with concepts such as PDCA, records and audits.
Mandatory requirements for certification
ISO/IEC 27001 is written as a formalized specification such that accredited certification auditors are meant to be able to use the standard as a formal description of items that their clients must have in order to be certified compliant. It does indeed specify certain mandatory documents explicitly. However, in other areas it is more vague and, in practice, other documents are commonly demanded, including certain items which provide the auditors with evidence or proof that the ISMS is operating. The diagram below (taken from the ISO27k Toolkit) shows at what stages of the typical ISO27k implementation process most of the required documents are normally produced:
ISO/IEC 27001 certifications increasing by ~1,000 per year
A number of certification bodies are accredited by national standards bodies (such as the British Standards Institution and the National Institute of Science and Technology) to review compliance with ISO/IEC 27001 and issue certificates. Over 7,300 organizations worldwide have already been certified compliant with ISO/IEC 27001 or equivalent national variants:
The graph shows the steadily increasing number of ISO/IEC 27001 certificates reported by Ted Humphrey’s site for the last few years. Ted routinely receives and collates information on ISO/IEC 27001 certificates issued by many certification bodies worldwide, but some certification bodies evidently don’t report the numbers to Ted, so the total is an underestimate.
The slight dip in the curve during 2011 may be the result of organizations waiting for the next update of ISO/IEC 27001 to be issued, or it could be a statistical anomaly or due to some other reason such as the global economic situation – who knows? The overall trend is clear enough though: the increase is close to linear. And the need for a professional approach to managing information security is surely greater than ever.
Organizations can specify the scope of their ISO/IEC 27001 certification as broadly or as narrowly as they wish. Understanding the scoping documents plus Statements of Applicability (SoA) is therefore crucial if one intends to attach any meaning to the certificates. If an organization’s ISO/IEC 27001 scope only notes “Acme Ltd. Department X”, for example, the associated certificate says nothing about the state of information security in “Acme Ltd. Department Y” or “Acme Ltd.” as a whole. Similarly, if the SoA asserts that antivirus controls are not necessary for some reason, the certification body will doubtless have checked that assertion but will not have certified the antivirus controls – in fact, they may not have assessed any technical controls at all, since ISO/IEC 27001 is primarily a management system standard: compliance requires the organization to have a suite of management controls in place but does not necessarily require specific information security controls (caveat emptor!).
Certification is entirely optional but is increasingly being demanded from suppliers and business partners by organizations that are concerned about information security. Certification against ISO/IEC 27001 brings a number of benefits above and beyond simple compliance, in much the same way that an ISO 9000-series certificate says more than “We are a quality organization”. Independent assessment necessarily brings some rigor and formality to the implementation process (implying improvements to information security and all the benefits that brings through risk reduction), and invariably requires management approval (which is an advantage in security awareness terms, at least!). The certificate has marketing potential and should help assure most business partners of the organization’s status with respect to information security without the necessity of conducting their own security reviews.