Getting started with ISO 27001? Here's what you need to know.

The ISO 27000 family of standards acts as an information security management framework for institutions around the world. ISO 27001 is a cybersecurity standard that consists of best practices and controls organizations can use to implement an information security management system (ISMS) and the CIA (confidentiality, integrity and availability) triad to protect their data.

In this blog, we'll be taking a look at:

What is ISO 27001?

ISO 27001 is a cybersecurity standard and framework which helps organizations put an ISMS in place. It is a risk-based approach, and helps organizations gauge their security posture.

How did ISO 27001 come to be?

The legacy version of ISO 27001, BS 7799, originally written by the United Kingdom's Department of Trade and Industry (DTI), was published by the British Standards Institution (BSI) in 1995. One part of BS 7799 that dealt with information security management best practices was revised in 1998. In 2000, this was adopted by ISO as the ISO/EC 17799 and was termed Information Technology: Code of Practice for Information Security Management. The second part of BS 7799 with the title Information Security Management System released in 1999 that was later adopted as part of risk management and assessment in the ISO 27000 series, called ISO 27001.

The latest version of ISO 27001 was published in 2013 with minor updates implemented in 2017.

How is ISO 27001 structured?

It is divided into two major parts.

• Part One - 12 Segments: The first part consists of a list of 12 segments, which are listed below:
  1. Introduction
  2. Scope
  3. Normative details
  4. Terms and definitions
  5. Context of the organization
  6. Leadership
  7. Planning
  8. Support
  9. Operation
  10. Performance evaluation
  11. Improvement
  12. Reference control objectives and controls
• Part Two - Annexure A: The second part of ISO 27001 is Annexure A, which consists of 114 controls divided into 18 sections, and which follows the 12th control. Since the annexure is linked to ISO 27002, the first four controls are missing from the list. So the list starts from section five.

  The rest of the 18 sections in Annexure A are:

  1. Annex A.5: Information security policies
  2. Annex A.6: Organization of information security
  3. Annex A.7: Human resource security
  4. Annex A.8: Asset management
  5. Annex A.9: Access control
  6. Annex A.10: Cryptography
  7. Annex A.11: Physical and environmental security
  8. Annex A.12: Operations security
  9. Annex A.13: Communications security
  10. Annex A.14: System acquisition, development, and maintenance
  11. Annex A.15: Supplier relationships
  12. Annex A.16: Information security incident management
  13. Annex A.17: Information security aspects of business management
  14. Annex A.18: Compliance

Is it a mandatory compliance standard?

ISO 27001 is not a compliance mandate. As its structure suggests, the standard focuses on the individual requirements of each organization and recognizes that the ISMS put in place has to focus on these unique needs and security risks. Organizations that aim to obtain an ISO 27001 certification must comply with the standard, however.

What is an ISMS and what are the benefits of having one in place?

An ISMS defines an organization's approach to information security, and the controls and specifications it has in place to ensure the safety of its data. Having an ISO 27001 compliant ISMS helps organizations adhere to other security standards, like the GDPR, as well.

The objective of an ISMS is to facilitate organizations to implement the CIA triad of protecting data. The CIA triad consists of:

1. Confidentiality: The measures an organization takes to protect the privacy of its data contribute to its confidentiality, like ensuring authorized and restricted access.
2. Integrity: Organizations must endeavor to sustain the authenticity and reliability of data, and making sure it is error-free to facilitate data integrity.
3. Availability: Organizations must see to the availability of data whenever it will be accessed. This means ensuring all systems and operations that deal with the data function smoothly, and taking steps like eliminating redundant servers or ensuring updates happen on time.

Implementing all three parts of the CIA triad significantly increases cyber resilience and improves the capability of organizations to handle threats.

Benefits of an ISMS

Apart from being compliant with ISO 27001, having an ISMS in place provides several advantages for an organization:

• Safeguarding privileged information: With the primary objective of protecting the confidentiality, integrity, and availability of information, an ISMS works to safeguard the various information assets in an organization.
• Centralized management system: An ISMS ensures that all organization data is stored, secured, and managed in a centralized fashion. This holistic approach leads to an increase in security and contributes to the organization's overall growth.
• Reduction of security costs: Since an ISMS is implemented based on each organization's risk assessment, it can skip costs incurred due to experimenting with various security solutions. Taking a centralized approach leads to a reduction of overall costs as well.
• Increase in cyber resilience: An ISO 27001 compliant ISMS require s organizations to constantly change their security measures and evolve with the threat landscape. This leads to an overall increase in cyber resilience.

How are ISO 27001 and 27002 different?

In simple terms, while ISO 27001 is a cybersecurity framework and organizations can obtain a certification, ISO 27002 is more of a best practices guide, which provides tricks and tips to help organizations implement and understand the ISO 27001 controls in Annexure A. While organizations can choose which best practices to implement from ISO 27002, there is no certification provided for the standard.

How does ISO 27001 help you comply with the GDPR?

Before understanding how ISO 27001 helps you comply with the GDPR, it is important to note that the objective of each standard is different. While the aim of the GDPR is to protect the privacy of the personal information collected from European Union citizens, ISO 27001 works towards helping organizations create an ISMS that helps organizations process the data they collect.

The following are the commonalities between ISO 27001 and the GDPR:

• Risk assessment and exposure: Both standards find their basis in risk assessment. While ISO 27001 requirements ask organizations to conduct a risk assessment before implementing necessary controls for an ISMS, the GDPR also necessitates a Data Protection Impact Assessment (DPIA) to decrease their risk exposure.
• Timely breach notifications: The incident management controls under the 16th segment of Annexure A of ISO 27001, insist that any security breach be communicated swiftly so timely action can be taken. A similar requirement is found in the GDPR which requires organizations to notify controllers and supervisory authorities within 72 hours of a breach.
• Privacy by design: The GDPR is rooted in privacy by design and asks that organizations implement measures that assure data privacy. ISO 27001 looks at data as an information asset and provides best practices that can be used to effectively secure important information.
• Maintaining data records: ISO requires that security processes, and risk assessment procedures and documents be recorded, along with the categorization of information assets. The GDPR insists on recording processes and categorizing data and asks that organizations do not store personally identifiable information (PII) for longer than required.

While both standards have similar controls, it is in the best interest of organizations to comply with the measures put forth by both the GDPR and ISO 27001 to meet their respective objectives.

ISO 27001 certification process

In order to obtain the coveted ISO 27001 certification, an organization will have to show that it has successfully implemented an ISMS and has taken the necessary steps to address risks.

The audit for an ISO 27001 certification takes place in two stages:

Stage 1: This is when an auditor does a review of the documented ISMS and assesses whether it meets the requirements stated in the standard. Organizations need to produce a Statement of Applicability (SoA), which is a vital requirement for certification. It consists of the chosen controls from the list of 114 controls in Annexure A, the implementation procedure of each of them, and the list of omitted controls and why they have been omitted. This is mostly a desktop exercise and there is minimal interaction with the people tasked with overseeing the implementation of the ISMS.

Stage 2:The organization is audited to see if the processes it has in place are as documented in the ISMS. The auditors also interview those responsible for operations, look into the evidence for all the documentation, and review the controls implemented to address risk. Usually three months' worth of proof is required.

Once acquired, an ISO 27001 certification is valid for three years after which a re-certification assessment is conducted. After certification, organizations can expect surveillance visits at least once every year to ensure they are evolving and adding the latest security measures to stay vigilant and up-to-date.

Latest update for ISO 27001 and 27002

ISO 27002 underwent significant modifications in February 2022. The most relevant for organizations implementing ISO 27001 is the decrease in the number of controls listed in ISO 27002, to 93 from the 114.

This might lead to ISO 27001 certified organizations having to compare the previous Annexure A controls to the new 2022 control set in ISO 27002 as if they were a new or different set of security controls. This might continue until an updated version of ISO 27001 is published, which is expected in October 2022.

Complying with ISO 27001 using Log360

Implementing an ISO 27001 compliant ISMS means implementing strict access control measures to upkeep the confidentiality, integrity, and availability of sensitive data. Organizations need to record and regularly review event logs, protect them from unauthorized access, and ensure secure log-on procedures are followed.

ManageEngine Log360, a SIEM solution with extensive log management capabilities, automates collection of logs in terabytes. It ensures that collected logs are securely archived for analysis through file integrity monitoring and helps organizations maintain access control measures through its out-of-the-box security reports. These help keep track of successful and unsuccessful logon attempts, user activity, and authorization access to critical devices and applications. Log360 also helps keep track of changes made to user, domain, and audit policies that organizations can use to make sure reliable logon procedures are in place. These changes can be monitored, analyzed, and generated as real time, audit-ready reports that can contribute significantly to compliance procedures.

To learn more about how Log360 can help you comply with ISO 27001, sign up for a free, 30-day trial to check it out yourself, or request a personalized demo with our product experts.